Forum Discussion
How to accept Application requests at WAF F5
Dear All,
I just apply WAF policy.
The enforcement mode is blocking.
Policy Building learning mode "Manual"
Policy Builder Learning Speed "Medium"
Other setting is default setting.
After apply this kind of configuration, the user can't finish registering an account at our website.
When go to Event Logs -> Application the show the traffic has been blocking.
Attack Types "JSON Parser Attack"
But this is valid traffic. I try to accept this traffic, but after test again. The traffic will block again.
So my question is, how to I permanently accept this traffic and no blocking in future.
Hi,
Check First if your application uses JSON you need to configure JSON Content profile , to let AWAF to parse JSON Requests correctly , please have a look in this article to know how to configure JSON Content profile: https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-13-0-0/20.html
Also Have a look in this article : https://clouddocs.f5.com/products/waf-declarative-policy/violation.html >> search for JSON Parser attack.Here you're the Violation under Content profile settings:
- Hakam24Nimbostratus
Hi Mohamed,
Thank for the reply.
Btw, I just newbie in WAF, for this link : https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-13-0-0/20.html i cannot understand all step. I done until step no 6. No 7 just lose not understand anymore. Try to find Global Security Policy Settings under attack Signatures tab but not found.
Our version and model below:Version: 16.1.4.2 Build 0.0.3
Model: BIG-IP i4600
By default we not un-tick the all three learn-alarm-block. If not select the block, by default the traffic will block?Hi,
Look in that article from step 7 >> it means if you want to edit in any entity like URLs , Parameters.
you can select it and add or remove signatures/meta characters.
Like this:
For the Question, if you disable ( Learn , alarm , Block ) this allows the request and doesn't block it.but I recommend to enable this under specific URL or parameter and don't make this change in the whole of the policy this is more secure.
I don't know the url that your client try to access and get blocked, I need further visibility in the request and the violation itself
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com