About scan ASM VIP

Question

I get through  the software (Web Application Firewall detected by Acunetix) to scan my F5 ASM VIP (TMOS 11.3.1 HF6).
Results show that the WAF is F5 ASM. How do I set in F5 ASM, that can prevent Acunetix scanning is not ASM F5.&nbsp;

leon_li_38034 · Answer

![Image Text](/Portals/0/Users/146/34/38034/acunetix waf scan.JPG)&nbsp;

leon_li_38034 · Answer

link text&nbsp;

leon_li_38034 · Answer

scan overview image link https://devcentral.f5.com/Portals/0/Users/146/34/38034/acunetix%20waf%20scan.JPG&nbsp;

boneyard · Answer

first of all what is your exact goal? do you want to be able to scan the actual webserver without WAF? or do you want to disguise that a WAF is in front of the webserver?&nbsp;
i don't believe you can surpress the ASM cookie or rename it, so it is going to be detected.&nbsp;

yann_desmarest · Answer

Hello&nbsp;
Asm can be identified by its blocking page response or specifoc asm cookies injected. But if acunetix do like qualys, there is no real ways to hide that you are using asm as they fingerprint the tcp stack used by bigip (fingerprinting, tcp response latency,...) &nbsp;

Forum Discussion

About scan ASM VIP

5 Replies

AppWorld 2026: Save the Date and Join Our Community In Person!

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

SOLVED: sending IsCompliant, IsKnown and IsManaged via SAML (SSO)

BIG-IP methods to Fix the “421 Misdirected Request” Error

Dealing with iRule $variables for HTTP2 workload while HTTP MRF Router is enabled

Is it possible to create a Single Pool with multiple ports ?

F5 object groups in AFM

Related Content

Introducing F5 Distributed Cloud Web App Scanning

Advanced iRules: Scan

Advanced iRules: Binary Scan

Integrating WhiteHat Scans With BIG-IP ASM

OWASP Automated Threats - OAT-014 Vulnerability Scanning

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS