security policy
14 Topics

ASM not blocking
Hi all - I've been out of the loop using F5 for a couple of years and am just coming back to it. I'm having a problem with ASM/AWAF working properly. I have a virtual server pointing to a single node running Apache. When I hit the virtual IP that works fine. I've attached an ASM/AWAF security policy to that server.

Enforcement mode = Blocking
Policy Building Learning mode = Manual

I've included every attack signature group in the policy and moved all signatures out of staging to Enforced. I'm trying to get any signature to fire at this point. An easy one should be to trigger 200010468 ("/etc/passwd" access URI) or 200010156 ("passwd.txt" access). When requesting either URI, ASM is allowing the requests through. Looking at the log for one of the requests, I can see that it does trigger the /etc/passwd signature, but apparently is still in staging:

Decoded Request
Request actual size: 85 bytes
GET /etc/passwd HTTP/1.1
Host: 192.168.5.5
User-Agent: curl/7.64.0
Accept: */*

Response
Response logging was disabled

Violation Details
Attack signature detected [2]
Detected Keyword /etc/passwd
Attack Signature "/etc/passwd" access (URI)
Context URL
ActualURL /etc/passwd
Wildcard URL *-Staging
Applied Blocking Settings Staging

Am I missing a setting somewhere? This is the status for that particular signature in my security policy:

"/etc/passwd" access (URI) 200010468 Enforced

72 Views, 0 likes, 2 Comments

Inconsistent forwarding of HTTP/2 connections with layered virtual
Hi, I'm using a layered virtual configuration:

Tier1: Virtual applying SNI-Routing (only SSL persistence profile and LTM policy as described in https://www.devcentral.f5.com/kb/technicalarticles/sni-routing-with-big-ip/282018)
Tier2: Virtual applies SSL termination and delivers the actual application, with the required profiles, iRules, .... If required, an additional LTM policy is applied for URI-based routing and forwards to Tier3 VS.
Tier3 (optional, if required): Virtual delivers specific applications, like microservices, usually no monolithic apps.

This configuration is very robust and I have been working with it successfully for years. Important: The tier1 uses one single IP address and a single port. So all tier2 and tier3 virtuals MUST be externally available through the same IP address and port.

Now I have to publish the first HTTP/2 applications over this concept and see strange behavior of the BIG-IP.

User requests www.example.com. IP and port point to tier1 virtual.
Tier1 LTM policy forwards the requests, based on the SNI, to tier2 virtuals "vs-int_www.example.com".
Within www.example.com there are references to piwik.example.com, which is another tier2 virtual, behind my tier1 virtual.
User requests piwik.example.com. IP and port point to tier1 virtual.
Tier1 LTM policy forwards the requests to "vs-int_www.example.com" instead of "vs-int_piwik.example.com". Probably not based on SNI, but on the existing TCP connection.

I'm afraid that this behavior is a result of HTTP/2, especially because of the persistent TCP connection. I assume that, because the connection ID (gathered from browser devtools) for requests to www.example.com and piwik.example.com is identical. From the perspective of the browser I wouldn't expect such a behavior, because the target hostname differs. I didn't configure HTTP/2 in full-proxy mode, as described in several articles. I've just enabled it on the client-side. I would be very happy for any input on that.
Thanks in advance!

198 Views, 0 likes, 11 Comments

Applying ASM policy takes too long
Hi Experts, Need help to identify why applying policy in ASM takes long. In the below snapshot, you can see the "Applying Policy" keeps spinning for almost an hour. I think it is because of the learning mode selected as Automatic and Auto-Apply selected as Real-Time. Please advise.

567 Views, 0 likes, 2 Comments

ASM Application Security Policy Manual Configuration (Advanced)
Hi, In 13.1.0.7 (I am not sure if it was the same in 13.1.4 but for sure not like that in 12.1.x) when a security policy is applied via the Security tab of the VS configuration, the pop-up allowing you to disable or change the policy is gone. Instead an entry like this is presented:

Application Security Policy Manual Configuration (Advanced)

Why so? Is that some kind of weird improvement? With this change management becomes quite complicated:

There is no way to figure out which policy is attached to the VS (except checking the Resources > Policies section of the VS)
There is no easy way to change or disable the security policy (again Resources > Policies and detach the Local Traffic Policy pointing to the security policy)

What is the reason for this change? I can't see any benefits.

Piotr

601 Views, 0 likes, 4 Comments

Assign an existing Security Policy through Python SDK
Can I assign an existing Security Policy to an existing Virtual Server? Not a Local Traffic Policy. I have already created an Automatic Security Policy through the Deployment Wizard but I would like to automate the process through a Python script. Thanks in advance.

395 Views, 0 likes, 1 Comment

Activate a Policy through F5 Common Python
I tried to activate a policy, which is inactive once it is created, this way:

policy.modify(active=True)

Obviously it is wrong, as I have guessed from the answer, which is this one:

'{"code":401,"message":"Policy must be applied and/or activated by a Task"

What are the tasks and how can I have code to do this? Thanks in advance

576 Views, 0 likes, 1 Comment

ASM Application Security Policy Manual Configuration (Advanced)
Hi, In 13.1.0.7 (I am not sure if it was the same in 13.1.4 but for sure not like that in 12.1.x) when a security policy is applied via the Security tab of the VS configuration, the pop-up allowing you to disable or change the policy is gone. Instead an entry like this is presented:

Application Security Policy Manual Configuration (Advanced)

Why so? Is that some kind of weird improvement? With this change management becomes quite complicated:

There is no way to figure out which policy is attached to the VS (except checking the Resources > Policies section of the VS)
There is no easy way to change or disable the security policy (again Resources > Policies and detach the Local Traffic Policy pointing to the security policy)

What is the reason for this change? I can't see any benefits.

Piotr

248 Views, 0 likes, 0 Comments

Generic security Policy for All Virtual Servers
Is there the possibility to create a unique ASM Security Policy and assign that policy to a bunch of Virtual Servers? I mean like a common Policy for all of them: once the virtual servers are created, that policy is assigned to them.

241 Views, 0 likes, 1 Comment

Difference between Local Traffic Policy and Application Security Policy
Can someone give some explanation between these two kinds of policies and for what kind of servers they should be used? I mean, for example, depending on whether I have a web application or a MySQL db, or an ssh port etc... Thanks in advance

312 Views, 0 likes, 1 Comment

Scheduled Report - Top Attacks By Security Policy
Hello, I am looking to generate a scheduled report to display the top attacks by each security policy I have (4) and I am using v12.1.2. I navigate to "Security ›› Reporting : Scheduled Reports" and enter the required fields such as name, SMTP info, frequency, etc. But the question is obviously in the exact configuration of the report.

If I use... Dynamic Report Time Period: Last Week Show Results: Top 20 Top Report Criteria: Security Policy Select Measure: Requests .. then I get a report with a chart that shows the amount of requests each of those policies has received. Cool. But that is not exactly what I want. So I hit the plus button to "Use top result from security policy to report" > "Attack Type"

Is there any way that I can "Use ALL results from security policy to report > Attack Type" ?? Any other info on how I could get something like this working to see attack types / violation for the last week from all my policies is appreciated. It is hard to share this info with others when I can only see traffic from my largest virtual server in these reports.

257 Views, 0 likes, 0 Comments