For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Hamada_Tabosha_'s avatar
Hamada_Tabosha_
Icon for Nimbostratus rankNimbostratus
Apr 30, 2014

Bypassing the BIG-IP ASM

Dears, I have two application sharing the sama physical server, I need to use one Virtual server, to inspect the first application via ASM and not to inspect the second one.

 

I red this articular http://support.f5.com/kb/en-us/solutions/public/14000/700/sol14709.html and my image is 11.4.1 so its fit to this article.

 

I want to use the first choice mentioned in the article, but in my virtual server options I cant see the (conditions) and the (actions)...

 

anyway if its not there and I should go for the second choice (irule), so is following irule is correct :

 

when HTTP_REQUEST { if {[HTTP::uri] contains "URL_OF_APPLICATION_NUMBER_2" } { ASM::disable log local0. "ASM disabled." } else { ASM::enable /Common/MY_ASM__POLICY_NAME log local0. "ASM enabled. Current ASM policy is [ASM::policy]" } }

 

application delivery
ASM Advanced WAF
design
devops
iRules
LTM
security

6 Replies

  • Cory_50405's avatar
    Cory_50405
    Icon for Noctilucent rankNoctilucent
    Apr 30, 2014

    To use the first option, you'll have to create a local traffic policy (Local Traffic -> Policies -> Policies List, then click 'Create' at the top right).

     

    You'll need to create two rules within the policy. The first rule will be your default rule. No match condition, but your action should be asm request enable and specify the ASM policy you want to use (/Common/MY_ASM__POLICY_NAME). The second rule will be for your application that you want to disable ASM on. Your match condition will be http-uri request path contains "uri-of-application", and your action will be asm request disable.

     

    After these two rules have been created, move your default rule (enabling ASM) to the top of the list.

     

    • Hamada_Tabosha_'s avatar
      Hamada_Tabosha_
      Icon for Nimbostratus rankNimbostratus
      May 01, 2014
      Thank you Cory, but I think the second rule (disable ASM) should be in the top, and the strategy in the policy should be first match ....do you agree ? And whats about if I have the same case but I need to enable ASM for both, and each one in a different virtual server ? Are you agree that I can put them in one virtual server, apply two policy by the rules option in the same way?
  • Hamada_Tabosha_'s avatar
    Hamada_Tabosha_
    Icon for Nimbostratus rankNimbostratus
    May 01, 2014

    Thank you Cory, but I think the second rule (disable ASM) should be in the top, and the strategy in the policy should be first match ....do you agree ?

     

  • Cory_50405's avatar
    Cory_50405
    Icon for Noctilucent rankNoctilucent
    May 01, 2014

    You can do it either way really. I ordered it with the second rule being 'enable ASM' for a higher default security posture. Putting the 'enable ASM' as the first rule will work the way you want it to as well.

     

    • Hamada_Tabosha_'s avatar
      Hamada_Tabosha_
      Icon for Nimbostratus rankNimbostratus
      May 29, 2014
      Hi cory, Kindly I have another question: Can i have a VS1 and applying irule on it , saying that if the URL is (A) forward the traffic to VS2 and if the URL is (B) forward the traffic to VS3.
  • Cory_50405's avatar
    Cory_50405
    Icon for Noctilucent rankNoctilucent
    May 29, 2014

    Sure can. Keep in mind that this rule isn't redirecting at the HTTP layer, but is rather just directing the traffic to another virtual server on the BIG-IP.

    when HTTP_REQUEST {
 if { [string tolower [HTTP::host]] eq "a.company.com" } {
   virtual virtualserver2
   }
 if { [string tolower [HTTP::host]] eq "b.company.com" } {
   virtual virtualserver3
   }
}