For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Kurt_Knochner_5's avatar
Kurt_Knochner_5
Icon for Cirrus rankCirrus
Mar 10, 2014

ASM signature check blocking ActiveSync Upload of large files

Hi,

 

Problem: ASM signature checking thinks there are attack pattern (SQL injection, command execution, etc.) in ActiveSync file 'up-/downloads' (users accessing large attachments via ActiveSync).

 

Question: What is the best practice to handle this problem?

 

I have seen similar problems here on Devcentral, but the typical 'solution' was to disable signature check for /microsoft-server-activesyn. However, I don't want to disable signature checking completely as that would weaken the security. Writing an iRule to overwrite the block action seems to be an option (https://devcentral.f5.com/wiki/iRules.ASM__unblock.ashx), but I'm not sure if it's possible to 'identify' the access to an attachment within the iRule.

 

Thanks!

 

Kurt

 

application delivery
ASM Advanced WAF
deployment
devops
iRules
security

6 Replies

  • Mike_Maher's avatar
    Mike_Maher
    Icon for Nimbostratus rankNimbostratus
    Mar 10, 2014

    When you built the policy initially did you use the Template for Active Sync? I was having similar problems and then I created a new policy starting from scratch and used the Active Sync template, and it seems to have cleared up the false positives on the Attack Signatures.

     

    • Kurt_Knochner_5's avatar
      Kurt_Knochner_5
      Icon for Cirrus rankCirrus
      Mar 10, 2014
      Yes, I used the Template. Any idea what could be causing the problems that get fixed by creating a new policy with the same template!?
  • Mike__Maher_108's avatar
    Mike__Maher_108
    Icon for Nimbostratus rankNimbostratus
    Mar 10, 2014

    When you built the policy initially did you use the Template for Active Sync? I was having similar problems and then I created a new policy starting from scratch and used the Active Sync template, and it seems to have cleared up the false positives on the Attack Signatures.

     

    • Kurt_Knochner_5's avatar
      Kurt_Knochner_5
      Icon for Cirrus rankCirrus
      Mar 10, 2014
      Yes, I used the Template. Any idea what could be causing the problems that get fixed by creating a new policy with the same template!?
  • David_Stout's avatar
    David_Stout
    Icon for Nimbostratus rankNimbostratus
    Mar 10, 2014

    The ASM blocks file uploads of more than 10MB by default. You can either up the limit to the available Max size of 20MB under ASM Advanced Configuration or you have to bypass the ASM for uploads by using an iRule.

    when HTTP_CLASS_SELECTED {
ASM::enable
 Disable ASM for specific method

   if { ([HTTP::method] eq "PUT")}{
      ASM::disable
    }
   if { ([HTTP::method] eq "POST")}{
      ASM::disable
   }
}