Forum Discussion

Snehal_C's avatar
Icon for Nimbostratus rankNimbostratus
May 07, 2021

How does number of ASM policies affect the processing capacity?

We are trying to deploy ASM policy in the BIG-IP 14.x version. Around 8-10 virtuals servers are configured. Which would be the best option?

  1. Applying a single policy to all VS.
  2. A separate policy to each VS.

2 Replies

  • Hi,


    Processing-wise, it doesn't really matter which one you choose. ASM is a CPU-heavy system and how you configure the ASM policies (and which components you configure) is more important. There are certain parts of an ASM configuration that are quite CPU-heavy (such as DataGuard and Dynamic Parameter extraction), whereas other components hardly make a difference. With this, you also need to keep in mind how much traffic is going through the virtual servers. Putting this together makes for difficult predictions on how busy ASM will be.

    As a guide, you can keep an eye on the CPU requirements for ASM via: Security ›› Reporting : ASM Resources : CPU Utilization


    When it comes to deciding whether to go for 1 policy on 10 VS-es, or 10 policies on 10 VS-es, I would recommend having a look at how different the applications are from eachother and how much time you have. If the applications are very similar, and you want to spend as little time as possible on it, then the first option would be best.

    There are many different options in deployment on ASM though - way too many to go into in a short response here. (ASM is a beast.... but what a beautiful beast it is... ;) If you want to get the most out of ASM, your are best off having a look at a training course where we take you through all deployment options, functions and best practises.


    Hope this helps.

  • Alex is correct. First figure out what the security requirements are for each application. If you have a broad set of general requirements which apply to all applications, you would be well-served by creating a parent policy first and then using it as the basis for all subsequent policies. That can save you a tremendous amount of configuration time.