F5 ASM - Illegal Metacharacter in URL
HTTP Method
Detected On
Actual URL
cue:
If it is a false positive, there are 4 options (using @ as an example), with the most restrictive being the recommended choice.
1. Add the metacharacter to the Metacharacter Set
2. Add the metacharacter @ to the wildcard URL
3. Create a wildcard URL with the metacharacter as part of the URL: @
4. Create an explicit URL with @ in it: /api/@/weather
Note: the less restrictive the rule, the less protection the rule provides.

Option 1:
Security ›› Application Security ›› URLs ›› Character Set
Set the Metacharacter to Allow
Delete the Event Logs

Option 2:
Security ›› Application Security ›› URLs ›› Allowed URLs ›› Allowed HTTP URLs ›› click the * ›› click the Meta Characters Tab
Move the metacharacter over from the list on the left to the field on the right
Delete the Event Logs

Option 3:
Security ›› Application Security ›› URLs ›› Allowed URLs ›› Allowed HTTP URLs ›› click the + sign
Change it from Explicit to Wildcard
Type the name of the wildcard URL @
Untick the Perform Staging checkbox
In the Meta Character Tab, move the metacharacter over from the list on the left to the field on the right
Click create
Delete the Event Logs

Option 4:
Security ›› Application Security ›› URLs ›› Allowed URLs ›› Allowed HTTP URLs ›› click the + sign
Type the name of the explicit URL: /api/@/weather
Untick the Perform Staging checkbox
In the Meta Character Tab, move the metacharacter over from the list on the left to the field on the right
Click create
Delete the Event Logs
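
Why the most restrictive option is recommended, shown as an added Python sketch (not from the original page, and a simplified model rather than F5's matching engine) that lists which sample requests containing @ pass under each option. Assumptions: the request list, the pre-existing /admin/* and * URL entities, first-match ordering, and the wildcard name /api/@/*; only /api/@/weather comes from the page.

```python
from fnmatch import fnmatchcase

# Constructed request URLs containing "@"; only /api/@/weather is from the page.
REQUESTS = ["/api/@/weather", "/api/@/forecast", "/admin/@export", "/files/a@b.txt"]

# Constructed pre-existing URL entities, most specific first (a simplified
# stand-in for the policy's URL ordering); none of them allows "@" yet.
BASE_ENTITIES = ["/admin/*", "*"]


def allowed(url, entities, global_allow, entity_allow):
    """True if "@" in url is permitted under this simplified model."""
    if "@" not in url or global_allow:
        return True
    # The first matching URL entity decides whether "@" is accepted.
    for pattern in entities:
        if fnmatchcase(url, pattern):
            return pattern in entity_allow
    return False


def scope(option):
    """Return the sample requests that pass once the given option is applied."""
    entities, global_allow, entity_allow = list(BASE_ENTITIES), False, set()
    if option == 1:    # "@" allowed in the policy-wide metacharacter set
        global_allow = True
    elif option == 2:  # "@" allowed on the existing catch-all "*" URL
        entity_allow = {"*"}
    elif option == 3:  # new wildcard URL; "/api/@/*" is an assumed name
        entities.insert(0, "/api/@/*")
        entity_allow = {"/api/@/*"}
    elif option == 4:  # new explicit URL, as given on the page
        entities.insert(0, "/api/@/weather")
        entity_allow = {"/api/@/weather"}
    return [u for u in REQUESTS if allowed(u, entities, global_allow, entity_allow)]


if __name__ == "__main__":
    for opt in (1, 2, 3, 4):
        print(f"option {opt}: {scope(opt)}")
```

Each step down the list shrinks the set of URLs on which @ is accepted, ending with only the one URL that triggered the false positive.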
