For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

SIEM_281457's avatar
SIEM_281457
Icon for Nimbostratus rankNimbostratus
Jul 26, 2016

Illegal meta character in value

How to fine tune the "Illegal meta character in value" However the device custom string is "filenetservice" and in some cases its Exchange asm policy. please suggest me how to finetune this alert.  ...
application delivery
ASM Advanced WAF
Hannes_Rapp_162's avatar
Hannes_Rapp_162
Icon for Nacreous rankNacreous
Jul 26, 2016

Security -> Application Security -> Parameters -> Character Set -> Parameter Value -> Select "meta characters only" -> Disallow/Allow individual meta characters as needed

To find out which meta characters are causing the violations, you must check your ASM request/blocking logs.

  • SIEM_281457's avatar
    SIEM_281457
    Icon for Nimbostratus rankNimbostratus
    Jul 26, 2016

    I dont have access to the F5 device as the appliance is manage by the other team.I am investigating on SIEM solution.and observing these alert for the traffic relay from ASM to exchange server. for one of the policy “/Common/Exchange_asm_policy”

     

    Kindly let me know what possible information i need to gather from concern team.

     

  • Hannes_Rapp_162's avatar
    Hannes_Rapp_162
    Icon for Nacreous rankNacreous
    Jul 26, 2016

    Provide them the full request log for an investigation. They can pick the solution they prefer themselves. One option is to allow the conflicting meta-character to exist in parameter value. This solution is applicable if they conclude there's no chance the request could be malicious.

     

  • SIEM_281457's avatar
    SIEM_281457
    Icon for Nimbostratus rankNimbostratus
    Jul 26, 2016

    Thanks Hannes Rapp for your valuable information and support.