Forum Discussion

Nimbostratus

Oct 11, 2017

Deep ASM logs

How can we know the reason why ASM is blocking a URL ? Can we have more details on the blocking reason ? Which part of the URL is causing problem ? In ASM logs on the F5 I was not able to find this. ...

ASM Advanced WAF

security

F5_324021

Cirrus

Oct 12, 2017

Usually this can be extracted using the Support ID displayed on your browser while the request is blocked, from the ID if you have V13 software you may go to the security tab-->Event Logs-->Application-->Requests, and filter by the Support ID you got.

Hope this is helpful!

Sinistrad_29710
Nimbostratus
Oct 18, 2017
Yes I checked but the only reason is multiple encoding, so it doesn't help so much to find the real reason for this blocking, maybe we should check ASM logs on CLI to have more details
F5_324021
Cirrus
Oct 18, 2017
You can view the evasion technique violations logged by the BIG-IP ASM system:-

Log in to the Configuration utility.

Navigate to Security > Event Logs > Application > Requests.

From the Security Policy menu, select the security policy.

In the filter details, select Evasion Technique Detected from the Violation menu. Click Go.

To view the reason the violation was triggered, select the Evasion technique detected.

Also you can increase or decrease the number of decoding passes that the system attempts to achieve normalization before a violation will be triggered. For example, setting this value to 2 triggers a violation if more than one pass is required to decode the entity, allowing only single-encoded entities.

Refer to the below article

https://support.f5.com/csp/article/K7929

Hope this is helpful!