02-Feb-2023 22:06 - edited 02-Feb-2023 22:22
I observed a change within BIG-IP settings: a sudden block on a violation called illegal host name / request length. This violation is not marked as block in the policy settings, but I can see it blocked in the event logs. How do I check the system logs to track what happened before this change? Could it be because of a signature update?
Which violation is matched in your request? Illegal host name, illegal request length, or both?
If both are matched or any additional one in the request, and at least one of them is set to block, then this may be the cause.
You can verify from the event logs by looking for the triggered violations of your request. Under the 'Occurrences' column, click on the number of occurrences; this will open a popup containing the applied actions for that occurrence.
Both are blocked, but the strange thing is that this violation is not blocked in the learning and blocking settings. Also, a policy in transparent mode is blocked with this violation.
The blocking you described must absolutely not occur in transparent mode. I suspect the policy does not get applied correctly for some reason. You can first check in /var/log/asm whether you have errors after applying the policy. If everything seems OK after basic troubleshooting, it is better to open a case with F5.