Forum Discussion
Issue: ASM Violation that is manually disabled is automatically enabled days later
Hi all - we have an interesting dilemma with our F5 ASM policy. We are running two BIG-IP 5050, Software Version BIG-IP v11.5.2 (Build 0.0.141) configured in an Active-Standby configuration.
We have a Security Policy running in Blocking Enforcement Mode and we've experienced two incidents where we've disabled two sub-violations under the "HTTP protocol compliance failed" list. We would save the configuration and apply the policy as part of the normal process of making changes to the policy, but within a couple of days, we've noticed that the two sub-violations are enabled again. Does anyone know why this is happening? Is this a bug in v11.5.2?
The two sub-violations are:
- "Check maximum number of headers"
- "Check maximum number of parameters"
The attached screenshot shows the two violations that should be disabled, which they are now. Also note that this is the only ASM policy configured on the F5.
Thanks in advance for any insight and assistance.
Ron
- Chris_Grant
Employee
Are you running Automatic Policy Builder? Many people will deploy Automatic Policy Builder, and then try to manually tweak their configuration. That's fine so long as you remember to disable Automatic Policy Builder. If not, the APB will happily change settings on your policy to match what it thinks you want. This is not always what you actually want.
- RonR10
Nimbostratus
Chris - Are you referring to the "Real Traffic Policy Builder" setting in Application Security\Policy Building\Settings??
- Chris_Grant
Employee
Correct. You will want to disable the Real Traffic Policy Builder (or automatic policy builder) to correct this behavior. Note, the behavior is not incorrect, but the machine learning is not as discerning as a human reviewer, and sometimes the choices it makes are not the choices that we would like it to make.
- Srini_87152
Cirrostratus
That's correct, you have to disable the APB. Thx, Srini