Forum Discussion

SanYang's avatar
SanYang
Icon for Cirrus rankCirrus
Dec 04, 2023

About HTTP protocol compliance failed

Hello, Lately, I've been tweaking the "HTTP protocol compliance failed" settings in detail. 1. In this case, there is an enable option to get the "alert" event logs 2.In this case, the...
application delivery
F5_Design_Engineer's avatar
F5_Design_Engineer
Icon for MVP rankMVP
Dec 04, 2023

Hi SanYang,

When configuring HTTP Protocol Compliance options, F5 recommends that you examine the Traffic Learning report before disabling any sub violations that were triggered by the HTTP Protocol Compliance option. The Traffic Learning report is located under Policy Builder within Application Security.

The HTTP Protocol Compliance violation is comprised of a list of individual sub violations which perform HTTP validation checks. You can configure the Learn, Alarm, and Block settings for the HTTP Protocol Compliance violation in the Settings section of the Blocking page. Sub violations can be enabled and disabled individually within the HTTP Protocol Compliance section of the Configuration utility.

If a violation is triggered due to a match of one or more of the HTTP Protocol Compliance sub-options, the HTTP Protocol Compliance option which failed along with the name of the sub violation will be listed in the Request log or the Policy Builder Learning screen.

  1. Click on the Alarm check box to turn off all HTTP Protocol Compliance checks.  Note: this will affect ALL traffic coming through this policy.  If you have a small number of URLs that are non-compliant, consider using a Local Traffic Policy to bypass ASM for that specific URL as shown in Manual Chapter : Configuring ASM with Local Traffic Policies
  2. Click on the Block check box to turn off all HTTP Protocol Compliance checks . Note: this will affect ALL traffic coming through this policy.  If you have a small number of URLs that are non-compliant, consider using a Local Traffic Policy to bypass ASM for that specific URL as shown in Manual Chapter : Configuring ASM with Local Traffic Policies

    Note: F5 does not recommend turning off all HTTP compliance Checks unless required, due to the holes left in the protections by doing so.
    Note: You can be more precise as to what you open by choosing to not block only specific HTTP protocol checks, rather than disabling all of them at once.

  3. Please refer following article with great details :

    https://f5-agility-labs-waf.readthedocs.io/en/latest/class3/module2/lab1/lab1.html

  4.  

    HTH

    🙏Best Regards

     

    F5 Design Engineer 

 

  • SanYang's avatar
    SanYang
    Icon for Cirrus rankCirrus
    Dec 05, 2023

    Hi F5_Design_Engineer ,

    Thanks for your reply.

    What do I do if I want the "Null in request" in HTTP protocol compliance failures to be a block and all other behavior to be an alert?