Forum Discussion
IP Address Exception in ASM
Hi,
Is there a way to create an IP address exception per ASM signature?
The IP address exceptions list is too general for all ASM protections. I need something more specific.
I know ASM is not an IPS device, but it's the same, and in all IPS devices you can do this kind of exception.
Regards,
Nir
- Hannes_Rapp (Nimbostratus)
As far as I'm aware, the closest option in GUI you have is creating an IP address exception (linked to a particular ASM policy). If you want something more granular (an exception, linked to a specific signature ID), it can be done using iRules only.
A single IP and signature:
when ASM_REQUEST_DONE {
    # Exempt one client address from one signature ID; replace both placeholders.
    # "contains" is a substring test on the violation details, so use the full signature ID.
    if { ([IP::client_addr] equals "My-IP-Address") && ([ASM::violation details] contains "My-Signature-ID") } {
        log local0. "[ASM::violation_data]. Unblocked for [IP::client_addr]"
        ASM::unblock
    }
}
Multiple IP addresses and multiple signatures:
when ASM_REQUEST_DONE {
    # Exempt any client in an address data group from any signature ID in a string data group.
    # class match syntax is: class match <item> <operator> <data-group>, with the operators
    # equals / contains, not "==".
    if { [class match [IP::client_addr] equals data-group-ip-address-list] && [class match [ASM::violation details] contains data-group-signature-ids] } {
        log local0. "[ASM::violation_data]. Unblocked for [IP::client_addr]"
        ASM::unblock
    }
}
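A stricter version of the data-group approach, added here as an illustration and not part of Hannes's reply: it matches signature IDs exactly instead of by substring, and lifts the block only when every violation on the request is an attack-signature hit that is on the exemption list, so an exempted client cannot also slip past an unrelated violation (an illegal method, say) that happened to fire on the same request. The data-group names dg_asm_sig_exempt_ips (address type) and dg_asm_sig_exempt_ids (string type) are placeholders, and the assumption that [ASM::violation details] carries "sig_id <number>" entries should be confirmed on your BIG-IP version by logging that list once.

```tcl
# Added example, not from the thread. Per-signature IP exemption that fails closed:
# the block is lifted only when (a) the client is in the exempt address data group,
# (b) every violation on the request is an attack-signature violation, and
# (c) every signature ID that fired is listed, as an exact match, in the exempt
# string data group. Names below are placeholders:
#   dg_asm_sig_exempt_ips  address data group (IPs or subnets)
#   dg_asm_sig_exempt_ids  string data group (signature IDs, one per entry)
# Assumption: [ASM::violation details] contains "sig_id <number>" entries for
# signature hits; log that list once on your version to confirm before relying on it.
when ASM_REQUEST_DONE {
    # Nothing to do unless ASM has decided to block this request
    if { !([ASM::status] equals "blocked") } { return }

    # (a) source check; an address data group also matches by subnet
    if { ![class match [IP::client_addr] equals dg_asm_sig_exempt_ips] } { return }

    # (b) any violation other than a signature hit keeps the block in place
    foreach name [ASM::violation names] {
        if { !($name equals "VIOLATION_ATTACK_SIGNATURE_DETECTED") } {
            log local0. "ASM: keeping block for [IP::client_addr], non-signature violation $name"
            return
        }
    }

    # (c) pull the signature IDs out of the details list and require each to be exempt
    set sig_ids [list]
    foreach {whole id} [regexp -all -inline -- {sig_id (\d+)} [ASM::violation details]] {
        lappend sig_ids $id
    }
    set sig_ids [lsort -unique $sig_ids]
    if { [llength $sig_ids] == 0 } {
        # signature violation reported but no IDs parsed: layout differs, fail closed
        log local0. "ASM: keeping block for [IP::client_addr], no sig_id found in [ASM::violation details]"
        return
    }
    foreach id $sig_ids {
        # equals, not contains: exempting 200000001 must not also cover 2000000010
        if { ![class match -- $id equals dg_asm_sig_exempt_ids] } {
            log local0. "ASM: keeping block for [IP::client_addr], signature $id not exempt"
            return
        }
    }

    log local0. "ASM: unblocking support id [ASM::support_id] for [IP::client_addr], exempt signatures: $sig_ids"
    ASM::unblock
}
```

Attach the iRule to the virtual server that carries the ASM policy and watch /var/log/ltm for the "keeping block" lines while testing; every early return leaves ASM's own decision untouched, so a mistake in the data groups can only fail towards blocking, never towards silently unblocking.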
- gsharri (Altostratus)
I agree with Hannes. This requires an iRule. There is no option in security policies to exempt an IP address from an individual attack signature.
- nirsham_178691 (Nimbostratus)
Ok, thanks. I'll give it a go. Regards, Nir