Forum Discussion
How to tuning policy WAF F5 for Command Execution
Hi TsukiAzuma ,
would you please share the violation that F5 WAF produce it against this request.
- TsukiAzumaDec 14, 2022
Altostratus
It mean that ?
violations="Illegal meta character in value,Attack signature detected",support_id="6258108010622842152",request_status="blocked",response_code="0",ip_client="xxx",route_domain="0",method="POST",protocol="HTTPS",query_string="",x_forwarded_for_header_value="xxx, xxx",sig_ids="200003086",sig_names="%22vi%22 execution attempt",date_time="2022-12-07 15:32:38",severity="Error",attack_type="Abuse of Functionality,Command Execution",geo_location="N/A",ip_address_intelligence="N/A",username="N/A",session_id="d080b92a930b4a2",src_port="xxx",dest_port="xxx",dest_ip="xxx",sub_violations="",virus_name="N/A",violation_rating="2",websocket_direction="N/A",websocket_message_type="N/A",device_id="N/A",staged_sig_ids="",staged_sig_names="",blocking_exception_reason="N/A",captcha_result="not_received",uri="/login"- Dec 14, 2022
Hi TsukiAzuma ,
Try to define the impacted url and its parameters as an explicit entity in allowed urls , after that allow the attack signature that blocks your requests to this url and the same thing with meta characters under this url parameter , allow the meta character that blocks you when this request come to F5.
I will send some snapshot from my lab will help :
1- Create explicit url " /login " with POST method :> get the attack signature ID and search in " Global security policy setting bar " by this ID and drag it from Right table to Left , by this way you allowed this attack signature under this url only.
2- After that create your parameters that come with this url , in " POST " data and allow the meta character , you can do this by selecting Url Parameters TAB in the last snap shot and proceed :> After doing that , your Request shoudn’t be blocked.
> Note , I do not know what are your parameters under this requested url , you should know them and able to add this impacted parameter such as last snap shot.> Read this Article Carefully , it will show you more :
https://support.f5.com/csp/article/K64208044
I hope this helps you.
Regards- TsukiAzumaDec 15, 2022
Altostratus
Thank you.
I will contact with network team and try it
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com