Forum Discussion

Rafi1

Cirrus

Feb 17, 2022

ASM custom response page add additional information

Hi,

I saw simikar question but unfortunately the answer was not clear enough,

I'am using custom resoponse page for ASM deny query, inside the custom response I send the client th support ID

using <%TS.request.ID()%>, can I add to the custom reponse page the blocke url and client source IP ?

I'am usuing ASM version 15.1.5

Regards

Rafi

security

Sebastiansierra
Feb 17, 2022
Hi,
You need to follow the next steps:
Make sure that "Trigger ASM iRule Events" option is enabled in the policy properties.
Navigate to Security ›› Application Security : Policy : Policy Properties.
Change to the correct "Current edited security policy"
Create an iRule with content similar to the following (add/delete fields as needed):

when HTTP_REQUEST {
# Other HTTP values can be added here
set requri "http://[HTTP::host][HTTP::uri]"
}
when ASM_REQUEST_DONE {
set asm_support_id [ASM::support_id]
}

when ASM_REQUEST_BLOCKING {

HTTP::header remove Content-Length
HTTP::header insert header_1 value_1
set client_ip [IP::client_addr]

set response "<html>
<head>
<title>Request Rejected</title>
</head>
<body>
The requested URL was rejected. Please consult with your administrator. 
Your support ID is: $asm_support_id <a href='javascript&colon;history.back();'>Go Back</a> 
Your URL is: $requri 
Your client IP is: $client_ip

</body>
</html>"
ASM::payload replace 0 [ASM::payload length] ""
ASM::payload replace 0 0 $response

}

You can reference to this link: https://support.f5.com/csp/article/K22017023
Rafi1
Feb 22, 2022
Hi Sebastiansierra,
Thank you very much,
Attached my irule for other to use
when HTTP_REQUEST {
# Other HTTP values can be added here
set requri "https://[HTTP::host][HTTP::uri]"
}
when ASM_REQUEST_DONE {
set asm_support_id [ASM::support_id]
}
when ASM_REQUEST_BLOCKING {

HTTP::header remove Content-Length
HTTP::header insert header_1 value_1
set client_ip [IP::client_addr]
set response "<html>
<head>
<title>Request Rejected</title>
</head>
<body>

<img src='https://xxx.domain.zz/files/2018/01/F5_Logo_700x80.gif' border='1' alt='Organization' width='700' height='80'> ### Web page with company logo ###


The page was blocked for what seems to be a technical issue. 
Please click the following link to notify ## link to notify IT Team by mail, the mail will include support is, src ip, suspicious link##
<a href='mailto:mail@domain?subject=support ID is: $asm_support_id&body=The%20page%20was%20blocked%20for%20what%20seems%20to%20be%20a%20technical%20issue%0A%0ASuspicious URL: $requri%0ASource IP: $client_ip%0ASupport ID: $asm_support_id'();>IT Team</a> 
Your support ID : $asm_support_id 
Suspicious URL: $requri 
Source IP : $client_ip 
Thank you IT Team
</body>
</html>"
ASM::payload replace 0 [ASM::payload length] ""
ASM::payload replace 0 0 $response

}

Sebastiansierra
MVP
Feb 17, 2022
Hi,
You need to follow the next steps:
Make sure that "Trigger ASM iRule Events" option is enabled in the policy properties.
Navigate to Security ›› Application Security : Policy : Policy Properties.
Change to the correct "Current edited security policy"
Create an iRule with content similar to the following (add/delete fields as needed):

when HTTP_REQUEST {
# Other HTTP values can be added here
set requri "http://[HTTP::host][HTTP::uri]"
}
when ASM_REQUEST_DONE {
set asm_support_id [ASM::support_id]
}

when ASM_REQUEST_BLOCKING {

HTTP::header remove Content-Length
HTTP::header insert header_1 value_1
set client_ip [IP::client_addr]

set response "<html>
<head>
<title>Request Rejected</title>
</head>
<body>
The requested URL was rejected. Please consult with your administrator. 
Your support ID is: $asm_support_id <a href='javascript&colon;history.back();'>Go Back</a> 
Your URL is: $requri 
Your client IP is: $client_ip

