cornemrc
Jun 24, 2021
Solved

Disable ASM illegal HTTP status response logging

Hello,

my ASM policy setting looks like this:

Why do I still get Application Request Logs where the only violation is

I am fine with the blocking of unallowed HTTP status codes but I was expecting that the unchecked alarm box would prevent these logs. Do I have to define a special log profile for this? It is set to "log illegal requests".

Thank you


2 Replies

  • From the help section of Block:

    Specifies, when checked (enabled), that if this violation occurs, the system performs the following actions:

    • Records the request in the local log (the Requests screen) and/or in a remote log, depending on the settings of the logging profile. (...)

    further down...

    If the Alarm and/or Block check boxes are enabled, the system records, on the Requests screen, requests that trigger violations as Illegal Requests.

    KR

    Daniel

  • The purpose of Alarm is to let you know if you have traffic that may be illegal--but you haven't decided yet, as might be the case when the policy is in Transparent mode. For example, you might be checking that F5 Adv. WAF doesn't classify something as illegal that should be legal for your application before you place the policy in blocking mode. Alarm produces a log entry to alert you about the potential of a false positive violation.

    Block controls whether the violation will cause the request to be blocked. Blocked events are always logged because they are illegal by definition.

    If you really don't want to see that response code violation, you can create a custom logging profile, enable Response Logging, and then exclude specific response codes from being logged.