Forum Discussion

Ghislain_Pellet's avatar
Icon for Nimbostratus rankNimbostratus
Jan 11, 2017

Blocking Response Page seems to be blocked

We've set up a custom blocking response page on our site but it seems to be blocked when an illegal request is detected. The custom page is a contact form that, when filled by the client, enables us to contact him/her to solve the issue. The page is in the Allowed URLs list. The blocking response page is on the same server/domain as the monitored website.


The URI is something like


Any idea on how to tell the F5 to NEVER BLOCK this URL?


3 Replies

  • When a request is blocked by ASM, that happens before the connection is ever proxied to the back end server. You can configure a custom blocking response in ASM so that, when ASM does block a request, the client is redirected to a different location, such as your custom PHP form. See this article here:


    Although it's for 11.5, you can check the equivalent on later releases.


  • Hi Ghislain,

    I'm using a layered approach for my violation pages.

    1. If an violation occours somewhare on the page, the request will be redirected to the landing page, with a query string appended containing an b64encoded SupportID (e.g.
      /default.html?RequestID=[b64encode [ASM::support_id]]
    2. If a violation occours and a the RequestID parameter is present, the violation response will not trigger the HTTP-Redirect to the landing page again. Instead it will directly serve a HTTP Err403 response to the client that the request was blocked.

    This behavior gives us a good user experience (no explicit error messages), still allows easy troubleshootings (via embedded query string information) and implements a decent protection for redirect loops, which may occour if the redirected request to the error page would trigger a violation again (e.g. disallowed/misconfigured user-agents, etc.).

    Cheers, Kai

  • Another solution to this loop problem would be to remove all elements coming from the initial request that could cause the violation on the blocking response page. These could be in the Referer header or in the cookies.

    when HTTP_REQUEST {
        if { [HTTP::uri] starts_with "/my-blocking-response-page" }{
            if { [HTTP::header exists Referer] }{
                HTTP::header remove Referer
            foreach cookiename [HTTP::cookie names] {
                switch -glob $cookiename {
                    "a-cookie-I-want-to-keep-1" -
                    "a-cookie-I-want-to-keep-2" {}
                    default {
                        HTTP::cookie remove $cookiename