My v12.2 F5 BigIP ASM has suggested, as an action in response to a "Null in multi-part parameter value" violation, to "Set Learn to disabled. Set Alarm to disabled. Set Block to disabled." Would this be just for this particular traffic? Or would this apply to the whole policy? If the latter, it's extreme.
The setting for that violation applies to the parameter for which the violation occurred. Does your application handle or otherwise allow a null value as input? If it does, you could safely disable block on that parameter only (add the parameter to the policy first). So it isn't really the whole policy. It's just one security check out of many. The idea is to phase in blocking mode so you prevent false positives. Does that help?