Forum Discussion

Andrea_Arquint
Dec 03, 2014

cascading asm policy

Hi,

I have web servers that need more than one ASM policy because we want to have one global policy and one specific policy. Within the web UI there is a way to configure such a thing with LTM policies, but this does not actually work.

So, does someone have experience cascading ASM policies the way we want to with iRules? The goal is simply to trigger both ASM policies within an iRule, and the first match wins (meaning the request is executed or blocked)?

Thank you bb

 

2 Replies

  • According to F5 support this does not work:

    Each Web application should have its own ASM policy, where configuration is made specifically to that web application.

    The ASM policies can all be based on a basic ASM policy, and any change to a specific web application should be done in the specific ASM policy for that web application.

    The only method of getting a layered ASM policy structure is to have the LTM policy rules referring to different ASM policies in different rules, based on some condition.

    For example:

    Rule 1 - if URI starts with /site1/, send to ASM policy /site1-ASM-policy
    Rule 2 - if URI starts with /site2/, send to ASM policy /site2-ASM-policy

    Assigning 2 actions of referring to 2 different ASM policies in the same rule and the same condition is not going to work. A single request is going to match that condition, but it won't be clear which ASM policy should process that request.

    However, I am also looking for some creative solution here, as I am sure there must be some way on BIG-IP to achieve such a simple requirement.

    Andreas