Manual Chapter: Web Application Security Policy Templates

Applies To: BIG-IQ Centralized Management 7.1.0

Web Application Security Policy Templates

Applying Web Application Security policy templates

Use a template to populate the attributes of a new Web Application Security policy. Policy templates reduce the time required to configure a policy for your applications.
By default, each new security policy uses the Rapid Deployment Policy template. You can replace the default with a user-defined or system-supplied template, and then modify the policy's subcollections as needed. Unlike a parent policy, a template is applied only once: after a policy has been populated from a template, changes to the policy do not affect the template's settings.
Whether you are creating a security policy or applying one to an object, keep in mind the BIG-IP device version on which you intend to deploy the policy. Some protection features are not available in, or have changed between, versions.
System-defined templates (Generic and Application Ready policy templates) are aligned to support devices running version 13.1 or later. This allows deployment across multiple versions, but it means the templates omit certain fields that were added in newer device versions. Monitor your security policy's performance to ensure that it meets your application's needs. For more information about monitoring Web Application Security, see
Modify and Manage Layer 7 Security Objects.
Generic Templates
Generic templates address most aspects of the application security policy suite, while remaining broad enough to protect any application, regardless of its platform. Each template varies based on the level of enforcement and traffic learning settings. For more information about each generic template, its settings, and version limitations, see Generic Web Application Security policy templates.
Application Ready Templates
Application ready security policies are baseline templates designed to secure specific enterprise application platforms. Like generic templates, application ready templates provide a fixed policy whose settings you can adjust manually, or to which you can add security features. These templates are configured for the following platforms:
  • Drupal v8
  • Microsoft Outlook Web Access Exchange® 2016
  • SharePoint 2016
  • WordPress v4.9
Custom Policy Templates
Custom templates are created using existing Web Application Security policies. For more information, see Manage and create policy templates.
Templates are already aligned to support BIG-IP versions 13.1 or later, which allows deployment over different device versions. If you

Manage and create policy templates

Create, delete, or export Web Application Security policy templates. You can create a custom template from an existing Web Application Security policy, which reduces the configuration time required for a new protection policy.
The following is the recommended procedure for managing your policy templates. You can also create a template directly from the policies list by selecting a policy, clicking More, and then Save as Policy Template.
  1. Navigate to the Policy Templates screen: Configuration > SECURITY > Web Application Security > Policy Templates.
     A list of all policy templates is displayed. Custom templates are marked as Yes in the User Defined column.
  2. To add a new template, click Add.
    1. (Required) On the New Policy Template screen, enter a name to identify your new policy template.
    2. (Optional) Add a description to better identify the template's settings.
    3. From the Template source field, select Policy to create a template from a policy that is already configured on the system, or select File to import a policy from your local files.
    4. Click Save & Close.
       The new template can now be applied to a new Web Application Security policy. Changes made to the original policy after template creation do not affect the template's settings.
  3. To export a template as an XML file, select the template and click Export.
  4. To delete a custom template, select a user-defined template and click Delete.
     This action deletes the template only; it does not delete the original policy or any policies created from the template.
Policy template management is immediately reflected in the list on the Policy Templates screen.

Generic Web Application Security policy templates

The following defines and details the generic policy templates you can apply when creating a new Web Application Security parent or child policy (Configuration > SECURITY > Web Application Security > Policies). These templates automatically populate required fields based on the most common application protection needs. Use them as a starting point and fine-tune the resulting policy as needed.

Template Overview

Rapid Deployment Policy (RDP)
A moderate protection layer that includes manual learning of false positives. This protection template meets the majority of Web Application Security requirements.
Operational Cost: Low
BIG-IP Version Support*: All versions supported by BIG-IQ centralized management
API Security
A moderate protection layer that follows the same protection as RDP, with additional support for API security features such as REST API (JSON, XML) and WebSocket security.
Operational Cost: Low
BIG-IP Version Support*: Version 13.1.0.2 or later
Fundamental
A high-to-moderate protection layer that includes automatic learning of false positives, and specific entity types. This template includes a blocking enforcement mode.
Operational Cost: Medium
Comprehensive
A high protection layer with automatic learning for all entity types. This template includes a blocking enforcement mode.
Operational Cost: High
BIG-IP Version Support*: All versions supported by BIG-IQ centralized management
Passive Deployment Policy (PDP)
A low protection layer with a high level of automatic learning (similar to Comprehensive) that is fully transparent and does not interfere with traffic. This template is designed to detect as many potential threats as possible without the risk of affecting traffic with false positives.
Operational Cost: High
BIG-IP Version Support*: Version 13.1 or later
Vulnerability Assessment Baseline
Provides the lowest protection, and is used to create a security baseline by identifying, classifying and reporting security holes or weaknesses in your web site's code.
Operational Cost: Medium
BIG-IP Version Support*: All versions supported by BIG-IQ centralized management
*General template support does not include all settings. Variations are indicated with the setting and template type.
This table highlights critical aspects of each template's general properties.
Basic Template Settings

| Setting | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
| --- | --- | --- | --- | --- | --- | --- |
| Enforcement Mode | Transparent | Transparent | Blocking | Blocking | Transparent | Transparent |
| Learning Mode | Manual | Manual | Automatic | Automatic | Automatic | Manual |
| Application Language | UTF-8 | UTF-8 | Auto-detect | Auto-detect | Auto-detect | UTF-8 |
| Attack Signature Set Assignment | Generic Detection Signatures (Learn/Alarm/Block enabled) | Generic Detection Signatures (Learn/Alarm/Block enabled) | Generic Detection Signatures (Learn/Alarm/Block enabled) | Generic Detection Signatures (Learn/Alarm/Block enabled) | Generic Detection Signatures (Learn/Alarm/Block enabled) | 1. Generic Detection Signatures (Learn/Alarm/Block disabled); 2. High Accuracy Detection Evasion Signatures |
| Signature Staging | Enabled | Enabled | Enabled | Enabled | Enabled | Disabled |
This table highlights the learning settings per template. Fields that are not listed are either not affected by template settings or have default settings unrelated to the selected template.

General Learning Settings

| Setting | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
| --- | --- | --- | --- | --- | --- | --- |
| Learn Host Names | False | False | True | True | True | False |
| Learn Explicit URLs | Never | Never | Never | Compact | Compact | Never |
| Learn Explicit WebSocket URLs | Never | Never | Never | Always | Always | Never |
| Learn Explicit Parameters | Never | Never | Selective | Compact | Compact | Never |
| Learn Explicit Cookies | Never | Never | Never | Selective | Selective | Never |
| Learn Explicit Redirection Domains | Never | Never | Always | Always | Always | Never |

Full Policy Template Settings

The following lists all fields populated by each policy template, per configuration section. Sections and fields that are not affected are not included in this document. In the tables that follow, a row that shows a single value applies to all templates.

POLICY PROPERTIES

| Setting | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
| --- | --- | --- | --- | --- | --- | --- |
| Enforcement Mode | Transparent | Transparent | Blocking | Blocking | Transparent | Transparent |
| Learning Mode | Manual | Manual | Automatic | Automatic | Automatic | Manual |
| Enforcement Readiness Period | 7 Days | | | | | |
| Mask Credit Card Numbers in Request Log | Enabled | | | | | |
| Allowed Response Status Codes | 400, 401, 403, 404, 407, 417, 503 | | | | | |
| Dynamic Session ID in URL | Disabled | | | | | |
| Trigger ASM iRule Events | Disabled | | | | | |
| Trust XFF Header | No | | | | | |
| Handle Path Parameters | As Parameter | | | | | |

POLICY BUILDING (Settings)

Blocking Settings

| Setting | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
| --- | --- | --- | --- | --- | --- | --- |
| Enforcement Mode | Transparent | Transparent | Blocking | Blocking | Transparent | Transparent |
| Learning Speed | Medium | | | | | |

Violation settings include the Learn, Block, and Alarm options. If none of these options is selected, the violation is marked as "Disabled" in the table.
All Violations

Footnotes: (a) for devices running v13.1, the violation is set to Learn only; (b) violation setting for version 13.0 or later; (c) violation setting for version 13.1 or later; (d) violation setting supported by version 14.0 or later; (e) for version 12.1 or earlier, the setting included 2 decoding passes. A row that shows a single value applies to all templates; a row that shows two values separated by "/" (the Evasion Techniques sub-violations and Web Services Security failure) is listed with merged template columns, in the order given.

| Violation | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
| --- | --- | --- | --- | --- | --- | --- |
| Policy General Features | | | | | | |
| Request length exceeds defined buffer size | Learn only (a) | Learn only | Learn only | Learn only | Learn only | All Disabled |
| Failed to convert character | All Enabled (a) | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled |
| Illegal session ID in URL | All Disabled | All Disabled | All Disabled | All Enabled | Disabled | All Disabled |
| Illegal HTTP status in response | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled |
| Illegal Base64 value | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled |
| HTTP Protocol Compliance Failed | | | | | | |
| Body in GET or HEAD requests | All Disabled | All Disabled | All Disabled | Learn (b) | Learn | All Disabled |
| POST request with Content-Length: 0 | All Disabled | All Disabled | All Disabled | Learn (b) | Learn | All Disabled |
| Check maximum number of parameters | Learn: 500 | | | | | |
| CRLF characters before request start | Learn | Learn | Learn | Learn | Learn | All Disabled |
| Chunked request with Content-Length header | Disabled | | | | | |
| Unparsable request content | Block | | | | | |
| Several Content-Length headers | Learn | Learn | Learn | Learn | Learn | All Disabled |
| High ASCII characters in headers | All Disabled | All Disabled | All Disabled | Learn (b) | Learn | All Disabled |
| Check maximum number of headers | Learn: 20 | Learn: 20 | Learn: 20 | Learn: 20 | Learn: 20 | All Disabled |
| Multiple host headers | Learn | Learn | Learn | Learn | Learn | All Disabled |
| Bad multipart parameters parsing | Learn | Learn | Learn | Learn | Learn | All Disabled |
| Bad host header value | Learn | Learn | Learn | Learn | Learn | All Enabled |
| Header name with no header value | Learn | Learn | Learn | Learn | Learn | All Disabled |
| Content length should be a positive number | Learn | Learn | Learn | Learn | Learn | All Disabled |
| Null in request | Block | | | | | |
| Bad HTTP version | Block | | | | | |
| No Host header in HTTP/1.1 request | Learn | Learn | Learn | Learn | Learn | All Disabled |
| Host header contains IP address | All Disabled | All Disabled | All Disabled | Learn (b) | Learn | All Disabled |
| Bad multipart/form-data request parsing | All Disabled | All Disabled | All Disabled | Learn | Learn | All Disabled |
| Evasion Techniques Sub-Violations | | | | | | |
| Multiple decoding | Learn: 3 (e) / All Enabled: 3 | | | | | |
| IIS backslashes | Learn / All Enabled | | | | | |
| Bad unescape | Learn / All Enabled | | | | | |
| Directory traversals | Learn / All Enabled | | | | | |
| Bare byte decoding | Learn / All Enabled | | | | | |
| Apache whitespace | Learn / All Enabled | | | | | |
| %u decoding | Learn / All Enabled | | | | | |
| URLs | | | | | | |
| Illegal number of mandatory parameters | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Illegal flow to URL | All Disabled | All Disabled | All Disabled | All Enabled | All Disabled | All Disabled |
| Illegal cross-origin request | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Binary content found in text only WebSocket | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Illegal entry point | All Disabled | All Disabled | All Disabled | All Enabled | All Disabled | All Disabled |
| Illegal meta character in URL | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Illegal query string or POST data | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Illegal URL | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Illegal WebSocket binary message length | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Illegal WebSocket extension | All Disabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled |
| Illegal number of frames per message | All Disabled | All Disabled | All Enabled | All Enabled | All Enabled | All Disabled |
| Text content found in binary only WebSocket | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Illegal request content type | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Illegal WebSocket frame length | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Parameters | | | | | | |
| Illegal parameter numeric value | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Illegal dynamic parameter value | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Illegal empty parameter value | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Illegal parameter data type | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Null in multi-part parameter value | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Illegal meta character in parameter name | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Illegal meta character in value | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Illegal parameter value length | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Illegal repeated parameter name | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Illegal static parameter value | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Disallowed file upload content detected | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled |
| Parameter value does not comply with regular expression | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Illegal parameter | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Sessions and Logins | | | | | | |
| Access from disallowed User/Session/IP | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled |
| ASM Cookie Hijacking | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled | All Disabled |
| Brute Force: Maximum login attempts are exceeded | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled |
| Login URL bypassed | All Disabled | All Disabled | All Disabled | All Enabled | All Disabled | All Disabled |
| Login URL expired | All Disabled | All Disabled | All Disabled | All Enabled | All Disabled | All Disabled |
| Cookies | | | | | | |
| Modified ASM cookie | All Enabled | All Enabled | All Enabled (b) | All Enabled | All Disabled | All Disabled |
| Illegal cookie length | All Disabled | All Disabled | Learn Only (b) | Learn Only | Learn Only | All Disabled |
| Expired timestamp | All Disabled | | | | | |
| Cookie not RFC-compliant | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled |
| Modified domain cookie(s) | All Disabled | All Disabled | All Disabled | All Enabled | All Disabled | All Disabled |
| Content Profiles | | | | | | |
| Malformed XML data | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled |
| XML data does not comply with schema or WSDL document | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled |
| SOAP method not allowed | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled |
| JSON data does not comply with format settings | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled |
| GWT data does not comply with format settings | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Plain text data does not comply with format settings | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled |
| XML data does not comply with format settings | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Malformed GWT data | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Illegal attachment in SOAP message | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Malformed JSON data | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled |
| Web Services Security failure (all sub-violations) | All Enabled / Learn Only | | | | | |
| CSRF Protection | | | | | | |
| CSRF authentication expired | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled | All Disabled |
| CSRF attack detected | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled | All Enabled |
| IP Addresses / Geolocations | | | | | | |
| IP is blacklisted | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled |
| Access from malicious IP address | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled |
| Access from disallowed User/Session/IP | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled |
| Headers | | | | | | |
| Illegal header length | All Disabled | All Disabled | Learn Only (b) | Learn Only | Learn Only | All Disabled |
| Illegal method | All Enabled | All Enabled | Learn Only (b) | Learn Only (b) | Learn Only | All Enabled (no enforcement) |
| Illegal meta character in header | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Mandatory HTTP header is missing | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled |
| Redirection Protection | | | | | | |
| Illegal redirection attempt | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled |
| Threat Campaigns | | | | | | |
| Threat Campaign detected (d) | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled |
| Bot Detection | | | | | | |
| Web scraping detection | All Enabled | | | | | |
| Data Guard | | | | | | |
| Data Guard: Information leakage detected | All Enabled | All Disabled | All Enabled | All Enabled | All Enabled | All Enabled |
| WebSocket protocol compliance | | | | | | |
| Null character found in WebSocket text message | All Enabled | | | | | |
| Failure in WebSocket framing protocol | Learn Only (c) | All Enabled | Learn Only | Learn Only | Learn Only | All Disabled |
| Mask not found in client frame | Learn Only (c) | All Enabled | Learn Only | Learn Only | Learn Only | All Disabled |
| Bad WebSocket handshake request | Learn Only (c) | All Enabled | Learn Only | Learn Only | Learn Only | All Disabled |
| Antivirus Detection | | | | | | |
| Virus Detected | All Disabled | All Disabled | All Disabled | All Enabled | All Disabled | All Disabled |
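The HTTP Protocol Compliance sub-violations in the table above are the parser-level checks a WAF applies before any signature matching, and several of them (multiple Content-Length headers, chunked encoding combined with Content-Length, a Host header that is an IP address) are exactly the ambiguities that request-smuggling and host-header attacks rely on. As an added example, which is not part of the F5 documentation or of BIG-IP/BIG-IQ code, the following Python function applies a subset of those checks to one raw HTTP/1.1 request and returns the names of the violated checks spelled as in the table. The header limit of 20 is the table's Learn value; the sample requests are constructed, not captured traffic.

```python
import re

MAX_HEADERS = 20  # "Check maximum number of headers: Learn: 20" in the table above


def check_http_compliance(raw: bytes) -> list:
    """Apply a subset of the HTTP Protocol Compliance checks to one raw request.

    Returns the names of the violated checks, spelled as in the table, in the
    order they were detected (duplicates removed).
    """
    found = []
    if b"\x00" in raw:
        found.append("Null in request")
    if raw[:1] in (b"\r", b"\n"):
        found.append("CRLF characters before request start")
        raw = raw.lstrip(b"\r\n")

    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not re.fullmatch(rb"HTTP/\d\.\d", parts[2]):
        found.append("Bad HTTP version")
        return list(dict.fromkeys(found))  # nothing further can be parsed reliably
    method, _target, version = parts

    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            found.append("Unparsable request content")
            continue
        if any(b > 0x7F for b in line):
            found.append("High ASCII characters in headers")
        value = value.strip()
        if not value:
            found.append("Header name with no header value")
        headers.append((name.strip().lower(), value))
    if len(headers) > MAX_HEADERS:
        found.append("Check maximum number of headers")

    hosts = [v for n, v in headers if n == b"host"]
    if version == b"HTTP/1.1" and not hosts:
        found.append("No Host header in HTTP/1.1 request")
    if len(hosts) > 1:
        found.append("Multiple host headers")
    for host in hosts:
        if re.fullmatch(rb"\d{1,3}(\.\d{1,3}){3}", host.split(b":")[0]):
            found.append("Host header contains IP address")
        if not re.fullmatch(rb"[A-Za-z0-9.\-:\[\]]+", host):
            found.append("Bad host header value")

    lengths = [v for n, v in headers if n == b"content-length"]
    if len(lengths) > 1:
        found.append("Several Content-Length headers")
    if any(not v.isdigit() for v in lengths):  # negative or non-numeric value
        found.append("Content length should be a positive number")
    encodings = [v.lower() for n, v in headers if n == b"transfer-encoding"]
    if lengths and any(b"chunked" in v for v in encodings):
        found.append("Chunked request with Content-Length header")  # classic smuggling primitive

    if method in (b"GET", b"HEAD") and body:
        found.append("Body in GET or HEAD requests")
    if method == b"POST" and lengths and lengths[0] == b"0":
        found.append("POST request with Content-Length: 0")
    return list(dict.fromkeys(found))


# Constructed sample requests (not captured traffic).
CLEAN_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: example\r\n\r\n"
)
SMUGGLING_ATTEMPT = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: 10.0.0.5\r\n"
    b"Content-Length: 4\r\n"
    b"Content-Length: 11\r\n"
    b"Transfer-Encoding: chunked\r\n\r\n"
    b"0\r\n\r\n"
)

if __name__ == "__main__":
    for req in (CLEAN_REQUEST, SMUGGLING_ATTEMPT):
        print(check_http_compliance(req))
```

The clean request yields no findings; the second request yields the IP-address host, duplicate Content-Length and chunked-with-Content-Length checks. In the templates above, the Comprehensive and Fundamental templates only learn these violations, so even in blocking mode they are reported rather than blocked until you move them to Alarm/Block.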
Policy builder settings are identical across templates except for the learning mode and the Learn From Response attribute (enabled for the Comprehensive template). The following lists the Policy Building Process values populated when you select a generic template.

Policy Building Process

  • Trust IP Addresses: Address List
  • Loosen Policy
    • Untrusted Traffic: Sources: 20; Min Period: 60 minutes; Max Period: 7 days
    • Trusted Traffic: Sources: 1; Min Period: 0 (not applicable); Max Period: 7 days
  • Tighten Policy (stabilize): Total Requests: 15,000; Days: 1; Maximum modification suggestion score: 50%
  • Minimize false positives (Track Site Changes)
    • Status: Enabled
    • From Trusted and Untrusted Traffic: Enabled
    • Untrusted Traffic: Sources: 10; Min Period: 20 minutes; Max Period: 7 days
    • Trusted Traffic: Sources: 1; Min Period: 0 (not applicable); Max Period: 7 days
  • Options
    • Learn from responses: Disabled (Enabled for the Comprehensive template)
    • Full Policy Inspection: Enabled
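The Evasion Techniques sub-violations in the violations table above (Multiple decoding with 3 passes, %u decoding, Bad unescape, Bare byte decoding, Apache whitespace, IIS backslashes, Directory traversals) all concern the normalization a WAF performs before it compares a request against signatures and allowed URLs. The security-relevant detail is that the engine decodes only a bounded number of times: a payload that still carries an encoding layer after the configured passes is itself flagged as an evasion, instead of being passed through undecoded. As an added example, not part of the F5 documentation or product code, the following Python function normalizes a request path the way those checks describe and reports which sub-violations it would raise; the sample paths are constructed.

```python
import re
from urllib.parse import unquote

MAX_DECODING_PASSES = 3  # "Multiple decoding: 3" in the table; BIG-IP 12.1 and earlier used 2 passes


def _decode_once(value: str) -> str:
    """One decoding pass: IIS-style %uXXXX first, then ordinary %XX escapes."""
    value = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), value, flags=re.I)
    return unquote(value)


def analyze_url(path: str) -> dict:
    """Normalize a request path and report the evasion sub-violations it triggers.

    `path` is the raw request-target as text; bytes above 0x7F (bare bytes) are
    expected to arrive as the corresponding Latin-1 characters.
    """
    findings = []
    if re.search(r"%u[0-9a-fA-F]{4}", path, flags=re.I):
        findings.append("%u decoding")
    without_u = re.sub(r"%u[0-9a-fA-F]{4}", "", path, flags=re.I)
    if re.search(r"%(?![0-9a-fA-F]{2})", without_u):  # '%' not followed by two hex digits
        findings.append("Bad unescape")
    if any(ord(c) > 0x7F for c in path):
        findings.append("Bare byte decoding")
    if re.search(r"[\t\x0b\x0c\r\n]", path):  # characters Apache treats like a space
        findings.append("Apache whitespace")

    decoded, passes = path, 0
    while passes < MAX_DECODING_PASSES:
        nxt = _decode_once(decoded)
        if nxt == decoded:
            break
        decoded, passes = nxt, passes + 1
    if _decode_once(decoded) != decoded:  # still encoded after the allowed passes
        findings.append("Multiple decoding")

    if "\\" in decoded:
        findings.append("IIS backslashes")
        decoded = decoded.replace("\\", "/")
    if re.search(r"(^|/)\.\.(/|$)", decoded):
        findings.append("Directory traversals")
    return {"normalized": decoded, "passes": passes, "findings": findings}


# Constructed sample request paths.
SAMPLES = [
    "/index.html",
    "/cgi-bin/..%255c..%255c..%255cwindows/win.ini",  # double-encoded backslash traversal
    "/scripts/%u002e%u002e/%u002e%u002e/cmd.exe",      # %u-encoded dots
    "/%2525252e%2525252e/etc/passwd",                  # needs a 4th pass to reveal the dots
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", analyze_url(sample))
```

The double-encoded path is fully revealed within the allowed passes and is then caught by the backslash and traversal checks; the triple-encoded path is not revealed, and is flagged as Multiple decoding precisely because a further pass would still change it. That is why lowering the pass count does not weaken the check, it only moves more requests into the evasion violation.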

DATA GUARD

The Data Guard settings are listed with merged template columns (values separated by "/" are given in the order listed). The violations table above shows Data Guard: Information leakage detected enabled for every template except API Security.

| Setting | Value(s) |
| --- | --- |
| Data Guard | Disabled |
| Protect credit card numbers | Enabled / Disabled |
| Protect U.S. Social Security numbers | Enabled / Disabled |
| Mask sensitive data | Enabled / Enabled / Disabled / Disabled |
| Custom Patterns | Disabled |
| Exception Patterns | Disabled |
| File Content Detection | Disabled |
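Data Guard's "Protect credit card numbers", "Protect U.S. Social Security numbers" and "Mask sensitive data" settings, together with the policy property "Mask Credit Card Numbers in Request Log", describe the same operation: find card and SSN patterns in a payload or log line and replace the digits before they are stored or returned. The practical detail is that a digit-run match alone produces many false positives (order numbers, tracking IDs), so card candidates are confirmed with the Luhn check first. As an added example, not part of the F5 documentation or product code, the following Python function implements that masking over a constructed request log line; the card number is the well-known 4111 test number, not a real account.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by single spaces or dashes.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
US_SSN = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check: separates real card numbers from order IDs and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_sensitive(text: str) -> tuple:
    """Mask Luhn-valid card numbers and U.S. SSNs, keeping the last four digits.

    Returns (masked_text, number_of_items_masked).
    """
    count = 0

    def mask_card(m):
        nonlocal count
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw  # not a card number: leave it untouched
        count += 1
        to_hide = len(digits) - 4
        out, seen = [], 0
        for ch in raw:  # keep separators and the last four digits
            if ch.isdigit():
                out.append("*" if seen < to_hide else ch)
                seen += 1
            else:
                out.append(ch)
        return "".join(out)

    def mask_ssn(m):
        nonlocal count
        count += 1
        return "***-**-" + m.group(0)[-4:]

    text = US_SSN.sub(mask_ssn, text)
    text = CARD_CANDIDATE.sub(mask_card, text)
    return text, count


# Constructed request log line; 4111 1111 1111 1111 is a standard test number.
SAMPLE = "user=bob&card=4111 1111 1111 1111&order=1234567890123&ssn=078-05-1120"

if __name__ == "__main__":
    print(mask_sensitive(SAMPLE))
```

The 13-digit order number matches the card pattern but fails Luhn, so it survives unchanged; only the card and the SSN are masked.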

CSRF PROTECTION

| Setting | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
| --- | --- | --- | --- | --- | --- | --- |
| CSRF Protection | Disabled | Disabled | Disabled | Disabled | Disabled | Enabled |
| SSL Only | Disabled | | | | | |
| Expiration Time | Disabled | | | | | |
| [Default entry] CSRF URL | URL * | URL * | URL * | URL * | Empty | Empty |

ANOMALY DETECTION

All templates are populated with a default login page. As of BIG-IP version 13.1, several fields were deprecated while others were introduced; deprecated fields are not included in the default login page. Values separated by "/" are listed with merged template columns, in the order given.

Brute Force Attack Prevention

| Setting | Value(s) |
| --- | --- |
| Properties | |
| Login Page | Default |
| Brute Force Protection | Disabled* / Enabled |
| Configuration Support | Current (supports versions 13.1 or later) |
| IP Address Whitelist | Empty |
| Source-based Brute Force Protection | |
| Detection Period | 60 minutes |
| Maximum Prevention Duration | 60 minutes |
| Username | Trigger: After 3 failed login attempts; Action: Alarm And CAPTCHA / Alarm / Alarm And CAPTCHA |
| Device ID | Trigger: Never |
| IP Address | Trigger: After 20 failed login attempts; Action: Alarm And CAPTCHA / Alarm / Alarm And CAPTCHA |
| Client Side Integrity Bypass Mitigation | Trigger: After 3 failed login attempts; Action: Alarm And CAPTCHA |
| CAPTCHA Bypass Mitigation | Trigger: After 5 failed login attempts; Action: Alarm And Drop |
| Distributed Brute Force Protection | |
| Detection Period | 15 minutes |
| Maximum Prevention Duration | 60 minutes |
| Detect Distributed Attack | After 100 failed login attempts |
| Detect Credential Stuffing | After 100 failed login attempts |
| Mitigation | Alarm And CAPTCHA / Alarm / Alarm And CAPTCHA |

*The default profile protects all login pages that are not specifically protected by an enabled configuration.
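The brute force settings above combine two kinds of counter: source-based (per username and per source IP, over a 60-minute detection period) and distributed (all failed logins on the login page, over a 15-minute detection period, for spotting credential stuffing from many addresses). As an added example, not part of the F5 documentation or product code, the following Python class implements those sliding-window counters with the thresholds from the "Alarm And CAPTCHA" variant of the table. It assumes the trigger fires when the count within the window reaches the configured number; the prevention duration, the Device ID trigger and the CAPTCHA-bypass mitigation are not modeled. The login events are constructed.

```python
from collections import defaultdict, deque

# Source-based and distributed settings from the table above ("Alarm And CAPTCHA" variant).
SOURCE_BASED = {
    "detection_period_s": 60 * 60,   # Detection Period: 60 minutes
    "username": {"threshold": 3, "action": "Alarm And CAPTCHA"},
    "ip": {"threshold": 20, "action": "Alarm And CAPTCHA"},
}
DISTRIBUTED = {
    "detection_period_s": 15 * 60,   # Detection Period: 15 minutes
    "threshold": 100,                # Detect Distributed Attack: after 100 failed login attempts
    "action": "Alarm And CAPTCHA",
}


class BruteForceDetector:
    """Sliding-window counters for failed logins per username, per source IP, and overall."""

    def __init__(self):
        self.by_user = defaultdict(deque)
        self.by_ip = defaultdict(deque)
        self.overall = deque()

    @staticmethod
    def _count_recent(window: deque, now: float, period: float) -> int:
        while window and window[0] <= now - period:  # drop failures older than the detection period
            window.popleft()
        return len(window)

    def failed_login(self, now: float, username: str, ip: str) -> list:
        """Record one failed login at time `now` (seconds) and return the mitigations it triggers."""
        triggered = []
        self.by_user[username].append(now)
        self.by_ip[ip].append(now)
        self.overall.append(now)
        period = SOURCE_BASED["detection_period_s"]
        if self._count_recent(self.by_user[username], now, period) >= SOURCE_BASED["username"]["threshold"]:
            triggered.append(("username", SOURCE_BASED["username"]["action"]))
        if self._count_recent(self.by_ip[ip], now, period) >= SOURCE_BASED["ip"]["threshold"]:
            triggered.append(("ip", SOURCE_BASED["ip"]["action"]))
        if self._count_recent(self.overall, now, DISTRIBUTED["detection_period_s"]) >= DISTRIBUTED["threshold"]:
            triggered.append(("distributed", DISTRIBUTED["action"]))
        return triggered


if __name__ == "__main__":
    det = BruteForceDetector()
    # Constructed events: one user guessed three times from one address within a minute.
    for t in (0, 10, 20):
        print(t, det.failed_login(t, "alice", "198.51.100.7"))
    # Credential stuffing: 100 different users from 100 different addresses in 100 seconds.
    stuffing = BruteForceDetector()
    hits = [stuffing.failed_login(i, f"user{i}", f"10.0.{i // 256}.{i % 256}") for i in range(100)]
    print(hits[-1])
```

Per-user and per-IP counters alone miss the stuffing case, where each user and each address is seen once; only the overall window reaches the distributed threshold.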

HEADERS

Methods
All templates except Vulnerability Assessment Baseline include three HTTP methods: GET, POST, and HEAD.
Vulnerability Assessment Baseline includes all available HTTP methods, with their default actions as follows:
  • Methods acting as GET: REPORT, HEAD, CHECKOUT, COPY, LOCK, MOVE, CHECKIN, UNLOCK, GET, OPTIONS, MERGE, X-MS-ENUMATTS, NOTIFY, MKCOL, SUBSCRIBE, POLL, CONNECT, ACL, VERSION_CONTROL, PROPFIND, UNSUBSCRIBE, PROPPATCH.
  • Methods acting as POST: MKWORKSPACE, BPROPPATCH, BPROPFIND, BMOVE, RPC_IN_DATA, SEARCH, RPC_OUT_DATA, BCOPY, POST, UNLINK, LINK, PATCH.
Cookies
The wildcard '*' cookie is the only cookie entity populated by the generic templates. The following table indicates which templates place it in staging.

| Setting | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
| --- | --- | --- | --- | --- | --- | --- |
| In Staging | No | No | Yes | Yes | Yes | No |

Redirection Protection

| Setting | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
| --- | --- | --- | --- | --- | --- | --- |
| Redirection Protection | Disabled | Disabled | Enabled | Enabled | Enabled | Enabled |
| Redirection Domains | Empty | Empty | * (entity only) | * (entity only) | * (entity only) | Empty |

URLS

All templates are populated with two allowed wildcard URLs, one for HTTP and one for HTTPS. The following are the properties and configuration; a row that shows a single value applies to all templates.

[Allowed] HTTP URLs

| Setting | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
| --- | --- | --- | --- | --- | --- | --- |
| Properties | | | | | | |
| URL | Wildcard, HTTP and HTTPS | | | | | |
| Perform Staging | Disabled | Enabled | Enabled | Enabled | Enabled | Disabled |
| Wildcard Match Includes Slashes | Enabled | | | | | |
| Clickjacking Protection | Disabled | | | | | |
| Attack Signatures | | | | | | |
| Check Signatures on this URL | Enabled | | | | | |
| Overridden Policy Settings | No overrides were selected | | | | | |
| Header-Based Content Profiles | | | | | | |
| Request Header Value / Request Body Handling | Form, XML, JSON and Apply Value and Content Signatures / Apply Value and Content Signatures (merged columns) | | | | | |
| HTML5 Cross-Domain Request Enforcement | | | | | | |
| Enforcement Mode | Disabled | Disabled | Disabled | Enforce on ASM | Enforce on ASM | Disabled |
| Methods Enforcement | | | | | | |
| Override policy allowed methods | Disabled | | | | | |

All templates are populated with wildcard (*) WebSocket URLs for the WS and WSS protocols. The following are the properties and configuration.

[Allowed] WebSocket URLs

| Setting | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
| --- | --- | --- | --- | --- | --- | --- |
| Properties | | | | | | |
| WebSocket URL | Wildcard, WS and WSS | | | | | |
| Perform Staging | Disabled | Enabled | Enabled | Enabled | Enabled | Disabled |
| Message Handling | | | | | | |
| Check Message Payload | Enabled | Enabled | Enabled | Enabled | Enabled | Disabled |
| WebSocket Extensions | Delete Headers | Delete Headers | Delete Headers | Delete Headers | Block | Delete Headers |
| Allowed Message Payload Formats | All Formats | All Formats | All Formats | Plain Text, JSON | Plain Text, JSON | All Formats |
| Payload Enforcement (Maximum Binary Message Size) | Any | Any | Any | 10,000 bytes | 10,000 bytes | Any |
| Maximum Frame Size | Any | Any | Any | 10,000 bytes | 10,000 bytes | Any |
| Maximum Frames per fragmented message | Any | Any | Any | 100 | 100 | Any |
| HTML5 Cross-Domain Request Enforcement | | | | | | |
| Enforcement Mode | Disabled | Disabled | Disabled | Enforce on ASM | Enforce on ASM | Disabled |
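The WebSocket URL settings for the Comprehensive and PDP templates (Plain Text and JSON payloads only, 10,000-byte frame and binary-message limits, at most 100 frames per fragmented message) and the WebSocket protocol compliance violations in the table above (mask not found in client frame, framing failures, null in a text message, binary content on a text-only URL) are all checks on the RFC 6455 frame layer. As an added example, not part of the F5 documentation or product code, the following Python code encodes client frames and walks a client-to-server byte stream, returning the violated checks named as in the tables. The limits dictionary mirrors the Comprehensive/PDP column; the frames are constructed.

```python
import struct
from typing import Optional

# Comprehensive / PDP column of the WebSocket URL table above.
LIMITS = {
    "max_frame_size": 10_000,
    "max_binary_message_size": 10_000,
    "max_frames_per_message": 100,
    "allowed_formats": {"text", "json"},  # Plain Text, JSON: no binary
}
CONTINUATION, TEXT, BINARY = 0x0, 0x1, 0x2


def build_client_frame(payload: bytes, opcode: int, fin: bool = True,
                       mask_key: Optional[bytes] = b"\x12\x34\x56\x78") -> bytes:
    """Encode one RFC 6455 frame. mask_key=None yields an unmasked frame, which a client must never send."""
    head = bytes([(0x80 if fin else 0x00) | opcode])
    n, mask_bit = len(payload), (0x80 if mask_key else 0x00)
    if n < 126:
        head += bytes([mask_bit | n])
    elif n < 65536:
        head += bytes([mask_bit | 126]) + struct.pack(">H", n)
    else:
        head += bytes([mask_bit | 127]) + struct.pack(">Q", n)
    if mask_key is None:
        return head + payload
    return head + mask_key + bytes(b ^ mask_key[i % 4] for i, b in enumerate(payload))


def _parse_frame(buf: bytes, off: int):
    """Decode the frame at `off`; returns (fin, rsv, opcode, masked, payload, next_offset)."""
    b0, b1 = buf[off], buf[off + 1]
    fin, rsv, opcode = bool(b0 & 0x80), (b0 >> 4) & 0x7, b0 & 0x0F
    masked, n = bool(b1 & 0x80), b1 & 0x7F
    off += 2
    if n == 126:
        n, off = struct.unpack(">H", buf[off:off + 2])[0], off + 2
    elif n == 127:
        n, off = struct.unpack(">Q", buf[off:off + 8])[0], off + 8
    key = b""
    if masked:
        key, off = buf[off:off + 4], off + 4
    payload = buf[off:off + n]
    if len(payload) != n or (masked and len(key) != 4):
        raise ValueError("truncated frame")
    if masked:
        payload = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
    return fin, rsv, opcode, masked, payload, off + n


def check_websocket_stream(data: bytes, limits: dict = LIMITS) -> list:
    """Walk client-to-server frames and return the violated checks, named as in the tables above."""
    findings, off = [], 0
    msg_opcode, msg_frames, msg_buf = None, 0, bytearray()
    while off < len(data):
        try:
            fin, rsv, opcode, masked, payload, off = _parse_frame(data, off)
        except (IndexError, ValueError, struct.error):
            findings.append("Failure in WebSocket framing protocol")
            break
        if rsv or opcode in (3, 4, 5, 6, 7, 0xB, 0xC, 0xD, 0xE, 0xF):  # reserved bits / opcodes
            findings.append("Failure in WebSocket framing protocol")
        if not masked:
            findings.append("Mask not found in client frame")
        if len(payload) > limits["max_frame_size"]:
            findings.append("Illegal WebSocket frame length")
        if opcode >= 0x8:            # control frames stand alone and are never fragmented
            continue
        if opcode != CONTINUATION:   # first frame of a new message
            msg_opcode, msg_frames, msg_buf = opcode, 0, bytearray()
        elif msg_opcode is None:     # continuation with no message in progress
            findings.append("Failure in WebSocket framing protocol")
            continue
        msg_frames += 1
        msg_buf += payload
        if msg_frames > limits["max_frames_per_message"]:
            findings.append("Illegal number of frames per message")
        if not fin:
            continue
        if msg_opcode == BINARY:
            if "binary" not in limits["allowed_formats"]:
                findings.append("Binary content found in text only WebSocket")
            if len(msg_buf) > limits["max_binary_message_size"]:
                findings.append("Illegal WebSocket binary message length")
        elif msg_opcode == TEXT and b"\x00" in msg_buf:
            findings.append("Null character found in WebSocket text message")
        msg_opcode = None
    return list(dict.fromkeys(findings))


if __name__ == "__main__":
    print(check_websocket_stream(build_client_frame(b'{"op":"ping"}', TEXT)))
    print(check_websocket_stream(build_client_frame(b"\x00\x01\x02", BINARY, mask_key=None)))
```

The unmasked binary frame trips two checks at once: the missing mask (a framing violation that also defeats the cache-poisoning protection masking exists for) and the binary payload on a URL whose allowed formats are Plain Text and JSON.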

CONTENT PROFILES

All templates are populated with a default JSON profile. The following are the properties and configuration; a row that shows a single value applies to all templates.

JSON Profiles

| Setting | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
| --- | --- | --- | --- | --- | --- | --- |
| Profile Name | Default | | | | | |
| File Type | Wildcard | | | | | |
| Perform Staging | Disabled | Disabled | Enabled | Enabled | Enabled | Disabled |
| URL Length | Any | Any | 1024 Bytes | 1024 Bytes | 1024 Bytes | Any |
| Request Length | Any | Any | 8196 Bytes | 8196 Bytes | 8196 Bytes | Any |
| Query String Length | Any | Any | 4096 Bytes | 4096 Bytes | 4096 Bytes | Any |
| POST Data Length | Any | Any | 4096 Bytes | 4096 Bytes | 4096 Bytes | Any |
| Apply Response Signature Staging | Disabled | | | | | |
All templates are populated with a default XML profile. The following are the properties and configuration; a row that shows a single value applies to all templates.

XML Profiles

| Setting | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
| --- | --- | --- | --- | --- | --- | --- |
| Properties | | | | | | |
| Profile Name | Default | | | | | |
| Use XML Blocking Response Page | Disabled | | | | | |
| XML Firewall Configuration (Defense Level) | | | | | | |
| Allow DTDs | Enabled | Enabled | Enabled | Disabled | Disabled | Enabled |
| Allow External References | Enabled | Enabled | Enabled | Disabled | Disabled | Enabled |
| Tolerate Leading White Space | Enabled | Enabled | Enabled | Disabled | Disabled | Enabled |
| Tolerate Close Tag Shorthand | Enabled | Enabled | Enabled | Disabled | Disabled | Enabled |
| Tolerate Numeric Names | Enabled | Enabled | Enabled | Disabled | Disabled | Enabled |
| Allow Processing Instructions | Enabled | | | | | |
| Allow CDATA | Enabled | Enabled | Enabled | Disabled | Disabled | Enabled |
| Maximum Document Size | Any | 1,024,000 Bytes | Any | 1,024,000 Bytes | 1,024,000 Bytes | Any |
| Maximum Elements | Any | 512,000 | Any | 65,536 | 65,536 | Any |
| Maximum Name Length | Any | 1,024 Bytes | Any | 256 Bytes | 256 Bytes | Any |
| Maximum Attribute Value Length | Any | Any | Any | 1,024 Bytes | 1,024 Bytes | Any |
| Maximum Document Depth | Any | Any | Any | 32 | 32 | Any |
| Maximum Children Per Element | Any | 4,096 | Any | 1,024 | 1,024 | Any |
| Maximum Attributes Per Element | Any | 64 | Any | 16 | 16 | Any |
| Maximum NS Declarations | Any | 256 | Any | 64 | 64 | Any |
| Maximum Namespace Length | Any | Any | Any | 256 | 256 | Any |
| Attack Signatures | | | | | | |
| Check Attack Signatures | Enabled | | | | | |
| Attack Signatures Overrides | No Entries | | | | | |
| Meta Characters | | | | | | |
| Check element value characters | Disabled | Disabled | Disabled | Enabled | Enabled | Disabled |
| Check attribute value characters | Disabled | | | | | |
| Sensitive Data Configuration | | | | | | |
| Sensitive Data | No Entries | | | | | |
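The XML profile's Defense Level settings are where the two classic XML attack classes are controlled: Allow DTDs and Allow External References decide whether an attacker can declare entities that point at local files or internal URLs (XXE), and the size, depth, element and attribute limits bound the resource cost of a single document. Note that only the Comprehensive and PDP templates disable DTDs and external references; RDP, API Security, Fundamental and Vulnerability Assessment Baseline leave them enabled. As an added example, not part of the F5 documentation or product code, the following Python function enforces the Comprehensive/PDP column with the standard library's expat parser and reports every limit a document breaks, without ever resolving an entity. The sample documents are constructed.

```python
import xml.parsers.expat as expat

# Comprehensive / PDP column of the XML profile table above.
COMPREHENSIVE_XML_LIMITS = {
    "allow_dtds": False,
    "allow_external_references": False,
    "max_document_size": 1_024_000,
    "max_elements": 65_536,
    "max_name_length": 256,
    "max_attribute_value_length": 1_024,
    "max_document_depth": 32,
    "max_children_per_element": 1_024,
    "max_attributes_per_element": 16,
}


def check_xml_profile(doc: bytes, limits: dict = COMPREHENSIVE_XML_LIMITS) -> list:
    """Parse `doc` with expat and report every profile limit it breaks (no entity is ever resolved)."""
    findings = []
    if len(doc) > limits["max_document_size"]:
        return [f"Maximum Document Size ({limits['max_document_size']:,}) exceeded"]
    stack = []                 # one entry per open element: number of children seen so far
    count = {"elements": 0}

    def start_doctype(name, sysid, pubid, has_internal_subset):
        if not limits["allow_dtds"]:
            findings.append("DTD present (Allow DTDs is disabled)")
        if (sysid or pubid) and not limits["allow_external_references"]:
            findings.append("External DTD subset (Allow External References is disabled)")

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        if sysid is not None and not limits["allow_external_references"]:
            findings.append("External entity declared (Allow External References is disabled)")

    def external_entity_ref(context, base, sysid, pubid):
        findings.append("External entity referenced (Allow External References is disabled)")
        return 1  # tell expat the reference was handled; nothing is fetched

    def start_element(name, attrs):
        count["elements"] += 1
        if count["elements"] > limits["max_elements"]:
            findings.append(f"Maximum Elements ({limits['max_elements']:,}) exceeded")
        if stack:
            stack[-1] += 1
            if stack[-1] > limits["max_children_per_element"]:
                findings.append(f"Maximum Children Per Element ({limits['max_children_per_element']:,}) exceeded")
        stack.append(0)
        if len(stack) > limits["max_document_depth"]:
            findings.append(f"Maximum Document Depth ({limits['max_document_depth']}) exceeded")
        if len(name) > limits["max_name_length"]:
            findings.append(f"Maximum Name Length ({limits['max_name_length']}) exceeded")
        if len(attrs) > limits["max_attributes_per_element"]:
            findings.append(f"Maximum Attributes Per Element ({limits['max_attributes_per_element']}) exceeded")
        if any(len(v) > limits["max_attribute_value_length"] for v in attrs.values()):
            findings.append(f"Maximum Attribute Value Length ({limits['max_attribute_value_length']:,}) exceeded")

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.EndElementHandler = lambda name: stack.pop()
    try:
        parser.Parse(doc, True)
    except expat.ExpatError as err:
        findings.append(f"Malformed XML data: {err}")
    return list(dict.fromkeys(findings))


# Constructed sample: a textbook XXE payload.
XXE_DOC = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
           b'<r>&xxe;</r>')

if __name__ == "__main__":
    print(check_xml_profile(XXE_DOC))
    print(check_xml_profile(b"<r>" * 33 + b"</r>" * 33))
```

With the RDP, API Security or Fundamental column (DTDs and external references allowed) the XXE document would pass the profile checks and be stopped, if at all, only by attack signatures, which is why those templates are a poor fit for XML APIs that carry untrusted documents.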
All templates are populated with a default plain text profile. The following are the properties and configuration; a row that shows a single value applies to all templates.

Plain Text Profiles

| Setting | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
| --- | --- | --- | --- | --- | --- | --- |
| Properties | | | | | | |
| Profile Name | Default | | | | | |
| Maximum Total Length | Any | Any | Any | 10,000 | 10,000 | Any |
| Maximum Line Length | Any | Any | Any | 100 | 100 | Any |
| Perform Percent Decoding | Disabled | | | | | |
| Attack Signatures | | | | | | |
| Attack Signatures Check | Enabled | | | | | |
| Attack Signatures Overrides | No overrides were selected | | | | | |
| Meta Characters | | | | | | |
| Check Characters | Disabled | | | | | |

PARAMETERS

All templates are populated with a default wildcard (*) parameter. Prior to version 13.1, RDP also included the "__VIEWSTATE" parameter, which was set to "Ignore". The following are the properties and configuration; a row that shows a single value applies to all templates.

Parameters

| Setting | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
| --- | --- | --- | --- | --- | --- | --- |
| Properties | | | | | | |
| Name | Wildcard: * | | | | | |
| Level | Global | | | | | |
| Perform Staging | Disabled | Disabled | Disabled | Enabled | Enabled | Disabled |
| Allow Empty Value | Enabled | | | | | |
| Allow Repeated Occurrences | Disabled | | | | | |
| Sensitive Parameter | Disabled | | | | | |
| Value Type | user-input | | | | | |
| Data Type | Alpha-Numeric | | | | | |
| Data Type Attributes | | | | | | |
| Maximum Length | Any | Any | Any | 10 | 10 | Any |
| Regular Exp. | Disabled | | | | | |
| Base64 Decoding | Disabled | | | | | |
| Value Meta Character | | | | | | |
| Value Meta Character Checks | Disabled | Disabled | Disabled | Enabled | Enabled | Disabled |
| Name Meta Character | | | | | | |
| Name Meta Character Checks | Disabled | Disabled | Disabled | Enabled | Enabled | Disabled |
| Attack Signatures | | | | | | |
| Attack Signatures Checks | Enabled | Enabled | Enabled | Enabled | Enabled | Disabled |
| Select signatures overrides | No overrides were selected | | | | | |

The following lists the sensitive parameters automatically added to the policy (values separated by "/" are listed with merged template columns, in the order given).

Sensitive Parameters

| Setting | Value(s) |
| --- | --- |
| Learn New Entities | Password / No sensitive parameters included |

ATTACK SIGNATURES CONFIGURATION

The following lists the attack signature settings configured in the policy by each template. All templates except Vulnerability Assessment Baseline enable the Generic Detection signature set with Learn/Alarm/Block and place signatures in staging; Vulnerability Assessment Baseline assigns two sets with Learn/Alarm/Block disabled and does not use staging.

Attack Signatures

| Setting | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
| --- | --- | --- | --- | --- | --- | --- |
| Signature Staging | Enabled | Enabled | Enabled | Enabled | Enabled | Disabled |
| Place Updated Signatures in Staging | Enabled (placed in staging, old version retained) | Enabled (placed in staging, old version retained) | Enabled (placed in staging, old version retained) | Enabled (placed in staging, old version retained) | Enabled (placed in staging, old version retained) | Disabled |
| Attack Signature Set Assignment | Generic Detection Signatures set (Learn/Alarm/Block enabled) | Generic Detection Signatures set (Learn/Alarm/Block enabled) | Generic Detection Signatures set (Learn/Alarm/Block enabled) | Generic Detection Signatures set (Learn/Alarm/Block enabled) | Generic Detection Signatures set (Learn/Alarm/Block enabled) | 1. Generic Detection Signatures set (Learn/Alarm/Block disabled); 2. High Accuracy Detection Evasion Signatures (Learn/Alarm/Block disabled) |
| Apply Response Signatures | No file types were selected | | | | | |

THREAT CAMPAIGNS

The Threat Campaigns feature is only available on BIG-IP versions 14.0 or later. All templates except Vulnerability Assessment Baseline have the Threat Campaign detected violation enabled with Alarm and Block set, and Enable Campaign staging disabled. For Vulnerability Assessment Baseline, both the violation and campaign staging are disabled.

SESSIONS AND LOGINS

There are no pre-defined login or logout pages for any generic template.
The following lists the login settings automatically added to the policy; a row that shows a single value applies to all templates.

Login Enforcements

| Setting | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
| --- | --- | --- | --- | --- | --- | --- |
| Expiration Time | Disabled | | | | | |
| Authenticated URLs | None | | | | | |

The following lists the session tracking settings added to the policy.

Session Tracking

| Setting | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
| --- | --- | --- | --- | --- | --- | --- |
| Session Hijacking | | | | | | |
| Detect Session Hijacking by Device ID Tracking | Disabled | Disabled | Disabled | Enabled | Disabled | Disabled |
| Session Tracking Configuration | | | | | | |
| Session Awareness | Disabled | Disabled | Disabled | Enabled | Disabled | Disabled |
| Application Username | Use All Login Pages | Use All Login Pages | Use All Login Pages | None | Use All Login Pages | Use All Login Pages |
| Violation Detection Actions | | | | | | |
| Track Violations and Perform Actions | Disabled | Disabled | Disabled | Enabled | Disabled | Disabled |
| Violation Detection Period | 900 seconds | | | | | |