About shun list for L7 DDoS?
Hello everyone, I'm having some problems setting up my L7 DDoS settings. I can successfully run the L7 DDoS defense against source IP in the settings. https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-12-1-0/4.html According to the article linked below, when detected by F5 L7 DDoS, it will be added to a shun list first. I can currently find out about which IPs are being blocked also in the following screen... Is there any way to find out which IPs are currently on the shun list by L7 DDoS ? If I find that a Source IP is currently being blocked by L7 DDoS, is there any way to unblock it? Any help is appreciate. Thanks.
Windows PowerShell "cp" execution attempt (Parameter)
Hello everyone. In a security policy I am alarmed by an attack signature due to the detection of "cp", this identifies it as a command, however, it is part of the character string that is used to fill out a form on our website. How could this be mitigated without disabling said attack signature?Get associated pool name from VIP IP using F5-LTM
I am trying to get the pool name from the VIP IP which I am getting from a input file, but I am unable to get any cmdlet related to that ``` $secpasswd = ConvertTo-SecureString "" -AsPlainText -Force $MyLTM_IP = "12.16.16.8" $mycreds = New-Object System.Management.Automation.PSCredential "rk", $secpasswd $session = $null #Create an F5 session $session = New-F5Session -LTMName $MyLTM_IP -LTMCredentials $mycreds -PassThru $get_data = Import-Csv -Path "D:\f5\IP_Addition_Input.csv" $VIP_IP = $get_data.VIPIP ``` Please let me know how can I get the pool name. going forward I have a add nodes to that pool. I am using `F5-LTM` module ``` # Download latest version $webclient = New-Object System.Net.WebClient $url = "https://github.com/joel74/POSH-LTM-Rest/archive/master.zip" Write-Host "Downloading latest version of F5-LTM from $url" -ForegroundColor Cyan $file = "$($env:TEMP)\F5-LTM.zip" $webclient.DownloadFile($url,$file) Write-Host "File saved to $file" -ForegroundColor Green # Unblock and decompress Unblock-File -Path $file $targetondisk = "$($env:USERPROFILE)\Documents\WindowsPowerShell\Modules" # no need to handle, this folder should just exist New-Item -ItemType Directory -Force -Path $targetondisk -ErrorAction SilentlyContinue | out-null # Unzip Write-Host "Uncompressing the Zip file to $($targetondisk)" -ForegroundColor Cyan $shell_app=new-object -com shell.application $zip_file = $shell_app.namespace($file) $destination = $shell_app.namespace($targetondisk) $destination.Copyhere($zip_file.items(), 0x10) # Rename and import Write-Host "Renaming folder" -ForegroundColor Cyan if (Test-Path ($targetondisk+"\F5-LTM")) { Write-Host "Removing prior $($targetondisk+"\F5-LTM") folder" -ForegroundColor Yellow Remove-Item -Recurse -Force -Path ($targetondisk+"\F5-LTM") | out-null } Move-Item -Path ($targetondisk+"\POSH-LTM-Rest-master") -Destination "$($targetondisk+"\F5-LTM")" -Force | out-null Write-Host "Module has been installed" -ForegroundColor Green Import-Module -Name "$($targetondisk+"\F5-LTM\F5-LTM")" # Zip file has a sub F5-LTM folder with the module Get-Command -Module F5-LTM <#!-------------------#> ```
ASM::unblock not working for specific violation
Hello there, I set an iRule for ASM that should unblock a specific violation: when ASM_REQUEST_DONE { set asm_support_id [ASM::support_id] if { $uri starts_with "/my/uri" and [ASM::violation names] contains "VIOL_ENCODING" } then { ASM::unblock } } This rule is not triggered for that specific violation. What am I missing? I would also like to point out that if I remove the second part of the IF and leave just the uri match, the rule triggers just fine. I am 100% sure the violation I am targeting is correct. Any clues on what is wrong with it? Thank you!Generating irule logs, emails and reports for Shadow API Endpoints on the F5 BIG-IP AWAF/ASM device
Nowadays the F5 XC Distributed Cloud is all the rage for shadow API discovery and schema learning as seen in https://docs.cloud.f5.com/docs/how-to/app-security/apiep-discovery-control and for a good reason! The F5 BIG-IP does not have this option but with a little bit of irule code the shadow API endpoints can be discovered by creating an API security policy with irules enabled. As by default new URL will not be learned, you can enable this as to not only see the logs but also the learning suggestions. In the future there could be integration between F5 XC API protection and F5 AWAF/ASM to generate the OpenAPI/Swagger file by sending the API data from the F5 BIG-IP to the F5 XC Distributed Cloud WAAP API Protection service that will generate the OpenAPI/Swagger file, using the XC receiver features. You can review the discussion below: https://community.f5.com/t5/technical-forum/export-big-ip-awaf-urls-to-swagger-file/td-p/319845 Edit: Now there is an official article about sending the API traffic from F5 BIG-IP to XC for Swagger/OpenAPI file generation: https://community.f5.com/t5/technical-articles/apis-everywhere/ta-p/320688 This is limited to what F5 XC can do and there is no way to generate a new Swagger/OpenAPI files based on accepted new endpoints but it is still a good option for on-prem implementations. The below code is a modification of the code at https://clouddocs.f5.com/api/irules/ASM__unblock.html and https://clouddocs.f5.com/api/irules/ASM_REQUEST_DONE.html CODE: when ASM_REQUEST_DONE { log local0. "[ASM::violation_data] uri=[HTTP::uri]" set x [ASM::violation_data] for {set i 0} { $i < 7 } {incr i} { switch $i { 0 { } 1 { } 2 { } 3 { } 4 { } 5 { } 6 { } }} if {([lindex $x 5] contains "ATTACK_TYPE_FORCEFUL_BROWSING")} { log local0. "Illegal API endpoint detected for uri=[HTTP::uri]" ASM::unblock } } The ASM::unblock is added as if we want to just monitor and discover undocumented or shadow API but to have the ASM policy in blocking mode for anything else. Also just the Illegal URL violation still can be stopped under Traffic Learning but Alarm and Learn can be left enabled. Also custom SNMP and email notifications can be configured based on this message and for more info you can see https://my.f5.com/manage/s/article/K3727 and https://my.f5.com/manage/s/article/K3667 . Even ASM reports can be generated for this data. The same can be done for parameters and Methods !
