Hi Peevuto,
I think the limiting factors for ASM are probably some of these below and not necessarily the number of policies, VIPs or pools configured:
- requests / second
- size of requests / responses
- latency in client requests and, more significantly, server responses
- complexity of the policy: are you checking a lot of parameters, are you validating parameters set by the app in subsequent requests (dynamic parameters), are you using every attack signature, etc.
From a manageability perspective, I think it would be difficult to configure and maintain 600 separate policies. I'd try developing one policy per type of architecture rather than per website you want to protect. The only time I'd use a new policy for a web app of the same architecture as an existing set of apps is if the security requirements were significantly different.
It's extremely difficult to give accurate sizing recommendations with ASM because there are so many variables involved. I'd try going back to your F5 SE and give them as much detail as you can on your use case and see if they can suggest rough numbers. Else, the most accurate answer might come from testing your potential configuration in a QA environment.
You might also consider posting this in the Performance Testing forum (Click here). Maybe Mike or someone else has done testing which would be relevant to your scenario.
Aaron