Forum Discussion
ASM disable and log requests
Hello,
After I disabled ASM by iRule (ASM::disable), should I still see requests under "Event Logs --> Application --> Requests"? I built an iRule that recognizes a specific URL path and disables ASM for those URLs, but unfortunately I still see requests under Event Logs (the ASM policy is still in transparent mode, so I can't know whether this iRule has an effect or not). Is it normal to see those requests even though I configured this iRule, or does my iRule have no effect at all?
Thanks, Tomer.
9 Replies
- IainThomson85_1
Cumulonimbus
I'm not overly familiar with that event status; however, thinking logically, the F5 may process the request to the ASM portion before the iRule has a chance to kick in.
- AaronJB
Ret. Employee
I just tested this on 12.0 with a fairly basic configuration; HTTP VS, Log All Requests logging profile attached, ASM policy set to block for the 'curl' user agent and a test request.
Once I added the iRule my request was no longer blocked and I no longer saw a log entry in the logging profile.
Your test implies the request is, indeed, being processed via the ASM module. What iRule event are you using ASM::disable in? I tested with HTTP_REQUEST.
- sys-team_172267
Nimbostratus
Thank you guys for your help, this is my iRule:

```tcl
when ASM_REQUEST_DONE {
    set x [ASM::violation_data]
    if { ([lindex $x 0] contains "VIOLATION_CHAR_CONV") && ([HTTP::path] equals "/request") } {
        log local0. "VIOLATION_CHAR_CONV detected"
        ASM::disable
    }
}
```

Unfortunately, I still see the requests log. I am sure that the iRule works because I also get the log entry from `log local0. "VIOLATION_CHAR_CONV detected"`.
Thank you.
- AaronJB
Ret. Employee
The problem you have here is that ASM_REQUEST_DONE is too late in the process to disable ASM; it has already processed the request and made the decision not to send it on to the origin web server. If the end game is granular control of the blocking mask on a per-URL basis then I think the best route forward would be separate policies and use the Local Traffic Policy to direct traffic to one or the other.
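Added example, not part of any reply in the thread: an iRule that makes the exemption in HTTP_REQUEST, the event AaronJB reports testing with, so the decision is taken before ASM has handled the request. The policy name `/Common/example_asm_policy` is a placeholder, and the re-enable branch assumes the `ASM::enable <policy>` form available in v11.4 and later.

```tcl
when HTTP_REQUEST {
    # HTTP::path excludes the query string. An exact match keeps the
    # exemption to one path; starts_with or contains would exempt more.
    if { [HTTP::path] equals "/request" } {
        # Record every bypass so that exempted traffic stays auditable
        # even though it no longer appears in the ASM request log.
        log local0.info "ASM bypass: [IP::client_addr] [HTTP::method] [HTTP::host][HTTP::path]"
        ASM::disable
    } else {
        # ASM::disable applies to the connection, so re-enable ASM for
        # other requests arriving on the same keep-alive connection.
        # Placeholder policy name (assumption): replace with your own.
        ASM::enable /Common/example_asm_policy
    }
}
```

With the policy in transparent mode nothing is blocked either way, so the check that the exemption took effect is that requests to the exempted path stop appearing under the ASM request log while the `local0` bypass entries appear in their place.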
- Jinshu
Cirrus
You can create a policy in the LTM and autopolicy for the respective VIP without any iRule. It will work. Please let me know if you need any additional details.
- Jinshu
Cirrus
Hi Mate,
You can block the ASM check in two different ways: either do it via an iRule or through the GUI (LTM policy).
If you prefer an iRule, try the one below.

```tcl
when HTTP_CLASS_SELECTED {
    ASM::enable
    if { [HTTP::uri] starts_with "/uri" } {
        ASM::disable
    }
}
```

Your iRule is working, but you have allowed ASM to create a violation, and that's why it is notifying you as an event.
If you prefer LTM policy, remove the Irule and configure policy as mentioned below.
Local Traffic > Policies > asm_l7_policy_whatever.website.com > under Rules click on Add, give it a name, like policy_whitelist, operand: http-uri (leave rest of fields default) > condition: choose equals/contains/etc, value = your URI, click Add, then click the Add further down where operand/event/etc is located. In the Actions area, target > asm, action > disable. Click Add where target/event/etc are, and Finished. Then, once back at the main policy page, do a re-order and move the policy_whitelist you created above default, so it will disable on the URI string prior to hitting the default ASM enable. Once you have done this once or twice, it's pretty simple and can be used a lot.
Hope this helps.