Forum Discussion

Patrick_Norde
Jun 07, 2018

Is ASM supported when using a virtual with an http-explicit profile?

Hi all,

I have configured a virtual server which is supposed to be working as an explicit forwarding proxy. This virtual server has an ASM security policy attached. However, it is not passing any traffic.

In /var/log/ts/bd.log, I see the message "TMEVT_REQUEST: Request has no HTTP selector, empty web-security, action is bypass". The message seems valid, as the client is performing a proxy request.

Does this mean no ASM security policy can be used in the case of an explicit proxy configuration?

  • Changed the configuration of the LTM policy which ties the ASM security policy to the virtual server: "enable asm for policy [security policy name] at http proxy request time", instead of "...at request time". This solves the ASM error in /var/log/ts/bd.log.

    However, traffic is still not passing. I have to dig a little further. Perhaps someone has built a similar configuration before?

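As an added illustration of the change described in the post above (this is not configuration from the thread or from F5), here is the same pairing of an explicit-proxy virtual and an LTM policy expressed in tmsh. All object names (vs_explicit_proxy, pool_default_gw, http_explicit, policy_asm_proxy, asm_explicit_proxy) are placeholders. The `proxy-request` event keyword is my reading of the GUI option "at http proxy request time" and is an assumption: confirm the exact action syntax with `tmsh help ltm policy` on your version before relying on it.

```tmsh
# Added example, not from the original thread. Object names are placeholders.

# Explicit forward proxy virtual: the http profile with proxy-type explicit
# makes the virtual accept "GET http://host/path HTTP/1.1" proxy requests.
# The pool holds the default gateways, as discussed in the thread.
ltm virtual /Common/vs_explicit_proxy {
    destination /Common/10.0.0.10:3128          # assumed listener address and port
    ip-protocol tcp
    pool /Common/pool_default_gw
    profiles {
        /Common/http_explicit { }               # assumed: http profile with proxy-type explicit
        /Common/tcp { }
    }
    policies {
        /Common/policy_asm_proxy { }
    }
    source-address-translation { type automap } # assumed for outbound traffic
    translate-address disabled                  # assumed: forwarding, not load balancing
}

# LTM policy that attaches the ASM policy at proxy-request time rather than at
# the default request event. "proxy-request" is the assumed tmsh equivalent of
# the GUI wording "at http proxy request time".
ltm policy /Common/policy_asm_proxy {
    controls { asm }
    requires { http }
    rules {
        default {
            actions {
                0 {
                    asm
                    proxy-request
                    enable
                    policy /Common/asm_explicit_proxy
                }
            }
            ordinal 1
        }
    }
    strategy /Common/first-match
}
```

When checking whether the event change took effect, watch /var/log/ts/bd.log for the same "Request has no HTTP selector, empty web-security, action is bypass" line quoted in the post: if it still appears, the policy is still being evaluated at the ordinary request event rather than the proxy request event.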
  • nathe

    What pool configuration do you have on the forward proxy? Normally this would be a pool of default gateways. I would not suggest ASM is a valid use case here.

  • Hi Nathan, first of all, thank you for your comment!

    The pool configuration does indeed contain the default gateways as members.

    Could you please explain why you would not suggest ASM as a valid use case? I can think of some reasons, but would like to hear yours. Do you also know if it should work? Because in my situation it does not.

    In the meantime we have chosen a different direction for this project implementation, but I still want to know if we can make it work. It would add some more knowledge which would be handy in future cases...

  • "Could you please explain why you would not suggest ASM as a valid use case?"

    ASM protects a known webserver/application against incoming attack. The protection afforded by the policy is based on knowing which URLs and parameters are valid for that application and applying appropriate signatures and settings to those incoming requests (and responses).

    An explicit outgoing proxy is passing requests to arbitrary webservers on the internet. The ASM policy would have to be completely open to all URLs and parameters, and would have to apply every possible signature to requests because you don't know what the receiving platform may be. Some sites would require exceptions to signatures/settings that would then apply to every other request through the ASM policy to every other arbitrary website. You could end up creating multiple ASM policies selected by local traffic policies for external sites: a policy for google.com, one for amazon.com, one for facebook.com, one for ...

    Your management may be happy for your ASM administration team to protect other people's websites from your users, but it will end up being an infinite timesink fixing requests that were blocked.

    In other words, ASM is used to protect your specific application from the internet, and does an extremely poor job of protecting the internet from the behaviour of your internal web clients.

    If you wish to protect your users from bad responses from the internet, set up an ICAP server with ICAP inspection profiles on the external proxy VIP.

  • Hi Simon, I get your point and indeed, we should not be using ASM for protecting the Internet...

    In my lab I was forwarding to the Internet, but for my customer project we are protecting internal servers and maybe using the F5 as an explicit forwarding proxy.

    Perhaps I should open a support case in order to find out if the combination of forwarding proxy and ASM is actually supported / should be working. I think not too many people have used this combination before.