Why can't I be intercepted on Awaf by configuring Request Content AND does not contain string? What's the reason?

Question

Why can't I be intercepted on Awaf by configuring Request Content AND does not contain string? What's the reason?&nbsp;

samstep · Answer

It looks like your requirement is to allow only two URLs in your ASM policy to protect an API, however what you are trying to do is to write a an attack signature which will block all requests and only allow API ones. This is inefficient and difficult to configure and debug as you may have noticed.&nbsp;
A better and cleaner approach would be to simply create those two API URLs (ending *r_code and *r_key) as the only allowed URLs in the policy (e.g. delete the * wildcard) and make sure that 'Illegal URL' is set to 'Block' - that's it! All other requests will be blocked automatically without a need to write and maintain custom Attack Signatures.&nbsp;

Forum Discussion

Why can't I be intercepted on Awaf by configuring Request Content AND does not contain string? What's the reason?

1 Reply

How I did it - "High-Performance S3 Load Balancing of Dell ObjectScale with F5 BIG-IP"

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

SSL Orchestrator and Traffic Flows

ISV logging in 17.1.2.2

Issue with 2 parallel F5 clusters

Version 17.5.1 as next move?

Upgrade Path for BIG-IP 2000 – Out of Warranty and EoRMA Status

Related Content

DNS Interception: Protecting the Client

F5 BIG-IP Advanced WAF – DOS profile configuration options.

LTM Diameter iRules and Profile Configurations with Support for Server Initiated Request

Logging DNS Requests

Advanced Threat Mitigations via SSL Intercept

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS