Transparent and Blocking mode in the same ASM Policy?

Question

Hi all,&nbsp;
My scenario is one ASM Policy (ASM-1) applied to one Virtual Server (VS-1). On the other side, I have a Local Traffic Policy which enables ASM-1 when the url starts with /application1 or /application2, otherwise disables asm. ASM-1 iw working in Blocking Mode.&nbsp;
It would be possible to add a new application (starting with /application3), which is in VS-1, but working in Transparent Mode? In my actual scenario, changing the policy ASM-1 to Blocking Mode would affect application1 and application2.&nbsp;
Thanks in advance.&nbsp;

yann_desmarest · Answer

Hi,&nbsp;
You can assign multiple ASM policies on the same VS by using Local Traffic Policies.&nbsp;
Just pay attention to the strategy adopted : best-match, all-match, first-match&nbsp;
If you have to protect /application1 and /application1/test using 2 different ASM policies, you need to define 2 rules. In this case, the first rule must assign the ASM policy for /application1/test and first-match strategy should be adopted.&nbsp;

yann_desmarest_ · Answer

Hi,&nbsp;
You can assign multiple ASM policies on the same VS by using Local Traffic Policies.&nbsp;
Just pay attention to the strategy adopted : best-match, all-match, first-match&nbsp;
If you have to protect /application1 and /application1/test using 2 different ASM policies, you need to define 2 rules. In this case, the first rule must assign the ASM policy for /application1/test and first-match strategy should be adopted.&nbsp;

albert_252822 · Answer

Hi Yann, this was my first idea, but in each rule I define a different ASM Policy (one Transparent and the other one in Blocking Mode) and ASM only allows to have one active policy for each Virtual Server. Having an ASM Policy without a VS associated, it won't work because of next: "A security policy not associated with a virtual server is unusable because no traffic will go through this security policy, and therefore it is meaningless to run the Policy Builder on this type of security policy."

albert_252822 · Answer

Hi Yann, this was my first idea, but in each rule I define a different ASM Policy (one Transparent and the other one in Blocking Mode) and ASM only allows to have one active policy for each Virtual Server. Having an ASM Policy without a VS associated, it won't work because of next: "A security policy not associated with a virtual server is unusable because no traffic will go through this security policy, and therefore it is meaningless to run the Policy Builder on this type of security policy."

Forum Discussion

Transparent and Blocking mode in the same ASM Policy?

4 Replies

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

can you help with getting a BigIP virtual edition serial key

VIP in https that redirect to another vip in https

In Using the AST tool am I pointing it to TENANTS or to the F5OS(hardware) I have?

2026 is Almost Here

VIP is not responding on SYN after enabling other modules like ASM, APM and AFM.

Related Content

Transparent Load Balancing in Azure

Fileless Malware, Anti-Cheat Transparency, & NGINX OSS Security Policy

Understanding F5's Transparent Mode vs Blocking Mode with a Focus on Geo-Blocking

Transparent load balancing in Azure, Part 2

Integrating SSL Orchestrator with McAfee Web Gateway-Transparent Proxy

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS