Putting new and updated signature in staging
Hi, I have some questions about the mechanism in ASM (version 12.x) in updating attack signatures to: put newly added attack signature in staging, AND put updated/modified existing signatures in staging. I know that to achieve this, I need to check the "Place updated signatures in staging" in Security >> Application Security >> Policy Building >> Learning and Blocking Settings. But do we need to check "Enable Signature Staging" (the option just on top of it)? As reading some past answers to this similar questions, it was suggested to enable signature staging first before updating. Isn't this option will put all signatures in staging instead of just the new/updated ones? Thanks!
How to Apply Existing Attack Signaturue Set to an ASM Policy using iControl REST API
Hello, I am trying to use the iControl REST API interface in order to automatically and programmatically apply attack signature sets to all of our ASM Policies defined on our 11.6 device. Following the REST User Guide, I saw that it was possible to create new resources for a given policy (there was an example using /mgmt/tm/asm/policies/MD5HASH/urls as the resource endpoint) and so I tried extending the same principle to /mgmt/tm/asm/policies/MD5HASH/signature-sets , as that appears to be the most appropriate endpoint in order to apply defined signatures-sets to policies To illustrate further, issuing a GET request for signature-sets already applied to one of my ASM policies, I get the following as a response: {"selfLink": "https://localhost/mgmt/tm/asm/policies/tWE3e4F2jlpKH22mCw0I0Q/signature-sets", "kind": "tm:asm:policies:signature-sets:signature-setcollectionstate", "totalItems": 1, "items": [ { "learn": false, "kind": "tm:asm:policies:signature-sets:signature-setstate", "alarm": true, "signatureSetReference": {"link": "https://localhost/mgmt/tm/asm/signature-sets/2ODl_CpPYisXJvG_0bmcEA"}, "selfLink": "https://localhost/mgmt/tm/asm/policies/tWE3e4F2jlpKH22mCw0I0Q/signature-sets/GLKMhVlZQFNsMbMRD1EtkQ", "id": "GLKMhVlZQFNsMbMRD1EtkQ", "block": false}]} Based off the key/value pairs on display here, I extrapolated and structured my JSON POST payload as follows to try and add a different existing signature set to the same policy as above -- I deduced that "signatureSet" is the only required JSON key to add here based off the error output that I've been receiving from the REST API and the above signature-set payload: { "signatureSet": "iZvFXdIDR8lEbUdSWttwPQ" } However, I keep getting a 500 error from the REST API stating the following error message error_message:Could not parse/validate the Policy Signature Set. Can\'t use string ("iZvFXdIDR8lEbUdSWttwPQ") as a HASH ref while "strict refs" in use. I don't quite understand what I'm doing wrong here -- is the signature set ID value not the appropriate value to provide here? The REST API Guide hasn't been too helpful as it does not provide signature-set POST sample requests. Appreciate any help and clarification here! Thanks!
F5 ASM - Compact Learning
Hi, I have configured a manual policy with the Compact learning for parameters but it doesn't add parameters to the list. However, wildcard parameter is changed with suggestions. I think it's working like Never (Wildcard Only) learning, why? On the other hand, I've read in K74535942 that the policy must include the following: Most commonly used entities Disallowed file types Top-level URLs, such as /abc/* https://support.f5.com/csp/article/K74535942 How can I include these requirements in the security policy? Thanks, best regards.
Need- F5 webserver for to setup own lab (not LAMP server in the partner portal)
Hi Team / Experts, Anyone please share me the F5 webserver(backend server) which is used to setup F5 official lab for training. I got lamp server from f5 partner portal, but i want to setup same F5 training lab in my home to prepare and practice with F5 official training material. It would be more helpful if anyone guided me or share me those official lab setup with webserver(backend server). Thanks, RK
TCL error: _cgc_pick_clientside
Hi, in an ASM-LTM (Perimeter) Setup I see frquently the following logs: ***err: tmm3[19962]: 01220001:3: TCL error: _cgc_pick_clientside - unknown cgc sni: f5-bei1.xxxx.xx (line 49) invoked from within "CGC::sni $tls_servername"*** Any idea what this TCL error causes? The clientssl is quite Basic: one certificate chain, no Server Name set. Thanks, Rolf
Bypass the character for Evasion technique Detected violation
Hi, I need help to bypass or allow %", character which has triggered the Detection violation(Bad unescape) in JSON POST Data. This is legitimate request and i don't see this request on learning suggestion. I am able to find with the help support ID provided by user under the event logs.ASM Policy in "Blocking" Mode switch to "Transparent" for some IP's
I have a policy that I need to switch to blocking but the business want to have a phased approach. Only the testing team should be in Blocking, while the rest of the business (a different IP range) remains in transparent. I need to keep the same policy so that I can "proof" that everything is running fine. Is there a method to do that ? Was thinking about an iRule but dont know how. I know how to disable ASM with an iRule but, that's something I don't want because I need to keep the learning suggestions. Bye St.
