ASM_REQUEST_BLOCKING not being triggered in iRule

Anyone here faced the issue that "ASM_REQUEST_BLOCKING" not being triggered in LTM iRule ? The "Trigger ASM iRule Events Mode" is set to normal in ASM policy Running v15.1.0.5 New setup, never tri...

ASM Advanced WAF

iRules

LTM

security

boneyard

Oct 26, 2020

I believe it found the issue, as this is a response violation (it is not something bad send by the client, but the response the webserver sends is what should be blocked) it should be handled in the ASM_RESPONSE_VIOLATION event.

this iRule both logs the violation and allows me to rewrite the block page.

when ASM_RESPONSE_VIOLATION {
 
  log local0. "response violation"
 
  set x [ASM::violation_data]
 
  for {set i 0} { $i < 7 } {incr i} {
      switch $i {
      0         { log local0. "violation=[lindex $x $i]" }
      1         { log local0. "support_id=[lindex $x $i]" }
      2         { log local0. "web_application=[lindex $x $i]" }
      3         { log local0. "severity=[lindex $x $i]" }
      4         { log local0. "source_ip=[lindex $x $i]" }
      5         { log local0. "attack_type=[lindex $x $i]" }
      6         { log local0. "request_status=[lindex $x $i]" }
 
   }}
   
  ASM::payload replace 0 [ASM::payload length] ""
  ASM::payload replace 0 0 "12345607890"
  HTTP::header replace Content-Length [ASM::payload length]
  
}

logs

Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: response violation
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: violation=VIOLATION_REDIRECT
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: support_id=5611810483771277404
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: web_application=/Common/asm-1
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: severity=Error
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: attack_type=ATTACK_TYPE_OTHER_APPLICATION_ACTIVITY
Oct 26 19:32:00 bigip-01 info tmm[20840]: Rule /Common/irule-asm_blockpage <ASM_RESPONSE_VIOLATION>: request_status=blocked

once you can confirm ill try to get the cloud docs updated. these things can be made a lot easier when a couple of extra lines explaining the different types of events.

Forum Discussion

ASM_REQUEST_BLOCKING not being triggered in iRule

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Syslog server not visible in GUI

Same LTM Monitor applied to different Pools with Common Nodes

irule execution error

F5 AWAF/ASM learning only from Trusted traffic?

OWA File Upload URIs for WAF Bypass

Related Content

Trigger js challenge/Captcha for ip reputation/ip intelligence categories

Leveraging Ansible Rulebooks for Streamlined Event Triggers: Advantages and Benefits

iCall Triggers - Invalidating Cache from iRules

SLA Uptime, Resiliency, and why 100% Uptime can be Misleading

Irule Trigger two times

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS