app sec

ASM send mail alert on request violation with iRule
Hi all, I have F5-ASM (11.3.0). When ASM has a violation or blocks a request, I want F5 to notify me via email. I have configured F5-ASM to send an email when a request is blocked, but I want the body of the email to show more detailed information about the request that was blocked or the violation, like: violation_type, request status, client source IP... all in one email. Currently, when I receive an email I only get one piece of information, the Support_id of the violation. I am using an iRule to capture the Support_id from the ASM log; here is the iRule I found on DevCentral:

    when ASM_REQUEST_VIOLATION {
        # element 1 of ASM::violation_data is the support id of this violation
        log local3. "Support_id: [lindex [ASM::violation_data] 1]"
    }

and this modification in /config/user_alert.conf to send the email:

    alert ASM_MAIL "Support_id" {
        email toaddress="abc@company.com"
        fromaddress="monitor"
        body="The ASM Blocking"
    }

==> This way works fine, but with only one piece of information, the "Support_id".

=======================

I have tried to insert other information in the iRule:

    when ASM_REQUEST_VIOLATION {
        # each log call below writes its own syslog line
        log local3. "Support_id: [lindex [ASM::violation_data] 0]"
        log local3. "Support_id: [lindex [ASM::violation_data] 1]"
        log local3. "Support_id: [lindex [ASM::violation_data] 2]"
        # .......
    }

This way I receive 2 or 3 emails every time a request is blocked or a violation occurs, but this information does not stay in the same email. So I hope everyone can help with this issue. Thanks
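One way to get every field into a single mail, as an added example that is not code from the original post or from F5: alertd sends one e-mail per log line that matches the regex in /config/user_alert.conf, so three separate log calls necessarily produce three mails. Logging all fields in one statement gives one match and one mail. The field positions in ASM::violation_data used here (0 violation, 1 support id, 2 web application, 3 severity, 4 source IP, 5 attack type, 6 request status) are as documented for ASM 11.x and should be checked against the running version; HTTP::host and HTTP::uri are assumed to be available in this request-side event; the ASM_MAIL prefix and the field names are this example's own choices.

```tcl
# Added example, not code from the original post or from F5.
# Assumes BIG-IP ASM 11.x, where ASM_REQUEST_VIOLATION fires once per violating
# request and [ASM::violation_data] returns a 7-element list in this order:
#   0 violation name(s)  1 support id   2 web application  3 severity
#   4 source IP          5 attack type  6 request status
# (verify this against the ASM::violation_data documentation for your version).
# Every "log" call is its own syslog line, and alertd sends one mail per
# matching line, so the fix is to log everything in ONE line.
when ASM_REQUEST_VIOLATION {
    set vdata [ASM::violation_data]

    # Field names and the ASM_MAIL prefix are this example's choice.
    set names {violation support_id web_app severity src_ip attack_type status}
    set fields [list]
    set idx 0
    foreach name $names {
        set value [lindex $vdata $idx]
        incr idx
        # Empty fields become "-" so the line keeps a fixed shape; violation
        # names can contain spaces, so every value is quoted.
        if { $value eq "" } { set value "-" }
        lappend fields "${name}=\"${value}\""
    }

    # Request context is assumed available in this event; host and URI are the
    # extra details the mail should carry.
    lappend fields "host=\"[HTTP::host]\"" "uri=\"[HTTP::uri]\""

    # One line at local3 -> one regex match in /config/user_alert.conf -> one mail.
    log local3. "ASM_MAIL [join $fields { }]"
}
```

With this rule in place, change the regex in the existing user_alert.conf entry from "Support_id" to a token that appears exactly once in the new line, for example alert ASM_MAIL "ASM_MAIL support_id=" { ... }, keeping the same email, fromaddress and body lines. The matched log line is what carries the details into the mail body, so one line means one mail with every field.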
APM and second-factor authentication

Environment: v11.1 HF1 LTM and APM

Hi all, I am running into a strange error from APM that I can't find any documentation on:

    The resource you are looking for is temporarily unavailable. The cause may be an incomplete access policy evaluation. Please continue to finish your access policy in the previous browser window, and close this current window immediately.

What I am attempting to do is introduce a second-factor authentication system into my APM flow. The second-factor system runs on different servers in a separate pool on my LTM. This is my current policy flow:

    start -> logon page -> AD auth -> iRule Event -> message box -> sso credential mapping -> allow (all fallback branches fall to deny)

So in that iRule event, I'm trying to trigger the intercept to my second-factor handling after the first factor succeeds. The second-factor system will post back to my protected VS with a fake URI (/fromSF) to indicate it has completed successfully. This is the iRule I've created so far:

    when HTTP_REQUEST priority 700 {
        log local0. "--- URI is [HTTP::uri]"
        # Check whether the browser already carries an APM session cookie
        set apm_cookie [HTTP::cookie value MRHSession]
        if { $apm_cookie != "" && [ACCESS::session exists $apm_cookie] } {
            log local0. "*** We have a valid APM session cookie"
        } else {
            log local0. "*** We DO NOT have a valid APM session cookie yet!"
        }
        if { [HTTP::uri] eq "/goToSF" } {
            # Hand this request to the second-factor pool with APM bypassed
            log local0. "*** goToSF URI received; trying to get the SF form to display; so changing uri and disabling APM for this event"
            ACCESS::disable
            HTTP::uri /abc/Default2.htm
            pool pool_SF
        } else {
            # Everything else goes through APM to the protected application
            ACCESS::enable
            log local0. "*** setting pool to protected app"
            pool pool_APP
            if { [HTTP::uri] eq "/fromSF" } {
                log local0. "*** Completed the second factor successfully, we now redirect them to start page of protected app"
                HTTP::respond 301 Location /def
            }
        }
    }

    when HTTP_RESPONSE {
        log local0. "*** in http response"
    }

    when ACCESS_POLICY_AGENT_EVENT {
        # Raised by the iRule Event agent in the access policy
        if { [ACCESS::policy agent_id] eq "intercept_for_sf" } {
            log local0. "*** tricking us back into http_request"
            ACCESS::session data set session.custom.sf_result 0
            HTTP::respond 301 Location /goToSF
        }
    }

This is what I see in my log file:

    Apr 13 11:37:08 tmm3 info tmm3[24171]: Rule /Common/APP-irule : --- URI is /
    Apr 13 11:37:08 tmm3 info tmm3[24171]: Rule /Common/APP-irule : *** We DO NOT have a valid APM session cookie yet!
    Apr 13 11:37:08 tmm3 info tmm3[24171]: Rule /Common/APP-irule : *** setting pool to protected app
    Apr 13 11:37:12 tmm3 info tmm3[24171]: Rule /Common/APP-irule : *** tricking us back into http_request
    Apr 13 11:37:12 tmm3 err tmm3[24171]: 011f0007:3: http_process_state_prepend - Invalid action EV_SINK_HEADER during ST_HTTP_PREPEND_HEADERS (Client side: vip=/Common/VS_APP profile=http pool=/Common/pool_APP client_ip=1.1.1.1)
    Apr 13 11:37:12 tmm info tmm[24168]: Rule /Common/APP-irule : --- URI is /goToSF
    Apr 13 11:37:12 tmm info tmm[24168]: Rule /Common/APP-irule : *** We have a valid APM session cookie
    Apr 13 11:37:12 tmm info tmm[24168]: Rule /Common/APP-irule : *** goToSF URI received; trying to get the SF form to display; so changing uri and disabling APM for this event
    Apr 13 11:37:12 tmm info tmm[24168]: Rule /Common/APP-irule : *** in http response
    Apr 13 11:39:28 tmm1 info tmm1[24169]: Rule /Common/APP-irule : --- URI is /fromSF
    Apr 13 11:39:28 tmm1 info tmm1[24169]: Rule /Common/APP-irule : *** We have a valid APM session cookie
    Apr 13 11:39:28 tmm1 info tmm1[24169]: Rule /Common/APP-irule : *** setting pool to protected app
    Apr 13 11:39:28 tmm1 info tmm1[24169]: Rule /Common/APP-irule : *** Completed the second factor successfully, we now redirect them to start page of protected app
    Apr 13 11:39:28 tmm1 info tmm1[24169]: Rule /Common/APP-irule : --- URI is /def
    Apr 13 11:39:28 tmm1 info tmm1[24169]: Rule /Common/APP-irule : *** We have a valid APM session cookie
    Apr 13 11:39:28 tmm1 info tmm1[24169]: Rule /Common/APP-irule : *** setting pool to APP

After clicking the submit button in the second-factor app, it waits for the timeout to expire and then finishes the rest of the log messages. The last message in the session report for APM is "Session variable 'session.logon.page.errorcode' set to '0'". I never see the message box from the policy. I'm sure I'm doing something goofy, I just don't know what it is. Thanks, Jen
Virtual Server Pool versus ASM Class Pool

I'm struggling to understand the difference between using a pool applied to a Virtual Server versus a pool applied to an ASM class, and when I might want to use one versus the other. Is there anything wrong with not defining an ASM pool, and allowing the Default Pool or iRules applied to the Virtual Server to determine where to route the traffic? For example, say I have an HTTP VS with no default pool, and an iRule which checks the URI to determine where to route traffic, i.e.:

    when HTTP_REQUEST {
        # route by URI prefix; everything else goes to the browse pool
        if { [HTTP::uri] starts_with "/navigation" } {
            pool navigation_pool
        } else {
            pool browse_pool
        }
    }

I've also got an ASM Class applied to this VS which has no default Pool. Can you see anything wrong with simply allowing ASM to scan the incoming requests and afterwards hand them back off to the VS for routing? I fail to see how one could make any type of dynamic routing decision like an iRule can when specifying an ASM pool.
APM Full Webtop customization

I've created a Dynamic full webtop that presents users with access to certain SAML SPs based on their AD group membership. We do not want the webtop page to show that it is from F5, and I cannot find where the title "F5 Dynamic Webtop" is located once a user is logged in so that I can change it. Can someone help me?
DDoS attack prevention in LTM

Last week's multiple distributed denial-of-service (DDoS) attacks have led to a fresh interest in how to secure a website and networks against such an invasion. DoS/DDoS attacks are becoming an increasingly common way of bringing down websites and causing network performance degradation. Hackers use a botnet of compromised PCs that are controllable via the 'Low Orbit Ion Cannon' (LOIC), which is used to direct PC traffic towards delivering a DoS attack. However, BIG-IP Local Traffic Manager helps protect against network DoS and DDoS threats. When using LTM, you can protect against network DoS attacks and increase end-user application performance with accurate triggers and controls.

In BIG-IP LTM, there are a couple of changes you can make to tighten the configuration and monitor messages to ensure the LTM helps protect against DoS and DDoS attacks.

1. Lower the default TCP connection timeouts in the TCP profile.
2. Lower the Reaper percents from low 85 / high 95 to low 75 / high 90.
   a. This means fewer connections are held open, but it means the LTM will be more aggressive in cleaning out idle connections during a TCP connection flood.
3. Analyze the typical and maximum HTTP header size, including cookies, that should legitimately be seen.
   a. The default maximum on LTM is 32k.
   b. This should be lowered if your average is 4k and the maximum possible is 8k.
   c. In this example, setting the max header size to 16k should adequately ensure no false positives (resulting in rejected connections), while helping to ensure a number of HTTP header based DoS attacks are better handled.
4. Monitor /var/log/ltm for messages such as:
   • Sweeper initiated - this means the reapers have kicked in due to high TCP connection counts and high memory utilization
   • ICMP messages limited to 250 - usually a ping or other form of ICMP attack encountered and being mitigated
   • SYNcookie activated - SYN flood attack encountered
   • HTTP header size exceeding 32k length - often from Slowloris or a similar HTTP header attack

Once configured, BIG-IP LTM's approach to network DoS and DDoS attacks is an attack mitigation configuration that protects core infrastructure when an attack occurs. For more information, review the LTM manual on how to mitigate Denial of Service attacks at: http://support.f5.com/kb/en-us/prod...r=11673465
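As an added example for the monitoring step, not part of the original post: a small stand-alone Tcl (tclsh 8.5 or later) script that scans /var/log/ltm lines for the four indicator messages listed above, counts hits per indicator, keeps the first matching line as evidence, and names the tuning step from this post that each indicator points back to. The patterns are the phrases from the list, matched case-insensitively; the sample log lines embedded in the script are constructed for the demo (hostnames, pids, message codes and virtual server names are made up), and the "look at" descriptions are this example's summary of the post's steps, not F5 documentation.

```tcl
# Added example, not part of the original post. Stand-alone tclsh (8.5+) script
# that scans /var/log/ltm for the four indicator messages the post lists and
# maps each hit back to the tuning step it relates to. Run it on a BIG-IP as
#   tclsh ltm_dos_indicators.tcl /var/log/ltm
# Without an argument it runs over the CONSTRUCTED sample lines at the bottom
# (hostnames, pids, message codes and VS names there are made up for the demo).

# indicator name, case-insensitive regexp taken from the post's list, and the
# configuration knob from the post that the indicator points at
set indicators {
    reaper   {sweeper initiated}           {reaper low/high water marks, TCP idle timeout}
    icmp     {icmp messages limited}       {ICMP rate limiting already active; check sources}
    syn      {syncookie activated}         {SYN flood: SYN cookies active; watch pool health}
    http_hdr {http header size exceeding}  {HTTP profile maximum header size}
}

# Return the indicator name matching one log line, or "" if none matches.
proc classify {line} {
    global indicators
    foreach {name pattern knob} $indicators {
        if { [regexp -nocase -- $pattern $line] } { return $name }
    }
    return ""
}

# Count hits per indicator and keep the first matching line as evidence.
# Returns a dict: name -> {count N first <line>}
proc scan_lines {lines} {
    global indicators
    set result [dict create]
    foreach {name pattern knob} $indicators {
        dict set result $name [dict create count 0 first ""]
    }
    foreach line $lines {
        set kind [classify $line]
        if { $kind eq "" } { continue }
        dict with result $kind {
            incr count
            if { $first eq "" } { set first $line }
        }
    }
    return $result
}

# Print one line per indicator that fired, with the knob to look at.
proc report {result} {
    global indicators
    foreach {name pattern knob} $indicators {
        set n [dict get $result $name count]
        if { $n == 0 } { continue }
        puts [format "%-8s hits=%-4d look at: %s" $name $n $knob]
        puts "         first: [dict get $result $name first]"
    }
}

# CONSTRUCTED sample lines (not copied from a real BIG-IP).
set sample {
    {Oct 20 10:01:02 bigip1 warning tmm[1234]: 011e0001:4: Sweeper initiated: memory utilization high}
    {Oct 20 10:01:05 bigip1 warning tmm[1234]: 011e0001:4: Sweeper initiated: memory utilization high}
    {Oct 20 10:01:07 bigip1 notice tmm[1234]: 011e0002:5: ICMP messages limited to 250 per second}
    {Oct 20 10:01:09 bigip1 warning tmm[1234]: 011e0003:4: SYNcookie activated on virtual /Common/vs_web}
    {Oct 20 10:01:11 bigip1 err tmm[1234]: 011f0005:3: HTTP header size exceeding 32k length, connection reset}
    {Oct 20 10:01:12 bigip1 info mcpd[2345]: 01070638:5: Pool member up (unrelated line, ignored)}
}

if { $argc > 0 } {
    set fh [open [lindex $argv 0] r]
    set lines [split [string trim [read $fh]] \n]
    close $fh
} else {
    set lines $sample
}
report [scan_lines $lines]
```

Running it without arguments prints two reaper hits and one hit each for the ICMP, SYN cookie and HTTP header indicators from the constructed sample; the unrelated mcpd line is ignored. Pointing it at the real /var/log/ltm (or a rotated copy) gives the same per-indicator summary for the actual file, which is a quick way to see whether the reaper or header-size settings from steps 2 and 3 are the ones being exercised during an incident.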
disable ASM on a specific URL

Hi all, I'm sending this message to ask if someone can tell me a way to disable ASM checks (violations and signatures) for a specific URL. In particular, I have an application through which it is possible to upload files... each upload takes place via the same URL (/uploader.php, for example). The problem is that it isn't possible to determine in advance what kind of files are uploaded... Furthermore, the application already conducts checks. The result is a large number of false positives being generated, and this, when the application is put in production, could have an important impact. If possible I would avoid using an iRule; is there a way to use only the Configuration Utility? Or can anyone suggest a modus operandi? Thanks in advance, greetings Federico
SSL Read Error

I have a strange problem that I'm trying to sort out. I have a vendor (Mandrill) that is POSTing a webhook to a site that I have sitting behind my BigIP. BigIP is managing the certificate for the client; there is no server-side cert. This system supports several vendors posting to the same site. This one is slightly different in that it is posting a JSON payload as an encoded URL form field versus just a JSON post. Anyway, the vendor keeps failing on "SSL read: error:00000000:lib(0):func(0):reason(0), errno 104". Since the F5 is hosting the SSL and since I've tried everything else... I've sort of run out of ideas beyond posting here and looking for some ideas on where to look. If I download the content and manually post with curl it works. I've seen this error elsewhere; I'm wondering if there's something I need to allow for given their sending system?