Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

iRule to assign ASM policy to VS by domain name

kaoutar
Cirrus
Cirrus

‎17-Mar-2021 03:06

Hello All,

In order to reduce the amunt of public IPs assigned to our Web App, we decide to deploy multi apps in one VS, Im looking for a way to assign ASM policies to each web app according to the its Domain name,

Thanks in advance

Labels:
0 Kudos
23 REPLIES 23

Daniel_Wolf
MVP
MVP

‎17-Mar-2021 07:10

Hello,

 

try LTM Policies, no need for iRules. As an example:

0691T00000C1k1UQAR.pngKR

Daniel

kaoutar
Cirrus
Cirrus
In response to Daniel_Wolf

‎17-Mar-2021 09:09

Thank you

0 Kudos

kaoutar
Cirrus
Cirrus
In response to Daniel_Wolf

‎23-Mar-2021 03:03

Can you please tell me why i cant log any of http request even if the logging profile is activated?

0 Kudos

Daniel_Wolf
MVP
MVP
In response to kaoutar

‎23-Mar-2021 08:11

Can you share how you applied the logging profile and which logging profile you applied?

Redacted screenshot or tmsh list.

0 Kudos

kaoutar
Cirrus
Cirrus
In response to kaoutar

‎24-Mar-2021 05:26

I applied the logging profile with loall request as shown below

0 Kudos

Daniel_Wolf
MVP
MVP
In response to kaoutar

‎24-Mar-2021 08:00

Shown where? I don't see a screenshot. This config works for me, nothing fancy...

0691T00000C2OOsQAN.png0691T00000C2OOTQA3.png

kaoutar
Cirrus
Cirrus
In response to kaoutar

‎25-Mar-2021 02:22

 

 

 

0 Kudos

kaoutar
Cirrus
Cirrus
In response to kaoutar

‎25-Mar-2021 02:23

I added the screenshots

0 Kudos

Daniel_Wolf
MVP
MVP
In response to kaoutar

‎25-Mar-2021 03:59

Is your security policy configured to log (Alarm)?

 

Are you using this logging profile on any other virtual server? Do logs get generated from other security polices?

0 Kudos

kaoutar
Cirrus
Cirrus
In response to kaoutar

‎25-Mar-2021 04:23

yes it is and this profile applied on various ASM policies and it logs

0 Kudos

Daniel_Wolf
MVP
MVP
In response to kaoutar

‎25-Mar-2021 04:44

Maybe you can add a Logging Action to the LTM Policy, to ensure the Condition is matched?

0 Kudos

kaoutar
Cirrus
Cirrus
In response to kaoutar

‎25-Mar-2021 07:48

i added a logging action with message local0 but it doesnt work

0 Kudos

Daniel_Wolf
MVP
MVP
In response to kaoutar

‎25-Mar-2021 08:59

Can you share your policy, complete with log Action? Seems your condition is not matched.

0 Kudos

kaoutar
Cirrus
Cirrus
In response to kaoutar

‎26-Mar-2021 01:44

please find below the screenshots

 

0 Kudos

kaoutar
Cirrus
Cirrus
In response to kaoutar

‎26-Mar-2021 01:45

 
0 Kudos

kaoutar
Cirrus
Cirrus
In response to kaoutar

‎26-Mar-2021 01:46

 
0 Kudos

kaoutar
Cirrus
Cirrus
In response to kaoutar

‎26-Mar-2021 01:47

 
0 Kudos

Daniel_Wolf
MVP
MVP
In response to kaoutar

‎26-Mar-2021 04:10

This really looks your condition is not matched.

 

Ok, could you share a bit more? I can see that you are trying to match on HTTP Host.

So your value to match this condition should be something similar to www.mydomain.com.

How does your pattern look like? Are you using a non-default port, like 8443? They must be added to the condition (www.mydomain.com:8443).

 

The logging works a bit different than you thought. See screenshot.

The message field is for the log message, "Hello World" in the example below.

Facility and other parameters are set in the options menu.

0691T00000C2TqXQAV.pngThe way you configured the log event, you see a log message local0 in /var/log/ltm. I'd recommend to choose a message that stands out a bit more.

0 Kudos

小白
Cirrus
Cirrus
In response to Daniel_Wolf

‎04-Mar-2022 18:29

I have applied the strategy to my vs, but I still can't access vs through the domain name.Why is this

0 Kudos

2019F5DevCentra
Cirrus
Cirrus

‎25-Mar-2021 12:48

I maybe looking at this a different way, but you should be able to load balance via Layer 7 and disabling and enabling the ASM within irules based on which select statement is triggered.

0 Kudos

Daniel_Wolf
MVP
MVP
In response to 2019F5DevCentra

‎26-Mar-2021 00:21

You are right, assigning ASM policies by matching certain "Conditions", like URI Path or Host Header, is possible either ways - by iRules or by LTM Policies. LTM Policies are just my preferred way.

Result is the same...

0 Kudos

kaoutar
Cirrus
Cirrus
In response to 2019F5DevCentra

‎26-Mar-2021 04:04

could you plleade provide me an example of that irule ?

0 Kudos

2019F5DevCentra
Cirrus
Cirrus

‎26-Mar-2021 06:09 - last edited on ‎04-Jun-2023 21:00 by Fog

Yes, for example you have a VIP that works off of HTTPS - Stream Enabled of course -

This would be the ASM Policy Applied on the VIP, as traffic passes you disable the policy to the specific Domain within the iRule.

when HTTP_REQUEST {
 
 
 
	STREAM::disable
 
 
 
    switch -glob [string tolower [HTTP::host]] {
 
 
 
       "site1.com" {
 
          pool /Common/Pool1Site1
 
       }
 
       "site2.com" {
 
          pool /Common/Pool2Site2
 
           ASM::disable
 
       }
 
    }
 
 
 
}
 

  

0 Kudos
Copyright © 2023 Khoros, LLC