Forum Discussion

RonR10_181817 (Nimbostratus)
Dec 14, 2017

Issue: ASM Violation that is manually disabled is automatically enabled days later

Hi all - we have an interesting dilemma with our F5 ASM policy. We are running two BIG-IP 5050, Software Version BIG-IP v11.5.2 (Build 0.0.141), configured in an Active-Standby configuration.

We have a Security Policy running in Blocking Enforcement Mode and we've experienced two incidents where we've disabled two sub-violations under the "HTTP protocol compliance failed" list. We would save the configuration and apply the policy as part of the normal process of making changes to the policy, but within a couple of days, we've noticed that the two sub-violations are enabled again. Does anyone know why this is happening? Is this a bug in v11.5.2?

The two sub-violations are:

  1. "Check maximum number of headers"
  2. "Check maximum number of parameters"

The attached screenshot shows the two violations that should be disabled, which they are now. Also note that this is the only ASM policy configured on the F5.

Thanks in advance for any insight and assistance.

Ron

4 Replies

  • Are you running Automatic Policy Builder? Many people will deploy Automatic Policy Builder, and then try to manually tweak their configuration. That's fine so long as you remember to disable Automatic Policy Builder. If not, the APB will happily change settings on your policy to match what it thinks you want. This is not always what you actually want.

  • RonR10 (Nimbostratus)

    Chris - Are you referring to the "Real Traffic Policy Builder" setting in Application Security\Policy Building\Settings?

  • Correct. You will want to disable the Real Traffic Policy Builder (or automatic policy builder) to correct this behavior. Note that the behavior is not incorrect, but the machine learning is not as discerning as a human reviewer, and sometimes the choices it makes are not the choices that we would like it to make.