Forum Discussion
mwitt_65218
Nimbostratus
NimbostratusThis should not be so difficult.
Hello,
We have F5 ASM v9.4.5 running on a production web app (though very few users use it).
We have Automatic Policy Builder running. A parameter named email was created by it. This is for a textbox to enter the email address of a contact when the user is adding a contact. This email parameter that Automatic Policy Builder created is a user-input global.
When I entered jroot@morrison.com (a real email address of a user who uses this small web app), the Report section showed the error about the Attack Signature SQL-INJ @ROOT. So I clicked ACCEPT on the error. I then clicked APPLY POLICY. I again entered jroot@morrison.com and again received another error. Again I clicked on ACCEPT on the error. I processed again, received the error again, clicked ACCEPT, clicked APPLY POLICY, et cetera. But I keep getting the error.
So I went to the email parameter and manually brought to the left the Attack Sig named SQL-INJ ROOT@ and made sure that the drop down showed DISABLED before I clicked UPDATE. Since the RED M showed since I had modified a parameter and therefore the policy, I clicked APPLY POLICY. I processed again to enter jroot@morrison.com and yet again I received in Report section another error about this Attack Sig not liking jroot@morrison.com. So numerous times I have gone into the email parameter which shows already disabled for this Attack Sig since I have processed numerous times today to click UPDATE for that parameter with DISABLED for this Attack Sig, but STILL I keep getting the error when entering that value.
If the Automatic Policy Builder is running and I click ACCEPT on an error in the Report section AND go to the parameter to disable that Attack Sig, clicking APPLY POLICY whenever the RED M shows for the policy, why do I keep getting the error when I process to enter jroot@morrison.com into the textbox that corresponds to Automatic Policy Builder's email parameter?
Thanks much.
mwitt_65218Also, what am I doing to reset Automatic Policy Builder or why is F5 resetting? I have earlier today as well as in the past manually went to parameters (e.g., lastname, firstname, middlename, homestreet, et cetera) to click the ALLOW EMPTY VALUE because I have received errors when I was processing in the web app to test and utilize F5. For a while I might stop getting the errors for those parameters when I do not enter anything while I am processing to test F5 within the web app, but then YET AGAIN I eventually receive an Illegal Empty Parameter Value error.
If Automatic Policy Builder is running and I get an error for one of its parameters, 1) can I click ACCEPT on the error to allow in the future the value entered, and if so, do I then need to click APPLY POLICY for the security policy as I have been doing? 2) can I also go to the parameter directly to click to allow an empty value and then click APPLY POLICY as I have been doing? Are these two valid ways to respond to the error and are they equivalent of each other? Why then do I again receive an error about Illegal Empty Value when I have clicked ACCEPT on these errors for the parameters and then applied the policy numerous times AND when I have gone to the parameters manually to click to allow empty values for these parameters?
Thanks.
naladar_65658Altostratus
I haven't used the automatic policy builder that much. You might try turning off the Policy Builder, set the policy to blocking mode and apply it. Then wait a few minutes and try the e-mail form again. Then go to Policy Building > Manual. Select the web application from the drop down list that you are working on and that screen will show you all of the violations. Go through the list and disable the policies that are keeping the web e-mail form from working. Then click "Apply Policy", wait a few minutes and then try the form again. That's the method I used on our web apps and it has worked like a charm.
You might also verify that the "Accept" button for the violation you are trying to accept is working as intended. There are a few rare cases (like when the value is a / sign) that it may not work as intended. I will look that up on AskF5 and see if I can find the solution article on that. Just want to be sure...- mwitt_65218Hi Naladar,
I thank you very much for your reply.
Somebody at F5 had helped our director of network security to set up everything. The man at F5 was on the speaker 'phone with our director of security and had control of his computer. When I was instructed to start working within the Application Security section for this particular web app, the Automatic Policy Builder was on already.
Yeah, I guess I need to turn off Automatic Policy Builder.
Thanks again,
mwitt - mwitt_65218Naladar,
If I turn off Automatic Policy Builder and am in Manual mode, how do I turn off a particular Attack Signature (e.g., SQL-INJ @ROOT) for a particular parameter? I do not want to turn off for the whole web app this Attack Signature but only want to turn it off for certain controls.
If I click Policy - Blocking - Settings, I see how I could refrain from clicking Blocking for this particular Attack Sig, but I am thinking that this would turn off the Attack Sig completely.
