Randy_Toombs_35

Jan 25, 2019

Single virtual server with multiple apps and ASM policies

We have a virtual server that has multiple apps associated with it, and the traffic is being directed to the correct pools through an iRule. I need to set up some individual ASM policies for each app and apply them to the individual app, and not a single policy to cover all of them. I know that I can add the line in the iRule to use a different ASM policy, but I have had issues with logging when I do this. I see in the Local Traffic Policy properties where I can assign an ASM policy; there seems to be a rule for matching traffic there, but I am not sure if I can use this option instead to identify the traffic properly and assign the ASM policy this way. I have not had issues with logging from here.

 

Any suggestions / ideas on this?

 

2 Replies

  • Hi Randy,

    You can assign only one ASM policy to a virtual server, not multiple.

    What you could build is a layered/targeting virtual server setup. Your first virtual server will target a second "backend" virtual server instead of a pool for a specific application.

    Based on the host header/TLS server name (use a traffic policy for this), the first virtual server will forward traffic to one of the "backend" virtual servers (use IP addresses that the users can't reach for these virtual servers).

    You can assign an ASM policy to each "backend" virtual server with the application-specific security (and a pool, application-specific iRules, profiles, etc.).

    See this lightboard lesson on VIP Targeting VIP.

    And this article for an example of the SNI routing traffic policy.

    Cheers,

    Kees
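
The routing step of the layered setup described in the reply above, written as an iRule on the front virtual server rather than as a traffic policy. This is an added example, not part of the original thread; the host names and the backend virtual server names (`vs_app1_backend`, `vs_app2_backend`) are placeholders, and each backend virtual server is assumed to carry its own ASM policy and pool.

```tcl
# Added example: front virtual server iRule for VIP-targeting-VIP.
# Host names and virtual server names are placeholders (assumptions).
when HTTP_REQUEST {
    # Normalize the Host header: lowercase, drop an optional :port suffix.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    switch -- $host {
        "app1.example.com" {
            # Hand the request to the backend virtual server for app1
            # instead of selecting a pool directly.
            virtual vs_app1_backend
        }
        "app2.example.com" {
            virtual vs_app2_backend
        }
        default {
            # Unknown host: do not fall through to any application.
            log local0.warning "No backend virtual for host '$host' from [IP::client_addr]"
            HTTP::respond 403 content "Forbidden"
        }
    }
}
```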