patonbike_25784
Apr 28, 2018

Transparent ASM profile breaks RDS GW connection?

We have Web RDS/RDS gateway set up through the LTM (without APM), and when I apply the transparent ASM profile the gateway no longer works. Interestingly, the Gateway already has an HTTP profile and it works fine with the HTTP profile; it seems to be only when we apply the ASM profile that it causes a problem. Unfortunately I don't have a lot of details as to why it is happening. Any suggestions on where to go with this? We'd like the ASM profile on there for PCI compliance. I was thinking maybe a different attack signature set.

 

6 Replies

  • Do you get logged violations in the ASM Event log?

     

    Does your ASM profile implement DeviceID/Session Opening Tracking or other features that cause client-side JavaScript insertion?

     

    Do you have Dataguard enabled? This is also active even in a Transparent profile, and can modify content, impacting functionality.

     

    Many features of ASM can interfere with complex website operation, and some of these are independent of the blocking/transparent status of the policy.

     

    This can also be version dependent - what version of ASM are you using?

     

  • I do see violations ... right off the bat, there were a lot of character sets that the ASM thought were suspect, which seemed like it was more likely just binary traffic going through... with that being said, the HTTP profile has never caused a problem (alone). I am going to try ignoring the wildcard parameter and uncheck "Check characters on this parameter name".

     

    It may also be that ASM just cannot work with RDS GW due to the nature of the traffic. However, it'd be nice to have an ASM policy applied even if it's less restrictive.

     

    We're not using dataguard.

     

    We're using 11.5.4 HF4.

     

    Just found this - may be the issue: https://support.f5.com/csp/article/K17411

     

  • It looks like the method was slightly different for RDS GW. It's this:

     

    or ([HTTP::method] equals "RDG_IN_DATA") \
    or ([HTTP::method] equals "RDG_OUT_DATA") \

     

    I also excluded ([HTTP::path] equals "/KdcProxy") which I suspect may not be necessary but I ran out of time for testing.

     

    So the above 3 have ASM::disable on them and all functions well in the world of RDS gateways.
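
The exemption described in the last reply, written out as a complete iRule. This is an added example, not the poster's rule or the one in K17411. It assumes the rule is attached to the RDS gateway virtual server that carries the ASM policy; the log line is an addition so that every request skipped by ASM leaves a record.

```tcl
when HTTP_REQUEST {
    # Start from "inspect everything" and exempt only what the thread names.
    set asm_bypass 0

    # The two RD Gateway tunnel methods from the reply above.
    switch -- [HTTP::method] {
        "RDG_IN_DATA" -
        "RDG_OUT_DATA" { set asm_bypass 1 }
    }

    # The poster also excluded this path and was unsure it was required;
    # remove this check first when narrowing the exemption.
    if { [HTTP::path] equals "/KdcProxy" } {
        set asm_bypass 1
    }

    if { $asm_bypass } {
        # Added for auditing (not in the thread): record each request ASM does not see.
        log local0.info "ASM bypass: [IP::client_addr] [HTTP::method] [HTTP::host][HTTP::path]"
        ASM::disable
    }
}
```

Every other request on the virtual server still goes through the ASM policy, and the logged lines show exactly which traffic the exemption covers.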