asm waf
26 Topics

ASM / WAF : block request containing certain string?
I have added as much XSS blocking to a policy as possible. A request containing onmouseover or onclick or .... ="alert('hello')" is blocked fine. But when it's coded like onmouseover or onclick or .... ="self['\x....... the ASM accepts this as valid. Can I block a request with this parameter value? How do I achieve this?
819 Views, 0 likes, 2 Comments

How to block specific User-Agent in ASM Policy
Hi Experts, We are getting many requests from a specific IP with the User Agent libcurl. We would like to block this user agent containing curl. Could you please help to configure the rule in the existing ASM Policy? I would like to apply the Policy for the URI - /bluewhale/api/ProdSearch.

Dec 19 12:08:29 F5-ASM-PROD-P1 ASM:"2024-12-16 12:08:28";"213.X.X.X";"20179";"192.168.30.35";"443";"/Common/PRD_ASM_SSL";"GET";"passed";"9232836799849750123";"301";"/bluewhale/api/ProdSearch/Search";"N/A";"N/A";"0";"N/A";"N/A";"N/A";"N/A";"Host: www.example.com\r\nUser-Agent: libcurl/8.10.1 r-curl/6.0.1 httr/1.4.7\r\nAccept-Encoding: deflate, gzip\r\nAccept: application/json, text/xml, application/xml, */*\r\nX-Forwarded-For: 213.X.X.X\r\n\r\n"

800 Views, 0 likes, 5 Comments

How to Integrate F5 Anti-Virus with Fortisandbox using ICAP
Hello! I have a question: is it possible to integrate Anti-Virus on F5 with Fortisandbox? I will create a feature on a web application for uploading files in xlsx and pdf format. I want to send the file for scanning on Fortisandbox before passing it to the server. I've read an article, https://my.f5.com/manage/s/article/K70941653, but I am still wondering, is it possible or not? Thank you.
555 Views, 0 likes, 5 Comments

ASM / WAF : block request containing certain string?
I have added as much XSS blocking to a policy as possible. A request containing onmouseover or onclick or .... ="alert('hello')" is blocked fine. But when it's coded like onmouseover or onclick or .... ="self['\x....... the ASM accepts this as valid. Can I block a request with this parameter value? How do I achieve this?
503 Views, 0 likes, 1 Comment

Unable to "accept" a HTTP protocol compliance failed violation that is of "HTTP Parser Attack" type
While I try to "accept" the HTTP protocol compliance violation for HTTP Parser attack type, I find the "accept" button greyed out and instead I am getting the message "unlearnable request". How do I understand and allow these kinds of requests, so that I can ensure that these requests are not blocked?
499 Views, 0 likes, 1 Comment

F5 ASM API-Protection Policy
Hello F5 Community,

Apologies if my question looks stupid since I am new to F5. Recently our application started a project which is communication between our clients and our application through an API, and for me as F5 administrator it is my role to protect this API communication. As I looked up in the Application Security API template, there is a section which asks for the swagger file, and when I asked our application team their response was (we have 3 API endpoints so we have 3 swagger files and not one). Right now I am looking to check what is the best design and how to handle this request, or what is the best scenario to create and deploy this policy. Is it one of the below:

- Asking the application team to merge these swagger files and provide it to me? They initially responded that they cannot do that and that this is risky.
- Creating 3 application policies and attaching them to the same virtual server (if possible)?

We are using on-premises BIG-IP. Please let me know your thoughts and let me know if you prefer an additional solution over this.

Thanks. Regards,
441 Views, 0 likes, 2 Comments

[ASM] : SQL-INJ "end-quote UNION" - How to allow this signature to specific url/uri/parameter only
Hi Team, can someone explain to me the attack type - end-quote UNION and the solution to allow this signature for a specific url/uri/parameter only?

