asm waf
28 Topics

ASM attack signatures not syncing between active and standby F5
Hello F5ers, I have a pair of F5s in an active/standby setup running the ASM (WAF) module. I have ASM synchronization set up with a sync-failover device group on both F5s. Everything else works fine, but I noticed the ASM signatures under system > software management > live update page no longer show any signatures downloaded or installed on my standby F5 anymore. When I try to select an option for "Installation of automatically downloaded updates" such as Real time or scheduled and then click Save, I get a "failed to save configuration" error.

This db variable value is the same on both F5s:

    tmsh list /sys db liveupdate.allowautoinstallonsecondary value
    sys db liveupdate.allowautoinstallonsecondary { value "false" }

Standby F5:

    cat /var/log/tomcat/liveupdate.log | egrep 'isMaster|isAsmMaster|isDatasyncMaster'
    2026-06-17 16:20:51 INFO SyncHandler:343 - Set isAsmMaster = true
    2026-06-17 16:20:51 INFO SyncHandler:351 - Set isMaster = true
    2026-06-17 16:20:51 INFO SyncHandler:347 - Set isDatasyncMaster = false
    2026-06-17 17:18:46 INFO SyncHandler:351 - Set isMaster = true
    2026-06-17 17:18:46 INFO SyncHandler:343 - Set isAsmMaster = true
    2026-06-17 17:18:46 INFO SyncHandler:347 - Set isDatasyncMaster = false
    2026-06-23 15:10:23 INFO SyncHandler:343 - Set isAsmMaster = true
    2026-06-23 15:10:23 INFO SyncHandler:351 - Set isMaster = true
    2026-06-23 15:26:03 INFO SyncHandler:351 - Set isMaster = true
    2026-06-23 15:26:03 INFO SyncHandler:343 - Set isAsmMaster = true
    2026-06-23 15:26:03 INFO SyncHandler:347 - Set isDatasyncMaster = false
    2026-06-23 15:41:11 INFO SyncHandler:351 - Set isMaster = false
    2026-06-23 15:41:11 INFO SyncHandler:343 - Set isAsmMaster = false
    2026-06-23 15:41:11 INFO SyncHandler:347 - Set isDatasyncMaster = false

Active F5:

    cat /var/log/tomcat/liveupdate.log | egrep 'isMaster|isAsmMaster|isDatasyncMaster'
    2026-06-17 16:39:29 INFO SyncHandler:347 - Set isDatasyncMaster = true
    2026-06-23 15:36:50 INFO SyncHandler:343 - Set isAsmMaster = true
    2026-06-23 15:36:50 INFO SyncHandler:351 - Set isMaster = true

Did anyone come across this issue in their environment?

version: 17.1.3
platform: VM

Appreciate any help! Thanks
5 Views, 0 likes, 0 Comments

F5 ASM/AWAF – violations logged but no learning suggestions generated
Hey everyone, running into a strange behavior with F5 ASM and hoping someone has seen this before.

Setup:
- Explicit/closed parameter list (only allowed parameters defined, everything else triggers a violation)
- "Illegal Parameter" violation has Learn + Alarm + Block all enabled
- Parameter learning mode is set to Always
- Violations are appearing correctly in the event logs
- no blocked IP addresses exceptions

The Problem: Despite all of the above, no learning suggestions are being generated for the illegal parameter violations except one on the Traffic Learning page.

What I noticed: After digging through the logs, I found a pattern:
- the one request that triggered only the illegal parameter violation (with a valid URL) → learning suggestion WAS generated
- Requests that triggered illegal parameter + illegal URL or illegal file type simultaneously → no learning suggestion generated

The vast majority of my traffic falls into the second category, which is why the suggestions page looks empty.

My question: Is there any documented behavior in ASM/AWAF where requests triggering multiple severe violations (illegal URL + illegal file type + illegal parameter together) are suppressed from generating learning suggestions? Or is something else going on here? Has anyone run into this and found a workaround other than manually adding parameters from the event log?

Thanks in advance.
230 Views, 0 likes, 3 Comments

[ASM] : SQL-INJ "end-quote UNION" - How to allow this signature to specific url/uri/parameter only
Hi Team, can someone explain to me the attack type - end-quote UNION and the solution to allow this signature for a specific url/uri/parameter only.

Attack Type : SQL-Injection
Detected Keyword : ,\"Valore\":\"UNION-GLASS0x20S.R.L.\"},{\&quo
Attack Signature : SQL-INJ "end-quote UNION" (Parameter)
Context : Parameter (detected in Form Data)
Parameter Level : Global
Parameter Value : \"ArrayValori\":null
476 Views, 0 likes, 5 Comments

Configuration Assistance: Configure Email Alerts for HA Failover Events and Device Offline
We have a BIG-IP VE High Availability Pair deployed in Microsoft Azure. We need to configure the BIG-IP to automatically send an email notification to our Operations teams immediately when a Failover event occurs (when the unit goes from Active to Standby or Offline). Could you provide the recommended procedure for the configuration to trigger these email alerts?
228 Views, 0 likes, 3 Comments

What does session_id = 0 mean in ASM session tracking?
We have an ASM policy with session tracking enabled and working fine, and we noticed that several ASM logs have a session_id equal to 0. We suspected some botnet source but we don't know what the meaning of that zero value is. How does this parameter usually get a value, and why is it set to zero in those cases?
161 Views, 0 likes, 1 Comment

F5 ASM: Capability to Block Threat Caused by Outdated jQuery
Hi Team, we have a public-facing website that is currently running on an outdated jQuery version behind the ASM. The question is whether ASM has capabilities to block any threat due to the use of the outdated jQuery. Please help to provide an update on this query at the earliest. Thanks in advance.
105 Views, 1 like, 1 Comment

Exceed Timeout in Event Logs WAF
I have an issue with a customer WAF. In the Event Logs, it shows me an error in the "triggered violation" (I attached a screenshot), and the request shows the status: illegal. We modified the maximum limitation from 500 to 1000, as recommended by the F5 docs, and a traffic test was carried out again and the request status is: legal, but the registration of this traffic in Event Logs took 3 minutes, which is too much. Any recommendation on how to resolve this? Greetings Friends :)
155 Views, 0 likes, 3 Comments

How to Integrate F5 Anti-Virus with Fortisandbox using ICAP
Hello! I have a question: is it possible to integrate Anti-Virus on F5 with Fortisandbox? I will create a feature on a web application for uploading files in xlsx and pdf format. I want to send the file for scanning on Fortisandbox before passing it to the server. I've read an article, https://my.f5.com/manage/s/article/K70941653, but I am still wondering, is it possible or not? Thank you.
727 Views, 0 likes, 5 Comments

How I can apply fast 700 ASM policies?
How can I quickly apply 700 ASM policies with changes? In the old days you could use an option to apply all. How can I do it now? I have a bash script to do it by curls, but it applies the policies one by one. Is it possible to do them all at the same time? Thanks
205 Views, 0 likes, 3 Comments