Forum Discussion
Federico_Battag
Nimbostratus
Nimbostratusdisable ASM on a specific URL
Hi all,
I'm sending this message to ask if someone can tell me a way to disable ASM checks (violations and signature) for a specific URL.
In particular, I have an application through which is possible to upload files... each upload takes place via the same URL (/uploader.php, for example). The problem is that it isn't possible to determine in advance what kind of files are loaded... Furthermore, the application already conducts checks.
The result is a large number of false positives that are generated and this, when the application will be put in production could create important impact.
If possible I would avoid to use an iRule, is there a way to use only Configuration Utility? Or can anyone suggest me a modus-operandi?
Thanks in advance, greetings
Federico
dichotomouseThe best way I've found, after an F5 Tech Support call is the LTM Policy rules method described here: https://support.f5.com/kb/en-us/solutions/public/14000/700/sol14709.html
Make sure that when you are done creating the rule, you click the 'ReOrder' button and move your new rule ABOVE the default ASM enable rule, otherwise it may not work depending on if you left it at 'first-match', 'best-match', or 'all-match' in the strategy field of the LTM policy.
We also used it to bypass ASM for large uploads and downloads. The difference in that case was we used the 'extension' selector for the request. The tricky part was finding out what our application was using for an extension in the request, it was not the expected file extension but instead '.download' was appended to the URI string. We were able to find that out using the developer tools in Firefox with a little Fiddler work thrown in. Once we added '.download' to the extension list in the rule conditions, it started working perfectly.
BTW: you can see if your new rule is working on the 'Statistics' tab in the LTM Policy screen.
Hope this helps someone!
Joe_Chapman_416For anyone else looking for an answer to this, a simple iRule can accomplish what is being asked: https://devcentral.f5.com/wiki/irules.ASM__disable.ashx
Mike_MaherSo the simplest was I see to do this is to create a new HTTP Class that has Application Security disabled and filter for the URL that you don't want inspected. You will all ASM functionality this way but if that is what you are looking for this will do the job.
Enn_27271Try this:
create an explicit URL
goto Advanced, header-based Content Profile:
configure ASM to parse the content as "Dont Check" for any header.
hope it fits your need!
bye
e
MSZ_221163Initially it was working fine. This option is not working.
Chris_Campbell1Cirrus
The html of file upload page will have an input tag with a name that is parsed by ASM as a parameter, so you could create a parameter in the ASM policy and disable signature checking on that.