Forum Discussion
About HTTP protocol compliance failed
Hello,
Lately, I've been tweaking the "HTTP protocol compliance failed" settings in detail.
1. In this case, there is an enable option to get the "alert" event logs
2. In this case, there is an enable option to "block" behavior
If I only want one of the blocks and the others are just alarm
(For example, only "Null in request" is blocked, but the others are just alerts.)
What should I do?
Any help is appreciated.
Hi SanYang,
When configuring HTTP Protocol Compliance options, F5 recommends that you examine the Traffic Learning report before disabling any sub violations that were triggered by the HTTP Protocol Compliance option. The Traffic Learning report is located under Policy Builder within Application Security.
The HTTP Protocol Compliance violation is comprised of a list of individual sub violations which perform HTTP validation checks. You can configure the Learn, Alarm, and Block settings for the HTTP Protocol Compliance violation in the Settings section of the Blocking page. Sub violations can be enabled and disabled individually within the HTTP Protocol Compliance section of the Configuration utility.
If a violation is triggered due to a match of one or more of the HTTP Protocol Compliance sub-options, the HTTP Protocol Compliance option which failed along with the name of the sub violation will be listed in the Request log or the Policy Builder Learning screen.
- Click on the Alarm check box to turn off all HTTP Protocol Compliance checks. Note: this will affect ALL traffic coming through this policy. If you have a small number of URLs that are non-compliant, consider using a Local Traffic Policy to bypass ASM for that specific URL as shown in Manual Chapter : Configuring ASM with Local Traffic Policies
- Click on the Block check box to turn off all HTTP Protocol Compliance checks. Note: this will affect ALL traffic coming through this policy. If you have a small number of URLs that are non-compliant, consider using a Local Traffic Policy to bypass ASM for that specific URL as shown in Manual Chapter : Configuring ASM with Local Traffic Policies
Note: F5 does not recommend turning off all HTTP compliance Checks unless required, due to the holes left in the protections by doing so.
Note: You can be more precise as to what you open by choosing to not block only specific HTTP protocol checks, rather than disabling all of them at once.
Please refer to the following article, which has great details:
https://f5-agility-labs-waf.readthedocs.io/en/latest/class3/module2/lab1/lab1.html
HTH
Best Regards
F5 Design Engineer
- SanYangCirrus
Hi F5_Design_Engineer ,
Thanks for your reply.
What do I do if I want the "Null in request" in HTTP protocol compliance failures to be a block and all other behavior to be an alert?
Hi Sanyang,
You can configure Microservice. Microservices is an application development concept that separates the development process into smaller, logical segments. Using a microservices architecture approach can speed the development process and improve application modularity.
Please note that BIG-IP ASM Microservices Override is not an option without an Advanced WAF License.
You must have Advanced WAF License to use this feature.
Starting in BIG-IP 14.1.0 you can create security policy configurations that accommodate applications and microservices and you can define Microservices.
For example, you can create a single policy to protect a web application that consists of multiple microservices, and then customize the policy for some or all of the microservices.
Additionally, you can override the security policy's default enforcement setting, and specify a different enforcement setting for a specific microservice. You can then review the resulting traffic learning suggestions for the microservice.
When a Microservice is defined with a security policy and the traffic passing through the policy matches the defined Microservice, the security policy will use the defined settings within the Microservice itself.
- Traffic not being handled how the general security policy is defined
- Example would be if you see an illegal request and you believe the request should be blocked based on the general security policy settings
When you define a Microservice within your security policy it will have its own settings. The different areas that can be defined are the following:
- Evasion technique detected and the ability to Enable, Learn and Override within this
- HTTP protocol compliance failed and the ability to Enable, Learn and Override within this
- The overall enforcement setting for the Microservice itself
If you are seeing traffic that is flagged as illegal and you believe it should be blocked or vice versa please check to see if you have defined a Microservice that matches the traffic.
If a Microservice is defined for the application traffic in question then the security settings for the Microservice will take precedence over the setting defined within the general policy.
The following microservice configurations are possible:
- The security policy is in Blocking mode with one or more microservices in Transparent mode.
- The security policy is in Blocking mode with blocking settings overrides for microservices.
- The security policy is in Transparent mode with one or more microservices in Blocking mode.
Prerequisites
You must meet the following prerequisites to use this procedure:
- You have access to the Configuration utility.
- You have determined the hostname and URL for the microservice that you want to add to the policy.
Viewing traffic learning suggestions for a microservice
You can view and manage learning suggestions for a microservice so you can adjust the security policy based on traffic patterns. To do so, perform the following procedure:
Impact of procedure: Performing the following procedure should not have a negative impact on your system.
- Log in to the Configuration utility.
- Navigate to Security > Application Security > Policy Building > Traffic Learning.
- In the Traffic Learning Summary section, expand the Enforcement By Microservice option.
- Click the microservice and review the traffic learning suggestions.
To add exceptions to the Policy learning and Blocking setting
Security ›› Application Security : Policy Building : Learning and Blocking Settings
You can go from here:
You can see learning mode suggestions here
Security ›› Application Security : Policy Building : Traffic Learning
You can find more such implementations in great detail here:
https://techdocs.f5.com/en-us/bigip-17-0-0/big-ip-asm-implementations.html
Very good to read
https://community.f5.com/t5/technical-forum/enforcement-readiness-summary-and-http-protocol-compliance/td-p/79051
For more details on Advanced WAF additional features please refer:
HTH
- SanYangCirrus
Hi F5_Design_Engineer ,
Thanks for your teachings.
But I don't know why I can't get the lab to work...
The original setup
(1) I entered the lab based on the two items in the red box
(2) Event logs (As a result these two behaviors are blocked.)
Requirement Settings (I only want to send the alert "Host header contains IP address".)
(1) Microservice Properties
(2) Event logs (Alerts are sent for both behaviors)
I want one to alert and one to block
What should I do?
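The scoping described in the replies above (Alarm and Block are set once for the HTTP protocol compliance violation, sub violations are only switched on or off, and a matching microservice takes precedence over the general policy) can be modelled in a few lines. This is an added example, not part of any post and not F5 code: the dictionaries, function names and the two simplified checks are assumptions made for illustration, and the requests are constructed.

```python
import ipaddress

def host_header(raw: bytes) -> str:
    """Return the Host header value of a raw HTTP request ('' if absent)."""
    for line in raw.split(b"\r\n")[1:]:
        if not line:
            break  # blank line ends the header section
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("latin-1")
    return ""

def host_is_ip(raw: bytes) -> bool:
    host = host_header(raw)
    if host.startswith("["):            # "[2001:db8::1]:8443"
        host = host[1:].split("]")[0]
    elif host.count(":") == 1:          # "192.0.2.10:8080"
        host = host.split(":")[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

# Simplified stand-ins for two sub violations named in the thread (assumption).
CHECKS = {
    "Null in request": lambda raw: b"\x00" in raw,
    "Host header contains IP address": host_is_ip,
}

def evaluate(raw: bytes, policy: dict, microservices=()):
    """Return (action, triggered sub violations) for one request."""
    parts = raw.split(b"\r\n")[0].split(b" ")
    path = parts[1].decode("latin-1") if len(parts) > 1 else ""
    scope = policy
    for ms in microservices:  # a matching microservice overrides the policy
        if host_header(raw) == ms["host"] and path.startswith(ms["url"]):
            scope = ms
            break
    hits = [n for n, chk in CHECKS.items() if scope["enabled"].get(n) and chk(raw)]
    # Alarm/Block apply to the whole violation, not to single sub violations.
    action = "block" if scope["block"] else "alarm" if scope["alarm"] else "pass"
    return (action if hits else "pass"), hits

# Constructed sample data, not taken from the thread.
BOTH = {name: True for name in CHECKS}
POLICY = {"alarm": True, "block": True, "enabled": BOTH}
API_MS = {"host": "192.0.2.10", "url": "/api", "alarm": True, "block": False, "enabled": BOTH}
REQ = b"GET /api/v1?q=\x00 HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"
```

In this model `evaluate(REQ, POLICY)` blocks on both sub violations, while `evaluate(REQ, POLICY, (API_MS,))` only alarms on both, because the action is chosen per scope rather than per sub violation.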