Forum Discussion
Jinshu
Cirrus
Jul 27, 2016
Custom ASM block for HTTP methods
Hi,
I want to block all HTTP methods except GET using ASM. I am using the iRule below to block and raise an ASM violation, but somehow the iRule execution is failing while testing with HTTP method ...
Hannes_Rapp
Nimbostratus
Jul 27, 2016
Looks like a mashup of my custom violation iRule. Technically, it should work - maybe you have a cache of previous results (webacceleration profile)?
This should do the trick in v11.x
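    when HTTP_REQUEST {
        # Flag every request whose method is not GET
        set reqBlock 0
        if { not ( [HTTP::method] eq "GET" ) } {
            set reqBlock 1
        }
    }
    when ASM_REQUEST_DONE {
        # Raise the violation for flagged requests once ASM has processed them
        if { $reqBlock == 1 } {
            ASM::raise VIOLATION_FORBIDDEN_METHOD
        }
    }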
Also note that if you can upgrade to v12.1, you will get better built-in control over allowed HTTP methods per URL (also works with wildcard URLs):
https://support.f5.com/kb/en-us/products/big-ip_asm/releasenotes/product/relnote-asm-12-1-0.html
Enforcing a method on a URL
You can define a list of allowed and disallowed methods, for each URL, that will override the list defined on the security policy level.
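One way to check from a client that only GET gets through, with a unique query string on every request so a caching profile cannot replay an earlier result (an added example, not part of the original thread). It assumes the policy serves the default ASM blocking page text and tolerates an extra `probe` query parameter; `probe_methods`, `StubPolicy` and `demo` are hypothetical names, and the stub server is a constructed stand-in so the script runs offline.

```python
import http.client
import threading
import uuid
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: the policy serves the default ASM blocking page, which contains this text.
BLOCK_MARKER = b"The requested URL was rejected"
METHODS = ("GET", "POST", "PUT", "DELETE", "OPTIONS")


def probe_methods(host, port, path="/", methods=METHODS):
    """Send one request per method; return {method: 'allowed' | 'blocked'}."""
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        # A unique query string keeps a caching profile from replaying an old answer.
        conn.request(method, f"{path}?probe={uuid.uuid4().hex}")
        body = conn.getresponse().read()
        conn.close()
        results[method] = "blocked" if BLOCK_MARKER in body else "allowed"
    return results


class StubPolicy(BaseHTTPRequestHandler):
    """Constructed stand-in for a virtual server enforcing a GET-only policy."""
    def _reply(self):
        body = b"ok" if self.command == "GET" else BLOCK_MARKER + b" (constructed)"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = do_POST = do_PUT = do_DELETE = do_OPTIONS = _reply

    def log_message(self, *args):  # silence per-request logging
        pass


def demo():
    server = HTTPServer(("127.0.0.1", 0), StubPolicy)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe_methods("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

To run it against your own virtual server, call `probe_methods` with its host and port instead of `demo()`.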