Thibaut_91745
Apr 09, 2014

ASM on HTTP and HTTPs VS

Hi all,

I'm pretty new with the ASM module on F5 and I was wondering how you usually implement this module on your http(s) virtual servers. Actually, I have 1 website and 2 virtual servers: one VS listening on HTTP and one on HTTPS (with SSL termination on the F5 - the traffic between the F5 and the HTTP servers is not encrypted). The 2 VS are load balancing to the same servers; the HTTPs is mostly used when logging on to the website and when you are logged in.

Since the ASM is "bound" to a virtual server... logically I should have two security policies, but I don't think this is optimised?

I was wondering if a better solution would be to have an iRule HTTP to HTTPs redirect, so all the traffic is forced onto the HTTPs VS and have only one security policy to manage on the HTTPs virtual server?

How do you usually implement the ASM when you have HTTP and HTTPs VS?

Thanks for your help

 

5 Replies

  • Humm... I didn't see when creating a security policy that we could directly put HTTP and HTTPS for the application use and have the ASM bound to both VS in one!
  • You'll definitely want to keep the same policy applied to HTTP and HTTPS virtual servers that are referencing the same application/servers on the back end. Otherwise you may get inconsistent results from a blocking perspective.

     

  • Mark_Lowcher_62
    Historic F5 Account
    What version of F5 code are you running? Any of the later versions will allow you to select both http and https for the policy. It gives you that option when you run the template.
  • Hi,

    Thanks for your answers. I'm running code 1.4.1 so I have the HTTP and HTTPs option on the same security policy, so that's great. Just for my information, on previous code, how was this done?

    Thanks again.

     

  • Prior to v11.4, security policies could be assigned to HTTP classes. The HTTP classes were then applied to virtual servers. If you had a separate 80 and 443 virtual server for the same content, you'd need to apply the HTTP class to both of the virtual servers.