Forum Discussion

Festus_50639
Jan 10, 2011

ASM_REQUEST_BLOCKING and email notification

I am trying to send an email notification directly from the ASM when the blocking response page is presented.



There is a post similar to this which I now cannot find, but it seemed geared more towards sending an SNMP trap rather than sending an email notification.



Background and setup info -

- BIG-IP version: 10.2.0 HF2
- ASM SMTP Options configured
- Using ASM Security policy with "Trigger ASM iRule Event" checked.
- ASM iRule assigned as a Virtual Server resource
- ASM iRule name: ASM_iRule_app1
- ASM iRule content:

log local0. "ASM_BLOCK_app1 - Request for Support ID: has been blocked"





-/config/user_alert.conf entry information:



alert ASM_BLOCK_app1 "ASM_BLOCK_APP1" {






body="The ASM Blocking response page was just presented for an app1page request"





Questions -



1. Is an "snmptrap OID=" line required in the user_alert.conf file for each alert created? Based on the Solutions articles I've found, that appears to be the case. (I would like to send an email alert without creating an snmptrap message.)



2. How can I add the SupportID to both the /var/log/ltm entry and the email that is sent by the alert daemon? (My thought is that I can add " ." to the end of the "body" line in the user_alert.conf entry.)



3. Has anyone successfully implemented something similar?



4. Does anyone know if this has been requested as a feature in a future release so that email notifications can be configured from the web UI when the blocking response page is presented?






1 Reply

  • First of all, ASM SMTP Options in 10.2 are for something else: the new scheduled reports feature (Application Security/Reporting/Charts/Chart Scheduler).

    To configure e-mail sending you need to enable the postfix service as described in SOL7365.

    To answer your questions:

    1) You do need an OID; just use a custom one, as per SOL3727, for example: .

    Here is what should be in your user_alert.conf:

    snmptrap OID=".";
    email toaddress=""
     body="ASM Block"

    2. You can get the SupportID from [ASM::violation_data] (see documentation here:

    So, your iRule should look like this:

    log local0. "SupportID: [lindex [ASM::violation_data] 1]"

    3. I tried it and it worked for me, and you get the SupportID in both /var/log/ltm and the SNMP trap (and the email notification).

    4. I think getting the BIG-IP box to send an e-mail on each ASM block can be considered overkill (and possibly a performance hog). If your site gets attacked by a bunch of PCs running trojans (most frequent attacks these days), your BIG-IP will be very busy sending thousands of e-mails whilst trying to block the attacks, load balance requests, do SSL decryption, decompression and all the other good stuff BIG-IP does ...

    You can always send logs to a remote syslog server which will send e-mail alerts (for example, free Kiwi syslog will do that).

    By all means you can put in a feature request via F5 support to make this configurable in WebGUI.
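
The remote-syslog approach from the reply, sketched as an added example that is not part of the thread or of any F5 tooling: it groups forwarded "SupportID:" log lines into one digest e-mail per host per time window, so a flood of blocks does not become a flood of mail. The host name, addresses, log line layout and function names are assumptions made for illustration.

```python
import re
from collections import defaultdict
from email.message import EmailMessage

# Constructed sample of what a remote syslog server might receive (not real logs).
SAMPLE = [
    "Jan 10 14:03:07 bigip1 tmm[1234]: Rule ASM_iRule_app1: SupportID: 1001",
    "Jan 10 14:03:09 bigip1 tmm[1234]: Rule ASM_iRule_app1: SupportID: 1002",
    "Jan 10 14:04:59 bigip1 tmm[1234]: Rule ASM_iRule_app1: SupportID: 1003",
    "Jan 10 14:05:01 bigip1 tmm[1234]: Rule ASM_iRule_app1: SupportID: 1004",
    "Jan 10 14:05:02 bigip1 sshd[99]: unrelated line without a support id",
]

TS_RE = re.compile(r"^(\w{3}\s+\d+)\s+(\d+):(\d+):(\d+)\s+(\S+)")
SUPPORT_ID_RE = re.compile(r"SupportID:\s*(\S+)")  # text logged by the iRule

def parse_line(line):
    """Return (day, seconds_of_day, host, support_id), or None for other lines."""
    ts, sid = TS_RE.match(line), SUPPORT_ID_RE.search(line)
    if not ts or not sid:
        return None
    h, m, s = (int(x) for x in ts.group(2, 3, 4))
    return ts.group(1), h * 3600 + m * 60 + s, ts.group(5), sid.group(1)

def build_digests(lines, window=300, max_ids=20,
                  sender="asm-alerts@example.com", recipient="soc@example.com"):
    """One message per host per time window instead of one per blocked request."""
    buckets = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event:
            day, secs, host, sid = event
            buckets[(host, day, secs // window)].append(sid)
    digests = []
    for (host, _day, _slot), ids in sorted(buckets.items()):
        msg = EmailMessage()
        msg["From"], msg["To"] = sender, recipient
        msg["Subject"] = f"ASM blocks on {host}: {len(ids)} in {window}s window"
        body = "\n".join(f"SupportID: {sid}" for sid in ids[:max_ids])
        if len(ids) > max_ids:  # cap body size during a flood
            body += f"\n... {len(ids) - max_ids} more not listed"
        msg.set_content(body)
        digests.append(msg)
    return digests

if __name__ == "__main__":
    for digest in build_digests(SAMPLE):
        print(digest["Subject"])
```

Each returned message can be handed to `smtplib.SMTP.send_message` on the syslog host, which keeps mail delivery off the BIG-IP itself.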