Manual Chapter : Generic Web Application Security policy templates

Applies To:

Show Versions

BIG-IQ Centralized Management

8.0.0

Generic Web Application Security policy templates

The following defines and details the generic policy templates you can apply when creating a new Web Application Security parent or child policy (

Configuration

SECURITY

Web Application Security

Policies

). These templates automatically populate required fields, based on the most common application protection needs. You can use these templates to pilot your security measure to fine-tune as needed.

Template Overview

Rapid Deployment Policy (RDP): A moderate protection layer that includes manual learning of false positives. This protection template meets the majority of Web Application Security requirements.; Operational Cost: Low; BIG-IP Version Support*: All versions supported by BIG-IQ centralized management
API Security: A moderate protection layer that follows the same protection as RDP, with additional support for API security features such as: REST API (JSON, XML) and Websocket security.; Operational Cost: Low; BIG-IP Version Support*: Version 13.1.0.2 or later
Fundamental: A high-to-moderate protection layer that includes automatic learning of false positives, and specific entity types. This template includes a blocking enforcement mode.; Operational Cost: Medium
Comprehensive: A high protection layer with automatic learning for all entity types. This template includes a blocking enforcement mode.; Operational Cost: High; BIG-IP Version Support*: All versions supported by BIG-IQ centralized management
Passive Deployment Policy (PDP): A low protection layer with a high level of automatic learning (similar to comprehensive), but fully transparent protection layer and does not interfere with the traffic. This template is designed to protect as many potential threats as possible, without the risk of affecting traffic with false positives.; Operational Cost: High; BIG-IP Version Support*: Version 13.1 or later
Vulnerability Assessment Baseline: Provides the lowest protection, and is used to create a security baseline by identifying, classifying and reporting security holes or weaknesses in your web site's code.; Operational Cost: Medium; BIG-IP Version Support*: All versions supported by BIG-IQ centralized management

*General template support does not include all settings. Variations are indicated with the setting and template type.

This table highlights critical aspects of each template's general properties.

Basic Template Settings
	RDP	API Security	Fundamental	Comprehensive	PDP	Vulnerability Assessment Baseline
Enforcement Mode	Transparent	Transparent	Blocking	Blocking	Transparent	Transparent
Learning Mode	Manual	Manual	Automatic	Automatic	Automatic	Manual
Application Language	UTF-8	UTF-8	Auto-detect	Auto-detect	Auto-detect	UTF-8
Attack Signature Set Assignment	Generic Detection Signatures Learn/Alarm/Block enabled	Generic Detection Signatures Learn/Alarm/Block enabled	Generic Detection Signatures Learn/Alarm/Block enabled	Generic Detection Signatures Learn/Alarm/Block enabled	Generic Detection Signatures Learn/Alarm/Block enabled	Generic Detection Signatures Learn/Alarm/Block disabled High Accuracy Detection Evasion Signatures
Signature Staging	Enabled	Enabled	Enabled	Enabled	Enabled	Disabled

This table highlights learning settings per template. Fields that are not listed are either not affected by template settings, or have default settings, unrelated to a selected template.

General Learning Settings
	RPD	API Security	Fundamental	Comprehensive	PDP	Vulnerability Assessment Baseline
Learn Host Names	False	False	True	True	True	False
Learn Explicit URLs	Never	Never	Never	Compact	Compact	Never
Learn Explicit WebSocket URLs	Never	Never	Never	Always	Always	Never
Learn Explicit Parameters	Never	Never	Selective	Compact	Compact	Never
Learn Explicit Cookies	Never	Never	Never	Selective	Selective	Never
Learn Explicit Redirection Domains	Never	Never	Always	Always	Always	Never

Full Policy Template Settings

The following provides a list of all fields populated by each policy template, per configuration section. Sections and fields that are not affected are not included in this document.