</body>
</html>"
ASM::payload replace 0 [ASM::payload length] ""
ASM::payload replace 0 0 $response

}

You can reference to this link: https://support.f5.com/csp/article/K22017023
- Rafi1
 Cirrus
 Feb 20, 2022
 Hi,
 Thank you for your response,
 I tried to configured it from GUI security->application security-> security policies-> policy list-><policy name>->response page
 So irule is the only way ?
 Regards
 Rafi
Sebastiansierra
MVP
Feb 21, 2022
Hi,
I think that yes, the only way is using an irule because you need to store the headers that you want to print when the event is triggered using.The custom response page only enables printing an HTML.
- Rafi1
 Cirrus
 Feb 21, 2022
 Hi,
 I am using version 15.1.5, and configured the security policy with trigger ASM irule events mode
 My final goal is to acheive response page with:
 1. my logo (taken from web page)
 2. support ID
 3.The abiltiy to send mail with all details above
 This the the current custom block page Iam using, and i want to add the problematic url & path
 
 <!DOCTYPE html>
 <html>
 
 <html><head><title>Request Rejected</title></head><body>
 
 <img src="https://site.domain.com/files/2018/01/F5_Logo_700x80.gif" border="1" alt="xxxx" width="700" height="80">
 
 
 The page was blocked for what seems to be a technical issue. Please click the following link to notify <a href="mailto:mail.domain?subject=support ID is: <%TS.request.ID()%>">
 Web Support</a> and make sure to include the affected URL Your support ID is: <%TS.request.ID()%></body></html> Thank you Web Support
 
 </body>
 </html>
 Can you help to do the adjusment?
 Regards
 Rafi
 - Rafi1
 Cirrus
 Feb 22, 2022
 Hi Sebastiansierra,
 Thank you very much,
 Attached my irule for other to use
 when HTTP_REQUEST {
 # Other HTTP values can be added here
 set requri "https://[HTTP::host][HTTP::uri]"
 }
 when ASM_REQUEST_DONE {
 set asm_support_id [ASM::support_id]
 }
 when ASM_REQUEST_BLOCKING {
 
 HTTP::header remove Content-Length
 HTTP::header insert header_1 value_1
 set client_ip [IP::client_addr]
 set response "<html>
 <head>
 <title>Request Rejected</title>
 </head>
 <body>
 
 <img src='https://xxx.domain.zz/files/2018/01/F5_Logo_700x80.gif' border='1' alt='Organization' width='700' height='80'> ### Web page with company logo ###
 
 
 The page was blocked for what seems to be a technical issue. 
 Please click the following link to notify ## link to notify IT Team by mail, the mail will include support is, src ip, suspicious link##
 <a href='mailto:mail@domain?subject=support ID is: $asm_support_id&body=The%20page%20was%20blocked%20for%20what%20seems%20to%20be%20a%20technical%20issue%0A%0ASuspicious URL: $requri%0ASource IP: $client_ip%0ASupport ID: $asm_support_id'();>IT Team</a> 
 Your support ID : $asm_support_id 
 Suspicious URL: $requri 
 Source IP : $client_ip 
 Thank you IT Team
 </body>
 </html>"
 ASM::payload replace 0 [ASM::payload length] ""
 ASM::payload replace 0 0 $response
 
 }

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

ASM custom response page add additional information

Recent Discussions

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

F5 Health Monitor Receive String as JSON

Cloudflare True-Client-IP as Persistence

Get actual client ips in splunk

Related Content

Introduction of Incident Response

Help with iRule to mask/hide User Personal Information in HTTP Response

custom response page for api

Logging of DNS Requests and Responses without a DNS license

Find CVE information on AskF5

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS