Hakam24
Sep 11, 2024

How to accept Application requests at WAF F5

Dear All,

I just applied a WAF policy.

The enforcement mode is blocking.

Policy Building learning mode "Manual"

Policy Builder Learning Speed "Medium"

Other settings are the default settings.

After applying this kind of configuration, the user can't finish registering an account at our website.

When I go to Event Logs -> Application, it shows the traffic has been blocked.
Attack Types: "JSON Parser Attack"

But this is valid traffic. I tried to accept this traffic, but after testing again, the traffic is blocked again.

So my question is, how do I permanently accept this traffic so that it is not blocked in the future?

 

  • Hi, 

     

    First, check: if your application uses JSON, you need to configure a JSON content profile to let AWAF parse JSON requests correctly. Please have a look at this article to learn how to configure a JSON content profile: https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-13-0-0/20.html

    Also have a look at this article: https://clouddocs.f5.com/products/waf-declarative-policy/violation.html >> search for JSON Parser attack.

    Here is the violation under the Content profile settings:

     

    • Hakam24

      Hi Mohamed,

      Thanks for the reply.

      By the way, I'm just a newbie in WAF. For this link: https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-13-0-0/20.html I cannot understand all the steps. I got as far as step 6. At step 7 I got lost and don't understand anymore. I tried to find Global Security Policy Settings under the Attack Signatures tab but could not find it.

      Our version and model are below:

      Version: 16.1.4.2 Build 0.0.3

      Model: BIG-IP i4600

      By default, we have not unticked any of the three Learn/Alarm/Block options. If Block is not selected, will the traffic be blocked by default?

       

      • Hi, 

        Look at that article from step 7 >> it means that if you want to edit any entity like URLs or parameters,
        you can select it and add or remove signatures/meta characters.
        Like this:


        For the question: if you disable (Learn, Alarm, Block), this allows the request and doesn't block it.

        But I recommend enabling this under a specific URL or parameter, and not making this change across the whole policy; this is more secure.
        I don't know the URL that your client tries to access and gets blocked on; I need further visibility into the request and the violation itself.