ASM block page for use with API waf policy

kimhenriksen
Cirrostratus

Hey all!

I've set up an ASM WAF policy for a web service that handles API calls. But the standard response on a block is a 200 OK with the block web page, which works great if a person can see it on the screen... when it's an API call the service just gets a <!DO (the first characters of the web page) and a 200 OK.

What I want to do is just return a 403 / 503 (or something like that) and just respond with the support ID in a header back to the source.

I've got most of it figured out, except the header part...

So... does anyone know a good way for me to insert a support ID into a header response back to the client?


Why not save the ASM::support_id to a variable from the "ASM_REQUEST_DONE" event and then in the "HTTP_RESPONSE" event just insert the value in a header?

See:

https://clouddocs.f5.com/api/irules/ASM__support_id.html
https://clouddocs.f5.com/api/irules/ASM_REQUEST_DONE.html
https://clouddocs.f5.com/api/irules/ASM_REQUEST_BLOCKING.html
https://clouddocs.f5.com/api/irules/HTTP__header.html

Don't forget to enable the iRule event triggering under the ASM policy, as by default it is disabled for some stupid reason.

kimhenriksen
Cirrostratus

I did this first:

when ASM_REQUEST_VIOLATION {
    # Save the ASM support ID for this request so it can be echoed back later
    set support_id [ASM::support_id]
    #log local0. $support_id
    HTTP::header insert ASM $support_id
}
when HTTP_RESPONSE {
    # Only touch the variable if the violation event actually set it;
    # referencing an unset Tcl variable aborts the iRule for clean requests
    if { [info exists support_id] } {
        #log local0. $support_id
        HTTP::header insert ASM $support_id
        #HTTP::header insert ASM2 testtest
    }
}

But... there's no header received on the client end...

Did you check what I mentioned?

Not when ASM_REQUEST_VIOLATION but ASM_REQUEST_DONE, and the iRule trigger should be enabled under the ASM policy and set to Normal mode, not Compatible.

 

https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-6-0/29.h...

I'll change the event and try again.

I had already changed the iRule setting before, so events are triggering OK.

Also keep in mind that the ASM_REQUEST_DONE iRule event will show you the support ID even for good requests, so if you want to insert the header only when there is a violation then you can use ASM_REQUEST_BLOCKING as a replacement for ASM_REQUEST_DONE, as it will trigger only for bad requests.

When using ASM_REQUEST_DONE, the HTTP event did not fire at all... I'll try REQ_Block... and see what happens.

This here's the winner:

when ASM_REQUEST_BLOCKING {
    # Fires only for requests ASM is blocking, so the ID is saved for bad requests only
    set support_id [ASM::support_id]
    #log local0. $support_id
    HTTP::header insert ASM $support_id
}
when HTTP_RESPONSE {
    # Guard: for clean requests the blocking event never ran and the variable
    # does not exist, which would otherwise error out the iRule and break the VIP
    if { [info exists support_id] } {
        log local0. $support_id
        HTTP::header insert ASM $support_id
        #HTTP::header insert ASM2 testtest
    }
}

Thank you!

I'll just have to add an IF statement to check if the variable is empty or not... it seems to cause the VIP not to work if applied as I wrote it.

Just an update from me. I found a much much simpler way to accomplish this.

In the settings for the policy, under Response and Blocking Pages, I edited and created a new header and just used the support ID variable from the page in the header, and that worked like a charm. No iRules to apply or anything. 😄

Hi @kimhenriksen

I'm new to ASM and currently having the same issue. I'd like to edit the blocking response page to give the client a negative response instead of the 200 OK status without using an iRule... Please can you share the HTML you used? Thank you in advance.

You can accomplish that in the ASM policy settings. Let me check and get back to you. We set up a 599 Blocked (not an HTTP standard, I know, but it works). And also added the support ID as a response header.

Choose Policies List under Security; there you have the list with all your ASM policies. Choose the one to edit.


Scroll down to Response and Blocking Pages. On the right you have the block page settings. I haven't edited the page itself, only the code, and added the SupID: support-ID header.

SupID: <%TS.request.ID()%>
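The client side of that fix, as an added example that is not from the thread or from F5: a small parser that tells a 599-plus-SupID block apart from a real API reply, and still flags the pre-fix case where a 200 OK carries the (often truncated) HTML block page. The sample responses are constructed, and the "Your support ID is:" wording of the default block page is an assumption.

```python
import re
from typing import Optional

BLOCK_STATUS = 599          # non-standard status the thread set on the blocking page
SUPPORT_ID_HEADER = "supid"  # header added in the thread: SupID: <%TS.request.ID()%>
# Assumed wording of the default ASM block page; adjust if your page text differs.
SUPPORT_ID_RE = re.compile(rb"support id is:?\s*(\d+)", re.IGNORECASE)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status, lowercased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify(raw: bytes) -> dict:
    """Tell a WAF block apart from a real API reply and recover the support ID."""
    status, headers, body = parse_response(raw)
    support_id: Optional[str] = headers.get(SUPPORT_ID_HEADER)
    blocked = status == BLOCK_STATUS or support_id is not None
    low = body.lstrip().lower()
    if not blocked and status == 200 and low.startswith((b"<!do", b"<html")):
        # Pre-fix behaviour from the thread: 200 OK carrying the HTML block page,
        # possibly cut down to "<!DO". A JSON API never returns HTML, so treat it
        # as a block and scrape the ID only if the page text survived.
        blocked = True
        m = SUPPORT_ID_RE.search(body)
        support_id = m.group(1).decode() if m else None
    return {"status": status, "blocked": blocked, "support_id": support_id}


# Constructed sample responses, not captured traffic.
BLOCKED_AFTER_FIX = (b"HTTP/1.1 599 Blocked\r\nSupID: 1234567890123456789\r\n"
                     b"Content-Type: text/html\r\n\r\n<!DOCTYPE html><html>Request Rejected</html>")
BLOCKED_TRUNCATED = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<!DO"
BLOCKED_FULL_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                     b"<!DOCTYPE html><html>Your support ID is: 9876543210987654321</html>")
NORMAL_REPLY = b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{\"ok\": true}"

if __name__ == "__main__":
    for sample in (BLOCKED_AFTER_FIX, BLOCKED_TRUNCATED, BLOCKED_FULL_PAGE, NORMAL_REPLY):
        print(classify(sample))
```

An API consumer that logs the returned support ID can hand it straight to the WAF operator for lookup in the ASM event log, which is the whole point of surfacing it in a header.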

Thank you @kimhenriksen, that was so helpful. You're a lifesaver. I have edited the response page and am waiting for the BUs to commence testing. Thank you so much.

Happy to help out! I see you have a Batman profile pic and as a comic book nerd I just have to help 😉

Haha, appreciate it. 🤣

Do we remove the HTML in the Response Body? 

I didn't. The systems that can't read the HTML just don't, but when people test manually they still get the page, so it's easily readable by both.

Thank you.