F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Naveenkumar_Sh2's avatar
Naveenkumar_Sh2
Icon for Nimbostratus rankNimbostratus
Apr 25, 2018

WAF is blocking legitimate traffic for 500 response code

Hi,   We are observing WAF is blocking the request under violation "illegal response code in Http request". Waf is prompting the error 500 response code, Hence Web Application is responding the re...
ASM Advanced WAF
security
youssef1's avatar
youssef1
Icon for Cumulonimbus rankCumulonimbus
Apr 26, 2018

Hello Naveenkumar,

 

First of you can manage Allowed Response Status Codes in Security ›› Application Security : Policy : Policy Properties.

 

In all case it good to block all application error code this can give information used to the hacker.

 

So in order to check the response code of your application you can check events logs (Request and response) it's reliable.

 

otherwise you can also make an irule to check status code in response.

 

are you sure that part of the request is not truncated, blocked (by asm) or alter which could cause a 500 error. you can for example have an ajax request that is blocked and not visible in the request ... (not in your case but as an example).

 

Regards