Any resource to learn the database key value of F5 BIG-IP ASM DoS protection

Question

Hello Everyone,Greetings!There has been a lot of false positive regarding the behavioral and L7 DoS attacks on F5-protected services, and it has been a challenging task to point out the specific threshold values causing false positives in behavioral and L7 DoS attacks. I came across an article suggesting adjusting the 'adm.health.sensitivity' database key to mitigate false positivesRef:https://my.f5.com/manage/s/article/K21040310I'm seeking resources or a list detailing such kind of database keys' functionalities within F5 Big-IP ASM, and any methods to monitor and modify those parameter values based on the client request, especially concerning behavioral protection in F5 Big-IP ASM DoS protection.Any guidance or shared knowledge on this matter would be immensely appreciated.

f5_design_engineer · Answer

for 16.1.4.1 here you can see the list of all the 2509 db variables&nbsp;
[root@F5-Design_Engg02:Active:Standalone] config # tmsh
root@(F5-Design_Engg02)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys dbDisplay all 2509 items? (y/n) y
Options:all-properties one-linenon-default-properties |Properties:default-value value-rangescf-config {valueConfiguration Items:acceleration.log.color merged.mergeTruncating the results due to 20k characters limitarp.vlanpriority platform.diskmonitor.limitwarn.varasm.asm_malicious_sources_monitoring_interval platform.diskmonitor.limitwarn.var_logasm.brute_force_bypass_non_qualified_url platform.diskmonitor.limitwarn.var_loipcasm.brute_force_end_attack_verification_time platform.diskmonitor.limitwarn.var_promptasm.brute_force_max_tmstat_entries platform.diskmonitor.limitwarn.var_tmstatasm.brute_force_monitoring_interval platform.diskmonitor.limitwarn.vmdiskasm.connlimit platform.diskmonitor.monitor._root_asm.cookie_prefix platform.diskmonitor.monitor.appdataasm.cookie_revision_base platform.diskmonitor.monitor.configasm.cookie_suffix_base platform.diskmonitor.monitor.devasm.credential_stuffing_service platform.diskmonitor.monitor.dev_shmasm.cs_challenge_length platform.diskmonitor.monitor.runasm.cs_qualified_urls platform.diskmonitor.monitor.run_pamcacheasm.cshui_susp_event_bot_score platform.diskmonitor.monitor.sharedasm.csrf_rerun_interval platform.diskmonitor.monitor.shared_rrd.1.2asm.fastl4_allow platform.diskmonitor.monitor.usrasm.fictive_url platform.diskmonitor.monitor.varasm.http_security_headers platform.diskmonitor.monitor.var_logasm.ignore_bewaf platform.diskmonitor.monitor.var_loipcasm.inject_apm_do_not_touch platform.diskmonitor.monitor.var_promptasm.inject_referrer_hook platform.diskmonitor.monitor.var_tmstatasm.mobile_ua platform.diskmonitor.monitor.vmdiskasm.restrict_asm_logs_access platform.diskmonitor.stateasm.risk_engine.salt.restart platform.diskmonitor.timeasm.session_transactions_sampling_rate platform.diskmonitor.time._root_asm.strict_transport_policy platform.diskmonitor.time.appdataasm.strip_asm_cookies platform.diskmonitor.time.configasm.time_to_free_idle_umus_in_sec platform.diskmonitor.time.devasmconffailure.enabled platform.diskmonitor.time.dev_shmasmconffailure.haaction.primary platform.diskmonitor.time.runasmconffailure.haaction.secondary platform.diskmonitor.time.run_pamcacheauto.discover.flow.count platform.diskmonitor.time.sharedauto.discover.mvs.count platform.diskmonitor.time.shared_rrd.1.2
l4bdos.anomaly.detection.frequency tmm.pem.td.expected.num.connl4bdos.anomaly.threshold.floor tmm.pem.td.num.conn.wtl4bdos.baseline.learning.period tmm.pem.td.sample.intervall4bdos.collect.stats.frequency tmm.pem.td.tcpf.os.wtl4bdos.dns.stress.compute.frequency tmm.pem.td.ttl.wtl4bdos.ha.state.update.frequency tmm.pem.td.ua.os.wtl4bdos.netflow.collect.frequency tmm.pkcs11d.invalidatekeyhandlel4bdos.netflow.disable.selective.bins tmm.pkcs11d.loadkeyhandlesl4bdos.packet.sampling.interval tmm.pkcs11d.shmidl4bdos.signature.disable.no_stats.periods tmm.policy.tracelevell4bdos.signature.sample.packet.frequency tmm.pop3.max_partial_connbytesl4bdos.transient.signature.merge.periods tmm.pop3.max_partial_conncountlog.diameter.level tmm.websocket.deflate.memory.thresholdlog.dosl7.acy.level tmm.websocket.inflate.max.ratiolog.dosl7.all.level tmm.wlitelog.dosl7.bot.level tmm.wlite.pinninglog.dosl7.challenge.level tmplugin.schedulerlog.dosl7.conf.level tmplugin.splitplanes.nicelog.dosl7.datasync.level tmrouted.gracefulrestartdelaylog.dosl7.main.level tmrouted.netlinkcmdidletimeoutlog.dosl7.misc.level tmrouted.netlinklistenidletimeoutlog.dosl7.mobile.level tmrouted.rhifailoverdelaylog.dosl7.tcl.level tmrouted.tmos.routinglog.dosprotect.level tmrouted.tmos.routing.statusI also use
&nbsp;
list sys db all-properties one-line
&nbsp;
root@(F5-Design_Engg02)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys db all-properties one-line Display all 2509 items? (y/n) yroot@(F5-Design_Engg02)(cfg-sync Standalone)(Active)(/Common)(tmos)# list stsys db all-properties one-line Display all 2509 items? (y/n) yTruncating the results due to 20k characters limitsys db asm.asm_malicious_sources_monitoring_interval { default-value "10" scf-config "true" value "10" value-range "unsigned integer min:1 max:1800" }sys db asm.brute_force_bypass_non_qualified_url { default-value "false" scf-config "true" value "false" value-range "false true" }sys db asm.brute_force_end_attack_verification_time { default-value "120" scf-config "true" value "120" value-range "unsigned integer min:1 max:1000" }sys db asm.brute_force_max_tmstat_entries { default-value "10" scf-config "true" value "10" value-range "unsigned integer min:1 max:10000" }sys db asm.brute_force_monitoring_interval { default-value "10" scf-config "true" value "10" value-range "unsigned integer min:1 max:60" }sys db asm.connlimit { default-value "6000" scf-config "true" value "6000" value-range "integer min:0 max:4294967295" }sys db asm.cookie_prefix { default-value "TS" scf-config "true" value "TS" value-range "string min-len:2 max-len:20" }sys db asm.cookie_revision_base { default-value "0" scf-config "true" value "0" value-range "unsigned integer min:0 max:240" }sys db asm.cookie_suffix_base { default-value "0" scf-config "true" value "0" value-range "unsigned integer min:0 max:900" }sys db asm.credential_stuffing_service { default-value "enable" scf-config "true" value "enable" value-range "disable enable" }sys db asm.cs_challenge_length { default-value "4" scf-config "true" value "4" value-range "unsigned integer min:1 max:7" }sys db asm.cs_qualified_urls { default-value "," scf-config "true" value "," value-range "string" }sys db asm.cshui_susp_event_bot_score { default-value "20" scf-config "true" value "20" value-range "unsigned integer min:0 max:10000000" }sys db asm.csrf_rerun_interval { default-value "0" scf-config "true" value "0" value-range "unsigned integer min:0 max:10000" }sys db asm.fastl4_allow { default-value "enable" scf-config "false" value "enable" value-range "disable enable" }sys db asm.fictive_url { default-value "/TSbd/" scf-config "true" value "/TSbd/" value-range "string" }sys db asm.http_security_headers { default-value "enable" scf-config "false" value "enable" value-range "disable enable" }sys db asm.ignore_bewaf { default-value "false" scf-config "true" value "false" value-range "false true" }sys db asm.inject_apm_do_not_touch { default-value "true" scf-config "true" value "true" value-range "false true" }sys db asm.inject_referrer_hook { default-value "true" scf-config "true" value "true" value-range "false true" }sys db asm.mobile_ua { default-value "," scf-config "true" value "," value-range "string" }sys db asm.restrict_asm_logs_access { default-value "false" scf-config "true" value "false" value-range "false true" }sys db asm.risk_engine.salt.restart { default-value "0" scf-config "true" value "0" value-range "unsigned integer min:0 max:2091752" }---(less 9%)--- sys db asm.session_transactions_sampling_rate { default-value "10" scf-config "true" value "10" value-range "unsigned integer min:1 max:60" }sys db asm.strict_transport_policy { default-value "disable" scf-config "false" value "disable" value-range "disable enable" }sys db asm.strip_asm_cookies { default-value "true" scf-config "true" value "true" value-range "false true" }sys db asm.time_to_free_idle_umus_in_sec { default-value "0" scf-config "true" value "0" value-range "unsigned integer min:0 max:1800" }sys db asmconffailure.enabled { default-value "true" scf-config "true" value "true" value-range "false true" }sys db asmconffailure.haaction.primary { default-value "restart_all" scf-config "true" value "restart_all" value-range "go_offline go_offline_downlinks no_action restart_all" }sys db asmconffailure.haaction.secondary { default-value "go_offline" scf-config "true" value "go_offline" value-range "go_offline go_offline_downlinks no_action restart_all" }sys db auto.discover.flow.count { default-value "3" scf-config "true" value "3" value-range "unsigned integer min:1 max:65530" }

