Forum Discussion

Scott123456789's avatar
Scott123456789
Icon for Cirrus rankCirrus
Jan 11, 2021
Solved

ASM flagging legitimate traffic as "most likely a threat"

I'm fairly new to managing ASM and I'm learning on the fly. In this case, the protected application is a Jira instance. Most traffic that ASM has blocked for this application so far has been a single...
application delivery
ASM Advanced WAF
  • Scott123456789's avatar
    Scott123456789
    Jan 14, 2021

    According to F5 support, the problem was that ASM was trying to parse the attachment being uploaded. This is the job of anti-virus, not ASM. The solution was to create an allowed URL exception in the policy for this type of content.

     

    This instructs ASM to not inspect the BODY of the request:

     

    - Browse to: Security ›› Application Security : URLs : Allowed URLs : Allowed HTTP URLs

    - make sure to 'select' the correct policy

     

    - click 'Create' (for New Allowed URL)

     

    - change view to 'Advanced'.

    - Specify the URL (Explicit, [HTTPS] /rest/internal/2/AttachTemporaryFile)

    - uncheck staging

     

    - click on 'Header-Based Content Profile':

     Request Header Name: Content-Type

     Request Header Value: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet   

     Request body handling: Do nothing

     click 'Add'.

     move it up the list

     

    - click 'Create'.

     - Apply Policy

Erik_Novak's avatar
Erik_Novak
Icon for Employee rankEmployee
Jan 12, 2021

Do you see the link to "Suggestions" to the right of each of those violations? If you click that link you will go to the Traffic Learning page which gives you some additional options not visible on the request log page. You can also get there by going to Security >> Application Security : Policy Building : Traffic Learning....

 

  • Scott123456789's avatar
    Scott123456789
    Icon for Cirrus rankCirrus
    Jan 12, 2021

    These settings are not in staging. I do not see a "Suggestions" section in the blocked event.