We have BIG-IP ASM in our environment, which is loaded with 111 security policies. Out of all of them, the configuration of 101 policies changed suddenly, and each policy now has its learning and blocking settings as Blocking > Automatic > Real-time > Medium > 7 days.
Our policy template was removed, and the Fundamental template was set on all security policies.
Due to this sudden system change, multiple applications were impacted. Workaround: policies were disabled for all impacted websites temporarily until we get the root cause and a permanent fix.
In the audit log, I found one common element type, "UCS configuration load", for the impacted policies (attached).
Kindly assist with whether I can restore the ASM configuration back so that all sites work with our custom template.
Do you have CMI/HA configured for these BIG-IPs?
Based on the provided audit log, I can make an assumption that the configuration of the BIG-IP was recently restored from some UCS, but the reason for that is not clear to me.
It cannot be related to any Learning actions. A policy template can be removed only manually or via loading a UCS without it (which most probably happened in your case).
Yes, these devices have HA configured as Active and Standby. I have also raised a case with F5 support and shared the QKview reports of both the active and standby devices, but they couldn't see logs earlier than 15th Jan 2021.
And as per the current log history, they cannot confirm the root cause of this issue. Hence, the cause is still unknown.
You are correct. The UCS backup is dated 15th Jan 2021, and there is no earlier backup file on the device.
Thanks for the suggestion. I already have a case open with F5 support, but I have received no root cause update from them, as they don't see the logs showing why this happened, removed the user-defined template from the device, and assigned the "Fundamental" template to all affected policies.
To verify, I uploaded the same template again, created a test policy by selecting the same custom template for it, and then deleted the template manually. The result was "None".
It means it did not happen due to the policy template being deleted. This was something else, but I am not sure what.
Please advise if there are any other possibilities.
That's correct, but we need to re-enable the WAF security policies on the respective virtual servers, and since the issue is unknown we can't proceed with the WAF association.
Are there any other possibilities for this type of cause?