Forum Discussion

Eljay's avatar
Eljay
Icon for Cirrus rankCirrus
Aug 12, 2021
Solved

Bypassing ASM on HTTP response

Is it possible to prevent ASM from blocking responses when there's a specific HTTP header present in the HTTP response? Let's say we block responses with HTTP status code 500 by default in our security policies, but is it possible to circumvent the ASM from blocking when the status code is 500 AND Content-Type = "application/problem-handled-return-to-client"? If possible, I'd like this to be generic so I can reuse the same solution in different VS's without changing code.

ASM Advanced WAF
devops
security
  • SanjayP's avatar
    SanjayP
    Aug 13, 2021

    Try with an iRule. use appropriate asm policy name.

    Use logging to see if condition is getting triggered and then it can be disabled. 

    when HTTP_RESPONSE  {
ASM::enable "/common/asm_policy"
if { ([HTTP::status] == 500) and ([HTTP::header value Content-Type] eq "application/problem-handled-return-to-client") }{
log local0.info "disable asm"
ASM::disable
return
   }
}

7 Replies

Sort By
  • SanjayP's avatar
    SanjayP
    Icon for Nacreous rankNacreous
    Aug 13, 2021

    Try with an iRule. use appropriate asm policy name.

    Use logging to see if condition is getting triggered and then it can be disabled. 

    when HTTP_RESPONSE  {
ASM::enable "/common/asm_policy"
if { ([HTTP::status] == 500) and ([HTTP::header value Content-Type] eq "application/problem-handled-return-to-client") }{
log local0.info "disable asm"
ASM::disable
return
   }
}
  • Eljay's avatar
    Eljay
    Icon for Cirrus rankCirrus
    Aug 17, 2021

    Thanks for your answer,  .

     

    I read about the HTTP_RESPONSE event in the F5 docs, https://clouddocs.f5.com/api/irules/HTTP_RESPONSE.html, but ASM::disable isn't mentioned as an available command. Is this command list complete?

     

    I also wonder, is it possible to extract ASM policy name from the HTTP_REQUEST? It makes it easier to make a generic iRule.

    • Eljay's avatar
      Eljay
      Icon for Cirrus rankCirrus
      Aug 27, 2021

      The solution for my last question above can be found here; https://devcentral.f5.com/s/question/0D51T00008nsiZGSAY/irule-to-extract-asm-policy-name

       

  • SanjayP's avatar
    SanjayP
    Icon for Nacreous rankNacreous
    Aug 18, 2021

    ASM::disable is valid command in HTTP_RESPONSE event.

    If you want to use generic one, you can remove ASM::enable command at the start of the iRule and test it ASM gets enabled in the response for every and all subsequent events​ after a match. But F5 recommends to enable it before disabling for specific traffic.

    • Eljay's avatar
      Eljay
      Icon for Cirrus rankCirrus
      Aug 19, 2021

      Something isn't working as expected. I use this simple code which I cut and pasted from https://clouddocs.f5.com/api/irules/HTTP_RESPONSE.html and made only a small change inside the IF-statement :

      when HTTP_RESPONSE {
 
  if { [HTTP::status] contains "500"} {
     log local0.debug "HTTP_RESPONSE - err: 500"
  }
 
}

      But when I make a request that triggers a 500 status code then I get this message in the LTM log:

       

      <date removed> <host removed> err tmm[14816]: 01220001:3: TCL error: /Common/asm-override <HTTP_RESPONSE> - Can't call after responding - ERR_NOT_SUPPORTED (line 1)   invoked from within "HTTP::status"

       

      We are using v15.1.2.1 with an Eng Hotfix.

       

      • Yiğit_Uslu's avatar
        Yiğit_Uslu
        Icon for Cirrus rankCirrus
        Aug 22, 2021

        Can't call after responding means most probably an event overlap is occurring. Checkout if there is another rule or policy attached to VS with HTTP_RESPONSE event.

        If so, combine both HTTP_RESPONSE event content in one iRule.

         

        Hope this helps