Forum Discussion

marta_sl's avatar
marta_sl
Icon for Nimbostratus rankNimbostratus
Sep 07, 2023

File upload and ASM

Hi,

We have developed a web application for uploading videos. This web app is protected by our ASM module. However, when we attempt to upload a video larger than 10 MB, the ASM blocks the request and displays the error message "Request length exceeds the defined buffer size."

We attempted a solution we found in the forum, which involved creating a parameter for the specific URL, as we prefer not to modify the buffer size. Unfortunately, this solution did not work for us.

Could someone provide us with some guidance or assistance?

Thank you!

  • Hi  marta_sl ,

    If your application is a web application for uploading videos I really recommend disabling this feature.

    In some cases, you may want to increase the request buffer size (long_request_buffer_size) for the BIG-IP ASM security policy. However, increasing the long_request_buffer_size parameter value will increase the allowed size of all requests processed by the BIG-IP ASM system. Such a change can result in increased resource consumption as the BIG-IP ASM buffers the larger requests in memory. Resource usage should be closely monitored and any changes to the parameter value should be adjusted accordingly.

    Additionally, changing the long_request_buffer_size parameter value requires that you restart the BIG-IP ASM service, resulting in a brief traffic disruption.

    You can increase the value of the long_request_buffer_size internal parameter to a maximum of 30 megabytes, by performing the following procedure:

    Impact of procedure: Restarting the BIG-IP ASM service results in a brief traffic disruption.

    1. Log in to the Configuration utility.
    2. Go to Security > Options > Application Security > Advanced Configuration > System Variables
    3. For Search By Parameter Name, enter long_request_buffer_size and select Go.

      The long_request_buffer_size parameter displays.

    4. Select long_request_buffer_size.
    5. For Parameter Value, enter the maximum length in bytes that you want the BIG-IP ASM security policy to accept.

      Note: The appropriate maximum buffer size depends on your system configuration and resource provisioning. You should set the buffer size to the smallest possible value that will accommodate the largest anticipated request, up to 30 megabytes.

    6. Select Update.
    7. Log in to the command line.
    8. Restart the BIG-IP ASM bd processes by entering the following command:

      Important: This step causes a brief traffic disruption.

      tmsh restart sys service asm

      In the case you want to disable this feature you have to set 0 in the value and then restart the ASM, take in mind this step causes a brief traffic disruption.

     

  • Bypass for an ASM policy better be done just for the violation with an irule as I see it as to not stop the ASM checks for urls , headers etc. and this way you are making a smaller security hole 😗. This is a nice example:

     

    https://clouddocs.f5.com/api/irules/ASM__unblock.html

     

     

    Other option that can be tested is Request Body Handling, select Do Nothing. under the url:

     

    https://my.f5.com/manage/s/article/K32081491

     

    What was mentioned till now are all good solutions.

  • Hi marta_sl , 

    beside Sebastiansierra comment which is exactly correct , I want to add something important , if you intent to set value more than 10 MB , it's crucial to monitor your memory before the change and after , this increasment in request buffer size will consume from memory and you can't measure this impact because it depends on the number of requests which are processed by ASM engine so if you have now a high utilization of system memory , it's recommended not to set higher values of request buffer size in asm variable attributes >>> also take in your consedration this value will applied in all ASM policies not only for the policy you are complaining from it. 

    > I would provide you another workaround if you have high memory utilization: 

    you can bypass the url that contains this large file/video form being processed by ASM , you can do this using LTM policies or irules.

    you will the steps of by bypassing in this article : https://my.f5.com/manage/s/article/K22021244


    Thanks Sebastiansierra for your detailed comment. 

  • Hi,

    Thank you very much for your responses and advice. What if we disable the "Block action" for the "Request length exceeds defined buffer size" in the policy building settings? Do you think it may affect the performance of the hardware?

    • Hi marta_sl , 

      no there is no impact on hardware or performance. 

      if you disabled it , it will not block the large files upload , but this will be applied in all urls or virtual server applied under this ASM policy. 

      So you have much varites : 
      > bypassing asm policy for specific  url ( using irule , LTM policy ) 
      > disablie ( learn , alarm , block ) for that violation.
      > increasing request buffer size ( but this needs to monitor your system resources specially your memory consumption.