iRule to block string in header and display blocking page
I am wondering if I can create an iRule to block a request if a certain string appears anywhere in the header. For example, it would be something like... when HTTP_REQUEST { if { [HTTP::header "User-Agent"] contains "test1234" } { drop return } } Except I would not want the block to be limited to the User-Agent. I would want it to be blocked no matter where "test1234" appeared in the header. A follow-up to that would be if I can also have this iRule display the blocking page with a SupportID. I would like those testing to be able to have visual confirmation to see it worked and so they can easily share it with others.ASM iRule events not working
Hi all, I activated this irule in my Virtual Server: when HTTP_REQUEST { set redirect 0 set requri [HTTP::uri] } when ASM_REQUEST_BLOCKING { set redirect 1 } when HTTP_RESPONSE { if { $redirect } { switch -glob $requri { /url1* { HTTP::redirect "https://url1/index" } /url2* { HTTP::redirect "https://url2/index" } /url3* { HTTP::redirect "https://url3/index" } default { } } } } I also enabled the "Trigger ASM iRule Events" option on my ASM security Policy which is in Blocking Mode. But, even so, redirections don't work after a violation is triggered. Any ideas?
URL rewrite iRule - ASM
ASM is blocking a request which doesn't have domain name in one of the parameters in the URI. Background: example.domain.com is a VIP and has ASM enabled. Below is the default breakdown login page that changes per request, the issue is one of parameters(resource_url), is missing the domain name, example.domain.com before the context root, /user/loginsso, and ASM thinks it's a web command execution attack and blocking it and I don't want to unblock ASM for this particular request type. I think rewriting the URI fixes the issue but, if it is an LTM iRule, does ASM triggers based on the source URL or rewrite URL? if based on source URL, then what are the config changes to be done in the ASM? and couple of paramters in the url changes per request, so not sure how to use the stringmap, please help. https://example.domain.com/login/login.html ?bmctx=some random ID that changes per request &contextType=external &miscCookies=disablehttponly &username=string &OverrideRetryLimit=1 &password=secure_string &challenge_url=https://example.domain.com/login/login.html &ssoCookie=disablehttponly &DCCCtxCookieMaxLength=5000 &request_id=some ID that changes per request &authn_try_count=0 &locale=en_US &resource_url=/user/loginsso Expected: resource_url=https://example.domain.com/user/loginsso
Sensitive Parameter Client Side Encryption
Hi All, We have set some of the parameters as sensitive for the login pages and confirmed all those sensitive parameters values are masked in the ASM Logs. Query: Whether the ASM Sensitive Parameter feature will mask the sensitive parameter values only in the ASM Logs ? (Verified the parameter values at Client Browser, Proxy(Fiddler) and confirmed sensitive parameters values are not encrypted) If ASM Sensitive Parameter and Websafe Credential Protection are different features, please suggest alternate options like irule to enable sensitive parameter encryption at client side. Note: BigIP is licensed with ASM and LTM.
Difference between Local Traffic Policy and Application Secutiry Policy
Can someone give some explanation between these two kind of policies and for what kind of servers should they be used? I mean, for example depending whether I have a web application or a MySQL db, or an ssh port etc... Thanks in advance
Allow search engines even though country is blocked by geolocation block
Hi! We have an issue where site disappear in search engines. We are forced to use geo based country blocking in ASM policy due to compliance. As side effect, we also block important search engine bots. It will be too cumbersome to whitelist all ip ranges used by these. There is a list of bot signatures including search engines in the ASM ddos profile settings. Is there any way to write an iRule that utilize this list and bypass the geolocation blocking? "This applies to Bot Signatures configured for blocking or reporting, and including Search Engines. Syntax BOTDEFENSE::reason" We cannot trust the user agent string since that can be manipulated by anyone. Reverse DNS lookup (and forward to verify) take a lot of network resources. Is there an easy way (iRule?) to bypas the geo blocking based on this list without using unnecessary resources? We are on version 12.1.2. Many thanks in advance.
