Why is 403 excluded in defaults allowed HTTP Status Codes in AWAF/ASM ASP?

epaalx · ‎27-Mar-2022

Hi Experts,

HTTP Status Code 403 seems to be a reasonable response by a web application unwilling to fulfuil a request. So, I'm at loss to understand why F5 excluded it from default allowed HTTP Status Codes in AWAF/ASM ASP - can anyone enlighted?

R's, Alex

epaalx · ‎28-Mar-2022

FYI... Original K52325602 was wrong - now corrected by removing 403 and 500.

View solution in original post

Samir · ‎27-Mar-2022

Not sure which version of ASM7WAF you are running. I haven't face such issue.

https://support.f5.com/csp/article/K52325602

Capture form above link

The default BIG-IP ASM configuration allows by default response codes 200 through 399 and 400, 401, 403, 404, 407, 417, 500 and 503. All other HTTP response codes are blocked by the BIG-IP ASM

epaalx · ‎28-Mar-2022

I had to do a double take.., but no... in my v16.1.0, "403" is excluded from default (for Fundamental template).

Also, in your hyperlink's hyperlink K7922: Overview of BIG-IP ASM HTTP response code filtering, 403 is also excluded for "BIG-IP ASM 11.3.0 and later"

Samir · ‎28-Mar-2022

Link K7922: Overview of BIG-IP ASM HTTP response code filtering, is valid till v14.x as per details has updated.

Link https://support.f5.com/csp/article/K52325602 is valid till v15.x per details.

epaalx · ‎28-Mar-2022

So, back to question - why 403 omitted (before and after v15)?

epaalx · ‎28-Mar-2022

FYI... Original K52325602 was wrong - now corrected by removing 403 and 500.

DevCentral

Why is 403 excluded in defaults allowed HTTP Status Codes in AWAF/ASM ASP?