SRM
Nov 26, 2025

Illegal Request in Learning Suggestion for 200 OK response

Dears, I want to know the reason why this suggestion is showing an illegal request status even though the response code is 200 OK. Is it because multiple violations were triggered? The policy is in transparent mode and I am just verifying the suggestions. Can someone please provide expert advice?

5 Replies

  • SRM

    Dear Shyy,

    Thanks for your response.
    My concern is not about why the request is not being blocked. The service is in transparent mode right now and these are just suggestions. I am curious to know why this suggestion flagged the request as illegal despite having the response code 200 OK. Is it because the request triggered violations such as Modified Domain Cookie, Illegal Empty Parameter Value, Illegal Request Length, or JSON not complying with settings? Injeyan_Kostas, any expert advice here?

  • Hi,

    Yes — a request can show Illegal even though the backend returned 200 OK because the WAF detected one or more violations, and Response Code has no influence on the violation status.

    The “Illegal” flag is based only on WAF policy evaluation, not on the application’s response.

    BR
    Aswin

  • 200 OK is an HTTP-layer status.
    It does not confirm whether the HTTP payload is OK or not.

    If you haven't done it, WAF learning should be done only for traffic from legitimate testers, not live user traffic.
    You can set a vserver with WAF learning mode to be used by the legitimate testers.
    After learning and policy modification are done, apply the resulting WAF policy to the vserver of live traffic.