daboochmeister
Aug 30, 2018 · Cirrus
ASM - Understanding why "Attack Signature Detected" did not block the access
Env: LTM 11.5.2; Context: Web application
We have an ASM security policy configured and applied to a VIP; the policy is in blocking mode, not transparent; all signatures have "Enforced" = "Yes". Policy Building is off for the policy.
Under those circumstances, if the WAF detects an attack signature, why would it not block the request? See attached picture - in our Event Log, we have many, many accesses that were allowed, but for which it noted an attack signature detected, and offers to learn it. I thought by explicitly enabling the signatures, and not being in policy building mode, it would be enforced -- no?
What steps can we take to ensure that all signatures are enforced in a way that blocks accesses?
Thank you.