Forum Discussion

silvio-m_373169's avatar
silvio-m_373169
Icon for Nimbostratus rankNimbostratus
Jan 30, 2019

Adhoc reports/email notification for ASM web application firewall in case of blocking

Hi there,

 

we use the ASM module to make a web portal more secure. If the Enforcement Mode of the security policy is set to "Blocking", the F5 could block false-positive requests too. To be aware of it - it is possible to send out an email notification of blocked requests like this?

 

"blocked URL", "detected attack signature / type of violation", "source IP", "user-agent", "date and time"

 

BIG-IP v12.1.3 (Build 0.0.378) * ASM, Unlimited

 

2 Replies

  • You can use the Scheduled reports feature and tick the checkbox "Send the report file via E-Mail as an attachment" and specify the target e-mail addresses in "Target E-Mail Address" field - read the manual here;

     

    https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-12-1-0/13.html

     

    This will only send the email with report on a schedule (e.g. every 6 hours), but it will be in PDF and will have a nice chart, so ideal for managers and network administrators. If you want realtime e-mails (one e-mail message per blocked request) then it is best to configure ASM Logging Profile to send logs to external logging system like Splunk and then have Splunk to send our e-mail alerts (be ready to get thousands of e-mails an hours though - Internet is a nasty place these days with lots of attack traffic!)