WAF engines in general are not designed to examine very large incoming POST bodies. The WAF engine has a hard-coded limit of 100 MB on the size of a POST body that it will examine, and there is also a two-minute time limit on POST body examination. These are fail-safe measures to prevent the engine from becoming a bottleneck due to large incoming POSTs.

To work around this limitation on incoming POST data, the recommended best practice is to configure a Virtual Service with two SubVSs – one with WAF enabled and one without – and apply conditional content rules to each to force upload requests through the non-WAF SubVS.