Forum Discussion

Greg_33558
Jun 11, 2015

ASM: How to expand length limits for select URLs?

I have an ASM policy where I've left the Request Length and POST Data Length at the defaults (5000/1000). This is fine for 99.9% of the site, but I do have a /fileUpload URL which is expected to exceed these limits every time it's used. The parameter named 'file' is used to upload documents and images, so I've created a 'file' parameter which has unlimited length:

However, file uploads still trigger Illegal POST data length and Illegal request length violations - increasing the limit for that parameter doesn't help because the overall request still violates those restrictions.

How can I increase the Request and POST data lengths for just this URL? I only need large uploads on this one URL, but I don't want to loosen the restrictions over the rest of the site to allow it.

Update

Here are two example violations, the first from a Production system in Transparent mode, the second from a Development system in Blocking mode. The Development policy was exported and then imported into the Production device, and upon re-export they're essentially equivalent except insofar as the signature bases differ between the two systems.

Here's the Transparent system with a .tiff file, HTTP Content-Length is 227323 bytes:

Here's the Blocking system with a .tiff file, HTTP Content-Length is 11934876 bytes:

I can't even seem to trigger the same violations on my Development box, and can only trigger by going with a much larger file. It's a little distressing.

5 Replies

  • NikhilB_149913
    Historic F5 Account

    When you click on either of the violations what do they say? (can you post here)

    The post/query length relate to file types that you have accepted. Is there one you can associate/create for this upload?

    If you uncheck the 'block' button for the 2 violations and leave the learn/alarm buttons checked, how many violations does it pick up on? (Are length violations a serious concern for the web app you are trying to protect?)

    • gowenfawr
      I've updated the initial post with click-throughs on all the details on two different systems; hopefully those details will shed some light. The F5 determines that these are "no_ext", even though the file upload was .tiff in both cases. I will try creating a .tiff extension and seeing if I can then exempt these uploads from the size restrictions that way. This ASM policy has been in Transparent mode on our Production site for 48 hours; in that time it would have blocked 415 uploads as a result of this issue. There is one URL that is used to upload files; all other forms across the site have much smaller input (e.g., the login form is only going to take a few dozen characters as input). It is reasonable to want to limit length on the vast majority of the site, but to allow greater lengths on an upload form - the length restrictions wouldn't exist if there wasn't a basic security value on the average form. I appreciate your help!
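To make the thread's point concrete, here is an added, simplified model (not F5's code) of how ASM applies these limits. It assumes the file type is taken from the extension of the requested URL path (so /fileUpload classifies as no_ext, whatever the uploaded file is called), that Request Length and POST Data Length are enforced per file type, that a parameter limit covers only that parameter's value, and that parameters not listed in the policy are not checked. It shows why the unlimited 'file' parameter does not clear the two violations, and that relaxing the no_ext file type also covers every other extension-less URL such as /login.

```python
# Added example, not F5 code: a simplified model of ASM length enforcement.
# Assumptions: file type = extension of the requested URL path ("no_ext" when
# there is none); Request Length / POST Data Length apply per file type; a
# parameter limit covers only that parameter's value; unlisted parameters are unchecked.
from __future__ import annotations
from dataclasses import dataclass, field
import posixpath

@dataclass
class FileTypeLimits:
    request_length: int | None = 5000    # None means unlimited; defaults from the thread
    post_data_length: int | None = 1000

@dataclass
class Policy:
    file_types: dict[str, FileTypeLimits] = field(default_factory=dict)
    parameters: dict[str, int | None] = field(default_factory=dict)  # name -> max length
    default: FileTypeLimits = field(default_factory=FileTypeLimits)

def file_type(path: str) -> str:
    """Extension of the last path segment, as ASM classifies it, else 'no_ext'."""
    name = posixpath.basename(path.split("?", 1)[0])
    return name.rsplit(".", 1)[1].lower() if "." in name else "no_ext"

def check(policy: Policy, method: str, path: str, headers: dict, body: bytes, params: dict) -> list:
    """Violations a request would raise under this model (request sized as sent on the wire)."""
    limits = policy.file_types.get(file_type(path), policy.default)
    head = f"{method} {path} HTTP/1.1\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers.items()) + "\r\n"
    found = []
    if limits.request_length is not None and len(head.encode()) + len(body) > limits.request_length:
        found.append("Illegal request length")
    if method == "POST" and limits.post_data_length is not None and len(body) > limits.post_data_length:
        found.append("Illegal POST data length")
    for name, value in params.items():
        cap = policy.parameters.get(name)
        if cap is not None and len(value) > cap:
            found.append(f"Illegal parameter value length ({name})")
    return found

# Constructed request: a 12000-byte document in the 'file' parameter posted to /fileUpload.
UPLOAD = dict(method="POST", path="/fileUpload",
              headers={"Host": "example.test", "Content-Type": "multipart/form-data"},
              body=b"x" * 12000, params={"file": b"x" * 12000})

def with_unlimited_file_param() -> list:
    """The original poster's setup: 'file' unlimited, file-type limits left at defaults."""
    return check(Policy(parameters={"file": None}), **UPLOAD)

def with_no_ext_raised() -> list:
    """Unlimited no_ext limits clear the upload, but file_type('/login') is no_ext as well."""
    return check(Policy(parameters={"file": None},
                        file_types={"no_ext": FileTypeLimits(None, None)}), **UPLOAD)
```

Because the limits are keyed by file type rather than by URL, the relaxation in `with_no_ext_raised` reaches every URL without an extension; keeping the upload endpoint on its own distinguishable file type is what lets it be treated differently from the rest of the site.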
      I've updated the initial post with click-throughs on all the details on two different systems; hopefully those details will shed some light. The F5 determines that these are "no_ext", even though the file upload was .tiff in both cases. I will try creating a .tiff extension and seeing if I can then exempt these uploads from the size restrictions that way. This ASM policy has been in Transparent mode on our Production site for 48 hours; in that time it would have blocked 415 uploads as a result of this issue. There is one URL that is used to upload files; all other forms across the site have much smaller input (e.g., the login form is only going to take a few dozen characters as input). It is reasonable to want to limit length on the vast majority of the site, but to allow greater lengths on an upload form - the length restrictions wouldn't exist if there wasn't a basic security value on the average form. I appreciate your help!