Forum Discussion

Greg_33558's avatar
Greg_33558
Icon for Nimbostratus rankNimbostratus
Jun 09, 2015

IP Address Exceptions & iRule event triggers

I am using IP Address Exceptions to exclude known good automated scanners from my ASM Policy. I've told it to "Never log traffic from this IP Address", which successfully prevents these scans from filling up the Event Logs within the ASM:

However, I have an iRule that triggers on ASM_REQUEST_DONE event and logs any events that aren't 'clear':

set asm_info [ASM::violation_data]
if {[string equal {clear} [ASM::status]] != 1} {
    log local0. "client_addr=[lindex $asm_info 4] asm_support_id=[lindex $asm_info 1] asm_status=[ASM::status] asm_violation=[lindex $asm_info 0]"
}

and this iRule is still triggering, and logging, when the Qualys scanner scans the Virtual with this ASM policy attached.

Are there any elegant ways to avoid this?

  • [ASM::way-to-tell-if-IP-address-Exception-is-in-place-on-this-violation]?
  • 'Never trigger iRule events on traffic from this IP address'?
  • [ASM::way-to-query-list-of-IP-address-Exception-IPs]?

If all else fails, I can just write the same address exception logic into my iRule, but then I'm going to keep two lists of exceptions, which is inelegant and error-prone.

ASM Advanced WAF
ip address exception
security
  • Or_A_157009's avatar
    Or_A_157009
    Icon for Cirrus rankCirrus
    Jun 09, 2015
    can you add those ip addresses to a data group or table? if they are not many and static ip's than you could create a data group and use class match agains them for each incoming connection from that ip or use a table. the data groups are available to configure from the gui.
  • gowenfawr's avatar
    gowenfawr
    Icon for Nimbostratus rankNimbostratus
    Jun 09, 2015
    Or Azarzar, that's exactly what I was describing when I said "I can just write the same address exception logic into my iRule." I want to avoid having to maintain both the ASM policy IP Address Exception list *and* a data group, iRule variable, or other list. (Update - as per @cjunior's answer below, I'm fine *using* a datagroup file as long as I don't need to *maintain* it)
  • cjunior's avatar
    cjunior
    Icon for Nacreous rankNacreous
    Jun 09, 2015

    Hi Greg,

     

    [ASM::way-to-tell-if-IP-address-Exception-is-in-place-on-this-violation]?

     

    I can't remember, this list is on MySQL, https://support.f5.com/kb/en-us/solutions/public/6000/900/sol6979.html

     

    'Never trigger iRule events on traffic from this IP address'?

     

    I think you need mark to never block this address.

     

    [ASM::way-to-query-list-of-IP-address-Exception-IPs]?

     

    Take a look at this iApp: https://devcentral.f5.com/codeshare/export-asm-ip-address-exceptions-list-to-ltm-data-group-list

     

    It exports the ASM IP Address Exceptions List to a LTM Data Group.

     

    Maybe this helps you. [ ]