Forum Discussion
ASM block page for use with API waf policy
- May 25, 2023
Also keep in mind that the ASM_REQUEST_DONE iRule event will show you the support ID even for good requests, so if you want to insert the header only when there is a violation, you can use ASM_REQUEST_BLOCKING as a replacement for ASM_REQUEST_DONE, as it will trigger only for bad requests.
I'll change the event and try again.
I had already changed the iRule setting before, so events are triggering OK.
- kimhenriksen, May 25, 2023, Cirrostratus
This here's the winner:
when ASM_REQUEST_BLOCKING {
    set support_id [ASM::support_id]
    #log local0. $support_id
    HTTP::header insert ASM $support_id
}
when HTTP_RESPONSE {
    log local0. $support_id
    HTTP::header insert ASM $support_id
    #HTTP::header insert ASM2 testtest
}
Thank you!
- kimhenriksen, May 25, 2023, Cirrostratus
When using ASM_REQUEST_DONE, the HTTP event did not fire at all. I'll try REQ_Block and see what happens.
- kimhenriksen, May 25, 2023, Cirrostratus
I'll just have to add an IF statement to check if the variable is empty or not. It seems to cause the VIP not to work if applied as I wrote it.
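Added example, not part of the original posts: the iRule from the thread with the guard described in the comment above, so HTTP_RESPONSE does not reference a variable that was never set. Clearing the variable in HTTP_REQUEST is an assumption added here so that an ID stored for an earlier request on the same connection is not reused; the header name ASM is the one used in the thread.

```tcl
when HTTP_REQUEST {
    # iRule variables live for the whole connection, so drop any
    # support ID left over from a previous request on this connection.
    unset -nocomplain support_id
}

when ASM_REQUEST_BLOCKING {
    # Fires only for requests ASM is blocking.
    set support_id [ASM::support_id]
    HTTP::header insert ASM $support_id
}

when HTTP_RESPONSE {
    # Reading an unset variable raises a Tcl error in the iRule,
    # so check that it exists and is non-empty before using it.
    if { [info exists support_id] && $support_id ne "" } {
        log local0. "ASM support ID: $support_id"
        HTTP::header insert ASM $support_id
    }
}
```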
- kimhenriksen, May 26, 2023, Cirrostratus
Just an update from me. I found a much, much simpler way to accomplish this.
In the settings for the policy, under response and blocking pages, I edited and created a new header and just used the support ID variable from the page in the header, and that worked like a charm. No iRules to apply or anything. 😄
- c27705074, Nov 13, 2023, Altostratus
Hi kimhenriksen
I'm new to ASM and currently having the same issue. I'd like to edit the blocking response page to give the client a negative response instead of the 200K status without using an iRule. Please can you share the HTML you used? Thank you in advance.
- kimhenriksen, Nov 13, 2023, Cirrostratus
You can accomplish that in the ASM policy settings. Let me check and get back to you. We set up like a 599 Blocked (not HTTP standard, I know, but it works). And also added the support ID as a response header.