Forum Discussion

Cirrocumulus

Nov 10, 2022

Is there Limitation of irule "virtual".. can we do it like this?

Hi We have BIG-IQ and BIG-IP AWAF. I see that BIG-IQ application dashboard is show only 1 application per virtual server. But in BIG-IP AWAF.. we config it as 1 virtual server 100 application (mul...

Admin

Nov 10, 2022

yep, this is a common scenario and works great. I'm not sure about a top-end limitation, you'd need to test. But with the iRule, if there more than a handful of hosts/policies, I'd recommend a data-group to map host header->virtual so you can keep the iRule logic light. Something like:

when HTTP_REQUEST {
  set vip_target [class match -value -- [HTTP::host] equals host2vipmap_dg]
  if {$vip_target ne ""} {
    virtual $vip_target
  } else { reject }
}

with a data-group set up like:

ltm data-group internal host2vipmap_dg {
    records {
        abc.example.com {
            data VS_abc.example.com
        }
    }
    type string
}

kridsana
Cirrocumulus
Nov 10, 2022
Thank you for answer JRahm

May I've another question.. We perform ssl bridging on F5 AWAF (VIP port 443 and pool port 443.. decrypt to scan waf and reencrypt again)

when I use irule "virtual".. Do I need to reencypt before send it to VS_private ?
Flow will be like
Client > VIP:443 > Decrypt > irule send to virtual > (1) what port I need to use on Virtual private ? is it 80?

if it port 80.. So I need to config Virtual_Private to use port 80 with only serverssl profile to re-encrypt it to 443 before send to server , am I correct?
I'm concern about multiple decrypt/encrypt which might affect latency
- JRahm
  Admin
  Nov 10, 2022
  your thought there is correct, you don't want to re-encrypt between the virtual servers on the same backplane. Decrypt on the front-end virtual server with a clientssl profile, re-encrypt on the back-end virtual servers with a serverssl profile.