Manual Chapter : Configuring What Happens if a Response is Blocked

Applies To:

BIG-IP ASM

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1

Overview: Configuring what happens if a response is blocked

The Application Security Manager™ has a default blocking response page that it returns to the client when the client request, or the web server response, is blocked by the security policy. The system also has a login response page for login violations. You can change the way the system responds to blocked logins or blocked requests.

Note: The system issues response pages only when the enforcement mode is set to Blocking.

A security policy can respond to blocked requests in these ways:

  • Default response
  • Custom response
  • Redirect URL
  • SOAP fault

The system uses default pages in response to a blocked request or blocked login. If the default pages are acceptable, you do not need to change them and they work automatically. However, if you want to customize the response, or include XML or AJAX formatting in the blocking responses, you need to enable the blocking behavior first. You enable XML blocking on the XML profile, and AJAX blocking on the AJAX response page.

All default response pages contain a variable, <%TS.request.ID()%>, that the system replaces with a support ID number when it issues the page. Customers can use the support ID to identify the request when making inquiries.

Configuring responses to blocked requests

You can configure the blocking response that the system sends to the user when the security policy blocks a client request.
  1. On the Main tab, click Security > Application Security > Blocking > Response Pages.
    The Response Pages screen opens.
  2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. On the Default Response Page tab, for the Response Type setting, select one of the following options.
    Option / System Response to Blocked Request
    • Default Response: The system returns the system-supplied response page in HTML. No further configuration is needed.
    • Custom Response: The system returns a response page with HTML code that you define.
    • Redirect URL: The system redirects the user to a specified web page.
    • SOAP Fault: The system returns the system-supplied blocking response page in XML format. You cannot edit the text, but you need to select Use XML Blocking Response Page on the XML profile.
    The settings on the screen change depending on the selection that you make for the Response Type setting.
  4. If you selected the Custom Response option, you can either modify the default text or upload an HTML file.
    To modify the default text:
    1. For the Response Headers setting, type the response header you want the system to send.
    2. For the Response Body setting, type the text you want to send to a client in response to an illegal blocked request. Use standard HTTP syntax.
    3. Click Show to see what the response will look like.
    To upload a file containing the response:
    1. For the Upload File setting, specify an HTML file that contains the response you want to send to blocked requests.
    2. Click Upload to upload the file into the response body.
  5. If you selected the Redirect URL option, then in the Redirect URL field, type the URL to which the system redirects the user, for example, http://www.myredirectpage.com.
    The URL should be for a page that is not within the web application itself.
    For example, to redirect the blocking page to a URL with a support ID in the query string, type the URL and the support ID in the following format:
    http://www.myredirectpage.com/block_pg.php?support_id=<%TS.request.ID()%>
    The system replaces <%TS.request.ID()%> with the relevant support ID, so the blocked request is redirected to the URL with that support ID in the query string.
  6. Click Save to save your settings.
  7. To put the security policy changes into effect immediately, click Apply Policy.
If the enforcement mode is blocking and a request is blocked, the system displays the selected response page or redirects the user to another URL depending on the option you selected.
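To make the support ID substitution and the redirect caveat above concrete, here is an added Python example (not code from the manual or from the product): it renders a Custom Response from operator-supplied header and body text and builds the Location value for a Redirect URL. The header/body text, the support ID and the application hostname list are constructed samples, and the check that the redirect target lies outside the protected application is this example's own.

```python
from urllib.parse import urlsplit

# Placeholder the system replaces with the support ID (from the manual).
SUPPORT_ID_VAR = "<%TS.request.ID()%>"

# Constructed sample of what an operator might type in the Response Headers
# and Response Body fields of a Custom Response (not the product's default text).
CUSTOM_HEADERS = "HTTP/1.1 200 OK\r\nCache-Control: no-cache\r\nPragma: no-cache\r\nConnection: close"
CUSTOM_BODY = ("<html><body>The requested URL was rejected. "
               "Please consult with your administrator. "
               "Your support ID is: <%TS.request.ID()%></body></html>")


def render_blocking_response(headers_text: str, body_text: str, support_id: str) -> bytes:
    """Build the raw HTTP response a client would receive for a blocked request.

    The placeholder is substituted wherever it appears in headers or body, and a
    Content-Length is appended from the rendered body if the operator did not
    supply one (an assumption of this example, so the output is valid HTTP).
    """
    body = body_text.replace(SUPPORT_ID_VAR, support_id).encode()
    lines = [ln.strip().replace(SUPPORT_ID_VAR, support_id)
             for ln in headers_text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("Response Headers must start with an HTTP status line")
    if not any(ln.lower().startswith("content-length:") for ln in lines):
        lines.append(f"Content-Length: {len(body)}")
    return "\r\n".join(lines).encode() + b"\r\n\r\n" + body


def redirect_location(redirect_url: str, support_id: str, app_hosts: set) -> str:
    """Return the Location value for a Redirect URL response.

    Rejects targets whose host belongs to the protected application (app_hosts is
    a constructed set of the application's hostnames): the manual requires the
    redirect page to be outside the application, which would otherwise put the
    redirected request back under the same security policy.
    """
    host = urlsplit(redirect_url).hostname
    if host is None or host.lower() in {h.lower() for h in app_hosts}:
        raise ValueError(f"redirect target {redirect_url!r} is inside the protected application")
    return redirect_url.replace(SUPPORT_ID_VAR, support_id)


if __name__ == "__main__":
    sid = "1234567890123456789"  # constructed sample support ID
    print(render_blocking_response(CUSTOM_HEADERS, CUSTOM_BODY, sid).decode())
    print(redirect_location("http://www.myredirectpage.com/block_pg.php?support_id="
                            + SUPPORT_ID_VAR, sid, {"www.example-app.com"}))
```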

Configuring responses to blocked logins

You can configure the blocking response that the system sends to the user when the security policy blocks a client attempt to log in to the application.
  1. On the Main tab, click Security > Application Security > Blocking > Response Pages.
    The Response Pages screen opens.
  2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. On the Default Response Page tab, for the Response Type setting, select one of the following options.
    Option / System Response to Blocked Request
    • Default Response: The system returns the system-supplied response page in HTML. No further configuration is needed.
    • Custom Response: The system returns a response page with HTML code that you define.
    • Redirect URL: The system redirects the user to a specified web page.
    • SOAP Fault: The system returns the system-supplied blocking response page in XML format. You cannot edit the text, but you need to select Use XML Blocking Response Page on the XML profile.
    The settings on the screen change depending on the selection that you make for the Response Type setting.
  4. If you selected the Custom Response option, you can either modify the default text or upload an HTML file.
    To modify the default text:
    1. For the Response Headers setting, type the response header you want the system to send.
    2. For the Response Body setting, type the text you want to send to a client in response to an illegal blocked request. Use standard HTTP syntax.
    3. Click Show to see what the response will look like.
    To upload a file containing the response:
    1. For the Upload File setting, specify an HTML file that contains the response you want to send to blocked requests.
    2. Click Upload to upload the file into the response body.
  5. If you selected the Redirect URL option, then in the Redirect URL field, type the URL to which the system redirects the user, for example, http://www.myredirectpage.com.
    The URL should be for a page that is not within the web application itself.
    For example, to redirect the blocking page to a URL with a support ID in the query string, type the URL and the support ID in the following format:
    http://www.myredirectpage.com/block_pg.php?support_id=<%TS.request.ID()%>
    The system replaces <%TS.request.ID()%> with the relevant support ID, so the blocked request is redirected to the URL with that support ID in the query string.
  6. Click Save to save your settings.
  7. To put the security policy changes into effect immediately, click Apply Policy.
If a user violates one of the preconditions when requesting the target URL of a configured login page, the system displays the selected response page or redirect URL depending on the option you selected.

Customizing responses to blocked XML requests

You can configure the blocking response that the system sends to the user when the security policy blocks a client request whose XML content does not comply with the settings of an XML profile in the security policy.
Note: If you want to use the default SOAP response (SOAP Fault), you only need to enable XML blocking on the profile.
  1. On the Main tab, click Security > Application Security > Blocking > Response Pages.
    The Response Pages screen opens.
  2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. Click the XML Response Page tab.
  4. For the Response Type setting, select Custom Response.
  5. In the Response Headers field, type the response header you want the system to send.
    Tip: Paste the default response header to use the system response that you can then edit.
  6. In the Response Body field:
    • If you want to specify the content to send the client in response to an illegal blocked request, type the text using XML syntax.
    • To upload a file containing the XML response, specify an XML file and click Upload to upload the file into the response body.
    Click Show to see what the response will look like.
  7. Click Save to save your settings.
  8. Make sure that the XML profile the application is using has blocking enabled:
    1. On the Main tab, click Security > Application Security > Content Profiles > XML Profiles.
    2. Click the name of the XML profile used by the application.
    3. Make sure that the Use XML Blocking Response Page check box is selected.
    4. Click Update.
  9. To put the security policy changes into effect immediately, click Apply Policy.