Forum Discussion

Nimbostratus

Oct 09, 2017

Allow vuln scanner or pen tester access dynamically? One time code, OTP, comparison?

We would like to allow vulnerability scanners or pen testers to send requests without being blocked on an ad hoc basis without our intervention. Currently we have to add a temporary IP address except...

Cirrocumulus

Oct 16, 2017

It is certainly possible to do with an iRule and a datagroup containing a list of codes (or allowed IP addresses which is much easier to implement). Lists of codes/IP Addresses are easier to manage in a datagroup rather than constantly adding/removing IP address exceptions in ASM policies.

you would simply use ASM:disable command if the request contains your X-SCAN-TESTING header

https://devcentral.f5.com/wiki/iRules.ASM__disable.ashx

having an iRule to connect and retrieve OTP from an external source is a bit over-engineering for such a simple problem, but it is certainly possible

You can also have the solution with no iRule at all and just put all the rules of header checking into the local traffic policy

Forum Discussion

Allow vuln scanner or pen tester access dynamically? One time code, OTP, comparison?

Recent Discussions

how can I find the software version is 32 bit or 64 bit from LTM 15.1.10.4

(How) can I get two client certificates in one APM session?

Open Redirection Mitigation

BIG-IP DNS iRule issue with static variable

Using okta as SSO to login F5 GUI

Related Content

Reviewing vulnerability scanner results for an Access Policy Manager (APM) protected Virtual Server

Code comparison between deploying AS3 or FAST API Declarations with Ansible and Terraform

Reviewing vulnerability scanner results for an APM protected Virtual Server - part two

SteganoAmor, Fake IP Scanner, MITRE Corporation Breach - April 14-20, 2024 - This Week in Security

Case Insensitive Comparisons