POLICY PROPERTIES
	RPD	API Security	Fundamental	Comprehensive	PDP	Vulnerability Assessment Baseline
Enforcement Mode	Transparent	Transparent	Blocking	Blocking	Transparent	Transparent
Learning Mode	Manual	Manual	Automatic	Automatic	Automatic	Manual
Enforcement Readiness Period	7 Days
Mask Credit Card Numbers in Request Log	Enabled
Allowed Response Status Codes	400, 401, 404, 407, 417, 503, 403
Dynamic Session ID in URL	Disabled
Trigger ASM iRule Events	Disabled
Trust XFF Header	No
Handle Path Parameters	As Parameter

POLICY BUILDING (Settings)

Blocking Settings
	RDP	API Security	Fundamental	Comprehensive	PDP	Vulnerability Assessment Baseline
Enforcement Mode	Transparent	Transparent	Blocking	Blocking	Transparent	Transparent
Learning Speed	Medium

Violation settings include

Learn

Block

, and

Alarm

options. If none of these options are selected, they are marked as "Disabled" in the table.

All Violations
	RDP	API Security	Fundamental	Comprehensive	PDP	Vulnerability Assessment Baseline
Policy General Features
Request length exceeds defined buffer size	Learn only *For devices running v13.1 violation is set to Learn only.	Learn only	Learn only	Learn only	Learn only	All Disabled
Failed to convert character	All Enabled* *For devices running v13.1 violation is set to Learn only.	All Enabled	All Enabled	All Enabled	All Enabled	All Enabled
Illegal session ID in URL	All Disabled	All Disabled	All Disabled	All Enabled	Disabled	All Disabled
Illegal HTTP status in response	All Enabled	All Enabled	All Enabled	All Enabled	All Enabled	All Enabled
Illegal Base64 value	All Enabled	All Enabled	All Enabled	All Enabled	All Enabled	All Disabled
HTTP Protocol Compliance Failed
Body in GET or HEAD requests	All Disabled	All Disabled	All Disabled	Learn* Violation setting for version 13.0 or later	Learn	All Disabled
POST request with Content-Length: 0	All Disabled	All Disabled	All Disabled	Learn * Violation setting for version 13.0 or later	Learn	All Disabled
Check maximum number of parameters	Learn: 500
CRLF characters before request start	Learn	Learn	Learn o	Learn	Learn	All Disabled
Chunked request with Content-Length header	Disabled
Unparsable request content	Block
Several Content-Length headers	Learn	Learn	Learn	Learn	Learn	All Disabled
High ASCII characters in headers	All Disabled	All Disabled	All Disabled	Learn* Violation setting for version 13.0 or later	Learn	All Disabled
Check maximum number of header	Learn: 20	Learn: 20	Learn: 20	Learn: 20	Learn: 20	All Disabled
Multiple host headers	Learn	Learn	Learn	Learn	Learn	All Disabled
Bad multipart parameters parsing	Learn	Learn	Learn	Learn	Learn	All Disabled
Bad host header value	Learn	Learn	Learn	Learn	Learn	All Enabled
Header name with no header value	Learn	Learn	Learn	Learn	Learn	All Disabled
Content length should be a positive number	Learn	Learn	Learn	Learn	Learn	All Disabled
Null in request	Block
Bad HTTP version	Block
No Host header in HTTP/1.1 request	Learn	Learn	Learn	Learn	Learn	All Disabled
Host header contains IP address	All Disabled	All Disabled	All Disabled	Learn* Violation setting for version 13.0 or later	Learn	All Disabled
Bad multipart/form-data request parsing	All Disabled	All Disabled	All Disabled	Learn	Learn	All Disabled
Evasion Techniques Sub-Violations
Multiple decoding	Learn: 3* For version 12.1 or earlier, setting included 2 decoding passes					All Enabled: 3
IIS backslashes	Learn					All Enabled
Bad unescape	Learn					All Enabled
Directory traversals	Learn					All Enabled
Bare byte decoding	Learn					All Enabled
Apache whitespace	Learn					All Enabled
%u decoding	Learn					All Enabled
URLs
Illegal number of mandatory parameters	All Disabled	All Disabled	All Disabled	All Enabled	All Enabled	All Disabled
