Forum Discussion

boneyard
Dec 06, 2013

ASM inline scanning

does anyone know if it is possible to use ASM with a general policy to scan traffic to many http servers without having to define all these as a virtual server?


with 11.4 i don't see the option to attach a policy to anything (IP forward, performance L4) except a standard virtual server.


  • I would seriously guard against doing this. What are you trying to achieve? ASM policy should be customized per application -- the broader and more 'generic' you get, the less valuable the tool becomes, and after a while it starts looking like your corporate firewall, and about as useful.


  • thanks, yeah that sounds logical. still doesn't feel like the way forward.


  • Hi Boneyard,


    You can follow Thomas' recommendations, but be careful regarding your ASM policy size. If you have many applications on the same policy, you will increase CPU load.


    Take care. Matt


  • No, you can define a wildcard virtual server on the external side (VLAN).


    But you will lose the pool selection based on your virtual server choice (you will have to use an iRule).


  • hmmm, but that would mean connecting directly to the backend IP, right? means you do lose some normal configuration.


  • To use ASM you have to define a standard virtual server with an HTTP profile.


    What you can do is define a wildcard virtual server listening on port 80, for example.


    Then you will be able to scan traffic going to your web servers.