How to handle ASM in HTTP_CLASSes

Question

Hi. 
&nbsp; We're having some issues setting up our ASM, as it behaves quite strangely. 
&nbsp; First, I'll try to explain our setup: 
&nbsp;  
&nbsp; We have various VirtualServers (VS) and we use HTTP_CLASS-Profiles a lot to redirect our traffic. 
&nbsp; Now we'd like to activate ASM and we do the following: we create a HTTP_CLASS and enable ASM in it. This HTTP_CLASS does nothing more. 
&nbsp;  
&nbsp; Then we add this HTTP_CLASS-Profile as resource in a VS, and it seems to work. Although, if we put this Profile as the first in the list, the other HTTP_CLASS-Profiles do not work anymore. Given this strange behaviour, we think, maybe this is not the real way to enable/implement ASM on the LTM? 
&nbsp;  
&nbsp; Could you give us some advise? 
&nbsp;  
&nbsp;  
&nbsp; Thank you. 
&nbsp;  
&nbsp; Markus

hooleylist · Answer

Hi Markus, 
&nbsp;  
&nbsp; Only one HTTP class can be matched and used to process a single HTTP request.   
&nbsp;  
&nbsp; If you have some requests you want to redirect, you could add the ASM enabled HTTP class last in the list of classes on the VIP.  All requests which were previously redirected using the non-ASM HTTP classes would still be redirected (without going through ASM).  All other requests which don't match a non-ASM redirecting class would be sent to ASM and then the pool on the ASM HTTP class.  If the ASM HTTP class doesn't have a pool configured then the VIP's default pool would be used. 
&nbsp;  
&nbsp; Aaron

mpfeifer_63884 · Answer

Hi Aaron. 
&nbsp; Thanks for your reply.  
&nbsp; Although it doesn't quite reflect our problem. 
&nbsp;  
&nbsp; By saying that we use HTTP-class to "redirect our traffic" I mean something like "if URI is foo, then use pool bar" 
&nbsp; But we still would like to have this action protected by the ASM-Module.  
&nbsp;  
&nbsp; As I understand, putting the ASM-enabled HTTP-class at the end of the VIP resources list, would not protect the actions done by the previous HTTP-classes.  
&nbsp; I hope I could explain the issue. 
&nbsp;  
&nbsp; regards, 
&nbsp;  
&nbsp; Markus

hooleylist · Answer

Hi Markus, 
&nbsp;  
&nbsp; Thanks for clarifying.  If you want to do pool selection and use ASM validate the traffic, you can enable ASM on each HTTP class.  This would require separate ASM web apps for each class.  If you want to use one policy for all of the web apps, you'd need to manually export and import the policy between web apps.  This would be a nuisance from a management perspective.   
&nbsp;  
&nbsp; Another option would be to use a single HTTP class with ASM enabled and no filters.  All traffic would match this class.  You could then use an iRule to do the pool selection.  You can do pool selection in the HTTP_CLASSS_SELECTED event. 
&nbsp;  
&nbsp; Aaron

Forum Discussion

How to handle ASM in HTTP_CLASSes

3 Replies

Recent Discussions

F5Access | MacOS Sonoma

Rewrite uri translation not working

Chrome V 124+ on MacOS - Virtual Server Access Issue

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Related Content

Intermediate iRules: Handling Strings

Handle False Positive for files upload

Intermediate iRules: Handling Lists

Handling HTTP Requests on an HTTPS Virtual Server

iRules LX Sideband Connection - Handling timeouts