CirrostratusAs I am prepping for the 303 ASM exam I see asm has its own irule events.
I have used the unblock one in the past, however what are the use cases for the others?
I see one for creating a custom blocking page.
Also how are the normal and compatible modes to be used and what's the real difference. It seems they just control the moment when certain events are executed but how exactly is that useful in a real scenario?
Thanks.
EmployeeASM-related events let you interact witlh and potentially change application security policy behavior using an iRule. Three common events are ASM_REQUEST_DONE, ASM_REQUEST_BLOCKING, and ASM_RESPONSE violation. Any of these three need to be triggrered before the irule will fire, and the additional commands below give you more leverage over the event.
Here are some commands and example usage:
ASM::captcha -- Sends a CAPTCHA challenge to the client
ASM::captcha_age -- Returns the age of the sent CAPTCHA challenge
ASM::captcha_status -- Returns the status of the user's answer to the CAPTCHA challenge
ASM::client_ip -- Returns the IP address of the client that sent the request
ASM::disable -- Disables ASM processing on the request
ASM::enable -- Enables ASM processing on the request
ASM::fingerprint -- Returns the device ID of the client (if you have Device ID enabled)
ASM::microservice -- Returns the microservice matched for the request
ASM::payload -- Retrieves or replaces the payload collected by the system
ASM::policy -- Returns the name of the application security policy that applies to this request
ASM::raise -- Issues a user-defined violation on the current request (you must create the violation)
ASM::severity -- Returns the overall severity of violations found in the request
ASM::signature -- Returns a list of enforced or staged attack signatures detected in the request
ASM::support_id -- Returns the support ID of the current request
ASM::threat_campaigns -- Returns a list of threat campaigns detected in the request
ASM::unblock -- Unblocks a blocked request (perhaps you are blocking all clients from a disallowed geolocation, but you wish to allow a single IP address from that geolocation)
ASM::uncaptcha -- Overrides the CAPTCHA action for a request mitigated during a brute-force attack
ASM::violation -- Disables F5 Advanced WAF processing on the connection
ASM::violation_data -- Enables F5 Advanced WAF processing on the connection
Normal mode instructs ASM to invoke the event ASM_REQUEST_DONE after processing each request, regardless of whether the request triggered any violations. This gives you the opportunity to perform actions after ASM handles requests whether they trigger, or do not trigger, violations.
Compatibility mode instructs ASM to invoke the event ASM_REQUEST_VIOLATION after processing each request that triggered a violation. This gives you the opportunity to perform actions after ASM handles only requests which trigger violations. This was the only option available in versions prior to BIG-IP version 11.5.0