Forum Discussion

Rahul_More's avatar
Rahul_More
Icon for Cirrus rankCirrus
Feb 03, 2021

ASM security policy configuration auto changed

Hi Guys,   We have BIG-IP ASM in our environment which is loaded with 111 security policies, Out of all 101 policies configuration got changed suddenly and each policy is having learning and bloc...
application delivery
ASM Advanced WAF
LTM
security
  • boneyard's avatar
    boneyard
    Mar 04, 2021

    yes that would very much be my advise. it doesnt feel right, you want to know why, but at some point that becomes more unlikely and the best thing is to just move forward.

Ivan_Chernenkii's avatar
Ivan_Chernenkii
Icon for Employee rankEmployee

Hello Rahul,

 

Do you have CMI/HA configured for these BIG-IPs?

Based on provided audit log I can make an assumption, that configuration of BIG-IP was recently restored from some UCS, but reason of that is not clear to me.

 

It can not be related to any Learning actions. Policy template can be removed only manually or via loading UCS without it (which most probably happened in your case)

 

Thanks, Ivan

Rahul_More's avatar
Rahul_More
Icon for Cirrus rankCirrus
Mar 02, 2021

Hello Ivan,

 

Yes these devices have HA configured as Active and Standby. I have also raised case with F5 support & share QKview report of both active and standby devices, but they couldn't see logs before than 15th Jan 2021.

 

And as per the current log history they can not confirm the root cause of this issue. Hence, this is still as unknown cause.

 

You are correct. The UCS backup is on dated of 15th Jan 2021 and there is no earlier backup file on the device.

 

 

Regards,

Rahul