Attack Type : SQL-Injection
Detected Keyword : ,\"Valore\":\"UNION-GLASS0x20S.R.L.\"},{\&quo
Attack Signature : SQL-INJ "end-quote UNION" (Parameter)
Context : Parameter (detected in Form Data)
Parameter Level : Global
Parameter Value : \"ArrayValori\":null

399 Views, 0 likes, 5 Comments

Open Redirection Mitigation
Hello, ASM has a feature to mitigate open redirection attacks when the redirect happens at the header level (i.e. with Location in the response). When the redirection is within the payload response, the ASM does not block it. Do you guys know about any ASM configuration that may address this issue and mitigate this kind of attack? Thanks. o.
Solved, 356 Views, 0 likes, 6 Comments

ASM/AWAF custom block page for specific violation
If you need to display a custom block page for a specific ASM/AWAF violation, you can use an iRule to achieve this. ASM/AWAF can modify the Response and Blocking pages within the ASM Policy itself, but these block pages apply across all violations. Modifying the Response and Blocking pages within the policy can be useful if you need to add a corporate look and feel, or embed links or information to contact your support desk for further help etc.

There may be cases where you need to display certain information on a block page related to a specific violation. Do have a good think about what negative effects this may have on your organisation, for advising an attacker that they were blocked for a specific reason could very well aid them in finding other ways around the block.

The following example is based on ASM/AWAF being integrated with an ICAP server for file upload anti-virus scanning, targeting the VIRUS_DETECTED violation; however, it can be adapted for any violation(s) once you identify the name of the violation. The iRule contains a line that logs the violation name to /var/log/ltm whenever ASM/AWAF implements a block. Substitute "VIOLATION_VIRUS_DETECTED" with the logged violation name you are targeting.

Firstly, configure your ASM/AWAF policy's "Trigger ASM iRule Events Mode" and set it to "Normal"; this is found in the Advanced Settings area of the policy's General Settings. Save and apply the policy. This will enable ASM iRules to trigger. (Note this setting is relevant on later versions of BIG-IP; previous versions have an additional setting 'Trigger ASM iRule Events' which needs to be set to Enable.)

Then create an iRule based on the below, and attach it to the VIPs/Virtual Servers on which your ASM/AWAF policy is enabled.
To test, hit your web application/API to generate an ASM/AWAF block page for the specific violation you want a custom block page for, and look in your /var/log/ltm log for the logged "ASM Violation was: <violation name here>". Substitute this violation name in the iRule's 'if' command where it is matched against $asm_violation_name. Refresh the page (you may need to close/reopen the page, use an incognito window, or clear your cookies etc. depending on your LTM VIP's configuration), trigger the same violation again, and you should now see the information as created in the iRule in the 'set response' section. The iRule could be modified to match on multiple violations by expanding out the 'if' command.

    when ASM_REQUEST_DONE {
        # Capture the support ID and violation data once ASM has finished processing the request
        set asm_support_id [ASM::support_id]
        set asm_violation_name [ASM::violation_data]
    }

    when ASM_REQUEST_BLOCKING {
        # Log the violation name to /var/log/ltm so it can be identified and matched below
        log local0. "ASM Violation was: $asm_violation_name"
        if {$asm_violation_name contains "VIOLATION_VIRUS_DETECTED"} {
            # Content-Length is removed because the blocking page body is replaced
            HTTP::header remove Content-Length
            # Placeholder header name and value
            HTTP::header insert header_1 value_1
            set client_ip [IP::client_addr]
            set response "<html>
    <head>
    <title>Request Rejected</title>
    </head>
    <body>
    AWAF has blocked your request due to the ICAP server indicating a file it scanned contained a virus.<br><br>
    <b>Your support ID:</b> $asm_support_id<br><br>
    <b>Source IP:</b> $client_ip<br>
    </body>
    </html>"
            # Empty the default blocking page, then insert the custom response
            ASM::payload replace 0 [ASM::payload length] ""
            ASM::payload replace 0 0 $response
        }
    }

200 Views, 1 like, 0 Comments