For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

gu3rr3ir0's avatar
gu3rr3ir0
Icon for Nimbostratus rankNimbostratus
Feb 05, 2020

F5 ASM learning new parameters while being in blocking mode.

Hi,   I have my ASM protecting many web applications. The problem is that some of the applications/websites, don´t have that much traffic, but some of the websites have a lot of Forms etc. Since...
ASM Advanced WAF
blocking
parameter
parameters
policy
security
Erik_Novak's avatar
Erik_Novak
Icon for Employee rankEmployee
Feb 05, 2020

Question 1: Yes. All parameters disallow meta characters by default. If you override those meta characters, then they are allowed--but attack signature are still applied to the parameter input value.

 

Question 2: Yes. There are two ways to do this. One is to un-check the Block checkbox for the "Illegal Parameter" violation. In fact, that works with all violations, including "Illegal meta character in value" related to your first question. The ot her is to leave all parameters in staging during the learning process as developers add them.

 

Question 3: Once the policy is mature, you can enforce the wildcard or remove it altogether.

 

Question 4: One way would be to turn off blocking on the specific violation that is getting triggered until the learning period is over. Or go to the Learning and Blocking Settings page > Policy Building Process, and select the Advanced view. Under Policy Building Process, locate Loosen Policy and review the default rules. Also ensure you have "Track Site Changes" enabled, and review those rules and adjust accordingly. If you have a way to build the policy using trusted traffic then you can reduce the time required dramatically.