Forum Discussion

mm_pen_242283
Sep 19, 2016

F5 ASM - DoS protection and local traffic policies

Hi experts.


I successfully managed to segregate ASM policies for different FQDNs that coexist on the same VIP (using Local Traffic Policies and "Host Header" as a classifier). The default rule within the Local Traffic Policy is to disable ASM and DOS protection except for traffic destined to:

  * www.site1.com
  * www.site2.com


What is your recommendation on building tailored DOS profiles for FQDNs (that reside on same VIP)? Should each FQDN site require its own DOS and ASM policies in order to keep statistics unique for particular site? The corresponding ASM rule-set would be:


RULE1: NAME: www.site1.com
  Conditions: http-host host equals www.site1.com
  Actions: asm enable policy ASM1, l7dos enable DOS1

RULE2: NAME: www.site2.com
  Conditions: http-host host equals www.site2.com
  Actions: asm enable policy ASM2, l7dos enable DOS2

RULE3: NAME: default
  Actions: asm disable, l7dos disable


What is the DOS security policy that is to be applied on VIP (itself) in such scenario?


Thank you!!


1 Reply

  • Having a separate granular profile for each hostname is a good practice because (I assume) they are different applications with different URLs, users and usage. If one app is high-usage and another one is low you don't want to block IP addresses connecting to your low-usage application because of statistics gathered for high-usage app.


    Re: VIP-wide DOS profile. Do you really need one? Who is going to connect to your VIP if they don't have a valid hostname? If this VIP is only supposed to serve your 3 hostnames you might as well just drop all other traffic.
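As an added illustration (not part of either post), the three-rule policy from the question written out in tmsh, with the default rule changed from "asm disable, l7dos disable" to closing the connection as the reply suggests. The policy name host_asm_dos, the virtual server vs_https and the object paths ASM1/ASM2/DOS1/DOS2 are assumptions; the action syntax follows the v12+ draft-policy workflow and should be checked against the installed TMOS version.

```tmsh
# Added example, not from the original thread. Run from the BIG-IP bash
# prompt; every object name (host_asm_dos, vs_https, ASM1/ASM2, DOS1/DOS2)
# is an assumption. Verify the action syntax against your TMOS version
# before use; this follows the v12+ draft-policy workflow.

# 1. Create the draft policy. first-match evaluates rules by ordinal and
#    stops at the first match, so "default" only fires for unknown hosts.
tmsh create ltm policy Drafts/host_asm_dos \
    controls add { asm l7dos } requires add { http } strategy first-match

# 2. RULE1: www.site1.com gets its own ASM policy and DoS profile, so its
#    statistics and mitigations are not mixed with the other site's.
tmsh modify ltm policy Drafts/host_asm_dos rules add { site1 { \
    ordinal 1 \
    conditions add { 0 { http-host host values { www.site1.com } } } \
    actions add { \
        0 { asm request enable policy /Common/ASM1 } \
        1 { l7dos request enable from-profile /Common/DOS1 } } } }

# 3. RULE2: same pattern for www.site2.com.
tmsh modify ltm policy Drafts/host_asm_dos rules add { site2 { \
    ordinal 2 \
    conditions add { 0 { http-host host values { www.site2.com } } } \
    actions add { \
        0 { asm request enable policy /Common/ASM2 } \
        1 { l7dos request enable from-profile /Common/DOS2 } } } }

# 4. RULE3: no conditions, so it matches every other Host header. The
#    question disables ASM and L7 DoS here; following the reply, a VIP that
#    only serves known hostnames can close the connection instead.
tmsh modify ltm policy Drafts/host_asm_dos rules add { default { \
    ordinal 3 \
    actions add { 0 { shutdown connection } } } }

# 5. Publish the draft and attach it to the virtual server. No VIP-wide
#    DoS profile is attached; each hostname's profile comes from its rule.
tmsh publish ltm policy Drafts/host_asm_dos
tmsh modify ltm virtual vs_https policies add { host_asm_dos }
tmsh save sys config
```

Because the per-hostname DoS profiles are selected by the policy, the DoS and ASM statistics for each site stay separate, and requests with an unrecognised Host header never reach either profile.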