Manual Chapter : Additional Information

Applies To:


BIG-IP ASM

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0

Additional Information

Policy schema

For information on the policy schema, refer to Policy Schema.

Predefined templates

The security policy templates provide different security levels and consume different amounts of operational resources. They differ in enforcement mode (blocking or transparent), in whether entities such as file types, URLs, parameters, and cookies are learned manually or automatically, and in the violations they enforce.
The following are recommended predefined policy templates:
  • Rapid Deployment Policy (RDP)
    The Rapid Deployment Policy (RDP) policy template is recommended for beginners. It provides essential security with a low false-positive rate. This policy is transparent: it does not block or learn new entities, but only reports violations and learning suggestions to turn off signatures and features that create false positives.
  • Fundamental
    The Fundamental policy template is recommended for intermediate users. It provides better security; actively blocks violations and automatically learns from false positives. It might require more time to operate and tune.
  • Comprehensive
    The Comprehensive policy template is recommended for expert users. It provides maximum security, with all violations, features, and learning turned on. It requires more time to operate and tune.
  • Passive Deployment Policy (PDP)
    The Passive Deployment Policy (PDP) policy template is similar to the Comprehensive template but is meant to be used with a SPAN port, passively alerting on violations and turning off any feature that modifies the response.
  • Vulnerability Assessment Baseline
    The Vulnerability Assessment Baseline policy template is meant to be used with the results of a vulnerability assessment tool scan, and it turns off all unrelated security features.
  • API Security
    The API Security policy template is similar to the RDP template but includes changes that benefit API security, such as JSON, XML, and OpenAPI validations.
  • Application-Ready and Deprecated Templates
    The Application-Ready and Deprecated policy templates are meant to be used with specific applications and contain only the relevant signatures and features.
Template settings

Setting                        RDP          API Security  Fundamental   Comprehensive
Enforcement Mode               Transparent  Blocking      Blocking      Blocking
Policy Building Learning Mode  Manual       Manual        Automatic     Automatic
Application Language           UTF-8        UTF-8         Auto-detect   Auto-detect
Signature Sets                 Generic Detection Signatures set (all four templates)
Enable Signature Staging       True         True          True          True
Learn Explicit URLs            Never        Never         Never         Compact
Learn Explicit WebSocket URLs  Never        Never         Never         Always
Learn Explicit Parameters      Never        Never         Selective     Compact
Learn Host Names               False        False         True          True
Learn Explicit Cookies         Never        Never         Never         Selective
Learn Explicit File Types      Never        Never         Compact       Compact

Supported features

The following is a list of the features supported by declarative policies.
Property types in a declarative policy

Property                                     Supported in declarative
Language                                     Yes
Blocking Settings                            Yes
Brute Force                                  Yes
Case Sensitivity                             Yes
Character Sets                               Yes
Cookies                                      Yes
Cookie Settings                              Yes
CSRF                                         Yes
CSRF URLs                                    Yes
Data Guard                                   Yes
Description                                  Yes
Disallowed Geolocations                      Yes
Passive Mode                                 Yes
Enforcement Mode                             Yes
File Types                                   Yes
General Settings                             Yes
GWT Profiles                                 Yes
HTTP Headers                                 Yes
HTTP Header Settings                         Yes
Host Names                                   Yes
IP Intelligence                              Yes
JSON Profiles                                Yes
JSON Schema Files                            Yes
Login Enforcement                            Yes
HTTP Methods                                 Yes
Microservices                                Yes
Policy Name                                  Yes
OpenAPI Files                                Yes
Parameters                                   Partial support
Partition                                    Yes
Plain Text Profiles                          Yes
Centralized Policy Builder                   Yes
Cookie Learning Settings                     Yes
File Type Learning Settings                  Yes
HTTP Header Learning Settings                Yes
Parameter Learning Settings                  Yes
Redirection Protection Learning Settings     Yes
Policy Builder Settings                      Yes
Server Technology Learning Settings          Yes
Sessions and Logins Learning Settings        Yes
URL Learning Settings                        Yes
Distinguish HTTP and HTTPS URLs              Yes
Redirection Protection Domains               Yes
Response Pages                               Yes
Sensitive Parameters                         Yes
Server Technologies                          Yes
Session Awareness Settings                   Yes
Attack Signatures                            Yes
Attack Signature Sets                        Yes
Template                                     Yes
Threat Campaigns                             Yes
Threat Campaign Settings                     Yes
HTTP URLs                                    Partial support
Webhooks                                     Yes
WebSocket URLs                               Yes
IP Exception                                 Yes
XML Profiles                                 Yes
XML Schema Files                             Yes
API Protection Profile                       No
Application Service                          No
Behavioral Enforcement                       No
Database Protection                          No
Deception Pages                              No
Deception Settings                           No
Disabled Action Items                        No
Parameter Extractions                        No
Flows                                        No
Policy Full Path                             No
Managed By BeWAF                             No
Navigation Parameters                        No
Parent Policy                                No
Antivirus                                    No
Policy Groups                                No
Section Inheritance                          No
Sub Path                                     No
Learning Suggestion                          No
Policy Type                                  No
Vulnerability Assessment                     No
Vulnerabilities                              No

Available server technologies

The following table is a partial list of the available Server Technologies. Some of them are built on top of others in the stack, and including such a technology implies the inclusion of the technologies beneath it. For example, ASP.NET implies both IIS and Microsoft Windows.
Server technologies (name, description, and implied technologies where applicable)

  • Jenkins
    Jenkins is an open source automation server written in Java. Jenkins helps to automate the non-human part of the software development process, with continuous integration and facilitating technical aspects of continuous delivery. It is a server-based system that runs in servlet containers such as Apache Tomcat.
  • SharePoint
    SharePoint is a web-based collaborative platform that integrates with Microsoft Office. Launched in 2001, SharePoint is primarily sold as a document management and storage system, but the product is highly configurable and usage varies substantially among organizations.
  • Oracle Application Server
    Oracle Internet Application Server provides a single integrated packaged solution for middleware infrastructure including Oracle Containers for J2EE, Oracle Web Cache, Oracle HTTP Server, Oracle Forms, Oracle Reports, Oracle Portal and Oracle Discoverer.
  • Python
    Python is an interpreted, high-level, general-purpose programming language. Created by Guido van Rossum and first released in 1991, Python has a design philosophy that emphasizes code readability, notably using significant whitespace. It provides constructs that enable clear programming on both small and large scales.
  • Oracle Identity Manager
    Oracle Identity Manager (OIM) enables enterprises to manage the entire user life-cycle across all enterprise resources both within and beyond a firewall. Within Oracle Identity Management it provides a mechanism for implementing the user-management aspects of a corporate policy.
  • Spring Boot
    Spring Boot makes it easy to create Spring-powered, production-grade applications and services with absolute minimum fuss. It takes an opinionated view of the Spring platform so that new and existing users can quickly get to the bits they need.
  • CouchDB
    Apache CouchDB is open source database software that focuses on ease of use and having a scalable architecture.
  • SQLite
    SQLite is a relational database management system contained in a C programming library. In contrast to many other database management systems, SQLite is not a client-server database engine. Rather, it is embedded into the end program.
  • Handlebars
    Handlebars provides the power necessary to let you build semantic templates effectively with no frustration.
  • Mustache
    Mustache is a simple web template system.
  • Prototype
    Prototype takes the complexity out of client-side web programming. Built to solve real-world problems, it adds useful extensions to the browser scripting environment and provides elegant APIs around the clumsy interfaces of Ajax and the Document Object Model.
  • Zend
    Zend Server is a complete and certified PHP distribution stack fully maintained and supported by Zend Technologies. It ships with an updated set of advanced value-add features designed to optimize productivity, performance, scalability and reliability.
  • Redis
    Redis is an open-source in-memory data structure project implementing a distributed, in-memory key-value database with optional durability. Redis supports different kinds of abstract data structures, such as strings, lists, maps, sets, sorted sets, hyperloglogs, bitmaps, streams and spatial indexes.
  • Underscore.js
    Underscore.js is a JavaScript library which provides utility functions for common programming tasks. It is comparable to features provided by Prototype.js and the Ruby language, but opts for a functional programming design instead of extending object prototypes.
  • Ember.js
    Ember.js is an open-source JavaScript web framework, based on the Model-view-viewmodel pattern. It allows developers to create scalable single-page web applications by incorporating common idioms and best practices into the framework.
  • ZURB Foundation
    Foundation is a responsive front-end framework. Foundation provides a responsive grid and HTML and CSS UI components, templates, and code snippets, including typography, forms, buttons, navigation and other interface elements, as well as optional functionality provided by JavaScript extensions. Foundation is maintained by ZURB and is an open source project.
  • ef.js
    ef.js is an elegant HTML template engine and basic framework.
  • Vue.js
    Vue.js is an open-source JavaScript framework for building user interfaces and single-page applications.
  • UIKit
    UIkit is a lightweight and modular front-end framework for developing fast and powerful web interfaces.
  • TYPO3 CMS
    TYPO3 is a free and open-source web content management system written in PHP. It is released under the GNU General Public License. It can run on several web servers, such as Apache or IIS, on top of many operating systems, among them Linux, Microsoft Windows, FreeBSD, macOS and OS/2.
  • RequireJS
    RequireJS is a JavaScript library and file loader which manages the dependencies between JavaScript files and in modular programming. It also helps to improve the speed and quality of the code.
  • React
    React is a JavaScript library for building user interfaces. It is maintained by Facebook and a community of individual developers and companies. React can be used as a base in the development of single-page or mobile applications.
  • MooTools
    MooTools is a lightweight, object-oriented JavaScript framework. It is released under the free, open-source MIT License.
  • Laravel
    Laravel is a free, open-source PHP web framework, created by Taylor Otwell and intended for the development of web applications following the model-view-controller architectural pattern and based on Symfony.
  • GraphQL
    GraphQL is an open-source data query and manipulation language for APIs, and a runtime for fulfilling queries with existing data. GraphQL was developed internally by Facebook in 2012 before being publicly released in 2015.
  • Google Web Toolkit
    Google Web Toolkit, or GWT Web Toolkit, is an open-source set of tools that allows web developers to create and maintain complex JavaScript front-end applications in Java. Other than a few native libraries, everything is Java source that can be built on any supported platform with the included GWT Ant build files.
  • Express.js
    Express.js, or simply Express, is a web application framework for Node.js, released as free and open-source software under the MIT License. It is designed for building web applications and APIs. It has been called the de facto standard server framework for Node.js.
  • CodeIgniter
    CodeIgniter is an open-source software rapid development web framework, for use in building dynamic web sites with PHP.
  • Backbone.js
    Backbone.js is a JavaScript library with a RESTful JSON interface and is based on the Model-view-presenter application design paradigm. Backbone is known for being lightweight, as its only hard dependency is on one JavaScript library, Underscore.js, plus jQuery for use of the full library.
  • AngularJS
    AngularJS is a JavaScript-based open-source front-end web application framework mainly maintained by Google and by a community of individuals and corporations to address many of the challenges encountered in developing single-page applications.
  • JavaScript
    JavaScript, often abbreviated as JS, is a high-level, interpreted programming language that conforms to the ECMAScript specification. It is a language which is also characterized as dynamic, weakly typed, prototype-based and multi-paradigm.
  • Nginx
    Nginx is a web server which can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache.
  • Jetty
    Jetty is a Java HTTP (Web) server and Java Servlet container.
    Implied technologies: Java Servlets/JSP
  • Joomla
    Joomla is a free and open-source content management system (CMS) for publishing web content.
    Implied technologies: PHP
  • JavaServer Faces (JSF)
    JavaServer Faces (JSF) is a Java specification for building component-based user interfaces for web applications.
    Implied technologies: Java Servlets/JSP
  • Ruby
    Ruby is a dynamic, reflective, object-oriented, general-purpose programming language.
  • MongoDB
    MongoDB is a free and open-source cross-platform document-oriented database program.
  • Django
    Django is a free and open-source web framework, written in Python, which follows the model-view-template (MVT) architectural pattern.
  • Node.js
    Node.js is an open-source, cross-platform JavaScript runtime environment for developing a diverse variety of tools and applications.
  • Citrix
    Citrix Systems, Inc. is an American multinational software company that provides server, application and desktop virtualization, networking, software as a service (SaaS), and cloud computing technologies.
  • JBoss
    The JBoss Enterprise Application Platform (or JBoss EAP) is a subscription-based/open-source Java EE-based application server runtime platform used for building, deploying, and hosting highly-transactional Java applications and services.
    Implied technologies: Java Servlets/JSP
  • Elasticsearch
    Elasticsearch is a search engine based on Lucene.
  • Apache Struts
    Apache Struts is an open-source web application framework for developing Java EE web applications.
    Implied technologies: Java Servlets/JSP
  • XML
    Extensible Markup Language (XML) is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable.
  • PostgreSQL
    PostgreSQL, often simply Postgres, is an object-relational database (ORDBMS), that is, an RDBMS with additional, optionally used “object” features, with an emphasis on extensibility and standards-compliance.
  • IBM DB2
    IBM DB2 contains database server products developed by IBM.
  • Sybase/ASE
    SAP ASE (Adaptive Server Enterprise), originally known as Sybase SQL Server, and also commonly known as Sybase DB or ASE, is a relational model database server product for businesses developed by Sybase Corporation which became part of SAP AG.
  • CGI
    Common Gateway Interface (CGI) offers a standard protocol for web servers to interface with executable programs running on a server that generate web pages dynamically.
  • Proxy Servers
    A proxy server is a server (a computer system or an application) that acts as an intermediary for requests from clients seeking resources from other servers.
  • SSI (Server Side Includes)
    Server Side Includes (SSI) is a simple interpreted server-side scripting language used almost exclusively for the Web.
  • Cisco
    Cisco Systems, Inc. is an American multinational technology company headquartered in San Jose, California, that designs, manufactures and sells networking equipment worldwide.
  • Novell
    Novell Directory Services (NDS) is a popular software product for managing access to computer resources and keeping track of the users of a network, such as a company’s intranet, from a single point of administration.
  • Macromedia JRun
    JRun is a J2EE application server, originally developed in 1997 as a Java Servlet engine by Live Software and subsequently purchased by Allaire, who brought out the first J2EE compliant version.
  • BEA Systems WebLogic Server
    Oracle WebLogic Server is a Java EE application server currently developed by Oracle Corporation.
    Implied technologies: Java Servlets/JSP
  • Lotus Domino
    IBM Notes and IBM Domino are the client and server, respectively, of a collaborative client-server software platform sold by IBM.
  • MySQL
    MySQL is an open-source relational database management system (RDBMS).
  • Oracle
    Oracle Database (commonly referred to as Oracle RDBMS or simply as Oracle) is an object-relational database management system produced and marketed by Oracle Corporation.
  • Microsoft SQL Server
    Microsoft SQL Server is a relational database management system developed by Microsoft.
  • PHP
    PHP is a server-side scripting language designed primarily for web development but is also used as a general-purpose programming language.
  • Outlook Web Access
    Outlook on the web (previously called Exchange Web Connect, Outlook Web Access, and Outlook Web App in Office 365 and Exchange Server 2013) is a personal information manager web app from Microsoft.
    Implied technologies: ASP.NET, IIS, Microsoft Windows
  • Apache/NCSA HTTP Server
    The Apache HTTP Server, colloquially called Apache, is the world’s most used web server software.
  • Apache Tomcat
    Apache Tomcat, often referred to as Tomcat, is an open-source Java Servlet Container developed by the Apache Software Foundation (ASF).
    Implied technologies: Java Servlets/JSP
  • WordPress
    WordPress is a free and open-source content management system (CMS) based on PHP and MySQL.
    Implied technologies: XML, PHP
  • Macromedia ColdFusion
    Adobe ColdFusion is a commercial rapid web application development platform created by JJ Allaire in 1995.
  • Unix/Linux
    Unix is a family of multitasking, multiuser computer operating systems that derive from the original AT&T Unix, developed in the 1970s at the Bell Labs research center by Ken Thompson, Dennis Ritchie, and others.
  • Microsoft Windows
    Microsoft Windows (or simply Windows) is a metafamily of graphical operating systems developed, marketed, and sold by Microsoft.
  • ASP.NET
    ASP.NET is an open-source server-side web application framework designed for web development to produce dynamic web pages.
    Implied technologies: IIS, Microsoft Windows
  • Front Page Server Extensions (FPSE)
    FrontPage Server Extensions are a software technology that allows Microsoft FrontPage clients to communicate with web servers, and provide additional functionality intended for websites.
  • IIS
    Internet Information Services (IIS, formerly Internet Information Server) is an extensible web server created by Microsoft for use with the Windows NT family.
    Implied technologies: Microsoft Windows
  • WebDAV
    Web Distributed Authoring and Versioning (WebDAV) is an extension of the Hypertext Transfer Protocol (HTTP) that allows clients to perform remote Web content authoring operations.
  • ASP
    Active Server Pages (ASP), later known as Classic ASP or ASP Classic, is Microsoft’s first server-side script engine for dynamically generated web pages.
    Implied technologies: IIS, Microsoft Windows
  • Java Servlets/JSP
    A Java servlet is a Java program that extends the capabilities of a server.
  • jQuery
    jQuery is a cross-platform JavaScript library designed to simplify the client-side scripting of HTML.

Violations

A violation rating is a numerical rating that algorithms assign to a request based on the violations present in it. Each violation type and severity contributes to the calculation of the final rating, and the final rating determines the action taken for that request. In the default policy, a violation rating of 1, 2, or 3 does not cause the request to be blocked; only a log entry with the alerted status is generated. If the violation rating is 4 or 5, the request is blocked, a blocking page is displayed, and a log entry with the blocked status is generated for the transaction. Violation ratings are displayed in the logs by default.

Declarative policy supported violations

The following is a partial list of violations that are supported and can be enabled by turning on the alarm and/or block flags.
Supported violations (violation name with its title, description, and comment where applicable)

  • VIOL_ASM_COOKIE_MODIFIED (Modified ASM cookie)
    The system checks that the request contains an ASM cookie that has not been modified or tampered with. Blocks modified requests.
  • VIOL_ATTACK_SIGNATURE (Attack signature detected)
    The system examines the HTTP message for known attacks by matching it against known attack patterns.
    Comment: Determined per signature set.
  • VIOL_BLACKLISTED_IP (IP is blacklisted)
    The violation is issued when a request comes from an IP address that falls in the range of an IP address exception marked for “always blocking”, that is, the black list of IPs.
    Comment: Triggers a Violation Rating of 5.
  • VIOL_COOKIE_EXPIRED (Expired timestamp)
    The system checks that the timestamp in the HTTP cookie is not old. An old timestamp indicates that a client session has expired. Blocks expired requests. The timestamp is extracted and validated against the current time. If the timestamp is expired and the request is not an entry point, the system issues the Expired Timestamp violation.
  • VIOL_COOKIE_LENGTH (Illegal cookie length)
    The system checks that the request does not include a cookie header that exceeds the acceptable length specified in the security policy.
    Comment: Determined by a policy setting which is disabled in the default template.
  • VIOL_COOKIE_MALFORMED (Cookie not RFC-compliant)
    This violation occurs when HTTP cookies contain at least one of the following components:
      • Quotation marks in the cookie name.
      • A space in the cookie name.
      • An equal sign (=) in the cookie name. Note: A space between the cookie name and the equal sign (=), and between the equal sign (=) and the cookie value, is allowed.
      • An equal sign (=) before the cookie name.
      • A carriage return (hexadecimal value 0xd) in the cookie name.
  • VIOL_COOKIE_MODIFIED (Modified domain cookie(s))
    The system checks that the web application cookies within the request have not been tampered with, and that the request includes a web application cookie defined in the security policy.
    Comment: Determined by cookie type: applied to “enforced” cookies.
  • VIOL_DATA_GUARD (Data Guard: Information leakage detected)
    The system examines responses and searches for sensitive information.
    Comment: Controlled by the Data Guard enable flag, which is disabled in the default template.
  • VIOL_ENCODING (Failed to convert character)
    The system detects that one of the characters does not comply with the configured language encoding of the web application’s security policy.
  • VIOL_EVASION (Evasion technique detected)
    This category contains a list of evasion techniques that attackers use to bypass detection.
  • VIOL_FILETYPE (Illegal file type)
    The system checks that the requested file type is configured as a valid file type, or not configured as an invalid file type, within the security policy.
    Comment: Only for disallowed file types.
  • VIOL_HEADER_LENGTH (Illegal header length)
    The system checks that the request includes a total HTTP header length that does not exceed the length specified in the security policy.
    Comment: The actual size in the default policy is 4 KB.
  • VIOL_HEADER_METACHAR (Illegal meta character in header)
    The system checks that the values of all headers within the request only contain meta characters defined as allowed in the security policy.
  • VIOL_HTTP_PROTOCOL (HTTP protocol compliance failed)
    This category contains a list of validation checks that the system performs on HTTP requests to ensure that the requests are formatted properly.
  • VIOL_HTTP_RESPONSE_STATUS (Illegal HTTP response status)
    The server response contains an HTTP status code that is not defined as valid in the security policy.
  • VIOL_JSON_FORMAT (JSON data does not comply with format settings)
    The system checks that the request contains JSON content and complies with the various request limits within the defense configuration in the security policy’s JSON profile. Enforces valid JSON requests and protects the server from JSON parser attacks. This violation is generated when a problem is detected in a JSON request, generally checking the message against boundaries such as the message’s size and meta characters in parameter values.
    Comment: Controlled from the default JSON profile.
  • VIOL_JSON_MALFORMED (Malformed JSON data)
    The system checks that the request contains JSON content that is well-formed. Enforces parsable JSON requests.
  • VIOL_METHOD (Illegal method)
    The system checks that the request references an HTTP request method that is found in the security policy. Enforces desired HTTP methods; GET and POST are always allowed.
    Comment: These HTTP methods are supported: GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS.
  • VIOL_POST_DATA_LENGTH (Illegal POST data length)
    The system checks that the request contains POST data whose length does not exceed the acceptable length specified in the security policy.
    Comment: In the * file type entity. This check is disabled by default.
  • VIOL_QUERY_STRING_LENGTH (Illegal query string length)
    The system checks that the request contains a query string whose length does not exceed the acceptable length specified in the security policy.
    Comment: In the * file type entity. The actual size is 2 KB.
  • VIOL_REQUEST_LENGTH (Illegal request length)
    The system checks that the request length does not exceed the acceptable length specified in the security policy for the requested file type.
    Comment: In the * file type entity. This check is disabled by default.
  • VIOL_REQUEST_MAX_LENGTH (Request length exceeds defined buffer size)
    The system checks that the request length is not larger than the maximum memory buffer size of the ASM. Note that this is a BIG-IP unit parameter that protects the ASM from consuming too much memory across all security policies that are active on the device.
    Comment: The default is 10 MB.
  • VIOL_URL_LENGTH (Illegal URL length)
    The system checks that the request is for a URL whose length does not exceed the acceptable length specified in the security policy.
    Comment: In the * file type entity. The actual size is 2 KB.
  • VIOL_URL_METACHAR (Illegal meta character in URL)
    The system checks that the incoming request includes a URL that contains only meta characters defined as allowed in the security policy. Enforces a desired set of acceptable characters.
  • VIOL_XML_FORMAT (XML data does not comply with format settings)
    The system checks that the request contains XML data that complies with the various document limits within the defense configuration in the security policy’s XML profile. Enforces proper XML requests; the data failed format/defense settings such as the maximum document length. This violation is generated when a problem in an XML document is detected (for example, an XML bomb), generally checking the message against boundaries such as the message’s size, maximum depth, and maximum number of children.
    Comment: Controlled by the default XML profile.
  • VIOL_XML_MALFORMED (Malformed XML data)
    The system checks that the request contains XML data that is well-formed, according to W3C standards. Enforces proper XML requests.
  • VIOL_RATING_THREAT (Request is likely a threat)
    The combination of violations in this request determined that the request is likely to be a threat.
    Comment: For a Violation Rating of 4 or 5.
  • VIOL_RATING_NEED_EXAMINATION (Request needs further examination)
    The combination of violations could not determine whether the request is a threat or the violations are false positives, so more examination is required.
    Comment: For a Violation Rating of 3.
  • VIOL_PARAMETER_MULTIPART_NULL_VALUE (Null in multi-part parameter value)
    The system checks that the multi-part request has a parameter value that does not contain the NULL character (0x00). If a multipart parameter with a binary content type contains NULL in its value, the enforcer issues this violation. The exceptions to this are:
      • If that parameter is configured in the policy as “Ignore value”.
      • If that parameter is configured in the security policy as “user-input file upload”.
      • If the parameter has a content type that contains the string ‘XML’ and the parameter value contains a valid UTF16 encoded XML document (the encoding is valid). In this case NULL is allowed, as it is part of the UTF16 encoding.
  • VIOL_PARAMETER_NAME_METACHAR (Illegal meta character in parameter name)
    The system checks that all parameter names within the incoming request only contain meta characters defined as allowed in the security policy.
  • VIOL_PARAMETER_VALUE_METACHAR (Illegal meta character in value)
    The system checks that all parameter values, XML element/attribute values, or JSON values within the request only contain meta characters defined as allowed in the security policy. Enforces proper input values.

Declarative policy HTTP sub-violations

The following table specifies the HTTP Compliance sub-violation settings.
HTTP sub-violations (sub-violation with its description where the page gives one)

  • Unparsable request content
    This violation is triggered when the system’s parser cannot parse the message.
  • Several Content-Length headers
    More than one Content-Length header violates the RFC and indicates an HTTP response splitting attack.
  • POST request with Content-Length: 0
  • Null in request
    The system issues a violation for requests with a NULL character anywhere in the request (except for a NULL in the binary part of a multipart request).
  • Null in body
  • No Host header in HTTP/1.1 request
    Examines requests using HTTP/1.1 to see whether they contain a “Host” header.
  • Multiple host headers
    Examines requests to ensure that they contain only a single “Host” header.
  • Host header contains IP address
    The system verifies that the request’s Host header value is not an IP address, to prevent non-standard requests.
  • High ASCII characters in headers
    Checks for high ASCII characters in headers (greater than 127).
  • Header name with no header value
    The system checks for a header name without a header value.
  • CRLF characters before request start
    Examines whether there is a CRLF character before the request method. If there is, the system issues a violation.
  • Content length should be a positive number
    The Content-Length header value should be greater than zero; only a positive numeric value is accepted.
  • Chunked request with Content-Length header
    The system checks for a Content-Length header within chunked requests.
  • Check maximum number of parameters
    The system compares the number of parameters in the request to the maximum configured number of parameters.
  • Check maximum number of headers
    The system compares the number of request headers to the maximum configured number of headers.
  • Body in GET or HEAD requests
    Examines GET and HEAD requests which have a body.
  • Bad multipart/form-data request parsing
    When the content type of a request header contains the substring “Multipart/form-data”, the system checks whether each multipart request chunk contains the strings “Content-Disposition” and “Name”. If they do not, the system issues a violation.
  • Bad multipart parameters parsing
    The system checks the following:
      1. A boundary follows immediately after the request headers.
      2. The parameter value matches the format name="param_key";\r\n.
      3. A chunked body contains at least one CRLF.
      4. A chunked body ends with CRLF.
      5. The final boundary was found in the multipart request.
      6. There is no payload after the final boundary.
    If one of these is false, the system issues a violation.
  • Bad HTTP version
    Enforces a legal HTTP version number (only 0.9 or higher allowed).
  • Bad host header value
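The sub-violations above are described in prose only; the following Python is an added example (not F5 code and not how the BIG-IP parser is implemented) that applies the request-line and header checks to constructed raw requests, so a reader can see which header combinations trigger which sub-violation. The header limit, host names and sample requests are constructed; the multipart checks and the "Null in body" rule are left out.

```python
import ipaddress
import re

# Added example: HTTP protocol compliance sub-violations from the table, as
# stand-alone checks over a raw request. max_headers stands in for the policy
# limit; multipart bodies are not special-cased, so any NUL byte is reported.
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d+)\.(\d+)$")


def _split_request(raw):
    """Return (request_line, header_lines, body); headers end at the first blank line."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    return lines[0], lines[1:], (body if sep else b"")


def _header_values(header_lines, wanted):
    """All stripped values of one header, matched case-insensitively by name."""
    values = []
    for line in header_lines:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == wanted:
            values.append(value.strip())
    return values


def _is_ip_literal(host):
    """True when a Host value (optionally with :port) is an IPv4 or IPv6 address."""
    text = host.decode("ascii", "replace")
    for candidate in (text, text.rsplit(":", 1)[0]):
        try:
            ipaddress.ip_address(candidate.strip("[]"))
            return True
        except ValueError:
            pass
    return False


def check_http_compliance(raw, max_headers=40):
    """Return the sub-violation names (as titled in the table) that raw triggers."""
    found = []
    if raw[:1] in (b"\r", b"\n"):
        found.append("CRLF characters before request start")
        raw = raw.lstrip(b"\r\n")
    if b"\x00" in raw:
        found.append("Null in request")

    request_line, header_lines, body = _split_request(raw)
    match = REQUEST_LINE.match(request_line)
    if not match:
        found.append("Unparsable request content")
        return found
    method = match.group(1).decode()
    version = (int(match.group(3)), int(match.group(4)))
    if version < (0, 9):
        found.append("Bad HTTP version")

    if any(byte > 127 for byte in b"".join(header_lines)):
        found.append("High ASCII characters in headers")
    if len(header_lines) > max_headers:
        found.append("Check maximum number of headers")
    if any(not sep or not value.strip()
           for _name, sep, value in (l.partition(b":") for l in header_lines)):
        found.append("Header name with no header value")

    hosts = _header_values(header_lines, b"host")
    if version == (1, 1) and not hosts:
        found.append("No Host header in HTTP/1.1 request")
    if len(hosts) > 1:
        found.append("Multiple host headers")
    if any(_is_ip_literal(h) for h in hosts):
        found.append("Host header contains IP address")

    lengths = _header_values(header_lines, b"content-length")
    if len(lengths) > 1:
        found.append("Several Content-Length headers")
    for value in lengths:
        if value.isdigit() and int(value) > 0:
            continue
        if method == "POST" and value == b"0":
            found.append("POST request with Content-Length: 0")
        else:
            found.append("Content length should be a positive number")
        break
    chunked = any(b"chunked" in v.lower()
                  for v in _header_values(header_lines, b"transfer-encoding"))
    if chunked and lengths:
        found.append("Chunked request with Content-Length header")
    declared = any(v.isdigit() and int(v) > 0 for v in lengths)
    if method in ("GET", "HEAD") and (body or declared):
        found.append("Body in GET or HEAD requests")
    return found


# Constructed sample requests (CRLF line endings as on the wire).
SAMPLES = {
    "clean": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nAccept: */*\r\n\r\n",
    "two_lengths": (b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
                    b"Content-Length: 5\r\nContent-Length: 50\r\n"
                    b"Transfer-Encoding: chunked\r\n\r\nhello"),
    "ip_host": b"GET / HTTP/1.1\r\nHost: 192.0.2.10:8080\r\nX-Empty:\r\n\r\n",
    "leading_crlf": b"\r\nGET / HTTP/1.1\r\nHost: a.example\r\nHost: b.example\r\n\r\n",
    "get_body": b"GET / HTTP/1.1\r\nHost: a.example\r\nContent-Length: 3\r\n\r\nabc",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label}: {check_http_compliance(raw) or ['compliant']}")
```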

Declarative policy evasion sub-violations

The following table specifies the Evasion Techniques sub-violation settings.
Evasion technique sub-violations

  • %u decoding
    Performs Microsoft %u unicode decoding (%UXXXX where X is a hexadecimal digit). For example, the system turns a%u002fb into a/b. The system performs this action on URI and parameter input to evaluate whether the request contains an attack.
  • Apache whitespace
    The system detects the following characters in the URI: 9 (0x09), 11 (0x0B), 12 (0x0C), and 13 (0x0D).
  • Bad unescape
    The system detects illegal HEX encoding. Reports unescaping errors (such as %RR).
  • Bare byte decoding
    The system detects higher ASCII bytes (greater than 127).
  • Directory traversals
    Ensures that directory traversal commands like ../ are not part of the URL. While requests generated by a browser should not contain directory traversal instructions, requests generated by JavaScript sometimes have them.
  • IIS backslashes
    Normalizes backslashes (\) to slashes (/) for further processing.
  • IIS Unicode codepoints
    Handles the mapping of IIS-specific non-ASCII codepoints. Indicates that, when a character is greater than ‘0x00FF’, the system decodes %u according to an ANSI Latin 1 (Windows 1252) code page mapping. For example, the system turns a%u2044b into a/b. The system performs this action on URI and parameter input.
  • Multiple decoding
    The system decodes URI and parameter values multiple times, up to the configured number, before the request is considered an evasion.
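As an added example, not F5 code, the following Python applies the decoding steps listed above to a request URI and reports which evasion techniques were present. The max_passes parameter stands in for the configured decoding count, and the best-fit table holds only the page's own U+2044 example (the real IIS code page mapping is a full table; its size is an assumption here).

```python
import re

# Added example: the evasion-technique decoding steps from the table, applied to
# a URI. Only the page's U+2044 -> '/' mapping is in the best-fit table.
PCT_U = re.compile(r"%u([0-9a-f]{4})", re.I)                  # Microsoft %uXXXX form
PCT = re.compile(r"%([0-9a-f]{2})", re.I)                     # standard %XX form
BAD_PCT = re.compile(r"%(?!u[0-9a-f]{4}|[0-9a-f]{2})", re.I)  # '%' with no valid escape after it
IIS_BEST_FIT = {"\u2044": "/"}  # FRACTION SLASH maps to '/', as in the page's example
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


def decode_once(text):
    """One decoding pass over %uXXXX and %XX escapes; returns (decoded, techniques seen)."""
    seen = set()
    if BAD_PCT.search(text):
        seen.add("Bad unescape")

    def u_repl(match):
        codepoint = int(match.group(1), 16)
        if codepoint > 0xFF:
            # IIS-specific code points go through the code page mapping
            seen.add("IIS Unicode codepoints")
            return IIS_BEST_FIT.get(chr(codepoint), chr(codepoint))
        seen.add("%u decoding")
        return chr(codepoint)

    text = PCT_U.sub(u_repl, text)
    text = PCT.sub(lambda m: chr(int(m.group(1), 16)), text)
    return text, seen


def normalize_uri(uri, max_passes=2):
    """Decode and normalize a URI as the table describes; return (path, sorted techniques).

    max_passes stands in for the configured decoding count: needing more passes
    than that to reach a stable string is reported as 'Multiple decoding'.
    """
    seen = set()
    if any(ord(c) > 127 for c in uri):
        seen.add("Bare byte decoding")
    if any(c in uri for c in "\t\x0b\x0c\r"):
        seen.add("Apache whitespace")

    text, passes = uri, 0
    while True:
        decoded, techniques = decode_once(text)
        seen |= techniques
        if decoded == text:
            break
        text, passes = decoded, passes + 1
        if passes > max_passes:
            seen.add("Multiple decoding")
            break

    if "\\" in text:
        seen.add("IIS backslashes")
        text = text.replace("\\", "/")
    if TRAVERSAL.search(text):
        seen.add("Directory traversals")
    return text, sorted(seen)


if __name__ == "__main__":
    # Constructed inputs; each exercises one or two rows of the table.
    for sample in ("/a%u002fb", "/a%u2044b", "/static/..%5c..%5cconfig",
                   "/%25252e%25252e/x", "/a%RRb"):
        print(sample, "->", normalize_uri(sample))
```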

List of endpoints

The following is a list of endpoints that can be used for external object referencing.
Endpoints
antivirus
behavioral-enforcement
brute-force-attack-preventions
character-sets
cookie-settings
cookies
csrf-protection
csrf-urls
data-guard
database-protection
deception-response-pages
disabled-action-items
disallowed-geolocations
filetypes
general
graphql-profiles
gwt-profiles
header-settings
headers
host-names
ip-intelligence
json-profiles
json-validation-files
login-enforcement
login-pages
methods
microservices
navigation-parameters
open-api-files
parameters
plain-text-profiles
policy-builder
policy-builder-central-configuration
policy-builder-cookie
policy-builder-filetype
policy-builder-header
policy-builder-parameter
policy-builder-redirection-protection
policy-builder-server-technologies
policy-builder-sessions-and-logins
policy-builder-url
redirection-protection
redirection-protection-domains
response-pages
sensitive-parameters
server-technologies
session-tracking
session-tracking-statuses
signature-requirements
signature-sets
signature-settings
signatures
threat-campaign-settings
threat-campaigns
urls
webhooks
websocket-urls
whitelist-ips
xml-profiles
xml-validation-files