Manual Chapter: Synchronizing Application Security Configurations

Overview: Synchronizing application security configurations

You can use device management to set up several BIG-IP® systems running Application Security Manager™ (ASM) so that they synchronize their security policies and configurations. By using application security synchronization, you can set up application security and create security policies on one system and can propagate them to other systems in an application security device group. In BIG-IP ASM™, a device group is two or more BIG-IP devices using the same configuration and providing consistent security policy enforcement.

You can set up application security synchronization, for example, behind an Application Delivery Controller where multiple BIG-IP systems running Application Security Manager are deployed as members of a pool. The options and security policies on all of the systems stay in sync regardless of where you update them.

This implementation comprises two phases:

  • Establishing a trust relationship, known as a device trust, between the BIG-IP ASM devices whose security policies and configurations you want to share. The device trust sets up an authenticated line of communication between the ASM devices, using digital certificates.
  • Adding the ASM devices that are members of the device trust to a device group, then enabling ASM synchronization on the device group. The ASM-enabled device group is the collection of BIG-IP devices that trust each other and can synchronize their ASM configurations and security policies.

When you set up ASM™ synchronization, in addition to security policies, other settings, such as custom attack signatures, logging profiles, SMTP configuration, anti-virus protection, system variables, and policy templates, are synchronized with all devices in the ASM-enabled device group.

Considerations for application security synchronization

When using device management with Application Security Manager™ (ASM™), you need to be aware of the following considerations that apply specifically to application security synchronization.

  • A BIG-IP® system with Application Security Manager can be a member of only one ASM-enabled device group.
  • All BIG-IP systems in a device group must be running the same version (including hot fix updates) of Application Security Manager (version 11.0 or later).
  • The BIG-IP systems in the ASM-enabled device group synchronize application security configuration data and security policies, providing consistent enforcement on all the devices.
  • Real Traffic Policy Builder® can run on only one system per web application. For example, if you set up automatic security policy building on one system that is a member of an ASM-enabled device group, the policy is built on that system and then automatically updated on all of the systems in the device group.
  • A VIPRION® platform (with multiple blades) is considered one device; add only the master blade to the device trust and the device group.

Overview: Synchronizing two ASM systems

This implementation describes how to set up two BIG-IP® systems running Application Security Manager™ (ASM) so that you can synchronize their security policies and configurations.

Synchronizing two ASM systems

The two BIG-IP systems are set up for redundancy: one active and the other standby. Both systems are in the same device trust and the same Sync-Failover device group. If one system is unavailable, the other system takes over. You can manually synchronize the systems. The ASM™ configurations and web applications are duplicated on both systems.

You can use this implementation as the basis for more complex configurations. For example, if you have multiple redundant pairs each supporting a different web application, you can use this implementation to set up each pair. You could create a Sync-Failover device group for each pair and not synchronize the two pairs. In this configuration, you can still place all of the devices in the same device trust.

Task Summary

Performing basic network configuration for synchronization

You need to perform basic networking configuration for each of the BIG-IP® systems whose Application Security Manager™ (ASM) configurations you want to synchronize.
  1. Install the same BIG-IP system version (including any hot fixes) on each device.
  2. Provision LTM® and ASM™ on each device (System > Resource Provisioning).
  3. On each device, create one or more VLANs, depending on your networking configuration (Network > VLANs).
  4. On each device, create a self IP (Network > Self IPs). When creating the self IP, set Traffic Group to traffic-group-local-only (non-floating).
  5. On each device, create a default gateway, if needed (Network > Routes).
  6. On each device, configure DNS (System > Configuration > Device > DNS) and NTP (System > Configuration > Device > NTP) so they are set to the same time.
  7. Verify connectivity between the devices (self IP address to self IP address). For example, use this command to check communications: ping -I vlan_interface device_self_IP
  8. On each device, specify the IP address to use when synchronizing configuration objects to the local device:
    1. Click Device Management > Devices.
    2. Click the name of the local device.
    3. From the Device Connectivity menu, choose ConfigSync.
    4. For the Local Address setting, select the self IP address.
  9. If your company requires special device certificates, install them on each device (System > Device Certificates and click Import).
The basic networking setup is complete for the BIG-IP ASM systems for which you want to share security policies and configurations.
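The steps above amount to a set of cross-device consistency requirements (same version including hot fixes, LTM and ASM provisioned, a shared time source, and a non-floating self IP as the ConfigSync address). The following script, added here as an example and not part of the F5 manual, checks those requirements over facts gathered from each candidate device and names the device that breaks a rule. The DeviceFacts records are constructed; on real systems you would fill them from tmsh (for example tmsh show sys version, tmsh list sys provision, tmsh list net self) or the iControl REST API, and the 1 second skew threshold is an assumption.

```python
"""Pre-sync eligibility check for BIG-IP systems that will share ASM configuration.

Added example, not F5 code.  The per-device facts are constructed; collect them
from the real devices before relying on the result.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass
class DeviceFacts:
    name: str
    version: str                  # BIG-IP version string
    hotfix: str                   # hot fix identifier, "" when none
    provisioned: frozenset        # modules enabled under Resource Provisioning
    ntp_servers: tuple            # NTP servers configured on the device
    clock_offset_s: float         # measured offset from the reference clock, seconds
    self_ips: dict                # self IP address -> traffic group name
    configsync_address: str       # Device Connectivity > ConfigSync > Local Address


def preflight(devices: list, max_skew_s: float = 1.0) -> list:
    """Return a list of findings; an empty list means the devices may be synchronized."""
    findings = []
    if len(devices) < 2:
        return ["a device group needs at least two BIG-IP devices"]

    # Every member must run the same version *including* hot fixes.
    common = Counter((d.version, d.hotfix) for d in devices).most_common(1)[0][0]
    for d in devices:
        if (d.version, d.hotfix) != common:
            findings.append(f"{d.name}: build {d.version}/{d.hotfix or 'no hotfix'} differs "
                            f"from the group's {common[0]}/{common[1] or 'no hotfix'}")

    # LTM and ASM must both be provisioned on every member.
    for d in devices:
        missing = {"ltm", "asm"} - set(d.provisioned)
        if missing:
            findings.append(f"{d.name}: modules not provisioned: {', '.join(sorted(missing))}")

    # All members must use the same NTP source and agree on the time.
    if len({tuple(sorted(d.ntp_servers)) for d in devices}) > 1:
        findings.append("NTP server lists differ between devices")
    for d in devices:
        if not d.ntp_servers:
            findings.append(f"{d.name}: no NTP server configured")
        elif abs(d.clock_offset_s) > max_skew_s:
            findings.append(f"{d.name}: clock skew {d.clock_offset_s:+.1f}s exceeds {max_skew_s}s")

    # The ConfigSync address must be one of the device's own non-floating self IPs
    # and must not be reused by another member.
    seen = {}
    for d in devices:
        tg = d.self_ips.get(d.configsync_address)
        if tg is None:
            findings.append(f"{d.name}: ConfigSync address {d.configsync_address} is not a self IP on this device")
        elif tg != "traffic-group-local-only":
            findings.append(f"{d.name}: ConfigSync address {d.configsync_address} is in floating traffic group {tg}")
        if d.configsync_address in seen:
            findings.append(f"{d.name}: ConfigSync address {d.configsync_address} is already used by {seen[d.configsync_address]}")
        seen.setdefault(d.configsync_address, d.name)
    return findings


# Constructed sample: a healthy pair, plus a third device with several problems.
GOOD_PAIR = [
    DeviceFacts("bigip-a.example.com", "11.6.0", "HF6", frozenset({"ltm", "asm"}),
                ("192.0.2.123",), 0.2, {"10.0.10.11": "traffic-group-local-only"}, "10.0.10.11"),
    DeviceFacts("bigip-b.example.com", "11.6.0", "HF6", frozenset({"ltm", "asm"}),
                ("192.0.2.123",), -0.4, {"10.0.10.12": "traffic-group-local-only"}, "10.0.10.12"),
]
BAD_DEVICE = DeviceFacts("bigip-c.example.com", "11.6.0", "", frozenset({"ltm"}),
                         (), 37.0, {"10.0.10.13": "traffic-group-1"}, "10.0.10.13")

if __name__ == "__main__":
    for line in preflight(GOOD_PAIR + [BAD_DEVICE]):
        print(line)
```

Run against the constructed data, the healthy pair produces no findings, while adding bigip-c reports the missing hot fix, the unprovisioned ASM module, the missing NTP server and the floating ConfigSync address. Fix every finding before adding the devices to the trust; a version or hot fix mismatch in particular is what makes ASM synchronization fail later.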

Adding a device to the device trust

Establish lines of communication between the BIG-IP® systems for which you want to synchronize security policies and configurations by adding those systems to a device trust. You do this task on only one of the systems.
  1. On the Main tab, click Device Management > Device Trust > Local Domain.
  2. In the Peer Authority Devices area of the screen, click Add.
  3. Type an IP address, administrator user name, and administrator password for the remote BIG-IP device. This IP address can be either a management IP address or a self IP address.
  4. Click Next.
  5. Verify that the certificate of the remote device is correct.
  6. Click Next.
  7. Verify that the name of the remote device is correct.
  8. Click Next.
  9. Verify that the management IP address and name of the remote device are correct.
  10. Click Next.
  11. Confirm new device trust: recheck the IP address and name, then click Finished. The system creates the trust domain and adds the devices to the Peer Authority Devices list. The trust status of the devices is In Sync.
The BIG-IP ASM™ systems that you want to share security policies and configurations are now part of a device trust.

Creating a Sync-Failover device group

Perform this procedure to create a Sync-Failover type of device group. You can perform this task on any authority device within the local trust domain.
  1. On the Main tab, click Device Management > Device Groups. This displays a list of existing device groups, if any.
  2. On the Device Group List screen, click Create.
  3. Type a name for the device group, select the device group type Sync-Failover, and type a description for the device group.
  4. Click Next.
  5. Select the IP address and host name for each BIG-IP device that you want to include in the device group. The list shows any devices that are members of the device's local trust domain but not currently members of a Sync-Failover device group. A device can be a member of one Sync-Failover group only.
  6. Click Next.
  7. Check the box labeled Yes, enable network failover for the group.
  8. Click Next.
  9. Click Finished.
You now have a Sync-Failover type of device group containing BIG-IP devices as members.

Specifying IP addresses for failover

When configuring failover IP addresses on BIG-IP® systems, you specify local IP addresses for devices in the device group to use for failover communications. You perform this task on both the active and the standby devices.
  1. On the Main tab, click Device Management > Devices. This displays a list of device objects discovered by the local device.
  2. In the Name column, click the name of the device you want to configure.
  3. From the Device Connectivity menu, choose Failover.
  4. Add a Failover Unicast address:
    1. Click Add.
    2. For the Local Address setting, specify the IP address of the device to use for failover communications (for example, the self IP address).
    3. Click Finished.
  5. If the BIG-IP system is running on a VIPRION® platform, then for the Failover Multicast Configuration setting, click Enable.
  6. Click Save Changes.
When you specify the failover address on both units, the devices are set up as active/standby.

Enabling ASM synchronization on a device group

You need to have already set up the BIG-IP® systems you want to synchronize in a device trust and a device group. Application Security Manager™ (ASM) must be provisioned on all the systems in the device group.
You can enable ASM™ synchronization on a device group to synchronize security policies and configurations on all devices in the device group. You do this task on one system; for example, the active system in an active/standby pair.
  1. On the Main tab, click Application Security > Synchronization. The system displays a list of device groups of which this device is a member.
  2. For Device Group, select the device group whose members you want to synchronize.
  3. Click Save.
The BIG-IP ASM systems that you want to share security policies and configurations are part of a device group with ASM synchronization.

Manually synchronizing an ASM-enabled device group

You need to have set up the BIG-IP® Application Security Manager™ (ASM) systems you want to synchronize in a Sync-Failover device group that is ASM™-enabled.
You can manually synchronize security policies and configuration of systems in an ASM-enabled device group.
  1. On one system in the ASM-enabled failover device group, create an application security class, then use the Deployment wizard to create a security policy. Because the two systems are not in sync, you see a Changes Pending status message on the screen.
  2. Click the Changes Pending message.
    Tip: You can also click Device Management > Device Groups, click the device group name, and click Config Sync.
    The Config Sync screen opens.
  3. Click Synchronize TO Group. The system synchronizes the configuration data on the local device to other device group members. The status message on the screen changes to say In Sync.
  4. Verify that the devices are synchronized. For example, log in to another device in the device group and check that the security policy you created also resides on that system. Click Application Security > Policies List and see if the policy is listed.
Except for static self IP addresses, the entire set of BIG-IP configuration data, including the ASM™ security policies and configuration, is replicated on the other devices in the ASM-enabled device group. If the active device is not available, the standby device becomes active and handles traffic.
You can create new security policies or update existing ones on any of the devices in the group, or update the ASM configuration options (Application Security > Options). You can manually synchronize changes you make on one device with the other devices in the ASM-enabled device group.

Result: Synchronizing two ASM systems

You have now set up two BIG-IP® systems running Application Security Manager™ (ASM) so that you can synchronize their security policies and configurations. You must manually synchronize the ASM and BIG-IP configurations.

The two BIG-IP systems are in the same Sync-Failover device group. If one system is unavailable, the other system takes over.

Overview: Synchronizing multiple ASM systems

This implementation describes how to set up multiple BIG-IP® systems running Application Security Manager™ (ASM) so that they automatically synchronize their security policies and configurations. In addition, you can manually synchronize the Local Traffic Manager™ (LTM®) configuration, as needed.

Synchronizing multiple ASM systems

In this case, multiple BIG-IP systems are all processing similar traffic for one or more web applications behind a router (or load balancer). All systems are running BIG-IP ASM™ and are in the same device trust. You organize the systems into two device groups: one Sync-Failover device group for all systems (not ASM-enabled) and one ASM-enabled Sync-Only device group containing all of the systems. The ASM configurations and web applications are automatically duplicated on all of the systems. You can manually synchronize the BIG-IP configuration of the systems in the Sync-Failover device group.

Task Summary

Performing basic network configuration for synchronization

You need to perform basic networking configuration for each of the BIG-IP® systems whose Application Security Manager™ (ASM) configurations you want to synchronize.
  1. Install the same BIG-IP system version (including any hot fixes) on each device.
  2. Provision LTM® and ASM™ on each device (System > Resource Provisioning).
  3. On each device, create one or more VLANs, depending on your networking configuration (Network > VLANs).
  4. On each device, create a self IP (Network > Self IPs). When creating the self IP, set Traffic Group to traffic-group-local-only (non-floating).
  5. On each device, create a default gateway, if needed (Network > Routes).
  6. On each device, configure DNS (System > Configuration > Device > DNS) and NTP (System > Configuration > Device > NTP) so they are set to the same time.
  7. Verify connectivity between the devices (self IP address to self IP address). For example, use this command to check communications: ping -I vlan_interface device_self_IP
  8. On each device, specify the IP address to use when synchronizing configuration objects to the local device:
    1. Click Device Management > Devices.
    2. Click the name of the local device.
    3. From the Device Connectivity menu, choose ConfigSync.
    4. For the Local Address setting, select the self IP address.
  9. If your company requires special device certificates, install them on each device (System > Device Certificates and click Import).
The basic networking setup is complete for the BIG-IP ASM systems for which you want to share security policies and configurations.

Adding a device to the device trust

Establish lines of communication between the BIG-IP® systems for which you want to synchronize security policies and configurations by adding those systems to a device trust. You do this task on only one of the systems.
  1. On the Main tab, click Device Management > Device Trust > Local Domain.
  2. In the Peer Authority Devices area of the screen, click Add.
  3. Type an IP address, administrator user name, and administrator password for the remote BIG-IP device. This IP address can be either a management IP address or a self IP address.
  4. Click Next.
  5. Verify that the certificate of the remote device is correct.
  6. Click Next.
  7. Verify that the name of the remote device is correct.
  8. Click Next.
  9. Verify that the management IP address and name of the remote device are correct.
  10. Click Next.
  11. Confirm new device trust: recheck the IP address and name, then click Finished. The system creates the trust domain and adds the devices to the Peer Authority Devices list. The trust status of the devices is In Sync.
The BIG-IP ASM™ systems that you want to share security policies and configurations are now part of a device trust.

Creating a Sync-Failover device group

Perform this procedure to create a Sync-Failover type of device group. You can perform this task on any authority device within the local trust domain.
  1. On the Main tab, click Device Management > Device Groups. This displays a list of existing device groups, if any.
  2. On the Device Group List screen, click Create.
  3. Type a name for the device group, select the device group type Sync-Failover, and type a description for the device group.
  4. Click Next.
  5. Select the IP address and host name for each BIG-IP device that you want to include in the device group. The list shows any devices that are members of the device's local trust domain but not currently members of a Sync-Failover device group. A device can be a member of one Sync-Failover group only.
  6. Click Next.
  7. Check the box labeled Yes, enable network failover for the group.
  8. Click Next.
  9. Click Finished.
You now have a Sync-Failover type of device group containing BIG-IP devices as members.

Specifying IP addresses for failover

When configuring failover IP addresses on BIG-IP® systems, you specify local IP addresses for devices in the device group to use for failover communications. You perform this task on both the active and the standby devices.
  1. On the Main tab, click Device Management > Devices. This displays a list of device objects discovered by the local device.
  2. In the Name column, click the name of the device you want to configure.
  3. From the Device Connectivity menu, choose Failover.
  4. Add a Failover Unicast address:
    1. Click Add.
    2. For the Local Address setting, specify the IP address of the device to use for failover communications (for example, the self IP address).
    3. Click Finished.
  5. If the BIG-IP system is running on a VIPRION® platform, then for the Failover Multicast Configuration setting, click Enable.
  6. Click Save Changes.
When you specify the failover address on both units, the devices are set up as active/standby.

Creating a Sync-Only device group

Use this procedure to create a Sync-Only type of device group. You can perform this task on any BIG-IP® device within the local trust domain.
  1. On the Main tab, click Device Management > Device Groups. This displays a list of existing device groups, if any.
  2. On the Device Group List screen, click Create.
  3. Type a name for the device group, select the device group type Sync-Only, and type a description for the device group.
  4. Click Next.
  5. Select the IP address and host name for each BIG-IP device that you want to include in the device group. The list shows any devices that are members of the device's local trust domain.
  6. Click Next.
  7. Select the check box labeled Yes, automatically sync the configuration between devices.
  8. Click Next.
  9. Click Finished.
You now have a Sync-Only type of device group containing BIG-IP devices as members.

Enabling ASM synchronization on a Sync-Only device group

You need to have set up the BIG-IP® systems you want to synchronize in a device trust and a device group. Application Security Manager™ (ASM) must be provisioned on all the systems in the device group.
You can enable ASM™ synchronization on a device group to synchronize security policies and configurations on all devices in the device group. You do this task on one system, for example, the active system in an active/standby pair.
  1. On the Main tab, click Application Security > Synchronization. The system displays a list of device groups of which this device is a member.
  2. For Device Group, select the Sync-Only device group you created.
  3. Click Save.
The BIG-IP ASM™ systems that you want to share security policies and configurations are part of a Sync-Only device group with ASM synchronization.

Manually synchronizing the BIG-IP configuration

You can manually synchronize the BIG-IP® configuration to or from other device group members. To determine if a manual config sync is necessary, you can list the members of the device group and view the synchronization status of each member.
Note: When synchronizing self IP addresses, the BIG-IP system synchronizes floating self IP addresses only. Static self IP addresses are not synchronized. Also, for Sync-Only device groups, you can configure automatic synchronization.
  1. On the Main tab, click Device Management > Device Groups. This displays a list of existing device groups, if any.
  2. In the Group Name column, click the name of the relevant device group.
  3. On the menu bar, click Config Sync.
  4. Determine a direction for synchronization, and then click one of these buttons:
    Synchronize TO Group: synchronizes the configuration data on the local device to all device group members.
    Synchronize FROM Group: synchronizes the configuration data on other device group members to the local member.
Except for static self IP addresses, the entire set of BIG-IP configuration data is replicated on each device in the device group.
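Deciding between Synchronize TO Group and Synchronize FROM Group comes down to which member holds the newest changes, and the device group's sync status tells you that. The script below is an added example, not F5 code, and serves this procedure as well as the manual synchronization step in the two-system implementation earlier in this chapter and the identical procedure in the disaster recovery implementation that follows. It parses a sync-status document and turns the recommended action into the tmsh command to run on the local device. The embedded JSON is a constructed sample that approximates the shape of the iControl REST response from GET /mgmt/tm/cm/sync-status; the nesting, the field names and the wording of the detail lines are assumptions to be checked against a real device before you depend on them.

```python
"""Work out whether a manual config sync is needed, and in which direction.

Added example, not F5 code.  SAMPLE_SYNC_STATUS is a constructed document that
approximates an iControl REST sync-status response (an assumption, not a
captured response).
"""
from __future__ import annotations

import json
import re

# Constructed sample: bigip-b holds changes the failover group has not seen yet,
# while the ASM-enabled Sync-Only group is already in sync.
SAMPLE_SYNC_STATUS = json.dumps({
    "kind": "tm:cm:sync-status:sync-statusstats",
    "entries": {
        "https://localhost/mgmt/tm/cm/sync-status/0": {
            "nestedStats": {
                "entries": {
                    "color": {"description": "blue"},
                    "mode": {"description": "high-availability"},
                    "status": {"description": "Changes Pending"},
                    "summary": {"description": "There is a possible change conflict between "
                                               "bigip-a.example.com and bigip-b.example.com."},
                    "https://localhost/mgmt/tm/cm/syncStatus/0/details": {
                        "nestedStats": {
                            "entries": {
                                "https://localhost/mgmt/tm/cm/syncStatus/0/details/0": {
                                    "nestedStats": {"entries": {"details": {
                                        "description": "bigip-b.example.com: connected"}}}},
                                "https://localhost/mgmt/tm/cm/syncStatus/0/details/1": {
                                    "nestedStats": {"entries": {"details": {
                                        "description": "asm-sync (In Sync): All devices in the device group are in sync"}}}},
                                "https://localhost/mgmt/tm/cm/syncStatus/0/details/2": {
                                    "nestedStats": {"entries": {"details": {
                                        "description": "failover-group (Changes Pending): Recommended action: "
                                                       "Synchronize bigip-b.example.com to group failover-group"}}}},
                            }
                        }
                    },
                }
            }
        }
    },
})

ACTION_RE = re.compile(r"Recommended action: Synchronize (\S+) to group (\S+)")


def _descriptions(node, key, out=None):
    """Collect every {"description": ...} value stored under a dict key named ``key``."""
    out = [] if out is None else out
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key and isinstance(v, dict) and "description" in v:
                out.append(v["description"])
            else:
                _descriptions(v, key, out)
    return out


def parse_sync_status(raw: str) -> dict:
    """Flatten the nested sync-status document into status, colour, summary and detail lines."""
    doc = json.loads(raw)
    stats = next(iter(doc["entries"].values()))["nestedStats"]["entries"]
    return {
        "status": stats["status"]["description"],
        "color": stats["color"]["description"],
        "summary": stats["summary"]["description"],
        "details": _descriptions(stats, "details"),
    }


def plan_sync(status: dict, local_device: str):
    """Return the tmsh command to run on ``local_device``, or None when nothing is pending."""
    if status["status"] == "In Sync":
        return None
    for line in status["details"]:
        m = ACTION_RE.search(line)
        if not m:
            continue
        source, group = m.groups()
        if source == local_device:
            # The local device holds the newest changes: push them to the group.
            return f"tmsh run cm config-sync to-group {group}"
        # Another member holds the newest changes: pull them into the local device.
        return f"tmsh run cm config-sync from-group {group}"
    return "inspect: status is not In Sync but no recommended action was reported"


if __name__ == "__main__":
    st = parse_sync_status(SAMPLE_SYNC_STATUS)
    print(st["status"], "|", st["summary"])
    print(plan_sync(st, "bigip-a.example.com"))
```

With the constructed sample, a run on bigip-a recommends a FROM Group sync (the newer configuration is on bigip-b), while the same status read on bigip-b recommends a TO Group sync; both produce the result the page describes, so pick the one you run on the device you are logged in to. Treat a "possible change conflict" summary as a prompt to review what changed on each device before synchronizing, because the direction you choose overwrites the other member's pending configuration, security policies included.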

Result: Synchronizing multiple ASM systems

You have set up multiple BIG-IP® systems running Application Security Manager™ (ASM) so that they automatically synchronize their security policies and configurations. In addition, you can manually synchronize the Local Traffic Manager™ (LTM®) configuration, as needed.

You can create new security policies or update existing ones on any of the devices in the group, or update the ASM™ configuration options (Application Security > Options). Any ASM changes you make on one device are automatically synchronized with the other devices in the ASM-enabled Sync-Only device group.

If Attack Signatures Update Mode is scheduled for automatic update, the attack signature update settings are synchronized. Each device in the device group updates itself independently according to the configured schedule. If you manually upload attack signatures or click Upload Signatures to update from the server, the update is propagated to all of the devices in the device group.

Overview: Synchronizing ASM systems for disaster recovery

This implementation describes how to set up multiple BIG-IP® systems running Application Security Manager™ (ASM) so that you can synchronize their security policies and configurations for disaster recovery. You could use this implementation to back up BIG-IP ASM™ security policies and configurations on systems residing in different network segments or LANs, such as those in separate offices or data centers. Note that traffic must be routable between the network segments. If a disaster occurs at one of the offices and both devices are disabled, the latest security policies are still available on the systems in the other location.

Synchronizing ASM systems for disaster recovery

In this configuration, two pairs of BIG-IP systems are each set up for redundancy: one active and the other standby. Each pair is in a different network segment (LAN), and you can add more pairs as needed. The two devices in a pair share the same default routing; the devices in the other LAN use their own routing.

All of the systems are running ASM and are in the same device trust. Three device groups are set up: one Sync-Failover device group for each pair (not ASM-enabled), and one ASM-enabled Sync-Only device group that uses automatic synchronization and contains all of the systems. The ASM configurations and security policies are automatically duplicated on all of the systems. You can manually synchronize the BIG-IP configurations of each pair of systems when needed.
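The multi-system and disaster recovery layouts both rest on a few membership rules stated in this chapter: a device can belong to only one Sync-Failover group, a device can belong to only one ASM-enabled group, every member of an ASM-enabled group must have ASM provisioned, and every group member must already be in the device trust. The following checker, added here as an example and not F5 code, encodes those rules so a planned layout can be validated before any device group is created in the GUI. The device and group names are constructed; the disaster recovery layout mirrors the one described above, and the broken layout shows how the checker reports mistakes.

```python
"""Validate a planned device-group layout against the rules in this chapter.

Added example, not F5 code.  Device and group names are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    asm_provisioned: bool = True


@dataclass
class DeviceGroup:
    name: str
    kind: str                      # "sync-failover" or "sync-only"
    members: tuple                 # device names
    asm_sync: bool = False         # Application Security > Synchronization points here
    auto_sync: bool = False        # "automatically sync the configuration" checkbox


def validate_topology(trust, groups) -> list:
    """Return findings for ``groups`` built from the devices in ``trust`` (empty = valid)."""
    by_name = {d.name: d for d in trust}
    findings = []
    failover_of = defaultdict(list)   # device -> Sync-Failover groups it belongs to
    asm_group_of = defaultdict(list)  # device -> ASM-enabled groups it belongs to

    for g in groups:
        if g.kind not in ("sync-failover", "sync-only"):
            findings.append(f"{g.name}: unknown group type {g.kind!r}")
        if len(g.members) < 2:
            findings.append(f"{g.name}: a device group needs at least two members")
        for m in g.members:
            if m not in by_name:
                findings.append(f"{g.name}: {m} is not in the device trust")
                continue
            if g.kind == "sync-failover":
                failover_of[m].append(g.name)
            if g.asm_sync:
                asm_group_of[m].append(g.name)
                if not by_name[m].asm_provisioned:
                    findings.append(f"{g.name}: {m} is a member but ASM is not provisioned on it")

    for dev, names in failover_of.items():
        if len(names) > 1:
            findings.append(f"{dev}: member of more than one Sync-Failover group ({', '.join(names)})")
    for dev, names in asm_group_of.items():
        if len(names) > 1:
            findings.append(f"{dev}: member of more than one ASM-enabled group ({', '.join(names)})")

    # Not a hard rule, but an ASM device outside every ASM-enabled group will
    # silently keep its own, unsynchronized security policies.
    for d in trust:
        if d.asm_provisioned and d.name not in asm_group_of:
            findings.append(f"{d.name}: ASM is provisioned but no ASM-enabled group includes it")
    return findings


# Constructed disaster-recovery layout: one active/standby pair per data center
# plus one ASM-enabled Sync-Only group with automatic sync spanning every device.
TRUST = {Device("dc1-bigip-a"), Device("dc1-bigip-b"), Device("dc2-bigip-a"), Device("dc2-bigip-b")}
DR_LAYOUT = [
    DeviceGroup("dc1-failover", "sync-failover", ("dc1-bigip-a", "dc1-bigip-b")),
    DeviceGroup("dc2-failover", "sync-failover", ("dc2-bigip-a", "dc2-bigip-b")),
    DeviceGroup("asm-sync", "sync-only",
                ("dc1-bigip-a", "dc1-bigip-b", "dc2-bigip-a", "dc2-bigip-b"),
                asm_sync=True, auto_sync=True),
]

# The same devices laid out wrongly: dc2-bigip-a is in both failover groups, ASM
# sync is enabled on two overlapping groups, and a device outside the trust is listed.
BROKEN_LAYOUT = [
    DeviceGroup("dc1-failover", "sync-failover", ("dc1-bigip-a", "dc1-bigip-b", "dc2-bigip-a"), asm_sync=True),
    DeviceGroup("dc2-failover", "sync-failover", ("dc2-bigip-a", "dc2-bigip-b")),
    DeviceGroup("asm-sync", "sync-only",
                ("dc1-bigip-a", "dc1-bigip-b", "dc2-bigip-a", "dc2-bigip-b", "lab-bigip"),
                asm_sync=True, auto_sync=True),
]

if __name__ == "__main__":
    print("DR layout findings:", validate_topology(TRUST, DR_LAYOUT))
    for line in validate_topology(TRUST, BROKEN_LAYOUT):
        print(line)
```

The disaster recovery layout passes cleanly; the broken layout is reported with one finding for the device in two Sync-Failover groups, three for the devices covered by two ASM-enabled groups, and one for the device missing from the trust. The last rule is deliberately a finding rather than an error: the chapter only requires that a device be in at most one ASM-enabled group, but a device left out of all of them is usually an oversight that leaves it enforcing stale security policies.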

Task Summary

Performing basic network configuration for synchronization

You need to perform basic networking configuration for each of the BIG-IP® systems whose Application Security Manager™ (ASM) configurations you want to synchronize.
  1. Install the same BIG-IP system version (including any hot fixes) on each device.
  2. Provision LTM® and ASM™ on each device (System > Resource Provisioning).
  3. On each device, create one or more VLANs, depending on your networking configuration (Network > VLANs).
  4. On each device, create a self IP (Network > Self IPs). When creating the self IP, set Traffic Group to traffic-group-local-only (non-floating).
  5. On each device, create a default gateway, if needed (Network > Routes).
  6. On each device, configure DNS (System > Configuration > Device > DNS) and NTP (System > Configuration > Device > NTP) so they are set to the same time.
  7. Verify connectivity between the devices (self IP address to self IP address). For example, use this command to check communications: ping -I vlan_interface device_self_IP
  8. On each device, specify the IP address to use when synchronizing configuration objects to the local device:
    1. Click Device Management > Devices.
    2. Click the name of the local device.
    3. From the Device Connectivity menu, choose ConfigSync.
    4. For the Local Address setting, select the self IP address.
  9. If your company requires special device certificates, install them on each device (System > Device Certificates and click Import).
The basic networking setup is complete for the BIG-IP ASM systems for which you want to share security policies and configurations.

Adding a device to the device trust

Establish lines of communication between the BIG-IP® systems for which you want to synchronize security policies and configurations by adding those systems to a device trust. You do this task on only one of the systems.
  1. On the Main tab, click Device Management > Device Trust > Local Domain.
  2. In the Peer Authority Devices area of the screen, click Add.
  3. Type an IP address, administrator user name, and administrator password for the remote BIG-IP device. This IP address can be either a management IP address or a self IP address.
  4. Click Next.
  5. Verify that the certificate of the remote device is correct.
  6. Click Next.
  7. Verify that the name of the remote device is correct.
  8. Click Next.
  9. Verify that the management IP address and name of the remote device are correct.
  10. Click Next.
  11. Confirm new device trust: recheck the IP address and name, then click Finished. The system creates the trust domain and adds the devices to the Peer Authority Devices list. The trust status of the devices is In Sync.
The BIG-IP ASM™ systems that you want to share security policies and configurations are now part of a device trust.

Creating a Sync-Failover device group

Devices that you want to add to a device group must already be in a device trust.
Perform this procedure to create a Sync-Failover device group for each office or data center in which you want an active and standby BIG-IP® system. You can perform this task on any authority device within the local trust domain.
  1. On the Main tab, click Device Management > Device Groups. This displays a list of existing device groups, if any.
  2. On the Device Group List screen, click Create.
  3. Type a name for the device group, select the device group type Sync-Failover, and type a description for the device group.
  4. Click Next.
  5. Select the IP address and host name for each BIG-IP device that you want to include in the device group. The list shows any devices that are members of the device's local trust domain but not currently members of a Sync-Failover device group. A device can be a member of one Sync-Failover group only.
  6. Click Next.
  7. Check the box labeled Yes, enable network failover for the group.
  8. Click Next.
  9. Click Finished.
You now have a Sync-Failover device group containing BIG-IP devices as members.
Next, you need to specify IP addresses for failover.

Specifying IP addresses for failover

When configuring failover IP addresses on BIG-IP® systems, you specify local IP addresses for devices in the device group to use for failover communications. You perform this task on both the active and the standby devices.
  1. On the Main tab, click Device Management > Devices. This displays a list of device objects discovered by the local device.
  2. In the Name column, click the name of the device you want to configure.
  3. From the Device Connectivity menu, choose Failover.
  4. Add a Failover Unicast address:
    1. Click Add.
    2. For the Local Address setting, specify the IP address of the device to use for failover communications (for example, the self IP address).
    3. Click Finished.
  5. If the BIG-IP system is running on a VIPRION® platform, then for the Failover Multicast Configuration setting, click Enable.
  6. Click Save Changes.
When you specify the failover address on both units, the devices are set up as active/standby.

Creating a Sync-Only device group

Use this procedure to create a Sync-Only type of device group. You can perform this task on any BIG-IP® device within the local trust domain.
  1. On the Main tab, click Device Management > Device Groups. This displays a list of existing device groups, if any.
  2. On the Device Group List screen, click Create.
  3. Type a name for the device group, select the device group type Sync-Only, and type a description for the device group.
  4. Click Next.
  5. Select the IP address and host name for each BIG-IP device that you want to include in the device group. The list shows any devices that are members of the device's local trust domain.
  6. Click Next.
  7. Select the check box labeled Yes, automatically sync the configuration between devices.
  8. Click Next.
  9. Click Finished.
You now have a Sync-Only type of device group containing BIG-IP devices as members.

Enabling ASM synchronization on a Sync-Only device group

You need to have set up the BIG-IP® systems you want to synchronize in a device trust and a device group. Application Security Manager™ (ASM) must be provisioned on all the systems in the device group.
You can enable ASM™ synchronization on a device group to synchronize security policies and configurations on all devices in the device group. You do this task on one system, for example, the active system in an active/standby pair.
  1. On the Main tab, click Application Security > Synchronization. The system displays a list of device groups of which this device is a member.
  2. For Device Group, select the Sync-Only device group you created.
  3. Click Save.
The BIG-IP ASM™ systems that you want to share security policies and configurations are part of a Sync-Only device group with ASM synchronization.

Manually synchronizing the BIG-IP configuration

You can manually synchronize the BIG-IP® configuration to or from other device group members. To determine if a manual config sync is necessary, you can list the members of the device group and view the synchronization status of each member.
Note: When synchronizing self IP addresses, the BIG-IP system synchronizes floating self IP addresses only. Static self IP addresses are not synchronized. Also, for Sync-Only device groups, you can configure automatic synchronization.
  1. On the Main tab, click Device Management > Device Groups. This displays a list of existing device groups, if any.
  2. In the Group Name column, click the name of the relevant device group.
  3. On the menu bar, click Config Sync.
  4. Determine a direction for synchronization, and then click one of these buttons:
    Synchronize TO Group: synchronizes the configuration data on the local device to all device group members.
    Synchronize FROM Group: synchronizes the configuration data on other device group members to the local member.
Except for static self IP addresses, the entire set of BIG-IP configuration data is replicated on each device in the device group.

Result: Synchronizing ASM systems for disaster recovery

You have set up disaster recovery for multiple BIG-IP® systems running Application Security Manager™ (ASM). Each office or data center has an active system and a standby that takes over if the active system should fail. You must manually synchronize the BIG-IP configuration from one system to the other if you change the configuration.

You can create new security policies or update existing ones on any of the devices in the group, or update the ASM™ configuration options (Application Security > Options). Any changes you make on one device are automatically synchronized with the other devices in the ASM-enabled Sync-Only device group.

If Attack Signatures Update Mode is scheduled for automatic update, the attack signature update settings are synchronized. Each device in the device group updates itself independently according to the configured schedule. If you manually upload attack signatures or click Upload Signatures to update from the server, the update is propagated to all of the devices in the device group.
