Forum Discussion
NimbostratusIs ASM supported when using virtual with http-explicit profile
EmployeeCould you please explain why you would not suggest asm as a valid use case ?
ASM protects a known webserver/application against incoming attack - the protection afforded by the policy is based on knowing which urls and parameters are valid for that application and applying appropriate signatures and settings to those incoming requests (and responses).
An explicit outgoing proxy is passing requests to arbitrary webservers on the internet - the ASM policy would have to completely open to all URLs and parameters, and would have to apply every possible signature to requests because you don't know what the receiving platform may be. Some sites would require exceptions to signatures/settings that would then apply to every other request through the ASM policy to every other arbitrary website. You could end up creating multiple ASM policies selected by local traffic policies for external sites - a policy for google.com, one for amazon.com, one for facebook.com, one for ...
Your management may be happy for your ASM administration team to protect other people's websites from your users, but it will end up being an infinite timesink fixing requests that were blocked.
In other words - ASM is used to protect your specific application from the internet, and does an extremely poor job of protecting the internet from the behaviour of your internal web clients.
If you wish to protect your users from bad responses from the internet, set up an ICAP server with ICAP inspection profiles on the external proxy VIP.