f5_design_engineer · Answer

Hi Nishal,
There is no one sigle doumentation i saw that describes the function of all the sys db variables, what I do in case i need i get a list and try to find the closest match of the words, like for asm modules i keep seaching the different variables for keyword asm ,
&nbsp;
These keys and their default values can be viewed via tmsh:tmsh list sys db [DB KEY]
These keys can be modified as follows:tmsh modify sys db [DB KEY]
Note: DB key values are automatically applied to a system without the need for a save sys config.
On v16.1.4.1 here you can see all SYS DB paramaeters using following command in TMSH mode:
list sys dbDisplay all 2509 items? (y/n) y
&nbsp;
Once you select the parameter take a backup or note down the default value before changing.
Once done you can change the parameter in tmsh mode using following
modify sys db&nbsp;
&nbsp;
root@(F5-Design_Engg02)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify sys db asConfiguration Items:asm.asm_malicious_sources_monitoring_interval asm.fictive_urlasm.brute_force_bypass_non_qualified_url asm.http_security_headersasm.brute_force_end_attack_verification_time asm.ignore_bewafasm.brute_force_max_tmstat_entries asm.inject_apm_do_not_touchasm.brute_force_monitoring_interval asm.inject_referrer_hookasm.connlimit asm.mobile_uaasm.cookie_prefix asm.restrict_asm_logs_accessasm.cookie_revision_base asm.risk_engine.salt.restartasm.cookie_suffix_base asm.session_transactions_sampling_rateasm.credential_stuffing_service asm.strict_transport_policyasm.cs_challenge_length asm.strip_asm_cookiesasm.cs_qualified_urls asm.time_to_free_idle_umus_in_secasm.cshui_susp_event_bot_score asmconffailure.enabledasm.csrf_rerun_interval asmconffailure.haaction.primaryasm.fastl4_allow asmconffailure.haaction.secondaryroot@(F5-Design_Engg02)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify sys db asm.connlimitDisplay all 2509 items? (y/n) n
Options:reset-to-defaultProperties:value {root@(F5-Design_Engg02)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify sys db asm.connlimit
&nbsp;

