How can I skip ONLY Geolocation within ASM_REQUEST_VIOLATION if there is more than one Violation?

Question

So far;This WORKS;&nbsp;when ASM_REQUEST_VIOLATION {&nbsp;&nbsp;if { [ASM::status] eq "blocked" } {&nbsp;&nbsp;&nbsp;&nbsp;if { [class match [IP::client_addr] equals WHITELIST] &amp;&amp; [ASM::violation names] equals "VIOLATION_ILLEGAL_GEOLOCATION"}{&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;log local0. "[ASM::violation_data]. [IP::client_addr] found in WHITELIST"&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;log local0. "Violation count: [ASM::violation count] "&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;log local0. "Violation names: [ASM::violation names] "&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;log local0. "Violation attack types: [ASM::violation attack_types] "&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;log local0. "Violation details: [ASM::violation details] "&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;ASM::unblock&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;} else {&nbsp;&nbsp;&nbsp;&nbsp;log local0. "[ASM::violation_data]. blocked for [IP::client_addr]"&nbsp;&nbsp;&nbsp;&nbsp;}&nbsp;&nbsp;}&nbsp;}&nbsp;However, I only want to skip Geolocation violation.  When watching the logs, I see the violation information - however I want to continue ASM checking if the Geolocation is in my Datagroup named "WHITELIST".  I do NOT want a golden ticket skipping over XSS, SQL Injection, etc... because I made a pinhole in my IP to allow access.  When I add an IP to the IP Address Exceptions, it skips all ASM Rules.  Is there an ASM::skip ability that I'm missing?  GEOLOCATION::ALLOW?

andrewbytes · Accepted Answer

UPDATE!!!!when ASM_REQUEST_DONE {&nbsp;&nbsp;if { [ASM::status] eq "blocked" } {&nbsp;&nbsp;&nbsp;&nbsp;if { [class match [IP::client_addr] equals WHITELIST] &amp;&amp; [ASM::violation names] equals "VIOLATION_ILLEGAL_GEOLOCATION" &amp;&amp; [ASM::violation details] equals ""}{&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;log local0. "[ASM::violation_data]. [IP::client_addr] found in WHITELIST"#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;log local0. "Violation count: [ASM::violation count] "#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;log local0. "Violation names: [ASM::violation names] "#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;log local0. "Violation attack types: [ASM::violation attack_types] "&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;log local0. "Violation details: [ASM::violation details] "&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;ASM::unblock&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;} else {&nbsp;&nbsp;&nbsp;&nbsp;log local0. "[ASM::violation_data]. blocked for [IP::client_addr]"&nbsp;&nbsp;&nbsp;&nbsp;}&nbsp;&nbsp;}&nbsp;}&nbsp;if the ONLY Violation is Geolocation, then I continue.  If there's anything else, I want to skip it.  So NORMAL input on a web form is fine from a specific geolocation.  Try and slip XSS, or SQL Injection, and it returns a System ID error.  How can [ASM::violation count] returns 1 all the time, even though I've slipped some other violation into the form.&nbsp;PLEASE NOTE; the ASM_REQUEST_DONE only works if ASM iRule setting is set to NORMAL.  It will not fire in compatibility mode.&nbsp;&nbsp;

Forum Discussion

How can I skip ONLY Geolocation within ASM_REQUEST_VIOLATION if there is more than one Violation?

1 Reply

Recent Discussions

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

import live updates from version x to version y

Tenant image upgrade

Related Content

AWAF - Do not log Geolocation violations from the Event Log

Edge to Pulse: IP Geolocation Database Migration

BIG-IP Geolocation Updates – Part 1

allow one url from blocks geolocation

BIG-IP Geolocation Updates – Part 3