Knowledge sharing: F5 ASM/Advanced WAF options for granual control and bypassing, when there is a false positive.

1. When a false positive violation or signature is triggered for a url or parameter you don't need to disable the violation/signature for the entire ASM policy as you can always use iRules to just bypass the violation/signature just a specific URL or Parameter :

For signatures:

• https://support.f5.com/csp/article/K8866
• https://support.f5.com/csp/article/K65408955
• https://support.f5.com/csp/article/K52644614

 

 

For violations:

 

• https://support.f5.com/csp/article/K15573541

 

2. You can also bypass attack signatures for XML data by using XML profile as you can do the same for JSON data with the JSON profile:

 

• https://support.f5.com/csp/article/K15638905
• https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-13-0-0/20.html

 

 

 

3. You can also use a Local Traffic policy but it only has the event "ASM::disable" that stops the ASM for everything not just for the one false positive. I hope that the F5 team will add the "ASM::unblock" to the Local Traffic policy options but for now I don't recommend this.

 

• https://support.f5.com/csp/article/K14709

 

 

4. Another note is if you upload files then they in many cases may trigger attack signatures but just adding an explicit custom parameter with Value Type "User-input value" and Data Type "File Upload" will make the ASM to not trigger signatures for the files being uploaded:

 

 

• https://support.f5.com/csp/article/K74535942
• https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-11-5-0/29.html

 

5.Also when using iRules with the ASM check under the ASM policy what is the ASM iRules Event Mode as it could be Compatibility Mode or Normal Mode as the old way was Compatibility Mode and when bypassing the ASM for a violation it also bypassed any other violations that may have triggered after that and not being false positivies:

 

• https://techdocs.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-implementations-13-0-0/31.html

 

6. Also for masking the sensitive Data in the ASM logs as in many cases some information shouldnt be logged because of legal implications see:

 

• https://support.f5.com/csp/article/K52154401
• https://support.f5.com/csp/article/K39482497

 

7. The new Microservices option under the WAF policy is a great way to stop some RFC or evasion checks for a particular host and URL without iRules and the signature violations can just be removed by creating an allowed URL and bypassing this. Just the general violation's will still need  an irule to be bypassed.

 

• https://my.f5.com/manage/s/article/K51802237