Forum Discussion

2funky_105078
Sep 06, 2016

ASM - order of precedence in denying rules

Hello,

  1. I have a list of a few URLs allowed, which has been enforced OK.
  2. I finished the learning process (disabled both RTPB and learning for URL entities; set to "Never (Wildcard Only)").
  3. I don't have any * wildcard in the allowed-URLs list.
  4. I do have .php as an allowed file extension.

Why does ASM not block a non-existing URL like hhhhhhhhhh.php (why does it use rule 4 and not rule 1 to deny this page)?

How can I allow only a limited set of URLs with a particular extension?

More generally, if there are overlapping policy rules in URLs/File Types, which ones are enforced first?

4 Replies

    1. In regards to the first question, do you have the Blocking tickbox selected for the "Illegal URL" violation? You can check this in Security -> App Security -> Blocking -> Settings (if not, select it, save changes, and apply changes to the policy).

    2. If you have listed php in your Allowed File Types but have not allowed the "/hhhhhhhhhh.php" URL, then any requests to that path will be blocked, assuming that:

      • 2.1 You have configured your policy to block requests to "Illegal URLs" (see 1.). An "Illegal URL" violation occurs when a matching HTTP path is not found in "Allowed URLs".
      • 2.2 A wildcard (*) is not in the "Allowed URLs" list.

      • tl;dr: Both are evaluated, the URL as well as the File Type. If a violation is triggered on either condition, the other condition cannot supersede it and "unblock the request". Therefore, it is not relevant which condition is evaluated first.

    Also note that ASM uses incorrect terminology, as 'Allowed URL' is technically an 'Allowed HTTP Path'. What's more, there are some problems with what ASM calls a 'Parameter', but that's not really related here. Just acknowledge that incorrect use of terminology is common in the module, and it will stretch out the learning curve or even contribute to some incidents because of misunderstanding.
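    The evaluation logic the reply above describes, written out as a small Python model (an added example, not code from the page, from F5, or from the ASM engine). The `Policy` fields, the function names, the `block_*` flags standing in for the Blocking tickboxes, and the glob-style handling of a `*` entry are all assumptions made for this illustration; the sample URLs are constructed. It reproduces the original poster's setup (a few explicit .php paths allowed, `php` as an allowed file type, no wildcard) and then the two configurations under which the unknown `/hhhhhhhhhh.php` would get through: the "Illegal URL" Blocking tickbox off (violation raised, alarm only) and a `*` wildcard present in Allowed URLs (no violation at all).

```python
# Added illustration (not F5 code): a minimal model of how an ASM policy
# evaluates one request against Allowed URLs and Allowed File Types.
# Policy fields, function names and the match semantics are assumptions
# for this example; the real engine performs many more checks.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

ILLEGAL_URL = "Illegal URL"
ILLEGAL_FILE_TYPE = "Illegal file type"


@dataclass
class Policy:
    allowed_urls: set          # explicit HTTP paths; a "*" entry acts as the wildcard
    allowed_file_types: set    # extensions without the dot, e.g. {"php"}
    block_illegal_url: bool = True        # the "Illegal URL" Blocking tickbox
    block_illegal_file_type: bool = True  # the "Illegal file type" Blocking tickbox


def file_type_of(path):
    """Derive the file type from the last path segment ("no_ext" when none)."""
    last_segment = path.rsplit("/", 1)[-1]
    if "." not in last_segment:
        return "no_ext"
    return last_segment.rsplit(".", 1)[-1].lower()


def url_is_allowed(policy, path):
    """Explicit entries match exactly; entries containing "*" are glob-matched."""
    return any(fnmatchcase(path, entry) for entry in policy.allowed_urls)


def evaluate(policy, raw_url):
    """Return (blocked, violations) for one request.

    Both entity types are checked independently and every violation is
    recorded; the request is blocked if ANY raised violation has its
    Blocking flag set. Nothing here depends on evaluation order, which is
    the point of the tl;dr above: a passing file-type check cannot
    "unblock" a request that already failed the URL check.
    """
    path = urlsplit(raw_url).path or "/"
    violations = []
    if not url_is_allowed(policy, path):
        violations.append(ILLEGAL_URL)
    if file_type_of(path) not in policy.allowed_file_types:
        violations.append(ILLEGAL_FILE_TYPE)

    blocking = {
        ILLEGAL_URL: policy.block_illegal_url,
        ILLEGAL_FILE_TYPE: policy.block_illegal_file_type,
    }
    blocked = any(blocking[v] for v in violations)
    return blocked, violations


def demo():
    """The original poster's setup, with constructed sample requests."""
    strict = Policy({"/index.php", "/login.php"}, {"php"})
    results = {
        # Allowed explicitly: no violations (query string is ignored for the path).
        "allowed": evaluate(strict, "/login.php?user=a"),
        # Path missing from Allowed URLs: Illegal URL, even though .php is allowed.
        "unknown_php": evaluate(strict, "/hhhhhhhhhh.php"),
        # Both entity checks fail; order of evaluation makes no difference.
        "unknown_html": evaluate(strict, "/login.html"),
    }
    # Two ways the unknown .php URL can slip through, matching points 1 and 2.2.
    alarm_only = Policy({"/index.php", "/login.php"}, {"php"}, block_illegal_url=False)
    results["tickbox_off"] = evaluate(alarm_only, "/hhhhhhhhhh.php")
    with_wildcard = Policy({"/index.php", "/login.php", "*"}, {"php"})
    results["wildcard"] = evaluate(with_wildcard, "/hhhhhhhhhh.php")
    return results


if __name__ == "__main__":
    for name, (blocked, violations) in demo().items():
        print(f"{name:12s} blocked={blocked!s:5s} violations={violations}")
```

    The `tickbox_off` case is the one worth checking first when a request that "should" be blocked gets through: the violation is still raised and logged, but with Blocking unchecked it is alarm-only. The same symptom appears when the policy as a whole is in transparent enforcement mode rather than blocking mode, so that is the second thing to verify before looking for a precedence rule that does not exist.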

    • Jinshu

      Cheers Hannes.. You rock!!

      -Jinshu