Illegal flow to URL	All Disabled	All Disabled	All Disabled	All Enabled	All Disabled	All Disabled
Illegal cross-origin request	All Disabled	All Enabled	All Disabled	All Enabled	All Enabled	All Disabled
Binary content found in text only WebSocket	All Disabled	All Disabled	All Disabled	All Enabled	All Enabled	All Disabled
Illegal entry point	All Disabled	All Disabled	All Disabled	All Enabled	All Disabled	All Disabled
Illegal meta character in URL	All Disabled	All Disabled	All Disabled	All Enabled	All Enabled	All Disabled
Illegal query string or POST data	All Disabled	All Disabled	All Disabled	All Enabled	All Enabled	All Disabled
Illegal URL	All Disabled	All Enabled	All Disabled	All Enabled	All Enabled	All Disabled
Illegal WebSocket binary message length	All Disabled	All Enabled	All Disabled	All Enabled	All Enabled	All Disabled
Illegal WebSocket extension	All Disabled	All Enabled	All Enabled	All Enabled	All Enabled	All Disabled
Illegal number of frames per message	All Disabled	All Disabled	All Enabled	All Enabled	All Enabled	All Disabled
Text content found in binary only WebSocket	All Disabled	All Enabled	All Disabled	All Enabled	All Enabled	All Disabled
Illegal request content type	All Disabled	All Enabled	All Disabled	All Enabled	All Enabled	All Disabled
Illegal WebSocket frame length	All Disabled	All Enabled	All Disabled	All Enabled	All Enabled	All Disabled
Parameters
Illegal parameter numeric value	All Disabled	All Disabled	All Disabled	All Enabled	All Enabled	All Disabled
Illegal dynamic parameter value	All Disabled	All Disabled	All Disabled	All Enabled	All Enabled	All Disabled
Illegal empty parameter value	All Disabled	All Disabled	All Disabled	All Enabled	All Enabled	All Disabled
Illegal parameter data type	All Disabled	All Disabled	All Disabled	All Enabled	All Enabled	All Disabled
Null in multi-part parameter value	All Disabled	All Disabled	All Disabled	All Enabled	All Enabled	All Disabled
Illegal meta character in parameter name	All Disabled	All Disabled	All Disabled	All Enabled	All Enabled	All Disabled
Illegal meta character in value	All Disabled	All Disabled	All Disabled	All Enabled	All Enabled	All Disabled
Illegal parameter value length	All Disabled	All Disabled	All Disabled	All Enabled	All Enabled	All Disabled
Illegal repeated parameter name	All Disabled	All Disabled	All Disabled	All Enabled	All Enabled	All Disabled
Illegal static parameter value	All Disabled	All Disabled	All Disabled	All Enabled	All Enabled	All Disabled
Disallowed file upload content detected	All Enabled	All Enabled	All Enabled	All Enabled	All Enabled	All Disabled
Parameter value does not comply with regular expression	All Disabled	All Disabled	All Disabled	All Enabled	All Enabled	All Disabled
Illegal parameter	All Disabled	All Disabled	All Disabled	All Enabled	All Enabled	All Disabled
Sessions and Logins
Access from disallowed User/Session/IP	All Enabled	All Enabled	All Enabled	All Enabled	All Enabled	All Disabled
ASM Cookie Hijacking	All Enabled	All Enabled	All Enabled	All Enabled	All Disabled	All Disabled
Brute Force: Maximum login attempts are exceeded	All Enabled	All Enabled	All Enabled	All Enabled	All Enabled	All Disabled
Login URL bypassed	All Disabled	All Disabled	All Disabled	All Enabled	All Disabled	All Disabled
Login URL expired	All Disabled	All Disabled	All Disabled	All Enabled	All Disabled	All Disabled
Cookies
Modified ASM cookie	All Enabled	All Enabled	All Enabled* Violation setting for version 13.0 or later	All Enabled	All Disabled	All Disabled
Illegal cookie length	All Disabled	All Disabled	Learn Only* Violation setting for version 13.0 or later	Learn Only	Learn Only	All Disabled
