Forum Discussion

Niles_245942's avatar
Niles_245942
Icon for Nimbostratus rankNimbostratus
Mar 14, 2016

irule to select ASM policy using policy rules

Hi Experts,

This case reflects 11.2.1 -> 11.6.0 HF6 upgrade test. While assessing 11.2.1 configuration, it was identified that 3 irules use HTTP_CLASS_SELECTED method, which create conflicts during upgrade to 11.6.0 HF6. So to avoid this respective HTTP_CLASS_SELECTED configuration has been commented out in irules before upgrade. With this step 11.2.1-> 11.6.0 HF 6 performed. Now I am trying to reconfigure irule to match newly created policy rules. Can you please go through below iRule and comment if you have any suggestions please?

     when HTTP_CLASS_SELECTED {
          ASM::enable
          if { [HTTP::path] equals "/Results/StudyTemplate/Save" } {
              ASM::disable
          }
    }
    

    when HTTP_REQUEST {
            if {[llength [POLICY::names matched]] > 0} {
            switch -glob [POLICY::rules matched]{

            policy rule name=labportal_HTTP_Class_policy_rule //asm policy name =/Common/labportal_HTTP_Class
            "labportal_HTTP_Class_policy_rule"{
                ASM::enable "/Common/labportal_HTTP_Class"
                return
            }

            "BMT_HTTP_Class_policy_rule"{
            policy rule name=BMT_HTTP_Class_policy_rule //asm policy name =/Common/BMT_HTTP_Class
                ASM::enable "/Common/BMT_HTTP_Class"
                return
            }

            "SciPortal_HTTP_Class_policy_rule"{
            policy rule name=SciPortal_HTTP_Class_policy_rule //asm policy name =/Common/SciPortal_HTTP_Class
                ASM::enable "/Common/BMT_HTTP_Class"
                return
            }

            "Recruitment_HTTP_class_policy_rule"{
            policy rule name=Recruitment_HTTP_class_policy_rule //asm policy name = /Common/Recruitment_HTTP_class
                ASM::enable "/Common/Recruitment_HTTP_class"
                return
            }
     if { [HTTP::path] equals "/Results/StudyTemplate/Save" } {
      ASM::disable
  }

}

Appreciate your suggestions to improve this iRule.

Cheers, Nisal

application delivery
ASM Advanced WAF
LTM

3 Replies

Sort By
  • Richard_Karon's avatar
    Richard_Karon
    Icon for Employee rankEmployee
    Mar 19, 2016
    Can you please describe the purpose of the original code? Be as specific as you can. Instead of trying to adapt something that was written for use with httpclasses, you quite possibly are able to use an ltm traffic policy instead.
  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    Mar 19, 2016

    Hi,

     

    Why are you trying to use irule to configure ASM instead of defining it in the Policy...

     

    All the conditions you use can be done in Policies.

     

    Migration from HTTP Class to Policies is to limit use of irules.

     

    Stanislas

     

  • Niles_245942's avatar
    Niles_245942
    Icon for Nimbostratus rankNimbostratus
    Mar 22, 2016

    Hi Santhalis & Richard, Thanks for your input. I have considered your comments and edited the irule below. I can see http-class profiles have been converted by the big-ip to local policies which includes multiple policy rules. What I am trying to achieve below is that to disable ASM if http uri contains "/Results/StudyTemplate/Save" as below. 

     when HTTP_CLASS_SELECTED {
          ASM::enable
          if { [HTTP::path] equals "/Results/StudyTemplate/Save" } {
              ASM::disable
          }
    }
    
   when HTTP_REQUEST {
                    if { [HTTP::uri] starts_with "/Results/StudyTemplate/Save" } {
                 ASM::disable
                    }
    HTTP::header insert X-Forwarded-For [IP::remote_addr]
    switch -glob [string tolower [HTTP::host]] {
         "*recruitment*" {
            pool DMZ_WEBv01
            return
            } 
        "*recruitmentstage*" {
             Define appropriate pool for webserver hosting web site
            pool DMZ_WEBv02
            return 
        }
}
 }

    Please let me know if you have any comments.

    Regards, Niles