Policy Mapping and Traffic Routing
Last updated
Was this helpful?
Last updated
Was this helpful?
When L11WAAP processes incoming requests (as described in the discussion of the ), the system must perform:
Policy mapping: deciding which security rulesets are applicable to the request.
Traffic routing: If the request successfully passes through the filtering process, the system must decide how and where to route it to the protected backend.
However, other stages of processing will vary. Admins can specify different rulesets for enforcement, depending on the request's destination URL. For these stages, policy mapping is necessary.
Each Security Policy includes a list of paths (which are usually expressions, although individual URLs can be specified too). It associates each path with several rulesets:
When a request has successfully passed through traffic filtering, L11WAAP forwards it to the customer's backend, accepts the backend's response, and returns the response to the client.
When a request is processed, its destination URL is evaluated against the list of paths, to find the best match. The Backend Service associated with that path is the one to which L11WAAP will send the request, and then receive the response, and so on.
As shown in the diagram above, a fundamental component within L11WAAP is the . Generally, admins will configure a Server Group to represent a domain. Each Server Group specifies:
A , used for policy mapping.
The that is based upon.
The domain's .
During the traffic filtering process, some stages of processing (for example, ) are universal; the same rulesets are enforced upon all requests.
When a request is received, it is first matched with the appropriate Server Group. As shown above, every Server Group includes a , which is the foundation for policy mapping.
(which defines the threat signatures, content requirements, and other restrictions to enforce upon the request according to its content)
(which restrict the rates at which traffic sources can submit requests)
(which define the disposition of requests, depending on the that it received during processing)
The request's destination URL is evaluated against the list of paths, to find the best match. The rulesets associated with that path are the ones used to process the request. For more information, see the explanation of .
To do this, the system must know how to route requests to the backend. This is configured in .
Each Security Policy includes a list of paths (which are usually expressions, although individual URLs can be specified too). Each path is associated with, among other things, a .