Forum Discussion

quangtran's avatar
quangtran
Icon for Cirrus rankCirrus
Jul 30, 2024

Big-IP ASM automatically removes my hostname

, but I don't see the violation reaching the threshold of 100.
Hello everyone,

Recently, my service has encountered an issue. In the evening, while everything was running normally, I received a block warning from ASM. Upon checking, I found that my hostname was automatically removed from the policy by ASM. I am using fully automatic as per this link: https://my.f5.com/manage/s/article/K000134503. However, the problem is that when I checked for violations, I did not see any violations related to violations="Illegal host name." So, why did it reach the threshold of 100 and remove my hostname? Could this be a bug? I checked that there were no accept suggestions at that time, only violations="Illegal repeated parameter name," which I do not think is the issue. Thank you.
  • The cause may be that Policy Builder is automatically deleting valid hostnames. I don't know the root cause yet.
    To avoid similar issues, you should set the Automatic Learning to disable "Suggest to delete policy entity if it was not observed in traffic for more than 90 days". Then you can switch the Learning mode back to Automatic.

    • Nikoolayy1's avatar
      Nikoolayy1
      Icon for MVP rankMVP

      It is interesting if F5 downgrades the connection to http1.0 as it does not need host header and this to trigger the potential bug.

       

      You can also as a workaround try to insert the hostname with an rule at the HTTP_REQUEST_RELEASE event that is after the ASM/AWAF by first saving the hostname to variable at the HTTP_REQUEST event that is triggered before the AWAF/ASM module even if I think the Host header value should be available without saving it to a variable at the request event. HTTP::host is how you can get the hostname. When F5 cannot do something by default or in a case of potential bug irules usually can 😎

      You can try to insert the host header with HTTP::host at the HTTP_REQUEST_RELEASE or HTTP::header options but it is interesting that under the HTTP::header article I have read that header sanitize options could remove the Host header so maybe the Policy Builder is doing some header sanitization etc. that causes the same issue but should have seen this.

      HTTP::host (f5.com)

      HTTP::header (f5.com)

       

       

      Also upgrade to the latest versions as maybe you are hitting a bug like the one mentioned in A specifically crafted HTTP request may lead the BIG-IP system to pass malformed HTTP requests to a target pool member web server (HTTP Desync Attack) (f5.com)  so better review the asm and ltm logs as well the policy builder recommendations for headers as in manual mode it will tell you what it wants to do without actually doing it as you host header may not follow some RFC and the Auto mode to just enforce a protection that "cleans" your host header.

       

      Edit:

       

      Oh now I have read that you mean the AWAF/ASM block message not that the WAF removed the host header and sending the request to the origin server without one. Have you enabled log and learn under the the policy building for the violation ?

      • loipt_vpb's avatar
        loipt_vpb
        Icon for Nimbostratus rankNimbostratus

        That's correct. You may want to see the Audit log. You will see the deletion of entities done by Policy Builder. That means F5 automatically deletes the entities depending on the setting of "Suggest to delete policy entity if it was not observed in traffic for more than 90 days"

         

  • Did it happen again or was it a one time occurrence?

     

    Can you involve F5 support? They can actually look at your configuration and perhaps logs which makes things way easier.

     

    What was your enforcement mode set to?

    • quangtran's avatar
      quangtran
      Icon for Cirrus rankCirrus

      Hi boneyard 
      I switched the Policy building learning mode to manual, and this issue no longer occurs. I have always set the mode to blocking from the beginning. I want to investigate the cause of the problem, which is why I brought up this topic. This issue occurs on many of my F5 servers, from devtest to prod.

      • boneyard's avatar
        boneyard
        Icon for MVP rankMVP

        Certainly if it can be reproduced I would involve F5 support.

         

        I gave it quick try myself, not sure how I would trigger the hostname removal now. You don't do anything just keep getting traffic to it?

    • quangtran's avatar
      quangtran
      Icon for Cirrus rankCirrus

      Sure, I have configured and my service is running normally. I am not using subdomain included because there is only one hostname for this service.