ASM flagging legitimate traffic as "most likely a threat"
- Jan 14, 2021
According to F5 support, the problem was that ASM was trying to parse the attachment being uploaded. This is the job of anti-virus, not ASM. The solution was to create an allowed URL exception in the policy for this type of content.
This instructs ASM to not inspect the BODY of the request:
- Browse to: Security ›› Application Security : URLs : Allowed URLs : Allowed HTTP URLs
- Make sure to 'select' the correct policy
- Click 'Create' (for New Allowed URL)
- Change view to 'Advanced'.
- Specify the URL (Explicit, [HTTPS] /rest/internal/2/AttachTemporaryFile)
- Uncheck staging
- Click on 'Header-Based Content Profile':
  - Request Header Name: Content-Type
  - Request Header Value: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
  - Request body handling: Do nothing
  - Click 'Add'.
  - Move it up the list
- Click 'Create'.
- Apply Policy