Chad_Roberts_21
Nimbostratus
Dec 21, 2006
iRule action after ASM
Another question...
We have ASM and are using it to scan traffic to one of our applications. Is there an event in which I can change the pool selection after ASM has completed its work?
hoolio
Cirrostratus
Oct 27, 2008
With the introduction of the plugin architecture in 9.4.2, the events for ASM-enabled VIPs have improved significantly. In a standard HTTP VIP with at least one ASM-enabled HTTP Class added, the following events are potentially triggered:
CLIENT_ACCEPTED
HTTP_REQUEST
HTTP_CLASS_SELECTED
-- ASM request validation --
HTTP_CLASS_FAILED
LB_SELECTED
PERSIST_DOWN
LB_FAILED
SERVER_CONNECTED
HTTP_REQUEST_SEND
HTTP_RESPONSE
-- ASM response validation --
You can get definitions for when the various events are triggered from the events page (Click here).
You can modify the HTTP headers and data for a request before the request is sent to ASM for validation using the HTTP_REQUEST event. You can modify the request after ASM validation using LB_SELECTED (or HTTP_REQUEST_SEND and the clientside command (Click here)).
Unfortunately, the only response event we have to work with is HTTP_RESPONSE. This is triggered when the server's response HTTP headers are parsed. The response is then sent to ASM. I don't think there is another event triggered after ASM has validated the response. So I don't think you will be able to modify the response after ASM processes it and before it is sent to the client.
It would be useful if there was an event triggered after ASM parsed the request and response. It would be great if we could get details on any violation which was found. I've requested this previously. At one point, F5 had spec'd the feature, but I don't think it's planned for any upcoming version.
Trigger an iRule event when an ASM violation is generated. Make the full request info accessible in a variable or array so the rule could have logic based on the violation type/data and modify the handling of the request/response. This would give administrators much more flexibility in how to handle violations.
If you want to request this functionality be added in a future version, you could open a case with F5 Support and ask them to attach your case to the request for enhancement.
Aaron
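An iRule sketch of the approach described in the answer above, changing the pool in LB_SELECTED, which the listed event order places after ASM request validation. This is an added example, not code from the original thread; the pool name `reports_pool` and the `/reports` path prefix are assumptions chosen for illustration.

```tcl
# Added example: pool name and URI prefix below are hypothetical.

when HTTP_REQUEST {
    # Fires before ASM request validation (per the event order above).
    # Only record the routing decision here; do not switch pools yet.
    set want_pool ""
    if { [string tolower [HTTP::path]] starts_with "/reports" } {
        set want_pool "reports_pool"
    }
}

when LB_SELECTED {
    # Fires after ASM request validation (per the event order above),
    # so the pool change applies to a request ASM has already processed.
    if { $want_pool ne "" && [LB::server pool] ne $want_pool } {
        # The comparison against the current pool keeps the rule from
        # reselecting again if LB_SELECTED fires after the reselect.
        if { [active_members $want_pool] > 0 } {
            LB::reselect pool $want_pool
        } else {
            # Leave the original selection in place and record why.
            log local0. "No active members in $want_pool for [IP::client_addr]; keeping [LB::server pool]"
        }
    }
}
```

Keeping the decision in HTTP_REQUEST and the action in LB_SELECTED means ASM still sees the request exactly as the client sent it.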