ASM/AWAF custom block page for specific violation

If you have a need to display a custom block page for a specific ASM/AWAF violation, you can use an iRule to achieve this.  ASM/AWAF has the ability to modify the Response and Blocking pages within the ASM Policy itself but these block pages apply across all violations.  Modifying the Response and Blocking pages within the policy can be useful if you need to add a corporate look and feel, or embed links or information to contact your support desk for further help etc.

There may be cases where you need to display certain information on a block page related to a specific violation.  Do have a good think about what negative effects this may have on your organisation, for advising an attacker that they were blocked for a specific reason could very well aid them in finding other ways around the block.

The following example is based on ASM/AWAF being integrated with an ICAP server for file upload anti-virus scanning, targeting the VIRUS_DETECTED violation, however it can be manipulated for any violation(s) once you identify the name of the violation.  The iRule contains a line to log out the violation name into /var/log/ltm whenever ASM/AWAF implements a block.  Substitute "VIOLATION_VIRUS_DETECTED" with the logged violation name you are targeting.

Firstly you need to configure your ASM/AWAF policy's "Trigger ASM iRule Events Mode" and set this to "Normal", this is found in the Advanced Settings area on the policy's General Settings. Save and apply the policy. This will enable ASM iRules to trigger.  (Note this setting is relevant on later versions of BIG-IP, previous versions have an additional setting 'Trigger ASM iRule Events' which needs to be set to Enable).

Then create an iRule based on the below, and attach it to the VIPs/Virtual Servers of which your ASM/AWAF policy is enabled on.  To test, hit your web application/API to generate an ASM/AWAF block page for the specific violation you are wanting a custom block page for, and have a look in your /var/log/ltm log for the logged out "ASM Violation was: <violation name here>".  Substitute this violation name in the iRule for the 'if' command where it is matching $asm_violation_name.  

Refresh the page (you may need to close/reopen the page, use an incognito window, or clear your cookies etc depending on your LTM VIP's configuration) trigger the same violation again, and you should now see the information as created in the iRule in the 'set response' section.  The iRule could be modified to match on multiple violations by expanding out the 'if' command.

when ASM_REQUEST_DONE {

set asm_support_id [ASM::support_id]

set asm_violation_name [ASM::violation_data]

}

when ASM_REQUEST_BLOCKING {

log local0. "ASM Violation was: $asm_violation_name"

if {$asm_violation_name contains "VIOLATION_VIRUS_DETECTED"} {

HTTP::header remove Content-Length

HTTP::header insert header_1 value_1

set client_ip [IP::client_addr]

set response "<html>

<head>

<title>Request Rejected</title>

</head>

<body>

AWAF has blocked your request due to the ICAP server indicating a file it scanned contained a virus.<br><br>

<b>Your support ID:</b> $asm_support_id<br><br>

<b>Source IP:</b> $client_ip<br>

</body>

</html>"

ASM::payload replace 0 [ASM::payload length] ""

ASM::payload replace 0 0 $response

}

}