asm
105 Topics

How to check the disabled rules in ASM Policy
Hi Experts, we would like to know the allowed/disabled URLs or parameters configured for a specific ASM policy. Example: www.example.com is the URL for which I would like to know the rules applied. How can I check this? Any way I can pull the detailed configuration of the ASM policy from the CLI?
21 Views, 0 likes, 1 Comment

How to block specific User-Agent in ASM Policy
Hi Experts, we are getting many requests from a specific IP with the User-Agent libcurl. We would like to block this user agent containing curl. Could you please help to configure the rule in the existing ASM policy? I would like to apply the policy for the URI /bluewhale/api/ProdSearch.

Dec 19 12:08:29 F5-ASM-PROD-P1 ASM:"2024-12-16 12:08:28";"213.X.X.X";"20179";"192.168.30.35";"443";"/Common/PRD_ASM_SSL";"GET";"passed";"9232836799849750123";"301";"/bluewhale/api/ProdSearch/Search";"N/A";"N/A";"0";"N/A";"N/A";"N/A";"N/A";"Host: www.example.com\r\nUser-Agent: libcurl/8.10.1 r-curl/6.0.1 httr/1.4.7\r\nAccept-Encoding: deflate, gzip\r\nAccept: application/json, text/xml, application/xml, */*\r\nX-Forwarded-For: 213.X.X.X\r\n\r\n"

37 Views, 0 likes, 5 Comments

IP Intelligence Service
Hello Team, kindly, I have a case: I took over managing our F5 appliances, which were managed by one of our vendors before, and I found that we have the ASM and LTM modules installed on our BIG-IP. As I was checking the licenses I found that we have a threat campaign add-on license and an IP intelligence license as well. As I was going through the implementation steps for IP intelligence I found out it will be implemented through an iRule, and as I was looking at our BIG-IP, we don't have any iRule configured for this, so there is a high chance that we have paid for an add-on license that we didn't use at all. So I need your support to solve and clarify the below concerns:
1- Is there any way to implement this without using iRules? If so, please let me know.
2- How to check if we are using the threat campaign license in a correct way? I want to know if we are facing the same issue with this license also.
3- What is the list of other available add-on licenses, in order to look at it and to know if we need any more licenses? Can you provide me a list of them?
Sorry if my questions look stupid since I am new to this role. Regards,
25 Views, 0 likes, 1 Comment

Priority group activation on GTM.
Hello All, I need to configure an active/standby configuration at the GTM pool level. Only one VS should be up and the second should be standby; if one VS is down then traffic should pass to the other VS. I can see there is one option, Minimum-up Members, but I do not know how to use it as a priority group activation at the GTM level. If anyone has any article or config suggestion, please share. Many thanks in advance for your time and consideration.
41 Views, 0 likes, 2 Comments

F5 ASM API-Protection Policy
Hello F5 Community, apologies if my question looks stupid since I am new to F5. Recently our application team started a project which is communication between our clients and our application through an API, and for me as F5 administrator it's my role to protect this API communication. As I looked up in the Application Security API template, there is a section which asks for the swagger file, and when I asked our application team their response was (we have 3 API endpoints so we have 3 swagger files and not one). Right now I am looking to check what the best design is and how to handle this request, or what the best scenario is to create and deploy this policy. Is it one of the below:
- Asking the application team to merge these swagger files and provide the result to me? They initially responded that they cannot do that and that this is risky.
- Creating 3 application policies and attaching them to the same virtual server (if possible)?
We are using on-premises BIG-IP. Please let me know your thoughts and let me know if you prefer an additional solution over this. Thanks. Regards,
23 Views, 0 likes, 1 Comment

cannot find Security -> Application Security: Headers: Cookie List
Hello F5 Community, my WAF trial VM runs on 17.1.1.4. I cannot find Security -> Application Security: Headers: Cookie List in the WAF. Is that feature removed or located in a new place? I searched over the internet but I could not find a resolution. Security -> Application Security : Security Policies : Policy -> HTTP Message Protection -> Cookies is also empty.
63 Views, 0 likes, 2 Comments

ASM Sync Between 2 Data Centers
Hi Folks, has anyone tried to sync ASM configuration between 2 data centers successfully? My current scenario is: I have an HA pair (active/passive) in data center A and another HA pair (active/passive) in data center B, and need to sync the ASM configuration between the 2 data centers.
Solved
181 Views, 0 likes, 14 Comments

automatic learning logs/report?
Hello, my client has no other solution but to implement automatic learning for a new website where the owners won't help the team in understanding the application. On the other side, the security team wants to have information on what was changed and when by the automatic learning policy. I've come across article https://my.f5.com/manage/s/article/K58082590 that uses the API to retrieve the list of learning suggestions for a given policy, but I'm not sure it will give me the information I need for an automatic policy. Since suggestions that reach 100% are learned, I imagine the suggestions disappear as soon as a 100% score is reached and the API will return nothing if the suggestion has already been learned. Is there a better way to get this report? I'm OK with SIEM, syslog, API, or maybe an iCall? To start with, I couldn't find the info in audit logs or in ASM logs. Some pieces of info are found in the Webui: Security > application Security > audit > logs. But how to export this?
48 Views, 0 likes, 2 Comments

