iRule to assign ASM policy to VS by domain name

kaoutar
Altocumulus

Hello All,

In order to reduce the amount of public IPs assigned to our Web App, we decided to deploy multiple apps in one VS. I'm looking for a way to assign ASM policies to each web app according to its domain name.

Thanks in advance


Hello,


try LTM Policies, no need for iRules. As an example:

KR

Daniel

Thank you

Can you please tell me why I can't log any HTTP request even if the logging profile is activated?

Can you share how you applied the logging profile and which logging profile you applied?

Redacted screenshot or tmsh list.

I applied the logging profile with "log all requests" as shown below.

Shown where? I don't see a screenshot. This config works for me, nothing fancy...


I added the screenshots

Is your security policy configured to log (Alarm)?


Are you using this logging profile on any other virtual server? Do logs get generated from other security policies?

Yes, it is, and this profile is applied on various ASM policies and it logs.

Maybe you can add a Logging Action to the LTM Policy, to ensure the Condition is matched?

I added a logging action with message "local0" but it doesn't work.

Can you share your policy, complete with log Action? Seems your condition is not matched.

please find below the screenshots


This really looks like your condition is not matched.

Ok, could you share a bit more? I can see that you are trying to match on HTTP Host.

So your value to match this condition should be something similar to www.mydomain.com.

What does your pattern look like? Are you using a non-default port, like 8443? It must be added to the condition (www.mydomain.com:8443).


The logging works a bit differently than you thought. See screenshot.

The message field is for the log message, "Hello World" in the example below.

Facility and other parameters are set in the options menu.

The way you configured the log event, you see a log message "local0" in /var/log/ltm. I'd recommend choosing a message that stands out a bit more.

I have applied the strategy to my VS, but I still can't access the VS through the domain name. Why is this?

I may be looking at this a different way, but you should be able to load balance via Layer 7 and disable and enable the ASM within iRules based on which switch statement is triggered.

You are right, assigning ASM policies by matching certain "Conditions", like URI Path or Host Header, is possible either way, by iRules or by LTM Policies. LTM Policies are just my preferred way.

Result is the same...

Could you please provide me an example of that iRule?

Yes. For example, you have a VIP that works off HTTPS (stream enabled, of course).

This would be the ASM policy applied on the VIP; as traffic passes, you disable the policy for the specific domain within the iRule.

    when HTTP_REQUEST {
        # Turn off the stream profile for this request
        STREAM::disable
        # Route by the (lower-cased) Host header; the ASM policy attached
        # to the VS stays active unless ASM::disable is called below
        switch -glob [string tolower [HTTP::host]] {
            "site1.com" {
                pool /Common/Pool1Site1
            }
            "site2.com" {
                pool /Common/Pool2Site2
                ASM::disable
            }
        }
    }
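An added example, not from this thread, that extends the iRule above in the direction the original question asked for: instead of switching ASM off per host, it selects a different ASM policy per host with ASM::enable, strips a non-default port from the Host header so www.site1.com:8443 still matches (the port problem raised earlier in the thread), and logs unmatched hosts to /var/log/ltm. The hostnames, pools and policy names are placeholders, and it assumes the VS already has an ASM policy attached (ASM::enable requires one) and that ASM::enable accepts a policy name on your version.

```tcl
when HTTP_REQUEST {
    # Hostnames, pools and ASM policy names below are placeholders.
    # Drop any ":port" so a non-default port such as :8443 does not
    # break the host match (bracketed IPv6 literal hosts are not handled).
    set host [string tolower [lindex [split [HTTP::host] ":"] 0]]

    switch -glob -- $host {
        "site1.com" -
        "*.site1.com" {
            pool /Common/Pool1Site1
            # Apply the policy built for app 1 instead of the VS default
            ASM::enable /Common/asm_policy_site1
        }
        "site2.com" -
        "*.site2.com" {
            pool /Common/Pool2Site2
            ASM::enable /Common/asm_policy_site2
        }
        default {
            # Unknown host: keep the default pool and the ASM policy attached
            # to the VS, but record it so unexpected Host values show up in
            # /var/log/ltm (the message is deliberately distinctive)
            log local0. "ASM-by-host: no match for Host=[HTTP::host] client=[IP::client_addr]"
        }
    }
}
```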