Forum Discussion

Cirrus

Jan 11, 2021

Solved

ASM flagging legitimate traffic as "most likely a threat"

I'm fairly new to managing ASM and I'm learning on the fly. In this case, the protected application is a Jira instance. Most traffic that ASM has blocked for this application so far has been a single...

application delivery

ASM Advanced WAF

Scott123456789
Jan 14, 2021
According to F5 support, the problem was that ASM was trying to parse the attachment being uploaded. This is the job of anti-virus, not ASM. The solution was to create an allowed URL exception in the policy for this type of content.

This instructs ASM to not inspect the BODY of the request:

- Browse to: Security ›› Application Security : URLs : Allowed URLs : Allowed HTTP URLs
- make sure to 'select' the correct policy

- click 'Create' (for New Allowed URL)

- change view to 'Advanced'.
- Specify the URL (Explicit, [HTTPS] /rest/internal/2/AttachTemporaryFile)
- uncheck staging

- click on 'Header-Based Content Profile':
Request Header Name: Content-Type
Request Header Value: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
Request body handling: Do nothing
click 'Add'.
move it up the list

- click 'Create'.
- Apply Policy

Erik_Novak

Employee

Jan 12, 2021

Are you able to discern which violation resulted in the blocking event? Check if your attack signatures are in staging--if they are, staged signatures can be ruled out in terms of causing the block.

Scott123456789
Cirrus
Jan 12, 2021
Maybe that's what I don't know how to do. Every other block I've dealt with up until now has been just one violation type, and only one occurrence of it. In this case, I have the three violation types and hundreds of occurrences in the same event. I have no idea how to proceed from there. Sorry to sound like its my first day...