Mask Request Body ASM Reporting

Hi Ryan,

 

 

Can you mark the parameters which contain sensitive data as sensitive so that ASM won't log the values?

 

 

Configuring sensitive parameters

 

https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-config-11-4-0/asm_parameters.html1035705

 

 

In 11.4, ASM automatically masks CC numbers in reports:

 

 

 

https://support.f5.com/kb/en-us/products/big-ip_asm/releasenotes/product/relnote-asm-11-4-0.html

 

 

Mask Sensitive Information in Request Log

 

In addition to masking sensitive information in parameters, with this release the security policy can also mask credit card numbers that appear in any part of the request. The credit card numbers are not masked in the actual requests, but rather in various ASM logs within the ASM Configuration utility:

 

 

Credit card numbers appearing in entity names are only masked in the ASM Requests log.

 

Credit card numbers appearing in entity values are masked wherever request information can be viewed.

 

 

To set the security policy to mask credit card numbers in the Requests log, navigate to the Security > Application Security > Security Policies screen, click a security policy to view its properties, and enable the Mask Credit Card Numbers in Request Log check box. This setting is enabled by default.

 

 

When you are upgrading to version 11.4, or importing from older versions, the configuration of this feature is set to enabled. Logs generated by previous versions do not undergo offline credit card number masking.

 

 

 

You could open a Support case to request a new feature that would allow an admin to specify one or more generic regexes to mask in a similar fashion.

 

 

Aaron