ASM Advanced WAF
3173 Topics

What is F5 ASM conviction and can it be used for configuring custom URL honey pot trap?
I see the feature conviction can be triggered in an iRule, but can it be done also in the ASM policy? Also, can the honey pot traps be configured to send a specific URL for the honey pot server, or is this something that the ASM does automatically and sends custom URLs that target things on the ASM, so the ASM can detect attacks, or does the ASM send the URL of an F5 web-based honey pot server? https://clouddocs.f5.com/api/irules/ASM__conviction.html This feature seems like the Citrix ADC bot trap URL, but there the trap URL can be configured. This is my question: does F5 ASM/WAF have options to send selected honey pot trap URLs with JavaScript injection to bot devices or hackers?
Solved | 1.7K Views | 0 likes | 7 Comments

Automate ASM "Ready to Be Enforced" Attack Signatures
Hi All, Problem scenario is this: Multiple F5 ASM deployments which use BigIQ to push out updated attack signatures (works well) and a 14 day Enforcement Readiness Period. This all works well up to this point, where someone manually has to go and click the "Enforce Ready Entities" button. That sounds like a minor thing to do, but in an Enterprise it includes change control/PVT etc. to do... ...but automating this out as a fortnightly thing should reduce risk and I can do other things. So I am comfortable with the API, but looking at the v13/v14 API I don't see a functionality that can do this for me. Has anyone done this last step to fully automate attack signature updates?
Solved | 2.9K Views | 1 like | 15 Comments

Adding http only / secure flags to TS cookies per policy
Since it is a global change to add flags to the TS or ASM cookie, I am guessing that if you need to add it to a specific policy and not globally it would involve an iRule. Below is a rule that seems like it would work but is not working for me, and I am out of ideas. The flow is using two VIPs as we need to limit the number of public IP addresses being used. public_ip_vip_443 redirected to public_ip_vip_8443. 443 has the client-side cert and 8443 has server-side with the ASM policy on the 8443 VIP. This works just fine. Automap as well. So on the 8443 VIP I want to insert the flags for the TS* cookies. Any ideas why the cookies are not being flagged?

    when CLIENT_ACCEPTED {
        set is_ssl [PROFILE::exists serverssl]
    }
    when HTTP_RESPONSE {
        set cookie_list [HTTP::header values "Set-Cookie"]
        HTTP::header remove "Set-Cookie"
        if { $is_ssl } then {
            foreach cookie $cookie_list {
                switch -glob -- [string tolower $cookie] {
                    "TS*" { }
                    "*;*secure*httponly*" -
                    "*;*httponly*secure*" { }
                    "*;*httponly*" {
                        set cookie "[string trimright $cookie "; "]; Secure"
                    }
                    "*;*secure*" {
                        set cookie "[string trimright $cookie "; "]; HttpOnly"
                    }
                    default {
                        set cookie "[string trimright $cookie "; "]; Secure; HttpOnly"
                    }
                }
                HTTP::header insert "Set-Cookie" $cookie
            }
        } else {
            foreach cookie $cookie_list {
                switch -glob -- [string tolower $cookie] {
                    "TS*" { }
                    "*;*httponly*" { }
                    default {
                        set cookie "[string trimright $cookie "; "]; HttpOnly"
                    }
                }
                HTTP::header insert "Set-Cookie" $cookie
            }
        }
    }

Solved | 3K Views | 0 likes | 4 Comments

Bypass the character for Evasion technique Detected violation
Hi, I need help to bypass or allow the %", character which has triggered the Detection violation (Bad unescape) in JSON POST Data. This is a legitimate request and I don't see this request in the learning suggestions. I am able to find it with the help of the support ID provided by the user under the event logs.
1.2K Views | 0 likes | 4 Comments

ASM Policy in "Blocking" Mode switch to "Transparent" for some IP's
I have a policy that I need to switch to blocking, but the business wants to have a phased approach. Only the testing team should be in Blocking, while the rest of the business (a different IP range) remains in transparent. I need to keep the same policy so that I can "prove" that everything is running fine. Is there a method to do that? Was thinking about an iRule but don't know how. I know how to disable ASM with an iRule, but that's something I don't want because I need to keep the learning suggestions. Bye St.
475 Views | 0 likes | 6 Comments

F5 WAF/ASM block users that trigger too many violations by source ip/device id using the correlation logs
Hello to All, I was thinking of using the iRule tables command to record when a user IP/device ID makes too many violations for a time period and to get it blocked for some time, but I see that the F5 ASM has correlation logs that trigger incidents, though there is not a lot of info on whether this can be used in iRules or to block user IP addresses / device IDs. https://support.f5.com/csp/article/K92532922
Solved | 1.9K Views | 1 like | 7 Comments

ASM cookie, modifying "domain" field
Is it possible to modify the "domain" field in the ASM cookie? As it appears, ASM is using a hostname from the HTTP header; unfortunately the host is replaced with an internal hostname (required by an app) in an iRule. So scanners point out that this is a vulnerability.
506 Views | 0 likes | 2 Comments

Cookie Violation - Expired TimeStamp.
Dear Team, I am usually facing an issue with (Cookie Violation - Expired TimeStamp); the TS cookies are always expired and trigger this violation. I am not sure if I am doing the configuration in the proper way, so I need help on how and what is the proper way to configure the protection. I mean, is there a relation between the real server session cookie and the ASM cookie, and how can I avoid the issue which is always alarming the violation? It is a general question, not specific to any case. Regards, Muhannad
1.9K Views | 0 likes | 4 Comments

increasing ASM system variable ecard_max_http_req_uri_len
Has anyone needed to increase the ASM system variable ecard_max_http_req_uri_len in a production environment?

    ecard_max_http_req_uri_len (2048 bytes): Defines a maximum URI length that the system can support in its internal buffers. If this number is higher (more permissive) than the internal URI-length limit defined per file type, the internal file-type limit is the actual limit. Exceeding this internal limit triggers the HTTP protocol compliance failed violation.

If so, how large did you make it?
606 Views | 0 likes | 3 Comments

Bot protection "Browser Verification" results/experience
I am just wondering what everyone's user experience has been with "Browser Verification" when enabling anything other than the defaults via any Bot Protection profile. For instance, if I have Browser Verification set to anything other than "Challenge Free Verification" in our SharePoint environments, "funky" things will happen, such as users getting the bot error/reference ID page when attempting to sign out, or an EXTREME amount of false positives occur and user traffic is impacted. In environments with older Java-based apps, it will cause some browsers to automatically sign out when clicking any link in the web application after login (as if cookie persistence is blocked). I have gone back and forth with F5 in almost all my attempts to enable this feature (as browser fingerprinting is something we really would like to utilize), but we just can't get it working in most cases (even with workarounds such as single page application or enabling a DoS profile in transparent mode). Is something like Device ID+ the solution for all of my problems? https://www.f5.com/products/security/shape-security/f5-device-idplus
1.8K Views | 0 likes | 3 Comments