Forum Discussion

Sinistrad_29710's avatar
Sinistrad_29710
Icon for Nimbostratus rankNimbostratus
Oct 11, 2017

Deep ASM logs

How can we know the reason why ASM is blocking a URL ? Can we have more details on the blocking reason ? Which part of the URL is causing problem ? In ASM logs on the F5 I was not able to find this. ...
ASM Advanced WAF
security
F5_324021's avatar
F5_324021
Icon for Cirrus rankCirrus
Oct 12, 2017

Usually this can be extracted using the Support ID displayed on your browser while the request is blocked, from the ID if you have V13 software you may go to the security tab-->Event Logs-->Application-->Requests, and filter by the Support ID you got.

 

Hope this is helpful!

 

  • Sinistrad_29710's avatar
    Sinistrad_29710
    Icon for Nimbostratus rankNimbostratus
    Oct 18, 2017

    Yes I checked but the only reason is multiple encoding, so it doesn't help so much to find the real reason for this blocking, maybe we should check ASM logs on CLI to have more details

     

  • F5_324021's avatar
    F5_324021
    Icon for Cirrus rankCirrus
    Oct 18, 2017

    You can view the evasion technique violations logged by the BIG-IP ASM system:-

     

    Log in to the Configuration utility.

     

    Navigate to Security > Event Logs > Application > Requests.

     

    From the Security Policy menu, select the security policy.

     

    In the filter details, select Evasion Technique Detected from the Violation menu. Click Go.

     

    To view the reason the violation was triggered, select the Evasion technique detected.

     

    Also you can increase or decrease the number of decoding passes that the system attempts to achieve normalization before a violation will be triggered. For example, setting this value to 2 triggers a violation if more than one pass is required to decode the entity, allowing only single-encoded entities.

     

    Refer to the below article

     

    https://support.f5.com/csp/article/K7929

     

    Hope this is helpful!