iRule to assign ASM policy to VS by domain name

kaoutar · ‎17-Mar-2021

Hello All,

In order to reduce the amunt of public IPs assigned to our Web App, we decide to deploy multi apps in one VS, Im looking for a way to assign ASM policies to each web app according to the its Domain name,

Thanks in advance

Daniel_Wolf · ‎17-Mar-2021

Hello,

try LTM Policies, no need for iRules. As an example:

KR

Daniel

kaoutar · ‎17-Mar-2021

Thank you

kaoutar · ‎23-Mar-2021

Can you please tell me why i cant log any of http request even if the logging profile is activated?

Daniel_Wolf · ‎23-Mar-2021

Can you share how you applied the logging profile and which logging profile you applied?

Redacted screenshot or tmsh list.

kaoutar · ‎24-Mar-2021

I applied the logging profile with loall request as shown below

Daniel_Wolf · ‎24-Mar-2021

Shown where? I don't see a screenshot. This config works for me, nothing fancy...

kaoutar · ‎25-Mar-2021

kaoutar · ‎25-Mar-2021

I added the screenshots

Daniel_Wolf · ‎25-Mar-2021

Is your security policy configured to log (Alarm)?

Are you using this logging profile on any other virtual server? Do logs get generated from other security polices?

kaoutar · ‎25-Mar-2021

yes it is and this profile applied on various ASM policies and it logs

Daniel_Wolf · ‎25-Mar-2021

Maybe you can add a Logging Action to the LTM Policy, to ensure the Condition is matched?

kaoutar · ‎25-Mar-2021

i added a logging action with message local0 but it doesnt work

Daniel_Wolf · ‎25-Mar-2021

Can you share your policy, complete with log Action? Seems your condition is not matched.

kaoutar · ‎26-Mar-2021

please find below the screenshots

kaoutar · ‎26-Mar-2021

kaoutar · ‎26-Mar-2021

kaoutar · ‎26-Mar-2021

Daniel_Wolf · ‎26-Mar-2021

This really looks your condition is not matched.

Ok, could you share a bit more? I can see that you are trying to match on HTTP Host.

So your value to match this condition should be something similar to www.mydomain.com.

How does your pattern look like? Are you using a non-default port, like 8443? They must be added to the condition (www.mydomain.com:8443).

The logging works a bit different than you thought. See screenshot.

The message field is for the log message, "Hello World" in the example below.

Facility and other parameters are set in the options menu.

The way you configured the log event, you see a log message local0 in /var/log/ltm. I'd recommend to choose a message that stands out a bit more.

小白 · ‎04-Mar-2022

I have applied the strategy to my vs, but I still can't access vs through the domain name.Why is this

2019F5DevCentra · ‎25-Mar-2021

I maybe looking at this a different way, but you should be able to load balance via Layer 7 and disabling and enabling the ASM within irules based on which select statement is triggered.

Daniel_Wolf · ‎26-Mar-2021

You are right, assigning ASM policies by matching certain "Conditions", like URI Path or Host Header, is possible either ways - by iRules or by LTM Policies. LTM Policies are just my preferred way.

Result is the same...

kaoutar · ‎26-Mar-2021

could you plleade provide me an example of that irule ?

2019F5DevCentra · ‎26-Mar-2021

Yes, for example you have a VIP that works off of HTTPS - Stream Enabled of course -

This would be the ASM Policy Applied on the VIP, as traffic passes you disable the policy to the specific Domain within the iRule.

when HTTP_REQUEST {
 
 
 
	STREAM::disable
 
 
 
    switch -glob [string tolower [HTTP::host]] {
 
 
 
       "site1.com" {
 
          pool /Common/Pool1Site1
 
       }
 
       "site2.com" {
 
          pool /Common/Pool2Site2
 
           ASM::disable
 
       }
 
    }
 
 
 
}

DevCentral

iRule to assign ASM policy to VS by domain name