When I am in Manual mode and am not in Automatic Policy Building mode, can I still go to the parameter itself to disable a particular Attack Sig? Of course I have done this already and have disabled the Attack Sig for the email parameter, but for some reason Automatic Policy Builder or F5 keeps showing an error in the Report section.
Thanks much in advance,
mwitt - naladar_65658I forgot to mention that chapter 9 in the ASM manual covers configuring parameters manually. It is roughly 26 pages long, but here is an excerpt... "Configuring parameters for a web application can be a lengthy and arduous task. While you can do this manually, as explained throughout the remainder of this chapter, you can also use the Policy Builder and the Learning process to help you discover the parameters and values that are part of your web application."
The "Learning process" is the one I described in my previous post. - mwitt_65218Thanks very much, Naladar.
Maybe I need to turn Staging off. When I go to Policy Building Manaul and click the Attack Signature Staging, I see the SQL-INJ ROOT@ with the value Disable On Parameters in the drop down rather than the other drop down choices Enable and Disable. So there is no Accept button.
I will read the information you suggested and see if I can figure out the situation.
Thanks very much again, Naladar. I am grateful for your help and suggestions.
mwitt - naladar_65658Hmm... if you are looking at an attack violation, which it sounds like you are, and you DO NOT SEE an accept button in the top right hand corner after you have opened the violation, then I believe that the policy has already been instructed to accept that parameter. Not sure, but does your policy have an "M" beside it? I will have to put some things into staging to test... I can't remember off the top of my head. Best bet maybe to "Apply Policy", clear the logs, wait ten and try again and see if it works now. If not check back on the manual screen and see if any more violations show up.
- mwitt_65218I went to Policy Building Manual and clicked Attack Signature Staging. I clicked the arrow for Signature Name SQL-INJ ROOT@ to expand/show and I see the email parameter with the value Disable in the Action column. So this verifies that I had gone to the Parameter section to disable this Attack Sig for this email parameter.
I processed in the web app again and afterwards I see that there is one more incident for this email parameter in the Attack Signature Staging within Policy Building Manual. So I clicked on the Number of Incidents for this email parameter and went to the last page and clicked to open the error/log. I can see by the time of day of this error/log that this is the most recent error. I clicked ACCEPT for this error/log and then clicked to Apply Policy since I saw the RED M.
Again I processed in the web app to enter the value to the textbox and yet again I get a new error in Reports section and a number higher by 1 in the Number of Incidents part of email parameter within the Attack Signature Staging link of Policy Building Manual.
Maybe I am not waiting long enough though as Naladar mentioned that I need to wait a few minutes. For example, I processed again, received the same error/log in Reports and a higher of incidents in the column for email parameter in Attack Signature Staging link of Policy Building Manual, and I clicked on the of incidents to go to the last incident (most recent) to click to open and click APPLY. There is no RED M yet, so I am thinking that I need to wait a few minutes to apply the policy. But I clicked Apply Policy when there was a RED M already. - mwitt_65218Yes, I do see ACCEPT on the violation.
After I process to enter the value into the email textbox, I see an error/log for it in the Report section and also in the Policy Building Manual section.
After I process to enter the value "jroot@morrison.com", I go to Policy Building Manual. I click Attack Signature Staging. I see the SQL-INJ ROOT@ in the Signature Name column. I click the arrow to show the parameters. I see the email parameter with the value Disable in the Action column. I click on the number (now 41) in the Recent Incidents column of the email parameter and the Dialog Window opens. I click to go to the last page and click the last error in the Dialog Window since it is the most recent per the date/time stamp in the error. I then click the ACCEPT button.
I then see the Automatic Policy Building Configuration written at the top. I see at the top that the Policy Building Is Running for a minute or two. Then I see at the top The Policy Builder Is Not Running. So I see what you mean when you wrote about how briefly the Automatic Policy Builder runs.
I wait ten minutes or so though and I do not see a RED M.
Anyway, when I process again ten or fifteen minutes later, I get another error (the same error).
All along though, from the very beginning, the email parameter has this Attack Sig disabled. So what am I accepting when I click ACCEPT button considering that the error should not have been generated in the first place since I had disabled this Attack Signature for this email parameter? Clicking ACCEPT on each generated error and waiting until after the Automatic Policy Building runs briefly does not help as I keep getting the error every time I process.
Thanks much though for your help. I have created a Case Number C530401 about this issue. - naladar_65658Good deal, they will be able to help you out I bet. If you don't mind posting the answer once you have closed the case I would appreciate it, I am rather curious.
Have a good one!