Forum Discussion
F5 AWAF/ASM ASM_RESPONSE_VIOLATION event seems to not trigger on 17.1.x
Hey Everyone,
The F5 AWAF/ASM ASM_RESPONSE_VIOLATION event seems to not trigger on 17.1.x.
I have enabled iRules support in the WAF policy and I tested in Normal and Compatibility mode, but no luck. The other events trigger without an issue.
I created 2 custom signatures for response and request match, and the request match one has no issues, so it seems like a bug to me.
This can be easily tested with the below iRule that logs to /var/log/asm:
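# Fires once ASM has finished processing the request
when ASM_REQUEST_DONE {
    log local3. "test request"
}
# Expected to fire when ASM detects a violation in the response
when ASM_RESPONSE_VIOLATION {
    log local3. "test response"
}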
The custom response signature is in the policy to just trigger an alarm.
I tried a string or regex match " (?i)failed " PCRE-style, as F5 15.x and up are using this regex style.
2 Replies
Hey Nikolay,
I prefer the normal (aka. modern) "Trigger ASM iRule events Mode" and then use the ASM_REQUEST_DONE event in combination with [ASM::status] to handle blocked / violation events. In addition I use the ASM_REQUEST_BLOCKING event with [ASM::payload] to dynamically modify ASM responses.
Note: ASM_RESPONSE_VIOLATION is the compatible iRule event and ASM_REQUEST_DONE is its modern replacement. ASM will trigger the one or the other depending on the configured "Trigger ASM iRule events Mode" setting but not both at the same time.
Cheers, Kai
Kai_Wilke I think that this event is still the only active one for Response based ASM/AWAF violations that need to inspect the response and not the request. If you open for example https://clouddocs.f5.com/api/irules/ASM_REQUEST_VIOLATION.html you will see that the replacement is "ASM_REQUEST_DONE." but not for https://clouddocs.f5.com/api/irules/ASM_RESPONSE_VIOLATION.html
I think there are not many use cases for custom response violations and this could be just a bug that was missed that this event is no longer triggered no matter the mode "Normal" or "Compatibility". Will test again after I upgrade my test F5 devices.
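A diagnostic iRule for the comparison discussed in this thread, added here as an example and not posted by either participant or taken from F5: it logs the ASM status, support ID and violation names from both events so the entries in /var/log/asm show which event fired for a given transaction. It assumes iRule events are enabled on the policy and that [ASM::status] returns "clear" for a request with no violation.

```tcl
# Added example: compare request-side and response-side ASM events.
when ASM_REQUEST_DONE {
    # Assumption: "clear" means ASM raised no violation for this request
    set status [ASM::status]
    if { $status ne "clear" } {
        log local3. "ASM request: status=$status support_id=[ASM::support_id] violations=[ASM::violation names]"
    }
}

when ASM_RESPONSE_VIOLATION {
    # If this line never appears for a response that matches the custom
    # response signature, the event is not being raised in the current mode
    log local3. "ASM response: status=[ASM::status] support_id=[ASM::support_id] violations=[ASM::violation names]"
}
```

Matching the logged support ID against the ASM event log shows whether a response signature alarm was recorded by the policy even though no iRule event was logged for it.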
