Zebra_131802
Nov 18, 2015

ASM httpclass to local policy

I am doing some work to migrate ASM policies based on httpclass to local traffic policies.

Currently I have a number of ASM policies applied to the same virtual server through a number of httpclasses. The structure is like this:

match URI 1 -> asm policy 1
match URI 2 -> asm policy 2
match URI 3 -> asm policy 3
Otherwise deny all

With httpclass, each line can be represented with an httpclass. I am having difficulties with the local traffic policy: when ASM is selected as a control, I must provide a default policy with an ASM policy, and I need to make it a default deny. Can anyone suggest how to implement a default deny with an ASM policy?

Thanks


2 Replies

  • You do not need to define a default ASM policy. You only need to define a default ASM action which could be "ASM Disable".

    Use the lp_sample for your reference.

    action_default: If HTTP path match is false, request will receive TCP/RST packet from F5 in response.

    action_conditional1: If HTTP path match is true (/parentpath/subpath/path1 or /parentpath/subpath/anotherpath), F5 will enable ASM security policy sp_securitypolicy1.

    action_conditional2: If HTTP path match is true (/parentpath/path2 or /parentpath/anotherpath2), F5 will enable ASM security policy sp_securitypolicy2.

    ltm policy /Common/lp_sample {
        controls { asm forwarding }
        requires { http }
        rules {
            action_conditional1 {
                actions {
                    0 {
                        asm
                        enable
                        policy /Common/sp_securitypolicy1
                    }
                }
                conditions {
                    0 {
                        http-uri
                        path
                        values { /parentpath/subpath/path1 /parentpath/subpath/anotherpath }
                    }
                }
                ordinal 2
            }
            action_conditional2 {
                actions {
                    0 {
                        asm
                        enable
                        policy /Common/sp_securitypolicy2
                    }
                }
                conditions {
                    0 {
                        http-uri
                        path
                        values { /parentpath/path2 /parentpath/anotherpath2 }
                    }
                }
                ordinal 3
            }
            action_default {
                actions {
                    0 {
                        forward
                        reset
                    }
                    1 {
                        asm
                        disable
                    }
                }
                ordinal 1
            }
        }
        strategy /Common/best-match
    }
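
An added example (not part of the reply above, and not F5 code): a Python check that parses the reply's lp_sample in tmsh one-line form and confirms the default-deny layout holds before the policy is attached to a virtual server. It assumes `http-uri path` conditions are exact matches and models rule selection in a simplified way (a rule whose path matches wins, otherwise the rule with no conditions applies); the function names and the "no-asm" label are illustrative.

```python
import re

# Constructed input: the reply's lp_sample written in tmsh one-line form.
LP_SAMPLE = """ltm policy /Common/lp_sample { controls { asm forwarding } requires { http } rules {
 action_conditional1 { actions { 0 { asm enable policy /Common/sp_securitypolicy1 } } conditions { 0 { http-uri path values { /parentpath/subpath/path1 /parentpath/subpath/anotherpath } } } ordinal 2 }
 action_conditional2 { actions { 0 { asm enable policy /Common/sp_securitypolicy2 } } conditions { 0 { http-uri path values { /parentpath/path2 /parentpath/anotherpath2 } } } ordinal 3 }
 action_default { actions { 0 { forward reset } 1 { asm disable } } ordinal 1 }
} strategy /Common/best-match }"""

def parse_block(tokens):
    """Consume tokens up to the matching '}' into bare words and named sub-blocks."""
    node = {"words": [], "blocks": {}}
    while tokens:
        tok = tokens.pop(0)
        if tok == "}":
            break
        if tokens and tokens[0] == "{":
            tokens.pop(0)
            node["blocks"][tok] = parse_block(tokens)
        else:
            node["words"].append(tok)
    return node

def load_rules(text):
    """Return {rule_name: (set_of_paths, [action_word_lists])} for one ltm policy."""
    root = parse_block(re.findall(r"[{}]|[^\s{}]+", text))
    policy = next(iter(root["blocks"].values()))
    rules = {}
    for name, rule in policy["blocks"]["rules"]["blocks"].items():
        conds = rule["blocks"].get("conditions", {"blocks": {}})["blocks"].values()
        paths = {p for c in conds for p in c["blocks"]["values"]["words"]}
        acts = [a["words"] for a in rule["blocks"]["actions"]["blocks"].values()]
        rules[name] = (paths, acts)
    return rules

def verdict(rules, path):
    """Simplified model (assumption): exact path match, else the condition-less rule."""
    hit = [a for p, a in rules.values() if path in p] or [a for p, a in rules.values() if not p]
    acts = [w for a in hit for w in a]
    if ["forward", "reset"] in acts:
        return "reset"
    enabled = [w[3] for w in acts if w[:3] == ["asm", "enable", "policy"]]
    return "asm:" + enabled[0] if enabled else "no-asm"

def audit(rules):
    """Findings that break the default-deny layout (empty list means it holds)."""
    defaults = [a for p, a in rules.values() if not p]
    ok = len(defaults) == 1 and ["forward", "reset"] in defaults[0]
    out = [] if ok else ["no single condition-less rule with 'forward reset'"]
    return out + [f"{n}: no ASM policy enabled" for n, (p, a) in rules.items()
                  if p and not any(w[:3] == ["asm", "enable", "policy"] for w in a)]
```

Feed it the output of `tmsh list ltm policy <name> one-line`; a default rule that only disables ASM without `forward reset` is reported by `audit` and shows up as "no-asm" in `verdict` for unlisted paths.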