Bypass the character for Evasion technique Detected violation
Hi, I need help to bypass or allow %", character which has triggered the Detection violation(Bad unescape) in JSON POST Data. This is legitimate request and i don't see this request on learning suggestion. I am able to find with the help support ID provided by user under the event logs.1.1KViews0likes4CommentsAutomate ASM "Ready to Be Enforced" Attack Signatures
Hi All, Problem scenario is this: Multiple F5 ASM deplyoments which use BigIQ to push out updated attack signatures ( works well ) and a 14 day Enforcement Readiness Period. This all works well up to this point, where someone manually has to go and click the "Enforce Ready Entities" button. That sounds like a minor thing to do, but in an Enterprise it includes change control/PVT etc to do... ...but automating this out as a fortnightly thing should reduce risk and I can do other things. So I am comfortable with the API, but looking at v13/v14 API I dont see a functionality that can do this for me. Has anyone done this last step to fully utomate attack signature updates ?Solved2.5KViews1like11CommentsASM Policy in "Blocking" Mode switch to "Transparent" for some IP's
I have a policy that I need to switch to blocking but the business want to have a phased approach. Only the testing team should be in Blocking, while the rest of the business (a different IP range) remains in transparent. I need to keep the same policy so that I can "proof" that everything is running fine. Is there a method to do that ? Was thinking about an iRule but dont know how. I know how to disable ASM with an iRule but, that's something I don't want because I need to keep the learning suggestions. Bye St.433Views0likes6CommentsF5 WAF/ASM block users that trigger too many violations by source ip/device id using the correlation logs
Hello to All, I was thinking of using the iRule tables command to write when a user ip/device id makes too many violations for a time perioud and to get blocked for some time but I see that the F5 ASM has correlation logs that trigger incidents but there is not a lot info if this can be used in iRules or to block user ip addresses / deviceid. https://support.f5.com/csp/article/K92532922Solved1.7KViews1like7CommentsASM cookie, modifying "domain" field
Is it possible to modify "domain" field in the ASM cookie ? As it appears ASM is using a hostname from http header, unfortunately the host is replaced to an internal hostname (required by an app) in an irule. So scanners point that this is a vulnerability.475Views0likes2CommentsCookie Violation - Expired TimeStamp.
Dear Team, I am usually facing an issue with (Cookie Violation-ExpiredTimeStamp), the TS cookies keep are expired always and trigger this violation. I am not sure if i am doing the configurations in the proper way so i need a help how and what is proper way to configure the protection? I mean is there is a relation between the real server session cookie and ASM cookie and how i can avoid the issue which always alarming the violation? it is a general question not specific to any case. Regards, Muhannad1.7KViews0likes4Commentsincreasing ASM system variable ecard_max_http_req_uri_len
Has anyone needed to increase the ASM system variable ecard_max_http_req_uri_len in a production envinronment? ecard_max_http_req_uri_len 2048 bytes Defines a maximum URI length that the system can support in its internal buffers. If this number is higher (more permissive) than the internal URI-length limit defined per file type, the internal file-type limit is the actual limit. Exceeding this internal limit triggers the HTTP protocol compliance failed violation. If so, how large did you make it?555Views0likes3CommentsBot protection "Browser Verification" results/experience
I am just wondering what everyones user experience has been with "Browser Verification" when enabling anything other than then the defaults via any Bot Protection profile. For instance if I have Browser Verification set to anything other then "Challenge Free Verification" in our Sharepoint environments, "funky" things will happen such as users getting bot error/reference ID page when attempting to sign out or or an EXTREME amount of false positives occur and user traffic is impacted. In environments with older Java based apps, it will cause some browsers to automatically sign out when clicking any link in the web application after login (as if cookie persistence is blocked). I have gone back and forth with F5 in almost all my attempts to enable this future (as browser fingerprinting is something we really would like to utilize) but we just cant get it working in most cases (even with work arounds such as single page application or enable a DOS profile in transparent mode). Is something like Device ID+ the solution for all of my problems? https://www.f5.com/products/security/shape-security/f5-device-idplus1.5KViews0likes3CommentsUnparsable request content - which security tradeoff ?
Hello all, I am facing a violation for URL length exceeding the default ASM (2048) value. Options to deal with this seems to be : increasing the whole system variable value of 2048 Disable the HTTP compliance check "Unparsable request content" that implies removal of several others HTTP checks for the whole policy. Disabling ASM for the specified URI What do you think that would be the best security tradeoff ? Having no ASM at all for an URI, or releasing some HTTP checks on the whole policy ? or increasing default system value and then increasing ASM load. thanks a lot for any thought566Views0likes4CommentsNo CAPTCHA - URL is not yet qualified for challenge injection
Hi, I am setting up Brute Force protection in ASM and have noted that I can get this drop traffic and alert, but when attempting to show the CAPTCHA, I only get the blocking page we have configured. The help notes that this occurs when theURL is not yet qualified for challenge injection, but the help also provides no details how to correct this. Can anyone assist? Assuming ASM policy: PolicyX and url: /LoginHere.aspx Thank you2.2KViews0likes7Comments