Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

ASM custom response page add additional information

Go to solution
Rafi1
Cirrus
Cirrus

‎17-Feb-2022 06:10

Hi,

I saw simikar question but unfortunately the answer was not clear enough,

I'am using custom resoponse page for ASM deny query, inside the custom response I send the client th support ID 

using <%TS.request.ID()%>, can I add to the custom reponse page the blocke url and client source IP ?

I'am usuing ASM version 15.1.5

Regards

Rafi

Labels:
0 Kudos
2 ACCEPTED SOLUTIONS

Go to solution
Sebastiansierra
MVP
MVP

‎17-Feb-2022 09:02

Hi,

You need to follow the next steps:

  1. Make sure that "Trigger ASM iRule Events" option is enabled in the policy properties.
    1. Navigate to Security  ››  Application Security : Policy : Policy Properties.
    2. Change to the correct "Current edited security policy"

Create an iRule with content similar to the following (add/delete fields as needed): 

when HTTP_REQUEST {
# Other HTTP values can be added here 
set requri "http://[HTTP::host][HTTP::uri]"

}

 when ASM_REQUEST_DONE {
         set asm_support_id [ASM::support_id]
      }

      when ASM_REQUEST_BLOCKING {
   
        HTTP::header remove Content-Length
        HTTP::header insert header_1 value_1
        set client_ip [IP::client_addr]

        set response "<html>
                        <head>
                           <title>Request Rejected</title>
                        </head>
                        <body>
                            The requested URL was rejected. Please consult with your administrator.<br><br>
                            Your support ID is: $asm_support_id<br><br><a href='javascript&colon;history.back();'>Go Back</a><br><br>
                            Your URL is: $requri<br><br>
                            Your client IP is: $client_ip

                        </body>
                    </html>"
        ASM::payload replace 0 [ASM::payload length] ""
        ASM::payload replace 0 0 $response

      }

 

You can reference to this link: https://support.f5.com/csp/article/K22017023

View solution in original post

Go to solution
Rafi1
Cirrus
Cirrus
In response to Rafi1

‎22-Feb-2022 00:20

Hi Sebastiansierra,

Thank you very much,

Attached my irule for other to use 

when HTTP_REQUEST {
# Other HTTP values can be added here
set requri "https://[HTTP::host][HTTP::uri]"

}

when ASM_REQUEST_DONE {
set asm_support_id [ASM::support_id]
}

when ASM_REQUEST_BLOCKING {


HTTP::header remove Content-Length
HTTP::header insert header_1 value_1
set client_ip [IP::client_addr]

set response "<html>
<head>
<title>Request Rejected</title>
</head>
<body>
<p>
<img src='https://xxx.domain.zz/files/2018/01/F5_Logo_700x80.gif' border='1' alt='Organization' width='700' height='80'> ### Web page with company logo ###
<p>

The page was blocked for what seems to be a technical issue.<br><br>
Please click the following link to notify ## link to notify IT Team by mail, the mail will include support is, src ip, suspicious link##
<a href='mailto:mail@domain?subject=support ID is: $asm_support_id&body=The%20page%20was%20blocked%20for%20what%20seems%20to%20be%20a%20technical%20issue%0A%0ASuspicious URL: $requri%0ASource IP: $client_ip%0ASupport ID: $asm_support_id'();>IT Team</a><br><br><br>

<b>Your support ID :</b> $asm_support_id<br><br>
<b>Suspicious URL:</b> $requri<br><br>
<b>Source IP :</b> $client_ip<br><br><br>
Thank you<br> IT Team

</body>
</html>"
ASM::payload replace 0 [ASM::payload length] ""
ASM::payload replace 0 0 $response


}

View solution in original post

0 Kudos
5 REPLIES 5

Go to solution
Sebastiansierra
MVP
MVP

‎17-Feb-2022 09:02

Hi,

You need to follow the next steps:

  1. Make sure that "Trigger ASM iRule Events" option is enabled in the policy properties.
    1. Navigate to Security  ››  Application Security : Policy : Policy Properties.
    2. Change to the correct "Current edited security policy"

Create an iRule with content similar to the following (add/delete fields as needed): 

when HTTP_REQUEST {
# Other HTTP values can be added here 
set requri "http://[HTTP::host][HTTP::uri]"

