Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

ASM block page for use with API waf policy

Go to solution
kimhenriksen
Cirrostratus
Cirrostratus

‎24-May-2023 23:56

Hey all!

I´ve setup a asm waf policy for a webservice that handels api calls. But the standard response on a block is a 200 OK with the block webpage, which works great if a person can see it on the screen.. when it´s an api call the service just gets a <!DO (the first characters of the webpage) and a 200 OK. 

What I want to do I just return a 403 / 503 (or something like that) and just respond with the support ID in a header back to the source.

I´ve got most of it figured out, except the header part... 

So... doesnt anyone know a good way for me to insert a support ID to a header response back to the client?

Labels:
0 Kudos
2 ACCEPTED SOLUTIONS

Go to solution
Nikoolayy1
MVP
MVP
In response to kimhenriksen

‎25-May-2023 04:17

Also keep in mind that ASM_REQUEST_DONE irule event will show you support id even for good requests, so if you want to insert the header only when there is violation then you can use ASM_REQUEST_BLOCKING as a replacement for ASM_REQUEST_DONE as it will trigger only for bad requests.

View solution in original post

Go to solution
kimhenriksen
Cirrostratus
Cirrostratus
In response to Nikoolayy1

‎25-May-2023 22:19

Just an update from me. I found a much much simpler way to accomplish this.

In the settings for the policy and under response and blocking pages, i edit and created a new header and just used the support id variable from the page on the header and that worked like a charm. No irules to apply or anything. 😄

View solution in original post

0 Kudos
17 REPLIES 17

Go to solution
Nikoolayy1
MVP
MVP

‎25-May-2023 03:18 - edited ‎25-May-2023 03:19

Why not save the ASM::support_id to variable from the "ASM_REQUEST_DONE" event and then in the ''HTTP_RESPONSE'' event just insert the value in a header?

 

See:

 

https://clouddocs.f5.com/api/irules/ASM__support_id.html

 

https://clouddocs.f5.com/api/irules/ASM_REQUEST_DONE.html

 

https://clouddocs.f5.com/api/irules/ASM_REQUEST_BLOCKING.html

 

https://clouddocs.f5.com/api/irules/HTTP__header.html

 

 

Don't forget to enable the irule event triggering under the ASM policy as by default it is dissabled for some stupid reason.

0 Kudos

Go to solution
kimhenriksen
Cirrostratus
Cirrostratus

‎25-May-2023 03:47

I did this first:

when ASM_REQUEST_VIOLATION {
set support_id [ASM::support_id]
#log local0. $support_id
HTTP::header insert ASM $support_id
}
when HTTP_RESPONSE {
#log local0. $support_id
HTTP::header insert ASM $support_id
#HTTP::header insert ASM2 testtest
}

 

But.. there´s no header receieved on the client end..

0 Kudos

Go to solution
Nikoolayy1
MVP
MVP
In response to kimhenriksen

‎25-May-2023 04:06

Did you check what I mentioned ?

 

Not when ASM_REQUEST_VIOLATION but ASM_REQUEST_DONE and the irule trigger should be enabled under the ASM policy and set to Normal mode not Compatible.

 

https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-6-0/29.h...

0 Kudos

Go to solution
kimhenriksen
Cirrostratus
Cirrostratus
In response to Nikoolayy1

‎25-May-2023 04:12

I´ll change the event and try again. 

I had already changed the irule setting before so events are triggering ok.

0 Kudos

Go to solution
Nikoolayy1
MVP
MVP
In response to kimhenriksen

‎25-May-2023 04:17

Also keep in mind that ASM_REQUEST_DONE irule event will show you support id even for good requests, so if you want to insert the header only when there is violation then you can use ASM_REQUEST_BLOCKING as a replacement for ASM_REQUEST_DONE as it will trigger only for bad requests.

Go to solution
kimhenriksen
Cirrostratus
Cirrostratus
In response to Nikoolayy1

‎25-May-2023 04:19

When using ASM_REQUEST_DONE, the HTTP event did not fire at all.. I´ll try REQ_Block.. and see what happens.

0 Kudos

Go to solution
kimhenriksen
Cirrostratus
Cirrostratus
In response to Nikoolayy1

‎25-May-2023 04:21

This here´s the winner:

when ASM_REQUEST_BLOCKING {
set support_id [ASM::support_id]
#log local0. $support_id
HTTP::header insert ASM $support_id
}
when HTTP_RESPONSE {
log local0. $support_id
HTTP::header insert ASM $support_id
#HTTP::header insert ASM2 testtest
}

 

Thanks you!

Go to solution
kimhenriksen
Cirrostratus
Cirrostratus
In response to Nikoolayy1

‎25-May-2023 04:33

I´ll just have to add a IF statement to check if the variable is empty or not.. seems to cause the VIP not to work if applied as i wrote it.

0 Kudos

Go to solution
kimhenriksen
Cirrostratus
Cirrostratus
In response to Nikoolayy1

‎25-May-2023 22:19

Just an update from me. I found a much much simpler way to accomplish this.

In the settings for the policy and under response and blocking pages, i edit and created a new header and just used the support id variable from the page on the header and that worked like a charm. No irules to apply or anything. 😄

0 Kudos

Go to solution
c27705074
Altostratus
Altostratus
In response to kimhenriksen

‎13-Nov-2023 09:16

Hi @kimhenriksen 

I'm new to ASM and currently having the same issue, I'd like to edit the blocking response page to give the client a negative response instead of the 200K status without using iRule..  Please can you share HTML you used? Thank you in advance. 

0 Kudos

Go to solution
kimhenriksen
Cirrostratus
Cirrostratus
In response to c27705074

‎13-Nov-2023 10:03

You can accomplish that in the ASM policy settings. Let me check and get back to you. We setup up a like 599 Blocked (not http standard i know, but i works). And also added the supportid as a response header.

0 Kudos

Go to solution
kimhenriksen
Cirrostratus
Cirrostratus
In response to c27705074

‎13-Nov-2023 10:11

Choose policies list under security, there you have the list with all your asm policies. Choose the one to edit.

11

Scroll down to response and blocking pages. And on the right you have the block page settings. I havent edited the page itself, only the code and added the SupID: supportid-header.

22


SupID: <%TS.request.ID()%>

0 Kudos

Go to solution
c27705074
Altostratus
Altostratus
In response to kimhenriksen

‎13-Nov-2023 12:48

Thank you @kimhenriksen thats was so helpful. you're a lifesaver. I have edited the response page and waiting for the BUs to commence testing. Thank you so much. 

Go to solution
kimhenriksen
Cirrostratus
Cirrostratus
In response to c27705074

‎13-Nov-2023 13:09

Happy to help out! I see you have a batman profile pic and as a comicbooknerd i just have to help 😉

0 Kudos

Go to solution
c27705074
Altostratus
Altostratus
In response to kimhenriksen

‎13-Nov-2023 13:55

Haha, appreciate it. 🤣

Do we remove the HTML in the Response Body? 

0 Kudos

Go to solution
kimhenriksen
Cirrostratus
Cirrostratus
In response to c27705074

‎13-Nov-2023 22:30

I didn´t. The systems that cant read the html just dont, but when people test manually they still got the page so it´s easily readable by both.

Go to solution
c27705074
Altostratus
Altostratus
In response to kimhenriksen

‎14-Nov-2023 10:25

Thank you.

Copyright © 2023 Khoros, LLC