Forum Discussion

Hannes_Rapp
Jan 12, 2016

ASM scenario - Shared Policy for Dozens of Virtual Servers

Hello Team,

Perhaps someone has a creative solution to my problem.

Question: What would be a good way to put an ASM Security Policy to Transparent Mode (for one Virtual Server). Consider the details below.

  • Policy is shared; it's in use for many instances of the same service (applied to multiple Virtual Servers)
  • Transparent Mode operation is temporarily required for one Virtual Server, whereas the Blocking Mode operation should remain for all the other Virtual Servers
  • Detaching the policy from a specific Virtual Server is forbidden; all logs, such as Manual Traffic Learning suggestions, must be preserved since there's a chance a Signature Update will be installed in the meantime.

I have a solution myself, but it involves a duplicate policy. Can the problem be solved without a duplicate policy, and without going the route of implementing a dedicated ASM Security Policy for every Virtual Server?

Regards,

3 Replies

  • Tzoori_Tamam_95
    Historic F5 Account

    Hi Hannes,

    I believe that currently your best option is to use ASM::unblock based on the Host header or Virtual server name.

    In the near future ASM will allow better control over such use-cases, so stay tuned :)

  • Hi Hannes,

    as already suggested by Tzoori, the ASM::unblock command can be used to selectively overwrite your "Blocking Mode" policy to "Transparent Mode". The snippet below can be used as a starting point...

    when ASM_REQUEST_DONE {
        # Only override when ASM has decided to block this request,
        # the request is for the given host, and the client is internal (RFC 1918)
        if { ( [ASM::status] eq "blocked" ) and
             ( [HTTP::host] equals "www.domain.de" ) and
            (( [IP::addr [IP::client_addr] equals 10.0.0.0/8] ) or
             ( [IP::addr [IP::client_addr] equals 172.16.0.0/12] ) or
             ( [IP::addr [IP::client_addr] equals 192.168.0.0/16] )) } then {
            # Lift the blocking action for this request; the policy itself stays in Blocking Mode
            ASM::unblock
        }
    }


    Note: Keep in mind that you have to enable the post v11.5 iRule operation mode in your ASM policy to trigger the ASM_REQUEST_DONE event.

    Cheers, Kai
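A variant of the approach above, added here as an example and not part of Kai's reply or of F5's own documentation: it keys the override on the virtual server name (Tzoori's other suggestion) instead of the Host header, and reads the list of "temporarily transparent" virtual servers from a data group, so one iRule can be attached to every virtual server that shares the policy and the set of exempted servers can be changed without editing the rule. The data group name transparent_vs_list and the virtual server path /Common/vs_shop_de are assumptions; the tmsh command in the comment shows the assumed setup.

```tcl
# Added example (not Kai's or F5's code): per-virtual-server "transparent mode"
# override for a shared ASM policy, driven by a data group.
#
# Assumed setup, created with tmsh (data group name and VS path are assumptions):
#   tmsh create ltm data-group internal transparent_vs_list type string \
#       records add { /Common/vs_shop_de { } }
#
# Attach this iRule to every virtual server that uses the shared policy.
# Only virtual servers listed in transparent_vs_list have the blocking
# action lifted; all others keep enforcing the policy unchanged, and the
# policy itself stays in Blocking Mode, so learning data is not affected.

when ASM_REQUEST_DONE {
    # Nothing to do unless ASM decided to block this request
    if { [ASM::status] ne "blocked" } {
        return
    }

    # [virtual name] returns the full path of the VS, e.g. /Common/vs_shop_de,
    # which is what the data group records must match
    set vs [virtual name]

    if { [class match $vs equals transparent_vs_list] } {
        # Override the blocking action for this request only. ASM still records
        # the request, its violations and the support ID in the request log,
        # so the event can be reviewed and learning suggestions are kept.
        ASM::unblock
        log local0.info "ASM override on $vs: unblocked host=[HTTP::host] \
            support_id=[ASM::support_id] violations=[ASM::violation names]"
    }
}
```

Keying on [virtual name] rather than [HTTP::host] matters for the security boundary: the Host header is chosen by the client, so a rule that unblocks on a Host value alone lets any client opt out of blocking by sending that value (Kai's snippet limits this by also requiring an RFC 1918 source address). The virtual server name is set by the BIG-IP configuration and cannot be influenced by the request. To return a server to Blocking Mode, remove its record from the data group; no iRule change is needed.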