The security policy is in transparent mode and when I enable block mode for site. The "Illegal parameter value length" logs are appearing in events request and the requested page is getting blocked. Even the parameter is already at that value.
Moreover, I set maximum value length at "Any" but still no progress into it.
BIG-IP v188.8.131.52 (Build 0.0.2)
Kindly recommend the solution for this issue.
Try adding the parameter, explicitly by name, to the security policy. Ensure that the byte length attribute for the parameter is configured for the appropriate maximum length. You can also try changing the value of the parameter wildcard to "Any" which will also prevent the violation but can leave you vulnerable to buffer overflow attempts or other byte-length related attacks. If you already have all the parameters added to the policy, and you know there won't be any additional parameters in the future, you can remove the wildcard. Don't forget to click both Save and Apply Policy options when you make your changes.
Hi Ivan & Erik,
Thank you for your response and supporting me with this.
Currently, there is in the traffic learning no new suggestions/sample requests are available and no related events we can see into Event Logs > Application > Request.
Below are the parameter and maximum Length which we have accepted from previous suggestions,
d User-input value [HTTPS] /scriptresource.axd Maximum Length: 500
__eventvalidation User-input value [HTTPS] /_login/default.aspx Maximum Length: 10000
__viewstate User-input value [HTTPS] /_login/default.aspx Maximum Length: 10000
ctl00* User-input value Global Maximum Length: Any
Note: Now the security policy is set as transparent mode and when enables blocking mode then user gets started ASM support ids and related violations for above parameter value lengths and it will keep asking to modify the earlier maximum length.
For reference, https://cdn.f5.com/product/bugtracker/ID911729.html
Please suggest if any engineering hotfix is available to get this issue resolved permanently or other workaround solution.
Hi Rahul, the bug report indicates that response logging is a condition for this to occur. Are you logging responses? If so, is it vital to log responses? Also, can you see the value of the parameter in the actual request? How much greater than 10,000 is it? You could try increasing the value of the wildcard parameter if it doesn't cause a security concern, and then see if the suggestions stop. You can also ignore the suggestion.
The detected parameter values are odd numbers (Ex. 5674) and when I accept the suggestion then maximum value length will get change from 1000 to 10000. except than "ctl00" there is no new suggestion currently available in traffic learning.
As per recommendation in bug report, I have disabled the "Learn from responses" feature and now I am monitoring the web application traffic and will ignore the suggestions if the value is lesser than applied one.
Kindly suggest if any other recommendations please.
I am not sure that I got your use case - what are you trying to do?
Do you need to Learn parameters from response or not?
Are you interested in restricting parameters by value length or not? If not, then you can set maximum length to any or just disable appropriate violation (or at least disable Learn flag for it).
My questions is, I have already set maximum length Any to parameter "ctl00" but when I enable block mode for policy then an after again users are getting the WAF blocked error under the category of "Illegal Parameter Value Length" for same parameter.
How I can resolve this problem ? please advice.