Manual Chapter: Generic Web Application Security policy templates
Applies To: BIG-IQ Centralized Management 8.0.0
The following defines and details the generic policy templates you can apply when creating a new Web Application Security parent or child policy. These templates automatically populate required fields based on the most common application protection needs. You can use these templates to pilot your security measures and fine-tune them as needed.
Template Overview
- Rapid Deployment Policy (RDP)
  - A moderate protection layer that includes manual learning of false positives. This protection template meets the majority of Web Application Security requirements.
  - Operational Cost: Low
  - BIG-IP Version Support*: All versions supported by BIG-IQ centralized management
- API Security
  - A moderate protection layer that follows the same protection as RDP, with additional support for API security features such as REST API (JSON, XML) and WebSocket security.
  - Operational Cost: Low
  - BIG-IP Version Support*: Version 13.1.0.2 or later
- Fundamental
  - A high-to-moderate protection layer that includes automatic learning of false positives and of specific entity types. This template includes a blocking enforcement mode.
  - Operational Cost: Medium
- Comprehensive
  - A high protection layer with automatic learning for all entity types. This template includes a blocking enforcement mode.
  - Operational Cost: High
  - BIG-IP Version Support*: All versions supported by BIG-IQ centralized management
- Passive Deployment Policy (PDP)
  - A low protection layer with a high level of automatic learning (similar to Comprehensive), but fully transparent: it does not interfere with traffic. This template is designed to protect against as many potential threats as possible without the risk of affecting traffic with false positives.
  - Operational Cost: High
  - BIG-IP Version Support*: Version 13.1 or later
- Vulnerability Assessment Baseline
  - Provides the lowest protection, and is used to create a security baseline by identifying, classifying and reporting security holes or weaknesses in your web site's code.
  - Operational Cost: Medium
  - BIG-IP Version Support*: All versions supported by BIG-IQ centralized management
*General template support does not include all settings. Variations are indicated with the setting and template type.
Setting | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline
---|---|---|---|---|---|---
Enforcement Mode | Transparent | Transparent | Blocking | Blocking | Transparent | Transparent
Learning Mode | Manual | Manual | Automatic | Automatic | Automatic | Manual
Application Language | UTF-8 | UTF-8 | Auto-detect | Auto-detect | Auto-detect | UTF-8
Attack Signature Set Assignment | Generic Detection Signatures, Learn/Alarm/Block enabled | Generic Detection Signatures, Learn/Alarm/Block enabled | Generic Detection Signatures, Learn/Alarm/Block enabled | Generic Detection Signatures, Learn/Alarm/Block enabled | Generic Detection Signatures, Learn/Alarm/Block enabled |
Signature Staging | Enabled | Enabled | Enabled | Enabled | Enabled | Disabled
Setting | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline
---|---|---|---|---|---|---
Learn Host Names | False | False | True | True | True | False
Learn Explicit URLs | Never | Never | Never | Compact | Compact | Never
Learn Explicit WebSocket URLs | Never | Never | Never | Always | Always | Never
Learn Explicit Parameters | Never | Never | Selective | Compact | Compact | Never
Learn Explicit Cookies | Never | Never | Never | Selective | Selective | Never
Learn Explicit Redirection Domains | Never | Never | Always | Always | Always | Never
Full Policy Template Settings
The following lists all fields populated by each policy template, per configuration section. Sections and fields that are not affected are not included in this document. Where a row shows a single value, that value applies to every template.
Setting | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline
---|---|---|---|---|---|---
Enforcement Mode | Transparent | Transparent | Blocking | Blocking | Transparent | Transparent
Learning Mode | Manual | Manual | Automatic | Automatic | Automatic | Manual
Enforcement Readiness Period | 7 Days | | | | |
Mask Credit Card Numbers in Request Log | Enabled | | | | |
Allowed Response Status Codes | 400, 401, 403, 404, 407, 417, 503 | | | | |
Dynamic Session ID in URL | Disabled | | | | |
Trigger ASM iRule Events | Disabled | | | | |
Trust XFF Header | No | | | | |
Handle Path Parameters | As Parameter | | | | |
POLICY BUILDING (Settings)
Setting | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline
---|---|---|---|---|---|---
Enforcement Mode | Transparent | Transparent | Blocking | Blocking | Transparent | Transparent
Learning Speed | Medium | | | | |
Setting | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline
---|---|---|---|---|---|---
Policy General Features | | | | | |
Request length exceeds defined buffer size | Learn only (for devices running v13.1, the violation is set to Learn only) | Learn only | Learn only | Learn only | Learn only | All Disabled
Failed to convert character | All Enabled (for devices running v13.1, the violation is set to Learn only) | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled
Illegal session ID in URL | All Disabled | All Disabled | All Disabled | All Enabled | Disabled | All Disabled
Illegal HTTP status in response | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled
Illegal Base64 value | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled
HTTP Protocol Compliance Failed | | | | | |
Body in GET or HEAD requests | All Disabled | All Disabled | All Disabled | Learn (violation setting for version 13.0 or later) | Learn | All Disabled
POST request with Content-Length: 0 | All Disabled | All Disabled | All Disabled | Learn (violation setting for version 13.0 or later) | Learn | All Disabled
Check maximum number of parameters | Learn: 500 | | | | |
CRLF characters before request start | Learn | Learn | Learn | Learn | Learn | All Disabled
Chunked request with Content-Length header | Disabled | | | | |
Unparsable request content | Block | | | | |
Several Content-Length headers | Learn | Learn | Learn | Learn | Learn | All Disabled
High ASCII characters in headers | All Disabled | All Disabled | All Disabled | Learn (violation setting for version 13.0 or later) | Learn | All Disabled
Check maximum number of headers | Learn: 20 | Learn: 20 | Learn: 20 | Learn: 20 | Learn: 20 | All Disabled
Multiple host headers | Learn | Learn | Learn | Learn | Learn | All Disabled
Bad multipart parameters parsing | Learn | Learn | Learn | Learn | Learn | All Disabled
Bad host header value | Learn | Learn | Learn | Learn | Learn | All Enabled
Header name with no header value | Learn | Learn | Learn | Learn | Learn | All Disabled
Content length should be a positive number | Learn | Learn | Learn | Learn | Learn | All Disabled
Null in request | Block | | | | |
Bad HTTP version | Block | | | | |
No Host header in HTTP/1.1 request | Learn | Learn | Learn | Learn | Learn | All Disabled
Host header contains IP address | All Disabled | All Disabled | All Disabled | Learn (violation setting for version 13.0 or later) | Learn | All Disabled
Bad multipart/form-data request parsing | All Disabled | All Disabled | All Disabled | Learn | Learn | All Disabled
Evasion Techniques Sub-Violations | | | | | |
Multiple decoding | Learn: 3 (for version 12.1 or earlier, the setting included 2 decoding passes) | All Enabled: 3 | | | |
IIS backslashes | Learn | All Enabled | | | |
Bad unescape | Learn | All Enabled | | | |
Directory traversals | Learn | All Enabled | | | |
Bare byte decoding | Learn | All Enabled | | | |
Apache whitespace | Learn | All Enabled | | | |
%u decoding | Learn | All Enabled | | | |
URLs | | | | | |
Illegal number of mandatory parameters | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled
Illegal flow to URL | All Disabled | All Disabled | All Disabled | All Enabled | All Disabled | All Disabled
Illegal cross-origin request | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled
Binary content found in text only WebSocket | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled
Illegal entry point | All Disabled | All Disabled | All Disabled | All Enabled | All Disabled | All Disabled
Illegal meta character in URL | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled
Illegal query string or POST data | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled
Illegal URL | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled
Illegal WebSocket binary message length | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled
Illegal WebSocket extension | All Disabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled
Illegal number of frames per message | All Disabled | All Disabled | All Enabled | All Enabled | All Enabled | All Disabled
Text content found in binary only WebSocket | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled
Illegal request content type | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled
Illegal WebSocket frame length | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled
Parameters | | | | | |
Illegal parameter numeric value | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled
Illegal dynamic parameter value | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled
Illegal empty parameter value | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled
Illegal parameter data type | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled
Null in multi-part parameter value | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled
Illegal meta character in parameter name | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled
Illegal meta character in value | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled
Illegal parameter value length | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled
Illegal repeated parameter name | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled
Illegal static parameter value | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled
Disallowed file upload content detected | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled
Parameter value does not comply with regular expression | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled
Illegal parameter | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled
Sessions and Logins | | | | | |
Access from disallowed User/Session/IP | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled
ASM Cookie Hijacking | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled | All Disabled
Brute Force: Maximum login attempts are exceeded | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled
Login URL bypassed | All Disabled | All Disabled | All Disabled | All Enabled | All Disabled | All Disabled
Login URL expired | All Disabled | All Disabled | All Disabled | All Enabled | All Disabled | All Disabled
Cookies | | | | | |
Modified ASM cookie | All Enabled | All Enabled | All Enabled (violation setting for version 13.0 or later) | All Enabled | All Disabled | All Disabled
Illegal cookie length | All Disabled | All Disabled | Learn Only (violation setting for version 13.0 or later) | Learn Only | Learn Only | All Disabled
Expired timestamp | All Disabled | | | | |
Cookie not RFC-compliant | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled
Modified domain cookie(s) | All Disabled | All Disabled | All Disabled | All Enabled | All Disabled | All Disabled
Content Profiles | | | | | |
Malformed XML data | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled
XML data does not comply with schema or WSDL document | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled
SOAP method not allowed | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled
JSON data does not comply with format settings | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled
GWT data does not comply with format settings | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled
Plain text data does not comply with format settings | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled
XML data does not comply with format settings | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled
Malformed GWT data | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled
Illegal attachment in SOAP message | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled
Malformed JSON data | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled
Web Services Security failure | | | | | |
Web Services Security failure (all subviolations) | All Enabled | Learn Only | | | |
CSRF Protection | | | | | |
CSRF authentication expired | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled | All Disabled
CSRF attack detected | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled | All Enabled
IP Addresses / Geolocations | | | | | |
IP is blacklisted | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled
Access from malicious IP address | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled
Access from disallowed User/Session/IP | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled
Headers | | | | | |
Illegal header length | All Disabled | All Disabled | Learn Only (violation setting for version 13.0 or later) | Learn Only | Learn Only | All Disabled
Illegal method | All Enabled | All Enabled | Learn Only (violation setting for version 13.0 or later) | Learn Only (violation setting for version 13.0 or later) | Learn Only | All Enabled (no enforcement)
Illegal meta character in header | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled
Mandatory HTTP header is missing | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled
Redirection Protection | | | | | |
Illegal redirection attempt | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled
Threat Campaigns | | | | | |
Threat Campaign detected (violation setting supported by version 14.0 or later) | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled
Bot Detection | | | | | |
Web scraping detection | All Enabled | | | | |
Data Guard | | | | | |
Data Guard: Information leakage detected | All Enabled | All Disabled | All Enabled | All Enabled | All Enabled | All Enabled
WebSocket protocol compliance | | | | | |
Null character found in WebSocket text message | All Enabled | | | | |
Failure in WebSocket framing protocol | Learn Only (violation setting for version 13.1 or later) | All Enabled | Learn Only | Learn Only | Learn Only | All Disabled
Mask not found in client frame | Learn Only (violation setting for version 13.1 or later) | All Enabled | Learn Only | Learn Only | Learn Only | All Disabled
Bad WebSocket handshake request | Learn Only (violation setting for version 13.1 or later) | All Enabled | Learn Only | Learn Only | Learn Only | All Disabled
Antivirus Detection | | | | | |
Virus Detected | All Disabled | All Disabled | All Disabled | All Enabled | All Disabled | All Disabled
Policy Building Process | Value | |
---|---|---
Trust IP Addresses | Address List | |
Loosen Policy | Untrusted Traffic Sources: 20; Min Period: 60 minutes; Max Period: 7 days | Trusted Traffic Sources: 1; Min Period: 0 (not applicable); Max Period: 7 days |
Tighten Policy (stabilize) | Total Requests: 15,000; Days: 1; Maximum modification suggestion score: 50% | |
Minimize false positives (Track Site Changes) | Status: Enabled; From Trusted and Untrusted Traffic: Enabled | |
 | Untrusted Traffic Sources: 10; Min Period: 20 minutes; Max Period: 7 days | Trusted Traffic Sources: 1; Min Period: 0 (not applicable); Max Period: 7 days |
Options | Learn from responses: Disabled (enabled for the Comprehensive template type); Full Policy Inspection: Enabled | |
DATA GUARD
Setting | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline
---|---|---|---|---|---|---
Data Guard | Disabled | | | | |
Protect credit card numbers | Enabled | Disabled | | | |
Protect U.S. Social Security numbers | Enabled | Disabled | | | |
Mask sensitive data | Enabled | Enabled | Disabled | Disabled | |
Custom Patterns | Disabled | | | | |
Exception Patterns | Disabled | | | | |
File Content Detection | Disabled | | | | |
CSRF PROTECTION
Setting | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline
---|---|---|---|---|---|---
CSRF Protection | Disabled | Disabled | Disabled | Disabled | Disabled | Enabled
SSL Only | Disabled | | | | |
Expiration Time | Disabled | | | | |
[Default entry] CSRF URL | URL: * | URL: * | URL: * | URL: * | Empty | Empty
ANOMALY DETECTION
Setting | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline
---|---|---|---|---|---|---
Properties | | | | | |
Login Page | Default | | | | |
Brute Force Protection | Disabled (the default profile protects all login pages that are not specifically protected by an enabled configuration) | Enabled | | | |
Configuration Support | Current (supports versions 13.1 or later) | | | | |
IP Address Whitelist | Empty | | | | |
Source-based Brute Force Protection | | | | | |
Detection Period | 60 minutes | | | | |
Maximum Prevention Duration | 60 minutes | | | | |
Username | Trigger: After 3 failed login attempts; Action: Alarm And CAPTCHA | Trigger: After 3 failed login attempts; Action: Alarm | Trigger: After 3 failed login attempts; Action: Alarm And CAPTCHA | | |
Device ID | Trigger: Never | | | | |
IP Address | Trigger: After 20 failed login attempts; Action: Alarm And CAPTCHA | Trigger: After 20 failed login attempts; Action: Alarm | Trigger: After 20 failed login attempts; Action: Alarm And CAPTCHA | | |
Client Side Integrity Bypass Mitigation | Trigger: After 3 failed login attempts; Action: Alarm And CAPTCHA | | | | |
CAPTCHA Bypass Mitigation | Trigger: After 5 failed login attempts; Action: Alarm And Drop | | | | |
Distributed Brute Force Protection | | | | | |
Detection Period | 15 minutes | | | | |
Maximum Prevention Duration | 60 minutes | | | | |
Detect Distributed Attack | After 100 failed login attempts | | | | |
Detect Credential Stuffing | After 100 failed login attempts | | | | |
Mitigation | Alarm And CAPTCHA | Alarm | Alarm And CAPTCHA | | |
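The source-based and distributed triggers in the table above (3 failures per username and 20 per source IP within a 60-minute detection period, 100 failures from all sources within 15 minutes, a 60-minute prevention duration), replayed over constructed login-audit events. This is an added illustration written for this page, not BIG-IP's implementation; the audit-line format, the `BruteForceDetector` class and the sample events are assumptions, and credential stuffing is left out because it needs a leaked-credential feed.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Thresholds copied from the Anomaly Detection table above.
SOURCE_PERIOD = timedelta(minutes=60)      # source-based detection period
SOURCE_PREVENTION = timedelta(minutes=60)  # maximum prevention duration
USERNAME_TRIGGER = 3                        # failed attempts per username
IP_TRIGGER = 20                             # failed attempts per source IP
DIST_PERIOD = timedelta(minutes=15)         # distributed detection period
DIST_TRIGGER = 100                          # failed attempts from all sources combined

# Constructed audit-line format for this example (assumption; not a BIG-IP log format).
LINE_RE = re.compile(r"^(?P<ts>\S+) login (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<ip>\S+)$")


def parse(line):
    """Return (timestamp, result, username, source_ip) for one constructed audit line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable audit line: {line!r}")
    return datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


class BruteForceDetector:
    """Sliding-window failure counters for the table's username, IP and distributed
    triggers. The action strings are the mitigation options listed in the table."""

    def __init__(self, source_action="Alarm And CAPTCHA", dist_action="Alarm And CAPTCHA"):
        self.source_action = source_action
        self.dist_action = dist_action
        self.windows = defaultdict(deque)  # (scope, key) -> timestamps of recent failures
        self.dist_window = deque()          # recent failures regardless of source
        self.prevention_until = {}          # (scope, key) -> end of the prevention period
        self.alerts = []                    # (timestamp, scope, key, action)

    @staticmethod
    def _count(window, ts, period):
        window.append(ts)
        while ts - window[0] > period:      # drop failures outside the detection period
            window.popleft()
        return len(window)

    def feed(self, line):
        ts, result, user, ip = parse(line)
        if result != "fail":
            return []                       # successful logins never count toward a trigger
        fired = []
        for scope, key, limit in (("user", user, USERNAME_TRIGGER), ("ip", ip, IP_TRIGGER)):
            if self.prevention_until.get((scope, key), ts) > ts:
                fired.append((scope, key, "mitigated"))  # still inside the prevention period
                continue
            if self._count(self.windows[(scope, key)], ts, SOURCE_PERIOD) >= limit:
                self.prevention_until[(scope, key)] = ts + SOURCE_PREVENTION
                self.windows[(scope, key)].clear()
                fired.append((scope, key, self.source_action))
        if self._count(self.dist_window, ts, DIST_PERIOD) >= DIST_TRIGGER:
            self.dist_window.clear()
            fired.append(("distributed", "*", self.dist_action))
        self.alerts.extend((ts.isoformat(), *f) for f in fired)
        return fired


# Constructed sample: repeated failures against one account, then failures from one
# source against many accounts, then a burst of failures from 100 different sources.
SAMPLE = [
    "2024-05-01T10:00:00 login fail user=alice src=203.0.113.5",
    "2024-05-01T10:00:30 login fail user=alice src=203.0.113.5",
    "2024-05-01T10:01:00 login ok user=bob src=198.51.100.7",
    "2024-05-01T10:01:10 login fail user=alice src=203.0.113.5",  # 3rd failure: username trigger
    "2024-05-01T10:02:00 login fail user=alice src=203.0.113.5",  # inside prevention: mitigated
]
SAMPLE += [f"2024-05-01T10:03:{i:02d} login fail user=u{i} src=192.0.2.9" for i in range(20)]
SAMPLE += [f"2024-05-01T10:{5 + i // 60:02d}:{i % 60:02d} login fail user=v{i} src=198.51.100.{i}"
           for i in range(100)]
SAMPLE.append("2024-05-01T12:00:00 login fail user=alice src=203.0.113.5")  # prevention expired


def run_sample():
    det = BruteForceDetector()
    for line in SAMPLE:
        det.feed(line)
    return det.alerts


def summarize(alerts):
    """Count alerts by (scope, action), e.g. ('ip', 'Alarm And CAPTCHA')."""
    return Counter((scope, action) for _, scope, _, action in alerts)
```

`run_sample()` yields one username trigger, one mitigated retry inside the prevention period, one IP trigger at the 20th failure from 192.0.2.9, and one distributed trigger once 100 failures accumulate within 15 minutes.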
HEADERS
- Methods
  - All templates except Vulnerability Assessment Baseline include the three HTTP methods GET, POST and HEAD.
  - Vulnerability Assessment Baseline includes all available HTTP methods, with their default action as follows:
    - Methods acting as GET: REPORT, HEAD, CHECKOUT, COPY, LOCK, MOVE, CHECKIN, UNLOCK, GET, OPTIONS, MERGE, X-MS-ENUMATTS, NOTIFY, MKCOL, SUBSCRIBE, POLL, CONNECT, ACL, VERSION_CONTROL, PROPFIND, UNSUBSCRIBE, PROPPATCH.
    - Methods acting as POST: MKWORKSPACE, BPROPPATCH, BPROPFIND, BMOVE, RPC_IN_DATA, SEARCH, RPC_OUT_DATA, BCOPY, POST, UNLINK, LINK, PATCH.
Setting | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline
---|---|---|---|---|---|---
In Staging | No | No | Yes | Yes | Yes | No
Setting | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline
---|---|---|---|---|---|---
Redirection Protection | Disabled | Disabled | Enabled | Enabled | Enabled | Enabled
Redirection Domains | Empty | Empty | * Entity only | * Entity only | * Entity only | Empty
URLS
Setting | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline
---|---|---|---|---|---|---
Properties | | | | | |
URL | Wildcard HTTP and HTTPS | | | | |
Perform Staging | Disabled | Enabled | Enabled | Enabled | Enabled | Disabled
Wildcard Match Includes Slashes | Enabled | | | | |
Clickjacking Protection | Disabled | | | | |
Attack Signatures | | | | | |
Check Signatures on this URL | Enabled | | | | |
Overridden Policy Settings | No overrides were selected | | | | |
Header-Based Content Profiles | | | | | |
Request Header Value/Request Body Handling | Form, XML, JSON and Apply Value and Content Signatures | Apply Value and Content Signatures | | | |
HTML5 Cross-Domain Request Enforcement | | | | | |
Enforcement Mode | Disabled | Disabled | Disabled | Enforce on ASM | Enforce on ASM | Disabled
Methods Enforcement | | | | | |
Override policy allowed methods | Disabled | | | | |
Setting | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline
---|---|---|---|---|---|---
Properties | | | | | |
WebSocket URL | Wildcard WS and WSS | | | | |
Perform Staging | Disabled | Enabled | Enabled | Enabled | Enabled | Disabled
Message Handling | | | | | |
Check Message Payload | Enabled | Enabled | Enabled | Enabled | Enabled | Disabled
WebSocket Extensions | Delete Headers | Delete Headers | Delete Headers | Delete Headers | Block | Delete Headers
Allowed Message Payload Formats | All Formats | All Formats | All Formats | Plain Text, JSON | Plain Text, JSON | All Formats
Payload Enforcement (Maximum Binary Message Size) | Any | Any | Any | 10,000 bytes | 10,000 bytes | Any
Maximum Frame Size | Any | Any | Any | 10,000 bytes | 10,000 bytes | Any
Maximum Frames per fragmented message | Any | Any | Any | 100 bytes | 100 bytes | Any
HTML5 Cross-Domain Request Enforcement | | | | | |
Enforcement Mode | Disabled | Disabled | Disabled | Enforce on ASM | Enforce on ASM | Disabled
CONTENT PROFILES
Setting | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline
---|---|---|---|---|---|---
Profile Name | Default | | | | |
File Type | Wildcard | | | | |
Perform Staging | Disabled | Disabled | Enabled | Enabled | Enabled | Disabled
URL Length | Any | Any | 1024 Bytes | 1024 Bytes | 1024 Bytes | Any
Request Length | Any | Any | 8196 Bytes | 8196 Bytes | 8196 Bytes | Any
Query String Length | Any | Any | 4096 Bytes | 4096 Bytes | 4096 Bytes | Any
POST Data Length | Any | Any | 4096 Bytes | 4096 Bytes | 4096 Bytes | Any
Apply Response Signature Staging | Disabled | | | | |
Setting | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline
---|---|---|---|---|---|---
Properties | | | | | |
Profile Name | Default | | | | |
Use XML Blocking Response Page | Disabled | | | | |
XML Firewall Configuration | | | | | |
Defense Level | | | | | |
Allow DTDs | Enabled | Enabled | Enabled | Disabled | Disabled | Enabled
Allow External References | Enabled | Enabled | Enabled | Disabled | Disabled | Enabled
Tolerate Leading White Space | Enabled | Enabled | Enabled | Disabled | Disabled | Enabled
Tolerate Close Tag Shorthand | Enabled | Enabled | Enabled | Disabled | Disabled | Enabled
Tolerate Numeric Names | Enabled | Enabled | Enabled | Disabled | Disabled | Enabled
Allow Processing Instructions | Enabled | | | | |
Allow CDATA | Enabled | Enabled | Enabled | Disabled | Disabled | Enabled
Maximum Document Size | Any | 1,024,000 Bytes | Any | 1,024,000 Bytes | 1,024,000 Bytes | Any
Maximum Elements | Any | 512,000 | Any | 65,536 | 65,536 | Any
Maximum Name Length | Any | 1,024 Bytes | Any | 256 Bytes | 256 Bytes | Any
Maximum Attribute Value Length | Any | Any | Any | 1,024 Bytes | 1,024 Bytes | Any
Maximum Document Depth | Any | Any | Any | 32 | 32 | Any
Maximum Children Per Element | Any | 4,096 | Any | 1,024 | 1,024 | Any
Maximum Attributes Per Element | Any | 64 | Any | 16 | 16 | Any
Maximum NS Declarations | Any | 256 | Any | 64 | 64 | Any
Maximum Namespace Length | Any | Any | Any | 256 | 256 | Any
Attack Signatures | | | | | |
Check Attack Signatures | Enabled | | | | |
Attack Signatures Overrides | No Entries | | | | |
Meta Characters | | | | | |
Check element value characters | Disabled | Disabled | Disabled | Enabled | Enabled | Disabled
Check attribute value characters | Disabled | | | | |
Sensitive Data Configuration | | | | | |
Sensitive Data | No Entries | | | | |
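The Defense Level limits from the XML profile table above, enforced as a streaming check over a document so the effect of the Comprehensive column (DTDs and external references disallowed, depth 32, 16 attributes per element, and so on) can be compared with the all-permissive RDP column. This is an added example written for this page, not BIG-IP's XML firewall; `XmlDefenseLevel`, `check_xml`, the sample documents, and the choice to measure name lengths in characters rather than bytes are assumptions.

```python
from dataclasses import dataclass
from typing import Optional
import xml.parsers.expat as expat


@dataclass(frozen=True)
class XmlDefenseLevel:
    """One column of the XML Firewall Configuration table; None means 'Any'."""
    allow_dtds: bool
    allow_external_references: bool
    max_document_size: Optional[int]          # bytes
    max_elements: Optional[int]
    max_name_length: Optional[int]            # element and attribute names (measured in characters here)
    max_attribute_value_length: Optional[int]
    max_document_depth: Optional[int]
    max_children_per_element: Optional[int]
    max_attributes_per_element: Optional[int]
    max_ns_declarations: Optional[int]
    max_namespace_length: Optional[int]

# Values taken from the table above: the Comprehensive column and the RDP column.
COMPREHENSIVE = XmlDefenseLevel(False, False, 1_024_000, 65_536, 256, 1_024, 32, 1_024, 16, 64, 256)
RDP = XmlDefenseLevel(True, True, None, None, None, None, None, None, None, None, None)


class XmlDefenseViolation(Exception):
    pass


def check_xml(data: bytes, level: XmlDefenseLevel) -> dict:
    """Stream the document through expat, raising at the first limit exceeded; return counters on pass."""
    if level.max_document_size is not None and len(data) > level.max_document_size:
        raise XmlDefenseViolation(f"document size {len(data)} exceeds {level.max_document_size}")
    stats = {"elements": 0, "max_depth": 0, "ns_declarations": 0}
    open_elements = []  # one child counter per currently open element
    def over(what, value, limit):
        if limit is not None and value > limit:
            raise XmlDefenseViolation(f"{what} {value} exceeds {limit}")
    def start_doctype(name, sysid, pubid, has_internal_subset):
        if not level.allow_dtds:
            raise XmlDefenseViolation("DTD present but Allow DTDs is disabled")
    def external_ref(context, base, sysid, pubid):
        if not level.allow_external_references:
            raise XmlDefenseViolation("external reference present but Allow External References is disabled")
        return 1  # allowed: report success without fetching anything
    def start_ns(prefix, uri):
        stats["ns_declarations"] += 1
        over("namespace declarations", stats["ns_declarations"], level.max_ns_declarations)
        over("namespace length", len(uri or ""), level.max_namespace_length)
    def start_element(name, attrs):
        stats["elements"] += 1
        over("element count", stats["elements"], level.max_elements)
        over("element name length", len(name.rsplit(" ", 1)[-1]), level.max_name_length)
        over("attributes per element", len(attrs), level.max_attributes_per_element)
        for attr_name, value in attrs.items():
            over("attribute name length", len(attr_name.rsplit(" ", 1)[-1]), level.max_name_length)
            over("attribute value length", len(value), level.max_attribute_value_length)
        if open_elements:
            open_elements[-1] += 1
            over("children per element", open_elements[-1], level.max_children_per_element)
        open_elements.append(0)
        stats["max_depth"] = max(stats["max_depth"], len(open_elements))
        over("document depth", len(open_elements), level.max_document_depth)
    parser = expat.ParserCreate(namespace_separator=" ")  # names arrive as "uri local"
    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_ref
    parser.StartNamespaceDeclHandler = start_ns
    parser.StartElementHandler = start_element
    parser.EndElementHandler = lambda name: open_elements.pop()
    try:
        parser.Parse(data, True)
    except expat.ExpatError as err:
        raise XmlDefenseViolation(f"malformed XML: {err}") from err
    return stats


# Constructed sample documents for this example.
PLAIN_DOC = b'<order xmlns="urn:example:shop"><item sku="A1"/><item sku="B2"/></order>'
DTD_DOC = b'<!DOCTYPE order [<!ENTITY greet "hi">]><order>&greet;</order>'
DEEP_DOC = b"<e>" * 33 + b"</e>" * 33   # depth 33, one past the Comprehensive limit of 32


def verdict(doc: bytes, level: XmlDefenseLevel) -> str:
    """'pass' or the violation message, so results can be tabulated per template."""
    try:
        check_xml(doc, level)
        return "pass"
    except XmlDefenseViolation as err:
        return str(err)
```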
Setting | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline
---|---|---|---|---|---|---
Properties | | | | | |
Profile Name | Default | | | | |
Maximum Total Length | Any | Any | Any | 10,000 | 10,000 | Any
Maximum Line Length | Any | Any | Any | 100 | 100 | Any
Perform Percent Decoding | Disabled | | | | |
Attack Signatures Overrides | | | | | |
Attack Signatures Check | Enabled | | | | |
Attack Signatures Overrides | No overrides were selected | | | | |
Meta Characters | | | | | |
Check Characters | Disabled | | | | |
PARAMETERS
Setting | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline
---|---|---|---|---|---|---
Properties | | | | | |
Name | Wildcard: * | | | | |
Level | Global | | | | |
Perform Staging | Disabled | Disabled | Disabled | Enabled | Enabled | Disabled
Allow Empty Value | Enabled | | | | |
Allow Repeated Occurrences | Disabled | | | | |
Sensitive Parameter | Disabled | | | | |
Value Type | user-input | | | | |
Data Type | Alpha-Numeric | | | | |
Data Type Attributes | | | | | |
Maximum Length | Any | Any | Any | 10 | 10 | Any
Regular Exp. | Disabled | | | | |
Base64 Decoding | Disabled | | | | |
Value Meta Character | | | | | |
Value Meta Character Checks | Disabled | Disabled | Disabled | Enabled | Enabled | Disabled
Name Meta Character | | | | | |
Name Meta Character Checks | Disabled | Disabled | Disabled | Enabled | Enabled | Disabled
Attack Signatures | | | | | |
Attack Signatures Checks | Enabled | Enabled | Enabled | Enabled | Enabled | Disabled
Select signatures overrides | No overrides were selected | | | | |
Setting | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline
---|---|---|---|---|---|---
Learn New Entities | Password | No sensitive parameters included | | | |
ATTACK SIGNATURES CONFIGURATION
Setting | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline
---|---|---|---|---|---|---
Signature Staging | Enabled | Disabled | | | |
Place Updated Signatures in Staging | Enabled (placed in staging and retains old version) | Disabled | | | |
Attack Signature Set Assignment | Generic Detection Signatures set; Learn/Alarm/Block enabled | | | | |
Apply Response Signatures | No file types were selected | | | | |
THREAT CAMPAIGNS
The Threat Campaigns feature is only available on BIG-IP versions 14.0 or later. All templates except Vulnerability Assessment Baseline have the Threat Campaign detected violation enabled with the Alarm and Block settings, and Enable Campaign Staging disabled. For Vulnerability Assessment Baseline, both are disabled.
SESSIONS AND LOGINS
There are no pre-defined login or logout pages for any generic template.
Setting | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline
---|---|---|---|---|---|---
Expiration Time | Disabled | | | | |
Authenticated URLs | None | | | | |
Setting | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline
---|---|---|---|---|---|---
Session Hijacking | | | | | |
Detect Session Hijacking by Device ID Tracking | Disabled | Disabled | Disabled | Enabled | Disabled | Disabled
Session Tracking Configuration | | | | | |
Session Awareness | Disabled | Disabled | Disabled | Enabled | Disabled | Disabled
Application Username | Use All Login Pages | Use All Login Pages | Use All Login Pages | None | Use All Login Pages | Use All Login Pages
Violation Detection Actions | | | | | |
Track Violations and Perform Actions | Disabled | Disabled | Disabled | Enabled | Disabled | Disabled
Violation Detection Period | 900s | | | | |