BigIP ASM Problems with FileUploads with SOAP
Hi there, actually my ASM Policy is blocking a file upload for one application with the error message: HTTP protocol compliance failed Chunks number exceeds request chunks limit: 1000 I raised the chunks limit blindly from 1000 to 1500 with no success. Where I can see the actually number of chunks without capturing the traffic? After disabling the funktion "Unparsable request content" Upload went through without a problem. But from the notice I would stick this on? Note that disabling this check can result in losing many enforcement features in the ASM. Sametime I get the following syslogs: ASM out of memory error: event code X242 Exceeded maximum memory assigned for XML/JSON processing Cannot allocate 27415074 more bytes for XML parser. current memory size 837505174 (in bytes) As you can see I raised the available memory for XML request from 450MB (default) to nearly the double.
Malformed XML data
Hi all, have xml request like below ASM was detect this request as XML parser attack (Malformed XML data). In policy XML profile is Default When delete all <value> and <field>, request is ok BI It's by desing with default XML profile? is there a solution that would allow the request to be resolved given with this <value> and <field>. ThxCache based on SOAP XML Envelope content
Hi guys! We got a tricky question from our developers. They have a service which gets a bit too much traffic and would like to cache the responses for around 10 seconds based on the content in the envelope tag of a SOAP request. I have an idea but I'd like to check with you guys first before starting to look into it properly. So here's the sample SOAP request (could not paste it here so I needed to use tny): http://tny.cz/bbfdf261 My idea is to parse the SOAP request and create an URI out of the envelope content and cache the request based on the URI: https://subdomain.domain.com/PartnerService/PartnerServices.svc?FetchLiveMarkets=1&siteid=1&numberofmarkets=10&timezonename&gmtstandardtime&partnerref=1 Looking into either using HTTP::payload or the XML commands (not sure if I can trust them in production though as it requires an EA license. The alternative is to throttle the incoming requests and limit them to 1 per second but I prefer not to go down that route if the caching works. Perhaps there's a better way? Grateful for any ideas, suggestions or even warnings. :) Kind regards, Patrik
ASM JSON/XML payload detection & Automatically detect advanced protocols
Hello team, I have a question regarding the learning suggestions, I want to know if it is possible for the ASM to suggest the association of an XML profile to a specific URL. In other words, is there a way to configure the ASM so that when XML traffic passes through it then a learning suggestion rises saying "you have to associate an XML for this URL" In this article : https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-getting-started-12-1-0/3.html The Policy Builder builds the security policy as follows: Examines application content and creates XML or JSON profiles as needed (if the policy includes JSON/XML payload detection) ...etc we can read explicitly that it is possible IF we enable the "JSON/XML payload detection" then the answer to my question is "Yes" . The problem is that I can't find this "JSON/XML payload detection" option in the GUI. Could you please help on this ? Many thanks, Karim
XML Content Based Routing
I am trying to configure my LTM to send VS requests to a specific pool based on the content of an XML document. The XML contains an 'orgName' which is essentially a customer identification number. I want to compare the orgName with the contents of a data group and if there is a match send the request to pool_A else send the request to the pool_B. Any help would be greatly appreciated!
Can I allow Buffer Overflow attack signatures in just an XML request?
The website has an upload page where people can submit receipts. The request looks like this: 4AAQSkD6RXhpZgAuocAAcAAAgMAAAAPgAAAAAc6gAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..... We have determined that the "A"s represent the white space in the image and since it is a receipt, a large area of it is white, but this is throwing the Generic buffer overflow attempt 1 attack signature due to the large sequence of "A"s. The question is if there is a way to just turn off this signature for this URI. Since the overflow false positive is in the XML I do not know of a way to do this, and we do not what to have to turn off buffer overflow signatures for the whole site. We only have one policy for the whole site and are unable to use the LTM side to split up the traffic to different policies. Thank you.
