For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

MSZ's avatar
MSZ
Icon for Nimbostratus rankNimbostratus
May 17, 2016

Status Code 500

WAF is blocking request due to 500 code. (illegal HTTP status in Response)   Why WAF is blocked requests and how 500 code comes?   When request is blocked by WAF means it did not cross the WAF?...
ASM Advanced WAF
BIG-IP
security
Yann_Desmarest's avatar
Yann_Desmarest
Icon for Cirrus rankCirrus
May 17, 2016

Hello,

 

500 status code indicates that you web server had an error for processing the request.

 

ASM offload those response by default to avoid guessing issues. We don't want that the full error stack is displayed on the client browser. Information provided by servers sometimes help attackers to target an attack.

 

You can disable 500 status code offloading by removing this status code from the list of unallowed status code in the main pagz of your security policy

 

  • MSZ's avatar
    MSZ
    Icon for Nimbostratus rankNimbostratus
    May 17, 2016
    If request is blocked at WAF then how a response comes from server? Confusing
  • Yann_Desmarest's avatar
    Yann_Desmarest
    Icon for Cirrus rankCirrus
    May 17, 2016
    Hi, the setting we are talking about is one of them that do not block the request and just change the response because asm receive a 500 status code from the backend
  • Yann_Desmarest's avatar
    Yann_Desmarest
    Icon for Cirrus rankCirrus
    May 17, 2016
    O'm talking about illegal HTTP status in Response violation that you grap in your asm event logs