Suggested action "Set Learn to disabled. Set Alarm to disabled. Set Block to disabled."

Question

My v12.2 F5 BigIP ASM has suggested, as an action in response to a "Null in multi-part parameter value" violation, to "Set Learn to disabled. Set Alarm to disabled. Set Block to disabled."  Would this be just for this particular traffic? Or would this apply to the whole policy?  If the later, its extreme.

erik_novak · Answer

The setting for that violation applies to the parameter for which the violation occurred.  Does your application handle or otherwise allow a null value as input? If it does, you could safely disable block on that parameter only, (add the parameter to the policy first) . So it isn't really the whole policy. It's just one security check out of many.  The idea is to phase in blocking mode so you prevent false positives. Does that help?

Forum Discussion

Suggested action "Set Learn to disabled. Set Alarm to disabled. Set Block to disabled."

Recent Discussions

Oracle JDBC SSL Termination failing on F5

APM for banner and cert

An Irule for Client Ssl Profile that Allows Unassigned TLS Extension Values (17516)

How to Renew F5 Device Certificate

How to export a list of paired external service providers from APM?

Related Content

XC HTTP loadbalancer returns "WAF like" error page even if WAF is disabled

What does "EPS" in ddos threshold setting stands for?

what protocol and service port are used when the health monitor is set to "bigip"?

HA pair in VMware v7 update 3 - Should "power on connect" be enabled, or disabled for vlans/network?

No Learning Suggestions But could see Violations in the event logs

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS