Forum Discussion

Telnet_178675
Dec 20, 2014

Irule to disable ASM

I have 2 servers. I want to keep forwarding traffic to server1, and in this case ASM should be disabled. Once server1 is down, I want to forward to server2 and enable ASM checking. If server1 is online again, I should forward to it and disable ASM, as it was initially.

Created a VS and two pools, each with one pool member under it.

Below iRule is now working; once ASM is enabled on the VS it is always enabled and never goes disabled again when server1 comes back online.

    when HTTP_REQUEST {
        # Check Pool-1 status: if up, forward to it and make sure ASM is disabled.
        # Otherwise forward to Pool-2 and enable ASM.
        if { [active_members Pool-1] >= 1 } {
            pool Pool-1
            ASM::disable
        } elseif { [active_members Pool-2] >= 1 } {
            pool Pool-2
            ASM::enable policy-name
        }
    }

6 Replies

  • once ASM is enabled ON VS it is always enabled & never goes disabled again when server1 comes back online

    does server1 get traffic (after coming back online)?

    this is my testing and it seems to be working correctly.

     configuration
    
    root@(B11050-R72-S12)(cfg-sync Standalone)(Active)(/Common)(tmos) list ltm virtual bar
    ltm virtual bar {
        destination 100.100.100.100:http
        ip-protocol tcp
        mask 255.255.255.255
        policies {
            asm_auto_l7_policy__bar
        }
        profiles {
            http { }
            tcp { }
            websecurity { }
        }
        rules {
            qux
        }
        security-log-profiles {
            "Log illegal requests"
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vs-index 2
    }
    root@(B11050-R72-S12)(cfg-sync Standalone)(Active)(/Common)(tmos) list ltm policy asm_auto_l7_policy__bar
    ltm policy asm_auto_l7_policy__bar {
        controls { asm }
        requires { http }
        rules {
            default {
                actions {
                    1 {
                        asm
                        enable
                        policy /Common/bar
                    }
                }
                ordinal 1
            }
        }
        strategy first-match
    }
    root@(B11050-R72-S12)(cfg-sync Standalone)(Active)(/Common)(tmos) list ltm rule qux
    ltm rule qux {
        when HTTP_REQUEST {
      if { [active_members foo1] > 0 } {
        ASM::disable
        pool foo1
      } elseif { [active_members foo2] > 0 } {
        ASM::enable /Common/bar
        pool foo2
      } else {
        reject
      }
      log local0. "Client=[IP::client_addr]:[TCP::client_port] Host=[HTTP::host] URI=[HTTP::uri] Pool=[LB::server pool]"
    }
    when ASM_REQUEST_DONE {
      log local0. "Client=[IP::client_addr]:[TCP::client_port] Host=[HTTP::host] URI=[HTTP::uri] Pool=[LB::server pool]"
    }
    }
    
     test
    
    [root@B11050-R72-S12:Active:Standalone] config  tail -f /var/log/ltm
    Dec 20 03:47:06 B11050-R72-S12 info tmm2[21668]: Rule /Common/qux : Client=100.100.100.3:37773 Host=100.100.100.100 URI=/first Pool=/Common/foo1
    Dec 20 03:47:16 B11050-R72-S12 info tmm3[21668]: Rule /Common/qux : Client=100.100.100.3:37774 Host=100.100.100.100 URI=/second Pool=/Common/foo1
    Dec 20 03:47:23 B11050-R72-S12 notice mcpd[7215]: 01070638:5: Pool /Common/foo1 member /Common/200.200.200.101:80 monitor status down. [ /Common/fake: down ]  [ was unchecked for 0hr:2mins:50sec ]
    Dec 20 03:47:23 B11050-R72-S12 err tmm10[21669]: 01010028:3: No members available for pool /Common/foo1
    Dec 20 03:47:23 B11050-R72-S12 err tmm6[21669]: 01010028:3: No members available for pool /Common/foo1
    Dec 20 03:47:23 B11050-R72-S12 err tmm2[21668]: 01010028:3: No members available for pool /Common/foo1
    Dec 20 03:47:23 B11050-R72-S12 err tmm9[21669]: 01010028:3: No members available for pool /Common/foo1
    Dec 20 03:47:23 B11050-R72-S12 err tmm4[21668]: 01010028:3: No members available for pool /Common/foo1
    Dec 20 03:47:23 B11050-R72-S12 err tmm5[21668]: 01010028:3: No members available for pool /Common/foo1
    Dec 20 03:47:23 B11050-R72-S12 err tmm8[21669]: 01010028:3: No members available for pool /Common/foo1
    Dec 20 03:47:23 B11050-R72-S12 err tmm[21668]: 01010028:3: No members available for pool /Common/foo1
    Dec 20 03:47:23 B11050-R72-S12 err tmm7[21669]: 01010028:3: No members available for pool /Common/foo1
    Dec 20 03:47:23 B11050-R72-S12 err tmm3[21668]: 01010028:3: No members available for pool /Common/foo1
    Dec 20 03:47:23 B11050-R72-S12 err tmm1[21668]: 01010028:3: No members available for pool /Common/foo1
    Dec 20 03:47:23 B11050-R72-S12 err tmm11[21669]: 01010028:3: No members available for pool /Common/foo1
    Dec 20 03:47:26 B11050-R72-S12 info tmm5[21668]: Rule /Common/qux : Client=100.100.100.3:37775 Host=100.100.100.100 URI=/third Pool=/Common/foo2
    Dec 20 03:47:26 B11050-R72-S12 info tmm5[21668]: Rule /Common/qux : Client=100.100.100.3:37775 Host=100.100.100.100 URI=/third Pool=/Common/foo2
    Dec 20 03:47:56 B11050-R72-S12 info tmm4[21668]: Rule /Common/qux : Client=100.100.100.3:37777 Host=100.100.100.100 URI=/fourth Pool=/Common/foo2
    Dec 20 03:47:56 B11050-R72-S12 info tmm4[21668]: Rule /Common/qux : Client=100.100.100.3:37777 Host=100.100.100.100 URI=/fourth Pool=/Common/foo2
    Dec 20 03:48:00 B11050-R72-S12 notice mcpd[7215]: 01070638:5: Pool /Common/foo1 member /Common/200.200.200.101:80 monitor status unchecked. [  ]  [ was down for 0hr:0min:37sec ]
    Dec 20 03:48:00 B11050-R72-S12 err tmm2[21668]: 01010221:3: Pool /Common/foo1 now has available members
    Dec 20 03:48:00 B11050-R72-S12 err tmm[21668]: 01010221:3: Pool /Common/foo1 now has available members
    Dec 20 03:48:00 B11050-R72-S12 err tmm5[21668]: 01010221:3: Pool /Common/foo1 now has available members
    Dec 20 03:48:00 B11050-R72-S12 err tmm11[21669]: 01010221:3: Pool /Common/foo1 now has available members
    Dec 20 03:48:00 B11050-R72-S12 err tmm3[21668]: 01010221:3: Pool /Common/foo1 now has available members
    Dec 20 03:48:00 B11050-R72-S12 err tmm4[21668]: 01010221:3: Pool /Common/foo1 now has available members
    Dec 20 03:48:00 B11050-R72-S12 err tmm1[21668]: 01010221:3: Pool /Common/foo1 now has available members
    Dec 20 03:48:00 B11050-R72-S12 err tmm9[21669]: 01010221:3: Pool /Common/foo1 now has available members
    Dec 20 03:48:00 B11050-R72-S12 err tmm6[21669]: 01010221:3: Pool /Common/foo1 now has available members
    Dec 20 03:48:00 B11050-R72-S12 err tmm10[21669]: 01010221:3: Pool /Common/foo1 now has available members
    Dec 20 03:48:00 B11050-R72-S12 err tmm8[21669]: 01010221:3: Pool /Common/foo1 now has available members
    Dec 20 03:48:00 B11050-R72-S12 err tmm7[21669]: 01010221:3: Pool /Common/foo1 now has available members
    Dec 20 03:48:05 B11050-R72-S12 info tmm7[21669]: Rule /Common/qux : Client=100.100.100.3:37778 Host=100.100.100.100 URI=/fifth Pool=/Common/foo1
    Dec 20 03:48:13 B11050-R72-S12 info tmm10[21669]: Rule /Common/qux : Client=100.100.100.3:37779 Host=100.100.100.100 URI=/sixth Pool=/Common/foo1
    
    • nitass
      Sys::Version
      Main Package
        Product  BIG-IP
        Version  11.5.1
        Build    6.0.159
        Edition  Hotfix HF6
        Date     Wed Nov 26 15:08:40 PST 2014
  • Mine is 11.3, so I'm using "ASM::enable" without a policy name. Is it a must that I upgrade to 11.5?

     

    • nitass
      I do not think it is a good idea to upgrade without knowing the root cause (an upgrade will not help if the problem is not caused by the version). Have you tried adding an iRule logging command to see if traffic matches the if-condition correctly?
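
Added example (not part of the thread and not F5 code): a small Python audit of `/var/log/ltm` output in the format produced by the `qux` rule above, checking for every request that the pool used and the ASM state match the intended policy. It assumes the primary pool is healthy when the log starts, and that a second identical rule line for the same client and URI comes from the `ASM_REQUEST_DONE` handler, meaning ASM processed that request; the function name `audit` is hypothetical.

```python
import re

# Excerpt of the /var/log/ltm test output above (one tmm line kept per pool event).
SAMPLE_LOG = """\
Dec 20 03:47:06 B11050-R72-S12 info tmm2[21668]: Rule /Common/qux : Client=100.100.100.3:37773 Host=100.100.100.100 URI=/first Pool=/Common/foo1
Dec 20 03:47:23 B11050-R72-S12 err tmm2[21668]: 01010028:3: No members available for pool /Common/foo1
Dec 20 03:47:26 B11050-R72-S12 info tmm5[21668]: Rule /Common/qux : Client=100.100.100.3:37775 Host=100.100.100.100 URI=/third Pool=/Common/foo2
Dec 20 03:47:26 B11050-R72-S12 info tmm5[21668]: Rule /Common/qux : Client=100.100.100.3:37775 Host=100.100.100.100 URI=/third Pool=/Common/foo2
Dec 20 03:48:00 B11050-R72-S12 err tmm2[21668]: 01010221:3: Pool /Common/foo1 now has available members
Dec 20 03:48:05 B11050-R72-S12 info tmm7[21669]: Rule /Common/qux : Client=100.100.100.3:37778 Host=100.100.100.100 URI=/fifth Pool=/Common/foo1
"""

RULE_RE = re.compile(r"Rule \S+ : Client=(\S+) Host=\S+ URI=(\S+) Pool=(\S+)")
DOWN_RE = re.compile(r"No members available for pool (\S+)")
UP_RE = re.compile(r"Pool (\S+) now has available members")


def audit(log_text, primary="/Common/foo1"):
    """Return one record per request: pool used, whether ASM ran, and whether
    that matches the intended policy (primary up -> primary pool, ASM off)."""
    primary_up = True  # assumption: the primary pool is healthy when the log starts
    requests = {}      # (client ip:port, uri) -> record, kept in first-seen order
    for line in log_text.splitlines():
        if (m := RULE_RE.search(line)):
            client, uri, pool = m.groups()
            rec = requests.setdefault(
                (client, uri),
                {"uri": uri, "pool": pool, "primary_up": primary_up, "lines": 0})
            rec["lines"] += 1
        elif (m := DOWN_RE.search(line)) and m.group(1) == primary:
            primary_up = False
        elif (m := UP_RE.search(line)) and m.group(1) == primary:
            primary_up = True
    for rec in requests.values():
        # qux logs once in HTTP_REQUEST and again in ASM_REQUEST_DONE, so a
        # second identical line is taken to mean ASM processed the request.
        rec["asm"] = rec["lines"] >= 2
        used_primary = rec["pool"] == primary
        rec["ok"] = used_primary == rec["primary_up"] and rec["asm"] != used_primary
    return list(requests.values())


if __name__ == "__main__":
    for r in audit(SAMPLE_LOG):
        print(f'{r["uri"]:8} pool={r["pool"]} asm={r["asm"]} ok={r["ok"]}')
```

A record with `ok` set to false while `primary_up` is true is the symptom reported in the question: traffic still inspected by ASM or still sent to the second pool after server1 has recovered. Requests repeated with the same URI on one keep-alive connection share a key and would be counted together.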