Forum Discussion

kridsana
Nov 10, 2022

Is there a limitation of the iRule "virtual" command? Can we do it like this?

Hi

We have BIG-IQ and BIG-IP AWAF.

I see that the BIG-IQ application dashboard shows only 1 application per virtual server.
But in BIG-IP AWAF we configure it as 1 virtual server for 100 applications (multi-domain VIP, using an iRule to check the Host header, send it to a specific pool and choose a specific WAF policy).

So we can't see each application's metrics in BIG-IQ. This is our issue.

I understand we need to configure one VIP for each application so BIG-IQ can retrieve data per application, but we can't use that many public IPs.

So I found that we have the iRule "virtual" command which can send traffic to another virtual server.
Can we do it like this?
Instead of

    when HTTP_REQUEST {
        if { [HTTP::host] equals "abc.example.com" } {
            # choose the pool and WAF policy by Host header
            ASM::enable /Common/abc.example.com
            pool /External/Pool_abc.example.com
        }
    }
------------------------------------

Change to

    when HTTP_REQUEST {
        if { [HTTP::host] equals "abc.example.com" } {
            # send it by Host header to a newly created virtual server on a private IP
            virtual VS_abc.example.com
        }
    }

and in virtual server VS_abc.example.com we use a private IP and assign the pool and WAF policy normally,
so we can add VS_abc.example.com to the BIG-IQ application dashboard and see metrics per application.

But is there any limitation on using the iRule "virtual" command like this? Is this practical?

  • Yep, this is a common scenario and works great. I'm not sure about a top-end limitation; you'd need to test. But with the iRule, if there are more than a handful of hosts/policies, I'd recommend a data-group to map Host header -> virtual so you can keep the iRule logic light. Something like:

    when HTTP_REQUEST {
      set vip_target [class match -value -- [HTTP::host] equals host2vipmap_dg]
      if {$vip_target ne ""} {
        virtual $vip_target
      } else { reject }
    }

    with a data-group set up like:

    ltm data-group internal host2vipmap_dg {
        records {
            abc.example.com {
                data VS_abc.example.com
            }
        }
        type string
    }
    • kridsana

      Thank you for the answer JRahm

      May I ask another question? We perform SSL bridging on F5 AWAF (VIP port 443 and pool port 443: decrypt to scan with the WAF and re-encrypt again).

      When I use the iRule "virtual" command, do I need to re-encrypt before sending it to VS_private?
      The flow will be like:
      Client > VIP:443 > Decrypt > iRule sends to virtual > (1) what port do I need to use on the private virtual? Is it 80?

      If it is port 80, then I need to configure Virtual_Private to use port 80 with only a serverssl profile to re-encrypt to 443 before sending to the server. Am I correct?
      I'm concerned about multiple decrypt/encrypt cycles which might affect latency.

      • JRahm

        Your thought there is correct: you don't want to re-encrypt between the virtual servers on the same backplane. Decrypt on the front-end virtual server with a clientssl profile, and re-encrypt on the back-end virtual servers with a serverssl profile.
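Pulling the whole thread together, here is an added tmsh-style configuration example (not code from the original posts or from F5) that shows the data-group-driven `virtual` routing from the first answer and the SSL-bridging layout from the last one: a public front-end virtual that terminates TLS with a clientssl profile only, and one private back-end virtual per application on port 80 that carries its own pool, serverssl profile (re-encrypting to the pool on 443) and WAF policy. All addresses, profile names, pool names and policy names are assumptions; the LTM policy wrapper that attaches the ASM policy is written the way BIG-IP generates it when a policy is attached in the GUI, and doing that step in the GUI (Security > Policies) is equivalent.

```tcl
# Constructed example (added here, not from the original thread).
# Addresses, profile and policy names are assumptions.

# Host header -> back-end virtual server. Keys are lower-case host names
# without a port, which is what the iRule below looks up.
ltm data-group internal host2vipmap_dg {
    records {
        abc.example.com {
            data /Common/VS_abc.example.com
        }
        def.example.com {
            data /Common/VS_def.example.com
        }
    }
    type string
}

# The routing iRule. HTTP::host can carry ":port" and mixed case, so
# normalise before the data-group lookup; unknown hosts are rejected.
ltm rule host2vip_rule {
when HTTP_REQUEST {
    set host [string tolower [getfield [HTTP::host] ":" 1]]
    set vip_target [class match -value -- $host equals host2vipmap_dg]
    if { $vip_target ne "" } {
        virtual $vip_target
    } else {
        reject
    }
}
}

# Front-end virtual: the one public IP. clientssl only (decrypt),
# no serverssl, no pool: every request is handed to a back-end virtual.
ltm virtual VS_public_443 {
    destination /Common/203.0.113.10:443
    ip-protocol tcp
    profiles {
        http { }
        tcp { }
        clientssl_wildcard {
            context clientside
        }
    }
    rules {
        host2vip_rule
    }
    source 0.0.0.0/0
}

# Back-end virtual for abc.example.com: private, non-routed address on
# port 80 (traffic arrives in cleartext inside TMM from the front-end),
# serverssl re-encrypts to the pool members on 443, WAF policy attached.
ltm virtual VS_abc.example.com {
    destination /Common/10.0.0.11:80
    ip-protocol tcp
    pool /External/Pool_abc.example.com
    profiles {
        http { }
        tcp { }
        serverssl {
            context serverside
        }
    }
    policies {
        asm_auto_l7_policy__VS_abc.example.com { }
    }
    source 0.0.0.0/0
}

# LTM policy that enables the ASM policy on VS_abc.example.com
# (assumed to match what BIG-IP generates when attaching in the GUI).
ltm policy asm_auto_l7_policy__VS_abc.example.com {
    controls { asm }
    requires { http }
    rules {
        default {
            actions {
                1 {
                    asm
                    enable
                    policy /Common/abc.example.com
                }
            }
            ordinal 1
        }
    }
    strategy first-match
}
```

With this layout there is exactly one TLS decrypt (front-end clientssl) and one TLS encrypt (back-end serverssl) per request, the same as the original single-VIP bridging design, so the `virtual` hop adds no extra cryptographic work. Each VS_<app> is a normal virtual server with its own pool and WAF policy, which is what lets BIG-IQ report it as its own application. One thing to check in practice: the back-end virtual listens on a private address that should not be reachable from outside, otherwise clients could hit the port-80 listener directly and bypass the front-end TLS termination.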