, but I don't see the violation reaching the threshold of 100.Hello everyone,Recently, my service has encountered an issue. In the evening, while everything was running normally, I received a block warning from ASM. Upon checking, I found that my hostname was automatically removed from the policy by ASM. I am using fully automatic as per this link: https://my.f5.com/manage/s/article/K000134503. However, the problem is that when I checked for violations, I did not see any violations related to violations="Illegal host name." So, why did it reach the threshold of 100 and remove my hostname? Could this be a bug? I checked that there were no accept suggestions at that time, only violations="Illegal repeated parameter name," which I do not think is the issue. Thank you.

have you followed steps in https://my.f5.com/manage/s/article/K19216221?and was subdomain included flag enabled?

The cause may be that Policy Builder is automatically deleting valid hostnames. I don't know the root cause yet.To avoid similar issues, you should set the Automatic Learning to disable "Suggest to delete policy entity if it was not observed in traffic for more than 90 days". Then you can switch the Learning mode back to Automatic.

It is interesting if F5 downgrades the connection to http1.0 as it does not need host header and this to trigger the potential bug. You can also as a workaround try to insert the hostname with an rule at the HTTP_REQUEST_RELEASE event that is after the ASM/AWAF by first saving the hostname to variable at the HTTP_REQUEST event that is triggered before the AWAF/ASM module even if I think the Host header value should be available without saving it to a variable at the request event. HTTP::host is how you can get the hostname. When F5 cannot do something by default or in a case of potential bug irules usually can 😎 You can try to insert the host header with HTTP::host at the HTTP_REQUEST_RELEASE or HTTP::header options but it is interesting that under the HTTP::header article I have read that header sanitize options could remove the Host header so maybe the Policy Builder is doing some header sanitization etc. that causes the same issue but should have seen this. HTTP::host (f5.com) HTTP::header (f5.com) Also upgrade to the latest versions as maybe you are hitting a bug like the one mentioned in A specifically crafted HTTP request may lead the BIG-IP system to pass malformed HTTP requests to a target pool member web server (HTTP Desync Attack) (f5.com) so better review the asm and ltm logs as well the policy builder recommendations for headers as in manual mode it will tell you what it wants to do without actually doing it as you host header may not follow some RFC and the Auto mode to just enforce a protection that "cleans" your host header. Edit: Oh now I have read that you mean the AWAF/ASM block message not that the WAF removed the host header and sending the request to the origin server without one. Have you enabled log and learn under the the policy building for the violation ?

Sure, I have configured and my service is running normally. I am not using subdomain included because there is only one hostname for this service.

Big-IP ASM automatically removes my hostname

zamroni777
Nacreous
Jul 30, 2024
have you followed steps in https://my.f5.com/manage/s/article/K19216221?
and was subdomain included flag enabled?
- quangtran
  Cirrus
  Jul 30, 2024
  Sure, I have configured and my service is running normally. I am not using subdomain included because there is only one hostname for this service.
loipt_vpb
Nimbostratus
Sep 19, 2024
The cause may be that Policy Builder is automatically deleting valid hostnames. I don't know the root cause yet.
To avoid similar issues, you should set the Automatic Learning to disable "Suggest to delete policy entity if it was not observed in traffic for more than 90 days". Then you can switch the Learning mode back to Automatic.
- Nikoolayy1
  MVP
  Sep 23, 2024
  It is interesting if F5 downgrades the connection to http1.0 as it does not need host header and this to trigger the potential bug.
  
  You can also as a workaround try to insert the hostname with an rule at the HTTP_REQUEST_RELEASE event that is after the ASM/AWAF by first saving the hostname to variable at the HTTP_REQUEST event that is triggered before the AWAF/ASM module even if I think the Host header value should be available without saving it to a variable at the request event. HTTP::host is how you can get the hostname. When F5 cannot do something by default or in a case of potential bug irules usually can 😎
  
  You can try to insert the host header with HTTP::host at the HTTP_REQUEST_RELEASE or HTTP::header options but it is interesting that under the HTTP::header article I have read that header sanitize options could remove the Host header so maybe the Policy Builder is doing some header sanitization etc. that causes the same issue but should have seen this.
  
  HTTP::host (f5.com)
  
  HTTP::header (f5.com)
  
  Also upgrade to the latest versions as maybe you are hitting a bug like the one mentioned in A specifically crafted HTTP request may lead the BIG-IP system to pass malformed HTTP requests to a target pool member web server (HTTP Desync Attack) (f5.com) so better review the asm and ltm logs as well the policy builder recommendations for headers as in manual mode it will tell you what it wants to do without actually doing it as you host header may not follow some RFC and the Auto mode to just enforce a protection that "cleans" your host header.
  
  Edit:
  
  Oh now I have read that you mean the AWAF/ASM block message not that the WAF removed the host header and sending the request to the origin server without one. Have you enabled log and learn under the the policy building for the violation ?
  - loipt_vpb
    Nimbostratus
    Sep 24, 2024
    That's correct. You may want to see the Audit log. You will see the deletion of entities done by Policy Builder. That means F5 automatically deletes the entities depending on the setting of "Suggest to delete policy entity if it was not observed in traffic for more than 90 days"
quangtran
Cirrus
Aug 02, 2024
😟😟
boneyard
MVP
Aug 03, 2024
Did it happen again or was it a one time occurrence?

Can you involve F5 support? They can actually look at your configuration and perhaps logs which makes things way easier.

What was your enforcement mode set to?
- quangtran
  Cirrus
  Aug 05, 2024
  Hi boneyard
  I switched the Policy building learning mode to manual, and this issue no longer occurs. I have always set the mode to blocking from the beginning. I want to investigate the cause of the problem, which is why I brought up this topic. This issue occurs on many of my F5 servers, from devtest to prod.
  - boneyard
    MVP
    Aug 05, 2024
    Certainly if it can be reproduced I would involve F5 support.
    
    I gave it quick try myself, not sure how I would trigger the hostname removal now. You don't do anything just keep getting traffic to it?
quangtran
Cirrus
Sep 04, 2024
🙁😭

Forum Discussion

Big-IP ASM automatically removes my hostname

Recent Discussions

F5 Health Monitor Receive String as JSON

Background Tasks

Which process is consuming higher CPU

SSL bridging without SSL proxy forward

Big-IP VE edition for MacBook M4 Chip

Related Content

Decrypting BIG-IP Packet Captures Automatically

F5 Automatic ISP failover Configuration

F5 Distributed Cloud - Automatic TLS Certificate Generation - Non-Delegated DNS Zone

Remove Quotation marks

F5 BIG-IP Automatic email notification for system update events (ASM/AWAF)

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS