Forum Discussion
This might help: https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-5-0/37.html
- GGoran_276252 Jul 23, 2016 Nimbostratus
Hi, tnx for your answer. Maybe it isn't clear from my first post, but we managed to get antivirus checking on Symantec and blocking them on F5. So we have a basic functionality of the system.
What we would like to achieve is that when a virus is blocked, to have F5 generate a blocking response page for the end user. How to do this is unclear to us.
When a virus is blocked, this is considered a security violation on F5. How can we use this violation to trigger a response page for the user? Maybe it's unimportant, but we're missing Response Status Code which is set to N/A.
Policy in blocking mode (EICAR test virus uploaded):
Policy in transparent mode (response code 200 OK, same file uploaded):
I've looked over F5 Guide for blocking response page, and it just states that we can use default or customized response pages. I've checked this Guide
Also, do we need to use iRules for this? I'd be happier without them :)
Regards, Goran
- boneyard Jul 23, 2016 MVP
in principle this should just work, if an ASM policy is violated then that page is shown if you didn't make any extreme changes. do you get the blocking page when you violate something else?
your whole policy might be in blocking but what about the specific "Virus detected" setting?
this is set in Blocking section up to 11.6 and (which took me some time to find) from 12.0 here:
Security ›› Application Security : Policy Building : Learning and Blocking Settings
- GGoran_276252 Jul 23, 2016 Nimbostratus
Hi there, we have never seen a blocking page kicking in (even for critical events, there was just no need for alerting users about it). No extreme changes were made to the configuration. Is it supposed to show up for any policy violation if once turned on? What could be the reason for it not showing up, maybe it is never triggered? Is there more to this in terms of configuring more options?
Setting "Virus detected" is checked for all three options (Learn, Alarm and Block), and policy is indeed in Blocking mode (1st picture in the comment I made above). F5 Guide states that for "Virus detected" we should check only Alarm or Alarm and Block. Maybe this is the reason for not triggering blocking response page, although it would be a bit strange?
I don't have access to our customer's site over the weekend, but I could re-check this on Monday and report back here.
- boneyard Jul 23, 2016 MVP
if you take a default ASM policy, put it in blocking and violate the policy then the response page should show up. it will have something like:
The requested URL was rejected. Please consult with your administrator.
i would take a step back and make sure it happens for other violations, can't say which as i don't know your exact policy. it might be a good moment to involve f5 support or someone with more ASM experience to make sure that part is ok.
while i'm thinking about it, perhaps you are running into a caching issue. have you tried to clear all cache, bypass any proxy, restart browser and all such things?
- GGoran_276252 Jul 23, 2016 Nimbostratus
Thanks for the suggestions. Haven't tried clearing browser cache or even tried with another browser, in the whole process of rechecking various settings on various appliances I honestly didn't even think of it :)
Ok on Monday I will try that and also monitor more closely what happens with other policy violations, hopefully something will be different this time and reveal to me what's wrong with this configuration.
If no success, I'll try raising a ticket with F5 support. Thanks again!
Regards, Goran