Forum Discussion

tuganim's avatar
tuganim
Icon for Altostratus rankAltostratus
Oct 21, 2020

GUID omission in request URL

Hello,

I use BIG-IP 14.1.2.7 with the ASM module. I have a URL in my system which includes a dynamic GUID as part of the URL. For example: “/api/user/9fa42455-7adc-4550-813d-53c1aed654a9/permissions”.

 

For some unknown reason, when I want to add it as an allowed URL in the ASM, the only way I managed to do that is to add the URL “/api/user//permissions” – It seems that the ASM ignores the GUID and I have to use double-slash between “user” and “permissions”. It is also recognized that way (without the GUID) in the title of the request log, although the GUID does appear inside the request tab, together with all the request details. I prefer adding a wildcard URL but the ASM does not recognize it as matching to the request URL, so it does not work.

 

I have a second BIG-IP instance with s similar policy and in this second instance the same URL is recognized as expected, and I managed to add valid wildcard to approve it. Therefore, I believe that the omission of the GUID in the first BIG-IP instance is some configuration, but I did not manage to find it. Also, it seems that this behavior is specific to GUIDs – any other string between “user” and “permissions” is recognized normally.

 

How can I configure the BIG-IP to recognize the GUID as GUID and not as an empty string so I can use a wildcard URL?

 

Thanks

  • can it be the "Dynamic Session ID in URL" setting on the advanced security policy settings which is different between the policies?

     

    https://support.f5.com/csp/article/K6756

  • can it be the "Dynamic Session ID in URL" setting on the advanced security policy settings which is different between the policies?

     

    https://support.f5.com/csp/article/K6756

    • tuganim's avatar
      tuganim
      Icon for Altostratus rankAltostratus

      This setting is indeed different between the two policies and it seems that this is the cause of the issue. in the first instance - the one in which I had the problem - this setting is enabled and its value is a regular expression that matches a GUID. In the second instance this setting is disabled.

       

      Thank you very much!