Apply ASM policy through iRule

I know that I have asked questions about using iRules to apply ASM policies in the past, but I am running into some issues. Just some background, our Load Balancing team is telling us that they need to reduce the number of VIPs (Virtual Servers) being used and their new plan is to use a single VIP for multiple apps and then use iRules to just send the traffic to the correct pool. This seems to work just fine until I get a request to add an ASM policy to protect the app.

I have set up a lab where I can test some things to learn the best way to apply these ASM policies to the multiple apps. I am running into an issue now where I get some kind of error when trying to add the ASM::enable "policy name" command to the iRule. I get this when trying to save the iRule:

requires an associated WEBSECURITY profile on the virtual-server

From what I can tell, it wants me to assign an ASM policy to the virtual server and then I am guessing I change which policy gets applied through the iRule. Is this correct or is there something else that I can do to get this working in the iRule?

My concern is that if I need to apply a default ASM policy to the Virtual Server, this will affect all the other apps that are getting directed in the iRule. Any suggestions or knowledge would be great.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi Randy,

for Virtual Servers serving multiple Web Applications with dedicated ASM Policies, I'm going to assign a "DUMMY" ASM Policy (an ASM Policy which simply blocks everything).

Then I use the iRule below to switch between different ASM Policies based on a $variable or disable ASM as needed. The $variable can be set or even be computed at the time you select the pool.

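when HTTP_REQUEST priority 999 {
    # ASM_Policy is expected to be set earlier, when the pool is selected.
    if { ( [info exists ASM_Policy] )
     and ( $ASM_Policy ne "" ) } then {
        ASM::enable "/Common/$ASM_Policy"
    } else {
        # No policy chosen for this request: bypass ASM entirely.
        ASM::disable
    }
    # Clear the variable so it does not carry over to the next request.
    unset -nocomplain ASM_Policy
}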

The important point is that you have to assign an ASM Policy to your Virtual Server before you can select an ASM Policy or selectively disable ASM at all. The opposite direction won't work...

Cheers, Kai

Comments on this Answer
Comment made 1 week ago by Randy Toombs 60

Thanks, that is kind of what I have been learning, I just wanted to make sure I wasn't missing something that was better.

Comment made 1 week ago by Kai Wilke 6860

Hi Randy,

better (in terms of performance) than using such an iRule would be to enable ASM and select the proper Policy via LTM's Traffic Policies depending on the HTTP request.

Well, personally I do prefer to not mix iRules and Traffic Policies (for administrative reasons). So I simply enable ASM for every request via LTM's Traffic Policies and then reconfigure/disable ASM the way explained above...

Cheers, Kai

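The pattern from the answer above combined into one iRule, as an added example that is not code from the original posts: the routing event sets `ASM_Policy` when it picks the pool, and the later event applies it. The host names, pool names, policy names and the `ASM_Bypass` variable are assumptions for illustration. It also assumes the block-everything "DUMMY" policy is assigned to the virtual server, and it leaves unknown hosts on that policy instead of disabling ASM for them.

```tcl
# Added example. Host, pool and policy names and ASM_Bypass are assumptions.
# Assumes a block-everything policy ("DUMMY" in the answer above) is assigned
# to the virtual server, so ASM::enable / ASM::disable are accepted on save.

when HTTP_REQUEST priority 500 {
    # Clear anything left over from an earlier request on this connection.
    unset -nocomplain ASM_Policy ASM_Bypass

    # Compare on the host name only: lower-cased, any ":port" suffix removed.
    switch -- [string tolower [getfield [HTTP::host] ":" 1]] {
        "app1.example.com" {
            pool pool_app1
            set ASM_Policy "asm_app1"
        }
        "app2.example.com" {
            pool pool_app2
            set ASM_Policy "asm_app2"
        }
        "static.example.com" {
            # Application that is intentionally served without ASM.
            pool pool_static
            set ASM_Bypass 1
        }
        default {
            # Unknown host: set nothing, so the blocking policy assigned to
            # the virtual server stays in effect for this request.
        }
    }
}

when HTTP_REQUEST priority 999 {
    if { [info exists ASM_Policy] && $ASM_Policy ne "" } {
        ASM::enable "/Common/$ASM_Policy"
    } elseif { [info exists ASM_Bypass] } {
        ASM::disable
    }
    # Neither variable set: the virtual server's own policy applies.
    unset -nocomplain ASM_Policy ASM_Bypass
}
```

Requiring an explicit bypass flag means a host that is added to the routing logic without a policy decision is blocked by the default policy, which shows up in testing, instead of being served with ASM silently switched off.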
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hey,

Have you tried manually adding a websecurity profile to the VS via tmsh?

modify ltm virtual <name of virtual server> profiles add { <name of websecurity profile> }

Not tested this myself but thought I'd suggest.

N

Comments on this Answer
Comment made 1 week ago by Randy Toombs 60

I have not tried via tmsh but I have been able to create an ASM policy with really nothing in it and then apply that to the Virtual Server, and then in the iRule change the policy to the correct one based on URL request. That is how they are directing it to the different pools anyway, it is through the URL request.

This seems to have worked for the URL requests for apps that I have a policy created for, but what this also does is apply a policy to the virtual server, which would apply that to all other apps unless I specifically disable the ASM on those parts of the iRule. I guess that would be my option at this point, just try to make some kind of default policy that doesn't really do anything and then apply that one to the Virtual Server, then disable the ASM in the iRule for all URL request directions and then enable the specific policy on those that I need to.

Any others out there that have experience with this? Will having a policy set to the virtual server cause issues to all other apps that are getting directed through the iRule?
