Forum Discussion

Federico_Battag's avatar
Federico_Battag
Icon for Nimbostratus rankNimbostratus
May 22, 2013

disable ASM on a specific URL

 

Hi all,

 

I'm sending this message to ask if someone can tell me a way to disable ASM checks (violations and signature) for a specific URL.

 

 

In particular, I have an application through which is possible to upload files... each upload takes place via the same URL (/uploader.php, for example). The problem is that it isn't possible to determine in advance what kind of files are loaded... Furthermore, the application already conducts checks.

 

The result is a large number of false positives that are generated and this, when the application will be put in production could create important impact.

 

 

If possible I would avoid to use an iRule, is there a way to use only Configuration Utility? Or can anyone suggest me a modus-operandi?

 

Thanks in advance, greetings

 

 

Federico

 

 

6 Replies

  • The html of file upload page will have an input tag with a name that is parsed by ASM as a parameter, so you could create a parameter in the ASM policy and disable signature checking on that.

     

     

     

  • Try this:

     

    create an explicit URL

     

    goto Advanced, header-based Content Profile:

     

    configure ASM to parse the content as "Dont Check" for any header.

     

     

    hope it fits your need!

     

     

    bye

     

    e
    • MSZ_221163's avatar
      MSZ_221163
      Icon for Nimbostratus rankNimbostratus

      Initially it was working fine. This option is not working.

       

  • So the simplest was I see to do this is to create a new HTTP Class that has Application Security disabled and filter for the URL that you don't want inspected. You will all ASM functionality this way but if that is what you are looking for this will do the job.

     

     

  • For anyone else looking for an answer to this, a simple iRule can accomplish what is being asked: https://devcentral.f5.com/wiki/irules.ASM__disable.ashx

     

  • The best way I've found, after an F5 Tech Support call is the LTM Policy rules method described here: https://support.f5.com/kb/en-us/solutions/public/14000/700/sol14709.html

     

    Make sure that when you are done creating the rule, you click the 'ReOrder' button and move your new rule ABOVE the default ASM enable rule, otherwise it may not work depending on if you left it at 'first-match', 'best-match', or 'all-match' in the strategy field of the LTM policy.

     

    We also used it to bypass ASM for large uploads and downloads. The difference in that case was we used the 'extension' selector for the request. The tricky part was finding out what our application was using for an extension in the request, it was not the expected file extension but instead '.download' was appended to the URI string. We were able to find that out using the developer tools in Firefox with a little Fiddler work thrown in. Once we added '.download' to the extension list in the rule conditions, it started working perfectly.

     

    BTW: you can see if your new rule is working on the 'Statistics' tab in the LTM Policy screen.

     

    Hope this helps someone!