NimbostratusASM not blocking
Hi all- I've been out of the loop using F5 for a couple of years and just coming back to it. I'm having a problem with ASM/AWAF working properly.
I have a virtual server pointing to a single node running Apache. When I hit the virtual IP that works fine. I've attached an ASM/AWAF security policy to that server.
Enforcement mode = Blocking
Policy Building Learning mode = Manual
I've included every attack signature group to the policy and moved all signatures out of staging to Enforced. I'm trying to get any signature to fire at this point. Any easy one should be to trigger 200010468 ("/etc/passwd" access URI) or 200010156 ("passwd.txt" access). When requesting either URI, ASM is allowing the requests through. Looking at the log for one of the requests, I can see that it does trigger the /etc/passwd signature, but apparently is still in staging:
Decoded Request
Request actual size: 85 bytes
GET /etc/passwd HTTP/1.1 Host: 192.168.5.5 User-Agent: curl/7.64.0 Accept: */*
Response
Response logging was disabled
Violation Details
Attack signature detected [2]
| Detected Keyword | /etc/passwd |
| Attack Signature | "/etc/passwd" access (URI) |
| Context | URL |
| Actual URL | /etc/passwd |
| Wildcard URL | * - Staging |
| Applied Blocking Settings | Staging |
Am I missing a setting somewhere? This is the status for that particular signature in my security policy:
"/etc/passwd" access (URI) 200010468 Enforced
