Bug ID 664618: Protocol Security HTTP Protocol Check Maximum Number of Headers 'Alarm' mode results in 'Block'

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:
BIG-IP AFM, LTM(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4

Fixed In:
14.1.0, 14.0.0.5, 13.1.1.5, 12.1.4.1

Opened: May 12, 2017
Severity: 4-Minor

Symptoms

When using Protocol Security profiles for HTTP, the HTTP Protocol Checks 'Alarm' vs. 'Block' setting is not honored for the 'Check maximum number of headers' check. If an HTTP response contains more than the configured maximum number of headers, the connection is reset. Client requests with more than the maximum allowed headers are passed through to the server and an alert is generated, as expected; when the server response also exceeds the maximum, however, the connection is reset instead of only alerting.

Impact

Connections are reset, when only alerting is expected.

Conditions

-- PSM HTTP Protocol Checks configured in 'Alarm' mode ('Block' disabled).
-- The maximum number of headers is exceeded for server responses.
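The following is an added reproducer, not F5's code or part of this bug record. It starts a constructed local backend that answers with a configurable number of response headers and a probe client that reports whether the connection was allowed to complete (and how many headers came back) or was reset. Run directly against the local backend it always reports "allowed"; to check a BIG-IP for this behavior, deploy the backend as the pool member behind a virtual server carrying the PSM HTTP profile in 'Alarm' mode (an assumed deployment, not described on the page), set the extra header count above the configured maximum, and point probe() at the virtual server address instead of the backend.

```python
import socket
import socketserver
import threading


def build_response(extra_headers: int, body: bytes = b"ok") -> bytes:
    """Constructed HTTP/1.1 response carrying `extra_headers` X-Probe-N headers
    in addition to Content-Length and Connection."""
    lines = ["HTTP/1.1 200 OK", f"Content-Length: {len(body)}", "Connection: close"]
    lines += [f"X-Probe-{i}: {i}" for i in range(extra_headers)]
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


def count_headers(raw: bytes) -> int:
    """Number of header lines in a raw HTTP message (status line excluded)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    return len(head.split(b"\r\n")) - 1


class _Handler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.recv(65536)  # read the request; its content is irrelevant here
        self.request.sendall(build_response(self.server.extra_headers))


def start_backend(extra_headers: int):
    """Start the constructed backend on an ephemeral localhost port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _Handler)
    srv.daemon_threads = True
    srv.extra_headers = extra_headers  # hypothetical attribute read by _Handler
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    """Send one GET and classify the outcome: 'allowed' (response read to EOF)
    or 'reset' (peer reset the connection mid-exchange)."""
    req = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    buf = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req)
            while True:
                chunk = s.recv(65536)
                if not chunk:
                    break
                buf += chunk
    except (ConnectionResetError, BrokenPipeError):
        return {"outcome": "reset", "headers": count_headers(buf) if buf else 0}
    return {"outcome": "allowed", "headers": count_headers(buf)}


if __name__ == "__main__":
    srv, port = start_backend(extra_headers=12)
    print(probe("127.0.0.1", port))
    srv.shutdown()
```

A 'reset' outcome with the profile in 'Alarm' mode, on a version listed under Known Affected Versions, is the behavior this record describes; the same probe returning 'allowed' with a PSM event log entry is the expected result on a fixed version.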

Workaround

None.

Fix Information

Two threshold values are now available for monitoring the number of HTTP headers:
-- Use the HTTP security profile and select 'alarm' (as opposed to 'block').
-- Use the HTTP service protocol profile.
When the 'alarm' threshold is hit, the HTTP traffic remains intact, and logging can be seen in the PSM event logs. When the HTTP service protocol profile's threshold is hit, the HTTP traffic is blocked, and logging can be seen in both the LTM log and the PSM event logs.

Behavior Change