This implementation describes how to sync access policies from one BIG-IP Access Policy Manager device to another Access Policy Manager device, or to multiple devices in a device group. This allows you to maintain up-to-date access policies on multiple Access Policy Manager devices, while adjusting appropriate settings for objects that are specific to device locations.
To synchronize access policies between multiple devices, you configure a Sync-Only device group, which includes the devices between which you want to synchronize access policies. Device group setup requires establishing trust relationships between devices and creating a device group. You set the devices in each group to use Automatic Sync and Full Sync, and then synchronize access policies one at a time, resolving conflicts as you go.
When you have more than one BIG-IP device in a local trust domain, you can synchronize BIG-IP configuration data among those devices by creating a device group. A device group is a collection of BIG-IP devices that trust each other and synchronize their BIG-IP configuration data. If you want to exclude certain devices from ConfigSync, you can simply exclude them from membership in that particular device group.
You can synchronize some types of data on a global level across all BIG-IP devices, while synchronizing other data in a more granular way, on an individual application level to a subset of devices.
Before you configure device trust, you should consider the following:
The configuration process for a BIG-IP system entails configuring a Sync-Only device group, syncing access policies to a device group, and resolving conflicts caused by location-specific and dynamic resources. You must pre-configure a device group to sync access policies to multiple systems.
Before you begin this task, verify that:
You perform this task to establish trust among devices on one or more network segments. Devices that trust each other constitute the local trust domain. A device must be a member of the local trust domain prior to joining a device group.
By default, the BIG-IP software includes a local trust domain with one member, which is the local device. You can choose any one of the BIG-IP devices slated for a device group and log into that device to add other devices to the local trust domain. For example, devices A, B, and C each initially shows only itself as a member of the local trust domain. To configure the local trust domain to include all three devices, you can simply log into device A and add devices B and C to the local trust domain. Note that there is no need to repeat this process on devices B and C.
The Ignore errors due to Variable Assign Agent during sync setting affects system behavior only when a Variable Assign agent is included in an access policy, and the Variable Assign agent uses resources.
If you set Ignore errors due to Variable Assign Agent during sync to Yes:
If you set Ignore errors due to Variable Assign Agent during sync to No:
To summarize, you now have synchronized access policies between devices in a sync-only device group.
On the Sync Details tab, you can see sync status for an access policy.
|Device||The specific device to which the access policy was synced.|
|Sync Status||One of the following:
|Status End Time||The time at which the last status entry completed on the specific device.|
|Sync Status Details||More information about the Sync Status for a specific device.|
On the Sync History tab, you can see the sync history for an access policy.
|Last sync||The last time a sync was initiated for this access policy.|
|Last Sync Status||The outcome of the last sync for this access policy.|
|Device Group||The device group to which the access policy was synced.|
|Description||A clickable icon that presents information about the sync operation for the device group.|
|Non Location Specific Objects||An access policy was created with certain resources which the sync process indicates are not location-specific, but that might in fact be location-specific on the target device. This column lists such objects, which you can then verify by checking the objects on the remote systems, and modifying if necessary.|