Forum Discussion

Rahul_More
Feb 03, 2021

ASM security policy configuration auto changed

Hi Guys,

We have BIG-IP ASM in our environment, which is loaded with 111 security policies. Out of all of them, the configuration of 101 policies got changed suddenly, and each policy now has its learning and blocking settings as Blocking > Automatic > Real-time > Medium > 7 days.

Our policy template got removed, and the Fundamental template was set on all security policies.

Due to this sudden system change, multiple applications were impacted. Workaround: policies were disabled for all impacted websites temporarily until we get the root cause and a permanent fix.

In the audit log, I found one common element type, "UCS configuration load", for the impacted policies (attached).

Kindly assist if I can restore the ASM configuration back to make all sites work with our custom template.

  • Yes, that would very much be my advice. It doesn't feel right, you want to know why, but at some point that becomes more unlikely and the best thing is to just move forward.

  • Hey Guys,

    Could you please help me with this? Let me know if specific logs are needed.

    Regards,

    Rahul

  • Hello Rahul,

    Do you have CMI/HA configured for these BIG-IPs?

    Based on the provided audit log, I can make an assumption that the configuration of the BIG-IP was recently restored from some UCS, but the reason for that is not clear to me.

    It cannot be related to any Learning actions. A policy template can be removed only manually or via loading a UCS without it (which most probably happened in your case).

    Thanks, Ivan

    • Rahul_More

      Hello Ivan,

      Yes, these devices have HA configured as Active and Standby. I have also raised a case with F5 support and shared the QKview reports of both the active and standby devices, but they couldn't see logs from before 15th Jan 2021.

      And as per the current log history, they cannot confirm the root cause of this issue. Hence, the cause is still unknown.

      You are correct. The UCS backup is dated 15th Jan 2021, and there is no earlier backup file on the device.

      Regards,

      Rahul

  • Too late now, but next time contact support; this is the kind of thing you want to have someone look at as quickly as possible and not wait on replies from a forum.

  • Hello Boneyard,

    Thanks for the suggestion. I already have a case open with F5 support, but I have received no root-cause update from them, as they don't see the logs showing why this happened, removed the user-defined template from the device, and assigned the "Fundamental" template to all affected policies.

    To verify, I uploaded the same template again, created a test policy by selecting the same custom template for it, and then deleted the template manually. The result was "None".

    That means it did not happen due to the policy template being deleted. This was something else, but I am not sure what.

    Please guide me in case there are any other possibilities.

    Regards,

    Rahul

    • boneyard

      If there are no logs, then it isn't possible to determine a cause with any certainty; it will remain a guess.

      • boneyard

        I don't understand what exactly you are now asking.

        If F5 support, with access to your system, can't tell you, the chance is very small that someone here can.

        So what are you looking for now?