Forum Discussion

Sarah_258804's avatar
Jul 19, 2016

Can I link one ASM policy to two virtual servers?

And would the ASM policy be able to learn traffic from both virtual servers at the same time?

 

  • Yes you can, and yes it would. My understanding is that so long as you are working with the same application on the backside using a single policy works just fine. I am doing so for over 400 VS's.

     

  • Yes you can, and yes it would. My understanding is that so long as you are working with the same application on the backside using a single policy works just fine. I am doing so for over 400 VS's.

     

    • Sarah_258804's avatar
      Sarah_258804
      Icon for Cirrus rankCirrus

      Excellent! and yes I am using the same application on the backside with this one policy, so that is great to hear!

       

      Another follow-up question; can I have the access policy set to "Transparent" on one of the linked virtual servers and "Blocking" on the other?

       

    • John_Buchanan's avatar
      John_Buchanan
      Icon for Nimbostratus rankNimbostratus

      I don't believe so, as that is set on the policy. So if you needed that configuration you'd need to make a copy of your policy and apply the copy to the 2nd VS. Namely, export the policy, edit/change policy name and probably file name(in both the and fields I believe), and import that as a distinctly named policy. Then you'll have policy_transparent assigned to VS-A, and policy_blocking to VS-B. Run a policy diff against them every so often (interval depends on the rate of change I suppose) to incorporate elements learned from policy_transparent in to policy_blocking and vice versa, if desired.

       

  • Yes you can, and yes it would. My understanding is that so long as you are working with the same application on the backside using a single policy works just fine. I am doing so for over 400 VS's.

     

    • Sarah_258804's avatar
      Sarah_258804
      Icon for Cirrus rankCirrus

      Excellent! and yes I am using the same application on the backside with this one policy, so that is great to hear!

       

      Another follow-up question; can I have the access policy set to "Transparent" on one of the linked virtual servers and "Blocking" on the other?

       

    • John_Buchanan_1's avatar
      John_Buchanan_1
      Icon for Altocumulus rankAltocumulus

      I don't believe so, as that is set on the policy. So if you needed that configuration you'd need to make a copy of your policy and apply the copy to the 2nd VS. Namely, export the policy, edit/change policy name and probably file name(in both the and fields I believe), and import that as a distinctly named policy. Then you'll have policy_transparent assigned to VS-A, and policy_blocking to VS-B. Run a policy diff against them every so often (interval depends on the rate of change I suppose) to incorporate elements learned from policy_transparent in to policy_blocking and vice versa, if desired.