iRule action after ASM

Question

Another question...&nbsp;
&nbsp;We have ASM and are using it to scan traffic to one of our applications. Is there an event in which I can change the pool selection after ASM has completed its work?

hoolio · Answer

I'm curious to see what are you trying to do.  Can you describe what/why?&nbsp;
&nbsp;After upgrading to 9.2.4, you can select a pool in HTTP_CLASS_SELECTED which is triggered if the request matched an HTTP class on the VIP.&nbsp;
&nbsp;Check this post for details (Click here)&nbsp;
&nbsp;This event is triggered before TMM sends the request to ASM.  There is no direct access from a rule for making changes to the serverside connection from ASM to TMM or from TMM to the node.&nbsp;
&nbsp;Aaron

pablo_valenzuel · Answer

Hi! 
&nbsp;  
&nbsp; I've also have to do some iRule after ASM. Why? because I have to do a cookie change after ASM has inserted it's cookie. 
&nbsp;  
&nbsp; The idea is to send A SINGLE COOKIE to the client (some old clients only support 1 cookie!) so I have to write an iRule that applies in 2 events: 
&nbsp;  
&nbsp; - When the client send data, BEFORE asm get's the content, so I can re-write both cookies (server session and ASM) 
&nbsp; - When the server sends data, AFTER asm puts his cookie, so I can "join" both cookies (server session and ASM) into a single cookie 
&nbsp;  
&nbsp; Therefore, is there an event that applies AFTER asm? or is there a way for ASM NOT to put ANY cookie? 
&nbsp;  
&nbsp; Thanks!

hoolio · Answer

With the introduction of the plugin architecture in 9.4.2, the events for ASM enabled VIPs has improved significantly.  In a standard HTTP VIP with at least one ASM-enabled HTTP Class added, the following events are potentially triggered:  
&nbsp;    
&nbsp;  CLIENT_ACCEPTED  
&nbsp;  HTTP_REQUEST  
&nbsp;  HTTP_CLASS_SELECTED  
&nbsp;  -- ASM request validation --  
&nbsp;  HTTP_CLASS_FAILED  
&nbsp;  LB_SELECTED  
&nbsp;  PERSIST_DOWN  
&nbsp;  LB_FAILED  
&nbsp;  SERVER_CONNECTED  
&nbsp;  HTTP_REQUEST_SEND  
&nbsp;  HTTP_RESPONSE  
&nbsp;  -- ASM response validation --  
&nbsp;    
&nbsp;  You can get definitions for when the various events are triggered from the events page ((Click here)).  
&nbsp;    
&nbsp;  You can modify the HTTP headers and data for a request before the request is sent to ASM for validation using the HTTP_REQUEST event.  You can modify the request after ASM validation using LB_SELECTED (or HTTP_REQUEST_SEND and the clientside command (Click here).  
&nbsp;    
&nbsp;  Unfortunately, the only response event we have to work with is HTTP_RESPONSE.  This is triggered when the server's response HTTP headers are parsed.  The response is then sent to ASM.  I don't think there is another event triggered after ASM has validated the response.  So I don't think you will be able to modify the response after ASM processes it and before it is sent to the client.  
&nbsp;    
&nbsp;  It would be useful if there was an event triggered after ASM parsed the request and response.  It would be great if we could get details on any violation which was found.  I've requested this previously.  At one point, F5 had spec'd the feature, but I don't think it's planned for any upcoming version.  
&nbsp;    
&nbsp;    
&nbsp;  Trigger an iRule event when an ASM violation is generated.  Make the full request info accessible in a variable or array so the rule could have logic based on the violation type/data and modify the handling of the request/response.  This would give administrators much more flexibility in how to handle violations.  
&nbsp;  &nbsp;  
&nbsp;    
&nbsp;  If you want to request this functionality be added in a future version, you could open a case with F5 Support and ask them to attach your case to the request for enhancement.  
&nbsp;    
&nbsp;  Aaron

hoolio · Answer

Hi pvalenzuela, 
&nbsp;  
&nbsp; Also, ASM will insert a cookie to track data specific to a client's session.  You can get some detail on this for 9.4.1 and lower in SOL6850 (Click here).  I don't think there has been an update to this solution for 9.4.2 and later, so it's not complete for the latest versions. 
&nbsp;  
&nbsp; Here are scenarios where ASM would track session data: 
&nbsp;  
&nbsp; Dynamic parameter enforcement 
&nbsp; Tracking domain cookies haven't been modified 
&nbsp; Path sequence enforcement 
&nbsp;  
&nbsp; What type of HTTP client only supports a single cookie?  I've never heard of this before.  Even if you could modify the response after it is parsed by ASM and before it's sent to the client it would be a bit difficult to handle the different cookie properties.  How would you handle it if the app set a timeout or path for its cookie, but ASM didn't?  What if the app specified the cookie should only be sent by the client over HTTPS? 
&nbsp;  
&nbsp; Aaron

pablo_valenzuel · Answer

Well, try old nokia phones... unfortunetly, this is the case, and since the phone only supports 1 cookie, the server sends a session cookie and ASM inserts another one, i must create an iRule to make it "single-cookie" at the client side. 
&nbsp;  
&nbsp; Maybe store it in some local variable? any ideas?

Forum Discussion

iRule action after ASM

Recent Discussions

How to implement LTM forward proxy client to determine the diversion pool based on the domain name

FTP PASV mode to Extended Passive mode

Oracle JDBC SSL Termination failing on F5

APM for banner and cert

An Irule for Client Ssl Profile that Allows Unassigned TLS Extension Values (17516)

Related Content

Upcoming Action Required: F5 NGINX Plus R33 Release and Licensing Update

LTM: Action on Service Down

Traffic Policies: More detailed information on Actions

iRules Style Guide

Action Items in OMB Memorandum M-22-09 “Moving the U.S. Government Toward Zero Trust...”

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS