Steph_282542
Oct 05, 2017

ASM Policy in "Blocking" Mode switch to "Transparent" for some IP's

I have a policy that I need to switch to blocking but the business want to have a phased approach. Only the testing team should be in Blocking, while the rest of the business (a different IP range) remains in transparent.

 

I need to keep the same policy so that I can "prove" that everything is running fine.

Is there a method to do that? Was thinking about an iRule but don't know how. I know how to disable ASM with an iRule but, that's something I don't want because I need to keep the learning suggestions.

 

Bye St.

 

5 Replies

  • Steph

    Thank you,

     

    This would be exactly what I need... but the other way around. I need to block a specific range e.g. 10.10.10.0/24 but allow all the others.

     

    With the built-in solution, I can only "unblock" a specific range, I don't know how to unblock ALL but 10.10.10.0/24.

     

  • Are your users coming in from the global internet then, or are they coming from a specific intranet? You can still use the exclusions list, but it's more work.

     

    Another option would be to duplicate your policy and have a transparent policy that is an exact match for your blocking policy, but is the default for the virtual server while the 10.10.10.0/24 network is sent to the blocking policy.

     

    This would require you to be disciplined about changes, but would probably be the simplest way to handle this.

     

  • Steph

    Hi Chris,

     

    I had the idea of duplicating the policy, the discipline about syncing both policies is not an issue ;) The tools on the F5 (Policy Diff) will help a lot. The concerns are more related to the business who want "One and Same" policy for both.

     

    You are correct, there will be the internal IP range which should be in blocking mode in the first place, and the rest of the world in transparent.

     

    There will be 2 VS pointing to the same policy:

    * one internal
    * one for the others

     

    Using the exclusion list will make the story a bit complicated. An iRule to disable ASM would take not more than 3 lines of code... instead of a "disable ASM" I could use a command to set the policy to transparent... but I can't find anything about that.

     

  • Truthfully I'm not sure this use case occurred to the team that developed the ASM. The ASM is designed to be used in transparent, then moved to blocking. Because the transparent/blocking setting is a setting that is global for the entire policy, it can't be easily toggled on and off per connection.

     

    ASM can be disabled for certain flows very easily, as we simply pass the request to the back end servers without handing it off to bd (the ASM process). Setting ASM to transparent for certain IPs would be far less straightforward (and is likely why iRules can't do it). You might be able to convince PD to whip something up to do this, but likely not without paying for the feature (an expensive proposition, but your Account team can help).

     

    Barring that, duplicate policies will be your best option.
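
The duplicate-policy approach recommended in the thread, sketched as an iRule. This is an added example, not code posted by any participant; the two policy names and the data group name are hypothetical, and it assumes the virtual server already has application security enabled so that `ASM::enable` can switch policies per request.

```tcl
# Added example, not from the thread. Assumed (hypothetical) names:
#   /Common/app_policy_blocking     - copy of the policy, enforcement mode Blocking
#   /Common/app_policy_transparent  - identical copy, enforcement mode Transparent
#   /Common/asm_blocking_clients    - address data group holding 10.10.10.0/24
when HTTP_REQUEST {
    # Decide on the connection's source address, not on a client-supplied
    # header such as X-Forwarded-For, which the sender controls.
    if { [class match [IP::client_addr] equals /Common/asm_blocking_clients] } {
        # Testing team: violations are enforced.
        ASM::enable /Common/app_policy_blocking
    } else {
        # Everyone else: same rule set, violations are only logged.
        ASM::enable /Common/app_policy_transparent
    }
}
```

Each copy collects its own learning suggestions, so accepted changes have to be applied to both; the Policy Diff tool mentioned above is the check for drift between them.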