Hi Guys, We have BIG-IP ASM in our environment which is loaded with 111 security policies, Out of all 101 policies configuration got changed suddenly and each policy is having learning and blocking settings as Blocking >Automatic > Real-time> Medium > 7 days. Our policy template got removed and set as Fundamental template to all security policies. Due to system sudden change multiple application were impacted. Work around - policies were disabled for all impacted websites temporarily until get the root cause and permanent fix. In audit log, I found one common element type "UCS configuration load" for the impacted policies (attached). Kindly assist if I can restore the ASM configuration back to make all sites working with our custom template.

yes that would very much be my advise. it doesnt feel right, you want to know why, but at some point that becomes more unlikely and the best thing is to just move forward.

ASM security policy configuration auto changed

Rahul_More
Cirrus
Feb 04, 2021
Hey Guys,

Could you please help me with this ? let me know if needed specific logs.

Regards,
Rahul
Ivan_Chernenkii
Employee
Feb 20, 2021
Hello Rahul,

Do you have CMI/HA configured for these BIG-IPs?
Based on provided audit log I can make an assumption, that configuration of BIG-IP was recently restored from some UCS, but reason of that is not clear to me.

It can not be related to any Learning actions. Policy template can be removed only manually or via loading UCS without it (which most probably happened in your case)

Thanks, Ivan
- Rahul_More
  Cirrus
  Mar 02, 2021
  Hello Ivan,
  
  Yes these devices have HA configured as Active and Standby. I have also raised case with F5 support & share QKview report of both active and standby devices, but they couldn't see logs before than 15th Jan 2021.
  
  And as per the current log history they can not confirm the root cause of this issue. Hence, this is still as unknown cause.
  
  You are correct. The UCS backup is on dated of 15th Jan 2021 and there is no earlier backup file on the device.
  
  Regards,
  Rahul
boneyard
MVP
Feb 27, 2021
too late now, but next time contact support, this is the kind of thing you want to have someone look at as quick as possible and not wait on replies from a forum.
Rahul_More
Cirrus
Mar 02, 2021
Hello Boneyard,

Thanks for suggestion, I already have a case open with F5 support but no root cause update I received from them as they don't see the logs as why this was happened and removed user-defined template from the device and assigned "Fundamental" template to all affected policies.

.As to verify, I have uploaded the same template again and created test policy by selecting the same custom template to the test policy and then deleted it manually. And the result was "None".

It means it does not happened due to policy template deleted. This was something else but not sure what was that.

Please guide if in case any other possibilities.

Regards,
Rahul
- boneyard
  MVP
  Mar 02, 2021
  if there are no logs then it isnt possible determine a cause with any certainty, it will remain a guess.
  - boneyard
    MVP
    Mar 03, 2021
    i dont know understand what exactly you are now asking.
    
    if F5 support with access to your system can't tell you, the chance is very small someone here can.
    
    so what are you looking for now?

Forum Discussion

ASM security policy configuration auto changed

Recent Discussions

NAT for specific IPs

Upgrading BIGIP 2000S to R2600

TS Declarations for DNS

how to view list os client support via cli

automatic learning logs/report ?

Related Content

Auditing Security Policy Updates

Adaptive Apps: Replicate & deploy WAF application security policies across F5's security portfolio

Get Started with WAAP Security Incidents

My Security+ Certification Journey

Multiple Ways to Configure Usage Reporting in NGINX

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS