For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

cdjac0bsen's avatar
cdjac0bsen
Icon for Nimbostratus rankNimbostratus
Oct 09, 2017

Allow vuln scanner or pen tester access dynamically? One time code, OTP, comparison?

We would like to allow vulnerability scanners or pen testers to send requests without being blocked on an ad hoc basis without our intervention. Currently we have to add a temporary IP address except...
application delivery
ASM Advanced WAF
iRules
security
samstep's avatar
samstep
Icon for Cirrocumulus rankCirrocumulus
Oct 16, 2017

It is certainly possible to do with an iRule and a datagroup containing a list of codes (or allowed IP addresses which is much easier to implement). Lists of codes/IP Addresses are easier to manage in a datagroup rather than constantly adding/removing IP address exceptions in ASM policies.

 

you would simply use ASM:disable command if the request contains your X-SCAN-TESTING header

 

https://devcentral.f5.com/wiki/iRules.ASM__disable.ashx

 

having an iRule to connect and retrieve OTP from an external source is a bit over-engineering for such a simple problem, but it is certainly possible

 

You can also have the solution with no iRule at all and just put all the rules of header checking into the local traffic policy