Expired timestamp	All Disabled
Cookie not RFC-compliant	All Enabled	All Enabled	All Enabled	All Enabled	All Enabled	All Disabled
Modified domain cookie(s)	All Disabled	All Disabled	All Disabled	All Enabled	All Disabled	All Disabled
Content Profiles
Malformed XML data	All Enabled	All Enabled	All Enabled	All Enabled	All Enabled	All Disabled
XML data does not comply with schema or WSDL document	All Disabled	All Enabled	All Disabled	All Enabled	All Enabled	All Disabled
SOAP method not allowed	All Disabled	All Enabled	All Disabled	All Enabled	All Enabled	All Disabled
JSON data does not comply with format settings	All Disabled	All Enabled	All Disabled	All Enabled	All Enabled	All Disabled
GWT data does not comply with format settings	All Disabled	All Enabled	All Disabled	All Enabled	All Enabled	All Disabled
Plain text data does not comply with format settings	All Disabled	All Enabled	All Disabled	All Enabled	All Enabled	All Disabled
XML data does not comply with format settings	All Disabled	All Enabled	All Disabled	All Enabled	All Enabled	All Disabled
Malformed GWT data	All Disabled	All Enabled	All Disabled	All Enabled	All Enabled	All Disabled
Illegal attachment in SOAP message	All Disabled	All Enabled	All Disabled	All Enabled	All Enabled	All Disabled
Malformed JSON data	All Enabled	All Enabled	All Enabled	All Enabled	All Enabled	All Disabled
Web Services Security failure
Web Services Security failure (all subviolations)	All Enabled					Learn Only
CSRF Protection
CSRF authentication expired	All Enabled	All Enabled	All Enabled	All Enabled	All Disabled	All Disabled
CSRF attack detected	All Enabled	All Enabled	All Enabled	All Enabled	All Disabled	All Enabled
IP Addresses / Geolocations
IP is blacklisted	All Enabled	All Enabled	All Enabled	All Enabled	All Enabled	All Disabled
Access from malicious IP address	All Enabled	All Enabled	All Enabled	All Enabled	All Enabled	All Disabled
Access from disallowed User/Session/IP	All Enabled	All Enabled	All Enabled	All Enabled	All Enabled	All Disabled
Headers
Illegal header length	All Disabled	All Disabled	Learn Only* Violation setting for version 13.0 or later	Learn Only	Learn Only	All Disabled
Illegal method	All Enabled	All Enabled	Learn Only* Violation setting for version 13.0 or later	Learn Only* Violation setting for version 13.0 or later	Learn Only	All Enabled (no enforcement)
Illegal meta character in header	All Disabled	All Disabled	All Disabled	All Enabled	All Enabled	All Disabled
Mandatory HTTP header is missing	All Enabled	All Enabled	All Enabled	All Enabled	All Enabled	All Disabled
Redirection Protection
Illegal redirection attemp	All Enabled	All Enabled	All Enabled	All Enabled	All Enabled	All Disabled
Threat Campaigns
Threat Campaign detected* Violation setting supported by version 14.0 or later	All Enabled	All Enabled	All Enabled	All Enabled	All Enabled	All Disabled
Bot Detection
Web scraping detection	All Enabled
Data Guard
Data Guard: Information leakage detected	All Enabled	All Disabled	All Enabled	All Enabled	All Enabled	All Enabled
Websocket protocol compliance
Null character found in WebSocket text message	All Enabled
Failure in WebSocket framing protocol	Learn Only* Violation setting for version 13.1 or later	All Enabled	Learn Only	Learn Only	Learn Only	All Disabled
Mask not found in client frame	Learn Only* Violation setting for version 13.1 or later	All Enabled	Learn Only	Learn Only	Learn Only	All Disabled
Bad WebSocket handshake request	Learn Only* Violation setting for version 13.1 or later	All Enabled	Learn Only	Learn Only	Learn Only	All Disabled
Antivirus Detection
Virus Detected	All Disabled	All Disabled	All Disabled	All Enabled	All Disabled	All Disabled

