Support Variables for ASM
This variable shows the Support ID, which helps us find logs more easily when troubleshooting: <%TS.request.ID()%>.
However, when it is exposed on a response block page, it is easy to identify that a BIG-IP system is protecting the environment, which makes reconnaissance and exploitation easier for a malicious user.
And speaking of response and block pages, there are other items that characterize a BIG-IP system even more easily, making an attacker's life easier when recognizing systems.
The question here is precisely this: is it possible to assign a different name to these variables and use it?
Ex. From: <%TS.request.ID()%>
To: <%id.support()%>
Is this a valid question? Does it make sense in the context of security?
I'm afraid you cannot change this variable. But if you are afraid of fingerprinting, you can create a custom blocking page and just remove the Request ID from the blocking page: techdocs.f5.com >> Configuring What Happens if a Request is Blocked
You might be able to fool some of the WAF fingerprinting tools with that move.
KR
Daniel

> The question here is precisely this: is it possible to assign a different name to these variables and use it?
> Ex. From: <%TS.request.ID()%>
> To: <%id.support()%>

Renaming the variable does not make sense. The variable is replaced with the actual support ID at blocking time. Your users/attackers only see the generated ID.
As Daniel said, customize the blocking page and eventually also change the default cookie names of ASM: https://my.f5.com/manage/s/article/K54501322
You can also just drop the packet with an iRule, but then investigation will be a bit harder 🙂
https://community.f5.com/t5/technical-forum/how-do-i-drop-traffic-on-asm/td-p/324482
Outside of that, you can also play with the rand function generator in TCL to make a random number and then return a custom page with that iRule, but log the related support ID against the random number in your logs. That will be a big play, and you have to be good with iRules and TCL, and it is better to send the logs to a SIEM with HSL (high-speed logging) rather than log locally.
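As an added illustration of the two suggestions in this thread (Daniel's neutral custom block page, and the last reply's random reference number logged against the ASM support ID over HSL), here is an iRule written for this page. It is not code from the thread or from F5. The pool name `siem_hsl_pool` and the page text are assumptions for the example; the iRule commands (`ASM::support_id`, `ASM::payload replace`, `HSL::open`, `HSL::send`) are standard, but check them against your TMOS version before use.

```tcl
# Added example, not from the thread or from F5.
# Replaces the ASM blocking page with a vendor-neutral page that shows only a
# random reference number, and ships "reference -> ASM support ID" to a remote
# collector with HSL so the mapping is never written to local logs.
#
# Assumption (hypothetical name): a pool "siem_hsl_pool" pointing at the SIEM's
# syslog listener. Attach the rule to the ASM-protected virtual server.

when RULE_INIT {
    # Neutral page: no product name, no ASM support ID, no "TS" hint.
    # %REF% is substituted per blocked request.
    set static::neutral_block_page {<!DOCTYPE html>
<html><head><title>Request rejected</title></head>
<body>
<p>Your request could not be processed.</p>
<p>If you believe this is an error, contact the service desk and quote reference %REF%.</p>
</body></html>}
}

when CLIENT_ACCEPTED {
    # One HSL handle per client connection; UDP syslog to the SIEM pool.
    set hsl [HSL::open -proto UDP -pool siem_hsl_pool]
}

when ASM_REQUEST_BLOCKING {
    # 16 hex chars: epoch seconds plus a random 31-bit value. rand() is not a
    # cryptographic generator, but the reference is only a lookup key shown to
    # the user, not a secret, so that is acceptable here. The result looks
    # nothing like the 20-digit numeric support ID ASM would otherwise print.
    set ref [format "%08x%08x" [clock seconds] [expr {int(rand() * 2147483647)}]]

    # Send the mapping to the SIEM. <134> = facility local0, severity info.
    # The analyst searches the SIEM for ref=, reads support_id=, then searches
    # the ASM request log by that support ID.
    HSL::send $hsl [format "<134>asm-block ref=%s support_id=%s client=%s host=%s uri=%s" \
        $ref [ASM::support_id] [IP::client_addr] [HTTP::host] [HTTP::uri]]

    # Swap the body of the ASM blocking response for the neutral page.
    set page [string map [list %REF% $ref] $static::neutral_block_page]
    ASM::payload replace 0 [ASM::payload length] $page
}
```

Two caveats a practitioner would want. First, this only removes what the block page itself reveals; the ASM cookies (the K54501322 article above covers renaming them) and other BIG-IP traits are still visible to a fingerprinting tool, so treat the page change as one layer. Second, because the support ID now lives only on the SIEM, the SIEM pool and HSL path become part of your incident-response dependency chain: if the collector is down when a block happens, the reference the user quotes maps to nothing.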