Manual Chapter : Editing Web Application Security Policies

Applies To:

BIG-IQ Centralized Management

  • 8.3.0, 8.2.0, 8.1.0

Editing Web Application Security Policies

Editing application security policies

You modify application security policies to customize how they protect your web application server. Application security policies can be created in Web Application Security, but more often they are created on BIG-IP devices and come into the Web Application Security configuration when you discover the devices.
  1. Go to Configuration > SECURITY > Web Application Security > Policies.
  2. Click the name of a policy you want to edit.
    The policy is placed under administrative lock. Policy objects that you can view or edit are listed on the left.
  3. Edit the properties of each policy object as needed.
    Consult the documentation for each policy object to edit it individually.
  4. Click Save to save the modifications to each object and unlock the policy.
Changes to the policy object are saved in the working configuration of the BIG-IQ Centralized Management system. Assuming the policy is assigned to a virtual server, the next deployment sends the new configuration to one or more BIG-IP devices.

Manage general property settings

You can manage the general settings of an application security policy, whether it was created in BIG-IQ or imported from managed BIG-IP devices into the BIG-IQ Web Application Security configuration when you discovered the devices. You can view and modify the properties of individual application security policies.
  1. Go to the General Properties screen: click Configuration > SECURITY > Web Application Security > Policies.
  2. Click the name of the policy to modify, and then on the left click General Properties.
  3. Edit the properties as appropriate.
  4. Save your changes to the general properties of the policy.
The system saves changes in the working configuration of the BIG-IQ Centralized Management system.

General property settings

These properties are the general configuration options and settings that determine the overall behavior and functionality of the application security policy. Each property is listed below with its description.
Name
  Unique name of the security policy. You can set the Name only when you create the policy.
Partition
  Partition to which the security policy belongs. Only users with access to a partition can view the objects that it contains. If the policy resides in the Common partition, all users can access it.
Description
  Optional description of the security policy. Type in any helpful details about the policy. This field is limited to 255 characters.
Full Path
  Full path to the security policy.
Policy Type
  Indicates the type of policy.
    • Security Policy specifies a policy that does not use inheritance, or that uses inheritance and is a child policy.
    • Parent Policy specifies a policy that uses inheritance and is a parent policy.
Parent Policy
  Specifies the parent policy associated with this policy, if any.
    • Select None to indicate that there is no parent policy.
    • If there is a parent policy, select it from the list.
Application Language
  A language encoding for the web application, which determines how the security policy processes character sets. The default language encoding determines the default character sets for URLs, parameter names, and parameter values.
Security Policy is case sensitive
  If enabled, the security policy treats file types, URLs, and parameters as case-sensitive. When this setting is disabled (not checked), the system stores these policy elements in lowercase in the policy configuration.
Application Templates
  Specifies options for using the policy with application templates.
    • To make this policy the default for application templates, select Default Policy for Application Templates.
    • To make this policy available to application templates, select Make available in Application Templates.
  A default policy for application templates, named templates-default, is provided with the BIG-IQ system.
Event Correlation Reporting
  If enabled, events are reported in groups (correlated) rather than as individual transactions. You can disable this setting only for BIG-IP devices version 13.1 or later.
Learning Mode
  Select one of the options to indicate how the policy learns:
    • Automatic: The system examines traffic, makes suggestions, and enforces most suggestions once sufficient traffic from various users over a period of time makes it reasonable to add them. A few suggestions must be enforced manually.
    • Manual: The system examines traffic and makes suggestions on what to add to the security policy. You manually examine the changes and accept, delete, or ignore the suggestions.
    • Disabled: The system does no learning for the security policy and makes no suggestions.
Enforcement Mode
  Specifies how the system processes a request that triggers a security policy violation.
    • Transparent: When the system receives a request that violates a policy parameter, it logs the violation event but does not block the request.
    • Blocking: When the system receives a request that violates a policy parameter, it logs the violation event, blocks the request, and responds by sending the Blocking Response page and Support ID information to the client.
Enforcement Readiness Period
  Indicates the number of days in the period. The default is 7 days. Both security policy entities and attack signatures remain in staging mode for this period before the system suggests that you enforce them. The system does not enforce policy entities and attack signatures in staging. Staging allows you to test the policy entities and the attack signatures for false positives without enforcing them.
Mask Credit Card Numbers in Request Log
  When enabled, the system masks credit card numbers in the request log. If disabled (cleared), credit card numbers are not masked.
Maximum HTTP Header Length
  Specifies the maximum length of an HTTP header name and value that the system processes. The default setting is 8192 bytes. The system calculates and enforces the HTTP header length as the sum of the lengths of the HTTP header name and value. To specify a different limit, type a value in the field. To specify that any length is acceptable, clear the field. An empty field (a value of any) indicates that there are no restrictions on the HTTP header length up to 8192 bytes.
Maximum Cookie Header Length
  Specifies the maximum length of a cookie header name and value that the system processes. The default setting is 8192 bytes. The system calculates and enforces the cookie header length as the sum of the lengths of the cookie header name and value. To specify a different limit, type a value in the field. To specify that any length is acceptable, clear the field. An empty field (a value of any) indicates that there are no restrictions on the cookie header length up to 8192 bytes.
Allowed Response Status Code
  Specifies which requests the security policy permits, based on the HTTP response status codes they return. Click the gear icon to add or delete response codes.
Dynamic Session ID in URL
  Specifies how the security policy processes URLs that use dynamic sessions. Click the gear icon to change the setting or create a custom pattern.
    • Disabled: The policy does not enforce dynamic sessions in URLs.
    • Default pattern: The policy uses the default regular expression for recognizing dynamic sessions in URLs. The default pattern is (\/sap\([^)]+\)). You cannot edit the default regular expression.
    • Custom pattern: Specifies a user-defined regular expression that the security policy uses to recognize dynamic sessions in URLs. Type an appropriate regular expression in the Value field, and a description in the Description field.
Trigger ASM iRule Events
  When enabled, Web Application Security activates ASM iRule events; when disabled, it does not. The default setting is disabled. Leave this option disabled if you have not written any ASM iRules, or have written iRules that are not ASM iRules; iRule events that are not ASM events are triggered by the Local Traffic Manager. Enable this option if you have written iRules that process ASM iRule events and assigned them to a specific virtual server.
Trust XFF Header
  When set to No (the default), the system does not have confidence in an XFF (X-Forwarded-For) header in the request. Leave this option disabled if you think the HTTP header may be spoofed, or crafted, by a malicious client. With this setting disabled, if Web Application Security is deployed behind an internal proxy, the system uses the internal proxy's IP address instead of the client's IP address. If Web Application Security is deployed behind an internal or other trusted proxy, you can click the gear icon to change the setting and specify that the system has confidence in an XFF header in the request: select the Trust XFF Headers check box and add a required custom header (use a-z, A-Z, no whitespace allowed). The system then uses the IP address that initiated the connection to the proxy instead of the internal proxy's IP address.
Handle Path Parameters
  Specifies how the system handles path parameters that are attached to path segments in URIs.
    • As parameter: The system normalizes and enforces path parameters. For each path parameter, the system removes it from the URL as part of the normalization process, finds a corresponding parameter in the security policy (first at the matching URL level and, if not found there, at the global level), and enforces it according to its attributes like any other parameter.
    • As URL: The system neither normalizes nor enforces path parameters. Path parameters are considered an integral part of the URL.
    • Ignore: The system removes path parameters from URLs as part of the normalization process, but does not enforce them.
  The maximum number of path parameters collected in one URI path is 10. The rest (from the eleventh on, counting from left to right) are ignored as parameters, but are still stripped from the URI as part of the normalization process. Path parameters are extracted from requests, but not from responses.
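The Maximum HTTP Header Length and Maximum Cookie Header Length settings above are easier to reason about with a concrete check. The Python below is an added example, not BIG-IQ or BIG-IP code; it models the page's definition (header name length plus value length, in bytes, with the Cookie header measured against its own limit and every other header against the general limit) and runs it over constructed sample headers. The function names, the sample headers, and the treatment of a cleared field as the 8192-byte ceiling the page describes are assumptions.

```python
from typing import List, Optional, Tuple

# Default for both settings on the page; the page also says a cleared field
# ("any") still means no restriction up to 8192 bytes, so it doubles as the ceiling.
DEFAULT_MAX_LENGTH = 8192


def effective_limit(configured: Optional[int]) -> int:
    """Map a setting value to the limit applied. None models a cleared field (assumption)."""
    if configured is None:
        return DEFAULT_MAX_LENGTH
    if configured <= 0:
        raise ValueError("a length limit must be a positive number of bytes")
    return configured


def header_length(name: str, value: str) -> int:
    """The page's measure: length of the header name plus length of its value, in bytes."""
    return len(name.encode("utf-8")) + len(value.encode("utf-8"))


def check_request_headers(headers: List[Tuple[str, str]],
                          max_header_length: Optional[int] = DEFAULT_MAX_LENGTH,
                          max_cookie_header_length: Optional[int] = DEFAULT_MAX_LENGTH) -> List[str]:
    """Return one violation message per header over its limit; an empty list means the request passes.

    The Cookie header is measured against the cookie limit, every other header against the
    general HTTP header limit, mirroring the two separate settings on the page.
    """
    header_limit = effective_limit(max_header_length)
    cookie_limit = effective_limit(max_cookie_header_length)
    violations: List[str] = []
    for name, value in headers:
        length = header_length(name, value)
        if name.lower() == "cookie":
            if length > cookie_limit:
                violations.append(f"Cookie header is {length} bytes, limit {cookie_limit}")
        elif length > header_limit:
            violations.append(f"Header {name!r} is {length} bytes, limit {header_limit}")
    return violations


# Constructed sample headers (not captured from any real system).
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Host", "app.example.test"),
    ("User-Agent", "Mozilla/5.0"),
    ("X-Trace", "x" * 100),
    ("Cookie", "session=" + "a" * 9000),   # deliberately oversized
]

if __name__ == "__main__":
    print("defaults:", check_request_headers(SAMPLE_HEADERS))
    print("tight header limit:", check_request_headers(SAMPLE_HEADERS, max_header_length=64))
```

With the defaults only the 9014-byte Cookie header trips; lowering the general limit to 64 bytes also flags the 107-byte X-Trace header, which is the kind of false positive the staging period exists to surface before enforcement.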
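The Trust XFF Header setting above decides which address the policy attributes a request to, and the default of not trusting the header exists because any client can write whatever it likes into it. The Python below is an added example, not BIG-IQ or BIG-IP code; it follows the page's description: the connecting peer when the header is not trusted, and the address that initiated the connection to the proxy when it is, optionally read from a custom header name restricted to a-z and A-Z with no whitespace. The trusted-proxy range, the choice to walk the hop list from the right and skip your own proxies, and all names are assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed: address ranges of the internal proxies in front of the WAF (assumption).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
DEFAULT_XFF_HEADER = "X-Forwarded-For"
# The page's rule for a custom header name: a-z, A-Z, no whitespace.
CUSTOM_HEADER_NAME = re.compile(r"^[A-Za-z]+$")


def is_trusted_proxy(ip: str) -> bool:
    """True when ip falls inside one of our proxy ranges; malformed input is never trusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def validate_custom_header_name(name: str) -> str:
    """Reject names outside the page's a-z / A-Z, no-whitespace rule."""
    if not CUSTOM_HEADER_NAME.match(name):
        raise ValueError(f"custom XFF header name {name!r}: only a-z and A-Z, no whitespace")
    return name


def resolve_client_ip(peer_ip: str, headers: Dict[str, str],
                      trust_xff: bool = False, custom_header: Optional[str] = None) -> str:
    """Return the address the policy should treat as the client.

    trust_xff=False (the page's default): the connecting peer, because any client can
    write whatever it likes into a forwarded-for header.
    trust_xff=True: read the header, but only when the connection came from one of our
    proxies; walk the hop list from the right, skipping our own proxies, and use the first
    address that is not ours, i.e. the one that opened the connection to the proxy (assumption).
    """
    if not trust_xff or not is_trusted_proxy(peer_ip):
        return peer_ip
    header_name = validate_custom_header_name(custom_header) if custom_header else DEFAULT_XFF_HEADER
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get(header_name.lower(), "")
    hops: List[str] = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted_proxy(hop):
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip   # malformed entry: fall back to the peer rather than trust garbage
        return hop
    return peer_ip           # header absent, empty, or listing only our own proxies


# Constructed sample: a request relayed by an internal proxy at 10.1.2.3. The left-most
# entry is what the client claimed; 203.0.113.7 is the address that actually connected.
SAMPLE_PEER = "10.1.2.3"
SAMPLE_HEADERS = {"X-Forwarded-For": "198.51.100.99, 203.0.113.7, 10.1.2.3"}

if __name__ == "__main__":
    print("not trusted:", resolve_client_ip(SAMPLE_PEER, SAMPLE_HEADERS))
    print("trusted:    ", resolve_client_ip(SAMPLE_PEER, SAMPLE_HEADERS, trust_xff=True))
```

Two properties matter for a defender: with the header untrusted, the internal proxy's address is what gets logged and rate-limited (exactly the limitation the page describes), and with it trusted, an entry the client prepended is still ignored because the walk stops at the first address that is not one of your proxies.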
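Dynamic Session ID in URL and Handle Path Parameters both change what URL the policy matches a request against before any other check runs. The Python below is an added example, not BIG-IQ or BIG-IP code; it applies the page's default dynamic-session pattern, then one of the three path-parameter modes including the limit of 10 collected parameters, to constructed request paths, and finishes with the URL-level-then-global parameter lookup the As parameter mode describes. The mode names, the function names, and the sample policy are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# The page's default pattern for dynamic sessions in URLs (not editable on the device).
DEFAULT_DYNAMIC_SESSION_PATTERN = re.compile(r"(\/sap\([^)]+\))")
# The page's limit on path parameters collected from one URI path.
MAX_PATH_PARAMETERS = 10

PathParam = Tuple[str, str]


def strip_dynamic_sessions(path: str, pattern: re.Pattern = DEFAULT_DYNAMIC_SESSION_PATTERN) -> Tuple[str, List[str]]:
    """Remove every dynamic-session segment the pattern recognises; return the cleaned path and the segments."""
    found = pattern.findall(path)
    return pattern.sub("", path), found


def handle_path_parameters(path: str, mode: str) -> Tuple[str, List[PathParam]]:
    """Apply one of the page's three modes to ';name=value' parameters attached to path segments.

    as-parameter: strip them from the path and collect the first 10 for enforcement.
    as-url:       leave the path untouched; path parameters stay part of the URL.
    ignore:       strip them from the path but collect none.
    (Mode names are this example's own.)
    """
    if mode == "as-url":
        return path, []
    if mode not in ("as-parameter", "ignore"):
        raise ValueError(f"unknown path parameter mode {mode!r}")
    cleaned: List[str] = []
    collected: List[PathParam] = []
    for segment in path.split("/"):
        head, *attached = segment.split(";")
        cleaned.append(head)
        for raw in attached:
            if raw:                      # ';;' or a trailing ';' carries no parameter
                name, _, value = raw.partition("=")
                collected.append((name, value))
    normalized = "/".join(cleaned)
    if mode == "ignore":
        return normalized, []
    # From the eleventh parameter on (left to right) they are stripped but not enforced.
    return normalized, collected[:MAX_PATH_PARAMETERS]


def find_policy_parameter(policy: Dict[str, Dict], url: str, name: str) -> Optional[str]:
    """Lookup order from the page: the matching URL level first, then the global level."""
    if name in policy.get("urls", {}).get(url, {}):
        return "url"
    if name in policy.get("global", {}):
        return "global"
    return None


def normalize_request_path(path: str, mode: str = "as-parameter") -> Dict[str, object]:
    """Strip dynamic sessions, then handle path parameters; return what a log line would need."""
    without_sessions, sessions = strip_dynamic_sessions(path)
    normalized, params = handle_path_parameters(without_sessions, mode)
    return {"path": normalized, "dynamic_sessions": sessions, "path_parameters": params}


# Constructed sample: an SAP-style dynamic session segment plus three path parameters.
SAMPLE_PATH = "/sap(bD1lbiZjPTAwMQ==)/bc/gui/sap/its/webgui;jsessionid=AB12;theme=dark/index.html;v=2"
# Constructed sample policy: one parameter defined at the URL level, one at the global level.
SAMPLE_POLICY = {
    "urls": {"/bc/gui/sap/its/webgui/index.html": {"v": {"type": "integer"}}},
    "global": {"theme": {"type": "alpha"}},
}

if __name__ == "__main__":
    result = normalize_request_path(SAMPLE_PATH)
    print(result)
    for name, _ in result["path_parameters"]:
        print(name, "->", find_policy_parameter(SAMPLE_POLICY, result["path"], name))
```

Note that the literal "/sap/" segment survives because the default pattern requires "sap(" followed by a closing parenthesis; only the session segment is removed. The jsessionid parameter has no policy entry at either level, which is the case that, in As parameter mode, a learning policy would raise a suggestion for.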

Edit inheritance settings

You use the Inheritance Settings screen to change the properties that are part of a policy by editing the inheritance settings of a child or parent policy.
  1. Navigate to the Inheritance Settings screen: click Configuration > SECURITY > Web Application Security > Threat Campaigns.
  2. Click the appropriate policy name to display the policy properties screen.
  3. Click Inheritance Settings.
  4. Review or modify the inheritance settings.
    The contents of this screen differ depending on whether the policy is a parent policy, a child policy, or neither.
  5. If the current policy is neither a parent policy nor a child policy, the Parent Policy list is set to None, and no other properties are shown on the screen.
  6. If the current policy is a child policy or will be a child policy, do the following.
    1. From the Parent Policy list, review or select a parent policy. By default, the setting is None.
    2. Review the list of properties that are displayed, and where needed, select Accept or Decline.
    3. Optionally, add comments about the inheritance settings by clicking the comment icon in the Comments column and typing text in the space provided.
  7. If the current policy is a parent policy, do the following.
    • In the Inheritance column, review or change the inheritance setting in each property row.
      • If the property must be inherited by a child policy, click Mandatory.
      • If the property is optional for a child policy, click Optional.
      • If the property is not available to the child policy, click None.
    • The Accepted, Declined, Unread, and Comments columns show the number of child policies in each category for that property. Optionally, click the number to display additional information on the Child Policy Overview screen.
  8. Click Save to save your changes.
The inheritance settings for the policy are updated.
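The Mandatory, Optional, and None settings on the parent side and the Accept and Decline choices on the child side together determine the value each child policy ends up enforcing. The Python below is an added example, not BIG-IQ code; it resolves a child policy's effective properties under those rules and produces the Accepted, Declined, and Unread counts that the Child Policy Overview screen shows, on constructed parent and child policies. The data model, the treatment of a missing decision as Unread, the exclusion of Mandatory and None properties from the counts, and the function names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Parent-side inheritance settings named on the page.
MANDATORY, OPTIONAL, NONE = "Mandatory", "Optional", "None"
# Child-side decisions named on the page; a missing decision models the Unread column (assumption).
ACCEPT, DECLINE = "Accept", "Decline"


@dataclass
class ParentPolicy:
    name: str
    values: Dict[str, object]          # property -> the parent's value
    inheritance: Dict[str, str]        # property -> Mandatory / Optional / None


@dataclass
class ChildPolicy:
    name: str
    own_values: Dict[str, object]      # what the child would use on its own
    decisions: Dict[str, str] = field(default_factory=dict)   # property -> Accept / Decline


def effective_value(parent: ParentPolicy, child: ChildPolicy, prop: str) -> Tuple[object, str]:
    """Return (value, reason) for one property of the child under the page's rules."""
    setting = parent.inheritance.get(prop, NONE)
    if setting == MANDATORY:
        return parent.values[prop], "inherited: mandatory"
    if setting == OPTIONAL:
        decision = child.decisions.get(prop)
        if decision == ACCEPT:
            return parent.values[prop], "inherited: accepted"
        if decision == DECLINE:
            return child.own_values.get(prop), "own: declined"
        return child.own_values.get(prop), "own: unread"
    return child.own_values.get(prop), "own: not offered by parent"


def resolve_child(parent: ParentPolicy, child: ChildPolicy) -> Dict[str, object]:
    """The property set the child actually enforces once inheritance is applied."""
    props = list(parent.values) + [p for p in child.own_values if p not in parent.values]
    return {p: effective_value(parent, child, p)[0] for p in props}


def child_policy_overview(parent: ParentPolicy, children: List[ChildPolicy]) -> Dict[str, Dict[str, int]]:
    """Per optional property, how many children Accepted, Declined, or have not decided (Unread).

    Mandatory properties are forced and None properties are never offered, so neither is listed.
    """
    overview: Dict[str, Dict[str, int]] = {}
    for prop, setting in parent.inheritance.items():
        if setting != OPTIONAL:
            continue
        counts = {"Accepted": 0, "Declined": 0, "Unread": 0}
        for child in children:
            decision = child.decisions.get(prop)
            if decision == ACCEPT:
                counts["Accepted"] += 1
            elif decision == DECLINE:
                counts["Declined"] += 1
            else:
                counts["Unread"] += 1
        overview[prop] = counts
    return overview


# Constructed sample policies (not from any real deployment).
PARENT = ParentPolicy(
    name="corp-parent",
    values={"enforcement_mode": "blocking", "learning_mode": "manual", "mask_credit_cards": True},
    inheritance={"enforcement_mode": MANDATORY, "learning_mode": OPTIONAL, "mask_credit_cards": NONE},
)
CHILDREN = [
    ChildPolicy("app-a", {"enforcement_mode": "transparent", "learning_mode": "automatic", "mask_credit_cards": False},
                decisions={"learning_mode": DECLINE}),
    ChildPolicy("app-b", {"enforcement_mode": "transparent", "learning_mode": "automatic", "mask_credit_cards": False},
                decisions={"learning_mode": ACCEPT}),
    ChildPolicy("app-c", {"enforcement_mode": "transparent", "learning_mode": "disabled", "mask_credit_cards": True}),
]

if __name__ == "__main__":
    for child in CHILDREN:
        print(child.name, resolve_child(PARENT, child))
    print(child_policy_overview(PARENT, CHILDREN))
```

The point to notice is that a child's own enforcement_mode of transparent is overridden because the parent marked it Mandatory, which is how a parent policy guarantees a baseline that no child can weaken; the Declined and Unread counts are what you then review on the Child Policy Overview screen.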

Edit child policy overview settings

You can edit the inheritance settings for child policies associated with a parent policy. A parent policy can be associated with multiple child policies.
  1. Navigate to the Child Policy Overview screen: click Configuration > SECURITY > Web Application Security > Policies.
  2. Click the name of the policy you want to review, and click Child Policy Overview.
  3. Review the inheritance settings for child policies associated with the parent policy.
    • Click All to view all properties that could be inherited by a child policy.
    • Click Declined to view only the properties that a child policy declined to inherit.
  4. Expand each policy section in the list to review the inheritance status (declined or accepted) for each child policy.
  5. Indicate whether you have reviewed declined inheritance properties. In the Policy Section row for a child policy property:
    • Click Mark as Read to indicate that you have reviewed a declined property for a child policy.
    • Click Mark as Unread to indicate that you have not reviewed a declined property for a child policy.
    • Click Mark All as Read to indicate that you have reviewed all declined properties within that heading.
    • To enter a comment, click the comment icon in the row. To remove all comments in a section, click Clear All in the heading row for the policy section.
  6. Click Save to save your changes.
The child policy overview is updated.

Response page editing

You can review and change the settings on various types of response pages. Response page settings specify the response content that the system sends to the user when the security policy blocks a client request.

Edit Ajax response page settings

You use the Ajax Response Page screen to view and edit the settings for the Ajax response page, which is one of several response pages. Response page settings specify the content of the response that the system sends to the user when the security policy blocks a client request.
  1. Go to the Ajax Response Page screen: click Configuration > SECURITY > Web Application Security > Policies.
  2. Click a policy name, and then click RESPONSE PAGES > Ajax.
  3. In the AJAX Blocking setting, select the Enabled check box to view and edit settings.
    When this is checked (enabled), the system injects JavaScript code into responses.
    You must enable this check box to configure an ASM Ajax response page, which is returned when the system detects an Ajax request that does not comply with the security policy.
  4. From the Default Response Page Action list, select an action. Your selection determines the settings.
    Popup Message: The screen displays a sample pop-up message which you can edit. Click Preview On to preview the response.
    Custom Response: The screen displays the default response page, which you can edit to create a custom response. Alternatively, you can upload the response.
      • Click Choose File to select the file containing the response, and then click Upload to insert it.
      • Click Preview On to preview the response.
      • To return to the original default response text, click Paste Default Response Body.
    Redirect URL: The system redirects the user to a specific web page instead of displaying a response page. You must enter a URL for the redirect.
  5. In the Login Page Response Action list, select an action.
    Your selection determines the settings. The actions are the same as those for the Default Response Page Action list.
  6. In the Failed Login Honeypot Page Response Action list, select an action.
    Your selection determines the settings. The actions are the same as those for the Default Response Page Action list.
  7. When you are finished, save your changes.
The response page settings are updated.

Edit CAPTCHA response page settings

You use the CAPTCHA Response Page screen to view and edit the settings for CAPTCHA responses. Response page settings specify the response content that the system sends to the user when the security policy blocks a client request.
  1. Click Configuration > SECURITY > Web Application Security > Policies.
  2. Click a policy name; on the next screen, on the left, click Response Pages, and then for the Response Pages type, click CAPTCHA Fail.
  3. For the Response Type setting, specify whether to use the default or a custom response.
    • To use the displayed response header and response body, select Default Response.
    • To use a modified response header or response body, select Custom Response.
    Selecting Custom Response makes editing options available.
  4. In the Response Header setting, review or change the response header.
    • If you selected the default response type, you can review but not modify the response header.
    • If you selected the custom response type, you can modify the response header by editing the header text.
    • To replace your modifications with the default response header, click Paste Default Response Header.
  5. For the Response Body setting, review or change the response body.
    • If you selected the default response type, you can review but not modify the response body.
    • If you selected the custom response type, you can modify the response body by editing the body text directly or by importing a file with that text. To import the response body:
      1. Click Choose File.
      2. In the displayed Open dialog box, select the file to import and click Open. The Open dialog box closes.
      3. Click Upload. The contents of the file are now in the response body text box.
    • To replace your modifications with the default response body, click Paste Default Response Body.
  6. For the Preview setting, specify whether to see a preview of the response body.
    • To see a preview of how the response is displayed, click Preview On.
    • To skip the preview, click Preview Off.
  7. When you are finished, save your changes.

Edit CAPTCHA fail response page settings

You use the CAPTCHA Fail Response Page screen to view and edit the settings for CAPTCHA Fail responses. Response page settings specify the response content that the system sends to the user when the security policy blocks a client request.
  1. Click Configuration > SECURITY > Web Application Security > Policies.
  2. Click a policy name; on the next screen, on the left, click Response Pages, and then for the Response Pages type, click CAPTCHA Fail.
  3. For the Response Type setting, specify whether to use the default or a custom response.
    • To use the displayed response header and response body, select Default Response.
    • To use a modified response header or response body, select Custom Response.
    Selecting Custom Response makes editing options available.
  4. For the Response Header setting, review or change the response header.
    • If you selected the default response type, you can review but not modify the response header.
    • If you selected the custom response type, you can modify the response header by editing the header text.
    • To replace your modifications with the default response header, click Paste Default Response Header.
  5. For the Response Body setting, review or change the response body.
    • If you selected the default response type, you can review but not modify the response body.
    • If you selected the custom response type, you can modify the response body by editing the body text directly or by importing a file with that text. To import the response body:
      1. Click Choose File.
      2. In the displayed Open dialog box, select the file to import and click Open. The Open dialog box closes.
      3. Click Upload. The contents of the file are now in the response body text box.
    • To replace your modifications with the default response body, click Paste Default Response Body.
  6. In the Preview setting, select whether to see a preview of the response body.
    • To see a preview of how the response is displayed, click Preview On.
    • To skip the preview, click Preview Off.
  7. When you are finished, save your changes.

Edit default response page settings

You use the Default Response Pages screen to view and edit the settings for the default response page, which is one of several response pages. Response page settings specify the content of the response that the system sends to the user when the security policy blocks a client request.
  1. Go to the Default Response Page screen: click Configuration > SECURITY > Web Application Security > Policies.
  2. Click a policy name, and then click RESPONSE PAGES > Default.
  3. Select a Response Type from the list. Your selection determines the additional settings.
    Default Response: The screen displays the default response header and response body. The system sends the response body to the client as shown. You cannot edit these fields. Click Preview On to preview the response.
    Custom Response: The screen displays the default response header and response body, which you can edit to create a custom response. Alternatively, for the response body, you can upload a response.
      • Click Choose File to select the file containing the response body, and then click Upload to insert it.
      • Click Preview On to preview the response.
      • To return to the original default response text for the header or the body, click Paste Default Response Header or Paste Default Response Body.
    Redirect URL: The system redirects the user to a specific web page instead of displaying a response page. You must enter a URL in the Redirect URL field.
    Soap Fault: Used when the system blocks a SOAP request due to an XML-related violation. The system displays the system-supplied response written in the SOAP fault message structure. You cannot edit this text. Click Preview On to preview the response.
    Erase Cookies: The system deletes all client-side domain cookies. This is done in order to block web application users once, rather than from the entire web application. The system displays this text in the response page. You cannot edit this text. The response header and response body are shown. Click Preview On to preview the response.
  4. When you are finished, save your changes.
The response page settings are updated.

Edit failed login honeypot response page settings

You use the Failed Login Honeypot screen to view and edit the settings for the Failed Login Honeypot response page. Response page settings specify the response content that the system sends to the user when the security policy blocks a client request.
  1. Click Configuration > SECURITY > Web Application Security > Policies.
  2. Click a policy name; on the left of the next screen, click Response Pages, and then for the Response Pages type, click Failed Login Honeypot.
  3. For the Response Type setting, specify whether to use the default or a custom response.
    • To use the displayed response header and response body, select Default Response.
    • To use a modified response header or response body, select Custom Response.
    Selecting Custom Response makes editing options available.
  4. For the Response Header setting, review or change the response header.
    • If you selected the default response type, you can review but not modify the response header.
    • If you selected the custom response type, you can modify the response header by editing the header text.
    • To replace your modifications with the default response header, click Paste Default Response Header.
  5. For the Response Body setting, review or change the response body.
    • If you selected the default response type, you can review but not modify the response body.
    • If you selected the custom response type, you can modify the response body by editing the body text directly or by importing a file with that text. To import the response body:
      1. Click Choose File.
      2. In the displayed Open dialog box, select the file to import and click Open. The Open dialog box closes.
      3. Click Upload. The contents of the file are now in the response body text box.
    • To replace your modifications with the default response body, click Paste Default Response Body.
  6. For the Preview setting, specify whether to see a preview of the response body.
    • To see a preview of how the response is displayed, click Preview On.
    • To skip the preview, click Preview Off.
  7. When you are finished, save your changes.

Edit cookie hijacking response page settings

You use the Cookie Hijacking Response Page screen to view and edit the settings for the Cookie Hijacking response page. Response page settings specify the response content that the system sends to the user when the security policy blocks a client request.
  1. Click Configuration > SECURITY > Web Application Security > Policies.
  2. Click a policy name; on the left of the next screen, click Response Pages, and for the Response Pages type, click Cookie Hijacking.
  3. For the Response Type setting, specify the type of response to use.
    • To use the default response header and body, select Default Response.
    • To use a modified response header or body, select Custom Response.
    • To use the SOAP fault response header and body, select SOAP Fault.
    • To use the erase cookies response header and body, select Erase Cookies.
    The response header and body change based on the response type you select. Selecting Custom Response makes editing options available.
  4. For the Response Header setting, review or change the response header.
    • If you did not select Custom Response as the response type, you can review but not modify the response header.
    • If you selected Custom Response as the response type, you can modify the response header by editing the header text.
    • To replace your modifications with the default response header, click Paste Default Response Header.
  5. For the Response Body setting, review or change the response body.
    • If you did not select Custom Response as the response type, you can review but not modify the response body.
    • If you selected Custom Response as the response type, you can modify the response body by editing the body text directly or by importing a file with that text. To import the response body:
      1. Click Choose File.
      2. In the displayed Open dialog box, select the file to import and click Open. The Open dialog box closes.
      3. Click Upload. The contents of the file are now in the response body text box.
    • To replace your modifications with the default response body, click Paste Default Response Body.
  6. For the Preview setting, specify whether to see a preview of the response body.
    • To see a preview of how the response is displayed, click Preview On.
    • To skip the preview, click Preview Off.
  7. When you are finished, save your changes.

Edit mobile application response page settings

You use the Mobile Application Response Page screen to view and edit the settings for the mobile application response page. Response page settings specify the response content that the system sends to the user when the security policy blocks a client request.
  1. Click Configuration > SECURITY > Web Application Security > Policies.
  2. Click a policy name; on the left of the next screen, click Response Pages, and for the Response Pages type, click Mobile Application.
  3. For the Response Type setting, specify whether to use the default or a custom response.
    • To use the displayed response header and response body, select Default Response.
    • To use a modified response header or response body, select Custom Response.
    Selecting Custom Response makes editing options available.
  4. For the Response Header setting, review or change the response header.
    • If you selected the default response type, you can review but not modify the response header.
    • If you selected the custom response type, you can modify the response header by editing the header text.
    • To replace your modifications with the default response header, click Paste Default Response Header.
  5. For the Response Body setting, review or change the response body.
    • If you selected the default response type, you can review but not modify the response body.
    • If you selected the custom response type, you can modify the response body by editing the body text directly or by importing a file with that text. To import the response body:
      1. Click Choose File.
      2. In the displayed Open dialog box, select the file to import and click Open. The Open dialog box closes.
      3. Click Upload. The contents of the file are now in the response body text box.
    • To replace your modifications with the default response body, click Paste Default Response Body.
  6. For the Preview setting, specify whether to see a preview of the response body.
    • To see a preview of how the response is displayed, click Preview On.
    • To skip the preview, click Preview Off.
  7. When you are finished, save your changes.

Edit login response page settings

You use the Login Pages Response Page screen to view and edit the settings for the login page response page, which is one of several response pages. Response page settings specify the content of the response that the system sends to the user when the security policy blocks a client request.
  1. Go to the Login Pages Response Page screen: click
    Configuration
    SECURITY
    Web Application Security
    Policies
    .
  2. Click a policy name, and then click
    RESPONSE PAGES
    Login Page
    .
  3. Select a
    Response Type
    from the list. Your selection determines the additional settings.
    Default Response
    The screen displays the default response header and response body. The system sends the response body to the client as shown. You cannot edit these fields. Click
    Preview On
    to preview the response.
    Custom Response
    The screen displays the default response header and response body which you can edit to create a custom response. Alternatively, for the response body, you can upload a response.
    • Click
      Choose File
      to select the file containing the response body, and then click
      Upload
      to insert it.
    • Click
      Preview On
      to preview the response.
    • If you want to return to the original default response text for the header or the body, click
      Paste Default Response Header
      or
      Paste Default Response Body
      .
    Redirect URL
    The system redirects the user to a specific web page instead of displaying a response page. You must enter a URL in the
    Redirect URL
    field.
    Soap Fault
    The system blocks a SOAP request due to an XML-related violation.
    The system displays the system-supplied response written in the SOAP fault message structure. You cannot edit this text.
    Click
    Preview On
    to preview the response.
    Erase Cookies
    The system deletes all client side domain cookies. This is done to block the web application user once, rather than from the entire web application. The system displays this text in the response page. You cannot edit this text. The response header and response body are shown. Click
    Preview On
    to preview the response.
  4. When you are finished, save your changes.
The response page settings are updated.

Edit XML response page settings

You use the XML Response Page screen to view and edit the settings for the XML response page, which is one of several response pages. Response page settings specify the content of the response that the system sends to the user when the security policy blocks a client request.
  1. Go to the XML Response Page screen: click
    Configuration
    SECURITY
    Web Application Security
    Policies
    .
  2. Click a policy name, and then click
    RESPONSE PAGES
    XML
    .
  3. Select a
    Response Type
    from the list. Your selection determines the additional settings.
    Custom Response
    The screen displays the default response header and response body which you can edit to create a custom response. Alternatively, for the response body, you can upload a response.
    • Click
      Choose File
      to select the file containing the response body, and then click
      Upload
      to insert it.
    • Click
      Preview On
      to preview the response.
    • If you want to return to the original default response text for the header or the body, click
      Paste Default Response Header
      or
      Paste Default Response Body
      .
    Soap Fault
    The system blocks a SOAP request due to an XML-related violation.
    The system displays the system-supplied response written in the SOAP fault message structure. You cannot edit this text.
    Click
    Preview On
    to preview the response.
  4. When you are finished, save your changes.
The response page settings are updated.

Add or edit brute force attack prevention settings

You can protect login URLs against brute force attacks. A
brute force
attack is an outside attempt by hackers to access post-login pages of a website by guessing user names and passwords. Brute force attacks are performed when a hacker tries to log in to a URL numerous times, running many combinations of user names and passwords, until one succeeds. The
Default
login URL is used for all defined login URLs that do not have their own brute force configuration.
  1. Click
    Configuration
    SECURITY
    Web Application Security
    Policies
    .
  2. Click the name of a policy, and on the left click
    ANOMALY DETECTION
    Brute Force Attack Prevention
    .
  3. Specify the action to take for brute force attack prevention settings:
    • To add a login URL to the security policy, click
      Add
      .
    • To modify the brute force prevention properties for a login URL, click the name of the login URL.
    The brute force prevention properties display.
  4. Supply the general properties for brute force attack prevention for the login URL.
    1. In the
      Login Page
      setting, select a login page, or create a login page by clicking
      Create login page
      .
    2. In the
      Configuration Support
      setting, specify whether to use current or legacy settings. The other available properties differ based on this setting.
      • Select
        Current
        when managing a BIG-IP device version later than 13.0.
      • Select
        13.0 And Prior
        when managing a BIG-IP device version 13.0 or earlier.
    3. In the
      IP Address Whitelist
      setting, review the settings or add new settings. To add an IP address, click the
      IP Address Whitelist
      setting link.
  5. In the Source-based Brute Force Protection area, supply the source-based protection settings.
    This area is available only when
    Configuration Support
    is set to
    Current
    .
    1. In the
      Detection Period
      setting, type the number of minutes the detection period should last.
    2. In the
      Maximum Prevention Duration
      setting, type the number of minutes the prevention period should last.
    3. For each of the other settings in this section, set the trigger and the action:
      • In the
        Trigger
        setting, specify when the trigger for the action occurs by selecting either
        Never
        or
        After
        a specified value is reached.
      • For the
        Action
        setting, select the action that occurs when the trigger is reached.
  6. In the Distributed Brute Force Protection area, supply the distributed protection settings.
    This area is available only when
    Configuration Support
    is set to
    Current
    .
    1. In the
      Detection Period
      setting, type the number of minutes for detection.
    2. In the
      Maximum Prevention Duration
      setting, type the number of minutes for maximum prevention duration.
    3. In the
      Detect Distributed Attack
      setting, select when the distributed attack detection occurs.
      • Select
        Never
        to have no distributed brute force attack protection.
      • Select
        After x failed login attempts
        to have distributed brute force attacks detected if x failed logins are detected within the
        Detection Period
        configured previously.
    4. In the
      Detect Credential Stuffing
      setting, select when the detection should occur.
      • Select
        Never
        to have no credential stuffing detection.
      • Select
        After x login attempts that match stolen credentials dictionary
        to have it reported when the configured conditions are met.
    5. In the
      Mitigation
      setting, select the distributed brute force protection mitigation option to use.
  7. In the Session-based Brute Force Protection area, supply the session-based protection settings.
    This area is available only when the
    Configuration Support
    setting is set to
    13.0 And Prior
    .
    • In the
      Login Attempts from the Same Client
      setting, type the number of attempts to allow.
    • In the
      Re-enable Login After
      setting, type the number of seconds.
    • In the
      Use Device ID
      setting, specify whether it is enabled.
  8. In the Dynamic Brute Force Protection area, supply the dynamic protection settings.
    This area is available only when the
    Configuration Support
    setting is set to
    13.0 And Prior
    .
    • For the
      Operation Mode
      setting, select one of the modes:
      Off
      ,
      Alarm
      , or
      Alarm and Block
      .
    • In the
      Measurement Period
      field, type the number of seconds.
    • In the
      Detection Criteria
      field, type the values that define when a problem is detected.
    • For the
      Prevention Policy
      setting, select one or more of the options to use for the policy. When
      Source IP-Based Client Side Integrity Defense
      is selected, the
      Suspicious Criteria (per IP address)
      setting is displayed and can be modified.
    • In the
      Suspicious Criteria (per IP address)
      setting, type the values that define when failed login attempts become suspicious.
    • In the
      Prevention Duration
      setting, select the duration. This setting is displayed only when
      Source IP-Based Client Side Integrity Defense
      is selected in the
      Prevention Policy
      setting.
      • To have no limit on the duration, select
        Unlimited
        .
      • To have a maximum duration, select
        Maximum
        and type a value for the number of seconds.
  9. Save your work.
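As an added illustration (not F5 code) of how the source-based and distributed settings above interact, the following Python model counts failed logins per source and across all sources inside a sliding Detection Period, triggers mitigation when the configured thresholds are reached, holds it for the Maximum Prevention Duration, and skips sources on the IP Address Whitelist. The class and function names, the threshold values and the sample traffic are all constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class BruteForceSettings:
    """Constructed values for the settings named above; not product defaults."""
    detection_period_min: int = 15        # Detection Period (minutes)
    max_prevention_min: int = 60          # Maximum Prevention Duration (minutes)
    source_trigger: int = 5               # source-based Trigger: After x failed logins (0 = Never)
    distributed_trigger: int = 20         # Detect Distributed Attack: After x failed login attempts (0 = Never)
    ip_whitelist: frozenset = frozenset()  # IP Address Whitelist: sources never counted or mitigated


class BruteForceDetector:
    """Sliding-window counters for one login URL (added model, not F5's implementation)."""

    def __init__(self, settings: BruteForceSettings):
        self.s = settings
        self._by_source = defaultdict(deque)  # src -> timestamps of failures inside the window
        self._all = deque()                   # failure timestamps across all sources
        self._blocked_until = {}              # src -> time until which source mitigation applies
        self._distributed_until = 0.0         # time until which distributed mitigation applies

    def _prune(self, dq, now):
        # Drop failures older than the Detection Period so the window slides.
        cutoff = now - self.s.detection_period_min * 60
        while dq and dq[0] <= cutoff:
            dq.popleft()

    def check(self, src, now):
        """Verdict for a login request before it reaches the login page."""
        if src in self.s.ip_whitelist:
            return "allow"
        if self._blocked_until.get(src, 0.0) > now:
            return "blocked-source"
        if self._distributed_until > now:
            return "mitigate-distributed"
        return "allow"

    def record_failure(self, src, now):
        """Count one failed login; return the list of detections it triggered."""
        if src in self.s.ip_whitelist:
            return []
        triggered = []
        # Simplification: mitigation lasts the full Maximum Prevention Duration.
        until = now + self.s.max_prevention_min * 60
        per_src = self._by_source[src]
        self._prune(per_src, now)
        per_src.append(now)
        self._prune(self._all, now)
        self._all.append(now)
        if self.s.source_trigger and len(per_src) >= self.s.source_trigger:
            self._blocked_until[src] = until
            triggered.append("source")
        if self.s.distributed_trigger and len(self._all) >= self.s.distributed_trigger:
            self._distributed_until = until
            triggered.append("distributed")
        return triggered


def simulate(events, settings):
    """Replay constructed (seconds, source_ip, outcome) events; return the alarms raised."""
    det = BruteForceDetector(settings)
    alarms = []
    for t, src, outcome in events:
        verdict = det.check(src, t)
        if verdict != "allow":
            alarms.append((t, src, verdict))   # request mitigated, credentials never evaluated
            continue
        if outcome == "fail":
            for name in det.record_failure(src, t):
                alarms.append((t, src, "trigger-" + name))
    return alarms


# Constructed traffic: one noisy source, then a low-and-slow spread across many sources.
SAMPLE_EVENTS = (
    [(t, "10.0.0.5", "fail") for t in range(5)]                # five failures, t = 0..4
    + [(5, "10.0.0.5", "ok")]                                    # right password, but the source is blocked
    + [(10 + i, f"192.0.2.{i}", "fail") for i in range(15)]      # 15 sources, one failure each
    + [(30, "203.0.113.7", "fail")]                              # arrives while distributed mitigation is active
)

if __name__ == "__main__":
    for alarm in simulate(SAMPLE_EVENTS, BruteForceSettings()):
        print(alarm)
```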

Add methods

In the application security policy, you can specify methods that other web applications may use when requesting a URL from another domain. All security policies accept standard HTTP methods by default. If your web application uses HTTP methods other than the default allowed methods (GET, HEAD, and POST), you can add them to the security policy.
  1. Click
    Configuration
    SECURITY
    Web Application Security
    Policies
    .
  2. Click the policy name, and then click
    HEADERS
    Methods
    .
  3. Click
    Add
    to add a method.
  4. From the
    Method
    list, select a method.
  5. When you are finished, click
    Save
    .
    The new method is added to the list on the Methods screen. The method appears in blue, meaning that you can edit it. The check box to the left indicates that you can also delete it.
The system updates the policy to use the new methods.

Add or edit HTTP header settings

In the application security policy, you can specify a list of HTTP request headers that other web applications hosted in different domains can use when requesting this URL.
  1. Click
    Configuration
    SECURITY
    Web Application Security
    Policies
    .
  2. Click the policy name.
  3. On the left, click
    HEADERS
    HTTP Headers
    .
    The screen displays a list of HTTP headers. The wildcard header is configured by default.
  4. Select whether to add a new HTTP header or view or modify an existing HTTP header.
    • Click
      Add
      to add a new header.
    • Click the name of the header to view or modify the properties.
    Only HTTP headers that are displayed in blue can be modified or viewed.
  5. Add a
    Name
    . When adding a new header, select the name of the HTTP header from the list. When modifying a header, the name cannot be changed.
  6. Select a
    Type
    . Specifies
    explicit
    or
    wildcard
    . The only wildcard header in the system is the default pure wildcard header (*).
  7. Enable
    Mandatory
    to require this header to appear in requests.
  8. Enable
    Check Signatures
    to allow the system to perform attack signature checks on this header.
  9. Base64 Decoding
    . When enabled, specifies that the security policy checks the header's value for Base64 encoding, and decodes the value. The default is disabled.
  10. Normalization
    . Specifies whether the system normalizes headers. Select the options for which type of normalization the system should perform on headers. There is a performance trade-off when using normalization, so use it only when needed.
    • Percent Decoding
      : Specifies, when enabled, that the system performs the following actions on header content:
      %XX
      and
      %uXX
      , bad unescaping, Apache whitespace, IIS Unicode codepoints, and plus to space.
    • URL Normalization and Percent Decoding:
      Specifies, when enabled, that the system performs these actions on header content: multiple slashes, directory traversal, backslash replacement, path parameter removal, and all
      Percent Decoding
      checks.
    • HTML Normalization:
      Specifies, when enabled, that the system performs the following actions on header content: removes all non-printables, whitespaces and the “+” character, skips comments, decodes HTML entities, performs hex decoding, decimal decoding, 0xXX decoding, style sheet escaping, and removes backslashes.
  11. Enable
    Evasion Techniques Violations
    so that the system logs, and can generate learning suggestions for, evasion violations detected while normalizing this specific header. The default is disabled.
  12. Enable
    Mask Value in Logs
    to mask sensitive user header information from your report logs.
  13. To customize signature override settings for headers, select a signature override from the
    Overridden Security Policy Settings
    list, and then enable or disable it by clicking
    Enabled
    or
    Disabled
    .
  14. Click
    Save
    to save your changes.
The system updates the policy to use the new settings.
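To make the three Normalization options and the Evasion Techniques Violations setting concrete, here is an added Python model (not F5's normalizer) that applies percent decoding, URL normalization and HTML normalization to a header value, records the evasion indicators it had to undo, and runs a signature check on the result. The function names, the sample signatures and the sample header values are constructed for this example.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample signatures, stand-ins for entries in the real attack signature set.
SAMPLE_SIGNATURES = ("/etc/passwd", "<script", "javascript:")

_UNICODE_ESC = re.compile(r"%u([0-9A-Fa-f]{4})")
_BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2}|u[0-9A-Fa-f]{4})")
_CSS_ESCAPE = re.compile(r"\\([0-9A-Fa-f]{1,6}) ?")


def _note(violations, name):
    # Record each evasion indicator once, in the order it was seen.
    if name not in violations:
        violations.append(name)


def percent_decode(value, violations):
    """Percent Decoding: %XX, %uXXXX (IIS Unicode code points), plus-to-space, bad unescaping."""
    if _BAD_ESCAPE.search(value):
        _note(violations, "bad-unescape")   # a % not followed by a valid escape
    value = _UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), value)
    value = value.replace("+", " ")          # before %XX decoding so %2B stays a literal plus
    return unquote(value)


def url_normalize(value, violations):
    """URL Normalization: backslash replacement, path parameters, multiple slashes, directory traversal."""
    if "\\" in value:
        _note(violations, "backslash")
        value = value.replace("\\", "/")
    value = re.sub(r";[^/]*", "", value)     # drop ;param from each path segment
    collapsed = re.sub(r"/{2,}", "/", value)
    if collapsed != value:
        _note(violations, "multiple-slashes")
    segments = []
    for seg in collapsed.split("/"):
        if seg == "..":
            _note(violations, "directory-traversal")
            if segments:
                segments.pop()
        elif seg not in ("", "."):
            segments.append(seg)
    prefix = "/" if collapsed.startswith("/") else ""
    return prefix + "/".join(segments)


def html_normalize(value):
    """HTML Normalization: comments, entities, style sheet escapes, backslashes, whitespace, '+', non-printables."""
    value = re.sub(r"<!--.*?-->", "", value, flags=re.S)                 # skip comments
    value = html.unescape(value)                                         # &lt; &#60; &#x3C; ...
    value = _CSS_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)   # \3c  -> <
    value = value.replace("\\", "")
    return "".join(c for c in value if c.isprintable() and not c.isspace() and c != "+")


def normalize_header(value, percent=False, url=False, html_norm=False):
    """Apply the selected Normalization options; return (normalized value, evasion violations)."""
    violations = []
    if percent or url:                       # URL Normalization includes all Percent Decoding checks
        value = percent_decode(value, violations)
    if url:
        value = url_normalize(value, violations)
    if html_norm:
        value = html_normalize(value)
    return value, violations


def check_header(value, signatures=SAMPLE_SIGNATURES, **options):
    """Signature check on the normalized value, as Check Signatures plus Normalization would see it."""
    normalized, violations = normalize_header(value, **options)
    matched = [sig for sig in signatures if sig in normalized.lower()]
    return normalized, matched, violations


if __name__ == "__main__":
    # Constructed header values; compare the raw and normalized verdicts.
    for raw, opts in (
        ("/app/%2e%2e/%2e%2e%5cetc/passwd", {}),               # raw: nothing matches
        ("/app/%2e%2e/%2e%2e%5cetc/passwd", {"url": True}),    # /etc/passwd, traversal and backslash flagged
        ("&lt;scr<!-- -->ipt&gt;", {"html_norm": True}),       # <script after comment and entity handling
        ("100%+ready", {"percent": True}),                     # benign text, but the bad escape is flagged
    ):
        print(raw, "->", check_header(raw, **opts))
```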

Edit host name settings

You can review, add, and delete host names from the policy using the Host Names screen. This list of host names is used by several features of the application security policy.
  1. Navigate to the Host Names screen: click
    Configuration
    SECURITY
    Web Application Security
    Policies
    .
  2. Then click the name of the appropriate policy, and on the left click
    HEADERS
    Host Names
    .
  3. Review the list of host names.
    If no host names are listed, you can add them by clicking
    Add
    .
  4. To modify a host name, click the name of the host name.
    The Host Name properties screen opens.
  5. Review the Host Name.
  6. To allow users to be redirected to a sub-domain of this host name, select the
    Include Sub-domains
    check box.
  7. To set the policy to transparent mode and forward all responses, select the check box for
    Policy is always transparent for this host
    .
  8. Click
    Save
    to save your changes.
The host name settings for the policy are updated.

Add or edit cookie settings

You can review, add, and remove cookies from a policy, and re-order cookie wildcards using the Cookies screen. You use the same process to modify or add a cookie. The only difference is that when you modify a cookie, the
Cookie Name
properties already exist and you cannot change them.
  1. Click
    Configuration
    SECURITY
    Web Application Security
    Policies
    .
  2. Click the name of the appropriate policy, and on the left click
    HEADERS
    Cookies
    .
    The screen displays a list of cookies.
  3. To add a new cookie, click
    Add
    , or click a cookie name to modify an existing cookie.
    You use the same process to modify or add a cookie. However, you can specify some properties only when adding a cookie, and not modifying an existing cookie.
  4. Type or review the
    Cookie Name
    , and specify whether it is
    Explicit
    or is a
    Wildcard
    expression.
    You can specify a cookie name only when adding a new cookie.
  5. Specify the
    Cookie Type
    :
    • Select
      Allowed
      to indicate the client may change the cookie.
    • Select
      Enforced
      to indicate that the cookie cannot be changed by the client.
    Allowed
    provides additional options.
  6. Select the settings for the cookie.
    • For
      Perform Staging
      , select the
      Enabled
      check box to indicate that the cookie is placed in staging.
    • For
      Insert HTTPOnly attribute
      , select the check box to insert the attribute in the domain cookie response header.
    • For
      Insert SameSite attribute
      , specify whether the attribute should be set to
      None
      ,
      Strict
      , or
      Lax
      . Only
      None
      can be selected for BIG-IP devices earlier than version 13.1.
    • For
      Insert Secure attribute
      , select the check box to insert the attribute into the domain cookie response header.
    • For
      Base64 Decoding
      , select the check box to enable decoding of Base64 strings. (This setting is displayed only if the
      Cookie Type
      is set to
      Allowed
      .)
    • For
      Mask Value in Logs
      , select the
      Enabled
      check box to mask sensitive user information in your report logs.
    • For
      Attack Signatures Check
      , select the check box to verify attack signatures and display attack signature override settings. (This setting is displayed only if the
      Cookie Type
      is set to
      Allowed
      .)
    • For
      Attack Signature Overrides
      , select a signature from the list, and then click
      Enabled
      or
      Disabled
      to indicate whether each signature should be overridden.
    Once you have completed setting configuration, click
    Save
    to save your changes.
    Once you save, the screen returns to the policy's list of cookies.
  7. To remove a cookie from staging, select the check box for the cookie and click
    Enforce Selected
    .
  8. To filter the list of cookies by their enforcement readiness, select an option from the
    Enforcement Readiness
    setting.
    Enforcement readiness is the state of enforcement for each cookie, such as not enforced, has a suggestion, or is ready to be enforced.
    • To list all cookies, select
      All
      .
    • To list cookies that have one or more suggestions, select
      Has suggestion
      .
    • To list cookies that are not being enforced, select
      Not enforced
      .
    • To list cookies that are ready to be enforced, select
      Ready to be enforced
      .
  9. Click
    Save
    to save your changes.
The cookie settings for the policy are added or updated.

Edit redirection protection settings

You can enable redirection protection and list those domains that are allowed by your security policy, using the Redirection Protection screen. By enabling redirection protection, you can help prevent users from being redirected to questionable, phishing, or malware websites.
  1. Click
    Configuration
    SECURITY
    Web Application Security
    Policies
    .
  2. Click the name of the appropriate policy, and on the left click
    HEADERS
    Redirection Protection
    .
  3. For the
    Redirection Protection
    setting, select the
    Enabled
    check box.
    The screen displays other property settings.
  4. For
    Domain Name
    , type the domain name that is allowed by the security policy.
  5. To have the security policy also allow sub-domains of the domain, select the
    Include Sub-Domains
    check box.
  6. To add the domain to the
    Allowed Redirection Domains
    list, click
    Add
    .
  7. To delete a domain from the
    Allowed Redirection Domains
    , click the
    X
    to the left of that domain name.
    The domain is removed without confirmation.
  8. Save your work.
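An added Python example (not F5 code) of the check that Redirection Protection performs on a response's Location header against the Allowed Redirection Domains list, honouring Include Sub-Domains and rejecting look-alike hosts, userinfo tricks and backslash variants. The domain list, the sample Location values and the function names are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed Allowed Redirection Domains list: domain -> Include Sub-Domains check box.
ALLOWED_REDIRECT_DOMAINS = {
    "example.com": True,        # example.com and every sub-domain of it
    "sso.example.net": False,   # exactly this host only
}


def redirect_host(location):
    """Host a Location header points at: None for a relative redirect, '' for an unusable one."""
    # Browsers treat backslashes in http(s) URLs as slashes; normalize first so that
    # "https:/\attacker.example" is not mistaken for a relative path.
    parts = urlsplit(location.strip().replace("\\", "/"))
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return ""                             # javascript:, data: and friends never match a domain
    host = parts.hostname                     # lower-cased; userinfo and port already stripped
    if host is None:
        return "" if parts.scheme else None   # "http:attacker.example" is absolute to a browser
    return host.rstrip(".")                   # "example.com." is the same host as "example.com"


def redirect_allowed(location, allowed=ALLOWED_REDIRECT_DOMAINS):
    """True if a redirect target is on the allowed list (model of Redirection Protection)."""
    host = redirect_host(location)
    if host is None:
        return True                           # stays on the protected application
    if not host:
        return False
    for domain, include_subdomains in allowed.items():
        domain = domain.lower().rstrip(".")
        if host == domain:
            return True
        # Require the dot so that "notexample.com" does not pass as a sub-domain of example.com.
        if include_subdomains and host.endswith("." + domain):
            return True
    return False


if __name__ == "__main__":
    # Constructed Location values, including look-alikes that a naive substring check would pass.
    for loc in ("/account", "https://www.example.com/", "https://EXAMPLE.COM./",
                "https://sso.example.net/login", "https://login.sso.example.net/",
                "https://notexample.com/", "https://example.com.attacker.example/",
                "https://example.com@attacker.example/", "https:/\\attacker.example/",
                "//attacker.example/", "javascript:alert(1)"):
        print("allow" if redirect_allowed(loc) else "block", loc)
```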

Edit header character set settings

You can configure the security policy to allow or disallow certain characters in the value field of an HTTP header and in uncommon header names.
  1. Navigate to the Character Set screen: click
    Configuration
    SECURITY
    Web Application Security
    Policies
    .
  2. Click the name of the appropriate policy, expand
    HEADERS
    and click
    Character Set
    .
  3. Review the list of characters, and for each, determine whether it should be allowed.
    You can use the View options to select which group of characters is displayed.
    • To allow characters in a header, select the check box in the
      Allowed
      column of the table row.
    • For characters that should not be allowed in a header, clear the check box in the
      Allowed
      column of the table row.
  4. Click
    Save
    to save your changes.

Edit IP addresses list settings

You can view and edit configured IP address exceptions and characteristics.
  1. Navigate to the IP Address screen: click
    Configuration
    SECURITY
    Web Application Security
    Policies
    .
  2. Select a policy name, expand
    IP ADDRESSES
    , and select
    IP Addresses List
    .
  3. Click
    Add
    .
  4. Type an
    IP Address
    that you want the system to trust.
    To add a route domain, type
    %n
    after the IP address where
    n
    is the route domain identification number.
  5. Type a
    Netmask
    .
    If you omit the netmask value, the system uses a default value of
    255.255.255.255
    .
  6. Select whichever of the following options should be enabled.
    • Select the
      Policy Builder Trusted IP
      check box to specify that the Policy Builder considers traffic from this IP address to be legitimate. The Policy Builder automatically adds data logged from traffic sent from this IP address to the security policy.
    • Select the
      Ignore in Anomaly Detection and do not Collect Device ID
      check box to specify that the system considers traffic from this IP address to be safe. The security policy does not take this IP address into account when performing brute force prevention and web scraping detection.
    • Select the
      Ignore in Learning Suggestion
      check box to specify that the system not generate learning suggestions from traffic sent from this IP address.
    • Select the
      Never log traffic from this IP Address
      check box to specify that the system not log requests or responses sent from this IP address, even if the security policy is configured to log all traffic.
    • Select the
      Ignore IP Address Intelligence
      check box to specify that the system considers traffic from this IP address to be safe even if it matches an IP address in the IP Address Intelligence database.
  7. In the
    Block this IP Address
    setting, select one of the blocking options.
    • Select
      Policy Default
      to use the policy blocking settings.
    • Select
      Never Block This IP
      to not block this IP address.
    • Select
      Always Block This IP
      to block this IP address.
    If
    Always Block This IP
    is selected, many of the options become invalid and are removed from the screen.
  8. Type a brief description for the IP address.
  9. When you are finished, click
    Save
    to save the modifications and unlock the policy.
The IP Address settings are updated to use the new configured IP address exceptions, and any changes made are put into effect in the working configuration of the BIG-IQ Centralized Management system.

Edit IP address intelligence settings

You can review and modify IP address intelligence settings. An
IP intelligence database
is a list of IP addresses with questionable reputations. Refer to the ASM documentation or online help for more information on IP address intelligence.
  1. Navigate to the IP Address screen: click
    Configuration
    SECURITY
    Web Application Security
    Policies
    .
  2. Select a policy name, expand
    IP ADDRESSES
    , and select
    IP Address Intelligence
    .
  3. Select the
    IP Address Intelligence
    Enabled
    check box.
    Other properties display; you can review the descriptions of the properties for additional information.
  4. For the
    IP Address White List
    setting, type the IP address and subnet mask for each IP address that should be whitelisted, and click
    Add
    after each addition.
  5. In the
    IP Address Intelligence Categories
    area, specify the categories that you want to alarm or block.
    • Select the
      Alarm
      check box to specify that whenever a request is sent from a source IP address that matches the category, the system logs the IP Intelligence data.
    • Select the
      Block
      check box to specify that the system stops requests sent from a source IP address that matches the category.
      In order for the system to block requests, the security policy must be in Blocking mode.
  6. Click
    Save
    when you are done.
The IP address intelligence settings are updated.

Add or edit HTTP URL settings

You can view, add, modify, and remove HTTP URLs that are either allowed or disallowed in an application security policy.
Allowed URLs
are URLs that the security policy accepts in traffic to the web application being protected.
Disallowed URLs
are URLs that the security policy denies.
  1. Click
    Configuration
    SECURITY
    Web Application Security
    Policies
    .
  2. Click the name of the appropriate policy, then on the left expand
    URLs
    , and click
    HTTP
    .
    The screen displays the list of HTTP URLs. You can add, delete, or reorder the HTTP URLs that are allowed or disallowed.
  3. To add an allowed or disallowed HTTP URL to a policy, click
    Add
    for the allowed or disallowed list.
    Allowed HTTP URLs are listed at the top of the screen and disallowed HTTP URLs are listed at the bottom. The Add URL screen displays the properties, which differ between allowed URLs and disallowed URLs.
    • For disallowed HTTP URLs, specify whether the protocol is HTTP or HTTPS, and type the URL name.
    • For allowed HTTP URLs, specify whether the URL is explicit or a wildcard, whether the protocol is HTTP or HTTPS, and type the URL name or wildcard. Specify or modify additional properties for the allowed HTTP URL as needed.
  4. Save your work.
  5. To review or edit the properties of a URL, click the URL to open the Properties screen.
    Allowed URLs are listed in the Allowed URL column in the upper table of URLs. Disallowed URLs are listed in the Disallowed URL column in the bottom table of URLs.
  6. To change the processing order of allowed URLs with the wildcard type, click
    Wildcards Order
    .
    The Wildcard Order screen opens, where you can move the wildcard entries in the list to change their sequence, and save your work.
  7. To remove an HTTP URL from staging, select the check box for the HTTP URL and click
    Enforce Selected
    .
  8. To filter the list of HTTP URLs by their enforcement readiness, select a value from the
    Enforcement Readiness
    setting.
    • To list all HTTP URLs, select
      All
      .
    • To list HTTP URLs that have one or more suggestions, select
      Has suggestion
      .
    • To list HTTP URLs that are not being enforced, select
      Not enforced
      .
    • To list HTTP URLs that are ready to be enforced, select
      Ready to be enforced
      .
  9. To delete an allowed or disallowed HTTP URL from the policy, select the check box in the row for that HTTP URL and click
    Delete
    in the upper or lower portion of the screen, whichever is appropriate.

Add or edit WebSocket URL settings

You can view, add, modify, and remove WebSocket URLs that are either allowed or disallowed in an application security policy.
Allowed URLs
are URLs that the security policy accepts in traffic to the web application being protected.
Disallowed URLs
are URLs that the security policy denies.
  1. Click
    Configuration
    SECURITY
    Web Application Security
    Policies
    .
  2. Click the name of the appropriate policy, then on the left expand
    URLs
    and click
    WebSocket
    .
    The WebSocket URLs screen opens, where you can add or edit WebSocket URLs.
  3. To remove the WebSocket URL from staging, select the check box for the WebSocket URL and click
    Enforce Selected
    .
  4. To edit the properties of a WebSocket URL, click the URL in either the
    Allowed WebSocket URLs
    or
    Disallowed WebSocket URLs
    column.
    The WebSocket URL properties screen opens, and you can change the properties (as described in the details for adding a URL of that type).
  5. To add a WebSocket URL to a policy, determine whether it is an allowed or disallowed WebSocket URL.
    • To add an allowed WebSocket URL, click
      Add
      in the upper portion of the screen. This opens the Add Allowed WebSocket URL screen, where you can supply the needed properties.
    • To add a disallowed WebSocket URL, click
      Add
      in the lower portion of the screen. This opens the Add Disallowed WebSocket URL screen, where you can supply the needed properties.
  6. For disallowed WebSocket URLs:
    1. Specify whether the protocol is
      WS
      or
      WSS
      .
    2. Type the URL name.
  7. For allowed WebSocket URLs, supply the needed properties.
    1. In the Properties area, supply or modify the overall properties for the WebSocket URL.
    2. In the Message Handling area, supply or modify the message handling properties for the WebSocket URL.
    3. For wildcard URLs, expand the Meta Characters area to specify how meta characters are handled.
      • For
        Check Signatures on this URL
        , select the
        Enabled
        check box.
      • For
        Check characters on this URL
        , select the meta characters from the list and then click
        Allow
        or
        Disallow
        as needed.
    4. In the HTML5 Cross-Domain Request Enforcement area, supply or modify the HTML5 cross-domain request enforcement properties for the WebSocket URL.
  8. To filter the list of WebSocket URLs by their enforcement readiness, select an option from the
    Enforcement Readiness
    list.
    • To list all WebSocket URLs, select
      All
      .
    • To list WebSocket URLs that have one or more suggestions, select
      Has suggestion
      .
    • To list WebSocket URLs that are not being enforced, select
      Not enforced
      .
    • To list WebSocket URLs that are ready to be enforced, select
      Ready to be enforced
      .
  9. Save your work.

Edit URL character set settings

You can view and edit how the security policy responds to each character contained in a URL.
  1. Navigate to the Character Sets URL screen: click
    Configuration
    SECURITY
    Web Application Security
    Policies
    .
  2. Click the name of the appropriate policy, on the left expand
    URLs
    , and click
    Character Sets
    .
  3. Review the list of characters, and for each, determine whether it should be allowed.
    You can use the View options to select which group of characters is displayed.
    • To allow characters in a URL, select the check box in the
      Allowed
      column of the table row.
    • For characters that should not be allowed in a URL, clear the check box in the
      Allowed
      column of the table row.
  4. Click
    Save
    to save your changes.

Add or edit file types settings

You can add and configure settings for file types that are allowed (or disallowed) in traffic to the web application being protected. These settings determine how the security policy reacts to requests referring to files with these extensions.
  1. Click
    Configuration
    SECURITY
    Web Application Security
    Policies
    .
  2. Click the name of the policy to change, and on the left, click
    File Types
    .
    The screen displays a list of file types.
  3. To remove the file type from staging, select the check box for the file type and click
    Enforce Selected
    .
  4. To add a file type to the policy, click
    Add
    in either the Allowed File Types area at the top of the screen, or in the Disallowed File Types area at the bottom of the screen.
    • Use the Allowed File Types area to add file types that the security policy considers legal, and to view information about each file type.
    • Use the Disallowed File Types area to add file types that the security policy considers illegal, and to exclude file types that are included in allowed wildcard file types.
    The screen displays fields applicable to your selection.
  5. If you chose to add Disallowed File Types, fill in the name.
  6. If you chose to add Allowed File Types, fill in these settings.
    1. For
      File type
      , select whether the file type is a wildcard or is explicit, and type a wildcard name or an explicit name.
    2. For
      Perform Staging
      , select the
      Enabled
      check box to have the system perform staging.
    3. For
      URL Length
      , type the maximum acceptable length, in bytes, of a URL containing this file type.
    4. For
      Request Length
      , type the maximum acceptable length, in bytes, of the request containing this file type.
    5. For
      Query String Length
      , type the maximum acceptable length, in bytes, for the query string portion of a URL that contains this file type.
    6. For
      POST Data Length
      , type the maximum acceptable length, in bytes, for the POST data of an HTTP request that contains the file type.
    7. For
      Apply Response Signature Staging
      , select the check box to apply response signature staging.
  7. To filter the list of file types by their enforcement readiness, select an option from the
    Enforcement Readiness
    setting.
    • To list all file types, select
      All
      .
    • To list file types that have one or more suggestions, select
      Has suggestion
      .
    • To list file types that are not being enforced, select
      Not enforced
      .
    • To list file types that are ready to be enforced, select
      Ready to be enforced
      .
  8. When you are finished, save your work.
The file types settings are updated to use the new settings, and any changes you made are put into effect in the working configuration of the BIG-IQ Centralized Management system.
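The file type rules above, as an added worked example that is not part of this manual or of the BIG-IQ software: a small Python model that classifies a request by its extension (Disallowed File Types excluded first, explicit names before wildcards, so a disallowed entry carves an exception out of an allowed wildcard such as *) and then applies the four per-file-type length limits, with a blank field meaning no restriction and Perform Staging turning a violation into a learning record instead of a block. The sample policy and URLs, the no_ext label for extension-less paths, and the exact measurement boundaries are this example's assumptions.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class FileType:
    """One Allowed File Types entry; None models a length field left blank."""
    name: str                              # explicit name ("php") or wildcard ("*", "js*")
    is_wildcard: bool = False
    perform_staging: bool = False          # violations are learned, not enforced
    url_length: Optional[int] = None
    request_length: Optional[int] = None
    query_string_length: Optional[int] = None
    post_data_length: Optional[int] = None


def extension_of(url: str) -> str:
    """Lower-cased extension of the URL path; 'no_ext' is this example's label for none."""
    last_segment = urlsplit(url).path.rsplit("/", 1)[-1]
    return last_segment.rsplit(".", 1)[1].lower() if "." in last_segment else "no_ext"


def match_file_type(allowed: List[FileType], disallowed: List[str],
                    url: str) -> Tuple[str, Optional[FileType]]:
    """Entry governing a URL: a disallowed type beats an allowed one, explicit beats wildcard."""
    ext = extension_of(url)
    # A Disallowed File Type excludes the extension even when an allowed wildcard matches it
    if any(fnmatch.fnmatchcase(ext, pat.lower()) for pat in disallowed):
        return "disallowed", None
    for ft in sorted(allowed, key=lambda f: f.is_wildcard):   # explicit entries first
        hit = fnmatch.fnmatchcase(ext, ft.name.lower()) if ft.is_wildcard else ext == ft.name.lower()
        if hit:
            return "allowed", ft
    return "illegal", None   # extension covered by no file type entry at all


def check_request(allowed: List[FileType], disallowed: List[str], url: str,
                  post_data: bytes = b"", request_size: Optional[int] = None) -> Tuple[str, List[str]]:
    """Apply the matched file type's limits; returns (verdict, names of violated settings).

    Measurement boundaries are this example's assumption: URL Length covers the path,
    Query String Length the part after '?', POST Data Length the body, and Request Length
    the caller-supplied total size (or path+query+body when none is given).
    """
    verdict, ft = match_file_type(allowed, disallowed, url)
    if ft is None:
        return verdict, []
    parts = urlsplit(url)
    observed = {
        "URL Length": len(parts.path.encode()),
        "Request Length": request_size if request_size is not None else len(url.encode()) + len(post_data),
        "Query String Length": len(parts.query.encode()),
        "POST Data Length": len(post_data),
    }
    limits = {
        "URL Length": ft.url_length,
        "Request Length": ft.request_length,
        "Query String Length": ft.query_string_length,
        "POST Data Length": ft.post_data_length,
    }
    violations = [k for k, v in observed.items() if limits[k] is not None and v > limits[k]]
    if violations and ft.perform_staging:
        return "staged", violations          # recorded as a learning suggestion only
    return ("blocked" if violations else "allowed"), violations


# Constructed sample policy: a permissive wildcard, tighter explicit entries, two exclusions
SAMPLE_ALLOWED = [
    FileType("*", is_wildcard=True, url_length=100, query_string_length=10),
    FileType("php", url_length=50, query_string_length=8, post_data_length=20),
    FileType("jsp", perform_staging=True, url_length=5),
]
SAMPLE_DISALLOWED = ["bak", "old"]

if __name__ == "__main__":
    for u in ("/index.php?id=1", "/index.php?id=1&x=2222", "/config.bak", "/a.jsp"):
        print(u, check_request(SAMPLE_ALLOWED, SAMPLE_DISALLOWED, u))
```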

Edit or add JSON content profile settings

You use JSON content profile properties to define what the application security policy enforces and considers legal when it detects traffic that contains JSON data.
  1. Click
    Configuration
    SECURITY
    Web Application Security
    Policies
    .
  2. Click the name of the policy you want to modify, then on the left expand
    CONTENT PROFILES
    , and click
    JSON Profiles
    .
  3. Click the name of the JSON profile to modify, or click
    Add
    to create a new one.
  4. Review the existing name, or type a
    Profile Name
    for the new profile.
  5. Revise or type an optional
    Description
    for the profile.
  6. In the
    Maximum Total Length Of JSON Data
    field, type or revise the maximum length, in bytes, that the security policy allows for the request payload or parameter value in which the JSON data was found.
    To have no length restriction, you can leave this field blank.
  7. In the
    Maximum Value Length
    field, type or revise the maximum acceptable length, in bytes, of the longest JSON element value in the document allowed by the security policy.
    To have no length restriction, you can leave this field blank.
  8. For
    Maximum Structure Depth
    , type or revise the greatest nesting depth that the security policy allows in the JSON structure.
    To have no depth restriction, you can leave this field blank.
  9. In the
    Maximum Array Length
    field, type or revise the largest number of elements allowed for arrays.
    To have no array length restriction, you can leave this field blank.
  10. For
    Tolerate JSON Parsing Warnings
    , specify whether the system tolerates warnings that it encounters while parsing JSON content.
    • Select the
      Enabled
      check box to specify that the system does not report when the security enforcer encounters warnings while parsing JSON content.
    • Clear the check box to specify that the security policy reports when the security enforcer encounters warnings while parsing JSON content.
  11. For
    Parse Parameters
    , specify whether to enable parameter parsing.
    • To enable parsing, select the
      Enabled
      check box.
    • When this setting is disabled, the system displays additional areas (Attack Signature Overrides, Meta Characters, and Sensitive Data Configuration) with further properties that you can review and modify.
  12. Expand the Attack Signatures Overrides area to select any signature overrides. (This area is displayed only when
    Parse Parameters
    is disabled.)
    • For the
      Attack Signatures Check
      setting, select the
      Enabled
      check box.
    • For the
      Attack Signatures Overrides
      setting, select the signature from the list and then click
      Enabled
      or
      Disabled
      as needed for that signature.
  13. Expand the Meta Characters area to select how meta characters are handled. (This area is displayed only when
    Parse Parameters
    is disabled.)
    • For the
      Check Characters
      setting, select the
      Enabled
      check box.
    • For the
      Overrides
      setting, select the meta characters from the list and then click
      Allowed
      or
      Disallowed
      as needed.
  14. Expand the Sensitive Data Configuration area to select how sensitive data is handled. (This area is displayed only when
    Parse Parameters
    is disabled.)
    1. In the
      Sensitive Data
      setting, type an element name within the JSON data whose values the system should consider sensitive.
    2. Click
      Add
      to add the element name to the sensitive data list.
  15. Click
    Save
    to save your changes.
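The four JSON profile limits above, as an added worked example that is not part of this manual or of the BIG-IQ software: a Python checker that measures a payload's total size, deepest nesting, longest array and longest scalar value and reports which settings it violates, with None standing for a field left blank (no restriction). Treating any decode problem as a "parsing warning", the sample payload and the strict profile are this example's constructions.

```python
import json
from dataclasses import dataclass
from typing import Any, List, Optional


@dataclass
class JsonProfile:
    """Limits from a JSON content profile; None models a field left blank (no restriction)."""
    max_total_length: Optional[int] = None      # Maximum Total Length Of JSON Data
    max_value_length: Optional[int] = None      # Maximum Value Length
    max_structure_depth: Optional[int] = None   # Maximum Structure Depth
    max_array_length: Optional[int] = None      # Maximum Array Length
    tolerate_parsing_warnings: bool = False     # Tolerate JSON Parsing Warnings


def _walk(node: Any, depth: int, stats: dict) -> None:
    """Record the deepest container, the longest array and the longest scalar value."""
    if isinstance(node, (dict, list)):
        depth += 1                                   # every object or array adds one level
        stats["depth"] = max(stats["depth"], depth)
        if isinstance(node, list):
            stats["array"] = max(stats["array"], len(node))
        for child in (node.values() if isinstance(node, dict) else node):
            _walk(child, depth, stats)
    else:
        # Strings are measured without their quotes; other scalars as serialized
        text = node if isinstance(node, str) else json.dumps(node)
        stats["value"] = max(stats["value"], len(text.encode("utf-8")))


def json_stats(doc: Any) -> dict:
    """Depth, longest array and longest value observed in an already-parsed document."""
    stats = {"depth": 0, "array": 0, "value": 0}
    _walk(doc, 0, stats)
    return stats


def check_json_payload(profile: JsonProfile, payload: bytes) -> List[str]:
    """Names of the profile settings the payload violates (empty list = legal)."""
    violations: List[str] = []
    if profile.max_total_length is not None and len(payload) > profile.max_total_length:
        violations.append("Maximum Total Length Of JSON Data")
    try:
        doc = json.loads(payload)
    except json.JSONDecodeError:
        # Simplification: any decode problem (e.g. trailing data) counts as a parsing warning
        if not profile.tolerate_parsing_warnings:
            violations.append("Tolerate JSON Parsing Warnings")
        return violations
    stats = json_stats(doc)
    if profile.max_value_length is not None and stats["value"] > profile.max_value_length:
        violations.append("Maximum Value Length")
    if profile.max_structure_depth is not None and stats["depth"] > profile.max_structure_depth:
        violations.append("Maximum Structure Depth")
    if profile.max_array_length is not None and stats["array"] > profile.max_array_length:
        violations.append("Maximum Array Length")
    return violations


# Constructed sample: 54 bytes, nesting depth 3, longest array 2, longest value 5 bytes
SAMPLE_PAYLOAD = b'{"user": {"roles": ["admin", "ops"], "note": "short"}}'
STRICT_PROFILE = JsonProfile(max_total_length=100, max_value_length=4,
                             max_structure_depth=2, max_array_length=5)

if __name__ == "__main__":
    print(check_json_payload(JsonProfile(), SAMPLE_PAYLOAD))   # all fields blank: no limits
    print(check_json_payload(STRICT_PROFILE, SAMPLE_PAYLOAD))  # value and depth limits exceeded
```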

Edit or add XML content profile settings

You use XML content profile properties to define what the application security policy enforces and considers legal when it detects traffic that contains XML data.
  1. Navigate to the XML Profiles screen: click
    Configuration
    SECURITY
    Web Application Security
    Policies
    .
  2. Click the name of the policy you want to work with, then, on the left, expand
    CONTENT PROFILES
    , and click
    XML Profiles
    .
  3. Click the name of the XML profile to modify, or click
    Add
    to create a new one.
  4. Review the existing name or type a
    Profile Name
    for the new profile.
  5. Review, revise, or type an optional
    Description
    for the profile.
  6. For the
    Use XML Blocking Response Page
    property, select the type of response page to send when the security policy blocks a client request that contains XML content that does not comply with the settings of this XML profile.
    • To have the system send an XML response page, select the
      Enabled
      check box.
    • To have the system send the default response page, do not select the
      Enabled
      check box.
  7. To configure the validation and defense settings of an XML profile, expand the XML Firewall Configuration area and modify those settings as needed.
  8. To configure the system to perform attack signature checks on the XML profile, expand the Attack Signatures area and modify those settings as needed.
  9. To change the security policy settings for specific meta characters in XML values on the XML profile, expand the Meta Characters area and modify those settings as needed.
  10. Expand the Sensitive Data Configuration area to program the system to mask sensitive data that appears in an XML document, as shown in the BIG-IP device configuration interface and internal Application Security logs.
  11. Click
    Save
    to save your changes.

Edit or add plain text content profile settings

You use plain text content profile properties to define what the application security policy enforces and considers legal when it detects traffic that contains plain text data.
  1. Navigate to the Plain Text Profiles screen: click
    Configuration
    SECURITY
    Web Application Security
    Policies
    .
  2. Click the name of the policy you want to modify, and on the left, expand
    CONTENT PROFILES
    , and click
    Plain Text Profiles
    .
  3. Click the name of the plain text profile to modify, or click
    Add
    to create a new one.
  4. Review the existing name, or type a
    Profile Name
    for the new profile.
  5. Review, revise, or type an optional
    Description
    for the profile.
  6. In the
    Maximum Total Length
    field, type the longest length, in bytes, allowed by the security policy.
    You can leave this field blank to have no length restriction.
  7. In the
    Maximum Line Length
    field, type the longest line length, in bytes, allowed by the security policy.
    You can leave this field blank to have no length restriction.
  8. If you want the system to perform percent decoding, select the
    Perform Percent Decoding
    Enabled
    check box.
  9. To configure attack signature overrides, expand Attack Signatures Overrides and supply the needed values.
    1. In the
      Attack Signatures Check
      setting, select the
      Enabled
      check box.
    2. In the
      Attack Signatures Overrides
      setting, select one or more attack signatures to override.
    3. For each attack signature, select whether the override is enabled or disabled.
  10. To change the security policy settings for specific meta characters in values on the plain text profile, expand Meta Characters and supply the needed values.
    1. In the
      Check Characters
      setting, select the
      Enabled
      check box.
    2. In the
      Overrides
      setting, select one or more meta characters to override.
    3. For each meta character, select whether the override is allowed or disallowed.
  11. Click
    Save
    to save your changes.

Edit character set JSON settings

You can configure the security policy to allow or disallow certain characters if they appear in JSON values.
  1. Navigate to the JSON screen: click
    Configuration
    SECURITY
    Web Application Security
    Policies
    .
  2. Click the name of the policy you want to work with, and on the left expand
    CONTENT PROFILES
    and
    CHARACTER SETS
    , then click
    JSON
    .
  3. Review the list of characters, and for each, determine whether it should be allowed or not.
    • To allow characters, select the check box in the Allowed column of the table row.
    • For characters that should not be allowed, clear the check box in the Allowed column of the table row.
    Use the View options to select which characters are displayed.
    • Click
      All Characters
      to display all characters.
    • Click
      Allowed
      to display only characters that are marked as allowed.
    • Click
      Disallowed
      to display only characters that are not allowed.
  4. Click
    Save
    to save your changes.

Edit character set plain text settings

You can configure the security policy to allow or disallow certain characters if they appear in plain text values.
  1. Navigate to the Plain Text screen: click
    Configuration
    SECURITY
    Web Application Security
    Policies
    .
  2. Click the name of the appropriate policy, and on the left expand
    CONTENT PROFILES
    and
    CHARACTER SETS
    , then click
    Plain Text
    .
  3. Review the list of characters, and for each, determine whether it should be allowed or not.
    • To allow characters, select the check box in the Allowed column of the table row.
    • For characters that should not be allowed, clear the check box in the Allowed column of the table row.
    Use the View options to select which characters are displayed.
    • Click
      All Characters
      to display all characters.
    • Click
      Allowed
      to display only characters that are marked as allowed.
    • Click
      Disallowed
      to display only characters that are not allowed.
  4. Click
    Save
    to save your changes.

Edit character set XML settings

You can configure the security policy to allow or disallow certain characters if they appear in XML values.
  1. Navigate to the XML screen: click
    Configuration
    SECURITY
    Web Application Security
    Policies
    .
  2. Click the name of the appropriate policy, and on the left expand
    CONTENT PROFILES
    and
    CHARACTER SETS
    , then click
    XML
    .
  3. Review the list of characters, and for each, determine whether it should be allowed or not.
    • To allow characters, select the check box in the Allowed column of the table row.
    • For characters that should not be allowed, clear the check box in the Allowed column of the table row.
    Use the View options to select which characters are displayed.
    • Click
      All Characters
      to display all characters.
    • Click
      Allowed
      to display only characters that are marked as allowed.
    • Click
      Disallowed
      to display only characters that are not allowed.
  4. Click
    Save
    to save your changes.

Add or edit parameter settings

You can add or edit settings for parameters that the security policy permits in requests, such as the parameter type and whether the parameter is allowed to contain an empty value. The default parameter is displayed for all policies, and can be edited. It is indicated by
*
(asterisk).
  1. Click
    Configuration
    SECURITY
    Web Application Security
    Policies
    .
  2. Click a policy name, and on the left, click
    PARAMETERS
    Parameters
    .
  3. You can add a new, or edit an existing, parameter.
    • To add a new parameter, click
      Add
      .
    • To edit an existing parameter, click the parameter name.
    The properties screen opens for the new or existing parameter.
  4. To remove the parameter from staging, select the check box for the parameter and click
    Enforce Selected
    .
  5. For a new parameter, for the
    Name
    setting, select the type, and then type a name for the new parameter.
    • Select
      explicit
      if this is a regular named parameter.
    • Select
      wildcard
      if any parameter name that matches the wildcard expression is permitted by the security policy. (For example, typing the wildcard
      *
      specifies that the security policy allows every parameter.) The syntax for wildcard entities is based on shell-style wildcard characters.
    • Select
      no name
      if this parameter does not have a name. The system automatically names the parameter
      no name
      and it behaves the same as an explicit parameter.
    The name setting cannot be changed once the parameter is created.
  6. For
    Level
    , select the level of parameters to be displayed.
    • Select
      global
      to display global parameters not associated with flows or URLs.
    • Select
      URL
      to display parameters associated with flows or URLs, select
      HTTP
      or
      HTTPS
      as the protocol, and then select the URL.
    If the security policy is configured to differentiate between HTTP and HTTPS URLs, then you can additionally filter URL parameters by the HTTP and HTTPS protocols.
  7. To enable or allow any of these settings, click the
    Enabled
    check box for the setting:
    • Select
      Perform Staging
      to display the staging status on this parameter.
    • Select
      Allow Empty Value
      to allow empty values.
    • Select
      Allow Repeated Occurrences
      to allow repeated occurrences.
    • Select
      Sensitive Parameter
      to protect sensitive user input in a validated request, such as a password or a credit card number. The contents of sensitive parameters are not visible in logs or in the user interface.
  8. Specify the
    Value type
    for the parameter.
    The value type you specify might display additional fields. You cannot change the value type after it is created.
    • Select
      dynamic-content
      for parameters whose data is dynamic.
    • Select
      ignore
      for parameters whose values the system does not check.
    • Select
      json
      for JSON parameters fetched from the server that are not editable.
    • Select
      static-content
      for parameters whose data is static. In the Parameter Static values area displayed at the bottom of the screen, supply a value in the
      Add New Value
      setting, and click
      Add
      . Add or subtract values as needed.
    • Select
      user-input
      for parameters whose data is provided by user-input. Use the
      Data type
      setting to provide additional information about the user input.
    • Select
      xml
      for XML parameters fetched from the server that are not editable. In the XML Profile area displayed at the bottom of the page, select an XML profile.
  9. For the
    Data type
    setting, select the data type to use for the user input.
    • Select
      email
      to specify that the data must be text in email format only. In the Data type attributes area, specify a value for the
      Maximum Length
      setting in bytes.
    • Select
      alpha-numeric
      to specify that the data can be any text consisting of letters, digits, and the underscore character.
      • In the Data type attributes area, specify a value for the
        Maximum Length
        setting in bytes, and select whether to enable regular expressions or Base64 encoding. When the
        Regular Exp
        setting is enabled, it specifies that the parameter value includes the specified parameter pattern. This is a positive regular expression that defines what is legal.
      • In the Value Meta Character area, select the
        Enabled
        check box and then select which meta character to allow or disallow as a value.
      • In the Attack Signatures area, select the
        Enabled
        check box and then select which attack signature overrides to enable or disable.
    • Select
      integer
      to specify that the data must be whole numbers only (no decimals). In the Data type attributes area, specify values for the
      Minimum Value
      ,
      Maximum Value
      , and
      Maximum Length
      settings.
    • Select
      decimal
      to specify that the data is numbers only and can include decimals. In the Data type attributes area, specify values for the
      Minimum Value
      ,
      Maximum Value
      , and
      Maximum Length
      settings.
    • Select
      phone
      to specify that the data can be text in telephone number format only. In the Data type attributes area, specify a value for the
      Maximum Length
      setting.
    • Select
      file upload
      to specify there is no text limit for the data (length checks only). In the Data type attributes area, specify a value for the
      Maximum Length
      setting, and specify whether to disallow file uploading or enable Base64 encoding.
  10. To filter the list of parameters by their enforcement readiness, select an option from the
    Enforcement Readiness
    setting.
    • To list all parameters, select
      All
      .
    • To list parameters that have one or more suggestions, select
      Has suggestion
      .
    • To list parameters that are not being enforced, select
      Not enforced
      .
    • To list parameters that are ready to be enforced, select
      Ready to be enforced
      .
  11. When you are finished, save your work.
The application security policy is updated to use the new settings.
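The parameter settings above, as an added worked example that is not part of this manual or of the BIG-IQ software: a Python model that resolves a request parameter to its policy entry (explicit names before wildcards such as the default *), applies Allow Empty Value, Allow Repeated Occurrences, the Value type (static-content, ignore, user-input) and the Data type attributes (Maximum Length, Minimum/Maximum Value, Regular Exp), and masks Sensitive Parameter values before a request is logged. The data-type shape patterns, the sample policy and the sample query strings are this example's simplifications and constructions, not the product's definitions.

```python
import fnmatch
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qsl


@dataclass
class Parameter:
    """One parameter entry; field names mirror the settings in the steps above."""
    name: str                              # explicit name, or a wildcard pattern ("*" = default)
    is_wildcard: bool = False
    allow_empty_value: bool = False
    allow_repeated_occurrences: bool = False
    sensitive: bool = False                # Sensitive Parameter: value masked in logs
    value_type: str = "user-input"         # user-input, static-content or ignore
    data_type: str = "alpha-numeric"       # alpha-numeric, integer, decimal, email or phone
    maximum_length: Optional[int] = None   # bytes; None models a blank field
    minimum_value: Optional[float] = None
    maximum_value: Optional[float] = None
    regular_exp: Optional[str] = None      # positive pattern defining what is legal
    static_values: List[str] = field(default_factory=list)

# Simplified shape checks for the data types; the page does not define their exact formats
_DATA_TYPE_PATTERNS = {
    "alpha-numeric": re.compile(r"[A-Za-z0-9_]+"),   # letters, digits and underscore
    "integer": re.compile(r"-?\d+"),
    "decimal": re.compile(r"-?\d+(\.\d+)?"),
    "email": re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+"),
    "phone": re.compile(r"\+?[\d\s().-]{7,}"),
}

def find_parameter(policy: List[Parameter], name: str) -> Optional[Parameter]:
    """Explicit entries win over wildcard entries such as the default '*'."""
    for p in policy:
        if not p.is_wildcard and p.name == name:
            return p
    for p in policy:
        if p.is_wildcard and fnmatch.fnmatchcase(name, p.name):
            return p
    return None

def check_value(p: Parameter, value: str) -> List[str]:
    """Violated settings for one occurrence of the parameter (empty list = legal)."""
    if value == "":
        return [] if p.allow_empty_value else ["Allow Empty Value"]
    if p.value_type == "ignore":
        return []
    if p.value_type == "static-content":
        return [] if value in p.static_values else ["Parameter Static values"]
    violations: List[str] = []
    if p.maximum_length is not None and len(value.encode()) > p.maximum_length:
        violations.append("Maximum Length")
    pattern = _DATA_TYPE_PATTERNS.get(p.data_type)
    if pattern is not None and not pattern.fullmatch(value):
        violations.append("Data type")
    elif p.data_type in ("integer", "decimal"):
        number = float(value)              # shape already verified, so this cannot raise
        if p.minimum_value is not None and number < p.minimum_value:
            violations.append("Minimum Value")
        if p.maximum_value is not None and number > p.maximum_value:
            violations.append("Maximum Value")
    if p.regular_exp and not re.fullmatch(p.regular_exp, value):
        violations.append("Regular Exp")
    return violations

def check_query(policy: List[Parameter], query: str) -> Dict[str, List[str]]:
    """Check every parameter in a query string or form body; returns {name: violations}."""
    seen: Dict[str, int] = {}
    result: Dict[str, List[str]] = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        p = find_parameter(policy, name)
        if p is None:
            result.setdefault(name, []).append("Illegal parameter")
            continue
        seen[name] = seen.get(name, 0) + 1
        problems = check_value(p, value)
        if seen[name] == 2 and not p.allow_repeated_occurrences:
            problems.append("Allow Repeated Occurrences")
        if problems:
            result.setdefault(name, []).extend(problems)
    return result

def mask_for_log(policy: List[Parameter], query: str) -> str:
    """Replace the values of Sensitive Parameters with *** before the request is logged."""
    masked = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        p = find_parameter(policy, name)
        masked.append(f"{name}={'***' if p is not None and p.sensitive else value}")
    return "&".join(masked)

# Constructed sample policy
SAMPLE_POLICY = [
    Parameter("*", is_wildcard=True, maximum_length=32),   # the default parameter
    Parameter("qty", data_type="integer", minimum_value=1, maximum_value=99, maximum_length=2),
    Parameter("email", data_type="email", maximum_length=64),
    Parameter("password", sensitive=True, maximum_length=128),
    Parameter("sort", value_type="static-content", static_values=["asc", "desc"]),
]
```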

Add or edit extraction settings

You use extraction settings to manage how the system extracts dynamic values for dynamic parameters from the responses returned by the web application server. An
extraction
is a subcollection that isolates a parameter from an object. Other subcollections (such as parameters) reference extractions by name (not by URL).
  1. Click
    Configuration
    SECURITY
    Web Application Security
    Policies.
  2. Click the name of the policy and then on the left, click
    PARAMETERS
    Extractions
    .
  3. You can add a new or edit an existing extraction.
    • To add a new extraction, click
      Add
      .
    • To edit an existing extraction, click the extraction name.
    The properties screen opens for the new or existing extraction.
  4. For a new extraction, specify the
    Name
    of the dynamic parameter for which the system extracts values from responses.
    • For a named parameter, select
      New
      and type the name in the field.
    • For the
      UNNAMED
      parameter, select
      no name
      .
    The name setting cannot be changed once the extraction is created.
  5. In the Extracted Items Configuration area, specify the items from which the system should extract the values for dynamic parameters.
    Extract From
    • File Types
      . Specifies, when checked (enabled), that the system extracts the values of dynamic parameters from responses to requests for file types that exist in the security policy. To add a file type to be extracted, select a file type from the list, and click
      Add
      .
    • URLs
      . Specifies, when checked (enabled), that the system extracts the values of dynamic parameters from responses to requests for the listed URLs. To specify the URLs from which the system extracts dynamic parameter values, select either
      HTTP
      or
      HTTPS
      from the list, type the URL in the adjacent field, and click
      Add
      . If you enter a URL that does not yet exist in the security policy, the URL is added to the security policy.
    • RegEx
      . Specifies, when checked (enabled), that the system extracts the values of dynamic parameters from responses to requests that match the listed pattern (regular expression). Type the regular expression in the field.
    Extract From All Items
    Specifies, when selected (enabled), that the system extracts the values of the dynamic parameters from all URLs found in the web application. Specifies, when cleared (disabled), that the system extracts the values of the dynamic parameters only from the items listed under Extract From.
  6. In the Extracted Method Configuration area, specify the methods by which the system extracts the values for dynamic parameters.
    Search in Links
    Specifies, when checked (enabled), that the system searches for dynamic parameter values within links that appear in the response body.
    Search Entire Form
    Specifies, when checked (enabled), that the system searches for dynamic parameter values in the entire form found on a web page.
    Search Within Form
    Specifies, when checked (enabled), that the system searches for dynamic parameter values in a specific location within forms found on a web page that contains the dynamic parameter. You must provide all of this information:
    • Form Index
      . Type the HTML index of the form that contains the dynamic parameter.
    • Parameter Index
      . Type the HTML index of the input parameter within the form that contains it.
    Search Within XML
    Specifies, when checked (enabled), that the system searches for dynamic parameter values within the URL’s XML. Type the XPath specification in the
    XPath
    field.
    Search Response Body
    Specifies, when checked (enabled), that the system searches for dynamic parameter values in the body of the response. Use the additional options to further refine the search. You can specify one or more of the following options, but you must specify the RegEx value if you enable this setting.
    • Number of Occurrences
      .
      • All
        specifies a search for all occurrences of the parameter values in the body of the response.
      • Number
        specifies that the search is restricted to the number you type in the box.
    • Prefix
      specifies that the system extracts values only if they are preceded by the HTML segment you type in the box.
    • Match Regular Expression Value
      specifies that the extracted value must match the parameter pattern (regular expression) you type in the box. The default is
      .+?
      .
    • Suffix
      specifies that the system extracts values only if they are followed by the HTML segment that you type in the box.
  7. When you are finished, save your work.
The application security policy is updated to use the new settings.
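The extraction methods above, as an added worked example that is not part of this manual or of the BIG-IQ software: Python functions that pull dynamic parameter values out of a constructed HTML response using the Search Response Body options (Prefix, Suffix, Match Regular Expression Value with its .+? default, Number of Occurrences), the Search Within Form options (Form Index, Parameter Index) and Search in Links. The sample response, the zero-based numbering of form and parameter indexes, and the reading of "links" as query parameters in href attributes are this example's assumptions.

```python
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import parse_qsl, urlsplit


@dataclass
class ResponseBodySearch:
    """Search Response Body options; the defaults mirror the settings above."""
    prefix: str = ""                    # HTML segment that must precede the value
    suffix: str = ""                    # HTML segment that must follow the value
    match_regex: str = ".+?"            # Match Regular Expression Value (page default)
    occurrences: Optional[int] = None   # None = All, otherwise the Number typed in the box


def search_response_body(body: str, cfg: ResponseBodySearch) -> List[str]:
    """Values found between prefix and suffix whose text matches the pattern."""
    pattern = re.compile(re.escape(cfg.prefix) + "(" + cfg.match_regex + ")" + re.escape(cfg.suffix),
                         re.DOTALL)
    values = [m.group(1) for m in pattern.finditer(body)]
    return values if cfg.occurrences is None else values[: cfg.occurrences]


class _ResponseIndexer(HTMLParser):
    """Collect each <form>'s <input> attributes in document order, plus every <a href>."""
    def __init__(self) -> None:
        super().__init__()
        self.forms: List[List[dict]] = []
        self.links: List[str] = []
        self._in_form = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append([])
            self._in_form = True
        elif tag == "input" and self._in_form:
            self.forms[-1].append(a)
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False


def search_within_form(body: str, form_index: int, parameter_index: int) -> Optional[str]:
    """Search Within Form: the value of the input at (Form Index, Parameter Index).
    Indexes count from 0 here; that numbering is this example's assumption."""
    indexer = _ResponseIndexer()
    indexer.feed(body)
    try:
        return indexer.forms[form_index][parameter_index].get("value")
    except IndexError:
        return None


def search_in_links(body: str, parameter: str) -> List[str]:
    """Search in Links: values of the named query parameter in the response's <a href> links."""
    indexer = _ResponseIndexer()
    indexer.feed(body)
    return [v for href in indexer.links
            for k, v in parse_qsl(urlsplit(href).query) if k == parameter]


# Constructed sample response: two forms carrying a per-form token, and two links with a session id
SAMPLE_RESPONSE = """<html><body>
<form action="/login" method="post">
  <input type="hidden" name="csrf_token" value="tok-8c1f">
  <input type="text" name="user">
</form>
<form action="/transfer" method="post">
  <input type="hidden" name="account" value="ACC-42">
  <input type="hidden" name="csrf_token" value="tok-29ab">
</form>
<a href="/view?sid=S1">view</a> <a href="/view?sid=S2">view</a>
</body></html>"""

if __name__ == "__main__":
    cfg = ResponseBodySearch(prefix='name="csrf_token" value="', suffix='"')
    print(search_response_body(SAMPLE_RESPONSE, cfg))      # both tokens
    print(search_within_form(SAMPLE_RESPONSE, 1, 1))       # token of the second form
    print(search_in_links(SAMPLE_RESPONSE, "sid"))          # session ids in the links
```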

Edit character set parameter name settings

You use character set parameter name settings in the security policy to allow or disallow certain characters in parameter names.
  1. Go to the Policies screen: Click
    Configuration
    SECURITY
    Web Application Security
    Policies
    .
  2. Continue to the parameter name screen: Click the name of the policy and then, on the left, click
    PARAMETERS
    CHARACTER SETS
    Parameter Name
    .
  3. Review the list of characters, and for each, determine whether it should be allowed or not.
    • Select the
      Allowed
      check box for characters that should be allowed.
    • Clear the
      Allowed
      check box for characters that should not be allowed.
    Use the View options to select which characters are displayed.
    • Click
      All Characters
      to display all characters.
    • Click
      Allowed
      to display only characters that are marked as allowed.
    • Click
      Disallowed
      to display only characters that are not allowed.
  4. Click
    Save
    to save your changes.
The system updates the security policy to use the new character set parameter name settings.

Edit character set parameter value settings

You use character set parameter value settings in the security policy to allow or disallow certain characters in parameter values.
  1. Click
    Configuration
    SECURITY
    Web Application Security
    Policies
    .
  2. Click the name of the policy and then, on the left, click
    PARAMETERS
    CHARACTER SETS
    Parameter Value
    .
  3. Review the list of characters, and for each, determine whether it should be allowed or not.
    • Select the
      Allowed
      check box for characters that should be allowed.
    • Clear the
      Allowed
      check box for characters that should not be allowed.
    Use the View options to select which characters are displayed.
    • Click
      All Characters
      to display all characters.
    • Click
      Allowed
      to display only characters that are marked as allowed.
    • Click
      Disallowed
      to display only characters that are not allowed.
  4. Click
    Save
    to save your changes.
The system updates the security policy to use the new character set parameter value settings.

Add sensitive parameters settings

You can add and delete sensitive parameters used by your security policy. Some requests include sensitive data, such as account numbers, in parameters. If you create sensitive parameters, the data in those parameters is replaced with asterisks (
***
) in the stored request and in logs.
  1. Click
    Configuration
    SECURITY
    Web Application Security
    Policies
    .
  2. Click the name of the appropriate policy, and on the left click
    PARAMETERS
    Sensitive Parameters
    .
  3. Click
    Add
    to add a sensitive parameter.
    The Sensitive Parameter properties screen opens.
  4. In the
    Name
    setting, type the name of the sensitive parameter.
  5. Save your work.

Configure attack signatures

Attack signatures
are rules or patterns that identify attacks or classes of attacks on a web application and its components. You can configure aspects of attack signatures to specify whether the signatures should be put into staging before being enforced, and whether or not to apply signatures to responses.
  1. Go to the Policies screen: Click
    Configuration
    SECURITY
    Web Application Security
    Policies
    .
  2. Continue to the Attack Signatures Configuration screen: Click the name of a policy, and on the left click
    Attack Signatures Configuration
    .
  3. Revise the settings as needed.
    • To enable staging of signatures, select the
      Signature Staging
      Enabled
      check box.
    • To place updated signatures in staging, select the
      Place updated signatures in staging
      Enabled
      check box. New signatures are always placed in staging, regardless of this setting.
    • For
      Attack Signature Set Assignment
      , select one or more signature sets from the list to be assigned to the policy, and then select the appropriate options for that signature set.
      • Select or clear the
        Learn
        ,
        Alarm
        , and
        Block
        options for each signature set.
        • Select
          Learn
          to have the security policy learn all requests that match enabled signatures in the signature set.
        • Select
          Alarm
          to have the security policy log the request data if a request matches a signature in the signature set.
        • Select
          Block
          to have the security policy block all requests that match a signature included in the signature set.
      • From the
        Actions
        list, select, if needed, whether to enable or enforce signatures in the signature set.
    • For
      Apply Response Signatures
      , select a file type, if needed. The default wildcard character indicates all file types.
  4. When you are finished, save your work.
The system updates the application security policy attack signatures settings.

View and modify attack signatures

You can view the list of attack signatures that belong to signature sets assigned to the policy, and specify whether they are enabled or in staging.
  1. Click
    Configuration
    SECURITY
    Web Application Security
    Policies
    .
  2. Click the name of a policy, and on the left click
    Attack Signatures
    .
  3. To restrict the number of signatures displayed, use the filter field at the upper right of the screen.
    You can select both basic and advanced filter options by clicking the arrow to the left of the field.
  4. To specify whether or not the attack signature is enabled, select the check box in the Enabled column of the table for that row.
  5. To have an attack signature placed in staging, select the check box in the In Staging column of the table for that row.
  6. When you are finished, save your work.
The system updates any modified attack signature settings.
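How the settings in the two procedures above combine, as an added worked example that is not part of this manual or of the BIG-IQ software: a simplified Python model in which a disabled signature is ignored, a signature that is In Staging (while Signature Staging is enabled) only produces a learning record and is never enforced, and an enforced match applies its set's Learn, Alarm and Block options, with Block from any one set enough to block the request. The signature ids, the detection patterns and the sample request strings are constructed for this example and stand in for real signatures.

```python
import re
from dataclasses import dataclass, field
from typing import Any, Dict, List


@dataclass
class Signature:
    """One attack signature as listed on the Attack Signatures screen."""
    sig_id: str
    pattern: str              # constructed, simplified detection pattern
    enabled: bool = True      # Enabled column
    in_staging: bool = False  # In Staging column


@dataclass
class SignatureSet:
    """A signature set assigned to the policy, with its Learn / Alarm / Block options."""
    name: str
    signatures: List[Signature]
    learn: bool = True
    alarm: bool = True
    block: bool = False


@dataclass
class SignaturePolicy:
    signature_staging: bool = True                 # Signature Staging: Enabled
    sets: List[SignatureSet] = field(default_factory=list)


def evaluate(policy: SignaturePolicy, request_text: str) -> Dict[str, Any]:
    """Decide what the policy does with a request, given the signatures it matches."""
    decision: Dict[str, Any] = {"matched": [], "staged": [], "learn": [],
                                "alarm": False, "block": False}
    for sset in policy.sets:
        for sig in sset.signatures:
            if not sig.enabled or not re.search(sig.pattern, request_text, re.IGNORECASE):
                continue
            decision["matched"].append(sig.sig_id)
            if policy.signature_staging and sig.in_staging:
                # Staged: recorded for review, but neither alarmed nor blocked
                decision["staged"].append(sig.sig_id)
                continue
            if sset.learn:
                decision["learn"].append(sig.sig_id)
            decision["alarm"] = decision["alarm"] or sset.alarm
            decision["block"] = decision["block"] or sset.block
    return decision


# Constructed sample configuration: one enforced and one staged signature in a blocking set,
# and a disabled signature in a set that only learns and alarms
SAMPLE_POLICY = SignaturePolicy(signature_staging=True, sets=[
    SignatureSet("Generic Detection Signatures", [
        Signature("sig-1001", r"union\s+select"),              # enforced
        Signature("sig-1002", r"<script\b", in_staging=True),   # recently added, still staged
    ], learn=True, alarm=True, block=True),
    SignatureSet("Low Accuracy Signatures", [
        Signature("sig-2001", r"\.\./", enabled=False),          # disabled by the administrator
    ], learn=True, alarm=True, block=False),
])

if __name__ == "__main__":
    for text in ("id=1 union select 2", "comment=<script>x</script>", "path=../x"):
        print(text, "->", evaluate(SAMPLE_POLICY, text))
```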

Edit geolocation enforcement settings

You use geolocation enforcement to select which geolocations the policy does not allow.
  1. Navigate to the Geolocation Enforcement screen: click
    Configuration
    SECURITY
    Web Application Security
    Policies
    .
  2. Click the name of the appropriate policy, and on the left, click
    Geolocation Enforcement
    .
  3. Select a geolocation that is not allowed by the policy from the
    Disallowed Geolocations
    list.
    Once you have selected the geolocation, it is listed below the drop-down list.
  4. To remove a selected geolocation from the list, click the
    X
    to the left of the geolocation name.
  5. Click
    Save
    to save your changes.
The system updates the list of geolocations that the policy does not allow.

Add or edit login page settings

You can view and manage login page settings for the security policy to better protect the login page URLs used by your web applications.
  1. Click
    Configuration
    SECURITY
    Web Application Security
    Policies
    .
  2. Click the name of the policy to manage, and on the left click
    SESSIONS AND LOGINS
    Login Pages
    .
  3. You can add new login page settings or edit existing ones.
    • Click
      Add
      to add a login page and settings.
    • Click the name of the login page to edit the settings.
    The Login Page Properties screen opens.
  4. In the
    Login URL
    setting, select the appropriate options for the URL.
    1. Specify whether the URL uses wildcards or is explicitly named. Select
      Wildcard
      or
      Explicit
      .
    2. Specify the URL protocol. Select
      HTTP
      or
      HTTPS
      .
    3. Select the URL to use, or select
      Custom URL
      and specify the URL.
  5. In the
    Authentication Type
    setting, select the type of authentication to use.
  6. In the Access Validation area, specify how the login page should be validated by typing one or more setting values.
    You define validation criteria on the response of the login URL. You must configure at least one validation criterion. If you configure more than one, all of them must be fulfilled in order to access the authenticated URL.
  7. Save your work.

Add or edit logout page settings

You can view and manage logout page settings for the security policy to better protect the logout page URLs used by your web applications.
  1. Click
    Configuration
    SECURITY
    Web Application Security
    Policies
    .
  2. Click the name of the appropriate policy, and on the left click
    SESSIONS AND LOGINS
    Logout Pages
    .
  3. Specify whether you are adding or editing logout page settings.
    • Click
      Add
      to add a logout page and settings.
    • Click the name of the logout page to edit the settings.
    The Logout Page Properties screen opens.
  4. In the
    Logout URL (explicit only)
    setting, select the appropriate options for the URL.
    1. Specify the URL protocol. Select
      HTTP
      or
      HTTPS
      .
    2. Select the URL to use, or select
      Custom URL
      and specify the URL.
  5. In the
    A string that should appear in the response
    setting, type a string that should appear in the request (either the query string or in its payload) to indicate that the request is a logout request.
  6. In the
    A string that should NOT appear in the response
    setting, type a string that should not appear in the request (either the query string or in its payload) to indicate that the request is a logout request.
  7. Save your work.

Add or edit login enforcement settings

You can add and modify login enforcement properties. Login enforcement specifies the authenticated login URLs and logout URLs for the web application.
  1. Click
    Configuration
    SECURITY
    Web Application Security
    Policies
    .
  2. Click the name of the appropriate policy, and on the left click
    SESSIONS AND LOGINS
    Login Enforcements
    .
  3. For the
    Expiration Time
    setting, specify whether you want the login session to expire.
    • If you do not want the login session to expire, click
      Disabled
      .
    • If you want the login URL to be valid for a limited time, click the button to the left of the
      Seconds
      field, and type a value, in seconds (1-99999), that indicates how long the session will last. The login session ends after the number of seconds has passed.
  4. For the
    Authenticated URLs
    setting, specify the target URLs that users can access only by using the login URL.
    1. In the provided field, type the target URL name in the format
      /private.php
      .
      Wildcards are allowed.
    2. Click
      Add
      to add the URL to the list of authenticated URLs.
    3. Repeat to add as many authenticated URLs as needed.
      You can remove a URL from the list of authenticated URLs by clicking
      X
      .
  5. Save your work.
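The login page, logout page and login enforcement settings above describe one flow: a session counts as logged in only when the response to the login URL passes every configured validation criterion, a request carrying the logout string ends it, and the authenticated URLs are reachable only while that session exists and has not exceeded the Expiration Time. The following added example (not part of the BIG-IQ documentation or the product's code) models that flow; the URL, criteria, logout string, expiration value and session scenario are constructed sample values, and shell-style wildcards stand in for the policy's wildcard syntax.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional


@dataclass
class LoginPage:
    """A login URL with its Access Validation criteria (constructed names).

    The criteria are checked on the response to the login URL: at least one
    must be configured, and every configured criterion must hold."""
    url: str
    expected_status: Optional[int] = None
    must_appear: Optional[str] = None        # string that must appear in the response
    must_not_appear: Optional[str] = None    # string that must not appear in the response
    required_header: Optional[str] = None    # response header that must be present

    def validates(self, status: int, headers: Dict[str, str], body: str) -> bool:
        checks: List[bool] = []
        if self.expected_status is not None:
            checks.append(status == self.expected_status)
        if self.must_appear is not None:
            checks.append(self.must_appear in body)
        if self.must_not_appear is not None:
            checks.append(self.must_not_appear not in body)
        if self.required_header is not None:
            checks.append(self.required_header.lower() in {h.lower() for h in headers})
        return bool(checks) and all(checks)


@dataclass
class LoginEnforcement:
    """Expiration Time in seconds (1-99999) or None for Disabled, plus the
    Authenticated URLs that may only be reached after a validated login."""
    expiration_seconds: Optional[int]
    authenticated_urls: List[str]            # explicit paths or wildcard patterns

    def __post_init__(self) -> None:
        exp = self.expiration_seconds
        if exp is not None and not 1 <= exp <= 99999:
            raise ValueError("Expiration Time must be 1-99999 seconds or Disabled")

    def is_authenticated_url(self, path: str) -> bool:
        return any(fnmatchcase(path, pattern) for pattern in self.authenticated_urls)


@dataclass
class Session:
    login_at: Optional[float] = None         # time of the last validated login


class Enforcer:
    """Applies the login page, logout page and login enforcement settings."""

    def __init__(self, login: LoginPage, enforcement: LoginEnforcement,
                 logout_marker: str) -> None:
        self.login = login
        self.enforcement = enforcement
        self.logout_marker = logout_marker   # logout page: string that should appear

    def on_login_response(self, s: Session, status: int, headers: Dict[str, str],
                          body: str, now: float) -> bool:
        """Start a login session only if the response passes every criterion."""
        ok = self.login.validates(status, headers, body)
        if ok:
            s.login_at = now
        return ok

    def on_request(self, s: Session, path: str, query: str, body: str,
                   now: float) -> Optional[str]:
        """Return None if the request is allowed, else the violation raised."""
        if self.logout_marker in query or self.logout_marker in body:
            s.login_at = None                # a logout request ends the session
            return None
        if not self.enforcement.is_authenticated_url(path):
            return None                      # not a protected URL
        if s.login_at is None:
            return "Login URL bypassed"
        exp = self.enforcement.expiration_seconds
        if exp is not None and now - s.login_at > exp:
            s.login_at = None
            return "Login URL expired"
        return None


def run_demo() -> list:
    """Constructed walk-through; returns each outcome in order."""
    login = LoginPage(url="/login.php", expected_status=200,
                      must_appear="Welcome", must_not_appear="Login failed")
    enforcement = LoginEnforcement(expiration_seconds=600,
                                   authenticated_urls=["/private.php", "/account/*"])
    e = Enforcer(login, enforcement, logout_marker="action=logout")
    s = Session()
    return [
        e.on_request(s, "/private.php", "", "", now=0),             # no login yet
        e.on_login_response(s, 200, {}, "Login failed", now=10),    # fails validation
        e.on_request(s, "/private.php", "", "", now=20),            # still bypassed
        e.on_login_response(s, 200, {}, "Welcome back", now=50),    # valid login
        e.on_request(s, "/account/settings", "", "", now=100),      # allowed (wildcard)
        e.on_request(s, "/index.html", "", "", now=100),            # not an authenticated URL
        e.on_request(s, "/private.php", "", "", now=700),           # 650 s since login > 600 s
        e.on_login_response(s, 200, {}, "Welcome back", now=700),   # log in again
        e.on_request(s, "/logout.php", "action=logout", "", now=710),  # logout request
        e.on_request(s, "/private.php", "", "", now=720),           # session ended
    ]


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```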

Edit session tracking settings

You can enable session hijacking detection and session tracking to track, enforce, and report on user sessions and IP addresses.
  1. Click
    Configuration
    SECURITY
    Web Application Security
    Policies
    .
  2. Click the name of the policy to work on, and on the left click
    SESSIONS AND LOGINS
    Session Tracking
    .
  3. To enable session hijack detection, for the
    Detect Session Hijacking by Device ID Tracking
    setting, select the
    Enabled
    check box.
    Review the notes displayed.
  4. To configure session tracking, supply values for the following settings.
    1. Select the
      Session Awareness
      Enabled
      check box.
    2. For the
      Application Username
      setting, select the form of the username.
      • To use no application username, select
        None
        .
      • To use APM usernames and session IDs, select
        Use APM Usernames and Session ID
        .
      • To use individual login pages, select
        Use Individual Login Pages
        and then select the login page in the area provided.
      • To use all login pages, select
        Use All Login Pages
        .
  5. To configure violation detection actions, specify additional settings.
    1. For
      Track Violations and Perform Actions
      , select the
      Enabled
      check box.
    2. For
      Violation Detection Period
      , type the number of seconds for the detection period.
  6. In the Block All area, specify how the system performs when the Block All action is triggered.
  7. In the Log All Requests area, specify how the system performs when the Log All Requests action is triggered.
  8. In the Delay Blocking area, specify how the system performs when the Delay Blocking action is triggered.
  9. Save your work.

Applying Web Application Security policy templates

Use a template to populate the attributes of a new Web Application Security policy. Policy templates allow you to reduce the time required to configure a policy for your applications.
Each new security policy has the Rapid Deployment Policy template by default. You can replace the default with a user-defined or system-supplied template, and then modify the policy's subcollections as needed. Unlike a parent policy, a template is applied once: modifying a policy after its template has been applied does not affect the template's settings.
Whether you are creating a security policy or applying one to an object, keep in mind the BIG-IP device version on which you intend to deploy the policy. Some protection features are not available in every version, or changed from version to version.
System-defined templates (the Generic and Application Ready policy templates) are aligned to support devices running version 13.1 or later, which allows deployment across multiple device versions. As a result, a template can omit fields that were added in newer device versions. It is recommended to monitor your security policy's performance to ensure that the policy meets your application's needs. For more information about monitoring Web Application Security, see Modify and Manage Layer 7 Security Objects.
Generic Templates
Generic templates address most aspects of the application security policy suite, while remaining broad enough to protect any application, regardless of its platform. Each template varies based on the level of enforcement and traffic learning settings. For more information about each generic template, its settings, and version limitations, see Generic Web Application Security policy templates.
Application Ready Templates
Application ready security policies are baseline templates designed to secure specific enterprise application platforms. Like generic templates, application ready templates provide a fixed policy whose settings you can adjust manually or extend with additional security features. These templates are configured for the following platforms:
  • Drupal v8
  • Microsoft Outlook Web Access Exchange® 2016
  • Sharepoint 2016
  • Wordpress v4.9
Custom Policy Templates
Custom templates are created using existing Web Application Security policies. For more information, see Manage and create policy templates.
Templates are already aligned to support BIG-IP versions 13.1 or later, which allows for optimal deployment over different device versions. If you

Manage and create policy templates

Create, delete, or export Web Application Security policy templates. You can create a custom template by using an existing Web Application Security policy. This allows you to reduce configuration time required for a new protection policy.
The following is the recommended procedure for managing your policy templates. You can create a template directly from the policies list by selecting a policy, clicking
More
and then
Save as Policy Template
.
  1. Navigate to the Policy Templates screen:
    Configuration
    SECURITY
    Web Application Security
    Policy Templates
    .
    A list of all policy templates is displayed. Custom templates are marked as
    Yes
    in the User Defined column.
  2. To add a new template click
    Add
    .
    1. (Required) On the New Policy Template screen enter a name to identify your new policy template.
    2. (Optional) Add a policy description to better identify the template’s settings.
    3. From the
      Template source
      field you can select
      Policy
      to create a template from a policy that is already configured on the system, or you can select
      File
      to import a policy from your local files.
    4. Click
      Save & Close
      .
      The new template can now be applied to a new Web Application Security policy. Any changes made to the original policy, following template creation, will not affect the template's settings.
  3. To export any template as an XML file, select a template and click
    Export
    .
  4. To delete a custom template, select a user-defined template, and click
    Delete
    .
    This action deletes the template, but it does not delete the original policy or any policies created using the template.
Policy template management is immediately reflected in the list on the Policy Templates screen.

Generic Web Application Security policy templates

The following defines and details the generic policy templates you can apply when creating a new Web Application Security parent or child policy (
Configuration
SECURITY
Web Application Security
Policies
). These templates automatically populate required fields based on the most common application protection needs. You can use these templates to pilot your security measures and fine-tune them as needed.

Template Overview

Rapid Deployment Policy (RDP)
A moderate protection layer that includes manual learning of false positives. This protection template meets the majority of Web Application Security requirements.
Operational Cost: Low
BIG-IP Version Support*: All versions supported by BIG-IQ centralized management
API Security
A moderate protection layer that follows the same protection as RDP, with additional support for API security features such as REST API (JSON, XML) and WebSocket security.
Operational Cost: Low
BIG-IP Version Support*: Version 13.1.0.2 or later
Fundamental
A high-to-moderate protection layer that includes automatic learning of false positives, and specific entity types. This template includes a blocking enforcement mode.
Operational Cost: Medium
Comprehensive
A high protection layer with automatic learning for all entity types. This template includes a blocking enforcement mode.
Operational Cost: High
BIG-IP Version Support*: All versions supported by BIG-IQ centralized management
Passive Deployment Policy (PDP)
A low protection layer with a high level of automatic learning (similar to Comprehensive), but fully transparent, so it does not interfere with traffic. This template is designed to detect as many potential threats as possible without the risk of affecting traffic with false positives.
Operational Cost: High
BIG-IP Version Support*: Version 13.1 or later
Vulnerability Assessment Baseline
Provides the lowest protection, and is used to create a security baseline by identifying, classifying and reporting security holes or weaknesses in your web site's code.
Operational Cost: Medium
BIG-IP Version Support*: All versions supported by BIG-IQ centralized management
*General template support does not include all settings. Variations are indicated with the setting and template type.
This table highlights critical aspects of each template's general properties.
| Basic Template Settings | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
| --- | --- | --- | --- | --- | --- | --- |
| Enforcement Mode | Transparent | Transparent | Blocking | Blocking | Transparent | Transparent |
| Learning Mode | Manual | Manual | Automatic | Automatic | Automatic | Manual |
| Application Language | UTF-8 | UTF-8 | Auto-detect | Auto-detect | Auto-detect | UTF-8 |
| Attack Signature Set Assignment | Generic Detection Signatures (Learn/Alarm/Block enabled) | Generic Detection Signatures (Learn/Alarm/Block enabled) | Generic Detection Signatures (Learn/Alarm/Block enabled) | Generic Detection Signatures (Learn/Alarm/Block enabled) | Generic Detection Signatures (Learn/Alarm/Block enabled) | 1. Generic Detection Signatures (Learn/Alarm/Block disabled); 2. High Accuracy Detection Evasion Signatures |
| Signature Staging | Enabled | Enabled | Enabled | Enabled | Enabled | Disabled |
This table highlights learning settings per template. Fields that are not listed are either not affected by template settings, or have default settings, unrelated to a selected template.
| General Learning Settings | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
| --- | --- | --- | --- | --- | --- | --- |
| Learn Host Names | False | False | True | True | True | False |
| Learn Explicit URLs | Never | Never | Never | Compact | Compact | Never |
| Learn Explicit WebSocket URLs | Never | Never | Never | Always | Always | Never |
| Learn Explicit Parameters | Never | Never | Selective | Compact | Compact | Never |
| Learn Explicit Cookies | Never | Never | Never | Selective | Selective | Never |
| Learn Explicit Redirection Domains | Never | Never | Always | Always | Always | Never |

Full Policy Template Settings

The following provides a list of all fields populated by each policy template, per configuration section. Sections and fields that are not affected are not included in this document.
| POLICY PROPERTIES | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
| --- | --- | --- | --- | --- | --- | --- |
| Enforcement Mode | Transparent | Transparent | Blocking | Blocking | Transparent | Transparent |
| Learning Mode | Manual | Manual | Automatic | Automatic | Automatic | Manual |
| Enforcement Readiness Period | 7 Days (all templates) | | | | | |
| Mask Credit Card Numbers in Request Log | Enabled (all templates) | | | | | |
| Allowed Response Status Codes | 400, 401, 404, 407, 417, 503, 403 (all templates) | | | | | |
| Dynamic Session ID in URL | Disabled (all templates) | | | | | |
| Trigger ASM iRule Events | Disabled (all templates) | | | | | |
| Trust XFF Header | No (all templates) | | | | | |
| Handle Path Parameters | As Parameter (all templates) | | | | | |

POLICY BUILDING (Settings)

| Blocking Settings | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
| --- | --- | --- | --- | --- | --- | --- |
| Enforcement Mode | Transparent | Transparent | Blocking | Blocking | Transparent | Transparent |
| Learning Speed | Medium (all templates) | | | | | |
Violation settings include Learn, Block, and Alarm options. If none of these options are selected, they are marked as "Disabled" in the table.
| All Violations | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
| --- | --- | --- | --- | --- | --- | --- |
| Policy General Features | | | | | | |
| Request length exceeds defined buffer size | Learn only (1) | Learn only | Learn only | Learn only | Learn only | All Disabled |
| Failed to convert character | All Enabled (1) | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled |
| Illegal session ID in URL | All Disabled | All Disabled | All Disabled | All Enabled | Disabled | All Disabled |
| Illegal HTTP status in response | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled |
| Illegal Base64 value | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled |
| HTTP Protocol Compliance Failed | | | | | | |
| Body in GET or HEAD requests | All Disabled | All Disabled | All Disabled | Learn (2) | Learn | All Disabled |
| POST request with Content-Length: 0 | All Disabled | All Disabled | All Disabled | Learn (2) | Learn | All Disabled |
| Check maximum number of parameters | Learn: 500 (all templates) | | | | | |
| CRLF characters before request start | Learn | Learn | Learn | Learn | Learn | All Disabled |
| Chunked request with Content-Length header | Disabled (all templates) | | | | | |
| Unparsable request content | Block (all templates) | | | | | |
| Several Content-Length headers | Learn | Learn | Learn | Learn | Learn | All Disabled |
| High ASCII characters in headers | All Disabled | All Disabled | All Disabled | Learn (2) | Learn | All Disabled |
| Check maximum number of headers | Learn: 20 | Learn: 20 | Learn: 20 | Learn: 20 | Learn: 20 | All Disabled |
| Multiple host headers | Learn | Learn | Learn | Learn | Learn | All Disabled |
| Bad multipart parameters parsing | Learn | Learn | Learn | Learn | Learn | All Disabled |
| Bad host header value | Learn | Learn | Learn | Learn | Learn | All Enabled |
| Header name with no header value | Learn | Learn | Learn | Learn | Learn | All Disabled |
| Content length should be a positive number | Learn | Learn | Learn | Learn | Learn | All Disabled |
| Null in request | Block (all templates) | | | | | |
| Bad HTTP version | Block (all templates) | | | | | |
| No Host header in HTTP/1.1 request | Learn | Learn | Learn | Learn | Learn | All Disabled |
| Host header contains IP address | All Disabled | All Disabled | All Disabled | Learn (2) | Learn | All Disabled |
| Bad multipart/form-data request parsing | All Disabled | All Disabled | All Disabled | Learn | Learn | All Disabled |
| Evasion Techniques Sub-Violations | | | | | | |
| Multiple decoding | Learn: 3 (3) / All Enabled: 3 (merged) | | | | | |
| IIS backslashes | Learn / All Enabled (merged) | | | | | |
| Bad unescape | Learn / All Enabled (merged) | | | | | |
| Directory traversals | Learn / All Enabled (merged) | | | | | |
| Bare byte decoding | Learn / All Enabled (merged) | | | | | |
| Apache whitespace | Learn / All Enabled (merged) | | | | | |
| %u decoding | Learn / All Enabled (merged) | | | | | |
| URLs | | | | | | |
| Illegal number of mandatory parameters | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Illegal flow to URL | All Disabled | All Disabled | All Disabled | All Enabled | All Disabled | All Disabled |
| Illegal cross-origin request | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Binary content found in text only WebSocket | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Illegal entry point | All Disabled | All Disabled | All Disabled | All Enabled | All Disabled | All Disabled |
| Illegal meta character in URL | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Illegal query string or POST data | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Illegal URL | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Illegal WebSocket binary message length | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Illegal WebSocket extension | All Disabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled |
| Illegal number of frames per message | All Disabled | All Disabled | All Enabled | All Enabled | All Enabled | All Disabled |
| Text content found in binary only WebSocket | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Illegal request content type | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Illegal WebSocket frame length | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Parameters | | | | | | |
| Illegal parameter numeric value | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Illegal dynamic parameter value | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Illegal empty parameter value | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Illegal parameter data type | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Null in multi-part parameter value | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Illegal meta character in parameter name | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Illegal meta character in value | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Illegal parameter value length | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Illegal repeated parameter name | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Illegal static parameter value | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Disallowed file upload content detected | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled |
| Parameter value does not comply with regular expression | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Illegal parameter | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Sessions and Logins | | | | | | |
| Access from disallowed User/Session/IP | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled |
| ASM Cookie Hijacking | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled | All Disabled |
| Brute Force: Maximum login attempts are exceeded | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled |
| Login URL bypassed | All Disabled | All Disabled | All Disabled | All Enabled | All Disabled | All Disabled |
| Login URL expired | All Disabled | All Disabled | All Disabled | All Enabled | All Disabled | All Disabled |
| Cookies | | | | | | |
| Modified ASM cookie | All Enabled | All Enabled | All Enabled (2) | All Enabled | All Disabled | All Disabled |
| Illegal cookie length | All Disabled | All Disabled | Learn Only (2) | Learn Only | Learn Only | All Disabled |
| Expired timestamp | All Disabled (all templates) | | | | | |
| Cookie not RFC-compliant | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled |
| Modified domain cookie(s) | All Disabled | All Disabled | All Disabled | All Enabled | All Disabled | All Disabled |
| Content Profiles | | | | | | |
| Malformed XML data | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled |
| XML data does not comply with schema or WSDL document | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled |
| SOAP method not allowed | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled |
| JSON data does not comply with format settings | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled |
| GWT data does not comply with format settings | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Plain text data does not comply with format settings | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled |
| XML data does not comply with format settings | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Malformed GWT data | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Illegal attachment in SOAP message | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Malformed JSON data | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled |
| Web Services Security failure | | | | | | |
| Web Services Security failure (all subviolations) | All Enabled / Learn Only (merged) | | | | | |
| CSRF Protection | | | | | | |
| CSRF authentication expired | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled | All Disabled |
| CSRF attack detected | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled | All Enabled |
| IP Addresses / Geolocations | | | | | | |
| IP is blacklisted | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled |
| Access from malicious IP address | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled |
| Access from disallowed User/Session/IP | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled |
| Headers | | | | | | |
| Illegal header length | All Disabled | All Disabled | Learn Only (2) | Learn Only | Learn Only | All Disabled |
| Illegal method | All Enabled | All Enabled | Learn Only (2) | Learn Only (2) | Learn Only | All Enabled (no enforcement) |
| Illegal meta character in header | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
| Mandatory HTTP header is missing | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled |
| Redirection Protection | | | | | | |
| Illegal redirection attempt | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled |
| Threat Campaigns | | | | | | |
| Threat Campaign detected (4) | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled |
| Bot Detection | | | | | | |
| Web scraping detection | All Enabled (all templates) | | | | | |
| Data Guard | | | | | | |
| Data Guard: Information leakage detected | All Enabled | All Disabled | All Enabled | All Enabled | All Enabled | All Enabled |
| WebSocket protocol compliance | | | | | | |
| Null character found in WebSocket text message | All Enabled (all templates) | | | | | |
| Failure in WebSocket framing protocol | Learn Only (5) | All Enabled | Learn Only | Learn Only | Learn Only | All Disabled |
| Mask not found in client frame | Learn Only (5) | All Enabled | Learn Only | Learn Only | Learn Only | All Disabled |
| Bad WebSocket handshake request | Learn Only (5) | All Enabled | Learn Only | Learn Only | Learn Only | All Disabled |
| Antivirus Detection | | | | | | |
| Virus Detected | All Disabled | All Disabled | All Disabled | All Enabled | All Disabled | All Disabled |
Rows showing a single value apply it to all templates. Rows marked (merged) list fewer values than templates because the source merges adjacent columns, left to right, without indicating the exact split between templates.
(1) For devices running v13.1 the violation is set to Learn only.
(2) Violation setting for version 13.0 or later.
(3) For version 12.1 or earlier, the setting included 2 decoding passes.
(4) Violation setting supported by version 14.0 or later.
(5) Violation setting for version 13.1 or later.
Policy builder settings are identical across templates except for the learning mode and the Learn From Response attribute (enabled for the Comprehensive template type). The following table lists the Policy Building Process values when you select a generic template.
Policy Building Process
| Policy Building Process | Value |
| --- | --- |
| Trust IP Addresses | Address List |
| Loosen Policy: Untrusted Traffic | Sources: 20; Min Period: 60 minutes; Max Period: 7 days |
| Loosen Policy: Trusted Traffic | Sources: 1; Min Period: 0 (not applicable); Max Period: 7 days |
| Tighten Policy (stabilize) | Total Requests: 15,000; Days: 1; Maximum modification suggestion score: 50% |
| Minimize false positives (Track Site Changes) | Status: Enabled; From Trusted and Untrusted Traffic: Enabled |
| Minimize false positives: Untrusted Traffic | Sources: 10; Min Period: 20 minutes; Max Period: 7 days |
| Minimize false positives: Trusted Traffic | Sources: 1; Min Period: 0 (not applicable); Max Period: 7 days |
| Options | Learn from responses: Disabled (enabled for the Comprehensive template type); Full Policy Inspection: Enabled |

DATA GUARD

| Data Guard | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
| --- | --- | --- | --- | --- | --- | --- |
| Data Guard | Disabled (all templates) | | | | | |
| Protect credit card numbers | Enabled / Disabled (merged) | | | | | |
| Protect U.S. Social Security numbers | Enabled / Disabled (merged) | | | | | |
| Mask sensitive data | Enabled / Enabled / Disabled / Disabled (merged) | | | | | |
| Custom Patterns | Disabled (all templates) | | | | | |
| Exception Patterns | Disabled (all templates) | | | | | |
| File Content Detection | Disabled (all templates) | | | | | |
Rows marked (merged) list fewer values than templates because the source merges adjacent columns, left to right, without indicating the exact split between templates.

CSRF PROTECTION

| CSRF Protection | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
| --- | --- | --- | --- | --- | --- | --- |
| CSRF Protection | Disabled | Disabled | Disabled | Disabled | Disabled | Enabled |
| SSL Only | Disabled (all templates) | | | | | |
| Expiration Time | Disabled (all templates) | | | | | |
| [Default entry] CSRF URL | URL * | URL * | URL * | URL * | Empty | Empty |

ANOMALY DETECTION

All templates are populated with a default login page. As of BIG-IP version 13.1, several fields were deprecated, while others were introduced. Deprecated fields are not included in the default login page.
| Brute Force Attack Prevention | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
| --- | --- | --- | --- | --- | --- | --- |
| Properties | | | | | | |
| Login Page | Default (all templates) | | | | | |
| Brute Force Protection | Disabled (1) / Enabled (merged) | | | | | |
| Configuration Support | Current (supports versions 13.1 or later) (all templates) | | | | | |
| IP Address Whitelist | Empty (all templates) | | | | | |
| Source-based Brute Force Protection | | | | | | |
| Detection Period | 60 minutes (all templates) | | | | | |
| Maximum Prevention Duration | 60 minutes (all templates) | | | | | |
| Username | Trigger: After 3 failed login attempts, Action: Alarm And CAPTCHA / Trigger: After 3 failed login attempts, Action: Alarm / Trigger: After 3 failed login attempts, Action: Alarm And CAPTCHA (merged) | | | | | |
| Device ID | Trigger: Never (all templates) | | | | | |
| IP Address | Trigger: After 20 failed login attempts, Action: Alarm And CAPTCHA / Trigger: After 20 failed login attempts, Action: Alarm / Trigger: After 20 failed login attempts, Action: Alarm And CAPTCHA (merged) | | | | | |
| Client Side Integrity Bypass Mitigation | Trigger: After 3 failed login attempts, Action: Alarm And CAPTCHA (all templates) | | | | | |
| CAPTCHA Bypass Mitigation | Trigger: After 5 failed login attempts, Action: Alarm And Drop (all templates) | | | | | |
| Distributed Brute Force Protection | | | | | | |
| Detection Period | 15 minutes (all templates) | | | | | |
| Maximum Prevention Duration | 60 minutes (all templates) | | | | | |
| Detect Distributed Attack | After 100 failed login attempts (all templates) | | | | | |
| Detect Credential Stuffing | After 100 failed login attempts (all templates) | | | | | |
| Mitigation | Alarm And CAPTCHA / Alarm / Alarm And CAPTCHA (merged) | | | | | |
Rows showing a single value apply it to all templates. Rows marked (merged) list fewer values than templates because the source merges adjacent columns, left to right, without indicating the exact split between templates.
(1) The default profile protects all login pages that are not specifically protected by an enabled configuration.
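The source-based settings above amount to sliding-window counters: failed logins are counted per username and per source IP address inside the Detection Period (60 minutes), and a mitigation applies once the Username trigger (after 3 failures) or the IP Address trigger (after 20 failures) is reached. The following added example (not part of the BIG-IQ documentation or the product's code) runs that logic over constructed log lines; the log format, the reading of "after N failed login attempts" as "the attempt following N failures is mitigated", and the use of "Alarm And CAPTCHA" as the action label are assumptions made for this example, since the table does not assign its two action variants to specific templates.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Deque, Dict, List, Optional, Tuple

DETECTION_PERIOD_SECONDS = 60 * 60            # Detection Period: 60 minutes
THRESHOLDS = {"username": 3, "ip": 20}        # Username: after 3, IP Address: after 20
ACTION = "Alarm And CAPTCHA"                  # one of the two actions listed (assumed label)


class SourceBasedBruteForce:
    """Sliding-window failed-login counters per username and per source IP."""

    def __init__(self, period: float = DETECTION_PERIOD_SECONDS,
                 thresholds: Optional[Dict[str, int]] = None) -> None:
        self.period = period
        self.thresholds = thresholds or dict(THRESHOLDS)
        self.windows: Dict[str, Dict[str, Deque[float]]] = {
            "username": defaultdict(deque), "ip": defaultdict(deque)}

    def failed_login(self, ts: float, username: str, ip: str) -> List[Tuple[str, str, str]]:
        """Record one failed login and return (source kind, source, action) for
        every source whose threshold has been exceeded within the period."""
        mitigations = []
        for kind, key in (("username", username), ("ip", ip)):
            window = self.windows[kind][key]
            window.append(ts)
            while window and ts - window[0] > self.period:   # drop failures outside the window
                window.popleft()
            if len(window) > self.thresholds[kind]:           # this attempt follows N failures
                mitigations.append((kind, key, ACTION))
        return mitigations


def parse_line(line: str) -> Tuple[float, str, str, str]:
    """Parse a constructed log line: '<ISO time>Z login_failed user=<u> ip=<ip>'."""
    stamp, _event, user_kv, ip_kv = line.split()
    moment = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return moment.timestamp(), stamp, user_kv.split("=", 1)[1], ip_kv.split("=", 1)[1]


def analyze(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Run the detector over log lines; return (time, kind, source, action) per mitigated attempt."""
    detector = SourceBasedBruteForce()
    hits = []
    for line in lines:
        ts, stamp, user, ip = parse_line(line)
        for kind, key, action in detector.failed_login(ts, user, ip):
            hits.append((stamp, kind, key, action))
    return hits


def sample_log() -> List[str]:
    """Constructed sample: four failures for one username from one address,
    then 21 failures across distinct usernames from a second address, then one
    late failure for the first username that falls outside the 60-minute window."""
    lines = [f"2024-01-01T10:0{m}:00Z login_failed user=alice ip=203.0.113.5" for m in range(4)]
    lines += [f"2024-01-01T11:{m:02d}:00Z login_failed user=user{m:02d} ip=198.51.100.7"
              for m in range(21)]
    lines.append("2024-01-01T12:30:00Z login_failed user=alice ip=203.0.113.5")
    return lines


if __name__ == "__main__":
    for hit in analyze(sample_log()):
        print(hit)
```

The late failure at 12:30 is not mitigated because alice's earlier failures have aged out of the detection period, which is the behaviour the Detection Period setting controls.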

HEADERS

Methods
All templates except for Vulnerability Assessment Baseline will include the three HTTP methods: GET, POST and HEAD.
Vulnerability Assessment Baseline includes all available HTTP methods, with their default action as follows:
  • Methods acting as GET: REPORT, HEAD, CHECKOUT, COPY, LOCK, MOVE, CHECKIN, UNLOCK, GET, OPTIONS, MERGE, X-MS-ENUMATTS, NOTIFY, MKCOL, SUBSCRIBE, POLL, CONNECT, ACL, VERSION_CONTROL, PROPFIND, UNSUBSCRIBE, PROPPATCH.
  • Methods acting as POST: MKWORKSPACE, BPROPPATCH, BPROPFIND, BMOVE, RPC_IN_DATA, SEARCH, RPC_OUT_DATA, BCOPY, POST, UNLINK, LINK, PATCH.
The wildcard '*' cookie is the only cookie entity populated in the generic templates. The following indicates which templates enable staging for it.
| Cookies | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
| --- | --- | --- | --- | --- | --- | --- |
| In Staging | No | No | Yes | Yes | Yes | No |
| Redirection Protection | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
| --- | --- | --- | --- | --- | --- | --- |
| Redirection Protection | Disabled | Disabled | Enabled | Enabled | Enabled | Enabled |
| Redirection Domains | Empty | Empty | * (Entity only) | * (Entity only) | * (Entity only) | Empty |

URLS

All templates are populated with two allowed wildcard URLs: HTTP* and HTTPS*. The following are the properties and configuration.
| [Allowed] HTTP URLs | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
| --- | --- | --- | --- | --- | --- | --- |
| Properties | | | | | | |
| URL | Wildcard; HTTP and HTTPS (all templates) | | | | | |
| Perform Staging | Disabled | Enabled | Enabled | Enabled | Enabled | Disabled |
| Wildcard Match Includes Slashes | Enabled (all templates) | | | | | |
| Clickjacking Protection | Disabled (all templates) | | | | | |
| Attack Signatures | | | | | | |
| Check Signatures on this URL | Enabled (all templates) | | | | | |
| Overridden Policy Settings | No overrides were selected (all templates) | | | | | |
| Header-Based Content Profiles | | | | | | |
| Request Header Value/Request Body Handling | Form, XML, JSON and Apply Value and Content Signatures / Apply Value and Content Signatures (merged) | | | | | |
| HTML5 Cross-Domain Request Enforcement | | | | | | |
| Enforcement Mode | Disabled | Disabled | Disabled | Enforce on ASM | Enforce on ASM | Disabled |
| Methods Enforcement | | | | | | |
| Override policy allowed methods | Disabled (all templates) | | | | | |
Rows showing a single value apply it to all templates. The row marked (merged) lists fewer values than templates because the source merges adjacent columns, left to right, without indicating the exact split between templates.
All templates are populated with *WebSocket URLs for WS and WSS protocols. The following are the properties and configuration.
| [Allowed] WebSocket URLs | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
| --- | --- | --- | --- | --- | --- | --- |
| Properties | | | | | | |
| WebSocket URL | Wildcard; WS and WSS (all templates) | | | | | |
| Perform Staging | Disabled | Enabled | Enabled | Enabled | Enabled | Disabled |
| Message Handling | | | | | | |
| Check Message Payload | Enabled | Enabled | Enabled | Enabled | Enabled | Disabled |
| WebSocket Extensions | Delete Headers | Delete Headers | Delete Headers | Delete Headers | Block | Delete Headers |
| Allowed Message Payload Formats | All Formats | All Formats | All Formats | Plain Text, JSON | Plain Text, JSON | All Formats |
| Payload Enforcement (Maximum Binary Message Size) | Any | Any | Any | 10,000 bytes | 10,000 bytes | Any |
| Maximum Frame Size | Any | Any | Any | 10,000 bytes | 10,000 bytes | Any |
| Maximum Frames per fragmented message | Any | Any | Any | 100 bytes | 100 bytes | Any |
| HTML5 Cross-Domain Request Enforcement | | | | | | |
| Enforcement Mode | Disabled | Disabled | Disabled | Enforce on ASM | Enforce on ASM | Disabled |

CONTENT PROFILES

All templates are populated with a default JSON profile. The following are the properties and configuration.
| JSON Profiles | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
| --- | --- | --- | --- | --- | --- | --- |
| Profile Name | Default (all templates) | | | | | |
| File Type | Wildcard (all templates) | | | | | |
| Perform Staging | Disabled | Disabled | Enabled | Enabled | Enabled | Disabled |
| URL Length | Any | Any | 1024 Bytes | 1024 Bytes | 1024 Bytes | Any |
| Request Length | Any | Any | 8196 Bytes | 8196 Bytes | 8196 Bytes | Any |
| Query String Length | Any | Any | 4096 Bytes | 4096 Bytes | 4096 Bytes | Any |
| POST Data Length | Any | Any | 4096 Bytes | 4096 Bytes | 4096 Bytes | Any |
| Apply Response Signature Staging | Disabled (all templates) | | | | | |
All templates are populated with a default XML profile. The following are the properties and configuration.
| XML Profiles | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
|---|---|---|---|---|---|---|
| Properties | | | | | | |
| Profile Name | Default | Default | Default | Default | Default | Default |
| Use XML Blocking Response Page | Disabled | Disabled | Disabled | Disabled | Disabled | Disabled |
| XML Firewall Configuration | | | | | | |
| Defense Level | | | | | | |
| Allow DTDs | Enabled | Enabled | Enabled | Disabled | Disabled | Enabled |
| Allow External References | Enabled | Enabled | Enabled | Disabled | Disabled | Enabled |
| Tolerate Leading White Space | Enabled | Enabled | Enabled | Disabled | Disabled | Enabled |
| Tolerate Close Tag Shorthand | Enabled | Enabled | Enabled | Disabled | Disabled | Enabled |
| Tolerate Numeric Names | Enabled | Enabled | Enabled | Disabled | Disabled | Enabled |
| Allow Processing Instructions | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
| Allow CDATA | Enabled | Enabled | Enabled | Disabled | Disabled | Enabled |
| Maximum Document Size | Any | 1,024,000 Bytes | Any | 1,024,000 Bytes | 1,024,000 Bytes | Any |
| Maximum Elements | Any | 512,000 | Any | 65,536 | 65,536 | Any |
| Maximum Name Length | Any | 1,024 Bytes | Any | 256 Bytes | 256 Bytes | Any |
| Maximum Attribute Value Length | Any | Any | Any | 1,024 Bytes | 1,024 Bytes | Any |
| Maximum Document Depth | Any | Any | Any | 32 | 32 | Any |
| Maximum Children Per Element | Any | 4,096 | Any | 1,024 | 1,024 | Any |
| Maximum Attributes Per Element | Any | 64 | Any | 16 | 16 | Any |
| Maximum NS Declarations | Any | 256 | Any | 64 | 64 | Any |
| Maximum Namespace Length | Any | Any | Any | 256 | 256 | Any |
| Attack Signatures | | | | | | |
| Check Attack | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
| Attack Signatures Overrides | No Entries | No Entries | No Entries | No Entries | No Entries | No Entries |
| Meta Characters | | | | | | |
| Check element value characters | Disabled | Disabled | Disabled | Enabled | Enabled | Disabled |
| Check attribute value characters | Disabled | Disabled | Disabled | Disabled | Disabled | Disabled |
| Sensitive Data Configuration | | | | | | |
| Sensitive Data | No Entries | No Entries | No Entries | No Entries | No Entries | No Entries |
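To show what the Comprehensive template's XML Firewall limits mean in practice, here is an added stand-alone check (not F5's code) that applies the Comprehensive/PDP column values from the table above to a document with the standard library's expat parser and reports which limits the document exceeds. The dictionary keys, the `check_xml` function and the constructed sample documents are this example's own.

```python
import xml.parsers.expat as expat
# Comprehensive/PDP column of the XML Profiles table above (values copied from it).
COMPREHENSIVE_XML = {
    "allow_dtds": False, "allow_external_references": False,
    "max_document_size": 1_024_000, "max_elements": 65_536,
    "max_name_length": 256, "max_attribute_value_length": 1_024,
    "max_document_depth": 32, "max_children_per_element": 1_024,
    "max_attributes_per_element": 16, "max_ns_declarations": 64,
    "max_namespace_length": 256,
}

def check_xml(doc: bytes, limits=COMPREHENSIVE_XML) -> list:
    """Return the sorted names of the limits a document violates ([] = passes)."""
    found = set()
    def hit(key, value):            # record a violation of numeric limit `key`
        if value > limits[key]:
            found.add(key)
    hit("max_document_size", len(doc))
    p = expat.ParserCreate(namespace_separator=" ")  # names arrive as "uri local"
    elements, depth, ns_decls, children = [0], [0], [0], []  # parser counters
    def start_ns(prefix, uri):
        ns_decls[0] += 1
        hit("max_ns_declarations", ns_decls[0])
        hit("max_namespace_length", len(uri or ""))
    def start(name, attrs):
        elements[0] += 1
        depth[0] += 1
        hit("max_elements", elements[0])
        hit("max_document_depth", depth[0])
        if children:                # this element is a child of the open parent
            children[-1] += 1
            hit("max_children_per_element", children[-1])
        children.append(0)
        hit("max_name_length", len(name.rsplit(" ", 1)[-1]))
        hit("max_attributes_per_element", len(attrs))
        hit("max_attribute_value_length", max(map(len, attrs.values()), default=0))
    def end(name):
        depth[0] -= 1
        children.pop()
    def doctype(name, sysid, pubid, has_internal):  # any DOCTYPE when DTDs are off
        if not limits["allow_dtds"]:
            found.add("allow_dtds")
    def entity(name, is_param, value, base, sysid, pubid, notation):
        if sysid is not None and not limits["allow_external_references"]:
            found.add("allow_external_references")  # external entity declared
    p.StartNamespaceDeclHandler, p.StartElementHandler = start_ns, start
    p.EndElementHandler, p.StartDoctypeDeclHandler, p.EntityDeclHandler = end, doctype, entity
    p.Parse(doc, True)
    return sorted(found)
```

The check only reports which configured limits a document would exceed; it does not reproduce BIG-IP's staging or blocking behaviour for those violations.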
All templates are populated with a default plain text profile. The following are the properties and configuration.
| Plain Text Profiles | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
|---|---|---|---|---|---|---|
| Properties | | | | | | |
| Profile Name | Default | Default | Default | Default | Default | Default |
| Maximum Total Length | Any | Any | Any | 10,000 | 10,000 | Any |
| Maximum Line Length | Any | Any | Any | 100 | 100 | Any |
| Perform Percent Decoding | Disabled | Disabled | Disabled | Disabled | Disabled | Disabled |
| Attack Signatures Overrides | | | | | | |
| Attack Signatures Check | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
| Attack Signatures Overrides | No overrides were selected | No overrides were selected | No overrides were selected | No overrides were selected | No overrides were selected | No overrides were selected |
| Meta Characters | | | | | | |
| Check Characters | Disabled | Disabled | Disabled | Disabled | Disabled | Disabled |

PARAMETERS

All templates are populated with a default * wildcard parameter. Prior to version 13.1, RDP included the "__VIEWSTATE" parameter, which was set to "Ignore". The following are the properties and configuration.
| Parameters | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
|---|---|---|---|---|---|---|
| Properties | | | | | | |
| Name | Wildcard: * | Wildcard: * | Wildcard: * | Wildcard: * | Wildcard: * | Wildcard: * |
| Level | Global | Global | Global | Global | Global | Global |
| Perform Staging | Disabled | Disabled | Disabled | Enabled | Enabled | Disabled |
| Allow Empty Value | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
| Allow Repeated Occurrences | Disabled | Disabled | Disabled | Disabled | Disabled | Disabled |
| Sensitive Parameter | Disabled | Disabled | Disabled | Disabled | Disabled | Disabled |
| Value Type | user-input | user-input | user-input | user-input | user-input | user-input |
| Data Type | Alpha-Numeric | Alpha-Numeric | Alpha-Numeric | Alpha-Numeric | Alpha-Numeric | Alpha-Numeric |
| Data Type Attributes | | | | | | |
| Maximum Length | Any | Any | Any | 10 | 10 | Any |
| Regular Exp. | Disabled | Disabled | Disabled | Disabled | Disabled | Disabled |
| Base64 Decoding | Disabled | Disabled | Disabled | Disabled | Disabled | Disabled |
| Value Meta Character | | | | | | |
| Value Meta Character Checks | Disabled | Disabled | Disabled | Enabled | Enabled | Disabled |
| Name Meta Character | | | | | | |
| Name Meta Character Checks | Disabled | Disabled | Disabled | Enabled | Enabled | Disabled |
| Attack Signatures | | | | | | |
| Attack Signatures Checks | Enabled | Enabled | Enabled | Enabled | Enabled | Disabled |
| Select signatures overrides | No overrides were selected | No overrides were selected | No overrides were selected | No overrides were selected | No overrides were selected | No overrides were selected |
The following lists the sensitive parameters automatically added to the policy.
Sensitive Parameters
RDP
API Security
Fundamental
Comprehensive
PDP
Vulnerability Assessment Baseline
Learn New Entities
Password
No sensitive parameters included

ATTACK SIGNATURES CONFIGURATION

The following lists the attack signature settings configured in the policy for each template. As indicated in the table below, all templates except for Vulnerability Assessment Baseline include the "Generic Detection" set and place signatures in staging.
| Attack Signatures | RDP, API Security, Fundamental, Comprehensive, PDP | Vulnerability Assessment Baseline |
|---|---|---|
| Signature Staging | Enabled | Disabled |
| Place Updated Signatures in Staging | Enabled (placed in staging and retains old version) | Disabled |
| Attack Signature Set Assignment | Generic Detection Signatures set, Learn/Alarm/Block enabled | 1. Generic Detection Signatures set, Learn/Alarm/Block disabled; 2. High Accuracy Detection Evasion Signatures, Learn/Alarm/Block disabled |
| Apply Response Signatures | No file types were selected | No file types were selected |

THREAT CAMPAIGNS

The Threat Campaigns feature is only available on BIG-IP version 14.0 or later. In all templates except Vulnerability Assessment Baseline, the Threat Campaign detected violation is enabled with the Alarmed and Blocked settings, and Enable Campaign staging is disabled. For Vulnerability Assessment Baseline, both are disabled.

SESSIONS AND LOGINS

There are no pre-defined login or logout pages for any generic template.
The following lists the login settings automatically added to the policy.
| Login Enforcements | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
|---|---|---|---|---|---|---|
| Expiration Time | Disabled | Disabled | Disabled | Disabled | Disabled | Disabled |
| Authenticated URLs | None | None | None | None | None | None |
The following lists the session tracking settings added to the policy.
| Session Tracking | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
|---|---|---|---|---|---|---|
| Session Hijacking | | | | | | |
| Detect Session Hijacking by Device ID Tracking | Disabled | Disabled | Disabled | Enabled | Disabled | Disabled |
| Session Tracking Configuration | | | | | | |
| Session Awareness | Disabled | Disabled | Disabled | Enabled | Disabled | Disabled |
| Application Username | Use All Login Pages | Use All Login Pages | Use All Login Pages | None | Use All Login Pages | Use All Login Pages |
| Violation Detection Actions | | | | | | |
| Track Violations and Perform Actions | Disabled | Disabled | Disabled | Enabled | Disabled | Disabled |
| Violation Detection Period | 900s | 900s | 900s | 900s | 900s | 900s |