Forum Discussion
Thank you Youssef,
Ok. I was expecting your answer. I don't understand why this option is not provided by ASM. It's very useful to block a specific tree view (more than blocking one particular page). My objective was to limit the number of iRules we use. But not this time 😞
For now, as a workaround, we use an iRule to filter access to admin pages and raise an ASM event. If users come from the internet and not the intranet, admin pages are blocked.
Here is an example:
```tcl
when HTTP_REQUEST {
    # Normalize the URI: decode once, lowercase, keep exactly one leading slash
    set httpuri [string tolower [URI::decode [HTTP::uri]]]
    set httpuri [string trimleft $httpuri /]
    set httpuri /$httpuri
    set blockurl 0
    if { $httpuri starts_with "/admin" } {
        # INTRANET_POOL_IP is the data group holding the intranet client addresses
        if { [class match [IP::client_addr] equals INTRANET_POOL_IP] } {
            log local0. "MyApp - Access granted from [IP::client_addr] on [HTTP::host][HTTP::uri]"
        } else {
            # Flag the request; the violation is raised in ASM_REQUEST_DONE
            set blockurl 1
            log local0. "MyApp - Forbidden access from [IP::client_addr] on [HTTP::host][HTTP::uri]"
        }
    }
}
when ASM_REQUEST_DONE {
    if { $blockurl } {
        # Violation details as a flat list of name/value pairs
        set x {}
        lappend x "Requested URL" "\[HTTPS\][URI::decode [HTTP::uri]]" "Detection Cause" "Disallowed URL"
        ASM::raise VIOLATION_ILLEGAL_URL $x
    }
}
```
We have an ASM policy with a custom violation defined (with the option Trigger ASM iRule Events enabled in Advanced Policy Properties). We use that for:
- blocking evasion techniques (directory traversal and co)
- logging purposes
- user information
This is the only way we found to block admin pages with ASM.
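
The decision logic of the iRule above, modelled in Python so it can be checked offline against sample requests (an added example, not part of the original post and not F5 code). `unquote` stands in for `URI::decode`, and the network placed in `INTRANET_POOL_IP`, the client addresses and the URIs are all constructed for the example.

```python
import ipaddress
from urllib.parse import unquote

# Constructed stand-in for the INTRANET_POOL_IP data group (contents are an assumption).
INTRANET_POOL_IP = [ipaddress.ip_network("10.0.0.0/8")]


def normalize(uri: str) -> str:
    """Mirror the iRule: decode once, lowercase, force exactly one leading slash."""
    decoded = unquote(uri).lower()    # models [string tolower [URI::decode [HTTP::uri]]]
    return "/" + decoded.lstrip("/")  # models string trimleft, then "/$httpuri"


def is_intranet(client_ip: str) -> bool:
    """Models [class match [IP::client_addr] equals INTRANET_POOL_IP]."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in INTRANET_POOL_IP)


def decide(uri: str, client_ip: str) -> str:
    """'pass' = rule not triggered, 'granted' = intranet client, 'blocked' = blockurl set."""
    if not normalize(uri).startswith("/admin"):
        return "pass"
    return "granted" if is_intranet(client_ip) else "blocked"


# Constructed requests: (URI, client address, expected decision).
INTERNET, INTRANET = "203.0.113.7", "10.1.2.3"
CASES = [
    ("/admin/users", INTERNET, "blocked"),
    ("/admin/users", INTRANET, "granted"),
    ("/ADMIN/Users", INTERNET, "blocked"),      # lowercased before matching
    ("/%61dmin/users", INTERNET, "blocked"),    # percent-decoded once before matching
    ("///admin", INTERNET, "blocked"),          # leading slashes collapsed to one
    ("/index.html", INTERNET, "pass"),
    ("/administrator-guide.pdf", INTERNET, "blocked"),  # prefix is broader than /admin/
    ("/static/../admin/", INTERNET, "pass"),    # dot segments are not resolved here
]


def run_cases():
    """Return the cases whose decision differs from the expected one (empty if all agree)."""
    return [(u, ip, exp, decide(u, ip)) for u, ip, exp in CASES if decide(u, ip) != exp]


if __name__ == "__main__":
    for uri, ip, _ in CASES:
        print(f"{decide(uri, ip):8} {ip:12} {uri}  ->  {normalize(uri)}")
```

The last two cases mark the edges of the prefix test: it also matches any other path beginning with `/admin`, and it does not resolve dot segments, which is the directory-traversal handling the post assigns to the ASM policy.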
Hi
Indeed, it's a basic feature that we would need... I saw your iRule. It's a good job, with the ASM alert (thanks for sharing)...
Let me know if you need other things...
Regards