unblock
18 Topics

About shun list for L7 DDoS?
Hello everyone, I'm having some problems setting up my L7 DDoS settings. I can successfully run the L7 DDoS defense against a source IP in the settings. https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-12-1-0/4.html According to the article linked below, when detected by F5 L7 DDoS, it will be added to a shun list first. I can currently also find out which IPs are being blocked in the following screen... Is there any way to find out which IPs are currently on the L7 DDoS shun list? If I find that a source IP is currently being blocked by L7 DDoS, is there any way to unblock it? Any help is appreciated. Thanks.

Windows PowerShell "cp" execution attempt (Parameter)
Hello everyone. In a security policy I am alarmed by an attack signature due to the detection of "cp"; it identifies it as a command, however, it is part of the character string that is used to fill out a form on our website. How could this be mitigated without disabling said attack signature?

Can iRule forward request to pool after ASM block without ASM::unblock?
Hello expert, I have written an iRule that, when a request is blocked, forwards it to another pool without any problems. It is done!

```
when ASM_REQUEST_DONE {
    if { [ASM::status] equals "blocked" } {
        ASM::unblock
        HTTP::uri "/"
        pool pool_blockpage
    }
}
```

I'm asking if there is a way to have blocked traffic directed to another pool without unblocking it? Any help is appreciated.

Get associated pool name from VIP IP using F5-LTM
I am trying to get the pool name from the VIP IP, which I am getting from an input file, but I am unable to find any cmdlet related to that.

```
$secpasswd = ConvertTo-SecureString "" -AsPlainText -Force
$MyLTM_IP = "12.16.16.8"
$mycreds = New-Object System.Management.Automation.PSCredential "rk", $secpasswd
$session = $null
# Create an F5 session
$session = New-F5Session -LTMName $MyLTM_IP -LTMCredentials $mycreds -PassThru
$get_data = Import-Csv -Path "D:\f5\IP_Addition_Input.csv"
$VIP_IP = $get_data.VIPIP
```

Please let me know how I can get the pool name. Going forward I have to add nodes to that pool. I am using the `F5-LTM` module.

```
# Download latest version
$webclient = New-Object System.Net.WebClient
$url = "https://github.com/joel74/POSH-LTM-Rest/archive/master.zip"
Write-Host "Downloading latest version of F5-LTM from $url" -ForegroundColor Cyan
$file = "$($env:TEMP)\F5-LTM.zip"
$webclient.DownloadFile($url,$file)
Write-Host "File saved to $file" -ForegroundColor Green

# Unblock and decompress
Unblock-File -Path $file
$targetondisk = "$($env:USERPROFILE)\Documents\WindowsPowerShell\Modules"
# no need to handle, this folder should just exist
New-Item -ItemType Directory -Force -Path $targetondisk -ErrorAction SilentlyContinue | out-null

# Unzip
Write-Host "Uncompressing the Zip file to $($targetondisk)" -ForegroundColor Cyan
$shell_app = new-object -com shell.application
$zip_file = $shell_app.namespace($file)
$destination = $shell_app.namespace($targetondisk)
$destination.Copyhere($zip_file.items(), 0x10)

# Rename and import
Write-Host "Renaming folder" -ForegroundColor Cyan
if (Test-Path ($targetondisk+"\F5-LTM")) {
    Write-Host "Removing prior $($targetondisk+"\F5-LTM") folder" -ForegroundColor Yellow
    Remove-Item -Recurse -Force -Path ($targetondisk+"\F5-LTM") | out-null
}
Move-Item -Path ($targetondisk+"\POSH-LTM-Rest-master") -Destination "$($targetondisk+"\F5-LTM")" -Force | out-null
Write-Host "Module has been installed" -ForegroundColor Green
Import-Module -Name "$($targetondisk+"\F5-LTM\F5-LTM")" # Zip file has a sub F5-LTM folder with the module
Get-Command -Module F5-LTM
<#!-------------------#>
```

allow one url from blocks geolocation
I have published a service from the WAF and I block URLs in all countries except KSA, and I have one URL allowed from Aruba. I used the iRule below but it didn't work.

```
when HTTP_REQUEST {
    if { ([string tolower [HTTP::uri]] eq "GET /Arabic/MediaCenter/News/Pages/Infectious-Disease-Week.aspx HTTP/1.1") and ([whereis [IP::client_addr] country] ne " Sweden") } {
        ASM::unblock
    } else {
        return
    }
}
```

ASM::unblock not working for specific violation
Hello there, I set an iRule for ASM that should unblock a specific violation:

```
when ASM_REQUEST_DONE {
    set asm_support_id [ASM::support_id]
    if { $uri starts_with "/my/uri" and [ASM::violation names] contains "VIOL_ENCODING" } then {
        ASM::unblock
    }
}
```

This rule is not triggered for that specific violation. What am I missing? I would also like to point out that if I remove the second part of the IF and leave just the URI match, the rule triggers just fine. I am 100% sure the violation I am targeting is correct. Any clues on what is wrong with it? Thank you!

Exception for GeoBlocked Country, Without Allow-Listing a specific IP
We are geo-blocking users from China, but some users are trying to ship goods and need to access certain guidelines regarding the types of goods that are allowed. The security policy that governs access to this application also applies to several other applications. I am concerned that allow-listing the specific IP addresses of those users could potentially open up a security loophole. We are in a bit of a pickle and exploring the best way to address this issue without compromising security protocols. Any suggestions would be appreciated. I tinkered and composed this iRule. I am uncertain about the last part... (ignore private.url as I don't want to post it publicly here)

```
when CLIENT_ACCEPTED {
    # Initialize a variable to hold the block status
    set blocked_ip 1
}

when HTTP_REQUEST {
    # Check if the request is for the specific full URL and the client is from China
    if { ([HTTP::host] equals "private.url") and ([HTTP::uri] equals "/substances-search/Substance?lang=en") and ([whereis [IP::client_addr] country] equals "CN") } {
        # Tentatively allow access, pending the ASM check
        set blocked_ip 0
    }
}

when ASM_REQUEST_DONE {
    # Check if the request is blocked by ASM
    if { [ASM::status] eq "blocked" } {
        # If it's due to geolocation and the specified conditions are met, unblock
        if { [ASM::violation names] contains "VIOLATION_ILLEGAL_GEOLOCATION" and $blocked_ip == 0 } {
            ASM::unblock
            log local0. "[ASM::violation_data] unblocked for [IP::client_addr]"
        } else {
            # For other violations, ensure the request remains blocked
            set blocked_ip 1
        }
    }
}

when HTTP_RESPONSE {
    # If the block status is true, respond with a 403 Forbidden
    if { $blocked_ip == 1 and [ASM::status] eq "blocked" and ![ASM::violation names] contains "VIOLATION_SQL_INJECTION" } {
        HTTP::respond 403 content "Access denied" "Content-Type" "text/plain" "Connection" "close"
    }
}
```

How could I exclude Vulnerability scanners from Session Tracking?
I have enabled session tracking on an application and it has quickly blocked my vulnerability scanner. Of course this is "scan interference" and makes the results invalid. The options on the IP Address Exceptions page allow me to "Never Block" the IP, but then I get false results and ASM is not providing any protection. Because I've seen that when blocked by Session Tracking the other violations were still recorded in the logs, I thought this may work as an iRule:

```
when ASM_REQUEST_DONE {
    if { ([ASM::violation count] equals 1) && ([ASM::violation names] eq "VIOL_SESSION_AWARENESS") && ([IP::addr [IP::client_addr] equals n.n.n.n]) } {
        ASM::unblock
    }
}
```

But it didn't; the connections were still blocked when the session tracking count was reached. Can anyone suggest something to try next?

CMS causing False Positives
Hello, I am recently seeing many false positives relating to a CMS (Kentico EMS) on one of my F5 ASM policies. As it is a CMS and the marketing department would be editing web sites etc., we are seeing many requests being blocked due to various injection attack signatures. The users, and app developers, are getting frustrated with the amount of false positives. Is there any recommended set-up, such as which attack signatures to include in the learning and blocking settings for a CMS? Trawling through the traffic learning, it's hard to determine which attack signature suggestions to disable, as it is difficult to ascertain which are true false positives and which are actual injection attempts. We are running a manual policy.