Bug ID 928685: ASM Brute Force mitigation not triggered as expected

Last Modified: Apr 24, 2024

Affected Product(s):
BIG-IP ASM(all modules)

Fixed In:
16.1.0,, 15.1.3,,

Opened: Jul 20, 2020

Severity: 3-Major

Related Article: K49549213


Under certain conditions the Brute Force mitigation will not be triggered.


Brute Force mitigation is not triggered as expected.


- ASM enabled - Brute Force mitigation enabled


The following iRule will look for an issue with the authorization header and will raise an custom violation when this is happening: when ASM_REQUEST_DONE? {     if { [catch { HTTP::username } ] } {?      log local0. "ERROR: bad username";?      ASM::raise bad_auth_header_custom_violation ?    } }

Fix Information

Brute Force mitigation is now triggered as expected.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips