Can non-http pass through ASM without being dropped?

Will an ASM allow non-http traffic to pass through it? Is there an option or setting that will allow it?

We are setting up an inspection zone for our external web apps, but we do have the occasional non-http virtual server. We are hoping to simplify the design and keep it the same for ALL applications.

I fully understand that we can route non-http virtual servers around the ASM, but we like to be difficult and route everything the same way. Can we do this or will ASM drop the non-http traffic?

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

ASM won't just pass through the traffic if it isn't HTTP - it will inspect it and block on HTTP non-compliance.

You can add a profile/iRule to disable the ASM policy for non-HTTP traffic, but that is only of value for things like websockets or RPC-over-HTTP where you also have normal HTTP traffic to inspect.

Do yourself a favour and only apply ASM policies to HTTP virtuals.

0
Comments on this Answer
Comment made 2 months ago by refra 428

Hello, but I have a situation where both HTTP and non-HTTP traffic are on the same IP and port, and we have to enable ASM on the HTTP traffic only, otherwise disable the ASM policy!

0
Comment made 2 months ago by S Blakely

Can you detect the transition between HTTP and non-HTTP traffic via a header or specific method?

0
Comment made 2 months ago by refra 428

Yes, the HTTP traffic starts with the GET method as supposed, but the non-HTTP traffic works on the same port and the payload starts with "Hello ...". I used an iRule to collect the first 10 bytes from the TCP payload and match on "Hello", then disable ASM and HTTP if the condition matched, but it didn't work!

0
Comment made 2 months ago by S Blakely

Can you provide the iRule?

0
Comment made 2 months ago by refra 428

Sure, the log in the iRule shows only when we test non-HTTP traffic, which means it matches the condition, but the traffic is working!

when CLIENT_ACCEPTED {
    TCP::collect 75
}

when CLIENT_DATA {
    if { [TCP::payload 75] contains "Hello UK App" } {
        #log local0. "TCP traffic [TCP::payload 75]"
        ASM::disable
        HTTP::disable
    }
    TCP::release
}
0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Your iRule collects only the first packet of each TCP connection; if the non-HTTP traffic occurs after some HTTP requests within the same TCP connection, it won't match this code!

How does your web server manage it? Is this websocket?

0
Comments on this Answer
Comment made 2 months ago by refra 428

No, the non-HTTP traffic is not websocket; it contains the same pattern in the capture, but it doesn't work as supposed!

0
Comment made 2 months ago by refra 428

Hello Stanislas, it seems there's an issue in the iRule. I went deeply into the capture, and it seems F5 doesn't send the client's request to the server until the client FINs the connection (after waiting 10 secs). What would cause this issue!!

0
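Added example, not part of the thread and not F5's own code: a first-bytes check that does not depend on a fixed `TCP::collect 75`, which holds the data until 75 bytes have arrived and so stalls any client message shorter than that. It assumes the non-HTTP payload begins with the literal `Hello UK App` taken from the iRule above; the decision is still made once per connection, so the limitation described in the answer above remains.

```tcl
when CLIENT_ACCEPTED {
    # Assumption: the non-HTTP protocol opens with this exact literal
    # (taken from the iRule posted in the thread).
    set marker "Hello UK App"
    # No length argument: CLIENT_DATA fires as soon as any data arrives.
    TCP::collect
}

when CLIENT_DATA {
    set have [TCP::payload length]
    set need [string length $marker]
    set n [expr { $have < $need ? $have : $need }]

    # Compare only the bytes received so far with the same-length marker prefix.
    set seen     [string range [TCP::payload] 0 [expr { $n - 1 }]]
    set expected [string range $marker 0 [expr { $n - 1 }]]

    if { $seen ne $expected } {
        # Cannot be the marker (for example "GET ..."): leave the HTTP
        # profile and the ASM policy active and forward immediately.
        TCP::release
        return
    }

    if { $have < $need } {
        # Still a possible match, but the marker is split across segments:
        # keep the data held and wait for the next segment.
        TCP::collect
        return
    }

    # Full marker seen at the start of the connection: bypass HTTP parsing
    # and ASM for this connection only.
    log local0. "non-HTTP client [IP::client_addr]:[TCP::client_port], ASM bypassed"
    ASM::disable
    HTTP::disable
    TCP::release
}
```

The log line records every connection that skips inspection, so the bypass can be reviewed and alerted on.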
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Andrew, regarding your original question: if on your ASM you have a separate vs for each application, then simply avoid assigning an ASM policy to the non-http virtual servers. The ASM will simply be a router for that traffic.

0