Forum Discussion
F5 ASM | count violation
- Dec 15, 2020
Hi Abed AL-R,
You can use session tracking.
https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-asm-implementations/preventing-session-hijacking-and-tracking-user-sessions.html
Result after X violations in the last Y seconds:
Can this feature "Violation Detection Actions" work with XFF (if xff header is available)?
Is it possible to configure this feature to block the XFF header client IP and not the source IP?
Because sometimes the source IP hides many users behind it.
When the Trust XFF Header option is enabled, it blocks the XFF header value.
"Beginning in BIG-IP ASM 10.1.0, you can instruct the BIG-IP ASM system to trust the X-Forwarded-For header and use the IP address information in the HTTP header instead of the source IP of the packet if the BIG-IP ASM system is deployed behind an internal or other trusted proxy. You can enable this feature in the Configuration utility by selecting the Trust XFF Header check box in the security policy properties advanced configuration settings."
REF: https://support.f5.com/csp/article/K12264
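The behaviour discussed in this thread ("X violations in the last Y seconds", keyed on the XFF address only when the request arrives from a trusted proxy) can be modelled as below. This is an added example, not code from the posts above or from F5, and it is a conceptual model rather than ASM's implementation. The proxy range, thresholds, sample events and the choice of the right-most XFF entry are assumptions.

```python
import ipaddress
from collections import defaultdict, deque

TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]  # assumed internal proxy tier
MAX_VIOLATIONS = 3    # "X" violations (assumed value)
WINDOW_SECONDS = 60   # in the last "Y" seconds (assumed value)

def client_ip(source_ip, xff_header):
    """Return the address to track: the XFF value only if the peer is a trusted proxy."""
    src = ipaddress.ip_address(source_ip)
    if not xff_header or not any(src in net for net in TRUSTED_PROXIES):
        return str(src)  # untrusted peer: XFF is client-controlled, ignore it
    # Assumption: the right-most entry is the one appended by the trusted proxy.
    candidate = xff_header.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return str(src)  # malformed header: fall back to the packet source

class ViolationTracker:
    def __init__(self, limit=MAX_VIOLATIONS, window=WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)  # tracked IP -> violation timestamps

    def record(self, now, source_ip, xff_header=None):
        """Record one violation; return (tracked_ip, should_block)."""
        ip = client_ip(source_ip, xff_header)
        q = self.events[ip]
        q.append(now)
        while q and q[0] <= now - self.window:
            q.popleft()  # drop violations that fell out of the window
        return ip, len(q) >= self.limit

def replay(events):
    """Run (time, source_ip, xff) violation events; return the set of blocked IPs."""
    tracker, blocked = ViolationTracker(), set()
    for now, src, xff in events:
        ip, block = tracker.record(now, src, xff)
        if block:
            blocked.add(ip)
    return blocked

# Constructed sample: two users behind proxy 10.0.0.5, then a direct client
# (192.0.2.44) sending an XFF header that names another user's address.
SAMPLE = [
    (0, "10.0.0.5", "198.51.100.7"), (5, "10.0.0.5", "203.0.113.9"),
    (10, "10.0.0.5", "198.51.100.7"), (20, "10.0.0.5", "198.51.100.7"),
    (30, "192.0.2.44", "203.0.113.9"), (31, "192.0.2.44", "203.0.113.9"),
]
```

With the sample events only 198.51.100.7 is blocked: the other user behind the same proxy is unaffected, and the XFF header sent from the untrusted address is not counted against 203.0.113.9.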