Forum Discussion

member123_60341
Jan 14, 2010

ASM - pool to be defined in http class or in VIP?

Hi,

We have two LTMs running ASM. There are two virtual servers, one for 'http' and one for 'https' (for SSL offload).

1. When we are enabling ASM, do we need to define the default pool in the 'https' virtual server, or do we need to define the pool ONLY in the 'http class'?

2. If we define the default pool in the 'https' virtual server as well as in the 'http class', is there any security risk?

I would appreciate it if you could share your expert opinion on this.

Rgds./

Joe.

9 Replies

  • Hi Joe,

    There are a few considerations. Are you using the same pool for both the HTTP and HTTPS VIP?

    Are you ever going to use multiple HTTP classes on the same VIP with any filters set?

    In a simple VIP, one ASM-enabled class and one pool scenario it shouldn't make any difference whether the pool is configured on the class or the VIP (or both). I'd say it's easier to configure the pool on the VIP so the VIP status is updated based on the pool availability. If you add the pool to the class and don't have a default pool on the VIP, the VIP status shows unknown.

    If you are going to use multiple classes with filters set, you should always add a catch-all class with no filters set and ASM enabled. This ensures that any request which doesn't match any prior class will always hit the catch-all class and go to ASM for validation.

    Aaron
  • Thanks, Aaron, for your quick response.

    Actually, we are using the same pool for the http and https VIPs. In the http VIP we haven't defined the pool, since we are using it for the http-to-https redirect. Also, we are not using multiple http classes.

    1. My confusion is: do we need to define the default pool in the https virtual server, since we are defining it already in the http class?

    2. Secondly, do you think that by defining the default pool in the virtual server ONLY and NOT in the http class, we are actually bypassing ASM, since the http class takes precedence? Not sure... any comments?

    Rgds./

    Joe
  • If you're redirecting HTTP to HTTPS you can use a simple iRule or an HTTP class without ASM enabled. The action on the class would be redirect to https://[HTTP::host][HTTP::uri]. You would not want or need to add a pool to this VIP or class as it would never be used.

    For the HTTPS VIP, you could add a single HTTP class with ASM enabled and no filters. Add the pool to the VIP--not the HTTP class. As long as you have no filters enabled on the class, all requests will go to ASM and then the VIP's default pool (assuming the request isn't blocked by ASM).

    Aaron
  • Hi Aaron,

    Let me make it more clear -

    I already have an iRule in place that is called in the http virtual server, and in the https virtual server I have defined the http class.

    Now, I have not defined any pool in the http virtual server, but I have defined the pool in the https virtual server and in the http class.

    My doubt is: if we define the pool in the https virtual server and in the http class, we are saying that if there is no match in the http class, the request will be directed to the default pool in the virtual server. So, don't you think it's a security risk?

    Ideally, we should be defining the pool in the http class and set the default pool in the virtual server to none. I am new to ASM and my understanding could be wrong. I need your expert advice.

    Rgds./

    Joe.
  • The way you have it configured is secure and fine.

    However, there is no security risk with having a default pool on the VIP if you only have one HTTP class with ASM enabled and no filters on that class. If you add a pool to the HTTP class, that pool will be used (and the default pool would never be used).

    The only downside to that approach is that the VIP status shows as unknown because TMM only checks the VIP's default pool's state.

    Aaron
  • Hi Aaron,

    We have some filters in the http class; we have defined filters like URL lists and a URI path list.

    So, which approach would be better?

    Rgds./

    Joe.

  • Hi Joe,

    I missed your last reply. If you have one or more HTTP classes with filters set, it could be possible for a request to not match any HTTP class and go to the default pool. So I'd suggest using a catch-all HTTP class with no filters and ASM enabled. You could set up a block all policy on this catch-all class to send a blocking response to any request which hits this class. Due to a quirk in class handling, you need to specify a pool with at least one member on the block all class in order to get TMM to send the request to ASM for parsing.

    Here is a solution which details the class matching logic with pools on the class(es) and/or VIP:

    SOL8018: Overview of the BIG-IP HTTP class traffic flow

    https://support.f5.com/kb/en-us/solutions/public/8000/000/sol8018.html

    Aaron
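Added illustration (not part of the thread and not F5 code): a small Python model of the HTTP class selection logic Aaron describes in his replies above and in SOL8018. Classes are evaluated top-down and the first match wins; a pool on the matching class overrides the VIP's default pool; and a request that matches no class goes straight to the VIP default pool without ASM ever seeing it, which is the bypass Joe is worried about and the reason for the catch-all class. The class names, pool names and sample requests are made up for the example, and treating host filters as case-insensitive and path filters as case-sensitive is a modelling assumption, not a statement about how BIG-IP matches.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

# Outcome of routing one request:
# (pool the request is sent to, or None if blocked; ASM saw it; ASM blocked it)
Outcome = Tuple[Optional[str], bool, bool]


@dataclass
class HttpClass:
    """One HTTP class profile attached to a virtual server (model, not F5 code).

    An empty hosts/paths list means no filter on that field; a non-empty list
    matches when any one of its glob entries matches.
    """
    name: str
    hosts: List[str] = field(default_factory=list)
    paths: List[str] = field(default_factory=list)
    asm: bool = False              # "ASM enabled" on the class
    pool: Optional[str] = None     # a pool here overrides the VIP default pool
    block_all: bool = False        # the ASM policy bound here rejects everything

    def matches(self, host: str, path: str) -> bool:
        # Modelling assumption: hosts compare case-insensitively, paths do not.
        host_ok = not self.hosts or any(fnmatchcase(host.lower(), h.lower()) for h in self.hosts)
        path_ok = not self.paths or any(fnmatchcase(path, p) for p in self.paths)
        return host_ok and path_ok


@dataclass
class VirtualServer:
    name: str
    default_pool: Optional[str]
    classes: List[HttpClass]       # evaluated in this order; first match wins

    def route(self, host: str, path: str) -> Outcome:
        for cls in self.classes:
            if cls.matches(host, path):
                if cls.asm and cls.block_all:
                    return (None, True, True)
                return (cls.pool or self.default_pool, cls.asm, False)
        # No class matched: straight to the VIP default pool, ASM never sees it.
        return (self.default_pool, False, False)

    def uninspected(self, requests):
        """Requests that reach a pool without passing through ASM."""
        out = []
        for host, path in requests:
            pool, seen_by_asm, _ = self.route(host, path)
            if pool is not None and not seen_by_asm:
                out.append((host, path))
        return out


# Filtered class like Joe's: only the known application paths are listed.
APP_CLASS = HttpClass("asm_app", hosts=["www.example.com"],
                      paths=["/", "/login", "/app/*"], asm=True, pool="web_pool")

# Catch-all: no filters, ASM enabled, block-all policy. It still names a pool
# because, per the thread, TMM only hands the request to ASM when the class
# resolves to a pool with at least one member.
CATCH_ALL = HttpClass("asm_catchall", asm=True, pool="web_pool", block_all=True)

VS_NO_CATCHALL = VirtualServer("vs_https", "web_pool", [APP_CLASS])
VS_WITH_CATCHALL = VirtualServer("vs_https", "web_pool", [APP_CLASS, CATCH_ALL])

# Constructed sample requests; the last three match none of APP_CLASS's filters.
SAMPLE = [("www.example.com", "/login"),
          ("www.example.com", "/app/report"),
          ("www.example.com", "/admin/backup.tgz"),
          ("WWW.EXAMPLE.COM", "/LOGIN"),
          ("10.0.0.1", "/login")]

if __name__ == "__main__":
    for vs in (VS_NO_CATCHALL, VS_WITH_CATCHALL):
        print([c.name for c in vs.classes], "uninspected:", vs.uninspected(SAMPLE))
```

Running it shows three of the five sample requests reaching web_pool without inspection when only the filtered class is present, and none once the catch-all class is appended; the `uninspected()` audit is the check worth running against your own filter lists before relying on them.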
  • Hi Aaron,

    I have a VIP with several HTTP classes. Do I need to add ASM to each HTTP class? Or is there a way to call ASM via an iRule?

    Thanks

    Wallace

  • nathe

    Wallace,

    "Do I need to add ASM to each HTTP class?" - depends, really. The HTTP class profiles can distinguish the traffic based on host name, URI, etc. and then enable ASM or not. They work in a top-down order too, and the first one it matches it uses. If you want all the traffic to be security enabled, notwithstanding the order config in the class, then yes, you may have to enable it on every one.

    Re iRules and ASM see: https://devcentral.f5.com/wiki/iRules.asm.ashx

    Hope this helps, N