Forum Discussion
Traffic Policy to map HTTP::class select command?
Hello Folks,
Sorry, opening another thread similar to the first one I opened this morning. Can anyone help me with Traffic Policies as per the requirement? Basically, the following is the iRule snippet, which needs to be applied with the upgraded F5, i.e. 11.5.1:
when HTTP_REQUEST {
    # Clients listed in the data group get the admin class, everyone else the default class
    if { [class match [IP::client_addr] equals "disable_asm_ip_ranges"] } {
        HTTP::class select /Common/cls_EMS_staging_admin
    } else {
        HTTP::class select /Common/cls_EMS_staging
    }
}
Basically the HTTP Class is mapped to enable the ASM, based on the iRule Datagroup applied in the iRule.
I found that associated classes are converted into Traffic Policies, just need them to map with iRule.
Any help?
Thank you, Darshan
6 Replies
- Torti
Cirrus
try:
when HTTP_REQUEST {
    if { [class match [IP::client_addr] equals "disable_asm_ip_ranges"] } {
        ASM::enable /Common/cls_EMS_staging_admin
    } else {
        ASM::enable /Common/cls_EMS_staging
    }
}
but I believe you have to select a security policy at the virtual server first, via the Security tab.
- swo0sh_gt_13163
Altostratus
Hello Torti,
Yes, correct. I have LTM Policy applied on those VS where the above iRule is applied. Also ASM is enabled within the LTM policy.
However, I am struggling to get the following working now. 😞
when RULE_INIT {
    set static::intranet_groupName "interactive_range"
}
when HTTP_REQUEST {
    set flag_classSelect_developer 0
    # Clients in the data group bypass ASM and are flagged for the class selection below
    if {[matchclass [IP::client_addr] equals $static::intranet_groupName]} {
        ASM::disable
        set flag_classSelect_developer 1
        HTTP::class select /Common/cls_intranet_noFirewall
    }
}
when HTTP_CLASS_SELECTED {
    if {$flag_classSelect_developer == 1} {
        HTTP::class select /Common/cls_intranet_noFirewall
        set theClassName [HTTP::class]
    }
}
The HTTP Class associated with the iRule has nothing except ASM enable. Any idea how I can achieve the same for 11.5.1?
Thank you again. Darshan
- Torti
Cirrus
I think you get a problem if you enable an ASM policy with the iRule and with the LTM policy. Normally, I do this all with the LTM policy only, but there is no option to filter for an IP address or address range. Only a VLAN filter is possible. That's a missing feature.
Your code looks a little bit too complicated.
Try it with my example from above, but set ASM::disable at the ip filter.
Like this:
when HTTP_REQUEST {
    if { [class match [IP::client_addr] equals "disable_asm_ip_ranges"] } {
        ASM::disable
    } else {
        ASM::enable /Common/cls_EMS_staging
    }
}
and don't forget to enable security at the virtual server
- swo0sh_gt_13163
Altostratus
Hello Torti,
Yes, I agree that the above code will work. However, in my second post, I posted code with the HTTP_CLASS_SELECTED event, which doesn't seem to be compatible with 11.5.1.
How can we deal with that? Here is the small part copied from the above iRule which needs to be converted for 11.5.1:
when HTTP_CLASS_SELECTED {
    if {$flag_classSelect_developer == 1} {
        HTTP::class select /Common/cls_intranet_noFirewall
        set theClassName [HTTP::class]
    }
}
Thank you, Darshan
- Torti
Cirrus
Yes, it doesn't work. The event was deleted because the LTM class doesn't exist anymore. But I don't understand the sense of this part in your iRule. What do you want to do with the parameter 'theClassName'?
- swo0sh_gt_13163
Altostratus
Hello Torti,
Yes, I got the point. I have now modified the code as follows.
when HTTP_REQUEST {
    if {[matchclass [IP::client_addr] equals "intranet_groupName"]} {
        ASM::disable
    }
}
And I have applied the LTM Policy with the ASM policy. Looks fine now?
Thanks for your help. Much appreciated. Darshan
