Forum Discussion

Chris_Phillips's avatar
Chris_Phillips
Icon for Nimbostratus rankNimbostratus
Jun 22, 2012

Real life benefits of bypassing ASM

So I've inherited a 5 year old LTM / ASM cluster with a lot of old rules which have mostly been kicked along over various versions and architectural changes over that time.

 

 

I have a rule which is designed to bypass ASM for static images originally in order to reduce the load on ASM. Since this time the environment has increased to 5 dedicated ASM devices and left the ASM load very very low, so I'm questioning the need to bypass it.

 

 

 

this rule checks the following:

 

 

 

- url ends in a list of suffixes

 

- method is a GET

 

- uri starts with a /

 

- uri is under a max length

 

- uri contains valid characters only

 

 

 

and then for EVERY header:

 

 

 

- contains valid characters only

 

- name is under a max length

 

- value is under a max length

 

 

 

if every check passes, then ASM is bypasses....

 

 

 

Now, if we're being this rigorous in the first place, wouldn't you just not bother, and let ASM handle it and just dial down the checks on these certain file types? It's not like ASM is really going to be doing a vast amount more, and a fewer iRule to submit every single request to can't be a bad thing...

 

  • Hi Acidkewpie,

     

     

    That iRule to disable ASM for static content was used when the ratio of ASM units to load was much lower. We were trying to transfer some of the load from ASM to TMM back when they used separate CPUs.

     

     

    Since you have much more capacity with the current architecture, I would either pass all of the static content requests through ASM or add RAM cache. RAM cache works really well with ASM in that the first requests for static content are passed through ASM and then cached for future requests.

     

     

    sol8216: Configuring RAM Cache for use with a BIG-IP ASM-enabled virtual server

     

    https://support.f5.com/kb/en-us/solutions/public/8000/200/sol8216.html

     

     

    Aaron
  • It's almost like you know the exact rule I'm talking about... :) ta

     

     

    I think the caching side is an issue as the logs are wanted on the Apache servers. People would probably get very confused in those late night debugging sessions.

     

     

    In general I'm looking to realign as many roles and responsibilities the the appropriate module... application security should be being done by the application security module for one!
  • If caching on LTM complicates troubleshooting, I'd just remove the iRule and have ASM validate all of the requests. Last I know you guys had spare ASM capacity so it makes sense to simplify the implementation and remove the static content iRule. Of course, you'll want to test the policy and make sure the static content is defined correctly in the security policy.

     

     

    You could probably also remove some of the iRules that bypassed ASM for odd requests that ASM couldn't handle. Chances are ASM functionality has improved to the point that it can handle more of these requests.

     

     

    Aaron