sys-team_172267
Jun 27, 2016

ASM disable and log requests

Hello,

 

After I disabled ASM by iRule (ASM::disable), should I still see requests under "Event Logs --> Application --> Requests"? I built an iRule that recognizes a specific URL path and disables ASM for those URLs, but unfortunately I still see requests under Event Logs (the ASM policy is still in transparent mode, so I can't know whether this iRule will have an effect or not). Is it normal to see those requests even though I configured this iRule, or is my iRule not having any effect at all?

 

Thanks Tomer.

 

9 Replies

  • I'm not overly familiar with that event status; however, thinking logically, the F5 may process the request to the ASM portion before the iRule has a chance to kick in.

     

  • I just tested this on 12.0 with a fairly basic configuration; HTTP VS, Log All Requests logging profile attached, ASM policy set to block for the 'curl' user agent and a test request.

     

    Once I added the iRule my request was no longer blocked and I no longer saw a log entry in the logging profile.

     

    Your test implies the request is, indeed, being processed via the ASM module. What iRule event are you using ASM::disable in? I tested with HTTP_REQUEST.

     

    • sys-team_172267
      Thank you guys for your help, this is my iRule:

      when ASM_REQUEST_DONE {
          set x [ASM::violation_data]
          if {([lindex $x 0] contains "VIOLATION_CHAR_CONV") && ([HTTP::path] equals "/request")} {
              log local0. "VIOLATION_CHAR_CONV detected"
              ASM::disable
          }
      }

      Unfortunately, I still see the requests log. I am sure that the iRule works because I also get the log entry from "log local0. "VIOLATION_CHAR_CONV detected"". Thank you.
    • AaronJB
      The problem you have here is that ASM_REQUEST_DONE is too late in the process to disable ASM; it has already processed the request and made the decision not to send it on to the origin web server. If the end game is granular control of the blocking mask on a per-URL basis then I think the best route forward would be separate policies and use the Local Traffic Policy to direct traffic to one or the other.
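
The event-ordering point in the reply above, as an added example that is not part of the original thread: the bypass decision is made in HTTP_REQUEST, before ASM evaluates the request, and is keyed on the path alone because violation data does not exist yet at that stage. The policy path `/Common/example_asm_policy` is a hypothetical placeholder, and passing a policy path to `ASM::enable` assumes the newer TMOS syntax rather than the argument-less form used elsewhere in this thread.

```tcl
# Added example (not from the thread): decide on the ASM bypass in HTTP_REQUEST,
# which runs before ASM processes the request. ASM_REQUEST_DONE fires only after
# ASM has already evaluated, logged and possibly blocked the request.
when HTTP_REQUEST {
    # Exact match on the path only; the query string is not part of HTTP::path.
    if { [HTTP::path] equals "/request" } {
        # Keep an audit trail in the LTM log, since the ASM request log
        # will no longer contain entries for bypassed requests.
        log local0.info "ASM bypass: [IP::client_addr] [HTTP::method] [HTTP::path]"
        ASM::disable
    } else {
        # Re-enable ASM for every other request so that a bypass does not
        # carry over to later requests on the same keep-alive connection
        # (assumed behaviour). The policy path is a hypothetical placeholder.
        ASM::enable /Common/example_asm_policy
    }
}
```

Keeping the match as narrow as possible (an exact path rather than a prefix) limits how much traffic reaches the origin without inspection.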
  • You can create a policy in the LTM and autopolicy for the respective VIP without any iRule. It will work. Please let me know if you need any additional details.

     

  • Hi Mate,

    You can block ASM check in two different ways. Either do it via an iRule or through the GUI (LTM policy).

    If you prefer an iRule, try the one below.

    when HTTP_CLASS_SELECTED {
        # Enable ASM by default for every request
        ASM::enable
        # Disable ASM only for the URI that should be excluded
        if { [HTTP::uri] starts_with "/uri" } {
            ASM::disable
        }
    }

    Your iRule is working, but you have allowed ASM to create a violation, and that's why it is notifying you as an event.

    If you prefer an LTM policy, remove the iRule and configure the policy as mentioned below.

    Local Traffic > Policies > asm_l7_policy_whatever.website.com > under Rules click on Add, give it a name, like policy_whitelist, operand: http-uri (leave rest of fields default) > condition: choose equals/contains/etc, value = your URI, click add, then click the Add further down where operand/event/etc is located.
    
    In the Actions area, target > asm, action > disable. Click Add where target/event/etc. are, and then Finished.
    
    Then, once back at the main policy page, do a re-order and move the policy_whitelist you created above default, so it will disable on the URI string prior to hitting the default ASM enable. Once you have done this once or twice, it is pretty simple and can be used a lot.
    

    Hope this helps.