Lab 2: Sync Only exercise

Objective: Add a sync only device group. You have already configured two VE’s in an Active/Active Configuration with two traffic groups. Add a 3rd VE. Create new Sync-Only group, and new Partition that will leverage new Sync-Only group. Create new SSL profile which will sync to all devices.

Prerequisites and Notes

Have at least 2 VE’s in an Active/Active Failover Configuration.

Note that for this exercise we will use three network interfaces (as in in the previous failover exercise)

1.1 = External Network Interface (Wan Side)

1.2 = Internal network interface (LAN Side)

1.3 = High Availability Network Interface

TASK 1 – Add HA Self IP to bigip3.lab

  1. Go to Network -> Self Ips -> Create

    • Name:
    • IP Address:
    • Netmask:
    • VLAN: HA
    • Port Lockdown: Allow Default
  2. Click Finished


TASK 2 – Update Config-Sync Properties on bigip3.lab

  1. Go to Device Management -> Devices

  2. Click on then bigip3.lab (Self) link

  3. Go to ConfigSync tab

  4. Select (HA) in Local Address dropdown

  5. Click Update


TASK 3 – Add bigip3 to peer list on bigip1

  1. Go to Device Management -> Device Trust -> Device Trust Members -> Add


  2. Click on Retrieve Device Information

  3. Click Device Certificate Matches

  4. Click Add Device


  5. Go to bigip3 and verify bigip1 and bigip2 are now in the peer list


TASK 4 – Create New Sync Only Group

On bigip1:

Create a sync only group

  1. Go to Device Management -> Device Groups -> Create

    • Name = device_group_02_so
    • Group Type = Sync-Only
    • Members = All 3 bigip’s


  2. Click Finished

Perform initial sync

  1. Click Awaiting Initial Sync in the upper-left of the GUI

  2. Choose device_group_02_so, then choose bigip1.

  3. Select Push the selected device configuration to the group and then click Sync


TASK 5 – Create New Partition and SSL Profile, Configure for Sync-Only

On bigip1:

Create new Partition

  1. Go to System -> Users -> Partition List -> Create

    • Partition Name = partition_02_so
    • Device Group = (uncheck "Inherit device group from root folder" box), device_group_02_so
    • Traffic Group = None


  2. Click Finished

Create new Client SSL Profile

  1. Go to Local Traffic -> Profiles -> SSL -> Client

  2. Change Partition to partition_02_so in the upper-right of the GUI


  3. Click Create

    • Name = clientssl_02_lab
    • Accept all defaults
  4. Click Finished

Sync Changes

  1. On bigip2 and bigip3, confirm this Sync-Only clientssl profile has synced
  2. Go to Local Traffic -> Profiles -> SSL –> Client
  3. Choose partition_02_so
  4. Is clientssl_02_lab there?

What are some practical uses for Sync-Only device groups?