For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

JimT's avatar
JimT
Icon for Nimbostratus rankNimbostratus
Jun 24, 2016

Enable ASM policy based on pool selection in iRule

Hi, Hope someone can point me in the right direction: We have a virtual server with a default ASM policy assigned to it. When clients connect we want to set the ASM policy based on which pool you...
application delivery
ASM Advanced WAF
iRules
Tikka_Nagi_1315's avatar
Tikka_Nagi_1315
Historic F5 Account
Jun 29, 2016

If I understood correctly what you are trying to achieve I think you need an iRule that will disable ASM for each HTTP request in HTTP_REQUEST and then selectively dis/enable ASM if LB has already taken place for a previous request on this connection. In LB_SELECTED selectively dis/enable ASM for the first request on any connection. The following iRule probably won't work as is but intended to be a pointer:

  when HTTP_REQUEST {
  if { [LB::server addr] ne "" } {
     Skip the leading partition name from the pool name:
    set pool [getfield [LB::server pool] "/" 3]
    set asm_policy [class lookup ${pool} map_pool_to_asm_policy]
    if { $asm_policy ne "" } {
    ASM::enable "/Common/$asm_policy"
    }

  } else {
    log local0. "New HTTP_REQUEST with no LB, disabling ASM so LB_SELECTED will always fire"
    ASM::disable
  }
}

when LB_SELECTED {
  if { [LB::server addr] eq [getfield [LB::server pool] "/" 3] } {
    log local0. "LB selected set [LB::server addr] - disabling ASM"
    ASM::disable
  } else {
    log local0. "LB selected set [LB::server addr] - enabling ASM"
    ASM::enable "/Common/$asm_policy"
  }
}
  • JimT's avatar
    JimT
    Icon for Nimbostratus rankNimbostratus
    Jun 29, 2016
    Hi nagi and thanks for your answer. Will try this and reply as soon testing is done.