Forum Discussion

MSZ
Sep 09, 2015

How to start with F5 BIG-IP ASM quickly?

I would like to know the quick overview of the functions under:

Security --> Event Logs Security --> Reporting

And on the basis of Event logs, how we can tune the ASM?

24 Replies

  • when you do what you described then you will see all the events the ASM has logged. for those events you then see the status in the status column. an event can have more than one status.

    • Legal Request - a request the ASM decided is legal, so no issues with the request based on the policy you use.
    • Illegal Request - a request the ASM decided is illegal, so issues with the request based on the policy you use, but not blocking, perhaps due to staging or other setting, see explanation of G. Scott Harris above.
    • Blocked Request - a request the ASM decided to block, so issues with the request based on the policy you use.
    • Truncated Request - a request which can be legal, illegal, blocked or unblocked, but which was too long to fully log in the ASM
    • Unblocked Request - a request which was unblocked after being blocked; this is new functionality, search the documentation for more info.

    this screen tells you nothing about how to further act on these requests, there are no hints on how to make things better / more secure. this is just a log of what the ASM has done on the requests it has seen so far.


  • MSZ

    Thanks Boneyard for the detailed explanation and for getting me on the right track :)

    Now my question is: does Blocked request mean blocked, or is it just a suggestion? (When the policy is in Block mode and signature staging is disabled)

    Second point: when the policy is in Block mode and signature staging is enabled, will any Blocked request appear or not?


    • nathe
      Best we refer you to a good series on DC about ASM. See https://devcentral.f5.com/s/articles/the-big-ip-application-security-manager-part-1-what-is-the-asm
  • MSZ

    Could someone kindly help me in this regard? I am very confused by the event log. If someone understands my question then please help.

    Policy = Blocking Mode, Signature Staging = Disabled. Then how do we treat the Status from the event logs?

    • what do you mean with "How we treat the Status"? your general question (which you ask in three different forms within 2 hours) is difficult to answer for every possible situation. as mentioned by nathan, please take some time to just read the documentation. build a conceptual model for yourself and then test things to make sure you understand the details. or contact an F5 training partner to go through this. ASM is a difficult product which you simply can't learn quickly without putting quite some effort into it. of course dev central can help, but to provide the whole model is difficult. the general principle is: if an attack signature is in staging then it won't cause blocked (or illegal) events in the event log.
  • MSZ

    Thanks for the time. For your kind information, I have studied the John chapters 1-10 five times, and its manual with LTM and other configuration as well. I am in a production environment, that's why I am asking the questions. I am only stuck on the events that appear as logs. But your answers confuse me. Blocked request and Illegal request are two different statuses. Above you mentioned that if a signature is in staging state it will not block any request, so it will not appear in the event logs. But Illegal request and truncated request messages can be seen even when signatures are in staging state.

    I am very clear that the policy must be in Blocking state and signature staging must be disabled to block the requests implemented in the policy.


    • MSZ
      Knowing something best does not mean you pass it on/share it in the best manner. A very good F5 administrator may not be a good trainer.
  • "But your answers confuse me."

    well your questions confuse me 🙂

    "But Illegal request and truncated request messages can be seen even signature are in staging state."

    I don't believe this to be the case. if one signature is in staging then there will be NO events in the event log caused by that signature.

    and even if it was the case (don't have the time to fully test this now), what does it matter exactly? truncated is just some information about the request being too large to fully log. illegal means the request isn't ok but won't be blocked due to the policy setting. what exactly do you want to know?

  • MSZ

    Illegal Request: it means a policy violation. Will it affect the server or application? Or do we need to block it as per our need?


    It also has two types depending on rating:

    1. False positive (Rating 1 or 2)
    2. Critical (Rating 4 or 5)
  • MSZ

    The signature is in staging state and is still generating events.

  • ok, did my tests, used signature: Automated client access "curl" 200021075 
    
    policy: Blocking
    general attack signature setting: [x] Learn [x] Alarm [x] Block 
    specific signature setting: Automated client access "curl" 200021075 [ ] Staging - so not staging
    
    get a blocked event in Security  ››  Event Logs : Application : Requests
    
    policy: Blocking
    general attack signature setting: [x] Learn [x] Alarm [x] Block 
    specific signature setting: Automated client access "curl" 200021075 [x] Staging
    
    get no event in Security  ››  Event Logs : Application : Requests
    
    policy: Blocking
    general attack signature setting: [x] Learn [x] Alarm [ ] Block 
    specific signature setting: Automated client access "curl" 200021075 [ ] Staging - so not staging
    
    get an illegal event in Security  ››  Event Logs : Application : Requests
    
    policy: Blocking
    general attack signature setting: [x] Learn [x] Alarm [ ] Block 
    specific signature setting: Automated client access "curl" 200021075 [x] Staging
    
    get no event in Security  ››  Event Logs : Application : Requests
    

    MSZ, would it be possible for you to say which signature it is, show the signature setting, and show your general attack signature blocking settings? in my opinion you either ran into a bug or there is a configuration issue somewhere. you did apply the policy after making changes, right?
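    Boneyard's four tests, as an added example that is not code from the original post or from F5: a small Python model of the per-signature enforcement logic the matrix shows, which replays the tests and flags the kind of mismatch MSZ reported. The behaviour for Transparent mode and for Learn-only settings is an assumption the thread did not test, and other violation types (e.g. RFC/protocol violations) have their own blocking settings and are outside the model.

```python
from dataclasses import dataclass

# Constructed model of the attack-signature enforcement logic observed in the
# tests above. Signatures only: RFC/protocol violations have separate settings
# and are not affected by signature staging.

@dataclass(frozen=True)
class SignatureSetting:
    policy_blocking: bool  # enforcement mode: Blocking (True) / Transparent (False)
    learn: bool            # general attack-signature flags under Blocking Settings
    alarm: bool
    block: bool
    staging: bool          # the per-signature "Staging" checkbox

def expected_status(s: SignatureSetting) -> str:
    """Status expected in Security > Event Logs > Application > Requests."""
    if s.staging:
        # A staged signature never writes a request-log event; matches only
        # feed the learning suggestions.
        return "none"
    if s.policy_blocking and s.block:
        return "blocked"
    if s.alarm:
        # Assumption: Alarm without Block, or Transparent mode, logs the match as illegal.
        return "illegal"
    # Assumption: Learn only (no Alarm) writes nothing to the request log.
    return "none"

def diagnose(s: SignatureSetting, observed: str) -> str:
    """Compare an observed request-log status with what the signature config predicts."""
    expected = expected_status(s)
    if observed == expected:
        return "consistent"
    if s.staging and observed in ("blocked", "illegal"):
        return ("inconsistent: a staged signature cannot produce this event; the violation "
                "is probably of another type (e.g. an RFC/protocol violation with its own "
                "settings), or the policy was not applied after the change")
    return f"inconsistent: expected {expected}, observed {observed}"

# Boneyard's four tests replayed (signature 200021075, Automated client access "curl").
TESTS = [
    (SignatureSetting(True, True, True, True, False), "blocked"),
    (SignatureSetting(True, True, True, True, True), "none"),
    (SignatureSetting(True, True, True, False, False), "illegal"),
    (SignatureSetting(True, True, True, False, True), "none"),
]

if __name__ == "__main__":
    for cfg, observed in TESTS:
        print(cfg, "->", expected_status(cfg), "|", diagnose(cfg, observed))
    # MSZ's situation: staging enabled, yet illegal events in the log.
    print(diagnose(SignatureSetting(True, True, True, True, True), "illegal"))
```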

  • MSZ

    Thanks to all the people. Nathan has answered me on a different platform: I am getting RFC violations in the event logs. I was confused between the RFC violation settings and the signature settings. Both have an impact on the policy configured on the ASM.