Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

Steph_282542's avatar
Steph_282542
Oct 05, 2017

ASM Policy in "Blocking" Mode switch to "Transparent" for some IP's

I have a policy that I need to switch to blocking but the business want to have a phased approach. Only the testing team should be in Blocking, while the rest of the business (a different IP range) ...
application delivery
ASM Advanced WAF
irules
security
Steph's avatar
Steph
Icon for Nimbostratus rankNimbostratus
Oct 06, 2017

Hi Chris,

 

I had the idea of duplicating the policy, the discipline about syncing both policy is not an issue ;) The tools on the F5 (Policy Diff) will help a lot. The concerns are more related to the business who want "One and Same" policy for both.

 

You are correct, there will be the internal IP range which should be in blocking mode in the first place, and the rest of the world in transparent.

 

There will be 2 VS pointing to the same policy : * one internal * one for the others

 

Using exclusion list will make the story a bit complicated. An iRule to disable ASM would take not more than 3 lines of code... instead of a "disable ASM" I could use a command to set the policy to transparent... but I can't find anything about that.