The following DB keys were added in version 14, to make our captcha feature more robust:
sys db dosl7.captcha_case_sensitivity {&nbsp; &nbsp; default-value "disable"&nbsp; &nbsp; scf-config "true"&nbsp; &nbsp; value "disable"&nbsp; &nbsp; value-range "disable enable"}sys db dosl7.captcha_challenge_type {&nbsp; &nbsp; default-value "characters"&nbsp; &nbsp; scf-config "false"&nbsp; &nbsp; value "characters"&nbsp; &nbsp; value-range "arithmetic characters random"}sys db dosl7.captcha_characters_pool {&nbsp; &nbsp; default-value "ABCDEFGHKLMNPRSTUVWYZabcdefghklmnprstuvwyz23456789"&nbsp; &nbsp; scf-config "true"&nbsp; &nbsp; value "ABCDEFGHKLMNPRSTUVWYZabcdefghklmnprstuvwyz23456789"&nbsp; &nbsp; value-range "string"}sys db dosl7.captcha_length_max {&nbsp; &nbsp; default-value "6"&nbsp; &nbsp; scf-config "true"&nbsp; &nbsp; value "6"&nbsp; &nbsp; value-range "unsigned integer min:1 max:10"}sys db dosl7.captcha_length_min {&nbsp; &nbsp; default-value "6"&nbsp; &nbsp; scf-config "true"&nbsp; &nbsp; value "6"&nbsp; &nbsp; value-range "unsigned integer min:1 max:10"}sys db dosl7.captcha_lines_max {&nbsp; &nbsp; default-value "5"&nbsp; &nbsp; scf-config "true"&nbsp; &nbsp; value "5"&nbsp; &nbsp; value-range "unsigned integer min:0 max:20"}sys db dosl7.captcha_lines_min {&nbsp; &nbsp; default-value "5"&nbsp; &nbsp; scf-config "true"&nbsp; &nbsp; value "5"&nbsp; &nbsp; value-range "unsigned integer min:0 max:20"}sys db dosl7.captcha_max_cpu_prc {&nbsp; &nbsp; default-value "90"&nbsp; &nbsp; scf-config "true"&nbsp; &nbsp; value "90"&nbsp; &nbsp; value-range "unsigned integer min:0 max:100"}sys db dosl7.captcha_noise_max {&nbsp; &nbsp; default-value "2"&nbsp; &nbsp; scf-config "true"&nbsp; &nbsp; value "2"&nbsp; &nbsp; value-range "unsigned integer min:0 max:10"}sys db dosl7.captcha_noise_min {&nbsp; &nbsp; default-value "2"&nbsp; &nbsp; scf-config "true"&nbsp; &nbsp; value "2"&nbsp; &nbsp; value-range "unsigned integer min:0 max:10"}sys db dosl7.captcha_perturbation_max {&nbsp; &nbsp; default-value "85"&nbsp; &nbsp; scf-config "true"&nbsp; &nbsp; value "85"&nbsp; &nbsp; value-range "unsigned integer min:10 max:100"}sys db dosl7.captcha_perturbation_min {&nbsp; &nbsp; default-value "85"&nbsp; &nbsp; scf-config "true"&nbsp; &nbsp; value "85"&nbsp; &nbsp; value-range "unsigned integer min:10 max:100"}sys db dosl7.captcha_transparency_percentage_max {&nbsp; &nbsp; default-value "20"&nbsp; &nbsp; scf-config "true"&nbsp; &nbsp; value "20"&nbsp; &nbsp; value-range "unsigned integer min:0 max:85"}sys db dosl7.captcha_transparency_percentage_min {&nbsp; &nbsp; default-value "20"&nbsp; &nbsp; scf-config "true"&nbsp; &nbsp; value "20"&nbsp; &nbsp; value-range "unsigned integer min:0 max:85"}
&nbsp;
These are the dos related SYS DB settings that you can search more&nbsp;
