Forum Discussion
About HTTP protocol compliance failed
Hi Sanyang,
You can configure Microservice. Microservices is an application development concept that separates the development process into smaller, logical segments. Using a microservices architecture approach can speed the development process and improve application modularity.
Please note that BIG-IP ASM Microservices Override is not an option without an Advanced WAF License.
You must have Advanced WAF License to use this feature.
Starting in BIG-IP 14.1.0 you can create security policy configurations that accommodate applications and microservices and you can define Microservices.
For example, you can create a single policy to protect a web application that consists of multiple microservices, and then customize the policy for some or all of the microservices.
Additionally, you can override the security policy's default enforcement setting, and specify a different enforcement setting for a specific microservice. You can then review the resulting traffic learning suggestions for the microservice.
When a Microservice is defined with a security policy and the traffic passing through the policy matches the defined Microservice, the security policy will use the defined settings within the Microservice itself.
- Traffic not being handled how the general security policy is defined
- Example would be if you see an illegal request and you believe the request should be blocked based on the general security policy settings
When you define a Microservice within your security policy it will have its own settings. The different areas that can be defined are the following:
- Evasion technique detected and the ability to Enable, Learn and Override within this
- HTTP protocol compliance failed and the ability to Enable, Learn and Override within this
- The overall enforcement setting for the Microservice itself
If you are seeing traffic that is flagged as illegal and you believe it should be blocked, or vice versa, please check to see if you have defined a Microservice that matches the traffic.
If a Microservice is defined for the application traffic in question then the security settings for the Microservice will take precedence over the setting defined within the general policy.
The following microservice configurations are possible:
- The security policy is in Blocking mode with one or more microservices in Transparent mode.
- The security policy is in Blocking mode with blocking settings overrides for microservices.
- The security policy is in Transparent mode with one or more microservices in Blocking mode.
Prerequisites
You must meet the following prerequisites to use this procedure:
- You have access to the Configuration utility.
- You have determined the hostname and URL for the microservice that you want to add to the policy.
Viewing traffic learning suggestions for a microservice
You can view and manage learning suggestions for a microservice so you can adjust the security policy based on traffic patterns. To do so, perform the following procedure:
Impact of procedure: Performing the following procedure should not have a negative impact on your system.
- Log in to the Configuration utility.
- Navigate to Security > Application Security > Policy Building > Traffic Learning.
- In the Traffic Learning Summary section, expand the Enforcement By Microservice option.
- Click the microservice and review the traffic learning suggestions.
To add exceptions to the Policy learning and Blocking setting
Security ›› Application Security : Policy Building : Learning and Blocking Settings
You can go from here:
You can see learning mode suggestions here:
Security ›› Application Security : Policy Building : Traffic Learning
You can find more such implementations in great detail here:
https://techdocs.f5.com/en-us/bigip-17-0-0/big-ip-asm-implementations.html
Very good to read
https://community.f5.com/t5/technical-forum/enforcement-readiness-summary-and-http-protocol-compliance/td-p/79051
For more details on Advanced WAF additional features please refer:
HTH🙏
- SanYang, Dec 07, 2023, Cirrus
Hi F5_Design_Engineer,
Thanks for your teachings.
But I don't know why I can't get the lab to work...
The original setup
(1) I entered the lab based on the two items in the red box
(2) Event logs (As a result these two behaviors are blocked.)
Requirement Settings (I only want to send the alert "Host header contains IP address".)
(1) Microservice Properties
(2) Event logs (Alerts are sent for both behaviors)
I want one to alert and one to block
What should I do?