iRule to permit access on a specific URL from a source IP on the ASM

Hey guys,

One of my clients is issuing a URL to an F5 virtual server, but ASM is blocking the request because it's seeing it as an "Illegal URL" violation and its attack type is "forceful browsing". The URL is not learned from the ASM Security Policy, so I understand why it's being blocked.

Can an iRule permit this specific URL that is not allowed by the ASM Security Policy if the request is coming from a specific IP?

Thanks!


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Forceful browsing is an attack type, but not the specific violation. What is the access violation that's being reported on his connection attempt?


The specific violation is: "Illegal URL"

Can we write our iRule based on the attack type, like I have written below:

when ASM_REQUEST_VIOLATION {
 set x [ASM::violation_data]

 # log each of the seven elements returned by ASM::violation_data
 for {set i 0} { $i < 7 } {incr i} {
  switch $i {
   0 { log local0. "attack_type=[lindex $x $i]" }
   1 { log local0. "violation=[lindex $x $i]" }
   2 { log local0. "support_id=[lindex $x $i]" }
   3 { log local0. "web_application=[lindex $x $i]" }
   4 { log local0. "severity=[lindex $x $i]" }
   5 { log local0. "source_ip=[lindex $x $i]" }
   6 { log local0. "request_status=[lindex $x $i]" }
  }
 }

 # only the forceful-browsing attack type, and only from the one permitted source address
 if {([lindex $x 0] contains "ATTACK_TYPE_FORCEFUL_BROWSING") and ([IP::client_addr] equals "1.2.3.4") } {
  pool test_pool member 10.11.12.13 443
 }
}

Thanks!!


You might want to add ASM::disable into your actions as well:

when ASM_REQUEST_VIOLATION { 
 set x [ASM::violation_data]

 for {set i 0} { $i < 7 } {incr i} { 
  switch $i { 
   0 { log local0. "attack_type=[lindex $x $i]" } 
   1 { log local0. "violation=[lindex $x $i]" } 
   2 { log local0. "support_id=[lindex $x $i]" } 
   3 { log local0. "web_application=[lindex $x $i]" } 
   4 { log local0. "severity=[lindex $x $i]" } 
   5 { log local0. "source_ip=[lindex $x $i]" } 
   6 { log local0. "request_status=[lindex $x $i]" }
  }
 }

 # bypass only for the forceful-browsing attack type from the one permitted source address
 if {([lindex $x 0] contains "ATTACK_TYPE_FORCEFUL_BROWSING") and ([IP::client_addr] equals "1.2.3.4") } {
  ASM::disable
  pool test_pool member 10.11.12.13 443
 }
}

Thank you Cory for your help, but it didn't work. Do you have any other idea of an iRule that can be applied for the same reason?

Thanks.


Did the logging statements work? Exactly what didn't work?


Unfortunately I am not an expert with iRules. What do you mean by logging statements?


The 'log local0' statements in your for statement... Are the expected entries being written to /var/log/ltm?

I'm wondering if you should just remove the 'pool test_pool member 10.11.12.13 443' statement from your iRule and just disable ASM.


I have tried to remove the pool from the iRule and I am still getting the same error below in the ASM log:

[SECEV] Request blocked, violations: Illegal URL. HTTP protocol compliance sub violations: N/A. Evasion techniques sub violations: N/A. Web services security sub violations: N/A. Virus name: N/A. Support id: 15958200311141796981, source ip: 1.2.3.4, xff ip: N/A, source port: 41203, destination ip: 5.6.7.8, destination port: 443, route_domain: 0, HTTP classifier: /Common/test_class, scheme HTTPS, geographic location: , request: , username: , session_id: <1c92c42d2ac662b2>

It seems that the iRule is not triggering, no?


That's the ASM log entry. Is anything showing up in /var/log/ltm? When using local0, that should log to /var/log/ltm.

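As an added example, not code from any of the posters above, here is a narrower version of the iRule the thread converges on. Instead of disabling ASM for the whole request, it overrides the block with ASM::unblock and only when three conditions all hold: the attack type is the forceful-browsing one from the thread, the requested path is the single URL the client needs, and the client address is in an address data group. The data group name asm_url_bypass_ips and the path /api/legacy/export are assumptions (placeholders for the reader's own values); the example also assumes HTTP::path is usable in ASM_REQUEST_VIOLATION on the reader's BIG-IP version, which should be checked against the release notes. Every decision is written to local0, which lands in /var/log/ltm, so the first debugging step raised in the thread (do the log lines appear at all?) can be answered.

```tcl
# Added example, not from the thread. Assumes:
#  - an address-type data group "asm_url_bypass_ips" holding the trusted client address(es)
#  - the client's endpoint is /api/legacy/export (placeholder path)
when ASM_REQUEST_VIOLATION {
 set v [ASM::violation_data]
 set attack_type [lindex $v 0]
 set violation   [lindex $v 1]
 set support_id  [lindex $v 2]
 set client      [IP::client_addr]

 # Log every violation that reaches this event, so /var/log/ltm shows whether
 # the iRule fires at all and what ASM reported (support_id matches the ASM log entry).
 log local0. "ASM violation attack_type=$attack_type violation=$violation support_id=$support_id client=$client path=[HTTP::path]"

 # Lift the block only for the one attack type, the one URL and the allow-listed sources.
 # Every other violation, URL and client keeps the policy's blocking action.
 if { ($attack_type contains "ATTACK_TYPE_FORCEFUL_BROWSING")
      && ([HTTP::path] equals "/api/legacy/export")
      && ([class match $client equals asm_url_bypass_ips]) } {
  ASM::unblock
  log local0. "ASM block overridden support_id=$support_id client=$client path=[HTTP::path]"
 } else {
  log local0. "ASM block upheld support_id=$support_id client=$client path=[HTTP::path]"
 }
}
```

Keeping the source addresses in a data group rather than a literal in the iRule means the allow list can be changed without editing the rule, and the two log lines make the override auditable: grep /var/log/ltm for "ASM block overridden" to see exactly which requests bypassed the policy and from where.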