Forum Discussion
hooleylist
Jan 14, 2009Cirrostratus
Here is a diagram which illustrates the logical flow for requests:
SOL6754 - Traffic flow for ASM-enabled virtual servers (Click here)
And SOL8018 (Click here) gives a similar overview of this in text and includes some common configuration options.
The typical suggestion has been to use a pool on each HTTP class and not configure a default pool on the VIP. This ensures that all traffic must explicitly match a class in order to get through the BIG-IP. It makes it more difficult to accidentally allow traffic to slip through the classes and go to the default pool without being validated by ASM.
A common exception to this configuration would be if you wanted to use the same HTTP class and ASM web app + policy on multiple VIPs. If you wanted to reuse the same class/web app/policy, you could not configure the pool on the class, but instead use a default pool on the VIP. If you want to use any filters on the HTTP class, you should add a default class to the VIP(s) with no filters to ensure no traffic bypasses ASM.
Aaron