Forum Discussion

ctadev's avatar
Icon for Nimbostratus rankNimbostratus
Mar 27, 2023

Mock application response for uri in ASM policy


(I apologize for the quality of my English.)

Presentation of my context: In my company, I have an F5 (WAF) installed on a closed development environment that does not have access to applications and the internet. In this F5, there is a security policy configured to allow a list of APIs and their parameters to access the internet.

My constraint is that the security policy cannot be tested on this development environment. I have to wait for the delivery of the security policy on a test environment that has access to the applications to test if there are any blocks.

My need is to test this F5 security policy on the closed development environment to ensure that all my API parameters are properly declared in the F5 and to avoid any blockages on the second environment.

Since my development environment cannot access applications, my idea is to develop a mock to simulate the applications.

  1. Is it possible to simulate the response of an API of an application declared in the ASM to verify that all its parameters are not blocked?

  2. Is it possible to make a curl call to the URI of an API declared on F5 and simulate the response of the API with an iRule?

Thank you for your attention.

3 Replies

  • you can do of cause. Just create an iRule which will trigger with your api call 

    and then modify the response as needed. you can also modify headers and so on


    when HTTP_REQUEST {
     if {[string tolower [HTTP::uri]] starts_with "/text"} {
        set page \
    "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\">

    <html><head><title>my API Response </title></head>

    <body text=#000000>

    <h2><font face=Verdana>API $servercolor</font></h2>


      HTTP::respond 200 -version auto content "$page"


    • ctadev's avatar
      Icon for Nimbostratus rankNimbostratus

      Hello F5-Enthusiast,

      Thank you for your response.

      I would like to know if it is possible to apply the ASM security policy to the information sent in my URI?

      For example, I have an ASM policy called "SUPREM_ASM_POLICY" that only allows the URI "/param1" and the parameter "value1".

      I am using a curl command that triggers the iRule attached to the virtual server:

      curl -X GET "https://<virtual-server-ip>/param1?value1=test" -H "accept: application/json" -k.

      When I run this curl command, I want my iRule to retrieve the information "/param1?value1=test" and check if the URI and parameter match the rules defined in the ASM security policy.

      If I run the curl command with the URI "/param1?value1=test", there should not be any error.

      However, if I run the curl command with the URI "/param2?value1=test", I want to display an error message (because "param2" has not been declared in the ASM).

      Is it possible to use my "SUPREM_ASM_POLICY" security policy in my iRule to verify this information?

      (Edited to tag F5-Enthusiast. - Leslie)

  • Attach the response irule to a new virtual server that emulates your backend and let the pool from your original server with the asm policy point to this new vs.

    The HTTP_REQUEST event triggers before ASM. If you respond within this event, ASM does never see the request.