Forum Discussion
irule to select ASM policy using policy rules
Hi Experts,
This case reflects an 11.2.1 -> 11.6.0 HF6 upgrade test. While assessing the 11.2.1 configuration, it was identified that 3 iRules use the HTTP_CLASS_SELECTED method, which creates conflicts during the upgrade to 11.6.0 HF6. So to avoid this, the respective HTTP_CLASS_SELECTED configuration has been commented out in the iRules before the upgrade. With this step, the 11.2.1 -> 11.6.0 HF6 upgrade was performed. Now I am trying to reconfigure the iRule to match the newly created policy rules. Can you please go through the iRule below and comment if you have any suggestions?
    # when HTTP_CLASS_SELECTED {
    #     ASM::enable
    #     if { [HTTP::path] equals "/Results/StudyTemplate/Save" } {
    #         ASM::disable
    #     }
    # }
    when HTTP_REQUEST {
        if { [llength [POLICY::names matched]] > 0 } {
            switch -glob [POLICY::rules matched] {
                "labportal_HTTP_Class_policy_rule" {
                    # policy rule name=labportal_HTTP_Class_policy_rule //asm policy name =/Common/labportal_HTTP_Class
                    ASM::enable "/Common/labportal_HTTP_Class"
                    return
                }
                "BMT_HTTP_Class_policy_rule" {
                    # policy rule name=BMT_HTTP_Class_policy_rule //asm policy name =/Common/BMT_HTTP_Class
                    ASM::enable "/Common/BMT_HTTP_Class"
                    return
                }
                "SciPortal_HTTP_Class_policy_rule" {
                    # policy rule name=SciPortal_HTTP_Class_policy_rule //asm policy name =/Common/SciPortal_HTTP_Class
                    ASM::enable "/Common/BMT_HTTP_Class"
                    return
                }
                "Recruitment_HTTP_class_policy_rule" {
                    # policy rule name=Recruitment_HTTP_class_policy_rule //asm policy name = /Common/Recruitment_HTTP_class
                    ASM::enable "/Common/Recruitment_HTTP_class"
                    return
                }
            }
            if { [HTTP::path] equals "/Results/StudyTemplate/Save" } {
                ASM::disable
            }
        }
    }
Appreciate your suggestions to improve this iRule.
Cheers, Nisal
3 Replies
- Richard_Karon
Employee
Can you please describe the purpose of the original code? Be as specific as you can. Instead of trying to adapt something that was written for use with httpclasses, you quite possibly are able to use an ltm traffic policy instead.
- Stanislas_Piro2
Cumulonimbus
Hi,
Why are you trying to use irule to configure ASM instead of defining it in the Policy...
All the conditions you use can be done in Policies.
Migration from HTTP Class to Policies is to limit use of irules.
Stanislas
- Niles_245942
Nimbostratus
Hi Stanislas & Richard, Thanks for your input. I have considered your comments and edited the iRule below. I can see the http-class profiles have been converted by the BIG-IP to local policies, which include multiple policy rules. What I am trying to achieve below is to disable ASM if the HTTP URI contains "/Results/StudyTemplate/Save", as below.
    # when HTTP_CLASS_SELECTED {
    #     ASM::enable
    #     if { [HTTP::path] equals "/Results/StudyTemplate/Save" } {
    #         ASM::disable
    #     }
    # }
    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/Results/StudyTemplate/Save" } {
            ASM::disable
        }
        HTTP::header insert X-Forwarded-For [IP::remote_addr]
        switch -glob [string tolower [HTTP::host]] {
            "*recruitment*" {
                pool DMZ_WEBv01
                return
            }
            "*recruitmentstage*" {
                # Define appropriate pool for webserver hosting web site
                pool DMZ_WEBv02
                return
            }
        }
    }

Please let me know if you have any comments.
Regards, Niles
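Added example, not part of the thread: a Python model of the two matching steps in the last iRule above, comparing the scope of the ASM exemption under `[HTTP::path] equals` versus `[HTTP::uri] starts_with`, and showing which `switch -glob` arm is reached first. The function names, sample URIs and sample hosts are constructed for illustration, and `fnmatchcase` is assumed to be an adequate stand-in for Tcl glob matching on these patterns.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

EXEMPT = "/Results/StudyTemplate/Save"

def exempt_equals_path(uri):
    """First iRule: [HTTP::path] equals EXEMPT (path only, query string excluded)."""
    return urlsplit(uri).path == EXEMPT

def exempt_uri_prefix(uri):
    """Last iRule: [HTTP::uri] starts_with EXEMPT (path plus query string)."""
    return uri.startswith(EXEMPT)

def extra_uninspected(uris):
    """URIs that skip ASM under the prefix test but not under the exact-path test."""
    return [u for u in uris if exempt_uri_prefix(u) and not exempt_equals_path(u)]

# Patterns in the order the last iRule lists them.
HOST_CASES = [("*recruitment*", "DMZ_WEBv01"), ("*recruitmentstage*", "DMZ_WEBv02")]

def select_pool(host, cases=HOST_CASES):
    """switch -glob runs only the body of the first pattern that matches."""
    host = host.lower()
    for pattern, pool in cases:
        if fnmatchcase(host, pattern):
            return pool
    return None

def unreachable_pools(hosts, cases=HOST_CASES):
    """Pools that no sample host ever reaches with the given case order."""
    reached = {select_pool(h, cases) for h in hosts}
    return [pool for _, pool in cases if pool not in reached]

# Constructed sample input.
SAMPLE_URIS = [
    "/Results/StudyTemplate/Save",
    "/Results/StudyTemplate/Save?id=7",
    "/Results/StudyTemplate/SaveDraft",
    "/Results/StudyTemplate/Save/export",
    "/Results/StudyTemplate/List",
]
SAMPLE_HOSTS = ["recruitment.example.com", "recruitmentstage.example.com"]

if __name__ == "__main__":
    print("Exempt only under starts_with:", extra_uninspected(SAMPLE_URIS))
    print("Pool for stage host:", select_pool("recruitmentstage.example.com"))
    print("Never selected:", unreachable_pools(SAMPLE_HOSTS))
```

Listing the more specific pattern first (`*recruitmentstage*` before `*recruitment*`) makes both pools reachable in this model.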