LTM/ASM Stacking Policies - BIG-IP 12.1.2

Question

Hey all,&nbsp;
I believe it was asked in the past (I found a few articles from years ago), but wanted to ask again. Looking to possibly get LTM policy to have stacked ASM policies. Ideally, would like traffic to be routed through each one, as using the filters would essentially drop out necessary traffic.&nbsp;
Concept is as follows:
- All traffic flows through a limited block ASM policy (only specific attack signatures/items/etc.)
- All traffic that isn't blocked previously flows through another transparent ASM policy for monitoring purposes (includes other attack signatures, other items for traffic learning, etc.)&nbsp;
And so on, essentially if traffic is not blocked or stopped from previous specific policy, it would move to the next one or a more broader policy. Any thoughts or setup ideas?&nbsp;

samstep · Answer

Simply upgrade to v13.x as F5 ASM has support for Layered policies from v13.0.&nbsp;
If you are stuck with v 12.1 then it is a bit tricky but still possible - basically you will have 2 virtual servers - one with base policy and another with elevated one and you will need to write an irule which will use the "virtual" iRule command to forward traffic from one VIP to another.&nbsp;

Forum Discussion

LTM/ASM Stacking Policies - BIG-IP 12.1.2

Recent Discussions

F5 looses the token for the first call

iRule - Url rewrite and header replace and pool selection not working

Switch ssl profile based on weak cipher detection via IRULE

full-proxy HTTP2

Decode ObjectSID from Base64-encode string

Related Content

Remember your first stack?

iRule based RADIUS Client Stack

iRule based RADIUS Server Stack

App Stack, the "iRule" of F5 Distributed Cloud

Converting a BIG-IP Maintenance Page iRule to Distributed Cloud using App Stack

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS