For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Shiraz's avatar
Shiraz
Icon for Altostratus rankAltostratus
Sep 11, 2014

iRule for selecting ASM policy

Dears,

 

We have an application which runs on two different charset (windows-1252 and windows-1256). We have to created two Security Policies(one for Windows-1252 and other for Windows-1256) and would like to select the appropriate policy depending on the charset.. I heard that, it can be done using HTTP::class. However, in version 11.5.0 we are dealing with policy and I am unable to create the proper iRule for the same. Need some assistance in acheiving this goal.

 

Any suggestions are highly appreciated.

 

Regards, Mohammed Shiraz

 

application delivery
ASM Advanced WAF
deployment
devops
iRules
LTM
security

5 Replies

  • MiLK_MaN's avatar
    MiLK_MaN
    Icon for Nimbostratus rankNimbostratus
    Sep 11, 2014

    Perhaps you can go down the VIP targeting VIP path.

     

    First VIP has the iRule that determines the charset in HTTP_REQUEST, then send to a second virtual with the virtual iRule command which has the appropriate ASM policy attached.

     

  • Shiraz's avatar
    Shiraz
    Icon for Altostratus rankAltostratus
    Sep 14, 2014

    Dear,

     

    Thanks for your response.

     

    The issue with VIP targeting VIP is... When a user logged in on a windows 1252 , VIP will target it to the windows 1252 security enabled VIP... After that, if the user changes to Windows 1256 encoded page.. it will not work..

     

    We have thought of this approach. However, in our scenario.. it will not work..

     

    Any other suggestions please..

     

  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Sep 15, 2014
    how is the charset determined? Or rather, how do you distinguish on the traffic BIG-IP receives?
  • nathe's avatar
    nathe
    Icon for Cirrocumulus rankCirrocumulus
    Sep 15, 2014

    Shiraz. Is the charset based on uri possibly? A local traffic policy rule could forward particular URIs to one ASM policy and others to another... each using a different charset.

     

    Just a thought.

     

  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Sep 15, 2014

    another option is an ltm policy. I'm guessing here on how you determine (going with the Accept-Charset header, but you could also match on other headers on request or response):

    ltm policy cpm.charsets {
    controls { asm }
    requires { http }
    rules {
        default {
            actions {
                0 {
                    asm
                    enable
                    policy /Common/asm_default_policy
                }
            }
            ordinal 3
        }
        win1252 {
            actions {
                0 {
                    asm
                    enable
                    policy /Common/asm_win1252_policy
                }
            }
            conditions {
                0 {
                    http-header
                    name Accept-Charset
                    values { Windows-1252 }
                }
            }
            ordinal 1
        }
        win1256 {
            actions {
                0 {
                    asm
                    enable
                    policy /Common/asm_win1256_policy
                }
            }
            conditions {
                0 {
                    http-header
                    name Accept-Charset
                    values { Windows-1256 }
                }
            }
            ordinal 2
        }
    }
    strategy first-match
}