For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Muhannad's avatar
Muhannad
Icon for Cirrus rankCirrus
Dec 29, 2021

User gets blocking page instead of captcha for brute force attack

Dears,   I am trying to configure Captcha during brute force attacks for OWA, but i am getting the blocking page instead.   I have read that i need to qualify the URL as a login page. by runn...
ASM Advanced WAF
security
Sebastiansierra's avatar
Sebastiansierra
Icon for MVP rankMVP
Feb 18, 2022

Hi,

1. This behavior is caused for a bug.

2. some URLs fails and another no, you need to test all the brute force login that configuring to figure out if is affected or not.

3. You need to specify the URL path, not the domain.

4. Additional if you need to add more than one path, you must determine if there are URL added, because run the command replaces the current value.

* First run the command :

tmsh list /sys db asm.cs.qualified_urls

*Then modify the db parameter with all the URLs that you need to exclude, in the next example I add /login and /index.php:

tmsh modify /sys db asm.cs.qualified_urls value /loginpage.mvc,/login,/index.php