
Zdenda
Oct 01, 2018

ASM Rest API - set "Evasion technique detected" to Block

Hi, version 12.1.3.

How can I set blocking-setting for (for example) "Evasion technique detected" to Block? I know how to operate with each vulnerability, but how do I operate with the whole section? The API seems to have no endpoint for that.

GUI:

API Data:

testPico = get /asm/policies/{}/blocking-settings?$expand=evasionReference

As seen in the picture, I get details about each vulnerability, but not about the global param such as "Learn, Alarm, Block".

Where can I operate with the global setting, as highlighted in the picture above, through the REST API?

Thanks a lot, Zdenek

2 Replies

  • I just tried

    /asm/policies/{}/blocking-settings/evasions
    where {} is the policy ID, and the result is the same. I just cannot see anything related to learn/alarm/block for all of the vulnerabilities under the evasion technique.

  • To access these settings use the path "/mgmt/tm/asm/policies/{{POLICY_ID}}/blocking-settings/violations/{{VIOLATION_ID}}"

    Example:

    
     curl -sku admin:admin https://10.3.155.123/mgmt/tm/asm/policies/KXOU5u4TlCMnB6V2U6qm2w/blocking-settings/violations/qaEsdg5TVAbReo1-krgchw | jq .
    
    {
      "lastUpdateMicros": 1539194657000000,
      "description": "Evasion technique detected",
      "selfLink": "https://localhost/mgmt/tm/asm/policies/KXOU5u4TlCMnB6V2U6qm2w/blocking-settings/violations/qaEsdg5TVAbReo1-krgchw?ver=12.1.3",
      "kind": "tm:asm:policies:blocking-settings:violations:violationstate",
      "violationReference": {
        "link": "https://localhost/mgmt/tm/asm/violations/0VXh4FseZsuj0NmAZGNClw?ver=12.1.3"
      },
      "id": "qaEsdg5TVAbReo1-krgchw",
      "alarm": true,
      "block": true,
      "learn": true
    }
    
    

    You can then patch this to set the block setting to 'true' or 'false' as desired.

    
     curl -sku admin:admin -X PATCH https://${bigip_mgmt}/mgmt/tm/asm/policies/KXOU5u4TlCMnB6V2U6qm2w/blocking-settings/violations/qaEsdg5TVAbReo1-krgchw -d '{ "block": false }' | jq .
    
    {
      "lastUpdateMicros": 1539194685000000,
      "description": "Evasion technique detected",
      "selfLink": "https://localhost/mgmt/tm/asm/policies/KXOU5u4TlCMnB6V2U6qm2w/blocking-settings/violations/qaEsdg5TVAbReo1-krgchw?ver=12.1.3",
      "kind": "tm:asm:policies:blocking-settings:violations:violationstate",
      "violationReference": {
        "link": "https://localhost/mgmt/tm/asm/violations/0VXh4FseZsuj0NmAZGNClw?ver=12.1.3"
      },
      "id": "qaEsdg5TVAbReo1-krgchw",
      "alarm": true,
      "block": false,
      "learn": true
    }
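
Finding the violation ID by its description and preparing the PATCH shown above, as an added example (not from the thread or from F5). It assumes the parent collection `.../blocking-settings/violations` returns its entries under an `items` key; the function names and the second sample entry are hypothetical.

```python
import json

BASE = "/mgmt/tm/asm/policies/{policy}/blocking-settings/violations"
FLAGS = ("learn", "alarm", "block")

# Constructed sample. The two IDs in the first item and in the demo come from
# the answer above; the "items" wrapper and the second entry are assumptions.
SAMPLE = {"items": [
    {"id": "qaEsdg5TVAbReo1-krgchw", "description": "Evasion technique detected",
     "learn": True, "alarm": True, "block": False},
    {"id": "CONSTRUCTED-ID-0001", "description": "Constructed sample violation",
     "learn": True, "alarm": True, "block": True},
]}

def find_violation(collection, description):
    """Return the one violation state whose description matches exactly."""
    hits = [v for v in collection.get("items", [])
            if v.get("description") == description]
    if len(hits) != 1:
        raise LookupError(f"{description!r}: expected 1 match, got {len(hits)}")
    return hits[0]

def plan_patch(policy_id, violation, **wanted):
    """Return (path, JSON body) changing only flags that differ, else None."""
    unknown = set(wanted) - set(FLAGS)
    if unknown:
        raise ValueError(f"unsupported flag(s): {sorted(unknown)}")
    if not all(isinstance(v, bool) for v in wanted.values()):
        raise TypeError("flag values must be booleans, not strings")
    delta = {k: v for k, v in wanted.items() if violation.get(k) is not v}
    if not delta:
        return None
    path = BASE.format(policy=policy_id) + "/" + violation["id"]
    return path, json.dumps(delta, sort_keys=True)

def confirm(response, **wanted):
    """True only if the PATCH response reflects every requested flag."""
    return all(response.get(k) is v for k, v in wanted.items())

def not_blocking(collection):
    """Audit helper: descriptions of violations whose block flag is off."""
    return sorted(v["description"] for v in collection.get("items", [])
                  if not v.get("block"))

if __name__ == "__main__":
    v = find_violation(SAMPLE, "Evasion technique detected")
    print(plan_patch("KXOU5u4TlCMnB6V2U6qm2w", v, block=True))
    print(not_blocking(SAMPLE))
```

The returned path and body go to `curl -X PATCH ... -d` as in the answer; pass the JSON that comes back to `confirm` so a silently ignored change is caught.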