Syncing F5 APM Policies Across Cloud Regions or Datacenters

In a previous article, I discussed the syncing of F5 ASM policies across BIG-IP instances stretching separate datacenters or different cloud regions. This use case was extremely useful to me when deploying standalone BIG-IPs in the same AWS regions but separate availability zones. The application I was securing was in both AZ's as an active/active instance so I needed to ensure WAF policies were being synced.

Today I wanted to discuss a very similar use case though with a different F5 module -- the Access Policy Manager (APM). In the same environment, I was supporting authentication and single sign-on (SSO) to the same application yet different availability zones. They were authenticating to the same active directory infrastructure using the same attributes so I needed to come up with an automated solution of syncing configurations rather than me making human mistakes when trying to duplicate them across BIG-IPs. So with the use case out of the way, let's get started deploying it.

Prerequisites

Define a ConfigSync Address on the Devices to Share APM Configs

  • Navigate to Device Management >> Devices.
  • Click the device listed.
  • Select the ConfigSync tab.
  • From the drop-down menu, select a local address to be used.

Note: I am using the Internal Self IP for demonstration purposes.

  • Repeat this step on the other device to be synced.

Configuring a Device Trust

  • Navigate to Device Management >> Device Trust : Device Trust Members.
  • Click Add.

  • Device Type: Peer
  • Device IP Address: Management or Self IP address of the peer
  • Administrator Username: admin
  • Administrator Password: the admin password
  • Click Retrieve Device Information.

  • Click Device Certificate Matches.

  • Click Add Device.

Create a Sync-Only Device Group

  • Navigate to Device Management >> Device Groups.
  • Click Create.

  • Name: demo_sync_only
  • Group Type: Sync-Only
  • Members: Include the BIG-IP's to be synced
  • Sync Type: Automatic with Incremental Sync
  • Click Finished.

Perform Initial Sync of Device Groups if Prompted with Changes Pending

In the event you receive a notice of Changes Pending, perform a sync of Manual Sync Groups. Though the device group created in the previous steps is Automatic, there are global sync groups and trust groups created during the process of establishing trusts. Believe me, there is no need to worry. The device group that was created in this how-to will be synced automatically without manual intervention.

  • Click Changes Pending from the top left of the TMUI.

  • Identify the Device Group that is not in sync.
  • Click Sync.

Note: If you have issues syncing, a quick step would be to delete the Device Group, ensure all other default device groups have synced and recreate the Device Group.

Configure APM Policy Syncing

Before we get started, let's take a look at the policy we are going to sync and see why it can be very beneficial to sync rather than manually recreating the policy.

In this policy, I am performing smart card auth with AD auth as a fallback. To support multi-factor authentication I have configured the AD auth branch to use F5's native OTP capability. Now, this is a simple policy, could you imagine doing a complex policy across 10 or more BIG-IP's? Me either!

  • Navigate to Access >> Profiles / Policies : Policy Sync

  • Select the policy you would like to sync and click Sync Policy.
  • Device Group: demo_sync_only
  • Description: Any
  • Ignore errors due to Variable Assign Agent during sync: In this scenario, I have selected yes to ignore errors related to a variable assign object related to smart card authentication.
  • Use Source configuration on Target: In this scenario, I have selected yes to sync static and dynamic objects in my policy.

Once the APM Policy Sync pop up displays as shown above, you will notice there are options to Ignore errors, Use Source configuration on Target as well as Advanced Settings. The goal of this article is a basic introduction of the ability to sync policies. I will not review each setting in detail though I will provide the F5 overview of each setting. Additional information on syncing APM policies can be found here.

  • The Ignore errors due to Variable Assign Agent during sync setting affects system behavior only when a Variable Assign agent is included in a per-session policy and the Variable Assign agent uses resources. (The username and password fields are not considered to be resources.)
  • Setting the Use Source configuration on Target value to Yes will ensure that all the resources (static and dynamic) created on the target as part of the synced policy will be exactly the same as on the source. So there will be no need to Resolve Conflicts for such Resources on each target device.
  • Click Sync.
  • Once you see a completed status, view the Sync Details to ensure a successful sync.

  • Log into the device that was receiving the sync and validate the Access Policy exists and review all settings.

You have now successfully synced Access Policies across appliances in separate datacenters or cloud regions. Until next time!

Published Jan 04, 2019
Version 1.0

Was this article helpful?

2 Comments

  • if I remember well, there is (was?) a limitation: you cannot add the source BIGIP in a sync-failover cluster after configuring a sync-only. So the solution is either to build the Sync-failover cluster before or temporarily remove the sync-only, create the sync-failover and re-create the sync-only.

     

  • Amolari, thanks for the feedback. Yes, you are correct.

     

    Understanding policy sync device group setup for Active-Standby pairs To add devices to a device group, all devices must belong to the same local trust domain. If you want to sync access policies with a device that does not belong to the local trust domain, but also belongs to a Sync-Failover group, you must reset the trust between the devices and remove them from the Sync-Failover device group. (For more information, see BIG-IP® Device Service Clustering: Administration on the AskF5™ web site located at http://support.f5.com/.)

     

    After you establish device trust between your BIG-IP system and the devices, you can add them to a Sync-Failover group again.