dos.allvlansdos.auto.threshold.hysteresisdos.auto.threshold.learnalwaysdos.auto.threshold.stresstestdos.autodosd.alpha_maxdos.autodosd.alpha_mindos.behavioral.analysisdos.blleaklimitdos.debug.noneuron.wldos.dns.respfrag.allowdos.dnsnxdomain.learnperioddos.dnsnxdomain.perioddos.dnsnxdomain.trackersizedos.dnsportdos.dnsvlandos.dropv4mappeddos.forceswdosdos.fragforwardlimitdos.globalsflimitsdos.httpbdos.exclusivitydos.httpbdos.exclusivity.timeoutdos.icmp6msgtype1dos.icmp6msgtype2dos.ip.allow.unknown.proto1dos.ip.allow.unknown.proto2dos.iplowttldos.ipv6.swexthdrdos.ipv6endpoint.prefixdos.ipv6lowhopcntdos.logging.intervaldos.maxdnssizedos.maxewlsizedos.maxicmp6framesizedos.maxicmpframesizedos.maxipv6exthdrsdos.maxipv6extsizedos.maxsynsizedos.mergepersecdos.onehourinitratedos.onehourminratedos.protectedzonedos.scrubtimedos.sip.uri.limitdos.sipportdos.spvabl.checkdynamicwldos.syncookiedeactivatedos.tcp.allow.unknown.opt1dos.tcp.allow.unknown.opt2dos.tcplowwindowsizedos.tier1divisordos.tscookie.vlandos.unmatched.hwsyncookie_activatedos.vcmphwdosdos.wl_spva_entries_maxdos.wlipv6addrseldosl7.allowed_originsdosl7.asm_cs_excluded_headersdosl7.asm_cs_excluded_urlsdosl7.assume_httpsdosl7.captcha_case_sensitivitydosl7.captcha_challenge_typedosl7.captcha_characters_pooldosl7.captcha_length_maxdosl7.captcha_length_mindosl7.captcha_lines_maxdosl7.captcha_lines_mindosl7.captcha_max_cpu_prcdosl7.captcha_noise_maxdosl7.captcha_noise_mindosl7.captcha_perturbation_maxdosl7.captcha_perturbation_mindosl7.captcha_transparency_percentage_maxdosl7.captcha_transparency_percentage_mindosl7.chal_data_cookie_max_agedosl7.cors_ajax_urlsdosl7.cors_font_urlsdosl7.cors_related_domainsdosl7.cs_encodedosl7.cs_encryptdosl7.cs_excluded_headersdosl7.cs_excluded_urlsdosl7.cs_expire_secdosl7.cs_max_request_sizedosl7.cs_max_resenddosl7.cs_qualified_urlsdosl7.cs_validate_ipdosl7.cscloud_enableddosl7.cscloud_timeoutdosl7.cscloud_urldosl7.customheadersdosl7.early_renewal_perioddosl7.efoxy_cookiedosl7.efoxy_local_storagedosl7.efoxy_websqldosl7.efoxy_window_namedosl7.fastl4_allowdosl7.geolocation_drop_private_ipsdosl7.idle_fast_pathdosl7.internal_url_cookie_expiration_timedosl7.long_ua_header_sizedosl7.max_captcha_solution_agedosl7.max_captcha_solution_timedosl7.max_cookie_lengthdosl7.max_dynamic_params_injection_lengthdosl7.max_lookup_lengthdosl7.max_num_headersdosl7.max_user_agent_occurrencesdosl7.min_captcha_solution_timedosl7.mobile_cookie_expire_secdosl7.noscript_textdosl7.p3p_headerdosl7.paramsdosl7.parse_html_content_typesdosl7.parse_html_excluded_accept_header_valuesdosl7.parse_html_excluded_extentionsdosl7.parse_html_excluded_urlsdosl7.parse_html_inject_tagsdosl7.prg_cookie_urlsdosl7.prg_iframe_urlsdosl7.proactive_defense_cookie_namedosl7.proactive_defense_excluded_headersdosl7.proactive_defense_fictive_urldosl7.proactive_defense_log_rate_limitdosl7.proactive_defense_max_http_request_lengthdosl7.proactive_defense_prefixdosl7.proactive_defense_renew_secdosl7.proactive_defense_simple_redirectdosl7.proactive_defense_simple_redirect_on_gracedosl7.proactive_defense_validate_ipdosl7.proactive_defense_validation_percentdosl7.report_acy_perfdosl7.selenium_timeoutdosl7.sign_embeded_scriptdosl7.testdosl7.use_secure_cookiesdosl7.web_rootkit_report_min_scoredosl7d.attack_wait_timeoutdosl7d.auto_below_thresh_timeoutdosl7d.auto_cold_start_first_period_lengthdosl7d.auto_cold_start_first_period_switch_perioddosl7d.auto_cold_start_second_period_lengthdosl7d.auto_drop_ratiodosl7d.auto_geo_slice_lengthdosl7d.auto_normal_switch_perioddosl7d.auto_num_of_top_device_iddosl7d.auto_num_of_top_geolocationdosl7d.auto_num_of_top_ipdosl7d.auto_num_of_top_urldosl7d.auto_stress_thresh_multiplierdosl7d.auto_time_scale_factordosl7d.auto_tps_thresh_multiplierdosl7d.clean_bot_publisher_anomaliesdosl7d.conf_change_freeze_on_perioddosl7d.cs_legitimate_successful_ratedosl7d.cs_max_reply_timedosl7d.cs_min_requests_for_repliesdosl7d.force_core_on_sigabrtdosl7d.grafana_reportdosl7d.grafana_report_top_onlydosl7d.heaviness_factordosl7d.max_attack_durationdosl7d.max_icc_buffer_sizedosl7d.max_tcpdump_cpu_usagedosl7d.max_tcpdump_filesdosl7d.max_tcpdump_sizedosl7d.min_challenge_drop_timedosl7d.min_challenge_rpsdosl7d.min_challenge_success_ratiodosl7d.min_geo_reliable_timedosl7d.min_heavy_url_drop_ratedosl7d.min_time_between_attacksdosl7d.min_time_for_attack_enddosl7d.min_transaction_count_per_intervaldosl7d.publish_custom_messagedosl7d.shun_listdosl7d.shun_prevention_timedosl7d.sliding_window_longdosl7d.sliding_window_mediumdosl7d.sliding_window_shortdosl7d.static_uri_protectiondosl7d.stress_absolute_thresholddosl7d.stress_relative_thresholddosl7d.susp_max_entitiesdosl7d.tcpdump_rstcausedosl7d.trigger_logging
&nbsp;
for ASM here you can seeasm.asm_malicious_sources_monitoring_intervalasm.brute_force_bypass_non_qualified_urlasm.brute_force_end_attack_verification_timeasm.brute_force_max_tmstat_entriesasm.brute_force_monitoring_intervalasm.connlimitasm.cookie_prefixasm.cookie_revision_baseasm.cookie_suffix_baseasm.credential_stuffing_serviceasm.cs_challenge_lengthasm.cs_qualified_urlsasm.cshui_susp_event_bot_scoreasm.csrf_rerun_intervalasm.fastl4_allowasm.fictive_urlasm.http_security_headersasm.ignore_bewafasm.inject_apm_do_not_touchasm.inject_referrer_hookasm.mobile_uaasm.restrict_asm_logs_accessasm.risk_engine.salt.restartasm.session_transactions_sampling_rateasm.strict_transport_policyasm.strip_asm_cookiesasm.time_to_free_idle_umus_in_secasmconffailure.enabledasmconffailure.haaction.primaryasmconffailure.haaction.secondary
For DDos best practes you can refer here:
https://www.f5.com/pdf/products/ddos-protection-recommended-practices.pdf
There are tons of documentaiton available for DoS and DDos on f5 site.
&nbsp;
Hope that Helps
🙏

