Manual Chapter : Additional Information
Applies to:
- 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
The security policy templates provide different security levels and consume different amounts of operational resources. The differences include blocking or transparent mode, manual or automatic learning of entities such as file types, URLs, parameters, and cookies, and which violations are enabled.
The following predefined policy templates are recommended:
- Rapid Deployment Policy (RDP): The Rapid Deployment Policy (RDP) template is recommended for beginners. It provides essential security with a low false-positive rate. This policy is transparent: it does not block or learn new entities, but only reports violations and learning suggestions to turn off signatures and features that create false positives.
- Fundamental: The Fundamental policy template is recommended for intermediate users. It provides better security, actively blocks violations, and automatically learns from false positives. It might require more time to operate and tune.
- Comprehensive: The Comprehensive policy template is recommended for expert users. It provides maximum security, with all violations, features, and learning turned on. It requires more time to operate and tune.
- Passive Deployment Policy (PDP): The Passive Deployment Policy (PDP) template is similar to the Comprehensive template but is meant to be used with a SPAN port, passively alerting on violations and turning off any feature that modifies the response.
- Vulnerability Assessment Baseline: The Vulnerability Assessment Baseline policy template is meant to be used with the results of a vulnerability assessment tool scan; it turns off all unrelated security features.
- API Security: The API Security policy template is similar to the RDP template but includes changes that benefit API security, such as JSON, XML, and OpenAPI validation.
- Application-Ready and Deprecated Templates: The Application-Ready and Deprecated policy templates are meant to be used with specific applications and contain only the relevant signatures and features.
Template comparison table (only the row labels survived extraction; the per-template values are not available here):
- Policy Building Learning Mode
- Generic Detection Signatures set (appears four times in the extracted table, once per template column)
- Enable Signature Staging
- Learn Explicit URLs
- Learn Explicit WebSocket URLs
- Learn Explicit Parameters
- Learn Host Names
- Learn Explicit Cookies
- Learn Explicit File Types
The following features are supported in declarative policies:
- HTTP Header Settings
- JSON Schema Files
- Plain Text Profiles
- Centralized Policy Builder
- Cookie Learning Settings
- File Type Learning Settings
- HTTP Header Learning Settings
- Parameter Learning Settings
- Redirection Protection Learning Settings
- Policy Builder Settings
- Server Technology Learning Settings
- Sessions and Logins Learning Settings
- URL Learning Settings
- Distinguish HTTP and HTTPS URLs
- Redirection Protection Domains
- Session Awareness Settings
- Attack Signature Sets
- Threat Campaign Settings
- XML Schema Files
- API Protection Profile
- Disabled Action Items
- Policy Full Path
- Managed By BeWAF
Available server technologies
The following is a partial list of the available server technologies. Some are built on top of others in the stack, and including one implies including the technologies beneath it. For example, ASP.NET implies both IIS and Microsoft Windows. Implied technologies, where the table lists them, follow the description.
- Jenkins is an open source automation server written in Java. Jenkins helps to automate the non-human part of the software development process, with continuous integration and facilitating technical aspects of continuous delivery. It is a server-based system that runs in servlet containers such as Apache Tomcat.
- SharePoint is a web-based collaborative platform that integrates with Microsoft Office. Launched in 2001, SharePoint is primarily sold as a document management and storage system, but the product is highly configurable and usage varies substantially among organizations.
- Oracle Application Server: Oracle Internet Application Server provides a single integrated packaged solution for middleware infrastructure including Oracle Containers for J2EE, Oracle Web Cache, Oracle HTTP Server, Oracle Forms, Oracle Reports, Oracle Portal and Oracle Discoverer.
- Python is an interpreted, high-level, general-purpose programming language. Created by Guido van Rossum and first released in 1991, Python has a design philosophy that emphasizes code readability, notably using significant whitespace. It provides constructs that enable clear programming on both small and large scales.
- Oracle Identity Manager: Oracle Identity Manager (OIM) enables enterprises to manage the entire user life-cycle across all enterprise resources both within and beyond a firewall. Within Oracle Identity Management it provides a mechanism for implementing the user-management aspects of a corporate policy.
- Spring Boot makes it easy to create Spring-powered, production-grade applications and services with absolute minimum fuss. It takes an opinionated view of the Spring platform so that new and existing users can quickly get to the bits they need.
- Apache CouchDB is open source database software that focuses on ease of use and having a scalable architecture.
- SQLite is a relational database management system contained in a C programming library. In contrast to many other database management systems, SQLite is not a client-server database engine. Rather, it is embedded into the end program.
- Handlebars provides the power necessary to let you build semantic templates effectively with no frustration.
- Mustache is a simple web template system.
- Prototype takes the complexity out of client-side web programming. Built to solve real-world problems, it adds useful extensions to the browser scripting environment and provides elegant APIs around the clumsy interfaces of Ajax and the Document Object Model.
- Zend Server is a complete and certified PHP distribution stack fully maintained and supported by Zend Technologies. It ships with an updated set of advanced value-add features designed to optimize productivity, performance, scalability and reliability.
- Redis is an open-source in-memory data structure project implementing a distributed, in-memory key-value database with optional durability. Redis supports different kinds of abstract data structures, such as strings, lists, maps, sets, sorted sets, hyperloglogs, bitmaps, streams and spatial indexes.
- ef.js is an elegant HTML template engine and basic framework.
- UIkit is a lightweight and modular front-end framework for developing fast and powerful web interfaces.
- TYPO3 is a free and open-source web content management system written in PHP. It is released under the GNU General Public License. It can run on several web servers, such as Apache or IIS, on top of many operating systems, among them Linux, Microsoft Windows, FreeBSD, macOS and OS/2.
- Laravel is a free, open-source PHP web framework, created by Taylor Otwell and intended for the development of web applications following the model-view-controller architectural pattern and based on Symfony.
- GraphQL is an open-source data query and manipulation language for APIs, and a runtime for fulfilling queries with existing data. GraphQL was developed internally by Facebook in 2012 before being publicly released in 2015.
- Google Web Toolkit
- Express.js, or simply Express, is a web application framework for Node.js, released as free and open-source software under the MIT License. It is designed for building web applications and APIs. It has been called the de facto standard server framework for Node.js.
- CodeIgniter is an open-source rapid development web framework, for use in building dynamic web sites with PHP.
- Nginx is a web server which can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache.
- Jetty is a Java HTTP (Web) server and Java Servlet container.
- Joomla is a free and open-source content management system (CMS) for publishing web content.
- JavaServer Faces (JSF) is a Java specification for building component-based user interfaces for web applications.
- Ruby is a dynamic, reflective, object-oriented, general-purpose programming language.
- MongoDB is a free and open-source cross-platform document-oriented database program.
- Django is a free and open-source web framework, written in Python, which follows the model-view-template (MVT) architectural pattern.
- Citrix Systems, Inc. is an American multinational software company that provides server, application and desktop virtualization, networking, software as a service (SaaS), and cloud computing technologies.
- The JBoss Enterprise Application Platform (or JBoss EAP) is a subscription-based/open-source Java EE-based application server runtime platform used for building, deploying, and hosting highly transactional Java applications and services.
- Elasticsearch is a search engine based on Lucene.
- Apache Struts is an open-source web application framework for developing Java EE web applications.
- Extensible Markup Language (XML) is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable.
- PostgreSQL, often simply Postgres, is an object-relational database management system (ORDBMS), that is, an RDBMS with additional, optionally used “object” features, with an emphasis on extensibility and standards compliance.
- IBM DB2 contains database server products developed by IBM.
- SAP ASE (Adaptive Server Enterprise), originally known as Sybase SQL Server, and also commonly known as Sybase DB or ASE, is a relational model database server product for businesses developed by Sybase Corporation, which became part of SAP AG.
- Common Gateway Interface (CGI) offers a standard protocol for web servers to interface with executable programs running on a server that generate web pages dynamically.
- A proxy server is a server (a computer system or an application) that acts as an intermediary for requests from clients seeking resources from other servers.
- Server Side Includes (SSI) is a simple interpreted server-side scripting language used almost exclusively for the Web.
- Cisco Systems, Inc. is an American multinational technology company headquartered in San Jose, California, that designs, manufactures and sells networking equipment worldwide.
- Novell Directory Services (NDS) is a popular software product for managing access to computer resources and keeping track of the users of a network, such as a company’s intranet, from a single point of administration.
- JRun is a J2EE application server, originally developed in 1997 as a Java Servlet engine by Live Software and subsequently purchased by Allaire, who brought out the first J2EE compliant version.
- BEA Systems WebLogic Server: Oracle WebLogic Server is a Java EE application server currently developed by Oracle Corporation.
- IBM Notes and IBM Domino are the client and server, respectively, of a collaborative client-server software platform sold by IBM.
- MySQL is an open-source relational database management system (RDBMS).
- Oracle Database (commonly referred to as Oracle RDBMS or simply as Oracle) is an object-relational database management system produced and marketed by Oracle Corporation.
- Microsoft SQL Server is a relational database management system developed by Microsoft.
- PHP is a server-side scripting language designed primarily for web development but is also used as a general-purpose programming language.
- Outlook Web Access: Outlook on the web (previously called Exchange Web Connect, Outlook Web Access, and Outlook Web App in Office 365 and Exchange Server 2013) is a personal information manager web app from Microsoft. Implies ASP.NET, IIS, and Microsoft Windows.
- Apache/NCSA HTTP Server: The Apache HTTP Server, colloquially called Apache, is the world’s most used web server software.
- Apache Tomcat, often referred to as Tomcat, is an open-source Java Servlet Container developed by the Apache Software Foundation (ASF).
- WordPress is a free and open-source content management system (CMS) based on PHP and MySQL.
- Adobe ColdFusion is a commercial rapid web application development platform created by JJ Allaire in 1995.
- Unix is a family of multitasking, multiuser computer operating systems that derive from the original AT&T Unix, developed in the 1970s at the Bell Labs research center by Ken Thompson, Dennis Ritchie, and others.
- Microsoft Windows (or simply Windows) is a metafamily of graphical operating systems developed, marketed, and sold by Microsoft.
- ASP.NET is an open-source server-side web application framework designed for web development to produce dynamic web pages. Implies IIS and Microsoft Windows.
- Front Page Server Extensions (FPSE): FrontPage Server Extensions are a software technology that allows Microsoft FrontPage clients to communicate with web servers, and provide additional functionality intended for websites.
- Internet Information Services (IIS, formerly Internet Information Server) is an extensible web server created by Microsoft for use with the Windows NT family.
- Web Distributed Authoring and Versioning (WebDAV) is an extension of the Hypertext Transfer Protocol (HTTP) that allows clients to perform remote Web content authoring operations.
- Active Server Pages (ASP), later known as Classic ASP or ASP Classic, is Microsoft’s first server-side script engine for dynamically generated web pages. Implies IIS and Microsoft Windows.
- A Java servlet is a Java program that extends the capabilities of a server.
A violation rating is a numerical rating that the system’s algorithms assign to a request based on the violations present in it. Each violation type and severity contributes to the calculation of the final rating, and the final rating determines the action taken for that request. Under the default policy, a violation rating of 1, 2, or 3 does not cause the request to be blocked; only a log entry with the “alerted” status is generated. If the violation rating is 4 or 5, the request is blocked, a blocking page is displayed, and a log entry with the “blocked” status is generated for the transaction. Violation ratings are displayed in the logs by default.
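As an added example (not part of this manual and not F5 code), the following Python script triages request-log lines by violation rating using the default-policy thresholds just described: ratings 1 to 3 should appear with the alerted status and 4 to 5 with the blocked status, so a rating of 4 or 5 logged as alerted points at a policy still running in transparent mode or at a violation whose block flag is off. The key="value" line layout, the field names (support_id, violation_rating, request_status, violations) and the sample lines are all constructed for this example; treating a rating of 0 as a passed request is also this example's assumption, since the manual only describes ratings 1 to 5.

```python
"""Triage of constructed ASM-style request log lines by violation rating.

Added example, not from the F5 manual. The key="value" log lines below are
constructed; field names and the line layout are assumptions. The rating
thresholds (1-3 alerted, 4-5 blocked) are the default-policy behaviour the
manual describes.
"""
import re
from collections import Counter

# Constructed sample lines (not real device output).
SAMPLE_LOG = """\
support_id="1" violation_rating="2" request_status="alerted" violations="Illegal meta character in value"
support_id="2" violation_rating="5" request_status="blocked" violations="Attack signature detected,Request is likely a threat"
support_id="3" violation_rating="4" request_status="alerted" violations="Illegal file type"
support_id="4" violation_rating="3" request_status="alerted" violations="Request needs further examination"
support_id="5" violation_rating="0" request_status="passed" violations="N/A"
"""

_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Turn one key="value" line into a dict; violation_rating becomes an int."""
    record = dict(_KV.findall(line))
    record["violation_rating"] = int(record.get("violation_rating", "0"))
    return record


def expected_status(rating):
    """Action the manual states for the default blocking policy.

    Rating 0 (no violations) mapping to 'passed' is an assumption."""
    if rating >= 4:
        return "blocked"
    if rating >= 1:
        return "alerted"
    return "passed"


def triage(log_text):
    """Return (count of requests per expected action, support_ids whose logged
    status differs from what their rating implies under the default policy)."""
    counts = Counter()
    mismatches = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        wanted = expected_status(record["violation_rating"])
        counts[wanted] += 1
        if record.get("request_status") != wanted:
            mismatches.append(record["support_id"])
    return counts, mismatches


if __name__ == "__main__":
    counts, mismatches = triage(SAMPLE_LOG)
    print(dict(counts))
    print("status does not match rating:", mismatches)
```

Run against the constructed lines, the script reports two expected blocks, two alerts and one pass, and flags support_id 3 (rating 4 but logged as alerted) as the one transaction whose outcome disagrees with the default thresholds.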
Declarative policy supported violations
The following is a partial list of violations that are supported and can be enabled by turning on the alarm and/or block flags.
- Modified ASM cookie: The system checks that the request contains an ASM cookie that has not been modified or tampered with. Blocks modified requests.
- Attack signature detected: The system examines the HTTP message for known attacks by matching it against known attack patterns. Determined per signature set.
- IP is blacklisted: The violation is issued when a request comes from an IP address that falls within the range of an IP address exception marked for “always blocking”, that is, the blacklist of IPs. Triggers a violation rating of 5.
- Expired timestamp: The system checks that the timestamp in the HTTP cookie is not old. An old timestamp indicates that a client session has expired. Blocks expired requests. The timestamp is extracted and validated against the current time. If the timestamp is expired and the request is not for an entry point, the system issues the Expired Timestamp violation.
- Illegal cookie length: The system checks that the request does not include a cookie header that exceeds the acceptable length specified in the security policy. Determined by a policy setting that is disabled in the default template.
- Cookie not RFC-compliant: This violation occurs when HTTP cookies contain at least one of the following components:
- Modified domain cookie(s): The system checks that the web application cookies within the request have not been tampered with, and that the request includes a web application cookie defined in the security policy. Determined by cookie type: applied to “enforced” cookies.
- Data Guard: Information leakage detected: The system examines responses and searches for sensitive information. Controlled by the Data Guard enable flag, which is disabled in the default template.
- Failed to convert character: The system detects that one of the characters does not comply with the configured language encoding of the web application’s security policy.
- Evasion technique detected: This category contains a list of evasion techniques that attackers use to bypass detection.
- Illegal file type: The system checks that the requested file type is configured as a valid file type, or not configured as an invalid file type, within the security policy. Only for disallowed file types.
- Illegal header length: The system checks that the total HTTP header length of the request does not exceed the length specified in the security policy. The actual size in the default policy is 4 KB.
- Illegal meta character in header: The system checks that the values of all headers within the request contain only meta characters defined as allowed in the security policy.
- HTTP protocol compliance failed: This category contains a list of validation checks that the system performs on HTTP requests to ensure that the requests are formatted properly.
- Illegal HTTP response status: The server response contains an HTTP status code that is not defined as valid in the security policy.
- JSON data does not comply with format settings: The system checks that the request contains JSON content that complies with the various request limits within the defense configuration of the security policy’s JSON profile. Enforces valid JSON requests and protects the server from JSON parser attacks. This violation is generated when a problem is detected in a JSON request, generally by checking the message against boundaries such as the message’s size and meta characters in parameter values. Controlled from the default JSON profile.
- Malformed JSON data: The system checks that the request contains JSON content that is well-formed. Enforces parsable JSON requests.
- The system checks that the request references an HTTP request method that is found in the security policy. Enforces the desired HTTP methods; GET and POST are always allowed. These HTTP methods are supported:
- Illegal POST data length: The system checks that the request contains POST data whose length does not exceed the acceptable length specified in the security policy. Set in the * file type entity. This check is disabled by default.
- Illegal query string length: The system checks that the request contains a query string whose length does not exceed the acceptable length specified in the security policy. Set in the * file type entity. The actual size is 2 KB.
- Illegal request length: The system checks that the request length does not exceed the acceptable length specified in the security policy for the requested file type. Set in the * file type entity. This check is disabled by default.
- Request length exceeds defined buffer size: The system checks that the request length is not larger than the maximum memory buffer size of the ASM. Note that this is a BIG-IP unit parameter that protects the ASM from consuming too much memory across all security policies that are active on the device. The default is 10 MB.
- Illegal URL length: The system checks that the request is for a URL whose length does not exceed the acceptable length specified in the security policy. Set in the * file type entity. The actual size is 2 KB.
- Illegal meta character in URL: The system checks that the incoming request includes a URL that contains only meta characters defined as allowed in the security policy. Enforces a desired set of acceptable characters.
- XML data does not comply with format settings: The system checks that the request contains XML data that complies with the various document limits within the defense configuration of the security policy’s XML profile. Enforces proper XML requests; the data failed format/defense settings such as the maximum document length. This violation is generated when a problem in an XML document is detected (for example, an XML bomb), generally by checking the message against boundaries such as the message’s size, maximum depth, and maximum number of children. Controlled by the default XML profile.
- Malformed XML data: The system checks that the request contains XML data that is well-formed according to W3C standards. Enforces proper XML requests.
- Request is likely a threat: The combination of violations in this request determined that the request is likely to be a threat. Applies to violation rating 4 or 5.
- Request needs further examination: The combination of violations could not determine whether the request is a threat or the violations are false positives, so more examination is required. Applies to violation rating 3.
- Null in multi-part parameter value: The system checks that the multi-part request has a parameter value that does not contain the NULL character (0x00). If a multipart parameter with a binary content type contains NULL in its value, the enforcer issues this violation. The exceptions to this are:
- Illegal meta character in parameter name: The system checks that all parameter names within the incoming request contain only meta characters defined as allowed in the security policy.
- Illegal meta character in value: The system checks that all parameter values, XML element/attribute values, or JSON values within the request contain only meta characters defined as allowed in the security policy. Enforces proper input values.
Declarative policy HTTP sub-violations
The following are the HTTP Compliance sub-violation settings:
- Unparsable request content: This violation is triggered when the system’s parser cannot parse the message.
- Several Content-Length headers: More than one Content-Length header is an RFC violation. Indicates an HTTP response splitting attack.
- POST request with Content-Length: 0
- Null in request: The system issues a violation for requests with a NULL character anywhere in the request (except for a NULL in the binary part of a multipart request).
- Null in body
- No Host header in HTTP/1.1 request: Examines requests using HTTP/1.1 to see whether they contain a “Host” header.
- Multiple host headers: Examines requests to ensure that they contain only a single “Host” header.
- Host header contains IP address: The system verifies that the request’s Host header value is not an IP address, to prevent non-standard requests.
- High ASCII characters in headers: Checks for high ASCII characters (greater than 127) in headers.
- Header name with no header value: The system checks for a header name without a header value.
- CRLF characters before request start: Examines whether there is a CRLF character before the request method. If there is, the system issues a violation.
- Content length should be a positive number: The Content-Length header value should be greater than zero; only a positive numeric value is accepted.
- Chunked request with Content-Length header: The system checks for a Content-Length header within chunked requests.
- Check maximum number of parameters: The system compares the number of parameters in the request to the maximum configured number of parameters.
- Check maximum number of headers: The system compares the number of request headers to the maximum configured number of headers.
- Body in GET or HEAD requests: Examines GET and HEAD requests that have a body.
- Bad multipart/form-data request parsing: When the Content-Type of a request header contains the substring “Multipart/form-data”, the system checks whether each multipart request chunk contains the strings “Content-Disposition” and “Name”. If they do not, the system issues a violation.
- Bad multipart parameters parsing: The system checks the following: If one of these is false, the system issues a violation.
- Bad HTTP version: Enforces a legal HTTP version number (only 0.9 or higher allowed).
- Bad host header value
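The checks in this table are easiest to reason about as code. The following Python function is an added example (not F5's implementation and not from this manual) that runs a subset of the sub-violations above over raw requests: null bytes, leading CRLF, unparsable content, bad HTTP version, empty header values, high-ASCII header bytes, header count, the three Host header checks, the Content-Length checks, chunked encoding combined with Content-Length, and a body on GET or HEAD. The sample requests are constructed, MAX_HEADERS is an assumed limit, the violation strings are the table's names reused as labels, and the treatment of a literal Content-Length of 0 (reported only by the POST-specific check) is this example's choice; the real enforcer's parser and precedence may differ.

```python
"""Reference checks for HTTP protocol compliance sub-violations.

Added example, not F5 code. Each check follows the one-line description in
the table above; the sample requests are constructed for this example and
MAX_HEADERS is an assumed limit (the manual only says it is configurable).
"""
import re

MAX_HEADERS = 20  # assumption: on the device this is a policy setting

_REQ_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d+)\.(\d+)$")
_IP_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(:\d+)?$")


def check_request(raw: bytes):
    """Return the sub-violation names (in detection order) the raw request triggers."""
    found = []

    def add(name):
        if name not in found:
            found.append(name)

    if b"\x00" in raw:
        add("Null in request")
    if raw.startswith((b"\r\n", b"\n")):
        add("CRLF characters before request start")
        raw = raw.lstrip(b"\r\n")

    head, sep, body = raw.partition(b"\r\n\r\n")
    match = _REQ_LINE.match(head.split(b"\r\n", 1)[0])
    if not sep or not match:
        add("Unparsable request content")
        return found
    method = match.group(1).decode()
    version = (int(match.group(3)), int(match.group(4)))
    if version < (0, 9):
        add("Bad HTTP version")

    headers = []  # (lower-cased name, stripped value)
    for line in head.split(b"\r\n")[1:]:
        if any(byte > 127 for byte in line):
            add("High ASCII characters in headers")
        name, colon, value = line.partition(b":")
        if not colon or not value.strip():
            add("Header name with no header value")
            continue
        headers.append((name.strip().lower(), value.strip()))
    if len(headers) > MAX_HEADERS:
        add("Check maximum number of headers")

    hosts = [v for n, v in headers if n == b"host"]
    if version >= (1, 1) and not hosts:
        add("No Host header in HTTP/1.1 request")
    if len(hosts) > 1:
        add("Multiple host headers")
    if hosts and _IP_HOST.match(hosts[0].decode("latin-1")):
        add("Host header contains IP address")

    lengths = [v for n, v in headers if n == b"content-length"]
    if len(lengths) > 1:
        add("Several Content-Length headers")
    if lengths:
        # Assumption: non-numeric or negative values are reported here; a
        # literal 0 on a POST is reported by its own check instead.
        if not lengths[0].isdigit():
            add("Content length should be a positive number")
        elif method == "POST" and int(lengths[0]) == 0:
            add("POST request with Content-Length: 0")
    encodings = [v.lower() for n, v in headers if n == b"transfer-encoding"]
    if lengths and any(b"chunked" in enc for enc in encodings):
        add("Chunked request with Content-Length header")

    declared = int(lengths[0]) if lengths and lengths[0].isdigit() else 0
    if method in ("GET", "HEAD") and (body or declared > 0):
        add("Body in GET or HEAD requests")
    return found


# Constructed sample requests (not captured traffic).
CLEAN = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: demo\r\n\r\n"
AMBIGUOUS_LENGTH = (b"POST /api HTTP/1.1\r\nHost: 203.0.113.10\r\n"
                    b"Content-Length: 5\r\nContent-Length: 7\r\n"
                    b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
MALFORMED = (b"\r\nGET /\x00 HTTP/1.1\r\nX-Empty:\r\nHost: a.example\r\n"
             b"Host: b.example\r\n\r\nleftover")

if __name__ == "__main__":
    for label, request in [("clean", CLEAN), ("ambiguous-length", AMBIGUOUS_LENGTH),
                           ("malformed", MALFORMED)]:
        print(label, check_request(request))
```

The second sample is the shape a defender cares about most: two Content-Length values plus Transfer-Encoding: chunked is exactly the ambiguity that the "Several Content-Length headers" and "Chunked request with Content-Length header" checks exist to reject before a front-end and a back-end can parse the same bytes differently.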
Declarative policy evasion sub-violations
The following are the Evasion Techniques sub-violation settings:
- Performs Microsoft %u Unicode decoding (%uXXXX, where X is a hexadecimal digit). For example, the system turns a%u002fb into a/b. The system performs this action on URI and parameter input to evaluate whether the request contains an attack.
- The system detects the following characters in the URI: 9 (0x09), 11 (0x0B), 12 (0x0C), and 13 (0x0D).
- The system detects illegal hex encoding and reports unescaping errors (such as %RR).
- Bare byte decoding: The system detects higher ASCII bytes (greater than 127).
- Normalizes backslashes (\) to slashes (/) for further processing.
- IIS Unicode codepoints: Handles the mapping of IIS-specific non-ASCII codepoints. When a character is greater than ‘0x00FF’, the system decodes %u according to an ANSI Latin 1 (Windows 1252) code page mapping. For example, the system turns a%u2044b into a/b. The system performs this action on URI and parameter input.
- The system decodes URI and parameter values multiple times, up to the configured number, before the request is considered an evasion.
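As an added example (not F5 code and not from this manual), the following Python normalizer applies the decoding passes this table describes to a URI or parameter value and records which techniques it observed: %u decoding (including the a%u002fb example), IIS Unicode codepoint mapping for code points above 0x00FF (including the a%u2044b example), bad unescape sequences such as %RR, the Apache whitespace characters 0x09/0x0B/0x0C/0x0D, bare high bytes, backslash-to-slash normalization, and the multiple-decoding check. The flag labels, the small best-fit table and the default pass count of 2 are this example's assumptions; the device's decoding order and its full code-page table may differ.

```python
"""Reference normalizer for the evasion-technique sub-violations above.

Added example, not F5 code. The decode passes follow the table's
descriptions; the flag labels, the best-fit table and the default pass
count are this example's assumptions.
"""
import re

# %uXXXX (Microsoft %u encoding), ordinary %XX, or a broken escape such as %RR.
_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})|%(.{0,2})")
# Assumed subset of IIS best-fit mappings for code points above 0x00FF.
# U+2044 (fraction slash) -> '/' is the example the manual gives.
_BEST_FIT = {0x2044: "/", 0xFF0F: "/"}
_APACHE_WS = {"\t", "\x0b", "\x0c", "\r"}  # 0x09, 0x0B, 0x0C, 0x0D


def decode_once(value, flags):
    """One decoding pass over a URI or parameter value; records techniques seen."""
    def replace(match):
        if match.group(1):
            code = int(match.group(1), 16)
            flags.add("%u decoding")
            if code > 0xFF:
                flags.add("IIS Unicode codepoints")
                return _BEST_FIT.get(code, chr(code))
            return chr(code)
        if match.group(2):
            return chr(int(match.group(2), 16))
        flags.add("Bad unescape")  # %RR or a truncated escape: left as-is
        return match.group(0)

    out = _ESCAPE.sub(replace, value)
    if any(c in _APACHE_WS for c in out):
        flags.add("Apache whitespace")
    if "\\" in out:
        flags.add("IIS backslashes")
        out = out.replace("\\", "/")
    return out


def normalize(value, max_decodes=2):
    """Decode up to max_decodes times (assumed configured count) and return
    (normalized value, set of evasion flags). If one more pass would still
    change the value, the request is flagged as multiple decoding."""
    flags = set()
    if any(ord(c) > 127 for c in value):
        flags.add("Bare byte decoding")  # raw high bytes before any decoding
    current = value
    for _ in range(max_decodes):
        decoded = decode_once(current, flags)
        if decoded == current:
            return current, flags
        current = decoded
    if decode_once(current, set()) != current:
        flags.add("Multiple decoding")
    return current, flags


if __name__ == "__main__":
    # Constructed inputs, including the two examples the manual gives.
    for sample in ["a%u002fb", "a%u2044b", "..\\..\\etc", "/a%RRb",
                   "/a%09b", "%25252f", "caf\xe9"]:
        print(repr(sample), normalize(sample))
```

The multiple-decoding rule is the interesting one: %25252f survives two passes as %2f, and because a third pass would still turn it into a slash, the value is flagged rather than silently accepted, which is the behaviour the configured decode count is meant to bound.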