For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

smp_86112's avatar
smp_86112
Icon for Cirrostratus rankCirrostratus
Jan 13, 2009

Virtual Server Pool versus ASM Class Pool

I'm struggling trying to understand the difference between using a pool applied to a Virtual Server versus a pool applied to an ASM class, and when I might want to use one versus the other. ...
app sec
BIG-IP Access Policy Manager (APM)
security
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Jan 14, 2009
Here is a diagram which illustrates the logical flow for requests:

 

 

 

SOL6754 - Traffic flow for ASM-enabled virtual servers (Click here)

 

 

And SOL8018 (Click here) gives a similar overview of this in text and includes some common configuration options.

 

 

The typical suggestion has been to use a pool on each HTTP class and not configure a default pool on the VIP. This ensures that all traffic must explicitly match a class in order to get through the BIG-IP. It makes it more difficult to accidentally allow traffic to slip through the classes and go to the default pool without being validated by ASM.

 

 

A common exception to this configuration would be if you wanted to use the same HTTP class and ASM web app + policy on multiple VIPs. If you wanted to reuse the same class/web app/policy, you could not configure the pool on the class, but instead use a default pool on the VIP. If you want to use any filters on the HTTP class, you should add a default class to the VIP(s) with no filters to ensure no traffic bypasses ASM.

 

 

Aaron