How to handle ASM in HTTP_CLASSes

Question

Hi. 
&nbsp; We're having some issues setting up our ASM, as it behaves quite strangely. 
&nbsp; First, I'll try to explain our setup: 
&nbsp;  
&nbsp; We have various VirtualServers (VS) and we use HTTP_CLASS-Profiles a lot to redirect our traffic. 
&nbsp; Now we'd like to activate ASM and we do the following: we create a HTTP_CLASS and enable ASM in it. This HTTP_CLASS does nothing more. 
&nbsp;  
&nbsp; Then we add this HTTP_CLASS-Profile as resource in a VS, and it seems to work. Although, if we put this Profile as the first in the list, the other HTTP_CLASS-Profiles do not work anymore. Given this strange behaviour, we think, maybe this is not the real way to enable/implement ASM on the LTM? 
&nbsp;  
&nbsp; Could you give us some advise? 
&nbsp;  
&nbsp;  
&nbsp; Thank you. 
&nbsp;  
&nbsp; Markus

hoolio · Answer

Hi Markus, 
&nbsp;  
&nbsp; Only one HTTP class can be matched and used to process a single HTTP request.   
&nbsp;  
&nbsp; If you have some requests you want to redirect, you could add the ASM enabled HTTP class last in the list of classes on the VIP.  All requests which were previously redirected using the non-ASM HTTP classes would still be redirected (without going through ASM).  All other requests which don't match a non-ASM redirecting class would be sent to ASM and then the pool on the ASM HTTP class.  If the ASM HTTP class doesn't have a pool configured then the VIP's default pool would be used. 
&nbsp;  
&nbsp; Aaron

mpfeifer_63884 · Answer

Hi Aaron. 
&nbsp; Thanks for your reply.  
&nbsp; Although it doesn't quite reflect our problem. 
&nbsp;  
&nbsp; By saying that we use HTTP-class to "redirect our traffic" I mean something like "if URI is foo, then use pool bar" 
&nbsp; But we still would like to have this action protected by the ASM-Module.  
&nbsp;  
&nbsp; As I understand, putting the ASM-enabled HTTP-class at the end of the VIP resources list, would not protect the actions done by the previous HTTP-classes.  
&nbsp; I hope I could explain the issue. 
&nbsp;  
&nbsp; regards, 
&nbsp;  
&nbsp; Markus

hoolio · Answer

Hi Markus, 
&nbsp;  
&nbsp; Thanks for clarifying.  If you want to do pool selection and use ASM validate the traffic, you can enable ASM on each HTTP class.  This would require separate ASM web apps for each class.  If you want to use one policy for all of the web apps, you'd need to manually export and import the policy between web apps.  This would be a nuisance from a management perspective.   
&nbsp;  
&nbsp; Another option would be to use a single HTTP class with ASM enabled and no filters.  All traffic would match this class.  You could then use an iRule to do the pool selection.  You can do pool selection in the HTTP_CLASSS_SELECTED event. 
&nbsp;  
&nbsp; Aaron

Forum Discussion

How to handle ASM in HTTP_CLASSes

3 Replies

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

F5 Software Downgrade from version 17.x.x to 15.x.x

Error diskmonitor

CPU utilization of F5OS on r2600

sslprovide (--f5 ssl) does not generate CLIENT/SERVER_TRAFFIC_SECRET on server-side TLS traffic

Hardware replacement i2800 to r2600

Related Content

Intermediate iRules: Handling Strings

Double Trouble: Multiple Controllers Handling the Same Kubernetes LoadBalancer Service

Intermediate iRules: Handling Lists

AI Security : Prompt Injection and Insecure Output Handling.

Handling HTTP Requests on an HTTPS Virtual Server

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS