Forum Discussion
Jinshu
Cirrus
Jul 27, 2016
Custom ASM block for HTTP methods
Hi,
I want to block all HTTP methods except GET using ASM. I am using the iRule below for blocking and to raise an ASM violation, but somehow iRule execution is failing while testing with HTTP method ...
Hannes_Rapp
Nimbostratus
Jul 27, 2016
Looks like a mashup of my custom violation iRule. Technically, it should work - maybe you have a cache of previous results (webacceleration profile)?
This should do the trick in v11.x
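    when HTTP_REQUEST {
        # Reset the flag on every request, then mark anything that is not GET
        set reqBlock 0
        if { not ( [HTTP::method] eq "GET" ) } {
            set reqBlock 1
        }
    }
    when ASM_REQUEST_DONE {
        # ASM has finished processing the request; raise the violation if flagged.
        # ASM::raise issues a user-defined violation, so this name must exist in ASM.
        if { $reqBlock == 1 } {
            ASM::raise VIOLATION_FORBIDDEN_METHOD
        }
    }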
Also note that if you can upgrade to v12.1, you will get better built-in control over allowed HTTP methods per URL (also works with wildcard URLs):
https://support.f5.com/kb/en-us/products/big-ip_asm/releasenotes/product/relnote-asm-12-1-0.html
Enforcing a method on a URL
You can define a list of allowed and disallowed methods, for each URL, that will override the list defined on the security policy level.
