ASM - order of precedence in denying rules

Nimbostratus

In regards to first question, do you have
```
Blocking
```
tickbox selected for "Illegal URL" violation? You can check this in Security -> App Security -> Blocking -> Settings (If not, select it, save changes, and apply changes to policy)
If you have listed php in your Allowed File Types but have not allowed "/hhhhhhhhhh.php" URL, then any requests to that path will be blocked assuming that:
- 2.1 You have configured your policy to block requests to "Illegal URLs" (see 1.). "Illegal URL" violation occurs when a matching HTTP path is not found in "Allowed URLs".
- 2.2 A Wildcard (*) is not in the "Allowed URLs" list
- tl;dr: Both are evaluated, the URL as well as the File Type. If a violation is triggered on either condition, the other condition cannot supersede and "unblock the request". Therefore, it's not relevant which condition is evaluated first.

Also note that ASM uses incorrect terminology as 'Allowed URL' is technically a 'Allowed HTTP Path'. What's more, there are some problems with what ASM calls a 'Parameter', but that's not really related here. Just acknowledge that incorrect use of terminology is common in the module, and it will stretch out the learning curve or even contribute to some incidents because of misunderstanding.

Forum Discussion

ASM - order of precedence in denying rules

Recent Discussions

AS3 Monitoring multiple ports selectively

Open Redirection Mitigation

Portal Access to HTTPS resources slow

How to Implement 2 Way SSL in F5 LTM

Azure DP-100 Exam Questions

Related Content

Knowledge sharing: Order of precedence for BIG-IP modules, ASM DDOS Protection, Bot Protection

iRule Event Order Flowchart

Verifying Local Traffic Policy and iRule Precedence

Order of cookies

iRule operator evaluation order OR/AND