ASM: "Illegal Request"
I have come across a weird problem. A user access was blocked, with a support ID displayed. After searching the event log withe the support ID, I found that there was no learning suggestion for the access request, and I could not "accept" the request: the text shown when having the mouse over the grayed-out button of "Accept" was "there was no violation". I had to configure "never block this IP address" to allow the request through. And the log entry showed that this was an "illegal" request. Is there a way to allow an "illegal" request through in this situation? The IP address based solution is only temporary as the user was on a dynamic address.
Generating irule logs, emails and reports for Shadow API Endpoints on the F5 BIG-IP AWAF/ASM device
Nowadays the F5 XC Distributed Cloud is all the rage for shadow API discovery and schema learning as seen in https://docs.cloud.f5.com/docs/how-to/app-security/apiep-discovery-control and for a good reason! The F5 BIG-IP does not have this option but with a little bit of irule code the shadow API endpoints can be discovered by creating an API security policy with irules enabled. As by default new URL will not be learned, you can enable this as to not only see the logs but also the learning suggestions. In the future there could be integration between F5 XC API protection and F5 AWAF/ASM to generate the OpenAPI/Swagger file by sending the API data from the F5 BIG-IP to the F5 XC Distributed Cloud WAAP API Protection service that will generate the OpenAPI/Swagger file, using the XC receiver features. You can review the discussion below: https://community.f5.com/t5/technical-forum/export-big-ip-awaf-urls-to-swagger-file/td-p/319845 Edit: Now there is an official article about sending the API traffic from F5 BIG-IP to XC for Swagger/OpenAPI file generation: https://community.f5.com/t5/technical-articles/apis-everywhere/ta-p/320688 This is limited to what F5 XC can do and there is no way to generate a new Swagger/OpenAPI files based on accepted new endpoints but it is still a good option for on-prem implementations. The below code is a modification of the code at https://clouddocs.f5.com/api/irules/ASM__unblock.html and https://clouddocs.f5.com/api/irules/ASM_REQUEST_DONE.html CODE: when ASM_REQUEST_DONE { log local0. "[ASM::violation_data] uri=[HTTP::uri]" set x [ASM::violation_data] for {set i 0} { $i < 7 } {incr i} { switch $i { 0 { } 1 { } 2 { } 3 { } 4 { } 5 { } 6 { } }} if {([lindex $x 5] contains "ATTACK_TYPE_FORCEFUL_BROWSING")} { log local0. "Illegal API endpoint detected for uri=[HTTP::uri]" ASM::unblock } } The ASM::unblock is added as if we want to just monitor and discover undocumented or shadow API but to have the ASM policy in blocking mode for anything else. Also just the Illegal URL violation still can be stopped under Traffic Learning but Alarm and Learn can be left enabled. Also custom SNMP and email notifications can be configured based on this message and for more info you can see https://my.f5.com/manage/s/article/K3727 and https://my.f5.com/manage/s/article/K3667 . Even ASM reports can be generated for this data. The same can be done for parameters and Methods !
ASM::unblock not working for specific violation
Hello there, I set an iRule for ASM that should unblock a specific violation: when ASM_REQUEST_DONE { set asm_support_id [ASM::support_id] if { $uri starts_with "/my/uri" and [ASM::violation names] contains "VIOL_ENCODING" } then { ASM::unblock } } This rule is not triggered for that specific violation. What am I missing? I would also like to point out that if I remove the second part of the IF and leave just the uri match, the rule triggers just fine. I am 100% sure the violation I am targeting is correct. Any clues on what is wrong with it? Thank you!
