Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Multiple ASM policy applied on Virtual Server

Preet_pk
Altostratus
Altostratus

‎17-Jan-2022 01:33

Hi,

 

We have a F5 design were single Virtual Server (VIP) is pointing to multiple application on back-end via iRule & iRule load balancing is based on HTTP::host (Layer 7)

 

for eg:

 

when HTTP_REQUEST {

   switch [string tolower [HTTP::host]] {

      a.test.ae {

           pool a_test_Pool1}

      b.test.ae {

           pool b_test_Pool1 }

       }

   }

 

We have a requirement to apply ASM policy on specific application (for eg: application "a") - while enforcing ASM policy specific to application "a" & applied on Virtual Server, will application "b" break? if so, please let me know what will be the best approach in this scenario.

 

Labels:
0 Kudos
5 REPLIES 5

Mayur_Sutare
MVP
MVP

‎17-Jan-2022 23:59 - last edited on ‎24-Mar-2022 01:21 by Fog

Hi  ,

 

If ASM policy has set any blocks/drops which matches traffic pattern coming for "application b" then yes, it will disturb that traffic also. So best approach would be applying ASM policy to specific or desired HOST URL only where you want to have it. You can achieve same using LTM policy.

 

Create LTM policy where under condition you can match HOST that you want to match for enabling ASM policy and then under actions -

ENABLE --> ASM --> Select desired ASM policy

 

Once you apply above LTM policy on the vServer, ASM policy will get applied to traffic coming for given host only.

 

Hope it helps!

 

0 Kudos

Tamer_Zain
Nimbostratus
Nimbostratus

‎18-Jan-2022 07:39

Hi

 

you can do that using LTM policy then attach many of ASM policies pointing to the specific host name even you are using single VIP

 

Regards

0 Kudos

Preet_pk
Altostratus
Altostratus

‎17-Jan-2022 01:33 - last edited on ‎26-Jan-2022 12:48 by Community Manager

 

[editors note] moved this thread from a duplicate question.

0 Kudos

CA_Valli
MVP
MVP
In response to Preet_pk

‎17-Jan-2022 02:05 - last edited on ‎05-Jun-2023 23:01 by Fog

Hello,

applying ASM policy at virtual server level means that both application traffic will be seen by WAF:

  • Traffic learning will also show suggestions for b.test.ae in policy tuning
  • When policy is set to blocking state, traffic directed to b.test.ae will also be checked and will trigger protections, resulting in possible blocks.

iRule tool can manage ASM policy assignment.

I remember from installations I've performed, that you require an ASM policy to be applied at virtual server leve, regardless. You need to perform this task before modifying iRule or ASM instructions won't be accepted.

In your scenario, to prevent application b.test.ae to be checked by WAF, I'd just add an ASM::disable string instruction: 

when HTTP_REQUEST {
   switch [string tolower [HTTP::host]] {
      a.test.ae {
           pool a_test_Pool1}
      b.test.ae {
           ASM::disable
           pool b_test_Pool1 }
       }
   }

Hope this helps

CA

0 Kudos

Nikoolayy1
MVP
MVP
In response to Preet_pk

‎26-Jan-2022 01:39 - edited ‎26-Jan-2022 01:41

You can also use the current irule with the ASM:Enable command and following the article below:

 

https://community.f5.com/t5/technical-forum/apply-asm-policy-through-irule/td-p/194373

 

 

Still better to use local traffic policy that matches the HTTP hostname and assigns the specific ASM policy as this is more optimal than irules:

https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-13-1-0/35.h...

 

You have opened the same question many times, please close the duplicate questions as it not a good example.

0 Kudos
Copyright © 2023 Khoros, LLC