Forum Discussion
In response to your question about whether or not an iRule is evaluated before an ASM security policy, the answer is, "It depends." Think TCP stack on client-side and server-side connections, as well as request and response contexts. For example, if the iRule is triggered on a client-side L4 event, such as CLIENT_ACCEPTED, then the iRule will be evaluated before the ASM security policy. However, if the iRule is triggered on a server-side event, such as SERVER_CONNECTED, then the ASM policy will be evaluated for the request before the iRule. If you are just comparing at L7, then on an HTTP_REQUEST event, for example, it would appear the iRule is evaluated first. (I ran a quick test with an iRule that triggered on HTTP_REQUEST and sent a custom HTTP response. I received the response from the iRule and no ASM event log messages were recorded.) You can also trigger an iRule on certain ASM events, in which case you could say that the evaluation of the iRule is interspersed with the evaluation of the ASM policy.
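An iRule for reproducing the ordering test described in the answer above. This is an added example, not code from the original post. It assumes a virtual server with an HTTP profile and an ASM policy that has "Trigger ASM iRule Events" enabled; the `/irule-order-test` path and the `order-test:` log prefix are hypothetical names chosen for illustration.

```tcl
# Added example: log each event named in the answer so their order can be
# read back from /var/log/ltm for a single request.

when CLIENT_ACCEPTED {
    # Client-side L4 event: fires when the client connection is accepted.
    log local0. "order-test: CLIENT_ACCEPTED from [IP::client_addr]"
}

when HTTP_REQUEST {
    log local0. "order-test: HTTP_REQUEST [HTTP::method] [HTTP::uri]"

    # Hypothetical test path: answer directly from the iRule, as in the
    # poster's quick test. Compare the log lines for this path with those
    # for any other path that is allowed to continue to the ASM policy.
    if { [HTTP::path] eq "/irule-order-test" } {
        HTTP::respond 200 content "answered by iRule\n" "Content-Type" "text/plain"
        return
    }
}

when ASM_REQUEST_DONE {
    # Fires only when the ASM policy has finished evaluating the request
    # and ASM iRule events are enabled in the policy.
    log local0. "order-test: ASM_REQUEST_DONE status=[ASM::status] support_id=[ASM::support_id]"
}

when SERVER_CONNECTED {
    # Server-side L4 event: fires once a pool member connection exists.
    log local0. "order-test: SERVER_CONNECTED to [IP::server_addr]"
}
```

Any path that an iRule answers on HTTP_REQUEST is worth checking in the ASM event log, since the poster's test recorded no ASM event for such a request.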
Very interesting analysis crodriguez, how about the order between LTM and ASM policy?