Missing TABs in "Application Security" BIG-IP 17.1.1.3 - BIG-IP 15.1.7
Hello, F5 infra was recently migrated from BIG-IP 15.1.7 to BIG-IP 17.1.1.3. Unfortunately, I can no longer select some tabs in "Application Security". For exemple, "File Type" or "Header" are now missing. I spent some time trying to find something in the documentation but I had no luck. is it expected behavior ? Were they moved somewhere else in the GUI ? Regards, ML
Data Guard exeption patterns configured via tmsh.
Hello Everyone, we have enabled Data Guard in our ASM policy and it works most of the time good ;). From time to time it happen that legit account nr. is validated as credit card nr. and so is blocked. We need than to add this pattern as exception - there is no problem to add this exception via GUI , however I'd like to ask if there is option to add this pattern via tmsh ? Thank you. Y
Protecting against DDoS attack
Dear Community, I need help from application security experts and seasoned web developers. We are getting DDoS attacks on the following requests. This attack is targetting our SMS gateway; resulting in triggerig thousands of SMSs. Please inform which kind of protections we can introduce in application level / application code level to protect against this DDoS attack. DDoS Request Sample: POST xyz.com/api/otp/asdf HTTP/1.1 Host: xyz.com Content-Length: 32 Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="90" Accept: application/json, text/plain, */* Authorization: *********** Accept-Language: ar Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Content-Type: application/json Origin: http://abc.com Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer:http://abc.com Accept-Encoding: gzip, deflate Connection: close {"mobileNumber":"123456789"} Warm RegardsPreventing DDoS attacks on SMS URL
Dear Community, I am facing DDoS attacks on one of our application. The attacker is sending hundred of requests to a URL, which is consuming all of our SMS quota. The attack is originating from multiple IPs. Please inform how I can protect this application API from this kind of DDoS attack from appliation code level. I need help from application security experts and web developers. https://abc.comis frontend & xyz.com is backend api Sample of DDoS reqeust: POST /asdf/service/sendmobilecode HTTP/1.1 Host:xyz.com Authorization: *********** User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Content-Type: application/json Origin:https://abc.com Referer:https://abc.com/ {"number":"91234567890"} Kind RegardsHelp with creating a regular expression
Dear Community, I am trying to implement parameter value to be starting with +233 Can I use a regular expression validator to achieve it? Please inform which regualar expressoin will be equal to +233 This regular expression I would be using in parameter Best Regards
Http and Https Redirection
Hi. While trying to access a Http Web Server through F5 LTM and after writing http://xxx.xxx.xxxand access to the login page and put the credentials, the URL changed automatically to https://xxx.xxx.xxx( without any redirection configuration applied on F5). and I lost the connection to the server as it works on port 80. What can cause this redirection?
Is blocking all HTTP-HEAD requesta a bad idea?
We think about blocking all HTTP Head requests for our Web-Applications (not REST or SOAP) via ASM, by returning a html response page with HTTP-code 200 OK, because most of them are requests from crawlers. Are there experiences concerning client behavior? Since HTTP-200 is returned, the client thinks that the request ist valid, even if the site doesn't exists. For Office-Doks, which constain invalid web links the user doesn't get a info popup which tells him that the ressource doesn't exists, instead the web-client is opened which then sends a HTTP-GET to a non existing ressource. For me it doesn't sound like a major drawback. Are there any other pitfalls known?Import Cisco ACL(2000+ rows) from Cisco ACE to F5
Hello guys, through last few months I have been looking for scenario how to upload/implement/import Cisco ACL to F5. I have been looking here and found like 5,10 Cisco ACLs articles but none of them is working for me. So the problem is this: I am migrating old Cisco ACE contexts to new client's F5 i5000 series vCMPs. I was preparing this for a couple of months since I had Cisco ACE configs provided. Everything with implementation of first context worked fine. I created vlans,trunks,vCMP, provisioning, configure vCMP itself etc. Also I have used Cisco provided scripts which are from 2015. And in fact for LTM they are not 100% effective. However I managed to configure what was left manually. But now I come to the next context/vCMP where I have more than 2000 rows of ACL regarding some printers access. I was looking for solution of this but still without any result. Interesting thing is that I have request from client if I could implement ACL to F5 directly from pre-defined/created list in .csv format. It could be text or xml whatever. Also this list will change in time. Is there any option for this ? Could it be done through tmsh? Some script? Please help.
Mandatory parameter on a URL
I want to set up a URL parameter so that it is mandatory that the parameter get sent along with that URL. In looking at the parameter setup I don't see where to do that, but in the XML of the policy I do see a tag false and that would seem to be what I am looking for. I can just try and modify the XML directly but I would like to know how to do in the GUI as well.ASM detecting but not blocking the attack
Hello all, I am using ASM and a Apache Tomcat based web application behind it. I am testing negative security accuracy of the ASM and realized that it is not blocking the attacks even it detects that the request is violating the attack signature. The security policy is configured in blocking and manual mode. The signature staging is disabled with all available signatures included to the policy. The issue is once the attack (for example SQL injection) is launched ASM is detecting that the request matches the attack signature and showing it on the Manual Traffic Learning -> Attack signatures detected page. When you go one step further and check the details of the incidents listed under this page you see that ASM is considering the request as legal! No logs are available under Event Logs tab. It will be highly appreciated if anyone explains this behaviour. Is it expected or sth like a bug?
