Randy_Toombs_35
Feb 08, 2019

Apply ASM policy through iRule

I know that I have asked questions about using iRules to apply ASM policies in the past, but I am running into some issues. Just some background: our Load Balancing team is telling us that they need to reduce the number of VIPs (Virtual Servers) being used, and their new plan is to use a single VIP for multiple apps and then use iRules to just send the traffic to the correct pool. This seems to work just fine until I get a request to add an ASM policy to protect the app.

I have set up a lab where I can test some things to learn the best way to apply these ASM policies to the multiple apps. I am running into an issue now where I get some kind of error when trying to add the ASM::enable "policy name" command to the iRule. I get this when trying to save the iRule:

requires an associated WEBSECURITY profile on the virtual-server

From what I can tell, it wants me to assign an ASM policy to the virtual server and then I am guessing I change which policy gets applied through the iRule. Is this correct or is there something else that I can do to get this working in the iRule?

My concern is that if I need to apply a default ASM policy to the Virtual Server, this will affect all the other apps that are getting directed in the iRule. Any suggestions or knowledge would be great.

2 Replies

  • nathe

    Hey,

    Have you tried manually adding a websecurity profile to the VS via tmsh?

    modify ltm virtual  profiles delete {}

    Not tested this myself but thought I'd suggest.

    N

  • Hi Randy,

    for Virtual Servers serving multiple Web Applications with dedicated ASM Policies, I'm going to assign a "DUMMY" ASM Policy (an ASM Policy which simply blocks everything).

    Then I use the iRule below to switch between different ASM Policies based on a $variable or disable ASM as needed. The $variable can be set or even be computed at the time you select the pool.

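    when HTTP_REQUEST priority 999 {
        # Runs late (priority 999) so that earlier rules can set ASM_Policy.
        if { ( [info exists ASM_Policy] )
         and ( $ASM_Policy ne "" ) } then {
            # Switch to the ASM policy named by the variable.
            ASM::enable "/Common/$ASM_Policy"
        } else {
            # No policy selected for this request: turn ASM off.
            ASM::disable
        }
        # Clear the variable so it does not carry over to the next request.
        unset -nocomplain ASM_Policy
    }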
    

    The important point is that you have to assign an ASM Policy to your Virtual Server before you can select an ASM Policy or selectively disable ASM at all. The opposite direction won't work...

    Cheers, Kai
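
A companion rule for the pool-selection side of the approach in the reply above, shown as an added example that is not part of either reply: it sets ASM_Policy at the moment the pool is chosen, so the priority 999 rule can act on it. The host names, pool names and policy names are hypothetical placeholders, and routing on the Host header is an assumption about how the apps are told apart.

```tcl
# Added example. All host, pool and policy names are hypothetical.
when HTTP_REQUEST priority 500 {
    # Normalise the Host header: lower-case it and strip any ":port" suffix.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    switch -- $host {
        "app1.example.com" {
            pool /Common/pool_app1
            set ASM_Policy "asm_app1"
        }
        "app2.example.com" {
            pool /Common/pool_app2
            set ASM_Policy "asm_app2"
        }
        "static.example.com" {
            # App with no ASM protection requested: leave ASM_Policy unset
            # so the priority 999 rule calls ASM::disable for it.
            pool /Common/pool_static
        }
        default {
            # Unknown Host header: fail closed by naming the block-all
            # "DUMMY" policy explicitly. Leaving the variable unset here
            # would make the priority 999 rule disable ASM instead.
            set ASM_Policy "asm_dummy_block_all"
        }
    }
}
```

Because the priority 999 rule treats an unset variable as "disable ASM", every branch that should stay protected has to set ASM_Policy, including the default branch.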