ASM/WAF Management Automation - TMOS
This post is to go over some of my thoughts on ASM/WAF management, and some custom solutions I've made to make it easier and more accurate. This will be highly technical and will apply to most use-cases. Written based on TMOS v15 software, but will be mostly applicable to all recent TMOS versions. Automatic Learning: Informational Automatic Learning will automatically accept most Learning Suggestions that hit 100% confidence Fully Automatic Learning will automatically accept all Learning Suggestions that hit 100% confidence If your application open to the public, it will likely get scanned a lot. Some of the Learning Suggestions will be to loosen your policies based on scanner traffic it sees, like this one that would've accepted a SQL injection attack suggestion from traffic that's clearly from a Veracode scanner Tips Reduce scanner traffic that hits ASM policy: Apply an iRule to your VIPs that have ASM policies that drops external IP-based requests. A lot of scanner traffic hits your VIPs by IP address instead of by hostname, and iRules process before ASM policies. So dropping IP-based traffic via iRule will drastically reduce the amount of bad ASM Learning Suggestions you get I use the attached iRule "irule_all_asm_VIPs" on all ASM VIPs. It has a line to increment the "triggered" field in a Statistics profile named "asm_irule_triggered," so you'll have to create the Statistics profile with the "triggered" field and attach it to the VIP before it will let you attach the iRule to the VIP. This makes sure you don't lose track of how many bad requests are hitting the device If ASM VIP has an existing iRule, irule_all_asm_VIPs must be attached first in order. See below for an automated way to attach this iRule to all ASM VIPs. Ongoing Maintenance Tasks: Enforce Ready Signatures ASM policies have a configured staging period (AKA Enforcement Readiness Period) for all new and modified Attack Signatures. Once this staging period is complete, they must be enforced manually Under Security > Application Security > Policy Building > Traffic Learning, there's an Enforcement Readiness Summary section where you can see ASM signatures that are Ready To Be Enforced. You can also Enforce Ready Entities on this page See here for a script I made that can be pushed from the Big-IQ to Enforce Ready Entities on all ASM Policies: https://community.f5.com/discussions/technicalforum/automate-asm-ready-to-be-enforced-attack-signatures/245055 If using Automatic Learning (not Fully Automatic Learning), periodically review Learning Suggestions at 100% confidence Manual Learning: Informational Manual Learning doesn’t accept any Learning Suggestions automatically Without the automation explained in this post or a full WAF team, it can be hard to manage many policies manually Tips Reduce scanner traffic that hits ASM policy. <see above> Ongoing Maintenance Enforce Ready Signatures <see above> Periodically Review Learning Suggestions at 100% confidence <see below for automation> Big-IQ Script Automation: Enforce Ready Entities <see above> https://community.f5.com/discussions/technicalforum/automate-asm-ready-to-be-enforced-attack-signatures/245055 Review Learning Suggestions Periodic reviews of Learning Suggestions can be tedious because there isn't a main overview page that tells you how many Learning Suggestions each policy has at 100% confidence. So without automation, you have to click through each policy one-by-one to see which policies need to be reviewed. I made the attached "Email Ready Learning Suggestions" script, that builds an HTML table line-by-line showing how many Learning Suggestions each policy has at 100% confidence, then uses the sendmail command to email it. There are 2 initial one-time setup commands at the top of the script you'll have to check first to make sure your F5 can send emails, and you'll have to replace email@example.com with your own email address in at the bottom. If it doesn't work after that, it's likely that your F5 SMTP traffic isn't allowed through a firewall Attach iRule and Statistics Profile to all ASM VIPs I made the attached "Attach iRule and Statistics Profile to all ASM VIPs" script that can be pushed from the Big-IQ to make a list of all VIPs with ASM policies, then attach the iRule if the VIP doesn't already have it. It doesn't remove existing iRules, and it puts this one first in the list if there are existing iRules Obviously for this to work, your F5 needs to already have the "irule_all_asm_VIPs" iRule and "asm_irule_triggered" Statistics profile created. The Statistics profile needs a field called "triggered" Cron Job Automation: Reset Log Statistics Profile Count, and Reset I use these 3 commands in a daily cron job that runs at midnight to send a syslog entry with the number of times an IP-Based request got dropped by the iRule, then reset the counter EXECUTIONS=$(tmsh show ltm profile statistics asm_irule_triggered | grep triggered | tail -n1 | sed s/"triggered"//) logger -p local0.notice "Daily number of IP-based requests that hit ASM iRule: $EXECUTIONS" tmsh reset-stats ltm profile statistics asm_irule_triggered
Big-IP ASM automatically removes my hostname
, but I don't see the violation reaching the threshold of 100. Hello everyone, Recently, my service has encountered an issue. In the evening, while everything was running normally, I received a block warning from ASM. Upon checking, I found that my hostname was automatically removed from the policy by ASM. I am using fully automatic as per this link: https://my.f5.com/manage/s/article/K000134503. However, the problem is that when I checked for violations, I did not see any violations related to violations="Illegal host name." So, why did it reach the threshold of 100 and remove my hostname? Could this be a bug? I checked that there were no accept suggestions at that time, only violations="Illegal repeated parameter name," which I do not think is the issue. Thank you.
