
Sudden change in ASM policy

THE_BLUE
Cirrus

I observed a change within BIG-IP settings. Sudden block on a violation called illegal host name / request length, and this violation is not marked as block in the policy settings, but I can see it blocked in the event logs. How do I check the system logs to track what happened before this change? Could it be because of a signature update?

3 REPLIES

Which violation is matched in your request? Illegal host name, illegal request length, or both?

If both are matched or any additional one in the request, and at least one of them is set to block, then this may be the cause.

You can verify this from the event logs by looking for the triggered violations of your request. Under the 'Occurrences' column, click on the number of occurrences; this will open a popup containing the applied actions for that occurrence.


Dear Amine,

Both are blocked, but the strange thing is that this violation is not blocked in the learning and blocking settings. Also, the policy in transparent mode is blocked with this violation.

The blocking you described must absolutely not occur in transparent mode. I suspect the policy does not get applied correctly for some reason; you can first check in /var/log/asm whether you have errors after applying the policy. If everything seems OK after basic troubleshooting, it is better to open a case with F5.