Syncing access policies from one BIG-IP® Access Policy Manager® device to another Access Policy Manager (APM®) device, or to multiple devices in a device group allows you to maintain up-to-date access policies on multiple APM devices, while adjusting appropriate settings for objects that are specific to device locations.
To synchronize access policies between multiple devices, you first configure a Sync-Only device group that includes the devices between which you want to synchronize access policies. Device group setup requires establishing trust relationships between the devices and then creating the device group. You set the devices in each group to use Automatic Sync and Full Sync, and then synchronize access policies one at a time, resolving conflicts as needed.
Access policy synchronization in Sync-Only and Sync-Failover device groups
Before you configure device trust, you should consider the following:
Before you begin this task, verify that:
You perform this task to establish trust among devices on one or more network segments. Devices that trust each other constitute the local trust domain. A device must be a member of the local trust domain prior to joining a device group.
By default, the BIG-IP software includes a local trust domain with one member, which is the local device. You can choose any one of the BIG-IP devices slated for a device group and log into that device to add other devices to the local trust domain. For example, devices Bigip_1, Bigip_2, and Bigip_3 each initially shows only itself as a member of the local trust domain. To configure the local trust domain to include all three devices, you can simply log into device Bigip_1 and add devices Bigip_2 and Bigip_3 to the local trust domain; there is no need to repeat this process on devices Bigip_2 and Bigip_3.
The Ignore errors due to Variable Assign Agent during sync setting affects system behavior only when a Variable Assign agent is included in an access policy, and the Variable Assign agent uses resources.
If you set Ignore errors due to Variable Assign Agent during sync to Yes:
If you set Ignore errors due to Variable Assign Agent during sync to No:
To summarize, you now have synchronized access policies between devices in a sync-only device group.
On the Sync Details tab, you can see sync status for an access policy.
| Field | Description |
|---|---|
| Device | The specific device to which the access policy was synced. |
| Sync Status | One of the following: |
| Status End Time | The time at which the last status entry completed on the specific device. |
| Sync Status Details | More information about the Sync Status for a specific device. |
On the Sync History tab, you can see the sync history for an access policy.
| Field | Description |
|---|---|
| Last Sync | The last time a sync was initiated for this access policy. |
| Last Sync Status | The outcome of the last sync for this access policy. |
| Device Group | The device group to which the access policy was synced. |
| Description | A clickable icon that presents information about the sync operation for the device group. |
| Non Location Specific Objects | An access policy was created with certain resources which the sync process indicates are not location-specific, but that might in fact be location-specific on the target device. This column lists such objects, which you can then verify by checking the objects on the remote systems, and modify if necessary. |