Forum Discussion

Kuldeep22
Jun 27, 2024

ASM-legitimate traffic

I'm new to ASM, and I have a security policy that's causing blocking of my legitimate traffic. How can I resolve this issue?

3 Replies

  • Hi,
    You need to let your ASM policy get a sufficient period of learning to avoid most false positives or blocking of legitimate traffic.

    Please have a look at this article: https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-12-1-0/23.html

    Also, I recommend these AWAF demos from F5: https://youtube.com/playlist?list=PLZmbPz-KgDtgJLfsdLmSHIXyv0TlQ-CJj

    They will enhance your skills in AWAF by showing you most of the AWAF use cases and how to implement them.

    • bravo1

      To resolve issues with your Application Security Manager (ASM) blocking legitimate traffic, follow these steps:

      1. Identify the False Positives:
        • Check Logs: Look at the ASM logs to identify the requests that are being blocked. This will help you understand what legitimate traffic is being blocked and why.
        • Review Alerts: Analyze the alerts and logs to see the specific violations that are triggering the blocks.
      2. Tune the Security Policy:
        • Adjust Policy Settings: Based on the logs, adjust the security policy settings to be less restrictive for the specific legitimate traffic.
        • Create Exceptions: If certain types of requests are repeatedly flagged but are legitimate, consider creating exceptions or relaxations in the policy for those requests.
        • Whitelist IPs: If specific IP addresses are known to be legitimate, you can whitelist them to prevent blocking.
      3. Update Signatures and Rules:
        • Update Signatures: Ensure that your ASM signatures and rules are up-to-date. Sometimes, outdated signatures can lead to false positives.
        • Custom Rules: Create custom rules that better match your specific application's behavior.
      4. Learn Traffic Patterns:
        • Traffic Learning: Use the traffic learning feature in ASM to automatically suggest policy adjustments based on observed traffic patterns.
        • Manual Learning: Manually review and approve suggested changes to ensure they align with your security needs and traffic patterns.
      5. Test and Validate:
        • Test Changes: After making adjustments, test the changes in a controlled environment to ensure they do not introduce new issues.
        • Monitor: Continuously monitor the logs and traffic to verify that the adjustments are effective and do not inadvertently block legitimate traffic.
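      As an added example (not part of bravo1's answer and not an F5 tool), here is a small Python triage script for step 1, "Check Logs": it parses ASM remote-logging events in the comma-separated key="value" layout and groups the blocked requests by violation and signature name, so repeated blocks on the same kind of legitimate URI stand out as false-positive candidates, and it keeps the support IDs you would look up in the event log. The sample log lines are constructed, and the field names used (request_status, violations, sig_names, support_id, uri) are assumed to match the logging profile in use; adjust them to your own profile's format.

```python
import re
from collections import defaultdict

# Constructed sample events in the comma-separated key="value" layout that an
# ASM remote logging profile commonly emits. Hostnames, IPs, support IDs and
# signature names are made up for this example.
SAMPLE_LOG = r'''
unit_hostname="bigip1.example.test",policy_name="/Common/shop_policy",violations="Attack signature detected",support_id="1234567890123456789",request_status="blocked",ip_client="203.0.113.10",method="POST",uri="/search",sig_ids="200000098",sig_names="SQL-INJ expressions like \"or 1=1\" (1)",severity="Error",request="POST /search HTTP/1.1\r\nHost: shop.example.test\r\n\r\nq=select%20one"
unit_hostname="bigip1.example.test",policy_name="/Common/shop_policy",violations="Illegal file type",support_id="1234567890123456790",request_status="blocked",ip_client="203.0.113.11",method="GET",uri="/reports/q2.xlsx",sig_ids="",sig_names="",severity="Error",request="GET /reports/q2.xlsx HTTP/1.1\r\nHost: shop.example.test\r\n\r\n"
unit_hostname="bigip1.example.test",policy_name="/Common/shop_policy",violations="Illegal file type",support_id="1234567890123456791",request_status="blocked",ip_client="203.0.113.12",method="GET",uri="/reports/q1.xlsx",sig_ids="",sig_names="",severity="Error",request="GET /reports/q1.xlsx HTTP/1.1\r\nHost: shop.example.test\r\n\r\n"
unit_hostname="bigip1.example.test",policy_name="/Common/shop_policy",violations="Attack signature detected",support_id="1234567890123456792",request_status="alerted",ip_client="198.51.100.7",method="GET",uri="/",sig_ids="200101234",sig_names="XSS script tag (Parameter)",severity="Warning",request="GET /?q=%3Cscript%3E HTTP/1.1\r\nHost: shop.example.test\r\n\r\n"
'''

# key="value" pairs; the value may contain backslash-escaped quotes and the
# raw request (with literal \r\n sequences), so commas inside quotes are safe.
FIELD_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_event(line):
    """Return one ASM event as a dict of field -> value (escaped quotes unwrapped)."""
    return {key: value.replace('\\"', '"') for key, value in FIELD_RE.findall(line)}


def parse_log(text):
    """Parse every non-empty line of a remote-logging export into event dicts."""
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def blocked_summary(events):
    """Group blocked events by (violation, signature names).

    Each group records how often it fired, which URIs it hit and the support IDs,
    which is what you search for in the ASM event log to see the full request.
    Alerted (transparent) events are skipped: they did not block anything.
    """
    groups = defaultdict(lambda: {"count": 0, "uris": set(), "support_ids": []})
    for event in events:
        if event.get("request_status") != "blocked":
            continue
        key = (event.get("violations", ""), event.get("sig_names", ""))
        group = groups[key]
        group["count"] += 1
        group["uris"].add(event.get("uri", ""))
        group["support_ids"].append(event.get("support_id", ""))
    return dict(groups)


def report(summary):
    """Render the summary, most frequent block reason first."""
    lines = []
    for (violation, sig_names), group in sorted(
        summary.items(), key=lambda item: item[1]["count"], reverse=True
    ):
        label = violation if not sig_names else f"{violation} [{sig_names}]"
        lines.append(f"{group['count']:>4}  {label}")
        lines.append(f"      uris: {', '.join(sorted(group['uris']))}")
        lines.append(f"      support_ids: {', '.join(group['support_ids'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(blocked_summary(parse_log(SAMPLE_LOG))))
```

      Run it against an export of your remote log (replace SAMPLE_LOG with the file contents) and start with the groups that fire most often on URIs you know are legitimate; the support ID takes you to the exact request and the violation name tells you which part of the policy (signature set, file types, parameters) needs the adjustment described in step 2.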
  • Learning for sure is a good way to prevent this if you have the environment for it.

    When you now have something blocked which shouldn't be blocked, you have to find the configuration that causes the block and change that. Where and how exactly differs from block reason to block reason, so can you share the message associated with the block in the ASM logs?

    Which TMOS version are you running?

    Also be sure to check with other employees working on this and have a chat with your F5 partner (or watch the demos pointed out in the other post); getting ASM explained will help a lot more than trying to find out everything yourself in production.