Sinistrad_29710
Oct 11, 2017

Deep ASM logs

How can we know the reason why ASM is blocking a URL? Can we have more details on the blocking reason? Which part of the URL is causing the problem? In the ASM logs on the F5 I was not able to find this. Please advise.

 

Thanks!

 

4 Replies

  • A blocking response should be accompanied by a violation description. Do you see any violations for the blocked request(s) on the Traffic Learning page?

     

  • Usually this can be extracted using the Support ID displayed in your browser when the request is blocked. From the ID, if you have v13 software, you may go to the Security tab > Event Logs > Application > Requests and filter by the Support ID you got.

     

    Hope this is helpful!

     

    • Sinistrad_29710

      Yes, I checked, but the only reason is multiple encoding, so it doesn't help much to find the real reason for this blocking. Maybe we should check the ASM logs on the CLI to have more details.

       

    • F5_324021

      You can view the evasion technique violations logged by the BIG-IP ASM system:

      1. Log in to the Configuration utility.
      2. Navigate to Security > Event Logs > Application > Requests.
      3. From the Security Policy menu, select the security policy.
      4. In the filter details, select Evasion Technique Detected from the Violation menu. Click Go.
      5. To view the reason the violation was triggered, select the Evasion technique detected.

       

      Also, you can increase or decrease the number of decoding passes that the system attempts to achieve normalization before a violation will be triggered. For example, setting this value to 2 triggers a violation if more than one pass is required to decode the entity, allowing only single-encoded entities.

       

      Refer to the article below:

       

      https://support.f5.com/csp/article/K7929

       

      Hope this is helpful!
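
As an added example (not from any of the posters and not F5's code): a Python sketch that splits a blocked URL into path segments and query parameters and counts how many percent-decoding passes each one needs, to point at the part behind a multiple-decoding finding. It assumes plain %XX decoding via `urllib.parse.unquote`, which only approximates ASM's normalization; the sample URL is constructed, and `max_passes` follows the threshold semantics described in the reply above.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample: a double-encoded path segment and a double-encoded
# redirect parameter, next to a normally (singly) encoded "q" parameter.
SAMPLE_URL = ("/app/report%2520final/view"
              "?next=https%253A%252F%252Fexample.com%252Fhome&q=100%25&lang=en")

def decoding_passes(value, limit=10):
    """Percent-decode repeatedly; return (passes_needed, fully_decoded_value)."""
    passes = 0
    while passes < limit:
        decoded = unquote(value)
        if decoded == value:      # stable: nothing left to decode
            break
        value = decoded
        passes += 1
    return passes, value

def split_components(url):
    """Yield (label, raw_text) for path segments and query names/values, still encoded."""
    parts = urlsplit(url)
    for i, seg in enumerate(parts.path.split("/")):
        if seg:
            yield f"path[{i}]", seg
    if parts.query:
        for pair in parts.query.split("&"):
            name, _, val = pair.partition("=")
            yield f"param name {name!r}", name
            if val:
                yield f"param value {name!r}", val

def find_multiple_encoding(url, max_passes=2):
    """Return components needing at least max_passes decoding passes.

    Assumption taken from the reply above: a setting of 2 flags anything
    that needs more than one pass, so single-encoded values are allowed.
    """
    findings = []
    for label, raw in split_components(url):
        passes, final = decoding_passes(raw)
        if passes >= max_passes:
            findings.append((label, raw, passes, final))
    return findings

if __name__ == "__main__":
    for label, raw, passes, final in find_multiple_encoding(SAMPLE_URL):
        print(f"{label}: {raw!r} needs {passes} passes -> {final!r}")
```

Run it against the raw request line copied from the Requests log entry, since a browser address bar may already have decoded one layer.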