Policy builder settings are identical except for the learning mode, and

Learn From Response

attribute (enabled for Comprehensive template type). The following table lists the Policy Building Process values when you select a generic template.

Policy Building Process
Policy Building Process	Value
Trust IP Addresses	Address List
Loosen Policy	Untrusted Traffic Sources : 20 Min Period : 60 minutes Max Period : 7 days	Trusted Traffic Sources : 1 Min Period : 0 (not applicable) Max Period : 7 days
Tighten Policy (stabilize)	Total Requests : 15,000 Days : 1 Maximum modification suggestion score : 50%
Minimize false positives (Track Site Changes)	Status : Enabled From Trusted and Untrusted Traffic : Enabled
Minimize false positives (Track Site Changes)	Untrusted Traffic Sources : 10 Min Period : 20 minutes Max Period : 7 days	Trusted Traffic Sources : 1 Min Period : 0 (not applicable) Max Period : 7 days
Options	Learn from responses : Disabled (Comprehensive template type is enabled) Full Policy Inspection : Enabled

DATA GUARD

	RDP	API Security	PDP	Vulnerability Assessment Baseline
Data Guard	Disabled
Protect credit card numbers	Enabled			Disabled
Protect U.S. Social Security numbers	Enabled			Disabled
Mask sensitive data	Enabled	Enabled	Disabled	Disabled
Custom Patterns	Disabled
Exception Patterns	Disabled
File Content Detection	Disabled

CSRF PROTECTION

	RDP	API Security	Fundamental	Comprehensive	PDP	Vulnerability Assessment Baseline
CSRF Protection	Disabled	Disabled	Disabled	Disabled	Disabled	Enabled
SSL Only	Disabled
Expiration Time	Disabled
[Default entry] CSRF URL	URL *	URL *	URL *	URL *	Empty	Empty

ANOMALY DETECTION

All templates are populated with a default login page. As of BIG-IP version 13.1, several fields were deprecated, while others were introduced. Deprecated fields not included in the default login page

Brute Force Attack Prevention
	RDP	Comprehensive	PDP	Vulnerability Assessment Baseline
Properties
Login Page	Default
Brute Force Protection	Disabled* *Default profile protects against all login pages that are not specifically protected by an enabled configuration.	Enabled
Configuration Support	Current (supports versions 13.1 or later)
IP Address Whitelist	Empty
Source-based Brute Force Protection
Detection Period	60 minutes
MaximumPrevention Duration	60 minutes
Username	Trigger: After 3 failed login attempts Action: Alarm And CAPTCHA		Trigger: After 3 failed login attempts Action: Alarm	Trigger: After 3 failed login attempts Action: Alarm And CAPTCHA
Device ID	Trigger: Never
IP Address	Trigger: After 20 failed login attempts Action: Alarm And CAPTCHA		Trigger: After 20 failed login attempts Action: Alarm	Trigger: After 20 failed login attempts Action: Alarm And CAPTCHA
Client Side Integrity Bypass Mitigation	Trigger: After 3 failed login attempts Action: Alarm And CAPTCHA
CAPTCHA Bypass Mitigation	Trigger: After 5 failed login attempts Action: Alarm And Drop
Distributed Brute Force Protection
Detection Period	15 minutes
Maximum Prevention Duration	60 minutes
Detect Distributed Attack	After 100 failed login attempts
Detect Credential Stuffing	After 100 failed login attempts
Mitigation	Alarm And CAPTCHA		Alarm	Alarm And CAPTCHA

