Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Answers

Single virtual server with multiple apps and ASM policies

We have a virtual server that has multiple apps associated with it and the traffic is being directed to the correct pools through an iRule. I need to setup some individual ASM policies for each app and apply them to the individual app and not a single policy to cover all of them. I know that I can in the iRule add the line to use a different ASM policy but I have had issues with logging when I do this. I see in the Local Traffic Policy properties where I can assign an ASM policy, there seems to be a rule for matching traffic there but I am not sure if I can use this option instead to identify the traffic properly and assign the ASM policy this way. I have not had issues with logging from here.

Any suggestions / ideas on this?

0
Rate this Question
Comments on this Question
Comment made 3 weeks ago by Randy Toombs 60

Image Text Here is a screen shot of what I am refering to.

0

Answers to this Question

placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi Randy,

You can assign only one ASM policy to a virtual server, not multiple.

What you could build is a layered/targeting virtual server setup. Your first virtual server will target a second "backend" virtual server instead of a pool for a specific application.

Based on host header/tls server name (use a traffic policy for this) the first virtual server will forward traffic to one of the "backend virtual servers" (Use IP addresses that the users can't reach for these virtual servers).

You can assign a ASM policy to each "backend" virtual server with the application specific security. (and a pool, application specific irules, profiles ect)

See this lightboard lesson on VIP Targeting VIP lightboard lesson

And this article for a example of the SNI routing traffic policy.

Cheers,

Kees

0
Comments on this Answer
Comment made 3 weeks ago by Randy Toombs 60

Thanks for the help. I know they are using iRules to direct the traffic to different pools based on the request. I have added different policies in the past using the iRule like this but I have ran into issues with logging and getting the logs we want where we want them. I was just hoping there may be a better way to do this. I believe the iRule will be the way we need to go.

Thanks again for your help and info.

0
Comment made 3 weeks ago by Kees van den Bos 767

.Hi Randy,

You can modify your irule to select the backend virtual server instead of the pool.
Replace "pool <pool name>" with "virtual <virtual name>" (virtual my_vs)

Your logic and logging will stay the same and you can have an ASM policy per application.

Cheers,

Kees

0