Forum Discussion
cascading asm policy
Hi,
I have web servers that need more than one ASM policy because we want to have one global policy and one specific policy. Within the web UI there is a way to configure such a thing with LTM policies, but this does not actually work.
So, does someone have experience cascading ASM policies the way we want to with iRules? The target is simply to trigger both ASM policies within an iRule, and first match wins (meaning it is executed or blocked)?
Thank you bb
2 Replies
- amolari
Cirrostratus
Hi aa, I don't think you could cascade them with an iRule. You could do a match in the iRule and then evaluate a selected ASM policy. Layering seems not to be supported, unfortunately.
https://devcentral.f5.com/questions/stack-multiple-asm-policies
Alex
- akroehnert
Nimbostratus
According to F5 support this does not work:
Each Web application should have its own ASM policy, where configuration is made specifically to that web application.
The ASM policies can all be based on a basic ASM policy, and any change to a specific web application should be done in the specific ASM policy for that web application.
The only method of getting a layered ASM policy structure is to have the LTM policy rules referring to different ASM policies in different rules, based on some condition.
For example:
Rule 1 - if URI starts with /site1/, send to ASM policy /site1-ASM-policy
Rule 2 - if URI starts with /site2/, send to ASM policy /site2-ASM-policy
Assigning 2 actions of referring to 2 different ASM policies in the same rule and the same condition is not going to work. A single request is going to match that condition, but it won't be clear which ASM policy should process that request.
However I am also looking for some creative solution here as I am sure there must be some way on BIG-IP to achieve such a simple requirement.
Andreas
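The per-condition selection described in the support answer above, written as an iRule. This is an added example, not code from either poster or from F5. It assumes ASM is already enabled on the virtual server, that the two site policies from the thread live in the /Common partition, and that a policy named global-ASM-policy (hypothetical) exists as the fallback.

```tcl
when HTTP_REQUEST {
    # Normalise case so /Site1/ and /site1/ select the same policy.
    set path [string tolower [HTTP::path]]

    # Patterns are tested in order and the first match wins, so each
    # request is handed to exactly one ASM policy. This selects a
    # policy; it does not stack two policies on the same request.
    switch -glob -- $path {
        "/site1/*" {
            # Assumed full path of the thread's /site1-ASM-policy
            ASM::enable /Common/site1-ASM-policy
        }
        "/site2/*" {
            # Assumed full path of the thread's /site2-ASM-policy
            ASM::enable /Common/site2-ASM-policy
        }
        default {
            # Hypothetical global policy for everything else, so no
            # request bypasses ASM because it matched no rule.
            ASM::enable /Common/global-ASM-policy
        }
    }
}
```

Because only one policy evaluates each request, any protections wanted "globally" have to be present in every site-specific policy as well, for example by building them from a common base policy as the support answer suggests.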