Forum Discussion
Deep ASM logs
How can we know the reason why ASM is blocking a URL? Can we have more details on the blocking reason? Which part of the URL is causing the problem? In the ASM logs on the F5 I was not able to find this. Please advise,
Thanks!
- Erik_Novak
Employee
A blocking response should be accompanied by a violation description. Do you see any violations for the blocked request(s) on the Traffic Learning page?
- F5_324021
Cirrus
Usually this can be extracted using the Support ID displayed in your browser when the request is blocked. If you have V13 software, you may go to the Security tab > Event Logs > Application > Requests and filter by the Support ID you got.
Hope this is helpful!
- Sinistrad_29710
Nimbostratus
Yes, I checked, but the only reason is multiple encoding, so it doesn't help much to find the real reason for this blocking. Maybe we should check the ASM logs on the CLI to have more details.
- F5_324021
Cirrus
You can view the evasion technique violations logged by the BIG-IP ASM system:
1. Log in to the Configuration utility.
2. Navigate to Security > Event Logs > Application > Requests.
3. From the Security Policy menu, select the security policy.
4. In the filter details, select Evasion Technique Detected from the Violation menu. Click Go.
5. To view the reason the violation was triggered, select the Evasion technique detected.
Also you can increase or decrease the number of decoding passes that the system attempts to achieve normalization before a violation will be triggered. For example, setting this value to 2 triggers a violation if more than one pass is required to decode the entity, allowing only single-encoded entities.
Refer to the article below:
https://support.f5.com/csp/article/K7929
Hope this is helpful!
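To find which part of a blocked URL needs more than one decoding pass, the following added example (not written by any poster in this thread and not F5's implementation) counts percent-decoding passes for each path segment and query parameter. The function names, the sample URL and the `passes >= max_decoding_passes` rule are assumptions based on the description of the decoding-passes setting above.

```python
from urllib.parse import urlsplit, unquote


def decoding_passes(value, limit=10):
    """Count percent-decoding passes needed until the value stops changing."""
    passes = 0
    while passes < limit:
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
        passes += 1
    return passes, value


def find_multiple_encoding(url, max_decoding_passes=2):
    """Return (location, raw, passes, normalized) for every URL part that
    needs max_decoding_passes or more passes to normalize (assumed rule)."""
    parts = urlsplit(url)
    candidates = []
    for i, seg in enumerate(parts.path.split("/")):
        if seg:
            candidates.append((f"path segment {i}", seg))
    for pair in parts.query.split("&"):
        if not pair:
            continue
        name, _, val = pair.partition("=")
        candidates.append((f"name of parameter '{name}'", name))
        candidates.append((f"value of parameter '{name}'", val))
    findings = []
    for where, raw in candidates:
        passes, normalized = decoding_passes(raw)
        if passes >= max_decoding_passes:
            findings.append((where, raw, passes, normalized))
    return findings


# Constructed sample: one double-encoded path segment, one singly encoded
# UTF-8 value (legitimate), and one double-encoded parameter value.
SAMPLE_URL = ("https://app.example.com/docs/report%2520q3.pdf"
              "?name=J%C3%B6rg&next=%252Fhome")

if __name__ == "__main__":
    for where, raw, passes, normalized in find_multiple_encoding(SAMPLE_URL):
        print(f"{where}: {raw!r} needs {passes} passes -> {normalized!r}")
```

Running it against the URL copied from the request details for a given Support ID shows whether the multiple-encoding finding comes from the path or from a specific parameter.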