Forum Discussion

Steve_Knapp's avatar
Steve_Knapp
Icon for Altostratus rankAltostratus
Sep 09, 2020

Can Irule forward request after ASM block?

Below is a snippet from an inquiry I received from our web developers. Matching on part of the URI is no problem, but what about forwarding the request even after blocked by the ASM?

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

So the iRule would have to match on:

  • Portions of the URI that indicate this is an FNOL
  • That the ASM blocked the request

Then:

  • Forward the buffered request to a specific URL

Assumptions:

  • The iRule can buffer the request so it persists beyond the ASM block. This alone may be the show-stopper as this may be a significant performance problem.
  • The iRule can send to a different location than just allowing to pass to the back end pool members

 

ASM Advanced WAF
iRules
security

2 Replies

Sort By
  • Andrew-F5's avatar
    Andrew-F5
    Icon for Employee rankEmployee
    Sep 11, 2020

    "The iRule can buffer the request so it persists beyond the ASM block. This alone may be the show-stopper as this may be a significant performance problem."

    ◘ I'm not entirely sure what you mean by this?

    "The iRule can send to a different location than just allowing to pass to the back end pool members"

    ◘ You can use a 'forward' command, redirect, etc, after the 'ASM::unblock' statement. 

    when ASM_REQUEST_DONE {
    #log local0.debug "\[ASM::status\] = [ASM::status]"
    if { [ASM::status] equals "blocked" } {
            ASM::unblock
            log local0. "Unblocked request with ID [ASM::support_id]"
            }
}

    References:

    https://clouddocs.f5.com/api/irules/ASM__status.html

    https://clouddocs.f5.com/api/irules/ASM__unblock.html