03-Feb-2021 13:08
Hi Guys,
We have BIG-IP ASM in our environment, which is loaded with 111 security policies. Out of all of them, the configuration of 101 policies changed suddenly, and each policy now has learning and blocking settings of Blocking > Automatic > Real-time > Medium > 7 days.
Our policy template got removed and was set to the Fundamental template for all security policies.
Due to the sudden system change, multiple applications were impacted. Workaround: policies were disabled for all impacted websites temporarily until the root cause and a permanent fix are found.
In the audit log, I found one common element type, "UCS configuration load", for the impacted policies (attached).
Kindly assist with whether I can restore the ASM configuration back to make all sites work with our custom template.
04-Feb-2021 08:41
Hey Guys,
Could you please help me with this? Let me know if specific logs are needed.
Regards,
Rahul
19-Feb-2021 22:37
Hello Rahul,
Do you have CMI/HA configured for these BIG-IPs?
Based on the provided audit log I can make an assumption that the configuration of the BIG-IP was recently restored from some UCS, but the reason for that is not clear to me.
It cannot be related to any Learning actions. A policy template can be removed only manually or via loading a UCS without it (which most probably happened in your case).
Thanks, Ivan
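Ivan's point above is that the "UCS configuration load" audit entry is the event to correlate against. As an added example (not code from the original thread, from F5, or from either poster), here is a small Python scanner over constructed audit records: it finds each UCS load event and lists the security policies whose audit entries fall within a short window after it, while ignoring unrelated edits outside that window. The CSV field layout, the policy names and the UCS file name are assumptions, not BIG-IP's real export format.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample audit records. The column layout is an assumption made
# for this example, not the real BIG-IP audit export format.
SAMPLE_AUDIT_CSV = """time,user,element_type,element_name,action
2021-01-15 02:10:00,admin,Security policy,/Common/app1_policy,Update
2021-02-03 11:02:14,admin,UCS configuration load,/var/local/ucs/backup_20210115.ucs,Load
2021-02-03 11:02:15,system,Security policy,/Common/app1_policy,Template set to Fundamental
2021-02-03 11:02:15,system,Security policy,/Common/app2_policy,Template set to Fundamental
2021-02-03 11:40:00,rahul,Security policy,/Common/app3_policy,Update
"""

UCS_LOAD = "UCS configuration load"
POLICY = "Security policy"
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_audit(text):
    """Parse the CSV export into dicts, converting 'time' to a datetime."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.strptime(row["time"], TIME_FMT)
        records.append(row)
    return records


def find_ucs_loads(records):
    """Return every audit entry that records a UCS load, oldest first."""
    loads = [r for r in records if r["element_type"] == UCS_LOAD]
    return sorted(loads, key=lambda r: r["time"])


def policies_touched_after(records, load, window=timedelta(minutes=5)):
    """Security policies with an audit entry inside `window` after a UCS load.

    Entries before the load or outside the window are ignored, so a later
    manual edit (app3_policy in the sample) is not blamed on the restore.
    """
    start, end = load["time"], load["time"] + window
    names = {
        r["element_name"]
        for r in records
        if r["element_type"] == POLICY and start <= r["time"] <= end
    }
    return sorted(names)


def summarize(text):
    """Map each loaded UCS file to the policies changed right after the load."""
    records = parse_audit(text)
    return {
        load["element_name"]: policies_touched_after(records, load)
        for load in find_ucs_loads(records)
    }


if __name__ == "__main__":
    for ucs, policies in summarize(SAMPLE_AUDIT_CSV).items():
        print(f"{ucs}: {len(policies)} policies changed after load")
        for name in policies:
            print("  ", name)
```

The five-minute window is a deliberate choice: a UCS load rewrites all affected policies within seconds, so anything much later is more likely a human edit than fallout from the restore. The UCS file name the scanner reports is also the first thing to check, since its date tells you how old the configuration you were rolled back to is.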
02-Mar-2021 04:04
Hello Ivan,
Yes, these devices have HA configured as Active and Standby. I have also raised a case with F5 support and shared the QKview report of both active and standby devices, but they couldn't see logs from before 15th Jan 2021.
And as per the current log history they cannot confirm the root cause of this issue. Hence, the cause is still unknown.
You are correct. The UCS backup is dated 15th Jan 2021 and there is no earlier backup file on the device.
Regards,
Rahul
27-Feb-2021 02:20
Too late now, but next time contact support; this is the kind of thing you want to have someone look at as quickly as possible and not wait on replies from a forum.
02-Mar-2021 04:15
Hello Boneyard,
Thanks for the suggestion. I already have a case open with F5 support but have received no root cause update from them, as they don't see the logs as to why this happened and removed the user-defined template from the device and assigned the "Fundamental" template to all affected policies.
To verify, I uploaded the same template again, created a test policy by selecting the same custom template for the test policy, and then deleted it manually. The result was "None".
It means it did not happen due to the policy template being deleted. This was something else, but I am not sure what.
Please guide me if there are any other possibilities.
Regards,
Rahul
02-Mar-2021 10:17
If there are no logs then it isn't possible to determine a cause with any certainty; it will remain a guess.
03-Mar-2021 06:05
Hi Boneyard,
That's correct, but I need to re-enable the WAF security policies on the respective virtual servers, and since the issue is unknown I can't proceed with the WAF association.
Are there any other possibilities for this type of cause?
Regards,
Rahul
03-Mar-2021 08:34
I don't understand what exactly you are now asking.
If F5 support, with access to your system, can't tell you, the chance is very small that someone here can.
So what are you looking for now?
03-Mar-2021 11:03
Ok, thanks Boneyard for all your responses. I think I should move forward and re-create the ASM policies for the affected applications.
Regards,
Rahul
04-Mar-2021 09:22
Yes, that would very much be my advice. It doesn't feel right, you want to know why, but at some point that becomes more unlikely and the best thing is to just move forward.