Forum Discussion
Help excluding URLs from HTTP Protocol violations in ASM
I am having a problem where a network health ping /checkhealth is hitting several sites multiple times a second creating 100,000s of events a week. It is getting blocked because it has an IP address in the header instead of the FQDN. I know the requests are legitimate, and want to allow them.
My issue is that I still want to keep blocking on the "header containing IP address" rule on these sites, but it looks like even if I create the /checkhealth URL exception it is only looking at attack signatures and not the vulnerability/HTTP compliance rules. They are also using a wide range of IP addresses, so there isn't an easy way to just whitelist the IPs.
What is the best way I can make the WAF policy ignore those requests completely? Is my only option creating a custom L7 Policy or a custom iRule, or is there an easier route? (BIG-IP VE 15.1) Thanks!
2 Replies
Hello,
I'm not getting exactly your request, but from my understanding there is a kind of health check from several IPs towards the F5 VIP, and the policy assigned to this VIP is blocking those health check requests because the host header contains an IP address, am I right?
If yes, you can check these options.
- You can add a white list that contains a list of IPs using IP address exception, and select "never Block this IP Address".
- Disable ASM when matching with a data group that contains a list of IPs
https://clouddocs.f5.com/api/irules/ASM__disable.html
Thanks,
Mohamed Salah
- nclarke
Nimbostratus
Hello, sorry for the late reply (I guess my email alerts are disabled haha). There is a very wide range of IP addresses from the external network health checks, so there is no easy way to create an IP whitelist. The only thing similar is the /healthcheck123 URI, but there doesn't seem to be an easy way to just ignore that URL. Any ideas are appreciated.
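One way to exempt only the health-check URI, using the ASM::disable command linked in the first reply and matching on the request path instead of a source-IP data group (an added example, not code posted by anyone in the thread). It assumes the probe is a GET to exactly /checkhealth, the path named in the question; /Common/example_asm_policy is a placeholder for the policy attached to the virtual server.

```tcl
# Added example, not from the thread.
# Assumptions: the probe is a GET to exactly /checkhealth, and
# /Common/example_asm_policy is a placeholder policy name.
when HTTP_REQUEST {
    if { ([HTTP::method] eq "GET") && ([HTTP::path] eq "/checkhealth") } {
        # Exact match only: a prefix or "contains" match would also exempt
        # paths such as /checkhealth/anything from inspection.
        # HTTP::path excludes the query string, so the query string on this
        # URI goes uninspected as well.
        ASM::disable
    } else {
        # ASM::disable acts on the connection, so re-enable ASM for every
        # other request arriving on the same keep-alive connection.
        ASM::enable /Common/example_asm_policy
    }
}
```

Because the exempted path bypasses every ASM check, not just the HTTP compliance one, the backend handler for that URI should not act on request input.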