cancel
Showing results for 
Search instead for 
Did you mean: 
Login & Join the DevCentral Connects Group to watch the Recorded LiveStream (May 12) on Basic iControl Security - show notes included.

Can Irule forward request after ASM block?

Steve_Knapp
Altostratus
Altostratus

Below is a snippet from an inquiry I received from our web developers. Matching on part of the URI is no problem, but what about forwarding the request even after blocked by the ASM?

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

So the iRule would have to match on:

  • Portions of the URI that indicate this is an FNOL
  • That the ASM blocked the request

Then:

  • Forward the buffered request to a specific URL

Assumptions:

  • The iRule can buffer the request so it persists beyond the ASM block. This alone may be the show-stopper as this may be a significant performance problem.
  • The iRule can send to a different location than just allowing to pass to the back end pool members

 

2 REPLIES 2

Andrew-F5
F5 Employee
F5 Employee

"The iRule can buffer the request so it persists beyond the ASM block. This alone may be the show-stopper as this may be a significant performance problem."

◘ I'm not entirely sure what you mean by this?

 

"The iRule can send to a different location than just allowing to pass to the back end pool members"

◘ You can use a 'forward' command, redirect, etc, after the 'ASM::unblock' statement.

 

when ASM_REQUEST_DONE { #log local0.debug "\[ASM::status\] = [ASM::status]" if { [ASM::status] equals "blocked" } { ASM::unblock log local0. "Unblocked request with ID [ASM::support_id]" } }

 

 

References:

https://clouddocs.f5.com/api/irules/ASM__status.html

https://clouddocs.f5.com/api/irules/ASM__unblock.html

Steve_Knapp
Altostratus
Altostratus

Thanks. Great info!