F5 AWAF/ASM learning only from Trusted traffic?
I found this nice option "Only from Trusted Traffic" for the Policy Builder but this is seems to relevant only after the learning period has passed. I did increase the thresholds to the max possible value 1000000000 under "Loosen Policy" for "Untrusted Traffic "as to never learn from not trusted IP addresses in the initial learning period that is 7 days. I think that is the correct way ? I would have been nice to have a global option or option under "Loosen Policy" to learn from "Only from Trusted Traffic" like in "Track Site ".F5 AWAF/ASM ASM_RESPONSE_VIOLATION event seem to not trigger on 17.1.x
Hey Everyone, The F5 AWAF/ASM ASM_RESPONSE_VIOLATION event seem to not trigger on 17.1.x. I have enabled irules support the waf policy and I tested in Normal and Compatibility mode but no luck. The other events trigger without an issue. I created 2 custom signatures for response and request match and request match one has no issues so it seems a bug to me. This can be easily tested with the below irule that logs to /var/log/asm when ASM_REQUEST_DONE { log local3. "test request" } when ASM_RESPONSE_VIOLATION { log local3. "test response" } The custom response signature is in the policy to just trigger alarm. I tried string or regex match " (?i)failed " PCRE-style as F5 15.x and up are using this regex style.
Is it possible to select ASM BoT profile from irule?
Hi. . Is it possible to select BoT profile from irule? . Concept is we have different set of IP which need to allow "some" BoT type. That why we can't use whitelist IP in BoT profile because it will allow all BoT type. So We want to use iRule to check if it IP A > use BoT profile which have some exception, but if all other IP > use normally BoT profile. . when HTTP_REQUEST { # Check IP and select BoT profile from that if { [IP::client_addr] eq "A" } { ASM::enable allow_some_bot_profile } else { ASM::enable normally_bot_profile } } ps. I didn't see any document about how to select BoT profile. So I'm not sure if ASM::enable can do that.
[ASM] : SQL-INJ "end-quote UNION" - How to allow this signature to specific url/uri/parameter only
Hi Team , can someone explain me the attack type - end-quote UNION and the solution to allow this signature to specific url/uri/parameter only. Attack Type : SQL-Injection Detected Keyword : ,\"Valore\":\"UNION-GLASS0x20S.R.L.\"},{\&quo Attack Signature : SQL-INJ "end-quote UNION" (Parameter) Context : Parameter (detected in Form Data) Parameter Level : Global Parameter Value : \"ArrayValori\":null
How to allow Request getting blocked due to Malformed JSON data
Hi Everyone, I've little trouble understanding how i can allow this request. Requests are getting blocked at WAF end due to "Malformed JSON data" violation (Illegal character encountered - json syntax error -" / ") Can i allow / (forward slash) character to provide exception for this violation & keep malformed json data blocking setting as it is. and how can i achieve this.
F5 ASM XML processing - policy name.
Hello, we have an error message in logs: ASM out of memory error: event code X89 Exceeded maximum memory assigned for XML processing we have already increased both variables total_xml_memory and additional_xml_memory_in_mb to 4GB but they still appear. What i wanted to ask if its possible to identify which ASM policy generates these logs? Or which policy is responsible for the most of xml memory usage? Is it possible to create an irule that will check this and assign custom violation with policy name (and request details) that raised this violation regarding xml memory? Because as it is now we would have to further increase additional xml memory variable and maybe its better to troubleshoot why is it getting exceeded in the first place?
