Forum Discussion
Report to audit virtual servers without ASM policy or ASM policy disabled
We are looking to report on two issues: 1) All virtual servers that have no ASM policy applied, and 2) All virtual servers that have LTM policy rules that disable ASM policy
For 1, I know I can run the tmsh command, list ltm virtual policies, and eyeball the output for any that have "none", and I know for 2, I can run list ltm policy rules and search for asm disable rules, but those are clunky manual methods and not practical for ASMs with a lot of VS's. If we could at least narrow down the output to only list what we need, that would be helpful, but I couldn't figure out a grep filter to do it myself.
- rob_carr
Cirrocumulus
You can obtain a list of all virtual servers that have no policy (and hence have no traffic going via ASM) via this command:
tmsh list ltm virtual one-line | grep -v policies | cut -d' ' -f 3
- cdjac0bsen
Nimbostratus
Syntax error: "cut", grep is currently the only filter that is supported.
Guess I should have stated we are still on 11.5.x.
However, even without the cut pipe we still get which VS's don't have policies so thanks. I can then combine that with a search on all ltm policies with no ASM policy enabled rule: list ltm policy one-line | grep -v "asm enable" -e sys
As far as my second question, I can search on all ltm policies with an ASM policy disabled rule: list ltm policy one-line | grep "asm disable"
- rob_carr
Cirrocumulus
The script I provided was meant to be run from the Linux shell, because of the flexibility of having access to Linux utilities like cut (and sort and uniq, for example).
Here's a one liner that prints out virtual server and policy names when the policy includes 'asm disable':
for policy in `tmsh list ltm policy one-line | grep 'asm disable' | cut -d' ' -f3 `; do echo -n `tmsh list ltm virtual one-line | grep $policy | cut -d' ' -f3`; echo ::$policy; done
- jba3126
Cirrostratus
Another long-term solution is BigIPReport - https://devcentral.f5.com/s/articles/bigip-report
The latest version provides both a way to search and report on VIPs with no ASM policy as well as a way to see traffic policies attached. In our case we disabled ASM via iRule for WebSocket support that was lacking in ASM on version 12.x. We run a Windows task which runs every night to gather fresh captures of our configuration. BigIQ is another, but that is a bigger task. You can set up BigIPReport in an hour or less.
/jeff
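Added example, not part of any post in this thread: a shell function that combines both checks discussed above into one report over saved `tmsh list ltm policy one-line` and `tmsh list ltm virtual one-line` output, matching whole policy names inside the `policies { ... }` block rather than substrings. The sample lines are constructed and simplified, and the function names and finding labels are this example's own.

```bash
# asm_audit POLICY_FILE VIRTUAL_FILE: the files hold saved output of
# `tmsh list ltm policy one-line` and `tmsh list ltm virtual one-line`.
# Prints one line per finding: virtual<TAB>finding<TAB>attached policies
asm_audit() {
  awk '
    FILENAME == ARGV[1] {                  # pass 1: index the LTM policies
      if ($1 == "ltm" && $2 == "policy") {
        if ($0 ~ /asm disable/) disables[$3] = 1
        if ($0 ~ /asm enable/)  enables[$3] = 1
      }
      next
    }
    $1 == "ltm" && $2 == "virtual" {       # pass 2: one virtual server per line
      names = ""; dis = 0; en = 0; depth = 0; start = 0
      for (i = 4; i < NF; i++)
        if ($i == "policies" && $(i + 1) == "{") { start = i + 1; break }
      # Read names only at depth 1 of the policies { ... } block and compare
      # them whole, so "app" never matches "app2" or a pool called "app".
      for (j = start; start && j <= NF; j++) {
        if ($j == "{") depth++
        else if ($j == "}") { if (--depth == 0) break }
        else if (depth == 1) {
          names = (names == "" ? "" : names ",") $j
          if ($j in disables) dis = 1
          if ($j in enables)  en = 1
        }
      }
      if (names == "") print $3 "\tNO_LTM_POLICY\t-"
      else if (dis)    print $3 "\tASM_DISABLE_RULE\t" names
      else if (!en)    print $3 "\tNO_ASM_ENABLE\t" names
    }
  ' "$1" "$2"
}
# Constructed, simplified sample input (not captured from a real BIG-IP).
sample_report() (
  d=$(mktemp -d)
  cat > "$d/policy" <<'EOF'
ltm policy app { controls { asm } rules { ws { actions { 0 { asm disable } } } } }
ltm policy app2 { controls { asm } rules { r1 { actions { 0 { asm enable policy /Common/app2_sec } } } } }
ltm policy redirect { rules { r1 { actions { 0 { http-reply redirect location https://example.com } } } } }
EOF
  cat > "$d/virtual" <<'EOF'
ltm virtual vs_ok { destination 10.0.0.1:443 policies { app2 { } } pool app }
ltm virtual vs_none { destination 10.0.0.2:80 pool app }
ltm virtual vs_ws { destination 10.0.0.3:443 policies { app { } } }
ltm virtual vs_redir { destination 10.0.0.4:80 policies { redirect { } } pool app }
EOF
  asm_audit "$d/policy" "$d/virtual"; rm -rf "$d"
)
```

On a BIG-IP, save the two listings to files from the Linux shell and pass them to `asm_audit`. ASM disabled from an iRule, as described in the last reply, does not appear in either listing and needs a separate check.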