Forum Discussion

andresneri1's avatar
andresneri1
Icon for Nimbostratus rankNimbostratus
Jul 09, 2025
Solved

F5 XC and Service Policy/HTTP path

Hi Team,

We are migrating some ASM policies to the XC platform. However, the customer has a long list of URLs allowed by the ASM policy.

I understand that the Service Policy on XC is the functionality to use in this case, but I received an error message:

 

"We found 1 error:

Field 'Exact Values' in HTTP Path must contain no more than 16 item(s)." 

 

Perhaps some URLs can be changed to regular expressions, but I'm unsure how to reduce this to only 16 items.

Any ideas or suggestion would be appreciated

 

 

application delivery
cloud
security
Service PolicY
xc
  • Nikoolayy1's avatar
    Nikoolayy1
    Jul 10, 2025

    Yes that is the limit in a XC service policy rule just make more rules in the same service policy with allow action each having 16 urls. Make one 1 default deny rule at the end. You can use "Next policy" action if you want other checks like geolocations etc. in a service policy after this one. Make certain to have allow all policy at the end if you are chaining multiple policies.

     

    Keep in mind that a wildcard url for example /test/* is migrated with the service policy prefix match option. If the wildcard it at the start */test/ use suffix match and if it is in the middle then regex match will be needed like /te.*st/

     

    Also this is a static feature and I recommend checking XC API discovery/protection that will learn the allowed URL API paths.

1 Reply

  • Nikoolayy1's avatar
    Nikoolayy1
    Icon for MVP rankMVP
    Jul 10, 2025

    Yes that is the limit in a XC service policy rule just make more rules in the same service policy with allow action each having 16 urls. Make one 1 default deny rule at the end. You can use "Next policy" action if you want other checks like geolocations etc. in a service policy after this one. Make certain to have allow all policy at the end if you are chaining multiple policies.

     

    Keep in mind that a wildcard url for example /test/* is migrated with the service policy prefix match option. If the wildcard it at the start */test/ use suffix match and if it is in the middle then regex match will be needed like /te.*st/

     

    Also this is a static feature and I recommend checking XC API discovery/protection that will learn the allowed URL API paths.