Forum Discussion

Sinistrad_29710's avatar
Sinistrad_29710
Icon for Nimbostratus rankNimbostratus
Oct 11, 2017

Deep ASM logs

How can we know the reason why ASM is blocking a URL ? Can we have more details on the blocking reason ? Which part of the URL is causing problem ? In ASM logs on the F5 I was not able to find this. ...
ASM Advanced WAF
security
F5_324021's avatar
F5_324021
Icon for Cirrus rankCirrus
Oct 12, 2017

Usually this can be extracted using the Support ID displayed on your browser while the request is blocked, from the ID if you have V13 software you may go to the security tab-->Event Logs-->Application-->Requests, and filter by the Support ID you got.

 

Hope this is helpful!

 

F5_324021's avatar
F5_324021
Icon for Cirrus rankCirrus
Oct 18, 2017

You can view the evasion technique violations logged by the BIG-IP ASM system:-

 

Log in to the Configuration utility.

 

Navigate to Security > Event Logs > Application > Requests.

 

From the Security Policy menu, select the security policy.

 

In the filter details, select Evasion Technique Detected from the Violation menu. Click Go.

 

To view the reason the violation was triggered, select the Evasion technique detected.

 

Also you can increase or decrease the number of decoding passes that the system attempts to achieve normalization before a violation will be triggered. For example, setting this value to 2 triggers a violation if more than one pass is required to decode the entity, allowing only single-encoded entities.

 

Refer to the below article

 

https://support.f5.com/csp/article/K7929

 

Hope this is helpful!