ASM::unblock not working for specific violation
Hello there, I set an iRule for ASM that should unblock a specific violation: when ASM_REQUEST_DONE { set asm_support_id [ASM::support_id] if { $uri starts_with "/my/uri" and [ASM::violation names] contains "VIOL_ENCODING" } then { ASM::unblock } } This rule is not triggered for that specific violation. What am I missing? I would also like to point out that if I remove the second part of the IF and leave just the uri match, the rule triggers just fine. I am 100% sure the violation I am targeting is correct. Any clues on what is wrong with it? Thank you!
Custom attack signature syntax for multiple user agents
Hi, I want to create a custom attack signature that will block requests that contains specific user agents. I've already created a signature that blocks Python user agent, but I'm not sure how to add multiple ones to the same signature. Under "Rule" section, I use the Simple Edit Mode and I have set: Matched Element: Header Matched Criteria: Matches regular expression Keyword: User-Agent:.*[Pp]ython.* How do I add more user agents? ThanksAWAF Path Parameters with OPENAPI json file
Hi, Iam securing a API with a JSON OPENAPI file it mostly works fine however I have two positional parameters used in one url that seems to mask the following paths "/dqm/v1/projects/{customerId}/{pageNumber} &/dqm/v1/projects/projectDetails/{workRequestId}" The result is illegal parameter length violations on a url that is actually valid. the two paths have different operationId headers associated with them Does the WAF use the operationId to match the Path? It appears not as if I delete the operation Id from the api file then the policy matches the correct URL. Any assistance in ubderstanding what is happening and why is appreaciated. Allowed URL's extract from JSON openAPI file /dqm/v1/projects/{customerId}/{pageNumber}: get: tags: - customer-projects-controller operationId: getCustomerProjectsForIdperPage parameters: - name: customerId in: path required: true schema: type: string - name: pageNumber in: path required: true schema: type: string responses: '200': description: OK content: '*/*': schema: $ref: '#/components/schemas/CustomerProjectsResponse' /dqm/v1/projects/projectDetails/{workRequestId}: get: tags: - customer-projects-controller operationId: getProjectDetailswithID parameters: - name: workRequestId in: path required: true schema: type: string responses: '200': description: OK content: '*/*': schema: $ref: '#/components/schemas/ProjectDetailsResponse'Are the Bot protection "Browser Verification" and the DDOS "Client Side Integrity Defense" the same?
I recently needed to configure some Advanced WAF/ASM Bot defense profile and DDOS profile and I saw the two features "Client Side Integrity Defense" and the DDOS "Browser Verification". I knew them but I started asking myself are they the same feature but with the DDOS profile only after the DDOS threesholds being reached then this feature is activated and for the F5 Bot profile this feature if enabled always checks the web browsers if they support javascript. Basically if I enable Bot protection "Browser Verification" do I need at all to enable the DDOS "Client Side Integrity Defense" feature? Also with the DDOS "Client Side Integrity Defense" feature is the javascript inserted Before Access or After Access?Big-IQ snapshot management
Hello community, I have an interesting situation that I want to run by you guys and hopefully somebody/someone can give me a hand. We have in our environment 20 Big-IQ devices, handling nearly 500 devices (between LTMs, ASMs, DNSs and combination of them). Internally we have configured Big-IQs to trigger snapshots for all of them, the only difference we have is that we only keep snapshot files storaged in the Big-IQ is for ASMs. The rest of the modules keep their snapshots locally. Now, we want (need) to create a python script (basically because we make it run from a 3rd party solution that ssh into the Big-IQs and run that python script) to delete snapshots older than 30 days, for example. For that purpose, I have searched for several documentation regarding API for snapshot management on Big IQ , basically there are 2 API calls relevant for me: 1.- Snapshot checkup: GET /cm/<module>/tasks/snapshot-config/<id> 2.- Snapshot deletion: DELETE mgmt/cm/<module>/tasks/snapshot-config/<id> Now the values between <>, which are: 'module' and 'id', in our case module = asm and 'id' is for the snapshot we want to checkup and delete if meets the criteria. The thing here is that, we do not have any 'id' number, because the snapshots are created by several business units outside our team, where they log into the Big-IQ's GUI and deploy the snapshot manually. I have tried to send a GET request (via POSTMAN) using these variations (hoping some sort of response): GET /cm/<module>/tasks/snapshot-config/ GET /cm/<module>/tasks/snapshot-config/* But logically is expecting the 'id' value so it shoots back an error. NOTE: the 'id' is provided when you try the API call for snapshot creation: POST mgmt/cm/<module>/tasks/snapshot-config. That particular POST, only request the name of the snapshot as parameter and then provides the precious 'id' in return. So you can see my dilemma and where I am missing data. QUESTIONS: 1.- Is there any way to fetch the 'id' using any resource? 2.- where exactly is located the repository for these snapshots in the Big-IQ? I mean the Linux's bash prompt for each Big-IQ, I have searched and searched but I haven't found them... This would be a great peace of information. 3.- Is this the right approach? I found some information about 'restcurl' but I am not completely sure about this resource. Thanks.-
