Forum Discussion

mwitt_65218
Nimbostratus
May 26, 2009

1) F5 creating Global parameter when I have already Object parameter 2) Illegal Request and Object Lengths

Greetings,

I had created the parameter called username and made it an object parameter with Object Path HTTPS and /https://secure.stinson.com/bds/Loginsubmit.do. I allowed the Meta Character @ for that parameter and disabled the Attack Signature SQL-INJ ROOT@ for that parameter so that the user jroot@morrison.com could enter his email address as username. I had created the object for that page, an object with Basic Object Properties and Protocol HTTPS. The Object Name is Explicit and has /https://secure.stinson.com/bds/Loginsubmit.do.

During the weekend jroot@morrison.com logged in. I see in Reports this morning the error. The Request Violation is Illegal Meta Character In Parameter Value and it says IN STAGING for Learn, Alarm, and Block. The Requested Object of the error is [HTTPS]/bds/LoginSubmit.do. The Parameter Name=Value reads username=jroot@morrison.com, the Parameter Violations reads Illegal Meta Character In Parameter Value, and the Parameter Level reads Global Parameter. The Signature Name is SQL-INJ ROOT@ and the Value is jroot@morrison.com.

So it seems that F5 created a GLOBAL username parameter when I had already an object parameter for this page. Why did F5 create this username global parameter when I had already the username object parameter? Should I delete the username global parameter that it seems was created by F5, and if so will F5 create in the future in the same fashion? Or should I allow the particular Meta Character and disable the particular Attack Sig for this global parameter that it seems F5 created? Or should I just click ACCEPT on the log/error for this GLOBAL username parameter that F5 must have created of its own accord?

Also, I have been clicking ACCEPT for bunches of logs in Reports section that concern Illegal Request Length and Illegal Object Length. The Block is not checked though and only Learn and Alarm are checked. It would seem that blocking would occur if and when I were to check Block. The director of network security does not want me to change the allowable length globally. He says to allow White List the specific message/url showing up in the report as acceptable. I have clicked ACCEPT on these logs as they occur, but new logs with Illegal Request Length and Illegal Object Length keep occurring. Is clicking on ACCEPT in the logs a way to allow White List the specific message/url showing up as acceptable? If so, why do new logs arise with the same type of Illegal Request and Object Lengths?

Thanks much in advance!

mwitt

4 Replies

  • I think auto-accept will create a global parameter, but to be honest I'm not sure. If there was some indication as to what the automated tools were going to do before it was done and confirmation of what was done afterwards (and possibly even an option to undo them) I might be willing to use them. As it is, I think it's far better to use the Manual Policy Building tool (Traffic Learning) and actual manual changes. This ensures that you know what changes are being made to the policy.

    I'm pretty sure there is an open Request For Enhancement on this. You could open a case with F5 Support and ask them to find it and add your case to the request.

    Typically, I'd suggest creating a global parameter for any exception you want to make to the global charsets and/or attack signatures. This way you can leave the global rules tight and create a more specific relaxation when required.

    Aaron
  • Benjamin_9036
    Historic F5 Account
    Hello again!

    I may not understand correctly, so correct me if I'm out in left field. Is your Object created exactly as "/https://secure.stinson.com/bds/Loginsubmit.do"? Unless the URL in the browser (when browsing to this) is https://secure.stinson.com/bds/Loginsubmit.do/https://secure.stinson.com/bds/Loginsubmit.do, then this contains a bit too much of the path. Presuming that when you browse to this page, the URL in the address bar looks like this: "https://secure.stinson.com/bds/Loginsubmit.do", then your object should be "/bds/Loginsubmit.do".

    If this is the case, that is probably why you see a global parameter matched, since the more specific Object/Parameter did not match.

    Also, the 'Request Length' and 'Object Length' are settings for Object Types, i.e. ".asp", ".php", ".html" rather than for individual objects. The next time one of these violations occurs, investigate it in the 'Policy Building -> Manual' section. As hoolio suggests, that should clarify where the changes are being made.

    Cheers!

    // Ben
  • Thanks to you both for your replies, Aaron and Ben.

    Yesterday Mike at F5 called me about Case Number C526599 that I had created yesterday. I think I was working at cross purposes because we are in Policy Building Automatic mode with Policy Building on while also I was manually creating objects/parameters. So I need to decide at this point whether to go with Policy Building Automatic or Policy Building Manual. I guess that with Policy Building on, F5 can create a global parameter for username even though I had created already an object parameter for username.

    Ben, if I understood Justin at F5 correctly when I spoke with him in the past about Case Number C523335 that I had created on 15-MAY-2009, I am to use the full URL path of the web page when I create an object, and that then I would use the name of the textbox for the name of the user parameter for the control on that web page. So if the URL of the web page is https://secure.stinson.com/bds/Login.do for the entry into the controls of username and password, I should use /bds/Loginsubmit.do as the object path? Justin at F5 had told me on the telephone that I should always use a beginning / mark in the path part of the object, and that then I should use the full URL from the browser for the web page. Here are some notes from when I spoke with Justin:

    When adding the user-input parameter, I use Object Protocol HTTPS. I use Explicit.

    In the textbox next to the Object Name Explicit,

    I type a forward slash mark and the object names appear.

    I can continue to type the path of the page that is my object to narrow down the choices if there are too many choices.

    So in the textbox to the right of Object Name Explicit, I have /https://secure.stinson.com/bds/Login.do.

    Maybe I misunderstood Justin though.

    Thanks though for your replies, Aaron and Ben. It seems I must decide whether or not at this time I want to go with the Policy Building Automatic On approach or with the Policy Building Manual approach. Then again, maybe my object path was the problem as Ben mentioned.

    mwitt

  • Benjamin_9036
    Historic F5 Account
    Heya,

    The object should be the path, not including the protocol, address, and/or port. Here is some of the ASM documentation for creating Web Objects (which are now called 'URLs' in v10).

    https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm_945_config_guide/asm_security_policy.html1010165

    And here is some web documentation on the portions of the URI: http://en.wikipedia.org/wiki/Uniform_Resource_LocatorSyntax

    Using the nomenclature in the syntax section of that article, the "pathname" is the portion that makes up your web object.

    You might want to create a new policy, just for looking at, and use one of the Application Templates. So "Policy List -> Create" and add a name, and from the drop-down selection for "Security Policy Template" pick one of the applications, and click "Create". Then you can browse around this policy to see (roughly) what a finished policy would look like. Mainly, you can see the format of the web objects in a policy for a specific application.

    Cheers!

    // Ben
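Ben's point (the web object is the pathname only, never the scheme, host or port) can be checked mechanically before a policy change is made. The following is an added example, not code from this thread or from F5: it derives the object name from the URL seen in the browser and explains why a configured object such as "/https://secure.stinson.com/bds/Loginsubmit.do" would never match a request, which is exactly the situation in which ASM falls back to the global parameter. The `case_sensitive` flag is an assumption about how a given policy is configured; note that the original post's report shows `/bds/LoginSubmit.do` while the object was created as `Loginsubmit.do`, so letter case is worth checking too.

```python
from urllib.parse import urlparse


def object_path_from_url(url: str) -> str:
    """Return the ASM web-object name for a browser URL: the 'pathname'
    component only, without scheme, host, port, query or fragment, and
    always beginning with '/'."""
    path = urlparse(url).path or "/"
    return path if path.startswith("/") else "/" + path


def diagnose_object(configured: str, browser_url: str,
                    case_sensitive: bool = True) -> str:
    """Compare a configured object name with the path a real request to
    browser_url carries. Returns 'match' when the object (and therefore its
    object-level parameter relaxations) applies, otherwise a short reason
    why the request would fall through to the global parameter instead.
    case_sensitive is an assumption about the policy's configuration."""
    expected = object_path_from_url(browser_url)
    if configured == expected:
        return "match"
    # Full URL pasted into the Object Name field, e.g. "/https://host/path":
    # this string never equals the path portion of any request.
    if "://" in configured:
        return f"object contains scheme/host; use {expected!r}"
    if not configured.startswith("/"):
        return f"object must begin with '/'; use {expected!r}"
    if configured.lower() == expected.lower():
        if not case_sensitive:
            return "match"
        return "object differs only in letter case from the requested path"
    return f"object {configured!r} does not match requested {expected!r}"


if __name__ == "__main__":
    # Constructed inputs taken from the thread's own URLs.
    url = "https://secure.stinson.com/bds/Loginsubmit.do"
    print(object_path_from_url(url))
    print(diagnose_object("/https://secure.stinson.com/bds/Loginsubmit.do", url))
    print(diagnose_object("/bds/Loginsubmit.do", url))
```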