I am setting up Brute Force protection in ASM and have noted that I can get this drop traffic and alert, but when attempting to show the CAPTCHA, I only get the blocking page we have configured. The help notes that this occurs when the URL is not yet qualified for challenge injection, but the help also provides no details how to correct this.
Can anyone assist? Assuming ASM policy: PolicyX and url: /LoginHere.aspx
What version of BIG-IP do you use and what type of login page do you configure in policy for BF?
In general, URL must become qualified for challenge injection after about 10 valid request to it.
Also, make sure that brute force prevention with CPATCHA doesn't overlapping some other criteria - if you configure several BF preventions, then it is possible that block happens by some other criteria, which becomes valid before CAPTCHA
Hi , I am using BIG-IP v13. The only control I have in place on the Brute Force Protection page is IP - 5 fails in 15 mins. When I breach this rule, I get the ASM block page despite having the control set to "Alarm and CAPTCHA". I have logged in through this control legitimately a number of times as have QA. I have retested the control and still get the block page. If I set to "Alarm" instead of "Alarm and CAPTCHA" I simply generate the log with no log - that looks correct. From what I can tell I need this page to qualify for challenge injection somehow. For the moment, I will try to login a few more times legitimately and see if that looks any better. Thanks for the response.
Does your /LoginHere.aspx contain HTML tag in response?
It must include HTML tag to be qualified. If this is so, then you need to send 10 requests to /LoginHere.aspx (no need to login), after that URL should be qualified for challenge injections.
Before brute force mitigation will be applied, ASM must see at least 10 responses in 5 minutes from the back-end application with a Content-Type header of text/html and a response code of 200. If you run this TMSH command you should see the list of all Qualified URLS: <tmsh list sys db dosl7.cs_qualified_urls>