jrahm · Answer

Hi&nbsp;Nishal_Rai,&nbsp;F5_Design_Engineer&nbsp;provides some great information here. There isn't a catch-all document that describes all the db keys, and I'd be cautious to mess around with any of them, particularly in a production environment, that aren't documented in a knowledge article on MyF5 or covered in an article here on DevCentral without the guidance of a support exchange.

nishal_rai · Answer

Hello,Thanks,&nbsp;F5_Design_Engineer&nbsp;for the database key insights and&nbsp;JRahm&nbsp;for the cautionary advice!I'm curious if logs from dosl7d can help uncover the cause of specific database keys behind triggered behavioral/L7 DoS attacks. Here's a sample log:Any tips on deciphering these logs for root cause analysis would be appreciated.

f5_design_engineer · Answer

Hi Nihal,
It's a Seen behavior which is caused by a known issue tracked with the bug ID&nbsp;922597, not sure which OS version you are using in your environment.&nbsp;
For older software versions default adm.health.sensitivity default value is 50. In newer versions it was increased to 500 in order to minimize false-positives.
Bug ID 922597: BADOS default sensitivity of 50 creates false positive attack on some sites

Affected Product(s):BIG-IP&nbsp;ASM

Known Affected Versions:14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 14.1.2.7, 14.1.2.8, 14.1.3, 14.1.3.1, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.0.1.4, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 16.0.0, 16.0.0.1, 16.0.1, 16.0.1.1, 16.0.1.2

Fixed In:16.1.0, 15.1.3, 14.1.4
In my test box 16.1.4.1&nbsp; it has been already fixed as follows by default value as 500&nbsp;
root@(F5-Design_Engg02)(cfg-sync Standalone)(Active)(/Common)(tmos)# list sys db adm.health.sensitivity valuesys db adm.health.sensitivity {value "500"}
Recommended Actions
If your&nbsp; db parameter value anythig other than 500 then you may have to modify the default sensitivity value from 50 to 500, sometimes even to 1000 that oyu need to find out the suitable number for your environment. Try first to go with 500, if that does not work you can try incresing this value.

Connect to CLI
First check the sensitivity valuetmsh list sys db adm.health.sensitivity value
Change the sensitivity value to 500
tmsh modify sys db adm.health.sensitivity value 500
K34122128: Controlling BaDoS sensitivity using db variable 'adm.health.sensitivity'https://my.f5.com/manage/s/article/K34122128
Bug ID 922597: BADOS default sensitivity of 50 creates false positive attack on some siteshttps://cdn.f5.com/product/bugtracker/ID922597.html
K21040310: Behavioral Dos (ASM) false positive blocks legitimate traffichttps://my.f5.com/manage/s/article/K21040310
Hope this Helps
🙏

Forum Discussion

Any resource to learn the database key value of F5 BIG-IP ASM DoS protection

6 Replies

Recent Discussions

HTTP Host Header replacement using AS3

what is impact enable analytic profile on local ltm

Sugar Defender:Order from sugar.defender.com

Fitspresso: The Perfect Morning Coffee to Jumpstart Your Weight Loss

Tetra Bliss CBD Gummies Reviews and Where to buy

Related Content

DevCentral Resources

Beyond REST: Protecting GraphQL

Deploying WAF in production using Azure Resource Manager template with F5 Nginx App Protect

OWASP Resources for Security Education and Training

L7 DoS Protection with NGINX App Protect DoS