HEADERS

Methods: All templates except for Vulnerability Assessment Baseline will include the three HTTP methods: GET, POST and HEAD.; Vulnerability Assessment Baseline includes all available HTTP methods, with their default action as follows
Methods acting as GET: REPORT, HEAD, CHECKOUT, COPY, LOCK, MOVE, CHECKIN, UNLOCK, GET, OPTIONS, MERGE, X-MS-ENUMATTS, NOTIFY, MKCOL, SUBSCRIBE, POLL, CONNECT, ACL, VERSION_CONTROL, PROPFIND, UNSUBSCRIBE, PROPPATCH.
Methods acting as POST: MKWORKSPACE, BPROPPATCH, BPROPFIND, BMOVE, RPC_IN_DATA, SEARCH, RPC_OUT_DATA, BCOPY, POST, UNLINK, LINK, PATCH.

The wildcard '*' cookie is the only cookie entity that is populated generic templates. The following indicates which template enables staging

Cookies
	RDP	API Security	Fundamental	Comprehensive	PDP	Vulnerability Assessment Baseline
In Staging	No	No	Yes	Yes	Yes	No

Redirection Protection
	RDP	API Security	Fundamental	Comprehensive	PDP	Vulnerability Assessment Baseline
Redirection Protection	Disabled	Disabled	Enabled	Enabled	Enabled	Enabled
Redirection Domains	Empty	Empty	* Entity only	* Entity only	* Entity only	Empty

URLS

All templates are populated with two allowed wildcard templates: HTTP* and HTTPS*. The following are the properties and configuration.

[Allowed] HTTP URLs
	RDP	API Security	Fundamental	Comprehensive	PDP	Vulnerability Assessment Baseline
Properties
URL	Wildcard HTTP and HTTPS
Perform Staging	Disabled	Enabled	Enabled	Enabled	Enabled	Disabled
Wildcard Match Includes Slashes	Enabled
Clickjacking Protection	Disabled
Attack Signatures
Check Signatures on this URL	Enabled
Overridden Policy Settings	No overrides were selected
Header-Based Content Profiles
Request Header Value/Request Body Handling	Form, XML, JSON and Apply Value and Content Signatures					Apply Value and Content Signatures
HTML5 Cross-Domain Request Enforcement
Enforcement Mode	Disabled	Disabled	Disabled	Enforce on ASM	Enforce on ASM	Disabled
Methods Enforcement
Override policy allowed methods	Disabled

All templates are populated with *WebSocket URLs for WS and WSS protocols. The following are the properties and configuration.

[Allowed] Websocket URLs
	RDP	API Security	Fundamental	Comprehensive	PDP	Vulnerability Assessment Baseline
Properties
WebSocket URL	Wildcard WS and WSS
Perform Staging	Disabled	Enabled	Enabled	Enabled	Enabled	Disabled
Message Handling
Check Message Payload	Enabled	Enabled	Enabled	Enabled	Enabled	Disabled
WebSocket Extensions	Delete Headers	Delete Headers	Delete Headers	Delete Headers	Block	Delete Headers
Allowed Message Payload Formats	All Formats	All Formats	All Formats	Plain Text, JSON	Plain Text, JSON	All Formats
Payload Enforcement (Maximum Binary Message Size)	Any	Any	Any	10,000 bytes	10,000 bytes	Any
Maximum Frame Size	Any	Any	Any	10,000 bytes	10,000 bytes	Any
Maximum Frames per fragmented message	Any	Any	Any	100 bytes	100 bytes	Any
HTML5 Cross-Domain Request Enforcement
Enforcement Mode	Disabled	Disabled	Disabled	Enforce on ASM	Enforce on ASM	Disabled

CONTENT PROFILES

All templates are populated with a default JSON profile. The following are the properties and configuration.

