Forum Discussion
ASM httpclass to local policy
I am doing some work to migrate ASM policies based on httpclass to local traffic policies.
Currently I have a number of ASM policies applied to the same virtual server through a number of httpclasses. The structure is like this:
match URI 1 -> asm policy 1
match URI 2 -> asm policy 2
match URI 3 -> asm policy 3
Otherwise deny all
With httpclass, each line can be represented with an httpclass. I am having difficulties with the local traffic policy: when ASM is selected as controls, I must provide a default policy with an ASM policy, and I need to make it a default deny. Can anyone suggest how to implement a default deny with an ASM policy?
Thanks
2 Replies
- nolipineda
Altostratus
I'd be interested in the answer to this too.
- Hannes_Rapp
Nimbostratus
You do not need to define a default ASM policy. You only need to define a default ASM action which could be "ASM Disable".
Use the lp_sample for your reference.
action_default: If HTTP path match is false, request will receive TCP/RST packet from F5 in response
action_conditional1: If HTTP path match is true (/parentpath/subpath/path1 or /parentpath/subpath/anotherpath), F5 will enable ASM security policy sp_securitypolicy1
action_conditional2: If HTTP path match is true (/parentpath/path2 or /parentpath/anotherpath2), F5 will enable ASM security policy sp_securitypolicy2

    ltm policy /Common/lp_sample {
        controls { asm forwarding }
        requires { http }
        rules {
            action_conditional1 {
                actions {
                    0 {
                        asm enable policy /Common/sp_securitypolicy1
                    }
                }
                conditions {
                    0 {
                        http-uri path values { /parentpath/subpath/path1 /parentpath/subpath/anotherpath }
                    }
                }
                ordinal 2
            }
            action_conditional2 {
                actions {
                    0 {
                        asm enable policy /Common/sp_securitypolicy2
                    }
                }
                conditions {
                    0 {
                        http-uri path values { /parentpath/path2 /parentpath/anotherpath2 }
                    }
                }
                ordinal 3
            }
            action_default {
                actions {
                    0 {
                        forward reset
                    }
                    1 {
                        asm disable
                    }
                }
                ordinal 1
            }
        }
        strategy /Common/best-match
    }
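Added example (not part of the original thread and not F5 code): a small Python check that parses the lp_sample text from the reply above and confirms that a path matching no rule falls through to the reset action. It assumes each condition is an exact match on the HTTP path and models best-match simply as "the matching rule with the most conditions wins"; the function names are hypothetical.

```python
import re

# Constructed input: the lp_sample policy from the reply above, as tmsh text.
POLICY = """
ltm policy /Common/lp_sample { controls { asm forwarding } requires { http } rules {
  action_conditional1 { actions { 0 { asm enable policy /Common/sp_securitypolicy1 } }
    conditions { 0 { http-uri path values { /parentpath/subpath/path1 /parentpath/subpath/anotherpath } } } ordinal 2 }
  action_conditional2 { actions { 0 { asm enable policy /Common/sp_securitypolicy2 } }
    conditions { 0 { http-uri path values { /parentpath/path2 /parentpath/anotherpath2 } } } ordinal 3 }
  action_default { actions { 0 { forward reset } 1 { asm disable } } ordinal 1 }
} strategy /Common/best-match }
"""

def parse(tokens):
    """Consume tokens up to the matching '}' -> (bare words, named child blocks)."""
    words, kids = [], {}
    while tokens:
        tok = tokens.pop(0)
        if tok == "}":
            break
        if tok == "{":
            kids[words.pop()] = parse(tokens)  # the word before '{' names the block
        else:
            words.append(tok)
    return words, kids

def load_rules(text):
    """Return {rule name: (list of allowed-path sets, list of action strings)}."""
    _, top = parse(re.findall(r"[{}]|[^\s{}]+", text))
    _, policy = next(iter(top.values()))
    rules = {}
    for name, (_, rule) in policy["rules"][1].items():
        actions = [" ".join(w) for w, _ in rule["actions"][1].values()]
        # Assumption: every condition is an exact-match list of HTTP paths.
        conds = [set(k["values"][0]) for _, k in rule.get("conditions", ([], {}))[1].values()]
        rules[name] = (conds, actions)
    return rules

def decide(rules, path):
    """Simplified best-match model: the matching rule with the most conditions wins."""
    hits = [(len(c), n) for n, (c, _) in rules.items() if all(path in v for v in c)]
    return rules[max(hits)[1]][1] if hits else []

def default_denies(rules):
    """True if a rule with no conditions (the catch-all) resets the connection."""
    return any(not c and "forward reset" in a for c, a in rules.values())

if __name__ == "__main__":
    r = load_rules(POLICY)
    print("default deny:", default_denies(r))
    for p in ("/parentpath/path2", "/not/listed"):
        print(p, "->", decide(r, p))
```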