Forum Discussion

jomedusa
Aug 15, 2024

Multiple BIG-IP LTM Policies

We currently have a policy applied to a VIP that matches specific text in the URI string and sends the traffic to different pools based on the results. This is the only policy applied, but I would like to also introduce an existing policy that simply inserts information such as TLS version, original source address, and port numbers; this is used for IIS logging.

I am assuming that I could put the insert policy above the existing policy and it would insert the headers first, then it would follow the existing policy that is in place. I may be overthinking it but wanted to get some input from the experts.

 

Thanks,

Joe

  • You can enable X-Forwarded-For to get the actual client IP on the backend server (if it's HTTP traffic). If you restrict the TLS version on the F5, then only that traffic is accepted (you can create a client SSL profile and only allow TLS 1.2 or higher).

      jomedusa

      Thanks for your response. Yes, we use X-Forwarded-For, we are working to restrict the VIP to TLS 1.2, and we use the policy to send the information that can be parsed via Splunk from the IIS logs. It allows us to determine which clients are still utilizing TLS 1.0/1.1 and determine how to remediate that service call or end user application. So would putting that policy above the existing policy allow the HTTP header values to be inserted for logging purposes and the existing policy still route traffic appropriately?

      • Hi jomedusa. Yes, you can have multiple LTM policies on a single VIP and they will be processed based on the order you have set. You can also have all the conditions to match under a single policy. It's up to you how you want to configure it. Hope it helps!
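
Added example, not part of the thread and not anyone's production code: a Python sketch of the log-side check described above, listing the original clients that still negotiate TLS 1.0/1.1 from the header values the insert policy writes into the IIS logs. The field names `cs(X-TLS-Version)` and `cs(X-Client-Src)`, the `TLSv1`-style values, and the `address:port` format are assumptions; substitute whatever your policy inserts and IIS logs.

```python
from collections import defaultdict

# Constructed sample IIS W3C log. The two custom fields are hypothetical names
# standing in for the headers the BIG-IP insert policy adds to each request.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem sc-status c-ip cs(X-TLS-Version) cs(X-Client-Src)
2024-08-15 10:00:01 GET /app/login 200 10.0.0.5 TLSv1.2 198.51.100.7:51514
2024-08-15 10:00:02 GET /api/v1/items 200 10.0.0.5 TLSv1 203.0.113.20:40022
2024-08-15 10:00:03 POST /api/v1/items 201 10.0.0.5 TLSv1.1 203.0.113.21:40100
2024-08-15 10:00:04 GET /api/v1/items 200 10.0.0.5 TLSv1 203.0.113.20:40023
2024-08-15 10:00:05 GET /health 200 10.0.0.5 - -
"""

# Protocol strings treated as legacy (assumed value format).
LEGACY = {"SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}


def legacy_tls_clients(log_text, tls_field="cs(X-TLS-Version)",
                       src_field="cs(X-Client-Src)"):
    """Return {client_ip: {"versions", "uris", "hits"}} for legacy-TLS requests."""
    fields = []
    report = defaultdict(lambda: {"versions": set(), "uris": set(), "hits": 0})
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # IIS may re-emit this header mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed row: skip rather than misalign
        row = dict(zip(fields, values))
        version, src = row.get(tls_field, "-"), row.get(src_field, "-")
        # "-" means the header was absent, e.g. traffic that bypassed the VIP.
        if version not in LEGACY or src == "-":
            continue
        client_ip = src.rsplit(":", 1)[0]  # strip the source port
        entry = report[client_ip]
        entry["versions"].add(version)
        entry["uris"].add(row.get("cs-uri-stem", "-"))
        entry["hits"] += 1
    return dict(report)


if __name__ == "__main__":
    for ip, info in sorted(legacy_tls_clients(SAMPLE_LOG).items()):
        print(ip, sorted(info["versions"]), sorted(info["uris"]), info["hits"])
```

Rows where the inserted fields are `-` are worth counting separately, since they indicate requests that reached IIS without passing through the policy.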