ASM security policy configuration auto changed

Rahul_More (Cirrus)

Hi Guys,

We have BIG-IP ASM in our environment, which is loaded with 111 security policies. Out of all of them, the configuration of 101 policies got changed suddenly, and each policy now has learning and blocking settings of Blocking > Automatic > Real-time > Medium > 7 days.

Our policy template got removed, and the Fundamental template was set on all security policies.

Due to the sudden system change, multiple applications were impacted. Workaround: policies were disabled for all impacted websites temporarily until we get the root cause and a permanent fix.

In the audit log, I found one common element type, "UCS configuration load", for the impacted policies (attached).

Kindly assist with whether I can restore the ASM configuration back to make all sites work with our custom template.


10 REPLIES

Rahul_More (Cirrus)

Hey Guys,

Could you please help me with this? Let me know if specific logs are needed.

Regards,

Rahul

Ivan_Chernenkii (F5 Employee)

Hello Rahul,

Do you have CMI/HA configured for these BIG-IPs?

Based on the provided audit log I can make an assumption that the configuration of the BIG-IP was recently restored from some UCS, but the reason for that is not clear to me.

It cannot be related to any Learning actions. A policy template can be removed only manually or via loading a UCS without it (which most probably happened in your case).

Thanks, Ivan
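The reasoning above, that a mass template reset points at a UCS load rather than at Learning, is the kind of correlation a defender would want to run over the audit log before deciding what to restore. The following is an added example, not code from the thread or from F5: it parses a small set of constructed, pipe-separated audit records (the field layout and the "Policy update" element name are assumptions; only "UCS configuration load" comes from the thread), finds every UCS load event, and lists the policies whose template changed within a short window after it, flagging the result as a mass change when a large fraction of the policy set is affected.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample records (not real BIG-IP audit output). Assumed layout:
# timestamp|element type|policy name|old template|new template
# "-" marks fields that do not apply to a system-wide event.
SAMPLE_AUDIT = """\
# constructed for illustration
2021-01-14T11:00:00Z|Policy update|app9_policy|custom_corp_template|custom_corp_template
2021-01-15T02:10:03Z|UCS configuration load|-|-|-
2021-01-15T02:10:05Z|Policy update|app1_policy|custom_corp_template|Fundamental
2021-01-15T02:10:05Z|Policy update|app2_policy|custom_corp_template|Fundamental
2021-01-15T02:10:06Z|Policy update|app3_policy|custom_corp_template|custom_corp_template
"""


@dataclass
class AuditRecord:
    ts: datetime
    element: str        # audit element type, e.g. "UCS configuration load"
    policy: str         # policy name, or "-" for system-wide events
    old_template: str
    new_template: str


def parse_audit(text: str) -> List[AuditRecord]:
    """Parse the constructed pipe-separated format into records sorted by time."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, element, policy, old_t, new_t = line.split("|")
        records.append(AuditRecord(
            datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), element, policy, old_t, new_t))
    return sorted(records, key=lambda r: r.ts)


def template_changes_after_ucs_load(records: List[AuditRecord],
                                    window: timedelta = timedelta(minutes=5)) -> Dict[str, List[str]]:
    """Map each UCS load timestamp to the policies whose template changed within `window` after it."""
    result: Dict[str, List[str]] = {}
    for load in (r for r in records if r.element == "UCS configuration load"):
        changed = [r.policy for r in records
                   if r.element == "Policy update"
                   and load.ts <= r.ts <= load.ts + window
                   and r.old_template != r.new_template]
        result[load.ts.isoformat()] = changed
    return result


def is_mass_change(changed_policies: List[str], total_policies: int, fraction: float = 0.5) -> bool:
    """True when at least `fraction` of the policy set changed template after one event."""
    return total_policies > 0 and len(changed_policies) >= fraction * total_policies


def main() -> None:
    records = parse_audit(SAMPLE_AUDIT)
    total = len({r.policy for r in records if r.policy != "-"})
    for ts, policies in template_changes_after_ucs_load(records).items():
        tag = "MASS CHANGE" if is_mass_change(policies, total) else "isolated"
        print(f"UCS load at {ts}: {len(policies)}/{total} policies re-templated [{tag}]: {policies}")


if __name__ == "__main__":
    main()
```

The earlier app9_policy record is outside the window and its template did not change, so it is ignored; the two policies reset to Fundamental right after the load are reported, and with three policies in the sample set that counts as a mass change. Replace the constructed parser with one for the real audit log format and the same correlation applies.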

Hello Ivan,

Yes, these devices have HA configured as Active and Standby. I have also raised a case with F5 support and shared QKView reports of both the active and standby devices, but they couldn't see logs from before 15th Jan 2021.

And as per the current log history they cannot confirm the root cause of this issue. Hence, the cause is still unknown.

You are correct. The UCS backup is dated 15th Jan 2021 and there is no earlier backup file on the device.

Regards,

Rahul

boneyard (MVP)

Too late now, but next time contact support; this is the kind of thing you want to have someone look at as quickly as possible and not wait on replies from a forum.

Rahul_More (Cirrus)

Hello Boneyard,

Thanks for the suggestion. I already have a case open with F5 support, but I have received no root cause update from them, as they don't see the logs of why this happened and removed the user-defined template from the device and assigned the "Fundamental" template to all affected policies.

To verify, I uploaded the same template again, created a test policy by selecting the same custom template for it, and then deleted it manually. The result was "None".

It means it did not happen due to the policy template being deleted. It was something else, but I am not sure what.

Please guide me in case there are any other possibilities.

Regards,

Rahul

If there are no logs then it isn't possible to determine a cause with any certainty; it will remain a guess.

Hi Boneyard,

That's correct, but I need to re-enable the WAF security policies on the respective virtual servers, and since the issue is unknown I can't proceed with the WAF association.

Are there any other possibilities for this type of cause?

Regards,

Rahul

I don't understand what exactly you are now asking.

If F5 support, with access to your system, can't tell you, the chance is very small that someone here can.

So what are you looking for now?

Ok, thanks Boneyard for all your responses. I think I should move forward and re-create the ASM policies for the affected applications.

Regards,

Rahul

Yes, that would very much be my advice. It doesn't feel right, you want to know why, but at some point that becomes more unlikely and the best thing is to just move forward.