Forum Discussion
Different policies same destination and pool
Hello,
I started recently administrated a f5 big-ip waf.
The previous administrator created a single virtual server for multiple websites (there are multiple SSL certificates on this virtual server). The traffic for all these websites is forwarded to one server pool that has a single IP in it.
My purpose is to sepparate all these websites in multiple virtual servers in order to custom each security policy.
Given this task I am searching for a way of doing the sepparation in multiple policies based on the url or certificate.
My question is if creating multiple virtual servers each one with another certificate but the same destination IP and same forwarding pool would work. Would the waf route the traffic in different policies based only on SSL certificate? I can not afford to test this because F5 is in a production envirenoment.
Thank you!
Hello,
Since the current setup now is using one virtual server IP for all services, and multiple ceritficates, you can create a LTM policy and start checking for the host header and based on this, apply the appropriate ASM polict based on this service.
For example:
Rule1:
if host header = www.abc.com when http request, Action: apply ASM policy 1.
Rule2:
if host header = www.aaa.com when http request, Action: apply ASM policy 2.
and so on, until you apply different ASM policies on all services. and then add a default rule at the end of the LTM policy, for exmaple (forward to pool x or disable ASM)
A fter finishing the policy, you must publish it and then assign the policy to the virtual server. everytime you caan to add/modify rule, you will need first to clone it and then modify the rules, and publish the policy again.
here is an example:
Thanks,
Hello,
Since the current setup now is using one virtual server IP for all services, and multiple ceritficates, you can create a LTM policy and start checking for the host header and based on this, apply the appropriate ASM polict based on this service.
For example:
Rule1:
if host header = www.abc.com when http request, Action: apply ASM policy 1.
Rule2:
if host header = www.aaa.com when http request, Action: apply ASM policy 2.
and so on, until you apply different ASM policies on all services. and then add a default rule at the end of the LTM policy, for exmaple (forward to pool x or disable ASM)
A fter finishing the policy, you must publish it and then assign the policy to the virtual server. everytime you caan to add/modify rule, you will need first to clone it and then modify the rules, and publish the policy again.
here is an example:
Thanks,
Hi buzzkin
I am still trying to understand your ask. If I have correctly understand it, then below should work for you.If you want to have dedicated virtual server for each website then you can map desired SSL profile and a WAF policy to each vServer.
Also same pool can be mapped to multiple virtual servers.
Only big thing will change here is – your virtual server IP address for each website/app. Earlier it was common to each website/app.
- buzzkinAltostratus
Just for clarifying, now we have one virtual server - multiple SSL certificates - one destination IP - one server pool.
We want to get to multiple virtual servers- one SSL certificate per virtual server - one destination IP - one server pool.
Basically F5 will do the routing through virtual server only by SSL certificate assigned.
Just to confirm if that is ok,
Thank you!
You can't use the same the destination IP on multiple virtual servers as you will need to change the port and source IP address, so better try the Mohamed_Salah_ suggestion.
Outside of that you can have a virtual server that redirects traffic to other virtual servers with a "forward action" with irules or local traffic policies and this can be based on SSL attributes like SNI as shown in https://my.f5.com/manage/s/article/K60036398 (K60036398: Configuring local traffic policies to restrict access to a virtual server using the TLS SNI extension) and then each virtual server can have a different WAF policy.
Read:
F5 has 30 day trial, so you can play on a Vware Workstation or AWS/Azure as much as you want 🙂
- buzzkinAltostratus
Thanks guys!
LTM looks like the best solution. Didn't have time to test it but it is work in progress.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com