ICAP server reachable, however ASM claims communication issues
Greetings, I have encountered a situation where I have implemented basic AV protection for a server. Tests with an EICAR file work fine from internal and external networks (it should not really matter). The thing is that on some occasions I noticed that a file upload had been blocked, but the Virus violation states: "Virus detection was not performed due to communication problem. See details here: /ts/log/bd.log". There is no relevant info in that log file. Guaranteed enforcement was turned on, so I guess that's why the block took place. But the real question is: why is it complaining about not being able to communicate with the ICAP server? When I run a test from any network, it blocks it just right and the violation is described accurately. Whenever this has happened there have been multiple generic violations detected with the traffic as well, but ONLY AV protection is in Blocking mode; generic signatures are just alerting for analysis. Does anyone have more experience with such cases? Any ideas why this is happening? Thank you!

iRule that triggers a capture of the HTTP request before rejecting
I'm using the following iRule to block an attack coming from an IP that is behind a proxy; however, we can still see the original IP in the XFF header. So far this iRule is working, but I would like to trigger a capture to better build a policy in ASM to block. Is there a way to trigger a method to capture and log the full request when we get a match and send the 410?

Note: credit to hoolio, https://devcentral.f5.com/questions/using-x-forwarded-for-to-block-clients

    when HTTP_REQUEST {
        if { [HTTP::header "X-Forwarded-For"] ne "" } {
            log local0. "XFF: [HTTP::header "X-Forwarded-For"]"
            # Walk every address in the XFF chain (spaces stripped, split on commas)
            foreach xff [split [string map [list " " ""] [HTTP::header "X-Forwarded-For"]] ","] {
                log local0. "Current XFF element: $xff"
                # Match the attacker's address anywhere in the chain, then reject
                if { [IP::addr $xff equals 1.2.3.4] } {
                    log local0. "Sending 410 for $xff"
                    HTTP::respond 410
                    break
                }
            }
        }
    }
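An added example, not part of the post above, of one way to do what it asks: keep the XFF match, but before sending the 410 write the request line, every header and (if present) the body to a High-Speed Logging destination, so the full request is available for building the ASM policy. The pool name syslog_pool, the blocked address 1.2.3.4 and the 1 MB body cap are placeholders to adjust for your environment.

```tcl
# Added example (not from the original post). Assumed names: syslog_pool is
# an HSL pool pointing at a remote syslog collector; 1.2.3.4 is the client
# address to block; the body capture is capped at 1 MB.

when CLIENT_ACCEPTED {
    # One HSL handle per TCP connection; remote logging avoids the local
    # log's truncation of long lines.
    set hsl [HSL::open -proto UDP -pool syslog_pool]
}

when HTTP_REQUEST {
    set blocked 0
    if { [HTTP::header exists "X-Forwarded-For"] } {
        foreach xff [split [string map {" " ""} [HTTP::header "X-Forwarded-For"]] ","] {
            # Skip empty elements (trailing comma) so IP::addr does not error.
            if { $xff ne "" && [IP::addr $xff equals 1.2.3.4] } {
                set blocked 1
                break
            }
        }
    }
    if { !$blocked } { return }

    # Record the request line plus every header, pipe-separated on one line.
    set rec "client=[IP::client_addr] [HTTP::method] [HTTP::host][HTTP::uri] [HTTP::version]"
    foreach h [HTTP::header names] {
        append rec " | $h: [HTTP::header value $h]"
    }

    # If the request carries a body, collect it (bounded) and finish the
    # capture and the 410 in HTTP_REQUEST_DATA; otherwise log and reject now.
    set len 0
    if { [HTTP::header exists "Content-Length"] } {
        set len [HTTP::header "Content-Length"]
    }
    if { [string is integer -strict $len] && $len > 0 } {
        set capture_rec $rec
        HTTP::collect [expr {$len < 1048576 ? $len : 1048576}]
        return
    }
    HSL::send $hsl "<134> irule-xff-block $rec"
    HTTP::respond 410 content "Gone" "Connection" "close"
}

when HTTP_REQUEST_DATA {
    # Only runs for the blocked request we asked to collect above.
    if { [info exists capture_rec] } {
        HSL::send $hsl "<134> irule-xff-block $capture_rec | body=[HTTP::payload]"
        HTTP::respond 410 content "Gone" "Connection" "close"
        unset capture_rec
    }
}
```

The response is sent with Connection: close so the client cannot reuse the connection for a second request after being told 410. Bodies that are chunked (no Content-Length) are not collected by this example; extend the collect condition if those requests matter.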
ASM Standalone Persistence
Hello, I have a question about the new TMOS 13.1 running ASM standalone. Since it is possible to perform basic load balancing actions, how does it handle persistence when you load balance traffic? Because it is not possible to create Persistence Profiles. I have seen that it is probably possible using Local Traffic Policies, but I am not sure.

Sensitive Parameters in ASM
I have an application that allegedly breaks when you make parameters sensitive. I need confirmation that changing a parameter to sensitive, either by adding it in the Parameters area and checking the Sensitive checkbox or by adding it to the Sensitive Parameters area, should NOT impact traffic flow in any way and only modifies logging behavior. We are using BIG-IP 11.5.4 Build 4.0.313 Hotfix HF4.

Cannot remove manually configured L7 policy ASM
Dear all, I am trying to deactivate one of the active ASM policies, which is not associated with any VS, but I am getting the error "Cannot remove manually configured L7 policy". Has anyone faced this before? Any suggestions would be appreciated. Thanks in advance!

Can't get URL Hostname in logs from AVR and ASM
Hi folks, I currently have a virtual server that hosts multiple websites using name-based hosting. I have an iRule that runs on the VS that says: if an incoming HTTP request comes in and the URL host name matches an entry in a data group, forward it to the pool name set for it in the data group. This part works great. What does not work so great is that, if you turn on AVR or ASM, the BIG-IP only logs entries with the URI and not the host name. I have created a logging profile and told it to log "everything", but still it only logs the URI and not the host name. Naturally it would be nice to have the host name and the URI so I can see which logs pertain to which website the VS is hosting. Any ideas, guys? Thanks, Kevin
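An added example, not the poster's own iRule, showing the name-based routing the post describes: a string data group maps a lowercase host name to a pool name, and the iRule selects that pool per request. It also writes the host alongside the URI to the local log from the iRule itself, which is one way to get both fields in a log record. The data group name host_pools, the host names and the pool names are assumptions for illustration.

```tcl
# Added example (not from the original post). Assumed data group "host_pools"
# (type string; key = lowercase host name, value = pool name), created with:
#   create ltm data-group internal host_pools type string records add {
#       www.example.com { data pool_www } api.example.com { data pool_api } }
# The host and pool names are placeholders.

when HTTP_REQUEST {
    # Normalise the Host header: lowercase, and drop any ":port" suffix so
    # "WWW.Example.com:8443" still matches the data group key.
    set host [string tolower [lindex [split [HTTP::host] ":"] 0]]

    # -value returns the record's data (the pool name) for the matching key,
    # or an empty string when the host is not in the data group.
    set target [class match -value -- $host equals host_pools]

    if { $target eq "" } {
        # Unknown host: refuse explicitly rather than fall through to the
        # virtual server's default pool.
        HTTP::respond 404 content "Unknown host" "Connection" "close"
        return
    }

    # Host and URI together in one line, which the post says the AVR/ASM
    # request log does not give by itself.
    log local0. "[IP::client_addr] host=$host uri=[HTTP::uri] pool=$target"
    pool $target
}
```

Because the lookup is an exact string match on the normalised host, a wildcard such as *.example.com would need a separate data-group entry per host or a different operator (for example ends_with) on a dedicated data group.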