For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Eljay's avatar
Eljay
Icon for Cirrus rankCirrus
Aug 12, 2021
Solved

Bypassing ASM on HTTP response

Is it possible to prevent ASM from blocking responses when there's a specific HTTP header present in the HTTP response? Let's say we block responses with HTTP status code 500 by default in our securi...
ASM Advanced WAF
devops
security
  • spalande's avatar
    spalande
    Aug 13, 2021

    Try with an iRule. use appropriate asm policy name.

    Use logging to see if condition is getting triggered and then it can be disabled. 

    when HTTP_RESPONSE  {
ASM::enable "/common/asm_policy"
if { ([HTTP::status] == 500) and ([HTTP::header value Content-Type] eq "application/problem-handled-return-to-client") }{
log local0.info "disable asm"
ASM::disable
return
   }
}
Eljay's avatar
Eljay
Icon for Cirrus rankCirrus
Aug 17, 2021

Thanks for your answer,  .

 

I read about the HTTP_RESPONSE event in the F5 docs, https://clouddocs.f5.com/api/irules/HTTP_RESPONSE.html, but ASM::disable isn't mentioned as an available command. Is this command list complete?

 

I also wonder, is it possible to extract ASM policy name from the HTTP_REQUEST? It makes it easier to make a generic iRule.

Eljay's avatar
Eljay
Icon for Cirrus rankCirrus
Aug 27, 2021

The solution for my last question above can be found here; https://devcentral.f5.com/s/question/0D51T00008nsiZGSAY/irule-to-extract-asm-policy-name