Forum Discussion
MVPF5 AWAF/ASM ASM_RESPONSE_VIOLATION event seem to not trigger on 17.1.x
MVPHey Nikolay,
I prefer the normal (aka. modern) "Trigger ASM iRule events Mode" and then use ASM_REQUEST_DONE event in combination with [ASM::status] to handle blockied / violation events. In addition I use the ASM_REQUEST_BLOCKING event with [ASM::payload] to dynamically modify ASM responses.
Note: ASM_RESPONSE_VIOLATION is the compatible iRule event and ASM_REQUEST_DONE is its modern replacement. ASM will trigger the one or the other depending on the configured "Trigger ASM iRule events Mode" setting but not both at the same time.
Cheers, Kai
MVPKai_Wilke I think that this event is still the only active one for Response based ASM/AWAF violations that need to inspect the response and not the request. If you open for example https://clouddocs.f5.com/api/irules/ASM_REQUEST_VIOLATION.html you will see that the replacement is "ASM_REQUEST_DONE." but not for https://clouddocs.f5.com/api/irules/ASM_RESPONSE_VIOLATION.html
I think there are not many use cases for custom response violations and this could be just a bug that was missed that this event is no longer triggered no matter the mode "Normal" or "Compatibility" . Will test again after I upgrade my test F5 devices.