JSON Profiles
	RDP	API Security	Fundamental	Comprehensive	PDP	Vulnerability Assessment Baseline
Profile Name	Default
File Type	Wildcard
Perform Staging	Disabled	Disabled	Enabled	Enabled	Enabled	Disabled
URL Length	Any	Any	1024 Bytes	1024 Bytes	1024 Bytes	Any
Request Length	Any	Any	8196 Bytes	8196 Bytes	8196 Bytes	Any
Query String Length	Any	Any	4096 Bytes	4096 Bytes	4096 Bytes	Any
POST Data Length	Any	Any	4096 Bytes	4096 Bytes	4096 Bytes	Any
Apply Response Signature Staging	Disabled

All templates are populated with a default XML profile. The following are the properties and configuration.

XML Profiles
	RDP	API Security	Fundamental	Comprehensive	PDP	Vulnerability Assessment Baseline
Properties
Profile Name	Default
Use XML Blocking Response Page	Disabled
XML Firewall Configuration
Defense Level
Allow DTDs	Enabled	Enabled	Enabled	Disabled	Disabled	Enabled
Allow External References	Enabled	Enabled	Enabled	Disabled	Disabled	Enabled
Tolerate leading White Space	Enabled	Enabled	Enabled	Disabled	Disabled	Enabled
Tolerate Close Tag Shorthand	Enabled	Enabled	Enabled	Disabled	Disabled	Enabled
Tolerate Numeric Names	Enabled	Enabled	Enabled	Disabled	Disabled	Enabled
Allow Processing Instructions	Enabled
Allow CDATA	Enabled	Enabled	Enabled	Disabled	Disabled	Enabled
Maximum Document Size	Any	1,024,000 Bytes	Any	1,024,000 Bytes	1,024,000 Bytes	Any
Maximum Elements	Any	512,000	Any	65,536	65,536	Any
Maximum Name Length	Any	1,024 Bytes	Any	256 Bytes	256 Bytes	Any
Maximum Attribute Value Length	Any	Any	Any	1,024 Bytes	1,024 Bytes	Any
Maximum Document Depth	Any	Any	Any	32	32	Any
Maximum Children Per Element	Any	4,096	Any	1,024	1,024	Any
Maximum Attributes Per Element	Any	64	Any	16	16	Any
Maximum NS Declarations	Any	256	Any	64	64	Any
Maximum Namespace Length	Any	Any	Any	256	256	Any
Attack Signatures
Check Attack	Enabled
Attack Signatures Overrides	No Entries
Meta Characters
Check element value characters	Disabled	Disabled	Disabled	Enabled	Enabled	Disabled
Check attribute value characters	Disabled
Sensitive Data Configuration
Sensistive Data	No Entries

All templates are populated with a default plain text profile. The following are the properties and configuration.

Plain Text Profiles
	RDP	API Security	Fundamental	Comprehensive	PDP	Vulnerability Assessment Baseline
Properties
Profile Name	Default
Maximum Total Length	Any	Any	Any	10,000	10,000	Any
Maximum Line Length	Any	Any	Any	100	100	Any
Perform Percent Decoding	Disabled
Attack Signatures Overrides
Attack Signatures Check	Enabled
Attack Signatures Overrides	No overrides were selected
Meta Characters
Check Characters	Disabled

PARAMETERS

All templates are populated with a default *wildcard parameter. Prior to version 13.1, RDP included the "__VIEWSTATE" paramter, which was set to "Ignore". The following are the properties and configuration.

Parameters
	RDP	API Security	Fundamental	Comprehensive	PDP	Vulnerability Assessment Baseline
Properties
Name	Wildcard: *
Level	Global
Perform Staging	Disabled	Disabled	Disabled	Enabled	Enabled	Disabled
Allow Empty Value	Enabled
Allow Repeated Occurrences	Disabled
Sensitive Parameter	Disabled
Value Type	user-input
Data Type	Alpha-Numeric
Data Type Attributes
Maximum Length	Any	Any	Any	10	10	Any
Regular Exp.	Disabled
Base64 Decoding	Disabled
Value Meta Character
Value Meta Character Checks	Disabled	Disabled	Disabled	Enabled	Enabled	Disabled
Name Meta Character
Name Meta Character Checks	Disabled	Disabled	Disabled	Enabled	Enabled	Disabled
Attack Signatures
Attack Signatures Checks	Enabled	Enabled	Enabled	Enabled	Enabled	Disabled
Select signatures overrides	No overrides were selected

The following lists the sensitive parameters automatically added to the policy.

