Forum Discussion

Hannes_Rapp's avatar
Hannes_Rapp
Icon for Nimbostratus rankNimbostratus
May 04, 2016

ASM: Case-insensitive entities

Policy_Export.xml: 

...
true
...

If the case_insensitive parameter is set to 'true', are there any parts of the configuration that will remain to be treated as case-sensitive?

What will happen if policy has a parameter named 

LOGIN.data
while policy is configured as case-insensitive? (are the exceptions configured in the parameter bypassed, or are they still valid?)

ASM Advanced WAF
BIG-IP
security
  • Richard_Karon_7's avatar
    Richard_Karon_7
    Historic F5 Account
    May 14, 2016

    I don't see a version so I will use the latest.

     

    From https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-12-0-0/29.html :

     

    "By default, the option Security Policy is case sensitive is selected, and the security policy treats file types, URLs, and parameters as case-sensitive. "

     

    So creating the policy as case insensitive, it follows that all file types, URLS, and parameters are now case-insensitive. Elements will stored as lowercase. (from menu help)

     

    I am not sure I understand your specific question, but here is an example case insensitivity setting

     

    GET /index.php?UPDOWN=ROLLER HTTP/1.1

     

    GET /index.php?UPdown=ROLLer HTTP/1.1

     

    Both gather under

     

    Illegal parameter:: Parameter: updown on [HTTP] /index.php (notice the lower case for parameter)

     

    Remember, this case-insensitivity can only be selected at creation of the policy.

     

    • Hannes_Rapp's avatar
      Hannes_Rapp
      Icon for Nimbostratus rankNimbostratus
      May 14, 2016
      Thanks for the explanation, Richard. Actually the reason for asking is that I was migrating case-sensitive policies to case-insensitive. Apart from minor issue, I got this change executed successfully. Case-sensitivity setting can be modified in existing policies, it's just not very straight-forward to do so
  • Richard_Karon's avatar
    Richard_Karon
    Icon for Employee rankEmployee
    May 14, 2016

    I don't see a version so I will use the latest.

     

    From https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-12-0-0/29.html :

     

    "By default, the option Security Policy is case sensitive is selected, and the security policy treats file types, URLs, and parameters as case-sensitive. "

     

    So creating the policy as case insensitive, it follows that all file types, URLS, and parameters are now case-insensitive. Elements will stored as lowercase. (from menu help)

     

    I am not sure I understand your specific question, but here is an example case insensitivity setting

     

    GET /index.php?UPDOWN=ROLLER HTTP/1.1

     

    GET /index.php?UPdown=ROLLer HTTP/1.1

     

    Both gather under

     

    Illegal parameter:: Parameter: updown on [HTTP] /index.php (notice the lower case for parameter)

     

    Remember, this case-insensitivity can only be selected at creation of the policy.

     

    • Hannes_Rapp's avatar
      Hannes_Rapp
      Icon for Nimbostratus rankNimbostratus
      May 14, 2016
      Thanks for the explanation, Richard. Actually the reason for asking is that I was migrating case-sensitive policies to case-insensitive. Apart from minor issue, I got this change executed successfully. Case-sensitivity setting can be modified in existing policies, it's just not very straight-forward to do so