For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Scott123456789's avatar
Scott123456789
Icon for Cirrus rankCirrus
Jan 11, 2021
Solved

ASM flagging legitimate traffic as "most likely a threat"

I'm fairly new to managing ASM and I'm learning on the fly. In this case, the protected application is a Jira instance. Most traffic that ASM has blocked for this application so far has been a single...
application delivery
ASM Advanced WAF
  • Scott123456789's avatar
    Scott123456789
    Jan 14, 2021

    According to F5 support, the problem was that ASM was trying to parse the attachment being uploaded. This is the job of anti-virus, not ASM. The solution was to create an allowed URL exception in the policy for this type of content.

     

    This instructs ASM to not inspect the BODY of the request:

     

    - Browse to: Security ›› Application Security : URLs : Allowed URLs : Allowed HTTP URLs

    - make sure to 'select' the correct policy

     

    - click 'Create' (for New Allowed URL)

     

    - change view to 'Advanced'.

    - Specify the URL (Explicit, [HTTPS] /rest/internal/2/AttachTemporaryFile)

    - uncheck staging

     

    - click on 'Header-Based Content Profile':

     Request Header Name: Content-Type

     Request Header Value: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet   

     Request body handling: Do nothing

     click 'Add'.

     move it up the list

     

    - click 'Create'.

     - Apply Policy

Erik_Novak's avatar
Erik_Novak
Icon for Employee rankEmployee
Jan 13, 2021

Can you post a screenshot of the blocked request? My guess is that it's not because of attack signatures--because you turned off the block flag (checkbox) and the signatures are most likely in staging unless you enforced them previously.