Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

Adding date and time to ASM response pages

Go to solution
pinkzeppelin
Altostratus
Altostratus

‎14-Apr-2023 04:01

Hi,

How can we add exact date and time when blocking occurs to ASM response pages? 

Thanks.

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
Daniel_Wolf
MVP
MVP

‎14-Apr-2023 10:57 - edited ‎14-Apr-2023 10:57

Hi @pinkzeppelin,

this iRule should do:

 

when ASM_REQUEST_DONE {
   set asm_support_id [ASM::support_id]
}

when ASM_REQUEST_BLOCKING {
   
   HTTP::header remove Content-Length
   HTTP::header insert header_1 value_1

   set response "<html>
                     <head>
                        <title>Request Rejected</title>
                     </head>
                     <body>
                        The requested URL was rejected. Please consult with your administrator.<br><br>
                        The current time and date is: [clock format [clock seconds] -format {%H:%M:%S}], [clock format [clock seconds] -format {%d/%m/%Y}]<br><br>
                        Your support ID is: $asm_support_id<br><br><a href='javascript&colon;history.back();'>Go Back</a><br><br>


                     </body>
                  </html>"
   ASM::payload replace 0 [ASM::payload length] ""
   ASM::payload replace 0 0 $response
}

 

Make sure to enable Trigger ASM iRule Events in your ASM security policy.
For further reading check:
K22017023: Configuring a custom Blocking Response Page using an iRule and
tcl man page - Time and Date - clock 

KR
Daniel

View solution in original post

4 REPLIES 4

Go to solution
Daniel_Wolf
MVP
MVP

‎14-Apr-2023 10:57 - edited ‎14-Apr-2023 10:57

Hi @pinkzeppelin,

this iRule should do:

 

when ASM_REQUEST_DONE {
   set asm_support_id [ASM::support_id]
}

when ASM_REQUEST_BLOCKING {
   
   HTTP::header remove Content-Length
   HTTP::header insert header_1 value_1

   set response "<html>
                     <head>
                        <title>Request Rejected</title>
                     </head>
                     <body>
                        The requested URL was rejected. Please consult with your administrator.<br><br>
                        The current time and date is: [clock format [clock seconds] -format {%H:%M:%S}], [clock format [clock seconds] -format {%d/%m/%Y}]<br><br>
                        Your support ID is: $asm_support_id<br><br><a href='javascript&colon;history.back();'>Go Back</a><br><br>


                     </body>
                  </html>"
   ASM::payload replace 0 [ASM::payload length] ""
   ASM::payload replace 0 0 $response
}

 

Make sure to enable Trigger ASM iRule Events in your ASM security policy.
For further reading check:
K22017023: Configuring a custom Blocking Response Page using an iRule and
tcl man page - Time and Date - clock 

KR
Daniel

Go to solution
e06137f
Nimbostratus
Nimbostratus
In response to Daniel_Wolf

‎16-Nov-2023 11:57

Hi @Daniel_Wolf 

As a newcomer to iRule, I'm currently facing a similar issue. I'm seeking guidnace on customizing the blocking response page to send a negative response to clients, rather than the typical 200 OK. In the above iRule example, how do I implement it to show clients a 403 or 503 error code instead?

Also, Does require to empty the default blocking response page setting if iRule is implemented?

Thank you in advance. 

0 Kudos

Go to solution
Daniel_Wolf
MVP
MVP
In response to e06137f

‎16-Nov-2023 13:21 - edited ‎16-Nov-2023 18:20

Hi @e06137f

that's fairly easy. No need to mess around with iRule in order to change the HTTP response code - follow this knowledge base article K35004154: Change the default 200 OK http response code from the ASM blocking page to 503.
However, I do recommend to keep the 200 for the reason that an attacker might use them for fingerprinting or recon. 503 repsonses stay out rather than 200s.

KR
Daniel

Go to solution
e06137f
Nimbostratus
Nimbostratus
In response to Daniel_Wolf

‎17-Nov-2023 10:25

Hi @Daniel_Wolf 

Thank you for the detailed explanation. I followed the article closly, and it workds perfectly. I appreciate your prompt response and assistance. If you have any recommedations for further learning on iRules please me know. Thank you. 

0 Kudos
Copyright © 2023 Khoros, LLC