Sensitive Parameters
	RDP	API Security	Fundamental	Comprehensive	PDP	Vulnerability Assessment Baseline
Learn New Entities	Password					No sensitive parameters included

ATTACK SIGNATURES CONFIGURATION

The following lists the settings for each template of attack signatures that are configured to the policy.As indicated in the table below, all templates except for Vulnerability Assessment Baseline include the "Generic Detection" set and place signatures in staging.

Attack Signatures
	RDP	Vulnerability Assessment Baseline
Signature Staging	Enabled	Disabled
Place Updated Signatures in Staging	Enabled (Placed in staging and retains old version)	Disabled
Attack Signature Set Assignment	Generic Detection Signatures set. Learn/Alarm/Block enabled	Generic Detection Signatures set Learn/Alarm/Block disabled High Accuracy Detection Evasion Signatures Learn/Alarm/Block disabled
Apply Response Signatures	No file types were selected

THREAT CAMPAIGNS

The Threat Campaigns feature is only available to BIG-IP versions 14.0 or later. All templates, except for Vulnerability Assessment Baseline, have the Threat Campaign detected
violation, enabled

Alarmed

and

Blocked

settings, and Enable Campaign staging
disabled. For Vulnerability Assessment Baseline, both are disabled.

SESSIONS AND LOGINS

There are no pre-defined login or logout pages for any generic template.

The following lists the login settings automatically added to the policy.

Login Enforcements
	RDP	API Security	Fundamental	Comprehensive	PDP	Vulnerability Assessment Baseline
Expiration Time	Disabled
Authenticated URLs	None

The following lists the session tracking settings added to the policy.

Session Tracking
	RDP	API Security	Fundamental	Comprehensive	PDP	Vulnerability Assessment Baseline
Session Hijacking
Detect Session Hijacking by Device ID Tracking	Disabled	Disabled	Disabled	Enabled	Disabled	Disabled
Session Tracking Configuration
Session Awareness	Disabled	Disabled	Disabled	Enabled	Disabled	Disabled
Application Username	Use All Login Pages	Use All Login Pages	Use All Login Pages	None	Use All Login Pages	Use All Login Pages
Violation Detection Actions
Track Violations and Perform Actions	Disabled	Disabled	Disabled	Enabled	Disabled	Disabled
Violation Detection Period	900s

Web Application Security Policy Templates

Subscriptions

Product Usage

Trials

Registration Keys

Downloads

Applies To:

BIG-IQ Centralized Management

Generic Web Application Security policy templates

Template Overview

Full Policy Template Settings

POLICY BUILDING (Settings)

DATA GUARD

CSRF PROTECTION

ANOMALY DETECTION

HEADERS

URLS

CONTENT PROFILES

PARAMETERS

ATTACK SIGNATURES CONFIGURATION

THREAT CAMPAIGNS

SESSIONS AND LOGINS

Have a Question?

About F5

Education

F5 Sites

Support Tasks

Subscriptions

Product Usage

Trials

Registration Keys

Downloads

Applies To:

BIG-IQ Centralized Management

Generic Web Application Security policy templates

Template Overview

Full Policy Template Settings

POLICY BUILDING (Settings)

DATA GUARD

CSRF PROTECTION

ANOMALY DETECTION

HEADERS

URLS

CONTENT PROFILES

PARAMETERS

ATTACK SIGNATURES CONFIGURATION

THREAT CAMPAIGNS

SESSIONS AND LOGINS

Have a Question?

Follow Us

About F5

Education

F5 Sites

Support Tasks