htkiet_42906
Mar 21, 2014

Pilot for ASM deployment

Hello friends,

 

Can you please help me as below:

 

I am deploying ASM for our customer, a bank. It is being used for internet banking, web applications, ... The ASM has already learnt the traffic, and now, before what has been learnt is applied to the policy, which will affect all users, the customer wants a pilot first, in which the policy is applied only to the internal users. However, the customer doesn't want to create another virtual server (for the pilot), because the customer can't manage whether the internal users use the real server (e.g. f5.com) or the pilot one (e.g. f5-1.com). So the question is whether there is a way to apply the policy based on the IP address, so that only the internal users with a specific range of IP addresses are affected by this policy.

 

I'm expecting and appreciate your reply.

 

Thank you! Kiet

 

2 Replies

  • nathe

    Kiet,

    Would this simple iRule work? I've taken this from another post, "bypass ASM":

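    when HTTP_CLASS_SELECTED {
      # Enable ASM by default for requests that matched the HTTP class
      ASM::enable
      # class match has no "ne" operator, so negate an "equals" match:
      # disable ASM for any client address not in the asm_internal data group
      if { ![class match [IP::client_addr] equals asm_internal] } {
        ASM::disable
      }
    }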
    

    So, create a datagroup called asm_internal with your internal IP address range and any source IP which doesn't match this will have ASM disabled.

    Hope this helps,

    N

  • Thank you very much Nathan! Our ASM is currently running version 11.2.1. So what I need to do is:

    1. Create a data group (if you have document on how to .
    2. Create an iRule as you suggested
    3. Apply that iRule to the virtual servers

    Please correct me if I am wrong somewhere.

     

    Best regards, Kiet
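
The three steps listed in the last reply, written out as an added example in tmsh configuration-file format; it is not code from either poster. The data group name asm_internal comes from the thread, while the rule name asm_pilot, the virtual server name vs_ibank and the subnets are assumptions made for illustration.

```tcl
# Constructed example in tmsh configuration-file format (BIG-IP 11.x).
# Assumed names: rule "asm_pilot", virtual server "vs_ibank"; the subnets
# are placeholders for the real internal ranges.

# Step 1: address-type data group holding the pilot (internal) source ranges.
ltm data-group internal asm_internal {
    records {
        10.10.0.0/16 { }
        192.168.50.0/24 { }
    }
    type ip
}

# Step 2: iRule that leaves ASM on only for clients in the data group.
ltm rule asm_pilot {
    when HTTP_CLASS_SELECTED {
        # Default for every request that matched the ASM-enabled HTTP class.
        ASM::enable
        # class match accepts equals/starts_with/ends_with/contains, so the
        # "not in group" test is a negated equals. For an ip-type group,
        # equals matches any address inside a listed subnet.
        if { ![class match [IP::client_addr] equals asm_internal] } {
            ASM::disable
        }
    }
}

# Step 3: attach the rule to the existing virtual server, from tmsh:
#   modify ltm virtual vs_ibank rules { asm_pilot }
# This sets the virtual server's whole rule list, so include any rules
# that are already attached inside the braces.
```

IP::client_addr is the source address of the connection as the BIG-IP sees it, so if internal users reach the virtual server through a NAT or proxy, the data group has to list that translated address.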