For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

sys-team_172267's avatar
sys-team_172267
Icon for Nimbostratus rankNimbostratus
Jun 27, 2016

ASM disable and log requests

Hello,   After i disabled ASM by iRule (ASM::disable) i still should see requests under "Event Logs-->Application-->Requests? i build iRule that recognized specific URL path and disabled ASM for t...
ASM Advanced WAF
devops
LTM
security
Aaron_Brailsfor's avatar
Aaron_Brailsfor
Historic F5 Account
Jun 27, 2016

I just tested this on 12.0 with a fairly basic configuration; HTTP VS, Log All Requests logging profile attached, ASM policy set to block for the 'curl' user agent and a test request.

 

Once I added the iRule my request was no longer blocked and I no longer saw a log entry in the logging profile.

 

Your test implies the request is, indeed, being processed via the ASM module. What iRule event are you using ASM::disable in? I tested with HTTP_REQUEST.

 

Aaron_Brailsfor's avatar
Aaron_Brailsfor
Historic F5 Account
Jul 04, 2016
The problem you have here is that ASM_REQUEST_DONE is too late in the process to disable ASM; it has already processed the request and made the decision not to send it on to the origin web server. If the end game is granular control of the blocking mask on a per-URL basis then I think the best route forward would be separate policies and use the Local Traffic Policy to direct traffic to one or the other.