ASM API v16 - get list of SignatureOverride
Hello, my client would like a scheduled report on all the signatures used as exceptions in the policy items (let's say in parameters and URL objects). I've figured that the info can be retrieved through the API: https:///mgmt/tm/asm/policies//parameters/

I could have this kind of output, where parameter1 has 2 signature overrides and parameter2 doesn't have any:

{
  "maximumLength": 200,
  "stagedSinceDatetime": "2024-10-16T13:33:54Z",
  "hostNameRepresentation": "domain-name",
  "dataType": "uri",
  "createdBy": "GUI",
  "sensitiveParameter": false,
  "parameterLocation": "any",
  "valueType": "user-input",
  "kind": "tm:asm:policies:parameters:parameterstate",
  "selfLink": "https://localhost/mgmt/tm/asm/policies/gK_P0j6j8NT8wUz2pORRRQ/parameters/SZehdfNxQfRzSeE_d2V5eA?ver=16.1.5",
  "inClassification": false,
  "urlReference": {
    "link": "https://localhost/mgmt/tm/asm/policies/gK_P0j6j8NT8wUz2pORRRQ/urls/OXujEJOZ7V0nU7Mgu2-Bzg?ver=16.1.5",
    "protocol": "https",
    "name": "/random-uri/path/",
    "method": "*",
    "type": "explicit"
  },
  "checkMinValueLength": false,
  "isCookie": false,
  "mandatory": false,
  "id": "SZehdfNxQfRzSeE_d2V5eA",
  "allowEmptyValue": false,
  "checkMaxValueLength": true,
  "name": "parameter1",
  "lastUpdateMicros": 1.729085634e+15,
  "isReferenced": false,
  "isHeader": false,
  "attackSignaturesCheck": true,
  "level": "url",
  "allowRepeatedParameterName": true,
  "signatureOverrides": [
    {
      "signatureReference": {
        "link": "https://localhost/mgmt/tm/asm/signatures/gJ3lZomuuxyJqa2InBac1w?ver=16.1.5",
        "isUserDefined": false,
        "name": "Unix/Linux \"date\" execution attempt (Parameter)",
        "signatureId": 200003085
      },
      "enabled": false
    },
    {
      "signatureReference": {
        "link": "https://localhost/mgmt/tm/asm/signatures/YqXJ-_VkhoSiQ49IuaFmUA?ver=16.1.5",
        "isUserDefined": false,
        "name": "Unix/Linux \"time\" execution attempt (Parameter)",
        "signatureId": 200003155
      },
      "enabled": false
    }
  ],
  "type": "explicit",
  "performStaging": false
}
{
  "isBase64": false,
  "maximumLength": 120,
  "stagedSinceDatetime": "2024-11-20T09:17:03Z",
  "dataType": "alpha-numeric",
  "createdBy": "GUI",
  "sensitiveParameter": false,
  "parameterLocation": "any",
  "valueType": "user-input",
  "kind": "tm:asm:policies:parameters:parameterstate",
  "selfLink": "https://localhost/mgmt/tm/asm/policies/gK_P0j6j8NT8wUz2pORRRQ/parameters/iKZNHNqAGGVo_-csIuNBwQ?ver=16.1.5",
  "inClassification": false,
  "checkMinValueLength": false,
  "isCookie": false,
  "mandatory": false,
  "metacharsOnParameterValueCheck": true,
  "id": "iKZNHNqAGGVo_-csIuNBwQ",
  "allowEmptyValue": false,
  "checkMaxValueLength": true,
  "valueMetacharOverrides": [],
  "name": "parameter2",
  "lastUpdateMicros": 1.732094223e+15,
  "isReferenced": false,
  "isHeader": false,
  "parameterEnumValues": [],
  "attackSignaturesCheck": true,
  "level": "global",
  "allowRepeatedParameterName": false,
  "signatureOverrides": [],
  "type": "explicit",
  "performStaging": true,
  "enableRegularExpression": false
}

I would like to filter the query and only have the parameters with a non-empty list of SignatureOverride. I learnt that the F5 API relies on OData and that we can borrow some of its functions. I also need to consider that the SignatureOverride field is an array.

I tried this:
$filter=signatureOverrides/any(s: s ne null)
=> but the any function doesn't seem to be available

and I also tried this:
$filter=signatureOverrides/$count ne 0
=> same, the count command is not available either

How can I work with an OData filter on the signatureOverrides field?
4 Views, 0 likes, 0 Comments

High CPU utilization (100%).
I observed high CPU utilization (100%) on an F5 device, resource provision ASM nominal. I checked the client-side throughput and server-side throughput; both are normal, but I found management interface throughput is very high, and what I noticed is that this has been happening in the same time period for the last 30 days. What could be the reason for this spike? Many thanks in advance for your time and consideration.
150 Views, 0 likes, 14 Comments