F5 ASM/AWAF Preventing unauthorized users accessing admin path
In BIG-IP version 17.1 there is a new cool iRule feature that can block users from accessing specific URLs based on their username, and now I will share the code with you!
The code below uses the new BIG-IP commands " [ASM::is_authenticated] " and " [ASM::username] ". The logic is simple: if you are authenticated but you are not " admin ", you do not get access to the URL path " /about.php ". Each decision is written to /var/log/asm because of the " log local3. " facility. Note that " equals " is a case-sensitive string comparison, so make sure the origin server does not serve the same page under a differently spelled path, and that requests from users who are not yet authenticated fall through this iRule (that is what login enforcement in the prerequisites is for).
At the end of the article I also show how you can restrict specific URLs to AD groups with APM, but in that case the authentication moves to APM, while in the AWAF iRule example the authentication stays on the origin web server and AWAF only handles the URL authorization.
when ASM_REQUEST_DONE {
    # Only act on authenticated requests for the protected path.
    # Unauthenticated requests are not handled here; login enforcement
    # in the ASM policy must block them before they reach /about.php.
    if { [ASM::is_authenticated] && [HTTP::path] equals "/about.php" } {
        log local3. "This request was sent by user [ASM::username]."
        if { [ASM::username] equals "admin" } {
            # Admin is allowed through; leave the event.
            log local3. "The admin has logged!"
            return
        } else {
            # Any other authenticated user: silently drop the request.
            drop
        }
    }
}
Github link:
The harder part is that you need to complete several prerequisites, which I explain here:
- Enable iRule support in the ASM policy.
- Configure a login page and, optionally, login enforcement (if the origin server does not already block " /about.php " before login, this step is needed!).
- Enable session tracking by login page.
- Attach the iRule to the virtual server.
- Test and see.
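The prerequisites above are the same for any path you want to protect, so here is an added, generalized version of the authorization iRule. It is my own example, not the article's original iRule: instead of hard-coding one path and one user, it looks the request path up in a string data group that maps each protected path to a comma-separated list of allowed usernames, lowercases the path before matching, and logs denials together with the client IP. The data group name " protected_paths " and its records are assumptions for the example.

```tcl
# Added example (not the article's iRule): data-group driven URL authorization.
# Assumed data group (string type) "protected_paths" with records such as:
#   /about.php  -> "admin"
#   /config.php -> "admin,ops"
when ASM_REQUEST_DONE {
    # Lowercase the path so "/About.php" hits the same record as "/about.php";
    # the plain "equals" comparison in the article's iRule is case-sensitive.
    set path [string tolower [HTTP::path]]

    # "class match -value" returns the record's data (the allowed user list),
    # or an empty string when the path is not in the data group.
    set allowed [class match -value $path equals protected_paths]
    if { $allowed eq "" } {
        # Not a protected path: let the normal ASM policy enforcement decide.
        return
    }

    # ASM::is_authenticated only works with the login page and session
    # tracking prerequisites in place. An unauthenticated request for a
    # protected path is dropped here instead of falling through.
    if { ![ASM::is_authenticated] } {
        log local3. "Unauthenticated request to $path from [IP::client_addr] dropped."
        drop
        return
    }

    set user [ASM::username]
    # Split the comma-separated list and check for an exact username match.
    if { [lsearch -exact [split $allowed ","] $user] >= 0 } {
        log local3. "User $user allowed to access $path."
        return
    }

    # Authenticated but not in the allow list for this path.
    log local3. "User $user from [IP::client_addr] denied access to $path, request dropped."
    drop
}
```

The data group can be created from tmsh with " create ltm data-group internal protected_paths type string records add { /about.php { data admin } /config.php { data admin,ops } } ", after which the iRule is attached to the virtual server like the original one. Keeping the path-to-user mapping in a data group means new protected paths are a data change rather than an iRule change.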
Example logs:
cat /var/log/asm
.........
Jun 25 03:59:33 bigip1.com info tmm2[11400]: Rule /Common/f5-asm-allow-admin <ASM_REQUEST_DONE>: This request was sent by user admin.
Jun 25 03:59:33 bigip1.com info tmm2[11400]: Rule /Common/f5-asm-allow-admin <ASM_REQUEST_DONE>: The admin has logged!
[root@bigip1:Active:Standalone] config #
The DVWA app was used for this demo. It is old but gold, and there are many F5 demos on how to configure login enforcement for it! Here is a YouTube video for assistance:
Extra links (there is also a new event, " ASM_RESPONSE_LOGIN "):
AD group url enforcement:
If you want to control access to URLs based on AD groups, I suggest looking at the F5 APM (Access) module, which takes care of the authentication, and with Layer 7 ACLs each AD group can be limited in what it has access to. APM and AWAF can work together: with layered virtual servers AWAF can be placed before APM (by default it runs after it), and in that case, to get the username, you need to use the login page feature and not the " Use APM username and Session ID " option in the AWAF policy.
- Configuring Access Control Lists
- https://my.f5.com/manage/s/article/K00363504
- https://my.f5.com/manage/s/article/K03113285
- https://my.f5.com/manage/s/article/K54217479
Example APM profile of type LTM+APM and the APM policy, for anyone interested: APM uses AD to authenticate the users and to query their group membership, and members of the guest group get an ACL assigned that limits their access 😜
Summary:
This will probably also be available in F5 NEXT, with many more cool features!