Forum Discussion

Leonardo_39231
Feb 28, 2013

Order of operations

I'm looking at deploying ASM in our environment and we are pretty heavy on using iRules for our virtual servers. I'm looking for best practice with deploying ASM and iRules...

  1. Is the best practice to not define a default pool for the HTTP class? So that the HTTP traffic will flow through the ASM module and, if allowed, then through the iRule, which would forward traffic as configured?
  2. Is it best practice to enable ASM in the iRule via the ASM::enable command?
  3. Or "it depends"? :)

Thanks in advance for your advice.

  • So I have been running ASM for years now and I will tell you what my setup is; keep in mind we have separate hardware for ASM and LTM.

    Traffic comes into the VS and the resource on the VS is the HTTP class (sometimes just one class, sometimes many classes sorted by host or URI), then the pool is defined within the class.

    There is LTM in front of and behind the ASM to maintain proper load balancing.
  • Hi,

    we use different ways ;-)

    It depends on the VS design.

    If it is a simple VS with one pool, we use a default pool in the VS and in the class only the security is enabled. That's it.

    If you use OneConnect, it is recommended (by F5) to use a default pool, too.

    If it is a VS with multiple pools, we don't use a default pool in the VS. Then we select the pool in the class.

    With a normal design, the traffic goes through the iRule first and after that through the ASM.

    It isn't necessary to use ASM::enable, unless you are using ASM::disable, too.

    Regards
  • Thanks for the replies! So if ASM and LTM are on the same hardware, I was told that the traffic flow will go through the ASM first, then drop to the iRules as long as it was allowed by ASM. Is this not true? I'm struggling with that concept.

    Thanks
  • Jnon
    Good question - as I'm researching the same thing, this has been my understanding thus far. The traffic hits the VS, LTM decrypts SSL, the ASM policy is applied, then iRules and the LB decision.
  • The ASM policy is mapped to an HTTP class. A class is mapped to a VS and can be selected in an iRule, too.

    So it's wrong. The iRule is in front of ASM.

    1. SSL decryption - if set
    2. iRule - if used
    3. HTTP classes
    4. LB
  • So where the iRules come into play in all of this is actually dependent on how you code the iRule. iRules are resources of the virtual server, but you write them to look for an "event" before they fire. If you look at the wiki below you will see all the events that are available and where in the process of traversing through the BIG-IP each will fire.

    https://devcentral.f5.com/wiki/iRules.Events.ashx

    So really, depending on what you need an iRule to do will depend on where it will come into play; it could be before or after ASM.

    The basic flow through the device would be as follows:

    1. VS
    2. Client SSL profile
    3. Protocol and HTTP profiles
    4. VS resources (httpclass)
    5. ASM policy
    6. httpclass action (LB pool or redirect)
    7. Node
    8. Server SSL profile (if applicable)
    9. VS

    Really the iRule could come in at any point in that process; it just depends on how you write the rule and what events you are using.
  • Thanks Mike... that makes sense in the way you described that the iRule would be triggered by an event. This article, for anyone interested, helped me solidify that understanding (https://devcentral.f5.com/tech-tips/articles/irules-event-order). I do still have a question though, because the two events that I'm most concerned about are on the same line of that article: HTTP_REQUEST and HTTP_CLASS_SELECTED. How do I know which one fires first? If my ASM HTTP class is matching the URI "/abc" and I have an iRule with the event "HTTP_REQUEST" matching the URI "/abc"... how would the LTM process this? I've been told that it will first go through the ASM policy, then if no pool or redirect is defined it'll fall to the iRule and follow the pool assigned in the iRule.

    From the article's "Client Request Events":

    CLIENT_ACCEPTED
    CLIENTSSL_HANDSHAKE
    CLIENTSSL_CLIENTCERT
    HTTP_REQUEST / CACHE_REQUEST / RTSP_REQUEST / SIP_REQUEST / HTTP_CLASS_FAILED / HTTP_CLASS_SELECTED
    STREAM_MATCHED
    CACHE_UPDATE
    CLIENT_DATA / RTSP_REQUEST_DATA / HTTP_REQUEST_DATA – Only occur when collected data arrives
    AUTH_RESULT / AUTH_WANTCREDENTIAL – Only occur when authentication commands return
    LB_SELECTED / LB_FAILED / PERSIST_DOWN

    As always, thanks for the help/support/knowledge
  • Hi Nando,

    HTTP_REQUEST will always be followed by either HTTP_CLASS_SELECTED or HTTP_CLASS_FAILED if you have at least one HTTP class configured on the virtual server:

    CLIENT_ACCEPTED
    CLIENTSSL_HANDSHAKE
    CLIENTSSL_CLIENTCERT
    HTTP_REQUEST / CACHE_REQUEST / RTSP_REQUEST / SIP_REQUEST / HTTP_CLASS_FAILED / HTTP_CLASS_SELECTED
    STREAM_MATCHED
    CACHE_UPDATE
    CLIENT_DATA / RTSP_REQUEST_DATA / HTTP_REQUEST_DATA – Only occur when collected data arrives
    AUTH_RESULT / AUTH_WANTCREDENTIAL – Only occur when authentication commands return
    LB_SELECTED / LB_FAILED / PERSIST_DOWN

    ...ASM HTTPClass is matching the uri "/abc" and I have an irule with the event "HTTP_REQUEST" matching the uri "/abc"... how would the LTM process this?

    If you're selecting a pool in the HTTP_REQUEST iRule event and selecting a pool with an HTTP class, the HTTP class pool selection will override any prior pool selection.

    If that's not what you're referring to, can you clarify the scenario you're thinking of?

    Thanks, Aaron
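One way to confirm the order Mike and Aaron describe on a test virtual server, as an added example rather than anything posted in this thread: the iRule below stamps each event with a per-connection id, so /var/log/ltm shows HTTP_REQUEST, HTTP_CLASS_SELECTED (or HTTP_CLASS_FAILED) and LB_SELECTED in the order they actually fire, and the LB_SELECTED line shows which pool won after the HTTP class has had its say. The pool name pool_abc, the "/abc" path and the availability of the HTTP::class name subcommand on the version in use are assumptions.

```tcl
# Added example, not from the thread: log the iRule events in the order they
# fire and record the pool that is finally chosen, so the interaction between
# a pool set in HTTP_REQUEST and a pool defined on the HTTP class can be
# observed instead of guessed. pool_abc and "/abc" are placeholder names.
when CLIENT_ACCEPTED {
    # One id per TCP connection so the log lines of a single flow can be grouped
    set conn_id "[IP::client_addr]:[TCP::client_port]"
    log local0. "$conn_id CLIENT_ACCEPTED"
}
when HTTP_REQUEST {
    log local0. "$conn_id HTTP_REQUEST [HTTP::method] [HTTP::uri]"
    if { [HTTP::path] starts_with "/abc" } {
        # Pool chosen in the iRule; an HTTP class that defines its own pool
        # overrides this choice later in the same request
        pool pool_abc
        log local0. "$conn_id HTTP_REQUEST selected pool_abc"
    }
}
when HTTP_CLASS_SELECTED {
    # HTTP::class name is assumed to be available on the running version
    log local0. "$conn_id HTTP_CLASS_SELECTED class=[HTTP::class name]"
}
when HTTP_CLASS_FAILED {
    log local0. "$conn_id HTTP_CLASS_FAILED no class matched [HTTP::uri]"
}
when LB_SELECTED {
    # The pool reported here is the one that actually won the selection
    log local0. "$conn_id LB_SELECTED pool=[LB::server pool] member=[LB::server addr]:[LB::server port]"
}
```

Run it on a non-production virtual server only, since logging every event on a busy VS is noisy; compare the LB_SELECTED pool against the class's pool setting to see whether the class or the iRule is deciding.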
  • Thanks Aaron, that pretty much answers my question... I mainly want to make sure whatever we defined to do with the "/abc" URI in the iRule will still be applied when we turn on ASM. I believe what you are saying is if we don't define a default pool or redirect for the HTTP class, then the LTM will forward traffic based on what's defined in the iRule.

    If you're selecting a pool in the HTTP_REQUEST iRule event and selecting a pool with an HTTP class, the HTTP class pool selection will override any prior pool selection.

    In this scenario, if I didn't define a pool for the HTTP class then it'll use the pool that was selected by the HTTP_REQUEST, correct?

    Thanks!!