14-Apr-2023 04:01
Hi,
How can we add exact date and time when blocking occurs to ASM response pages?
Thanks.
Solved! Go to Solution.
14-Apr-2023 10:57 - edited 14-Apr-2023 10:57
Hi @pinkzeppelin,
this iRule should do:
when ASM_REQUEST_DONE {
set asm_support_id [ASM::support_id]
}
when ASM_REQUEST_BLOCKING {
HTTP::header remove Content-Length
HTTP::header insert header_1 value_1
set response "<html>
<head>
<title>Request Rejected</title>
</head>
<body>
The requested URL was rejected. Please consult with your administrator.<br><br>
The current time and date is: [clock format [clock seconds] -format {%H:%M:%S}], [clock format [clock seconds] -format {%d/%m/%Y}]<br><br>
Your support ID is: $asm_support_id<br><br><a href='javascript:history.back();'>Go Back</a><br><br>
</body>
</html>"
ASM::payload replace 0 [ASM::payload length] ""
ASM::payload replace 0 0 $response
}
Make sure to enable Trigger ASM iRule Events in your ASM security policy.
For further reading check:
K22017023: Configuring a custom Blocking Response Page using an iRule and
tcl man page - Time and Date - clock
KR
Daniel
14-Apr-2023 10:57 - edited 14-Apr-2023 10:57
Hi @pinkzeppelin,
this iRule should do:
when ASM_REQUEST_DONE {
set asm_support_id [ASM::support_id]
}
when ASM_REQUEST_BLOCKING {
HTTP::header remove Content-Length
HTTP::header insert header_1 value_1
set response "<html>
<head>
<title>Request Rejected</title>
</head>
<body>
The requested URL was rejected. Please consult with your administrator.<br><br>
The current time and date is: [clock format [clock seconds] -format {%H:%M:%S}], [clock format [clock seconds] -format {%d/%m/%Y}]<br><br>
Your support ID is: $asm_support_id<br><br><a href='javascript:history.back();'>Go Back</a><br><br>
</body>
</html>"
ASM::payload replace 0 [ASM::payload length] ""
ASM::payload replace 0 0 $response
}
Make sure to enable Trigger ASM iRule Events in your ASM security policy.
For further reading check:
K22017023: Configuring a custom Blocking Response Page using an iRule and
tcl man page - Time and Date - clock
KR
Daniel
16-Nov-2023 11:57
Hi @Daniel_Wolf
As a newcomer to iRule, I'm currently facing a similar issue. I'm seeking guidnace on customizing the blocking response page to send a negative response to clients, rather than the typical 200 OK. In the above iRule example, how do I implement it to show clients a 403 or 503 error code instead?
Also, Does require to empty the default blocking response page setting if iRule is implemented?
Thank you in advance.
16-Nov-2023 13:21 - edited 16-Nov-2023 18:20
Hi @e06137f,
that's fairly easy. No need to mess around with iRule in order to change the HTTP response code - follow this knowledge base article K35004154: Change the default 200 OK http response code from the ASM blocking page to 503.
However, I do recommend to keep the 200 for the reason that an attacker might use them for fingerprinting or recon. 503 repsonses stay out rather than 200s.
KR
Daniel
17-Nov-2023 10:25
Hi @Daniel_Wolf
Thank you for the detailed explanation. I followed the article closly, and it workds perfectly. I appreciate your prompt response and assistance. If you have any recommedations for further learning on iRules please me know. Thank you.