Cookie Violation - Expired TimeStamp.
Dear Team, I am usually facing an issue with (Cookie Violation-ExpiredTimeStamp), the TS cookies keep are expired always and trigger this violation. I am not sure if i am doing the configurations in the proper way so i need a help how and what is proper way to configure the protection? I mean is there is a relation between the real server session cookie and ASM cookie and how i can avoid the issue which always alarming the violation? it is a general question not specific to any case. Regards, Muhannad
increasing ASM system variable ecard_max_http_req_uri_len
Has anyone needed to increase the ASM system variable ecard_max_http_req_uri_len in a production envinronment? ecard_max_http_req_uri_len 2048 bytes Defines a maximum URI length that the system can support in its internal buffers. If this number is higher (more permissive) than the internal URI-length limit defined per file type, the internal file-type limit is the actual limit. Exceeding this internal limit triggers the HTTP protocol compliance failed violation. If so, how large did you make it?
Bot protection "Browser Verification" results/experience
I am just wondering what everyones user experience has been with "Browser Verification" when enabling anything other than then the defaults via any Bot Protection profile. For instance if I have Browser Verification set to anything other then "Challenge Free Verification" in our Sharepoint environments, "funky" things will happen such as users getting bot error/reference ID page when attempting to sign out or or an EXTREME amount of false positives occur and user traffic is impacted. In environments with older Java based apps, it will cause some browsers to automatically sign out when clicking any link in the web application after login (as if cookie persistence is blocked). I have gone back and forth with F5 in almost all my attempts to enable this future (as browser fingerprinting is something we really would like to utilize) but we just cant get it working in most cases (even with work arounds such as single page application or enable a DOS profile in transparent mode). Is something like Device ID+ the solution for all of my problems? https://www.f5.com/products/security/shape-security/f5-device-idplusUnparsable request content - which security tradeoff ?
Hello all, I am facing a violation for URL length exceeding the default ASM (2048) value. Options to deal with this seems to be : increasing the whole system variable value of 2048 Disable the HTTP compliance check "Unparsable request content" that implies removal of several others HTTP checks for the whole policy. Disabling ASM for the specified URI What do you think that would be the best security tradeoff ? Having no ASM at all for an URI, or releasing some HTTP checks on the whole policy ? or increasing default system value and then increasing ASM load. thanks a lot for any thought
No CAPTCHA - URL is not yet qualified for challenge injection
Hi, I am setting up Brute Force protection in ASM and have noted that I can get this drop traffic and alert, but when attempting to show the CAPTCHA, I only get the blocking page we have configured. The help notes that this occurs when theURL is not yet qualified for challenge injection, but the help also provides no details how to correct this. Can anyone assist? Assuming ASM policy: PolicyX and url: /LoginHere.aspx Thank you[Irule][ASM] Header name with no header value
Hi all I have setup a ASM profile and all my application will through BIG-IP WAF. But I have a issue " HTTP Protocol Compliance Failed: Header name with no header value " for a resquest with header name " abc" has no value. I can bypass it by unblock or disable rule Header name with no header. But This will be applied on all headers. I need to do only with one header. one option I know is to create the iRule. Plz help me for use irule with header name "abc" Thanks Hoang Hung
How to add F5 vendor specific Radius attirbutes to Windows 2008 NPS to authorize external users to different roles
I am running bigip 11.4.1 on a 3900 that is licensed for LTM and ASM with client authentication. I am able to configure user authentication to a Windows NPS radius server and have all external users all get authenticated to the windows radius and authorized to the same default external user role. (This is purely for user login access to the BIG-IP managment interface via a browser). I would now like to create four new Windows user groups: F5-Admin, F5-resource-admin, F5-operator, F5-guest. The goal is to have the Windows NPS radius server return the F5 vendor specific attribute "F5-LTM-User-Role" with the appropriate values for the four roles I need. I have the document: "http://support.f5.com/kb/en-us/solutions/public/14000/300/sol14324.html". It is not clear to me how to add the role attributes to windows 2008 NPS such that the new role attribute will be returned to the F5 after successful authentication. It is also not clear how to configure the F5 to then take the returned role attribute for the user and over-ride (ignore) the default external role setting. thank you for your help.
