Forum Discussion

ghost-rider_124's avatar
ghost-rider_124
Icon for Nimbostratus rankNimbostratus
Jun 07, 2015
Solved

How to increase the size of upload file size in ASM

Hello Experts

 

How to increase the upload file size in ASM? I am using 11.2.1

 

ASM Advanced WAF
deployment
security
  • Pascal_Tene_910's avatar
    Pascal_Tene_910
    Jun 08, 2015

    You can apply the following iRule to your virtual server: The "/upload" is in the path of the file you are uploading. Note that ASM is disable when uploading and malicious files could be uploaded in this particular location without detection...

     

    ++++++++++++++++ when HTTP_REQUEST { if {[HTTP::uri] contains "/upload" } { ASM::disable log local0. "ASM disabled." } else { ASM::enable /Common/ log local0. "ASM enabled. Current ASM policy is [ASM::policy]" } } +++++++++++++++++++

     

16 Replies

Sort By
  • Pascal_Tene_910's avatar
    Pascal_Tene_910
    Historic F5 Account
    Jun 08, 2015

    You can apply the following iRule to your virtual server: The "/upload" is in the path of the file you are uploading. Note that ASM is disable when uploading and malicious files could be uploaded in this particular location without detection...

     

    ++++++++++++++++ when HTTP_REQUEST { if {[HTTP::uri] contains "/upload" } { ASM::disable log local0. "ASM disabled." } else { ASM::enable /Common/ log local0. "ASM enabled. Current ASM policy is [ASM::policy]" } } +++++++++++++++++++

     

    • ghost-rider_124's avatar
      ghost-rider_124
      Icon for Nimbostratus rankNimbostratus
      Jun 09, 2015
      hello Pascal. Thanks. But we are disabling the ASM altogether. There is no way we can restrict the size of upload file for only one policy?
    • ghost-rider_124's avatar
      ghost-rider_124
      Icon for Nimbostratus rankNimbostratus
      Jun 08, 2015
      Thank you but it will be for global level. If I would like to set the upload limit size only for one ASM policy. How could I do that?
    • Torti_93733's avatar
      Torti_93733
      Icon for Nimbostratus rankNimbostratus
      Jun 09, 2015
      try it with the post data length of file types and the maximum length of the parameter
  • Torti's avatar
    Torti
    Icon for Altostratus rankAltostratus
    Jun 08, 2015

    via system variable "long_request_buffer_size" untill 20MB

     

    • ghost-rider_124's avatar
      ghost-rider_124
      Icon for Nimbostratus rankNimbostratus
      Jun 08, 2015
      Thank you but it will be for global level. If I would like to set the upload limit size only for one ASM policy. How could I do that?
    • Torti's avatar
      Torti
      Icon for Altostratus rankAltostratus
      Jun 09, 2015
      try it with the post data length of file types and the maximum length of the parameter
  • Pascal_Tene_910's avatar
    Pascal_Tene_910
    Historic F5 Account
    Jun 10, 2015

    All solutions I have seen so far will either increase the upload limit globally, or disable ASM for a specific URI as shown in the irule. The iRule can be enhanced to do other checks, like only disabling ASM for some trusted IP addresses,..etc.

     

    • ghost-rider_124's avatar
      ghost-rider_124
      Icon for Nimbostratus rankNimbostratus
      Jun 10, 2015
      Thanks Pascal. Can you give me that IRULE to disable ASM for trusted IP. Appreciated
  • Pascal_Tene_910's avatar
    Pascal_Tene_910
    Historic F5 Account
    Jun 11, 2015

    +++ Following is A simple iRule that will disable ASM for a subset of IP addresses++++ +++ You need to create a data group that contains the list of allowed IP addresses++++

    +++++++++++

    ltm rule /Common/disable-asm-for-ip {

    when HTTP_REQUEST {

    if {( [class match [IP::client_addr] equals my-IP-list-data-group] ) } {

       ASM::disable
log local0. "ASM disabled for [IP::client_addr]."
}

    else { ASM::enable "/Common/jt-vs"

    log local0. "ASM enabled. Current ASM policy is [ASM::policy]"

    }

    }

    }

    ++++

    ++++Sample data group with a list of IP addresses++++

    ltm data-group internal /Common/my-IP-list-data-group {

    records {
    10.12.0.32/32 { }
    10.12.0.33/32 { }
    10.12.0.34/32 { }
}
type ip

    }

    ++++++
  • Pascal_Tene_910's avatar
    Pascal_Tene_910
    Historic F5 Account
    Jun 11, 2015

    Above irule will once again disable ASM altogether for a give IP. if you know the URI for file upload (Depending on the application), you can combine the first and second iRule with (AND), that would be more effective and more secure. The users with certain IPs will have ASM disabled only when they are trying to upload...