}

 when ASM_REQUEST_DONE {
         set asm_support_id [ASM::support_id]
      }

      when ASM_REQUEST_BLOCKING {
   
        HTTP::header remove Content-Length
        HTTP::header insert header_1 value_1
        set client_ip [IP::client_addr]

        set response "<html>
                        <head>
                           <title>Request Rejected</title>
                        </head>
                        <body>
                            The requested URL was rejected. Please consult with your administrator.<br><br>
                            Your support ID is: $asm_support_id<br><br><a href='javascript&colon;history.back();'>Go Back</a><br><br>
                            Your URL is: $requri<br><br>
                            Your client IP is: $client_ip

                        </body>
                    </html>"
        ASM::payload replace 0 [ASM::payload length] ""
        ASM::payload replace 0 0 $response

      }

 

You can reference to this link: https://support.f5.com/csp/article/K22017023

Go to solution
Rafi1
Cirrus
Cirrus
In response to Sebastiansierra

‎20-Feb-2022 08:12

Hi,

Thank you for your response,

I tried to configured it from GUI security->application security-> security policies-> policy list-><policy name>->response page

So irule is the only way ?

Regards

Rafi

 

0 Kudos

Go to solution
Sebastiansierra
MVP
MVP

‎21-Feb-2022 00:27

Hi,

I think that yes, the only way is using an irule because you need to store the headers that you want to print when the event is triggered using.The custom response page only enables printing an HTML.

0 Kudos

Go to solution
Rafi1
Cirrus
Cirrus
In response to Sebastiansierra

‎21-Feb-2022 01:17

Hi,

I am using version 15.1.5, and configured the security policy with trigger ASM irule events mode 

My final goal is to acheive response page with:

1. my logo (taken from web page)

2. support ID

3.The abiltiy to send mail with all details above

This the the current custom block page Iam using, and i want to add the problematic url & path

 

<!DOCTYPE html>
<html>


<html><head><title>Request Rejected</title></head><body>
<p>
<img src="https://site.domain.com/files/2018/01/F5_Logo_700x80.gif" border="1" alt="xxxx" width="700" height="80">
</p>
<br>
The page was blocked for what seems to be a technical issue.<br><br><b>Please click the following link to notify <a href="mailto:mail.domain?subject=support ID is: <%TS.request.ID()%>">
Web Support</a> and make sure to include the affected URL <br><br> Your support ID is: <%TS.request.ID()%></body></html><br><br><br><br> Thank you<br> Web Support


</body>
</html>

Can you help to do the adjusment?

Regards

Rafi

0 Kudos

Go to solution
Rafi1
Cirrus
Cirrus
In response to Rafi1

‎22-Feb-2022 00:20

Hi Sebastiansierra,

Thank you very much,

Attached my irule for other to use 

when HTTP_REQUEST {
# Other HTTP values can be added here
set requri "https://[HTTP::host][HTTP::uri]"

}

when ASM_REQUEST_DONE {
set asm_support_id [ASM::support_id]
}

when ASM_REQUEST_BLOCKING {


HTTP::header remove Content-Length
HTTP::header insert header_1 value_1
set client_ip [IP::client_addr]

set response "<html>
<head>
<title>Request Rejected</title>
</head>
<body>
<p>
<img src='https://xxx.domain.zz/files/2018/01/F5_Logo_700x80.gif' border='1' alt='Organization' width='700' height='80'> ### Web page with company logo ###
<p>

The page was blocked for what seems to be a technical issue.<br><br>
Please click the following link to notify ## link to notify IT Team by mail, the mail will include support is, src ip, suspicious link##
<a href='mailto:mail@domain?subject=support ID is: $asm_support_id&body=The%20page%20was%20blocked%20for%20what%20seems%20to%20be%20a%20technical%20issue%0A%0ASuspicious URL: $requri%0ASource IP: $client_ip%0ASupport ID: $asm_support_id'();>IT Team</a><br><br><br>

<b>Your support ID :</b> $asm_support_id<br><br>
<b>Suspicious URL:</b> $requri<br><br>
<b>Source IP :</b> $client_ip<br><br><br>
Thank you<br> IT Team

</body>
</html>"
ASM::payload replace 0 [ASM::payload length] ""
ASM::payload replace 0 0 $response


}

0 Kudos
Copyright © 2023 Khoros, LLC