Manual Chapter: Editing Web Application Security Policies
Applies To: BIG-IQ Centralized Management 8.3.0, 8.2.0, 8.1.0
Editing application security policies
You modify application security policies to customize how they protect your web application server. Application security policies can be created in Web Application Security, but more often they are created on BIG-IP devices and come into the Web Application Security configuration when you discover the devices.
- Go to.
- Click the name of the policy you want to edit. The policy is placed under administrative lock. Policy objects that you can view or edit are listed on the left.
- Edit the properties of each policy object as needed. Consult the documentation for each policy object to edit it individually.
- Click Save to save the modifications to each object and unlock the policy.
Changes to the policy objects are saved in the working configuration of the BIG-IQ Centralized Management system; they do not reach the managed devices until you deploy. Assuming the policy is assigned to a virtual server, the next deployment sends the new configuration to one or more BIG-IP devices.
Manage general property settings
You can manage the general settings of an application security policy whether it was created in Web Application Security or imported from managed BIG-IP devices when you discovered them. You can view and modify the properties of individual application security policies.
- Go to the General Properties screen: click.
- Click the name of the policy to modify, and then on the left click General Properties.
- Edit the properties as appropriate.
- Save your changes to the general properties of the policy.
The system saves the changes in the working configuration of the BIG-IQ Centralized Management system.
General property settings
These properties are the general configuration options and
settings that determine the overall behavior and functionality of the application security
policy.
| Property | Description |
|---|---|
| Name | Unique name of the security policy. You can set the Name only when you create the policy. |
| Partition | Partition to which the security policy belongs. Only users with access to a partition can view the objects it contains. If the policy resides in the Common partition, all users can access it. |
| Description | Optional description of the security policy. Type any helpful details about the policy. This field is limited to 255 characters. |
| Full Path | Full path to the security policy. |
| Policy Type | Indicates the type of policy. |
| Parent Policy | Specifies the parent policy associated with this policy, if any. |
| Application Language | Language encoding for the web application, which determines how the security policy processes character sets. The default language encoding determines the default character sets for URLs, parameter names, and parameter values. |
| Security Policy is case sensitive | If enabled, the security policy treats file types, URLs, and parameters as case-sensitive. When this setting is disabled (not checked), the system stores these policy elements in lowercase in the policy configuration. |
| Application Templates | Specifies options for using the policy with application templates. The default is templates-default. |
| Event Correlation Reporting | If enabled, events are reported in groups (correlated) rather than as individual transactions. You can disable this setting only for BIG-IP devices version 13.1 or later. |
| Learning Mode | Select one of the options to indicate how the policy learns. |
| Enforcement Mode | Specifies how the system processes a request that triggers a security policy violation. |
| Enforcement Readiness Period | Number of days in the period; the default is 7. Security policy entities and attack signatures remain in staging for this period before the system suggests that you enforce them. The system does not enforce policy entities and attack signatures while they are in staging, which lets you test them for false positives without enforcing them. |
| Mask Credit Card Numbers in Request Log | When enabled, the system masks credit card numbers in the request log. If disabled (cleared), credit card numbers are not masked. |
| Maximum HTTP Header Length | Maximum length of an HTTP header name and value that the system processes. The default is 8192 bytes. The system calculates and enforces the length as the sum of the header name length and the header value length. To change the limit, type a different value in the field; to accept any length, clear the field. An empty field (a value of any) indicates that there are no restrictions on the HTTP header length up to 8192 bytes. |
| Maximum Cookie Header Length | Maximum length of a cookie header name and value that the system processes. The default is 8192 bytes. The system calculates and enforces the length as the sum of the cookie header name length and the cookie header value length. To change the limit, type a different value in the field; to accept any length, clear the field. An empty field (a value of any) indicates that there are no restrictions on the cookie header length up to 8192 bytes. |
| Allowed Response Status Code | Specifies which requests the security policy permits, based on the HTTP response status codes they return. Click the gear icon to add or delete response codes. |
| Dynamic Session ID in URL | Specifies how the security policy processes URLs that use dynamic sessions. Click the gear icon to change the setting or create a custom pattern. |
| Trigger ASM iRule Events | When enabled, Web Application Security activates ASM iRule events; when disabled (the default), it does not. Leave this option disabled if you have not written any ASM iRules, or have written only iRules that are not ASM iRules (non-ASM iRule events are triggered by Local Traffic Manager). Enable it if you have written iRules that process ASM iRule events and assigned them to a specific virtual server. |
| Trust XFF Header | When set to No (the default), the system does not trust an XFF (X-Forwarded-For) header in the request. Leave this option disabled if the header may be spoofed or crafted by a malicious client; with it disabled, if Web Application Security is deployed behind an internal proxy, the system uses the internal proxy's IP address instead of the client's. If Web Application Security is deployed behind an internal or other trusted proxy, click the gear icon, select the Trust XFF Headers check box and, if your proxy uses one, add a custom header name (letters a-z, A-Z only, no whitespace). The system then uses the IP address that initiated the connection to the proxy instead of the proxy's IP address. Trust the header only when that proxy strips or overwrites any XFF value arriving from the client; otherwise the attacker, not the proxy, chooses the address the system logs and acts on. |
| Handle Path Parameters | Specifies how the system handles path parameters that are attached to path segments in URIs. |
Edit inheritance settings
You use the Inheritance Settings screen to change which properties a policy shares with related policies, by editing the inheritance settings of a parent or child policy.
- Navigate to the Inheritance Settings screen: click.
- Click the appropriate policy name to display the policy properties screen.
- Click Inheritance Settings.
- Review or modify the inheritance settings. The contents of this screen differ depending on whether the policy is a parent policy, a child policy, or neither.
  - If the current policy is neither a parent policy nor a child policy, the Parent Policy list is set to None, and no other properties are shown on the screen.
  - If the current policy is a child policy, or will become one:
    - From the Parent Policy list, review or select a parent policy. By default, the setting is None.
    - Review the list of properties that are displayed and, where needed, select Accept or Decline.
    - Optionally, add comments about the inheritance settings by clicking the comment icon in the Comments column and typing text in the space provided.
  - If the current policy is a parent policy:
    - In the Inheritance column, review or change the inheritance setting for each property row:
      - Mandatory: the property must be inherited by child policies.
      - Optional: a child policy may accept or decline the property.
      - None: the property is not available to child policies.
    - The Accepted, Declined, Unread, and Comments columns show the number of child policies in each category for that property. Optionally, click a number to display additional information on the Child Policy Overview screen.
- Click Save to save your changes.
The inheritance settings for the policy are updated.
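The following Python, added here as an illustration and not BIG-IQ code, works out what a child policy actually enforces for each property given the parent's inheritance setting (Mandatory, Optional, None) and the child's Accept/Decline choice, and produces the Accepted/Declined/Unread counts the procedure above describes. The dictionary layout, the sample property values and the treatment of an Optional property the child has not yet answered are assumptions of this example.

```python
from typing import Dict, List, Optional, Tuple

MANDATORY, OPTIONAL, NONE = "Mandatory", "Optional", "None"
ACCEPT, DECLINE = "Accept", "Decline"


def effective_value(inheritance: str, child_choice: Optional[str],
                    parent_value: object, child_value: object) -> object:
    """Value a child policy ends up enforcing for one property.

    Mandatory -> the parent's value, whatever the child chose.
    Optional  -> the parent's value if the child accepted it, otherwise the
                 child's own value.  An unanswered Optional property is treated
                 like Decline here; that is this example's assumption, the page
                 does not say what an unanswered property resolves to.
    None      -> the property is not offered, so the child's own value.
    """
    if inheritance == MANDATORY:
        return parent_value
    if inheritance == OPTIONAL:
        return parent_value if child_choice == ACCEPT else child_value
    if inheritance == NONE:
        return child_value
    raise ValueError(f"unknown inheritance setting {inheritance!r}")


# parent[prop] = {"value": ..., "inheritance": Mandatory|Optional|None}
# child[prop]  = {"value": ..., "choice": Accept|Decline (optional), "read": bool (optional)}
Policy = Dict[str, dict]


def resolve_child(parent: Policy, child: Policy) -> Dict[str, object]:
    """Effective settings of one child policy under the given parent."""
    resolved = {}
    for prop, p in parent.items():
        c = child.get(prop, {})
        resolved[prop] = effective_value(p["inheritance"], c.get("choice"), p["value"], c.get("value"))
    return resolved


def overview_counts(parent: Policy, children: Dict[str, Policy]) -> Dict[str, Dict[str, int]]:
    """Per-property Accepted / Declined / Unread counts as the Inheritance
    Settings and Child Policy Overview screens show them.  Only Optional
    properties can be declined: Mandatory counts every child as accepted,
    None offers the property to nobody.  Unread counts declined entries that
    nobody has marked as read yet."""
    counts = {}
    for prop, p in parent.items():
        accepted = declined = unread = 0
        for child in children.values():
            entry = child.get(prop, {})
            if p["inheritance"] == MANDATORY:
                accepted += 1
            elif p["inheritance"] == OPTIONAL:
                if entry.get("choice") == ACCEPT:
                    accepted += 1
                elif entry.get("choice") == DECLINE:
                    declined += 1
                    if not entry.get("read", False):
                        unread += 1
        counts[prop] = {"Accepted": accepted, "Declined": declined, "Unread": unread}
    return counts


def declined_list(parent: Policy, children: Dict[str, Policy]) -> List[Tuple[str, str]]:
    """(child name, property) pairs the Declined filter would show."""
    return [(name, prop) for prop, p in parent.items() if p["inheritance"] == OPTIONAL
            for name, child in children.items() if child.get(prop, {}).get("choice") == DECLINE]


# Constructed sample: a corporate baseline parent and two child policies.
PARENT: Policy = {
    "Enforcement Mode": {"value": "Blocking", "inheritance": MANDATORY},
    "Enforcement Readiness Period": {"value": 7, "inheritance": OPTIONAL},
    "Trust XFF Header": {"value": False, "inheritance": OPTIONAL},
    "Description": {"value": "Corporate baseline", "inheritance": NONE},
}
CHILDREN: Dict[str, Policy] = {
    "shop": {
        "Enforcement Mode": {"value": "Transparent", "choice": DECLINE},  # ignored: Mandatory
        "Enforcement Readiness Period": {"value": 14, "choice": DECLINE, "read": False},
        "Trust XFF Header": {"value": True, "choice": ACCEPT},
        "Description": {"value": "Shop front end"},
    },
    "partner-api": {
        "Enforcement Readiness Period": {"value": 7, "choice": ACCEPT},
        "Trust XFF Header": {"value": True, "choice": DECLINE, "read": True},
        "Description": {"value": "Partner API"},
    },
}

if __name__ == "__main__":
    for name, child in CHILDREN.items():
        print(name, resolve_child(PARENT, child))
    print(overview_counts(PARENT, CHILDREN))
    print(declined_list(PARENT, CHILDREN))
```

Note that the shop child's attempt to run Transparent is simply overridden because Enforcement Mode is Mandatory, while its declined readiness period and the partner API's declined XFF setting are the entries a reviewer has to go and mark as read on the Child Policy Overview screen.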
Edit child policy overview settings
You can review and edit the inheritance status of the child policies associated with a parent policy. A parent policy can be associated with multiple child policies. A declined property means that child policy enforces its own value rather than the parent's, so review the Declined list before you deploy.
- Navigate to the Child Policy Overview screen: click.
- Click the name of the policy you want to review, and click Child Policy Overview.
- Review the inheritance settings for the child policies associated with the parent policy.
  - Click All to view all properties that could be inherited by a child policy.
  - Click Declined to view only the properties that a child policy declined to inherit.
  - Expand each policy section in the list to review the inheritance status (declined or accepted) for each child policy.
- Indicate whether you have reviewed declined inheritance properties. In the Policy Section row for a child policy property:
  - Click Mark as Read to indicate that you have reviewed a declined property for a child policy.
  - Click Mark as Unread to indicate that you have not yet reviewed it.
  - Click Mark All as Read to indicate that you have reviewed all declined properties within that heading.
  - To enter a comment, click the comment icon in the row. To remove all comments in a section, click Clear All in the heading row for that policy section.
- Click Save to save your changes.
The child policy overview is updated.
Response page editing
You can review and change the settings on various types of response pages. Response page settings specify the response content that the system sends to the user when the security policy blocks a client request.
Edit Ajax response page settings
You use the Ajax Response Page screen to view and edit the settings for the Ajax response page, which is one of several response pages. Response page settings specify the content of the response that the system sends to the user when the security policy blocks a client request.
- Go to the Ajax Response Page screen: click.
- Click a policy name, and then click.
- In the AJAX Blocking setting, select the Enabled check box to view and edit the settings. When this is checked (enabled), the system injects JavaScript code into responses. You must enable this check box to configure an ASM Ajax response page, which is returned when the system detects an Ajax request that does not comply with the security policy.
- From the Default Response Page Action list, select an action. Your selection determines the remaining settings.
  - Popup Message: the screen displays a sample pop-up message that you can edit. Click Preview On to preview the response.
  - Custom Response: the screen displays the default response page, which you can edit to create a custom response. Alternatively, you can upload the response:
    - Click Choose File to select the file containing the response, and then click Upload to insert it.
    - Click Preview On to preview the response.
    - To return to the original default response text, click Paste Default Response Body.
  - Redirect URL: the system redirects the user to a specific web page instead of displaying a response page. You must enter a URL for the redirect.
- In the Login Page Response Action list, select an action. Your selection determines the settings. The actions are the same as those for the Default Response Page Action list.
- In the Failed Login Honeypot Page Response Action list, select an action. Your selection determines the settings. The actions are the same as those for the Default Response Page Action list.
- When you are finished, save your changes.
The response page settings are updated.
Edit CAPTCHA response page settings
You use the CAPTCHA Response Page screen to view and edit the settings for CAPTCHA responses. Response page settings specify the response content that the system sends to the user when the security policy blocks a client request.
- Click.
- Click a policy name; on the next screen, on the left click Response Pages, and then for the Response Pages type, click CAPTCHA.
- For the Response Type setting, specify whether to use the default or a custom response.
  - To use the displayed response header and response body, select Default Response.
  - To use a modified response header or response body, select Custom Response. Selecting Custom Response makes the editing options available.
- In the Response Header setting, review or change the response header.
  - If you selected the default response type, you can review but not modify the response header.
  - If you selected the custom response type, you can modify the response header by editing the header text.
  - To replace your modifications with the default response header, click Paste Default Response Header.
- For the Response Body setting, review or change the response body.
  - If you selected the default response type, you can review but not modify the response body.
  - If you selected the custom response type, you can modify the response body by editing the body text directly or by importing a file with that text. To import the response body:
    - Click Choose File.
    - In the Open dialog box, select the file to import and click Open. The dialog box closes.
    - Click Upload. The contents of the file are now in the response body text box.
  - To replace your modifications with the default response body, click Paste Default Response Body.
- For the Preview setting, specify whether to see a preview of the response body.
  - To see a preview of how the response is displayed, click Preview On.
  - To skip the preview, click Preview Off.
- When you are finished, save your changes.
Edit CAPTCHA fail response page settings
You use the CAPTCHA Fail Response Page screen to view and edit the settings for CAPTCHA Fail responses. Response page settings specify the response content that the system sends to the user when the security policy blocks a client request.
- Click.
- Click a policy name; on the next screen, on the left click Response Pages, and then for the Response Pages type, click CAPTCHA Fail.
- For the Response Type setting, specify whether to use the default or a custom response.
  - To use the displayed response header and response body, select Default Response.
  - To use a modified response header or response body, select Custom Response. Selecting Custom Response makes the editing options available.
- For the Response Header setting, review or change the response header.
  - If you selected the default response type, you can review but not modify the response header.
  - If you selected the custom response type, you can modify the response header by editing the header text.
  - To replace your modifications with the default response header, click Paste Default Response Header.
- For the Response Body setting, review or change the response body.
  - If you selected the default response type, you can review but not modify the response body.
  - If you selected the custom response type, you can modify the response body by editing the body text directly or by importing a file with that text. To import the response body:
    - Click Choose File.
    - In the Open dialog box, select the file to import and click Open. The dialog box closes.
    - Click Upload. The contents of the file are now in the response body text box.
  - To replace your modifications with the default response body, click Paste Default Response Body.
- In the Preview setting, select whether to see a preview of the response body.
  - To see a preview of how the response is displayed, click Preview On.
  - To skip the preview, click Preview Off.
- When you are finished, save your changes.
Edit default response page settings
You use the Default Response Pages screen to view and edit the settings for the default response page, which is one of several response pages. Response page settings specify the content of the response that the system sends to the user when the security policy blocks a client request.
- Go to the Default Response Page screen: click.
- Click a policy name, and then click.
- Select a Response Type from the list. Your selection determines the additional settings.
  - Default Response: the screen displays the default response header and response body. The system sends the response body to the client as shown; you cannot edit these fields. Click Preview On to preview the response.
  - Custom Response: the screen displays the default response header and response body, which you can edit to create a custom response. Alternatively, for the response body, you can upload a response:
    - Click Choose File to select the file containing the response body, and then click Upload to insert it.
    - Click Preview On to preview the response.
    - To return to the original default text for the header or the body, click Paste Default Response Header or Paste Default Response Body.
  - Redirect URL: the system redirects the user to a specific web page instead of displaying a response page. You must enter a URL in the Redirect URL field.
  - Soap Fault: used when the system blocks a SOAP request because of an XML-related violation. The screen displays the system-supplied response, written in the SOAP fault message structure; you cannot edit this text. Click Preview On to preview the response.
  - Erase Cookies: the system deletes all client-side domain cookies. This blocks the web application user once, rather than from the entire web application. The response header and response body are shown; you cannot edit this text. Click Preview On to preview the response.
- When you are finished, save your changes.
The response page settings are updated.
Edit failed login honeypot response page settings
You use the Failed Login Honeypot screen to view and edit the settings for the Failed Login Honeypot response page. Response page settings specify the response content that the system sends to the user when the security policy blocks a client request.
- Click.
- Click a policy name; on the left of the next screen, click Response Pages, and then for the Response Pages type, click Failed Login Honeypot.
- For the Response Type setting, specify whether to use the default or a custom response.
  - To use the displayed response header and response body, select Default Response.
  - To use a modified response header or response body, select Custom Response. Selecting Custom Response makes the editing options available.
- For the Response Header setting, review or change the response header.
  - If you selected the default response type, you can review but not modify the response header.
  - If you selected the custom response type, you can modify the response header by editing the header text.
  - To replace your modifications with the default response header, click Paste Default Response Header.
- For the Response Body setting, review or change the response body.
  - If you selected the default response type, you can review but not modify the response body.
  - If you selected the custom response type, you can modify the response body by editing the body text directly or by importing a file with that text. To import the response body:
    - Click Choose File.
    - In the Open dialog box, select the file to import and click Open. The dialog box closes.
    - Click Upload. The contents of the file are now in the response body text box.
  - To replace your modifications with the default response body, click Paste Default Response Body.
- For the Preview setting, specify whether to see a preview of the response body.
  - To see a preview of how the response is displayed, click Preview On.
  - To skip the preview, click Preview Off.
- When you are finished, save your changes.
Edit cookie hijacking response page settings
You use the Cookie Hijacking Response Page screen to view and edit the settings for the Cookie Hijacking response page. Response page settings specify the response content that the system sends to the user when the security policy blocks a client request.
- Click.
- Click a policy name; on the left of the next screen, click Response Pages, and for the Response Pages type, click Cookie Hijacking.
- For the Response Type setting, specify the type of response to use.
  - To use the default response header and body, select Default Response.
  - To use a modified response header or body, select Custom Response.
  - To use the SOAP fault response header and body, select SOAP Fault.
  - To use the erase cookies response header and body, select Erase Cookies.
  The response header and body change based on the response type you select. Selecting Custom Response makes the editing options available.
- For the Response Header setting, review or change the response header.
  - If you did not select Custom Response as the response type, you can review but not modify the response header.
  - If you selected Custom Response as the response type, you can modify the response header by editing the header text.
  - To replace your modifications with the default response header, click Paste Default Response Header.
- For the Response Body setting, review or change the response body.
  - If you did not select Custom Response as the response type, you can review but not modify the response body.
  - If you selected Custom Response as the response type, you can modify the response body by editing the body text directly or by importing a file with that text. To import the response body:
    - Click Choose File.
    - In the Open dialog box, select the file to import and click Open. The dialog box closes.
    - Click Upload. The contents of the file are now in the response body text box.
  - To replace your modifications with the default response body, click Paste Default Response Body.
- For the Preview setting, specify whether to see a preview of the response body.
  - To see a preview of how the response is displayed, click Preview On.
  - To skip the preview, click Preview Off.
- When you are finished, save your changes.
Edit mobile application response page settings
You use the Mobile Application Response Page screen to view and edit the settings for the mobile application response page. Response page settings specify the response content that the system sends to the user when the security policy blocks a client request.
- Click.
- Click a policy name; on the left of the next screen, click Response Pages, and for the Response Pages type, click Mobile Application.
- For the Response Type setting, specify whether to use the default or a custom response.
  - To use the displayed response header and response body, select Default Response.
  - To use a modified response header or response body, select Custom Response. Selecting Custom Response makes the editing options available.
- For the Response Header setting, review or change the response header.
  - If you selected the default response type, you can review but not modify the response header.
  - If you selected the custom response type, you can modify the response header by editing the header text.
  - To replace your modifications with the default response header, click Paste Default Response Header.
- For the Response Body setting, review or change the response body.
  - If you selected the default response type, you can review but not modify the response body.
  - If you selected the custom response type, you can modify the response body by editing the body text directly or by importing a file with that text. To import the response body:
    - Click Choose File.
    - In the Open dialog box, select the file to import and click Open. The dialog box closes.
    - Click Upload. The contents of the file are now in the response body text box.
  - To replace your modifications with the default response body, click Paste Default Response Body.
- For the Preview setting, specify whether to see a preview of the response body.
  - To see a preview of how the response is displayed, click Preview On.
  - To skip the preview, click Preview Off.
- When you are finished, save your changes.
Edit login response page settings
You use the Login Pages Response Page screen to view and edit the settings for the login page response page, which is one of several response pages. Response page settings specify the content of the response that the system sends to the user when the security policy blocks a client request.
- Go to the Login Pages Response Page screen: click.
- Click a policy name, and then click.
- Select a Response Type from the list. Your selection determines the additional settings.
  - Default Response: the screen displays the default response header and response body. The system sends the response body to the client as shown; you cannot edit these fields. Click Preview On to preview the response.
  - Custom Response: the screen displays the default response header and response body, which you can edit to create a custom response. Alternatively, for the response body, you can upload a response:
    - Click Choose File to select the file containing the response body, and then click Upload to insert it.
    - Click Preview On to preview the response.
    - To return to the original default text for the header or the body, click Paste Default Response Header or Paste Default Response Body.
  - Redirect URL: the system redirects the user to a specific web page instead of displaying a response page. You must enter a URL in the Redirect URL field.
  - Soap Fault: used when the system blocks a SOAP request because of an XML-related violation. The screen displays the system-supplied response, written in the SOAP fault message structure; you cannot edit this text. Click Preview On to preview the response.
  - Erase Cookies: the system deletes all client-side domain cookies. This blocks the web application user once, rather than from the entire web application. The response header and response body are shown; you cannot edit this text. Click Preview On to preview the response.
- When you are finished, save your changes.
The response page settings are updated.
Edit XML response page settings
You use the XML Response Page screen to view and edit the settings for the XML response page, which is one of several response pages. Response page settings specify the content of the response that the system sends to the user when the security policy blocks a client request.
- Go to the XML Response Page screen: click.
- Click a policy name, and then click.
- Select a Response Type from the list. Your selection determines the additional settings.
  - Custom Response: the screen displays the default response header and response body, which you can edit to create a custom response. Alternatively, for the response body, you can upload a response:
    - Click Choose File to select the file containing the response body, and then click Upload to insert it.
    - Click Preview On to preview the response.
    - To return to the original default text for the header or the body, click Paste Default Response Header or Paste Default Response Body.
  - Soap Fault: used when the system blocks a SOAP request because of an XML-related violation. The screen displays the system-supplied response, written in the SOAP fault message structure; you cannot edit this text. Click Preview On to preview the response.
- When you are finished, save your changes.
The response page settings are updated.
Add or edit brute force attack prevention
settings
You can protect login URLs against
brute force attacks. A
brute force
attack is an outside attempt by hackers
to access post login pages of a website by guessing user names and passwords. Brute
force attacks are performed when a hacker tries to log in to a URL numerous times,
running many combinations of user names and passwords, until he successfully logs in.
The Default
login URL is used for all defined login URLs that do not
have their own brute force configuration.- Click.
- Click the name of a policy, and on the left click.
- Specify the action to take for brute force attack prevention settings:
- To add a login URL to the security policy, clickAdd.
- To modify the brute force prevention properties for a login URL, click the name of the login URL.
The brute force prevention properties display. - Supply the general properties for brute force attack prevention for the login URL.
- In theLogin Pagesetting, select a login page, or create a login page by clickingCreate login page.
- In theConfiguration Supportsetting, specify whether to use current or legacy settings. The other available properties differ based on this setting.
- SelectCurrentwhen managing a BIG-IP device version later than 13.0.
- Select13.0 And Priorwhen managing a BIG-IP device version 13.0 or earlier.
- In theIP Address Whitelistsetting, review the settings or add new settings. To add an IP address, click theIP Address Whitelistsetting link.
- In the Source-based Brute Force Protection area, supply the source-based protection settings.This area is available only whenConfiguration Supportis set toCurrent.
- In theDetection Periodsetting, type the number of minutes the detection period should last.
- In theMaximum Prevention Durationsetting, type the number of minutes the prevention period should last.
- For each of the other settings in this section, set the trigger and the action:
- In the Trigger setting, specify when the trigger for the action occurs by selecting either Never or After a specified value is reached.
- For the Action setting, select the action that occurs when the trigger is reached.
- In the Distributed Brute Force Protection area, supply the distributed protection settings. This area is available only when Configuration Support is set to Current.
- In the Detection Period setting, type the number of minutes for detection.
- In the Maximum Prevention Duration setting, type the number of minutes for maximum prevention duration.
- In the Detect Distributed Attack setting, select when the distributed attack detection occurs.
- Select Never to have no distributed brute force attack protection.
- Select After x failed login attempts to have a distributed brute force attack detected when x failed logins are seen, from any source IP addresses, within the Detection Period configured previously.
- In the Detect Credential Stuffing setting, select when the detection should occur.
- Select Never to have no credential stuffing detection.
- Select After x login attempts that match stolen credentials dictionary to have the attack reported when the configured number of login attempts use username and password pairs found in the stolen credentials dictionary.
- In the Mitigation setting, select the distributed brute force protection mitigation option to use.
- In the Session-based Brute Force Protection area, supply the session-based protection settings. This area is available only when the Configuration Support setting is set to 13.0 And Prior.
- In the Login Attempts from the Same Client setting, type the number of login attempts to allow from one client before login is blocked for that client.
- In the Re-enable Login After setting, type the number of seconds after which that client may attempt to log in again.
- In the Use Device ID setting, specify whether it is enabled.
- In the Dynamic Brute Force Protection area, supply the dynamic protection settings. This area is available only when the Configuration Support setting is set to 13.0 And Prior.
- For the Operation Mode setting, select one of the modes: Off, Alarm, or Alarm and Block.
- In the Measurement Period field, type the number of seconds.
- In the Detection Criteria field, type the values that define when a problem is detected.
- For the Prevention Policy setting, select one or more of the options to use for the policy. When Source IP-Based Client Side Integrity Defense is selected, the Suspicious Criteria (per IP address) setting is displayed and can be modified.
- In the Suspicious Criteria (per IP address) setting, type the values that define when failed login attempts become suspicious.
- In the Prevention Duration setting, select the duration. This setting is displayed only when Source IP-Based Client Side Integrity Defense is selected in the Prevention Policy setting.
- To have no limit on the duration, select Unlimited.
- To have a maximum duration, select Maximum and type a value for the number of seconds.
- Save your work.
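The following Python script is an added example, not part of the BIG-IQ documentation or of the BIG-IP product code. It shows what the Distributed Brute Force Protection settings above mean in practice: a detection window measured in minutes, a failed-login threshold that counts across all source IP addresses (which is what makes the attack "distributed"), a mitigation that lasts at most the Maximum Prevention Duration, and a credential stuffing counter that matches attempts against a stolen credentials dictionary. The thresholds, the dictionary contents and the login events are constructed for the demo.

```python
import hashlib
from collections import deque

# Thresholds mirror the settings described above; the values are assumptions for this demo.
DETECTION_PERIOD_SEC = 5 * 60       # Detection Period (minutes, converted to seconds)
MAX_PREVENTION_SEC = 10 * 60        # Maximum Prevention Duration
DISTRIBUTED_FAILED_THRESHOLD = 4    # Detect Distributed Attack: "After x failed login attempts"
STUFFING_MATCH_THRESHOLD = 2        # Detect Credential Stuffing: "After x login attempts that match ..."


def cred_fingerprint(username: str, password: str) -> str:
    """Hash the username:password pair so the dictionary never holds plaintext."""
    return hashlib.sha256(f"{username}:{password}".encode()).hexdigest()


# Constructed stand-in for the stolen credentials dictionary.
STOLEN_CREDENTIALS = {
    cred_fingerprint("carol", "Password1"),
    cred_fingerprint("dave", "Summer2023!"),
}


class LoginDefender:
    """Sliding-window counters for one login URL, independent of source IP."""

    def __init__(self):
        self._failed = deque()      # timestamps of failed logins from any client
        self._stuffed = deque()     # timestamps of attempts using leaked credentials
        self._mitigate_until = 0.0

    @staticmethod
    def _prune(window: deque, now: float) -> None:
        while window and now - window[0] > DETECTION_PERIOD_SEC:
            window.popleft()

    def is_mitigating(self, now: float) -> bool:
        return now < self._mitigate_until

    def observe(self, now, source_ip, username, password, success):
        """Record one login attempt and return the alerts it raised."""
        alerts = []
        if not success:
            self._failed.append(now)
        if cred_fingerprint(username, password) in STOLEN_CREDENTIALS:
            self._stuffed.append(now)
        self._prune(self._failed, now)
        self._prune(self._stuffed, now)

        # The failed-login count is global: four different IPs with one failure each
        # trip it, which a per-client (session-based) counter would never see.
        if len(self._failed) >= DISTRIBUTED_FAILED_THRESHOLD and not self.is_mitigating(now):
            self._mitigate_until = now + MAX_PREVENTION_SEC
            alerts.append("distributed-brute-force")
        if len(self._stuffed) >= STUFFING_MATCH_THRESHOLD:
            alerts.append("credential-stuffing")
            self._stuffed.clear()       # report once per burst
        return alerts


# Constructed login events: (seconds, source IP, username, password, success)
SAMPLE_EVENTS = [
    (0, "10.0.0.1", "alice", "wrong1", False),
    (30, "10.0.0.2", "alice", "wrong2", False),
    (60, "10.0.0.3", "bob", "wrong3", False),
    (90, "10.0.0.4", "alice", "wrong4", False),        # 4th failure inside the window
    (120, "10.0.0.5", "carol", "Password1", False),    # leaked pair, 1st match
    (150, "10.0.0.6", "dave", "Summer2023!", True),    # leaked pair, 2nd match (and it worked)
    (800, "10.0.0.7", "alice", "wrong5", False),       # window has slid; prevention expired
]


def replay(events, defender=None):
    """Feed events to a defender and return (alerts per event, defender)."""
    defender = defender or LoginDefender()
    return [defender.observe(*event) for event in events], defender


if __name__ == "__main__":
    for event, alerts in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)[0]):
        print(event[0], event[1], alerts)
```

Note that the successful login at 150 seconds still counts toward credential stuffing: a valid leaked password is exactly the case the dictionary check exists for, so the counter must not be limited to failures.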
Add methods
In the application security policy,
you can specify the HTTP methods that clients may use in requests to the protected web
application. All security policies accept the standard HTTP methods by default. If your
web application uses HTTP methods other than the default allowed methods (GET, HEAD, and
POST), you can add them to the security policy; a request that uses a method not in the
list raises an illegal method violation.
- Click.
- Click the policy name, and then click.
- Click Add to add a method.
- From the Method list, select a method.
- When you are finished, click Save. The new method is added to the list on the Methods screen. The method appears in blue, meaning that you can edit it. The check box to the left indicates that you can also delete it.
The system updates the policy to use
the new methods.
Add or edit HTTP header settings
In the application security policy,
you can specify the HTTP request headers that the policy recognizes and, for each one,
how its value is inspected: whether the header is mandatory, whether attack signatures
are checked against it, and how it is normalized before inspection.
- Click.
- Click the policy name.
- On the left, click. The screen displays a list of HTTP headers. The wildcard header is configured by default.
- Select whether to add a new HTTP header or view or modify an existing HTTP header.
- Click Add to add a new header.
- Click the name of the header to view or modify the properties.
Only HTTP headers that are displayed in blue can be modified or viewed.
- Add a Name. When adding a new header, select the name of the HTTP header from the list. When modifying a header, the name cannot be changed.
- Select a Type: explicit or wildcard. The only wildcard header in the system is the default pure wildcard header (*).
- Enable Mandatory to require this header to appear in requests.
- Enable Check Signatures to allow the system to perform attack signature checks on this header.
- Base64 Decoding. When enabled, specifies that the security policy checks the header's value for Base64 encoding, and decodes the value before inspecting it. The default is disabled.
- Normalization. Specifies whether the system normalizes headers. Select the type of normalization the system should perform on headers. Normalization lets the signature checks see the decoded value, so a payload cannot be hidden behind encoding, but there is a performance trade-off, so use it only where the application actually accepts encoded header values.
- Percent Decoding: Specifies, when enabled, that the system performs the following actions on header content: %XX and %uXX decoding, bad unescaping, Apache whitespace, IIS Unicode codepoints, and plus to space.
- URL Normalization and Percent Decoding: Specifies, when enabled, that the system performs these actions on header content: multiple slashes, directory traversal, backslash replacement, and path parameter removal, plus all Percent Decoding checks.
- HTML Normalization: Specifies, when enabled, that the system performs the following actions on header content: removes all non-printables, whitespaces and the "+" character, skips comments, decodes HTML entities, performs hex decoding, decimal decoding, 0xXX decoding, style sheet escaping, and removes backslashes.
- Enable Evasion Techniques Violations to have the system log, and/or raise learning suggestions for, evasion violations detected while normalizing this header. The default is disabled.
- Enable Mask Value in Logs to mask sensitive user header information in your report logs.
- To customize signature override settings for headers, select a signature from the Overridden Security Policy Settings list and then click Enabled or Disabled.
- Click Save to save your changes.
The system updates the policy to use the new
settings.
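The following Python script is an added example, not BIG-IP code, showing why the Percent Decoding and URL Normalization options above matter for signature checks, and what an evasion techniques violation is. It implements a subset of the listed steps (%XX and %uXXXX decoding, bad unescaping, multiple decoding, backslash replacement, path parameter removal, multiple slashes, directory traversal); HTML normalization and Apache whitespace handling are left out. The signature set and the header value are constructed; the flag names follow the evasion techniques ASM reports, but the exact matching is this script's own.

```python
import re

# Constructed signature set; the real attack signature database is far larger.
SIGNATURES = {
    "path traversal to passwd": re.compile(r"/etc/passwd", re.I),
    "script tag": re.compile(r"<script\b", re.I),
}


def percent_decode(value: str):
    """'Percent Decoding': %XX, %uXXXX and plus-to-space, with evasion flags."""
    flags = set()
    if re.search(r"%u[0-9a-fA-F]{4}", value):
        flags.add("%u decoding")                   # IIS-style Unicode escapes
    decoded = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), value)
    decoded = re.sub(r"%([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), decoded)
    if re.search(r"%(?![0-9a-fA-F]{2})", decoded):
        flags.add("bad unescape")                  # a '%' that is not a valid escape
    if re.search(r"%[0-9a-fA-F]{2}", decoded):
        flags.add("multiple decoding")             # %25XX: the payload was encoded twice
    return decoded.replace("+", " "), flags


def url_normalize(path: str):
    """'URL Normalization': backslashes, path parameters, repeated slashes, traversal."""
    flags = set()
    slashed = path.replace("\\", "/")
    if slashed != path:
        flags.add("IIS backslashes")
    stripped = re.sub(r";[^/]*", "", slashed)      # drop ;jsessionid=... style segments
    if stripped != slashed:
        flags.add("path parameter removal")
    collapsed = re.sub(r"/{2,}", "/", stripped)
    if collapsed != stripped:
        flags.add("multiple slashes")
    segments = []
    for seg in collapsed.split("/"):
        if seg == "..":
            flags.add("directory traversal")
            if segments and segments[-1] != "":    # never pop the root marker
                segments.pop()
        elif seg == ".":
            flags.add("directory traversal")
        else:
            segments.append(seg)
    return "/".join(segments) or "/", flags


def normalize_header(value: str, mode: str):
    """mode: 'none', 'percent', or 'url' (URL Normalization and Percent Decoding)."""
    flags = set()
    out = value
    if mode in ("percent", "url"):
        out, found = percent_decode(out)
        flags |= found
    if mode == "url":
        out, found = url_normalize(out)
        flags |= found
    return out, flags


def check_signatures(value: str):
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(value))


def inspect_header(name: str, value: str, mode: str):
    """Normalize a header value, then run the signatures over the normalized form."""
    normalized, evasions = normalize_header(value, mode)
    return {"header": name, "normalized": normalized,
            "evasions": sorted(evasions), "signatures": check_signatures(normalized)}


if __name__ == "__main__":
    # Constructed evasive header value: encoded backslash and slash, a path parameter, doubled slash.
    print(inspect_header("X-Original-URL", "/static//..%5c..%2fetc/passwd;jsessionid=1", "url"))
```

With Normalization set to none the signature never fires on this value, because the raw string does not contain "/etc/passwd"; with URL Normalization and Percent Decoding it both fires and produces four evasion flags, which is what Evasion Techniques Violations would log.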
Edit host name settings
You can review, add, and delete host
names from the policy using the Host Names screen. This list of host names is used by
several features of the application security policy to decide which hosts belong to the
protected application.
- Navigate to the Host Names screen: click.
- Then click the name of the appropriate policy, and on the left click.
- Review the list of host names. If no host names are listed, you can add them by clicking Add.
- To modify a host name, click the name of the host name. The Host Name properties screen opens.
- Review the Host Name.
- To have the host name also cover its sub-domains, select the Include Sub-domains check box.
- To have the policy operate in transparent mode for this host, so that requests to it are logged but never blocked and all responses are forwarded, select the check box for Policy is always transparent for this host.
- Click Save to save your changes.
The host name settings for the policy
are updated.
Add or edit cookie settings
You can review, add, and remove
cookies from a policy, and re-order cookie wildcards using the Cookies screen. You use
the same process to modify or add a cookie. The only difference is that when you modify
a cookie, the Cookie Name properties already exist and you cannot change them.
- Click.
- Click the name of the appropriate policy, and on the left click. The screen displays a list of cookies.
- To add a new cookie, click Add, or click a cookie name to modify an existing cookie. Some properties can be specified only when adding a cookie, not when modifying an existing one.
- Type or review the Cookie Name, and specify whether it is Explicit or is a Wildcard expression. You can specify a cookie name only when adding a new cookie.
- Specify the Cookie Type:
- Select Allowed to indicate that the client may change the cookie.
- Select Enforced to indicate that the cookie cannot be changed by the client; the system treats a modified value as a violation.
Allowed provides additional options.
- Select the settings for the cookie.
- For Perform Staging, select the Enabled check box to indicate that the cookie is placed in staging.
- For Insert HTTPOnly attribute, select the check box to insert the attribute in the domain cookie response header, so that client-side script cannot read the cookie.
- For Insert SameSite attribute, specify whether the attribute should be set to None, Strict, or Lax. Only None can be selected for BIG-IP devices earlier than version 13.1.
- For Insert Secure attribute, select the check box to insert the attribute into the domain cookie response header, so that the browser sends the cookie only over HTTPS.
- For Base64 Decoding, select the check box to enable decoding of Base64 strings before inspection. (This setting is displayed only if the Cookie Type is set to Allowed.)
- For Mask Value in Logs, select the Enabled check box to mask sensitive user information in your report logs.
- For Attack Signatures Check, select the check box to verify attack signatures and display attack signature override settings. (This setting is displayed only if the Cookie Type is set to Allowed.)
- For Attack Signature Overrides, select a signature from the list, and then click Enabled or Disabled to indicate whether each signature should be overridden.
Once you have completed the configuration, click Save to save your changes. Once you save, the screen returns to the policy's list of cookies.
- To remove a cookie from staging, select the check box for the cookie and click Enforce Selected.
- To filter the list of cookies by their enforcement readiness, select an option from the Enforcement Readiness setting. Enforcement readiness is the state of enforcement for each cookie, such as not enforced, has a suggestion, or is ready to be enforced.
- To list all cookies, select All.
- To list cookies that have one or more suggestions, select Has suggestion.
- To list cookies that are not being enforced, select Not enforced.
- To list cookies that are ready to be enforced, select Ready to be enforced.
- Click Save to save your changes.
The cookie settings for the policy are added or
updated.
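The following Python script is an added example, not BIG-IP code. It shows the effect of the three "Insert ... attribute" options above on a Set-Cookie header, including the browser rule that SameSite=None is only honoured together with Secure, and it illustrates what the Enforced cookie type means with a keyed tag that detects a client-modified value. The HMAC tag is this example's illustration, not the mechanism the BIG-IP system uses; the key and the cookie values are constructed.

```python
import hashlib
import hmac

# Constructed key; a real deployment would use a per-device secret that is never logged.
ENFORCEMENT_KEY = b"constructed-demo-key"


def harden_set_cookie(header: str, *, httponly=True, secure=True, samesite="Lax") -> str:
    """Add HttpOnly / Secure / SameSite to a Set-Cookie value when they are missing.

    Mirrors the Insert HTTPOnly / SameSite / Secure attribute options. Attributes the
    application already set are kept as written; attribute names are case-insensitive,
    so an existing 'httponly' counts and is not duplicated.
    """
    parts = [p.strip() for p in header.split(";")]
    name_value, attrs = parts[0], [a for a in parts[1:] if a]
    present = {a.split("=", 1)[0].lower(): a for a in attrs}
    out = [name_value] + attrs
    if httponly and "httponly" not in present:
        out.append("HttpOnly")
    if samesite and "samesite" not in present:
        out.append(f"SameSite={samesite}")
    effective_samesite = present.get("samesite", f"SameSite={samesite or ''}").split("=", 1)[-1]
    # Browsers reject SameSite=None unless the cookie is also Secure, so force it in that case.
    if (secure or effective_samesite.lower() == "none") and "secure" not in present:
        out.append("Secure")
    return "; ".join(out)


def seal_enforced_cookie(name: str, value: str) -> str:
    """Tag a server-set cookie so a later request can prove the client did not alter it."""
    return hmac.new(ENFORCEMENT_KEY, f"{name}={value}".encode(), hashlib.sha256).hexdigest()


def verify_enforced_cookie(name: str, value: str, tag: str) -> bool:
    """Constant-time comparison; a False result corresponds to a modified-cookie violation."""
    return hmac.compare_digest(seal_enforced_cookie(name, value), tag)


if __name__ == "__main__":
    print(harden_set_cookie("sid=abc123; Path=/"))
    print(harden_set_cookie("sid=abc; Path=/; httponly", samesite="None", secure=False))
    tag = seal_enforced_cookie("cart", "3-items")
    print(verify_enforced_cookie("cart", "3-items", tag), verify_enforced_cookie("cart", "300-items", tag))
```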
Edit redirection protection
settings
You can enable redirection
protection and list the domains to which your security policy allows redirects, using the
Redirection Protection screen. By enabling redirection protection, you can help prevent
users from being redirected through the application to questionable, phishing, or malware
websites.
- Click.
- Click the name of the appropriate policy, and on the left click.
- For the Redirection Protection setting, select the Enabled check box. The screen displays other property settings.
- For Domain Name, type a domain name to which the security policy allows redirects.
- To have the security policy also allow sub-domains of the domain, select the Include Sub-Domains check box.
- To add the domain to the Allowed Redirection Domains list, click Add.
- To delete a domain from the Allowed Redirection Domains list, click the X to the left of that domain name. The domain is removed without confirmation.
- Save your work.
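The following Python script is an added example, not BIG-IP code, of the check that an Allowed Redirection Domains list implies: given a Location header, decide whether a browser following it would land on an allowed domain, honouring Include Sub-Domains. The allow list is constructed. The interesting part is the inputs that defeat a naive substring check: userinfo tricks (example.com@evil.net), look-alike suffixes (example.com.evil.net), scheme-relative and backslash forms (//evil.net, /\evil.net), and non-HTTP schemes.

```python
from urllib.parse import urlsplit

# Constructed Allowed Redirection Domains list: (domain, Include Sub-Domains).
ALLOWED_REDIRECT_DOMAINS = [
    ("example.com", True),
    ("partner.example", False),
]


def is_allowed_redirect(location: str, allow_list=ALLOWED_REDIRECT_DOMAINS) -> bool:
    """Would a browser following this Location header stay on an allowed domain?"""
    # Browsers treat backslashes like slashes before the authority, so '/\evil' is '//evil'.
    loc = location.strip().replace("\\", "/")
    parts = urlsplit(loc)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False                    # javascript:, data:, ... are never legitimate targets
    if parts.scheme and not parts.netloc:
        return False                    # 'https:evil.net' is parsed differently per base URL; fail closed
    if not parts.netloc:
        return True                     # path-only redirect stays on the current host
    host = (parts.hostname or "").rstrip(".")   # drops userinfo and port, lower-cases
    if not host:
        return False
    for domain, include_subdomains in allow_list:
        domain = domain.lower()
        if host == domain or (include_subdomains and host.endswith("." + domain)):
            return True
    return False


if __name__ == "__main__":
    for target in ["/account", "https://api.example.com/", "https://example.com@evil.net/",
                   "https://example.com.evil.net/", "//evil.net/x", "https://sub.partner.example/"]:
        print(f"{target!r:40} allowed={is_allowed_redirect(target)}")
```

The comparison is on the parsed host, never on the raw string: "example.com" appears in three of the rejected inputs above, which is exactly why a "contains the allowed domain" check is not redirection protection.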
Edit header character set settings
You can configure the security
policy to allow or disallow certain characters in the value field of an HTTP header and
in uncommon header names.
- Navigate to the Character Set screen: click.
- Click the name of the appropriate policy, expand HEADERS and click Character Set.
- Review the list of characters, and for each, determine whether it should be allowed. You can use the View options to select which group of characters are displayed.
- To allow characters in a header, select the check box in the Allowed column of the table row.
- For characters that should not be allowed in a header, clear the check box in the Allowed column of the table row.
- Click Save to save your changes.
Edit IP addresses list settings
You can view and edit configured IP
address exceptions and characteristics.
- Navigate to the IP Address screen: click.
- Select a policy name, expand IP ADDRESSES, and select IP Addresses List.
- Click Add.
- Type the IP Address for the exception. To add a route domain, type %n after the IP address, where n is the route domain identification number.
- Type a Netmask. If you omit the netmask value, the system uses a default value of 255.255.255.255, so the exception matches only that single address.
- Select whichever of the following options should be enabled.
- Select the Policy Builder Trusted IP check box to specify that the Policy Builder considers traffic from this IP address to be legitimate. The Policy Builder automatically adds to the security policy data logged from traffic sent from this IP address, so trust only addresses you control: anything an attacker can send from a trusted address is learned as legitimate.
- Select the Ignore in Anomaly Detection and do not Collect Device ID check box to specify that the system considers traffic from this IP address to be safe. The security policy does not take this IP address into account when performing brute force prevention and web scraping detection.
- Select the Ignore in Learning Suggestion check box to specify that the system does not generate learning suggestions from traffic sent from this IP address.
- Select the Never log traffic from this IP Address check box to specify that the system does not log requests or responses sent from this IP address, even if the security policy is configured to log all traffic.
- Select the Ignore IP Address Intelligence check box to specify that the system considers traffic from this IP address to be safe even if it matches an IP address in the IP Address Intelligence database.
- In the Block this IP Address setting, select one of the blocking options.
- Select Policy Default to use the policy blocking settings.
- Select Never Block This IP to never block this IP address.
- Select Always Block This IP to always block this IP address.
If Always Block This IP is selected, many of the options become invalid and are removed from the screen.
- Type a brief description for the IP address.
- When you are finished, click Save to save the modifications and unlock the policy.
The IP Address settings are updated
to use the new configured IP address exceptions, and any changes made are put into
effect in the working configuration of the BIG-IQ Centralized
Management system.
Edit IP address intelligence
settings
You can review and modify IP address
intelligence settings. An IP intelligence database is a list of IP
addresses with questionable reputations. Refer to the ASM documentation or online help
for more information on IP address intelligence.
- Navigate to the IP Address screen: click.
- Select a policy name, expand IP ADDRESSES, and select IP Address Intelligence.
- Select the IP Address Intelligence Enabled check box. Other properties display; you can review the descriptions of the properties for additional information.
- For the IP Address White List setting, type the IP address and subnet mask for each address or range that should be exempt from IP intelligence checks, and click Add after each addition.
- In the IP Address Intelligence Categories area, specify the categories that you want to alarm or block.
- Select the Alarm check box to specify that whenever a request is sent from a source IP address that matches the category, the system logs the IP Intelligence data.
- Select the Block check box to specify that the system stops requests sent from a source IP address that matches the category. In order for the system to block requests, the security policy must be in Blocking mode.
- Click Save when you are done.
The IP address intelligence settings
are updated.
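The following Python script is an added example, not BIG-IP code, that ties together the two preceding procedures: the IP Addresses List (including the %n route domain suffix, the default 255.255.255.255 netmask, Never log, Ignore IP Address Intelligence and the Block this IP Address options) and the IP Address Intelligence categories with their Alarm and Block check boxes. The exception rows, the reputation feed, the white list and the rule that the most specific matching row wins are all constructed for the demo; the one product fact it encodes is that Block only takes effect when the policy is in Blocking mode.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IpException:
    """One row of the IP Addresses List."""
    address: str                        # "a.b.c.d" or "a.b.c.d%n" (n = route domain)
    netmask: str = "255.255.255.255"    # omitted netmask = exactly this host
    block: str = "policy-default"       # "policy-default" | "never" | "always"
    ignore_ip_intelligence: bool = False
    never_log: bool = False


# Constructed policy fragments (not an export from a device).
EXCEPTIONS = [
    IpException("10.0.0.0", "255.255.0.0", block="never", never_log=True),   # internal range
    IpException("192.0.2.44%2", block="always"),                              # only in route domain 2
    IpException("198.51.100.200", ignore_ip_intelligence=True),               # known partner
]
IP_INTELLIGENCE = {"203.0.113.7": "Spam Sources", "198.51.100.9": "Scanners",
                   "198.51.100.200": "Scanners"}                              # constructed feed
IPI_CATEGORIES = {"Spam Sources": {"alarm": True, "block": False},
                  "Scanners": {"alarm": True, "block": True}}
IPI_WHITELIST = ["203.0.113.128/25"]                                          # IP Address White List


def parse_address(text: str):
    """Split 'ip%rd' into (ip, route_domain); no suffix means route domain 0."""
    ip_text, _, rd_text = text.partition("%")
    return ipaddress.ip_address(ip_text), int(rd_text) if rd_text else 0


def find_exception(ip, route_domain, exceptions=EXCEPTIONS):
    """Most specific matching row in the same route domain (precedence is an assumption)."""
    best = None
    for exc in exceptions:
        exc_ip, exc_rd = parse_address(exc.address)
        if exc_rd != route_domain:
            continue                     # same address in another route domain is a different host
        net = ipaddress.ip_network((str(exc_ip), exc.netmask), strict=False)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, exc)
    return best[1] if best else None


def decide(source: str, policy_blocking=True, exceptions=EXCEPTIONS):
    """Return what the policy would do with a request from this source address."""
    ip, rd = parse_address(source)
    verdict = {"block": False, "alarm": False, "log": True, "reasons": []}
    exc = find_exception(ip, rd, exceptions)
    if exc and exc.never_log:
        verdict["log"] = False
    if exc and exc.block == "always":
        verdict["block"] = True
        verdict["reasons"].append("exception: Always Block This IP")
        return verdict
    whitelisted = any(ip in ipaddress.ip_network(net) for net in IPI_WHITELIST)
    category = IP_INTELLIGENCE.get(str(ip))
    if category and not whitelisted and not (exc and exc.ignore_ip_intelligence):
        setting = IPI_CATEGORIES[category]
        if setting["alarm"]:
            verdict["alarm"] = True
            verdict["reasons"].append(f"IP intelligence: {category}")
        # Block only in Blocking mode, and never for a "Never Block This IP" exception.
        if setting["block"] and policy_blocking and not (exc and exc.block == "never"):
            verdict["block"] = True
    return verdict


if __name__ == "__main__":
    for src in ["203.0.113.7", "198.51.100.9", "198.51.100.200", "192.0.2.44%2", "192.0.2.44", "10.0.5.9"]:
        print(src, decide(src))
```

Note the route domain case: 192.0.2.44 in route domain 2 is always blocked, while the same address in the default route domain matches no exception at all, which is easy to get wrong when the %n suffix is omitted from the list entry.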
Add or edit HTTP URL settings
You can view, add, modify, and
remove HTTP URLs that are either allowed or disallowed in an application security
policy. Allowed URLs are URLs that the security policy accepts in traffic
to the web application being protected. Disallowed URLs are URLs that the
security policy denies.
- Click.
- Click the name of the appropriate policy, then on the left expand URLs, and click HTTP. The screen displays the list of HTTP URLs. You can add, delete, or reorder the HTTP URLs that are allowed or disallowed.
- To add an allowed or disallowed HTTP URL to a policy, click Add for the allowed or disallowed list. Allowed HTTP URLs are listed at the top of the screen and disallowed HTTP URLs are listed at the bottom. The Add URL screen displays the properties, which differ between allowed URLs and disallowed URLs.
- For disallowed HTTP URLs, specify whether the protocol is HTTP or HTTPS, and type the URL name.
- For allowed HTTP URLs, specify whether the URL is explicit or a wildcard, whether the protocol is HTTP or HTTPS, and type the URL name or wildcard. Specify or modify additional properties for the allowed HTTP URL as needed.
- Save your work.
- To review or edit the properties of a URL, click the URL to open the Properties screen. Allowed URLs are listed in the Allowed URL column in the upper table of URLs. Disallowed URLs are listed in the Disallowed URL column in the bottom table of URLs.
- To change the processing order of allowed URLs with the wildcard type, click Wildcards Order. The Wildcard Order screen opens, where you can move the wildcard entries in the list to change their sequence, and save your work. The order matters: a request URL is compared with the wildcards from the top down, and the first match determines which entry's settings apply.
- To remove an HTTP URL from staging, select the check box for the HTTP URL and click Enforce Selected.
- To filter the list of HTTP URLs by their enforcement readiness, select a value from the Enforcement Readiness setting.
- To list all HTTP URLs, select All.
- To list HTTP URLs that have one or more suggestions, select Has suggestion.
- To list HTTP URLs that are not being enforced, select Not enforced.
- To list HTTP URLs that are ready to be enforced, select Ready to be enforced.
- To delete an allowed or disallowed HTTP URL from the policy, select the check box in the row for that HTTP URL and click Delete in the upper or lower portion of the screen, whichever is appropriate.
Add or edit WebSocket URL settings
You can view, add, modify, and
remove WebSocket URLs that are either allowed or disallowed in an application security
policy. Allowed URLs are URLs that the security policy accepts in traffic
to the web application being protected. Disallowed URLs are URLs that the
security policy denies.
- Click.
- Click the name of the appropriate policy, then on the left expand URLs and click WebSocket. The WebSocket URLs screen opens, where you can add or edit WebSocket URLs.
- To remove a WebSocket URL from staging, select the check box for the WebSocket URL and click Enforce Selected.
- To edit the properties of a WebSocket URL, click the URL in either the Allowed WebSocket URLs or Disallowed WebSocket URLs column. The WebSocket URL properties screen opens, and you can change the properties (as described in the details for adding a URL of that type).
- To add a WebSocket URL to a policy, determine whether it is an allowed or disallowed WebSocket URL.
- To add an allowed WebSocket URL, click Add in the upper portion of the screen. This opens the Add Allowed WebSocket URL screen, where you can supply the needed properties.
- To add a disallowed WebSocket URL, click Add in the lower portion of the screen. This opens the Add Disallowed WebSocket URL screen, where you can supply the needed properties.
- For disallowed WebSocket URLs:
- Specify whether the protocol is WS or WSS.
- Type the URL name.
- For allowed WebSocket URLs, supply the needed properties.
- In the Properties area, supply or modify the overall properties for the WebSocket URL.
- In the Message Handling area, supply or modify the message handling properties for the WebSocket URL.
- For wildcard URLs, expand the Meta Characters area to specify how meta characters are handled.
- For Check Signatures on this URL, select the Enabled check box.
- For Check characters on this URL, select the meta characters from the list and then click Allow or Disallow as needed.
- In the HTML5 Cross-Domain Request Enforcement area, supply or modify the HTML5 cross-domain request enforcement properties for the WebSocket URL.
- To filter the list of WebSocket URLs by their enforcement readiness, select an option from the Enforcement Readiness list.
- To list all WebSocket URLs, select All.
- To list WebSocket URLs that have one or more suggestions, select Has suggestion.
- To list WebSocket URLs that are not being enforced, select Not enforced.
- To list WebSocket URLs that are ready to be enforced, select Ready to be enforced.
- Save your work.
Edit URL character set settings
You can view and edit how the
security policy responds to each character contained in a URL.
- Navigate to the Character Sets URL screen: click.
- Click the name of the appropriate policy, on the left expand URLs, and click Character Sets.
- Review the list of characters, and for each, determine whether it should be allowed. You can use the View options to select which group of characters are displayed.
- To allow characters in a URL, select the check box in the Allowed column of the table row.
- For characters that should not be allowed in a URL, clear the check box in the Allowed column of the table row.
- Click Save to save your changes.
Add or edit file types settings
You can add and configure settings for
file types that are allowed (or disallowed) in traffic to the web application being protected.
These settings determine how the security policy reacts to requests referring to files with
these extensions.
- Click.
- Click the name of the policy to change, and on the left, click File Types. The screen displays a list of file types.
- To remove a file type from staging, select the check box for the file type and click Enforce Selected.
- To add a file type to the policy, click Add in either the Allowed File Types area at the top of the screen, or in the Disallowed File Types area at the bottom of the screen.
- Use the Allowed File Types area to add file types that the security policy considers legal, and to view information about each file type.
- Use the Disallowed File Types area to add file types that the security policy considers illegal, and to exclude file types that would otherwise be covered by an allowed wildcard file type.
The screen displays fields applicable to your selection.
- If you chose to add Disallowed File Types, fill in the name.
- If you chose to add Allowed File Types, fill in these settings.
- For File type, select whether the file type is a wildcard or is explicit, and type a wildcard name or an explicit name.
- For Perform Staging, select the Enabled check box to have the system perform staging.
- For URL Length, type the maximum acceptable length, in bytes, of a URL containing this file type.
- For Request Length, type the maximum acceptable length, in bytes, of a request containing this file type.
- For Query String Length, type the maximum acceptable length, in bytes, of the query string portion of a URL that contains this file type.
- For POST Data Length, type the maximum acceptable length, in bytes, of the POST data of an HTTP request that contains the file type.
- For Apply Response Signature Staging, select the check box to apply response signature staging.
- To filter the list of file types by their enforcement readiness, select an option from the Enforcement Readiness setting.
- To list all file types, select All.
- To list file types that have one or more suggestions, select Has suggestion.
- To list file types that are not being enforced, select Not enforced.
- To list file types that are ready to be enforced, select Ready to be enforced.
- When you are finished, save your work.
The file types settings are updated to
use the new settings, and any changes you made are put into effect in the working
configuration of the BIG-IQ Centralized Management system.
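The following Python script is an added example, not BIG-IP code, covering both the HTTP URL list described earlier and the file types list described just above: a disallowed URL is denied even when an allowed wildcard would match it, explicit entries take precedence over wildcards, wildcards are tried in their Wildcards Order, a disallowed file type carves an exception out of an allowed wildcard file type, and the four length limits of the matching file type are applied to the request. The policy fragments and requests are constructed; the violation names follow ASM's naming, but the matching logic is this script's own and assumes a policy that does not differentiate HTTP from HTTPS URLs.

```python
import fnmatch
from dataclasses import dataclass
from urllib.parse import urlsplit


def _is_wildcard(pattern: str) -> bool:
    return any(c in pattern for c in "*?")


@dataclass(frozen=True)
class FileType:
    """One allowed file type with its length limits (bytes)."""
    name: str                       # extension without the dot, "*" for wildcard, "no_ext" for none
    url_length: int = 2048
    request_length: int = 8192
    query_string_length: int = 256
    post_data_length: int = 4096


# Constructed policy fragments (not an export from a device).
DISALLOWED_URLS = {"/admin/debug"}
ALLOWED_URLS = ["/login", "/api/*", "*"]            # wildcards listed in their Wildcards Order
DISALLOWED_FILE_TYPES = {"bak", "old", "config"}
ALLOWED_FILE_TYPES = [
    FileType("php", post_data_length=4096),
    FileType("no_ext"),
    FileType("*", query_string_length=128),
]


def match_url(path: str):
    """Disallowed beats everything; then explicit entries; then wildcards top-down."""
    if path in DISALLOWED_URLS:
        return None
    for entry in ALLOWED_URLS:
        if not _is_wildcard(entry) and entry == path:
            return entry
    for entry in ALLOWED_URLS:
        if _is_wildcard(entry) and fnmatch.fnmatchcase(path, entry):
            return entry                                 # first wildcard match wins
    return None


def extension_of(path: str) -> str:
    last = path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[1].lower() if "." in last else "no_ext"


def match_file_type(ext: str):
    if ext in DISALLOWED_FILE_TYPES:
        return None                                      # excluded even though "*" would allow it
    for ft in ALLOWED_FILE_TYPES:
        if not _is_wildcard(ft.name) and ft.name == ext:
            return ft
    for ft in ALLOWED_FILE_TYPES:
        if _is_wildcard(ft.name) and fnmatch.fnmatchcase(ext, ft.name):
            return ft
    return None


def admit(method: str, url: str, body: bytes = b"", header_bytes: int = 0):
    """Return the violations a request would raise against the constructed policy."""
    violations = []
    parts = urlsplit(url)
    path = parts.path or "/"
    if match_url(path) is None:
        violations.append("Illegal URL")
    ft = match_file_type(extension_of(path))
    if ft is None:
        violations.append("Illegal file type")
        return violations                                # no limits to apply without a file type
    if len(url) > ft.url_length:
        violations.append("Illegal URL length")
    if len(parts.query) > ft.query_string_length:
        violations.append("Illegal query string length")
    if method.upper() == "POST" and len(body) > ft.post_data_length:
        violations.append("Illegal POST data length")
    if len(url) + header_bytes + len(body) > ft.request_length:
        violations.append("Illegal request length")
    return violations


if __name__ == "__main__":
    print(admit("GET", "/api/users?id=7"))
    print(admit("GET", "/admin/debug"))                  # "*" allows it; the disallowed entry wins
    print(admit("GET", "/backup/site.bak"))              # "*" file type allows it; "bak" is excluded
    print(admit("POST", "/upload.php", body=b"x" * 5000))
```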
Edit or add JSON content profile
settings
You use JSON content profile
properties to define what the application security policy enforces and considers legal
when it detects traffic that contains JSON data.
- Click.
- Click the name of the policy you want to modify, then on the left expand CONTENT PROFILES, and click JSON Profiles.
- Click the name of the JSON profile to modify, or click Add to create a new one.
- Review the existing name, or type a Profile Name for the new profile.
- Revise or type an optional Description for the profile.
- In the Maximum Total Length Of JSON Data field, type or revise the longest length, in bytes, allowed by the security policy for the request payload, or parameter value, in which the JSON data was found. To have no length restriction, you can leave this field blank.
- In the Maximum Value Length field, type or revise the maximum acceptable length, in bytes, of the longest JSON element value in the document allowed by the security policy. To have no length restriction, you can leave this field blank.
- For Maximum Structure Depth, type or revise the greatest nesting depth in the JSON structure allowed by the security policy. To have no depth restriction, you can leave this field blank.
- In the Maximum Array Length field, type or revise the largest number of elements allowed for arrays. To have no array length restriction, you can leave this field blank.
- For Tolerate JSON Parsing Warnings, specify whether the system tolerates warnings raised while parsing the JSON content.
- Select the Enabled check box to specify that the system does not report when the security enforcer encounters warnings while parsing JSON content.
- Clear the check box to specify that the security policy reports when the security enforcer encounters warnings while parsing JSON content.
- For Parse Parameters, specify whether to enable parameter parsing.
- To enable parsing, select the Enabled check box.
- When this setting is disabled, the system displays more main areas (such as Attack Signature Overrides, Meta Characters, and Sensitive Data Configuration) with additional properties for review and modification.
- Expand the Attack Signatures Overrides area to select any signature overrides. (This area is displayed only when Parse Parameters is disabled.)
- For the Attack Signatures Check setting, select the Enabled check box.
- For the Attack Signatures Overrides setting, select the signature from the list and then click Enabled or Disabled as needed for that signature.
- Expand the Meta Characters area to select how meta characters are handled. (This area is displayed only when Parse Parameters is disabled.)
- For the Check Characters setting, select the Enabled check box.
- For the Overrides setting, select the meta characters from the list and then click Allowed or Disallowed as needed.
- Expand the Sensitive Data Configuration area to select how sensitive data is handled. (This area is displayed only when Parse Parameters is disabled.)
- In the Sensitive Data setting, type an element name within the JSON data whose values the system should consider sensitive and mask in logs.
- Click Add to add the element name to the sensitive data list.
- Click Save to save your changes.
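The following Python script is an added example, not BIG-IP code, that applies the JSON profile limits described above to a request body: total length, value length, structure depth, array length, a parsing warning that is reported or tolerated according to the Tolerate JSON Parsing Warnings setting, and masking of the Sensitive Data element names as a log would show them. The profile values are assumptions, the duplicate-key check is this script's own choice of "parsing warning", and the violation reason strings are shorthand rather than the product's exact violation text.

```python
import json

# Constructed JSON profile mirroring the settings above; None means "no restriction".
JSON_PROFILE = {
    "max_total_length": 4096,
    "max_value_length": 64,
    "max_structure_depth": 4,
    "max_array_length": 10,
    "tolerate_parsing_warnings": False,
    "sensitive_elements": {"password", "card_number"},
}


def _pairs_hook(pairs, warnings):
    """Object hook that records duplicate keys, a classic parser-differential warning."""
    keys = [k for k, _ in pairs]
    if len(keys) != len(set(keys)):
        warnings.append("duplicate key")
    return dict(pairs)


def _exceeds(lim, actual):
    return lim is not None and actual > lim


def _walk(node, depth, profile, found):
    if _exceeds(profile["max_structure_depth"], depth):
        found.add("structure depth")
        return                                        # already over the limit; stop descending
    if isinstance(node, dict):
        for value in node.values():
            _walk(value, depth + 1, profile, found)
    elif isinstance(node, list):
        if _exceeds(profile["max_array_length"], len(node)):
            found.add("array length")
        for value in node:
            _walk(value, depth + 1, profile, found)
    elif isinstance(node, str) and _exceeds(profile["max_value_length"], len(node.encode("utf-8"))):
        found.add("value length")


def enforce_json_profile(payload: bytes, profile=JSON_PROFILE):
    """Return (sorted violation reasons, parsed document or None)."""
    found = set()
    if _exceeds(profile["max_total_length"], len(payload)):
        found.add("total length")
    warnings = []
    try:
        doc = json.loads(payload, object_pairs_hook=lambda p: _pairs_hook(p, warnings))
    except ValueError:
        return ["malformed JSON"], None
    if warnings and not profile["tolerate_parsing_warnings"]:
        found.update(f"parsing warning: {w}" for w in warnings)
    _walk(doc, 1, profile, found)                     # the top-level container is depth 1
    return sorted(found), doc


def mask_sensitive(node, names):
    """Copy of the document with every sensitive element's value replaced, as a log would show it."""
    if isinstance(node, dict):
        return {k: ("****" if k in names else mask_sensitive(v, names)) for k, v in node.items()}
    if isinstance(node, list):
        return [mask_sensitive(v, names) for v in node]
    return node


if __name__ == "__main__":
    body = b'{"user":"alice","password":"hunter2","tags":["a","b"]}'   # constructed request body
    violations, doc = enforce_json_profile(body)
    print(violations, mask_sensitive(doc, JSON_PROFILE["sensitive_elements"]))
    print(enforce_json_profile(b"[[[[[1]]]]]")[0])
```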
Edit or add XML content profile
settings
You use XML content profile
properties to define what the application security policy enforces and considers legal
when it detects traffic that contains XML data.
- Navigate to the XML Profiles screen: click.
- Click the name of the policy you want to work with, then, on the left, expand CONTENT PROFILES, and click XML Profiles.
- Click the name of the XML profile to modify, or click Add to create a new one.
- Review the existing name or type a Profile Name for the new profile.
- Review, revise, or type an optional Description for the profile.
- For the Use XML Blocking Response Page property, select the type of response page to send when the security policy blocks a client request that contains XML content that does not comply with the settings of this XML profile.
- To have the system send an XML response page, select the Enabled check box.
- To have the system send the default response page, do not select the Enabled check box.
- To configure the validation and defense settings of an XML profile, expand the XML Firewall Configuration area and modify those settings as needed.
- To configure the system to perform attack signature checks on the XML profile, expand the Attack Signatures area and modify those settings as needed.
- To change the security policy settings for specific meta characters in XML values on the XML profile, expand the Meta Characters area and modify those settings as needed.
- Expand the Sensitive Data Configuration area to have the system mask sensitive data that appears in an XML document, as shown in the BIG-IP device configuration interface and internal Application Security logs.
- Click Save to save your changes.
Edit or add plain text content profile
settings
You use plain text content profile
properties to define what the application security policy enforces and considers legal
when it detects traffic that contains plain text data.
- Navigate to the Plain Text Profiles screen: click.
- Click the name of the policy you want to modify, at the left, expand CONTENT PROFILES, and click Plain Text Profiles.
- Click the name of the plain text profile to modify, or click Add to create a new one.
- Review the existing name, or type a Profile Name for the new profile.
- Review, revise, or type an optional Description for the profile.
- In the Maximum Total Length field, type the longest length, in bytes, allowed by the security policy. You can leave this field blank to have no length restriction.
- In the Maximum Line Length field, type the longest line length, in bytes, allowed by the security policy. You can leave this field blank to have no length restriction.
- If you want the system to perform percent decoding before inspecting the content, select the Perform Percent Decoding Enabled check box.
- To configure attack signature overrides, expand Attack Signatures Overrides and supply the needed values.
- In the Attack Signatures Check setting, select the Enabled check box.
- In the Attack Signatures Overrides setting, select one or more attack signatures to override.
- For each attack signature, select whether the override is enabled or disabled.
- To change the security policy settings for specific meta characters in values on the plain text profile, expand Meta Characters and supply the needed values.
- In the Check Characters setting, select the Enabled check box.
- In the Overrides setting, select one or more meta characters to override.
- For each meta character, select whether the override is allowed or disallowed.
- Click Save to save your changes.
Edit character set JSON settings
You can configure the security
policy to allow or disallow certain characters if they appear in JSON values.
- Navigate to the JSON screen: click.
- Click the name of the policy you want to work with, and on the left expand CONTENT PROFILES and CHARACTER SETS, then click JSON.
- Review the list of characters, and for each, determine whether it should be allowed or not.
- To allow characters, select the check box in the Allowed column of the table row.
- For characters that should not be allowed, clear the check box in the Allowed column of the table row.
Use the View options to select which characters are displayed.
- Click All Characters to display all characters.
- Click Allowed to display only characters that are marked as allowed.
- Click Disallowed to display only characters that are not allowed.
- Click Save to save your changes.
Edit character set plain text
settings
You can configure the security
policy to allow or disallow certain characters if they appear in plain text
values.
- Navigate to the Plain Text screen: click.
- Click the name of the appropriate policy, and on the left expand CONTENT PROFILES and CHARACTER SETS, then click Plain Text.
- Review the list of characters, and for each, determine whether it should be allowed or not.
- To allow characters, select the check box in the Allowed column of the table row.
- For characters that should not be allowed, clear the check box in the Allowed column of the table row.
Use the View options to select which characters are displayed.
- Click All Characters to display all characters.
- Click Allowed to display only characters that are marked as allowed.
- Click Disallowed to display only characters that are not allowed.
- Click Save to save your changes.
Edit character set XML settings
You can configure the security
policy to allow or disallow certain characters if they appear in XML values.
- Navigate to the XML screen: click.
- Click the name of the appropriate policy, and on the left expand CONTENT PROFILES and CHARACTER SETS, then click XML.
- Review the list of characters, and for each, determine whether it should be allowed or not.
- To allow characters, select the check box in the Allowed column of the table row.
- For characters that should not be allowed, clear the check box in the Allowed column of the table row.
Use the View options to select which characters are displayed.
- Click All Characters to display all characters.
- Click Allowed to display only characters that are marked as allowed.
- Click Disallowed to display only characters that are not allowed.
- Click Save to save your changes.
Add or edit parameter settings
You can add or edit settings for
parameters that the security policy permits in requests, such as the parameter type and
whether the parameter is allowed to contain an empty value. The default parameter is
displayed for all policies, and can be
edited.
It is indicated by
*
(asterisk). - Click.
- Click a policy name, and on the left, click.
- You can add a new, or edit an existing, parameter.
- To add a new parameter, clickAdd.
- To edit an existing parameter, click the parameter name.
The properties screen opens for the new or existing parameter. - To remove the parameter from staging, select the check box for the parameter and clickEnforce Selected.
- For a new parameter, for the Name setting, select the type, and then type a name for the new parameter.
- Select explicit if this is a regular named parameter.
- Select wildcard if any parameter name that matches the wildcard expression is permitted by the security policy. (For example, typing the wildcard * specifies that the security policy allows every parameter.) The syntax for wildcard entities is based on shell-style wildcard characters.
- Select no name if this parameter does not have a name. The system automatically names the parameter no name and it behaves the same as an explicit parameter.
The name setting cannot be changed once the parameter is created.
- For Level, select the level of parameters to be displayed.
- Select global to display global parameters not associated with flows or URLs.
- Select URL to display parameters associated with flows or URLs, select HTTP or HTTPS as the protocol, and then select the URL.
If the security policy is configured to differentiate between HTTP and HTTPS URLs, then you can additionally filter URL parameters by the HTTP and HTTPS protocols.
- To enable or allow any of these settings, select the Enabled check box for the setting:
- Select Perform Staging to place the parameter in staging. While a parameter is in staging, violations on it are learned and logged but not enforced, so you can review them before the parameter is enforced.
- Select Allow Empty Value to allow empty values.
- Select Allow Repeated Occurrences to allow the parameter to appear more than once in a request.
- Select Sensitive Parameter to protect sensitive user input, such as a password or a credit card number, in a validated request. The contents of sensitive parameters are not visible in logs or in the user interface.
- Specify the Value type for the parameter. The value type you specify might display additional fields. You cannot change the value type after it is created.
- Select dynamic-content for parameters whose data is dynamic.
- Select ignore for parameters whose values the system does not check.
- Select json for JSON parameters fetched from the server that are not editable.
- Select static-content for parameters whose data is static. In the Parameter Static Values area displayed at the bottom of the screen, supply a value in the Add New Value setting, and click Add. Add or remove values as needed.
- Select user-input for parameters whose data is provided by user input. Use the Data type setting to provide additional information about the user input.
- Select xml for XML parameters fetched from the server that are not editable. In the XML Profile area displayed at the bottom of the page, select an XML profile.
- For the Data type setting, select the data type to use for the user input.
- Select email to specify that the data must be text in email format only. In the Data type attributes area, specify a value for the Maximum Length setting in bytes.
- Select alpha-numeric to specify that the data can be any text consisting of letters, digits, and the underscore character.
- In the Data type attributes area, specify a value for the Maximum Length setting in bytes, and select whether to enable regular expressions or Base64 encoding. When the Regular Exp setting is enabled, the parameter value must conform to the parameter pattern (regular expression) you specify. This is a positive regular expression that defines what is legal.
- In the Value Meta Character area, select the Enabled check box and then select which meta characters to allow or disallow in the value.
- In the Attack Signatures area, select the Enabled check box and then select which attack signature overrides to enable or disable.
- Select integer to specify that the data must be whole numbers only (no decimals). In the Data type attributes area, specify values for the Minimum Value, Maximum Value, and Maximum Length settings.
- Select decimal to specify that the data is numbers only and can include decimals. In the Data type attributes area, specify values for the Minimum Value, Maximum Value, and Maximum Length settings.
- Select phone to specify that the data can be text in telephone number format only. In the Data type attributes area, specify a value for the Maximum Length setting.
- Select file upload to specify that there is no text limit for the data (length checks only). In the Data type attributes area, specify a value for the Maximum Length setting, and specify whether to disallow file uploading or enable Base64 encoding.
- To filter the list of parameters by their enforcement readiness, select an option from the Enforcement Readiness setting.
- To list all parameters, select All.
- To list parameters that have one or more suggestions, select Has suggestion.
- To list parameters that are not being enforced, select Not enforced.
- To list parameters that are ready to be enforced, select Ready to be enforced.
- When you are finished, save your work.
The application security policy is updated to use the new settings.
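The following is an added example, not BIG-IQ or BIG-IP code, that models how the parameter settings described in this procedure combine at request time: explicit, wildcard (shell-style) and no-name matching, the user-input data types with their length and range attributes, static values, empty and repeated values, staging, and masking of sensitive parameters. The rule set and the query strings are constructed for illustration; the violation names follow those listed in the policy template tables later on this page.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qsl

# Added example: a minimal model of ASM-style parameter enforcement.
# Not BIG-IQ code; rules and sample requests are constructed for illustration.


@dataclass
class ParamRule:
    name: str                         # explicit name, shell-style wildcard, or "" for "no name"
    kind: str = "explicit"            # "explicit" | "wildcard" | "no name"
    value_type: str = "user-input"    # "user-input" | "static-content" | "ignore"
    data_type: str = "alpha-numeric"  # user-input only: alpha-numeric | integer | decimal | email
    max_length: Optional[int] = None  # bytes
    min_value: Optional[float] = None
    max_value: Optional[float] = None
    regex: Optional[str] = None       # positive pattern: defines what is legal
    allow_empty: bool = False
    allow_repeated: bool = False
    sensitive: bool = False           # value shown as *** in the stored request and logs
    staging: bool = False             # violations are learned, not enforced
    static_values: tuple = ()


def find_rule(rules, name):
    """Explicit and no-name rules win; otherwise the longest matching wildcard."""
    for r in rules:
        if r.kind == "explicit" and r.name == name:
            return r
        if r.kind == "no name" and name == "":
            return r
    wild = [r for r in rules if r.kind == "wildcard" and fnmatch.fnmatchcase(name, r.name)]
    return max(wild, key=lambda r: len(r.name), default=None)


def check_value(rule, value):
    """Return the violation for one value against one rule, or None."""
    if value == "":
        return None if rule.allow_empty else "Illegal empty parameter value"
    if rule.value_type == "ignore":
        return None
    if rule.value_type == "static-content":
        return None if value in rule.static_values else "Illegal static parameter value"
    if rule.max_length is not None and len(value.encode()) > rule.max_length:
        return "Illegal parameter value length"
    if rule.data_type in ("integer", "decimal"):
        pattern = r"-?\d+" if rule.data_type == "integer" else r"-?\d+(\.\d+)?"
        if not re.fullmatch(pattern, value):
            return "Illegal parameter data type"
        num = float(value)
        if (rule.min_value is not None and num < rule.min_value) or \
           (rule.max_value is not None and num > rule.max_value):
            return "Illegal parameter numeric value"
    elif rule.data_type == "email":
        if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", value):
            return "Illegal parameter data type"
    elif rule.data_type == "alpha-numeric":
        # Meta-character checks are handled by the character set tables, not here.
        if rule.regex and not re.fullmatch(rule.regex, value):
            return "Parameter value does not comply with regular expression"
    return None


def enforce(rules, query):
    """Check one query string. Returns (blocking, learned, masked_log): violations
    on enforced parameters block, violations on staged parameters are only
    learned, and the log line masks sensitive values with ***."""
    blocking, learned, log, seen = [], [], [], set()
    for name, value in parse_qsl(query, keep_blank_values=True):
        rule = find_rule(rules, name)
        if rule is None:
            blocking.append((name, "Illegal parameter"))
            log.append(f"{name}={value}")
            continue
        log.append(f"{name}={'***' if rule.sensitive else value}")
        violation = check_value(rule, value)
        if violation is None and name in seen and not rule.allow_repeated:
            violation = "Illegal repeated parameter name"
        seen.add(name)
        if violation:
            (learned if rule.staging else blocking).append((name, violation))
    return blocking, learned, "&".join(log)


# Constructed rule set: note the default "*" parameter left in staging.
RULES = [
    ParamRule("user", regex=r"[A-Za-z0-9_]{3,32}", max_length=32),
    ParamRule("password", sensitive=True, max_length=128),
    ParamRule("age", data_type="integer", min_value=0, max_value=130),
    ParamRule("sort", value_type="static-content", static_values=("asc", "desc")),
    ParamRule("utm_*", kind="wildcard", value_type="ignore", allow_empty=True),
    ParamRule("*", kind="wildcard", staging=True, max_length=64),
]

if __name__ == "__main__":
    q = "user=alice&password=hunter2&age=200&sort=up&utm_source=&debug=" + "A" * 70
    print(enforce(RULES, q))
```

Running the module shows the `age` and `sort` violations as blocking, the over-long `debug` value as learned only (its rule, the staged `*` wildcard, is still in staging), and `password=***` in the log line.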
Add or edit extraction settings
You use extraction settings to manage how the system extracts dynamic values for dynamic parameters from the responses returned by the web application server. An extraction is a subcollection that isolates a parameter from an object. Other subcollections (such as parameters) reference extractions by name (not by URL).
- Click.
- Click the name of the policy and then on the left, click.
- You can add a new or edit an existing extraction.
- To add a new extraction, click Add.
- To edit an existing extraction, click the extraction name.
The properties screen opens for the new or existing extraction.
- For a new extraction, specify the Name of the dynamic parameter for which the system extracts values from responses.
- For a named parameter, select New and type the name in the field.
- For the UNNAMED parameter, select no name.
The name setting cannot be changed once the extraction is created.
- In the Extracted Items Configuration area, specify the items from which the system should extract the values for dynamic parameters.
Extract From
- File Types. Specifies, when checked (enabled), that the system extracts the values of dynamic parameters from responses to requests for file types that exist in the security policy. To add a file type to be extracted, select a file type from the list, and click Add.
- URLs. Specifies, when checked (enabled), that the system extracts the values of dynamic parameters from responses to requests for the listed URLs. To specify the URLs from which the system extracts dynamic parameter values, select either HTTP or HTTPS from the list, type the URL in the adjacent field, and click Add. If you enter a URL that does not yet exist in the security policy, the URL is added to the security policy.
- RegEx. Specifies, when checked (enabled), that the system extracts the values of dynamic parameters from responses to requests that match the listed pattern (regular expression). Type the regular expression in the field.
Extract From All Items
Specifies, when selected (enabled), that the system extracts the values of the dynamic parameters from all URLs found in the web application. When cleared (disabled), the system extracts the values of the dynamic parameters only from the items listed above.
- In the Extracted Method Configuration area, specify the methods by which the system extracts the values for dynamic parameters.
Search in Links
Specifies, when checked (enabled), that the system searches for dynamic parameter values within links that appear in the response body.
Search Entire Form
Specifies, when checked (enabled), that the system searches for dynamic parameter values in the entire form found on a web page.
Search Within Form
Specifies, when checked (enabled), that the system searches for dynamic parameter values in a specific location within forms found on a web page that contains the dynamic parameter. You must provide all of this information:
- Form Index. Type the HTML index of the form that contains the dynamic parameter.
- Parameter Index. Type the HTML index of the input parameter within the form that contains it.
Search Within XML
Specifies, when checked (enabled), that the system searches for dynamic parameter values within the URL's XML. Type the XPath specification in the XPath field.
Search Response Body
Specifies, when checked (enabled), that the system searches for dynamic parameter values in the body of the response. Use the additional options to further refine the search. You can specify one or more of the following options, but you must specify the RegEx value if you enable this setting.
- Number of Occurrences.
- All specifies a search for all occurrences of the parameter values in the body of the response.
- Number specifies that the search is restricted to the number you type in the box.
- Prefix specifies that the system extracts values only if they are preceded by the HTML segment you type in the box.
- Match Regular Expression Value specifies that the extracted value must match the parameter pattern (regular expression) you type in the box. The default is .+?.
- Suffix specifies that the system extracts values only if they are followed by the HTML segment that you type in the box.
- When you are finished, save your work.
The application security policy is updated to use the new settings.
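The following is an added example, not BIG-IQ or BIG-IP code, that shows two of the extraction methods above applied to a constructed HTML response: Search Response Body with the Prefix, Match Regular Expression Value, Suffix and Number of Occurrences settings, and Search in Links, which reads the parameter out of the query string of `<a href>` links. The response, the parameter name `csrf_token` and the token values are constructed; the final function shows why extraction matters, since a dynamic parameter whose value was never extracted raises the Illegal dynamic parameter value violation.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Added example: extraction of dynamic parameter values from a response.
# Not BIG-IQ code; the response and token values are constructed.


def extract_from_body(body, prefix, suffix, pattern=".+?", occurrences="all"):
    """Search Response Body: values that sit between prefix and suffix and match
    pattern (default .+?). occurrences is "all" or the number of values to keep."""
    rx = re.compile(re.escape(prefix) + "(" + pattern + ")" + re.escape(suffix), re.S)
    values = [m.group(1) for m in rx.finditer(body)]
    if occurrences != "all":
        values = values[:int(occurrences)]
    return values


class _LinkCollector(HTMLParser):
    """Collects href attributes of <a> tags in the response body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for key, val in attrs:
                if key == "href" and val:
                    self.hrefs.append(val)


def extract_from_links(body, param_name):
    """Search in Links: values of param_name in the query string of each link."""
    collector = _LinkCollector()
    collector.feed(body)
    values = []
    for href in collector.hrefs:
        values.extend(parse_qs(urlparse(href).query).get(param_name, []))
    return values


def check_dynamic(value, extracted):
    """A dynamic parameter value is legal only if it was previously extracted."""
    return None if value in extracted else "Illegal dynamic parameter value"


# Constructed response: one hidden field inside a form, two links, one stray field.
RESPONSE = """<html><body>
<form action="/transfer" method="post">
  <input type="hidden" name="csrf_token" value="t0k3n-A1">
  <input type="text" name="amount">
</form>
<a href="/account?view=1&csrf_token=t0k3n-A1">Account</a>
<a href="/history?csrf_token=t0k3n-B2&page=2">History</a>
<input type="hidden" name="csrf_token" value="t0k3n-C3">
</body></html>"""

if __name__ == "__main__":
    print(extract_from_body(RESPONSE, 'name="csrf_token" value="', '"'))
    print(extract_from_links(RESPONSE, "csrf_token"))
```

The prefix and suffix are matched literally (they are HTML segments, not patterns), while the middle part is the regular expression from Match Regular Expression Value; restricting that pattern to the token's real shape keeps the extraction from picking up other hidden fields that share the same prefix.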
Edit character set parameter name settings
You use character set parameter name settings in the security policy to allow or disallow certain characters in parameter names.
- Go to the Policies screen: Click.
- Continue to the parameter name screen: Click the name of the policy and then, on the left, click.
- Review the list of characters, and for each, determine whether it should be allowed or not.
- Select the Allowed check box for characters that should be allowed.
- Clear the Allowed check box for characters that should not be allowed.
Use the View options to select which characters are displayed.
- Click All Characters to display all characters.
- Click Allowed to display only characters that are marked as allowed.
- Click Disallowed to display only characters that are not allowed.
- Click Save to save your changes.
The system updates the security policy to use the new character set parameter name settings.
Edit character set parameter value settings
You use character set parameter value settings in the security policy to allow or disallow certain characters in parameter values. A request containing a disallowed character in a parameter value triggers the Illegal meta character in value violation.
- Click.
- Click the name of the policy and then, on the left, click.
- Review the list of characters, and for each, determine whether it should be allowed or not.
- Select the Allowed check box for characters that should be allowed.
- Clear the Allowed check box for characters that should not be allowed.
Use the View options to select which characters are displayed.
- Click All Characters to display all characters.
- Click Allowed to display only characters that are marked as allowed.
- Click Disallowed to display only characters that are not allowed.
- Click Save to save your changes.
The system updates the security policy to use the new character set parameter value settings.
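The following is an added example, not BIG-IQ or BIG-IP code, that models the character set tables in the XML, parameter name and parameter value procedures above as allow-lists of single characters. The two allow-lists are constructed for illustration and are not BIG-IQ defaults; the point worth seeing is that the check runs on the decoded parameter, so percent-encoding a quote does not get it past the value table, and that names and values are judged against separate tables.

```python
import string
from urllib.parse import parse_qsl

# Added example: character set enforcement for parameter names and values.
# Not BIG-IQ code; the allow-lists below are constructed, not the product defaults.

NAME_CHARSET = set(string.ascii_letters + string.digits + "_-.[]")
VALUE_CHARSET = set(string.printable) - set("<>'\"\\;|`")


def disallowed(text, charset):
    """Distinct characters in text that the allow-list does not permit."""
    return sorted(set(text) - charset)


def view(charset, mode="all", universe=string.printable):
    """The All Characters / Allowed / Disallowed views of one table (ASCII only here)."""
    if mode == "allowed":
        return sorted(c for c in universe if c in charset)
    if mode == "disallowed":
        return sorted(c for c in universe if c not in charset)
    return sorted(universe)


def check_meta_characters(query, name_charset=NAME_CHARSET, value_charset=VALUE_CHARSET):
    """Return (violation, parameter, offending characters) for each decoded pair."""
    violations = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        bad = disallowed(name, name_charset)
        if bad:
            violations.append(("Illegal meta character in parameter name", name, bad))
        bad = disallowed(value, value_charset)
        if bad:
            violations.append(("Illegal meta character in value", name, bad))
    return violations


if __name__ == "__main__":
    print(check_meta_characters("q=%27%20OR%201%3D1"))      # decoded before the check
    print(len(view(VALUE_CHARSET, "disallowed")), "disallowed value characters")
```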
Add sensitive parameters settings
You can add and delete sensitive parameters used by your security policy. Some requests include sensitive data, such as account numbers, in parameters. If you create sensitive parameters, the data in those parameters is replaced with asterisks (***) in the stored request and in logs.
- Click.
- Click the name of the appropriate policy, and on the left click.
- Click Add to add a sensitive parameter. The Sensitive Parameter properties screen opens.
- In the Name setting, type the name of the sensitive parameter.
- Save your work.
Configure attack signatures
Attack signatures are rules or patterns that identify attacks or classes of attacks on a web application and its components. You can configure aspects of attack signatures to specify whether the signatures should be put into staging before being enforced, and whether or not to apply signatures to responses.
- Go to the Policies screen: Click.
- Continue to the Attack Signatures Configuration screen: Click the name of a policy, and on the left click Attack Signatures Configuration.
- Revise the settings as needed.
- To enable staging of signatures, select the Signature Staging Enabled check box.
- To place updated signatures in staging, select the Place updated signatures in staging Enabled check box. New signatures are always placed in staging, regardless of this setting.
- For Attack Signature Set Assignment, select one or more signature sets from the list to be assigned to the policy, and then select the appropriate options for that signature set.
- Select or clear the Learn, Alarm, and Block options for each signature set.
- Select Learn to have the security policy learn all requests that match enabled signatures in the signature set.
- Select Alarm to have the security policy log the request data if a request matches a signature in the signature set.
- Select Block to have the security policy block all requests that match a signature included in the signature set. A signature that is still in staging, or a policy whose enforcement mode is Transparent, does not block; matching requests are only learned and logged.
- From the Actions list, select, if needed, whether to enable or enforce signatures in the signature set.
- For Apply Response Signatures, select a file type, if needed. The default wildcard character indicates all file types.
- When you are finished, save your work.
The system updates the application security policy attack signatures settings.
View and modify attack signatures
You can view the list of attack signatures that belong to signature sets assigned to the policy, and specify whether they are enabled or in staging.
- Click.
- Click the name of a policy, and on the left click Attack Signatures.
- To restrict the number of signatures displayed, use the filter field at the upper right of the screen. You can select both basic and advanced filter options by clicking the arrow to the left of the field.
- To specify whether or not the attack signature is enabled, select the check box in the Enabled column of the table for that row.
- To have an attack signature placed in staging, select the check box in the In Staging column of the table for that row.
- When you are finished, save your work.
The system updates any modified attack signature settings.
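The following is an added example, not BIG-IQ or BIG-IP code, that models how the settings from the two attack signature procedures above combine into a per-request decision: the Learn, Alarm and Block options of a signature set, the Enabled and In Staging flags of each signature, the policy enforcement mode, and the Place updated signatures in staging behaviour on a signature update. The signature IDs and patterns are toy values constructed for illustration and are not F5 signatures.

```python
import re
from dataclasses import dataclass

# Added example: attack signature evaluation with staging. Not BIG-IQ code;
# IDs and patterns are constructed toys, not F5 signature content.


@dataclass
class Signature:
    sig_id: int
    pattern: str              # toy regular expression
    enabled: bool = True      # the Enabled column
    in_staging: bool = False  # the In Staging column


@dataclass
class SignatureSet:
    name: str
    signatures: list
    learn: bool = True
    alarm: bool = True
    block: bool = True


def evaluate(request, sets, enforcement_mode="blocking"):
    """Return {"learn": [ids], "alarm": [ids], "block": bool} for one request."""
    result = {"learn": [], "alarm": [], "block": False}
    for s in sets:
        for sig in s.signatures:
            if not sig.enabled or not re.search(sig.pattern, request, re.I):
                continue
            if s.learn:
                result["learn"].append(sig.sig_id)
            if s.alarm:
                result["alarm"].append(sig.sig_id)
            # A staged signature never blocks, and nothing blocks in transparent mode.
            if s.block and not sig.in_staging and enforcement_mode == "blocking":
                result["block"] = True
    return result


def place_updated_in_staging(existing, update, place_updated=True):
    """Apply a signature update. New signatures are always staged; a signature
    whose pattern changed is staged only when 'Place updated signatures in
    staging' is enabled, otherwise it keeps its previous staging state."""
    by_id = {s.sig_id: s for s in existing}
    merged = []
    for sig in update:
        old = by_id.get(sig.sig_id)
        if old is None:
            sig.in_staging = True
        elif old.pattern != sig.pattern:
            sig.in_staging = place_updated or old.in_staging
        else:
            sig.in_staging = old.in_staging
        merged.append(sig)
    return merged


# Constructed set: one enforced, one still staged, one disabled signature.
GENERIC = SignatureSet("Generic Detection Signatures", [
    Signature(1001, r"\bunion\b.+\bselect\b"),          # enforced
    Signature(1002, r"<script\b", in_staging=True),     # learned/alarmed, never blocks
    Signature(1003, r"\.\./", enabled=False),           # ignored entirely
])

if __name__ == "__main__":
    print(evaluate("GET /s?q=1 UNION SELECT password FROM users", [GENERIC]))
    print(evaluate("GET /s?q=<script>1</script>", [GENERIC]))
```

The practical check this encodes: a Block option on the set is necessary but not sufficient; each signature must also be out of staging and the policy must be in Blocking mode before a matching request is rejected.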
Edit geolocation enforcement settings
You use geolocation enforcement to select which geolocations the policy does not allow. The geolocation is derived from the client IP address the BIG-IP device sees; when the application sits behind a proxy or CDN, the policy's Trust XFF Header setting determines whether the original client address is used instead.
- Navigate to the Geolocation Enforcement screen: click.
- Click the name of the appropriate policy, and on the left, click Geolocation Enforcement.
- Select a geolocation that is not allowed by the policy from the Disallowed Geolocations list. Once you have selected the geolocation, it is listed below the drop-down list.
- You remove a selected geolocation from the list by clicking the X to the left of the geolocation name.
- Click Save to save your changes.
The system updates the list of geolocations that the policy does not allow.
Add or edit login page settings
You can view and manage login page settings for the security policy to better protect the login page URLs used by your web applications.
- Click.
- Click the name of the policy to manage, and on the left click.
- You can add new, or edit existing, login page settings.
- Click Add to add a login page and settings.
- Click the name of the login page to edit the settings.
The Login Page Properties screen opens.
- In the Login URL setting, select the appropriate options for the URL.
- Specify whether the URL uses wildcards or is explicitly named. Select Wildcard or Explicit.
- Specify the URL protocol. Select HTTP or HTTPS.
- Select the URL to use, or select Custom URL and specify the URL.
- In the Authentication Type setting, select the type of authentication to use.
- In the Access Validation area, specify how the login page should be validated by typing one or more setting values. You define validation criteria on the response of the login URL. You must configure at least one of the validation criteria. If you configure more than one validation criterion, then all the criteria must be fulfilled in order to access the authenticated URL.
- Save your work.
Add or edit logout page settings
You can view and manage logout page settings for the security policy to better protect the logout page URLs used by your web applications.
- Click.
- Click the name of the appropriate policy, and on the left click.
- Specify whether you are adding or editing logout page settings.
- Click Add to add a logout page and settings.
- Click the name of the logout page to edit the settings.
The Logout Page Properties screen opens.
- In the Logout URL (explicit only) setting, select the appropriate options for the URL.
- Specify the URL protocol. Select HTTP or HTTPS.
- Select the URL to use, or select Custom URL and specify the URL.
- In the A string that should appear in the response setting, type a string that must appear in the request (either in the query string or in its payload) for the request to be treated as a logout request.
- In the A string that should NOT appear in the response setting, type a string that must not appear in the request (either in the query string or in its payload) for the request to be treated as a logout request.
- Save your work.
Add or edit login enforcement settings
You can add and modify login enforcement properties. Login enforcement specifies how long a login session remains valid and which URLs of the web application can be reached only after the user has passed through a login URL.
- Click.
- Click the name of the appropriate policy, and on the left click.
- For the Expiration Time setting, specify whether you want the login session to expire.
- If you do not want the login session to expire, click Disabled.
- If you want the login session to be valid for a limited time, click the button to the left of the Seconds field, and type a value, in seconds (1-99999), that indicates how long the session lasts. The login session ends after that number of seconds has passed.
- For the Authenticated URLs setting, specify the target URLs that users can access only after a successful login through the login URL.
- In the provided field, type the target URL name in the format /private.php. Wildcards are allowed.
- Click Add to add the URL to the list of authenticated URLs.
- Repeat to add as many authenticated URLs as needed. You can remove a URL from the list of authenticated URLs by clicking X.
- Save your work.
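The following is an added example, not BIG-IQ or BIG-IP code, that models how the login page, logout page and login enforcement settings from the three procedures above act on one client session: access validation criteria that must all hold on the login response, logout detection by a string that must and a string that must not appear in the request, authenticated URLs with wildcards, and the session expiration in seconds. The URLs, criteria and strings are constructed for illustration; the two violation names are the ones ASM reports for an authenticated URL reached without, or after, a valid login.

```python
import fnmatch

# Added example: login enforcement for one client session. Not BIG-IQ code;
# URLs, validation criteria and marker strings are constructed.

LOGIN_URL = "/login"
LOGOUT_URL = "/logout"
AUTHENTICATED_URLS = ["/account/*", "/private.php"]   # wildcards allowed
EXPIRATION_SECONDS = 600                               # 1-99999, or None for Disabled

# Access Validation criteria on the login response; every configured one must hold.
ACCESS_VALIDATION = {
    "status_codes": {302},
    "header_contains": "Set-Cookie: session=",
    "body_not_contains": "Invalid username or password",
}
LOGOUT_MUST_CONTAIN = "action=logout"
LOGOUT_MUST_NOT_CONTAIN = "action=keepalive"


def login_succeeded(status, headers, body):
    """All configured validation criteria must be fulfilled."""
    crit = ACCESS_VALIDATION
    if "status_codes" in crit and status not in crit["status_codes"]:
        return False
    if "header_contains" in crit and crit["header_contains"] not in headers:
        return False
    if "body_not_contains" in crit and crit["body_not_contains"] in body:
        return False
    return True


def is_logout(path, query_and_payload):
    """Logout page match: explicit URL plus the must/must-not strings."""
    return (path == LOGOUT_URL
            and LOGOUT_MUST_CONTAIN in query_and_payload
            and LOGOUT_MUST_NOT_CONTAIN not in query_and_payload)


def requires_login(path):
    return any(fnmatch.fnmatchcase(path, pat) for pat in AUTHENTICATED_URLS)


class Session:
    def __init__(self):
        self.login_at = None            # time of the last validated login

    def record_login(self, now):
        self.login_at = now

    def record_logout(self):
        self.login_at = None

    def authenticated(self, now):
        if self.login_at is None:
            return False
        if EXPIRATION_SECONDS is None:  # Expiration Time: Disabled
            return True
        return now - self.login_at < EXPIRATION_SECONDS


def check_request(session, path, now, query_and_payload=""):
    """Return the violation name or None; a logout request ends the session."""
    if is_logout(path, query_and_payload):
        session.record_logout()
        return None
    if requires_login(path) and not session.authenticated(now):
        return "Login URL bypassed" if session.login_at is None else "Login URL expired"
    return None


if __name__ == "__main__":
    s = Session()
    print(check_request(s, "/account/summary", 1000))          # bypass attempt
    if login_succeeded(302, "Set-Cookie: session=abc; HttpOnly", ""):
        s.record_login(1000)
    print(check_request(s, "/account/summary", 1100))          # None
    print(check_request(s, "/private.php", 1600))              # expired
```

Two details are worth checking against your own login flow: a login response that fails any one criterion does not start a session, and a request to the logout URL that carries the must-not string is treated as an ordinary request, so the session stays valid.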
Edit session tracking settings
You can enable session hijacking detection and session tracking to track, enforce, and report on user sessions and IP addresses.
- Click.
- Click the name of the policy to work on, and on the left click.
- To enable session hijack detection, for the Detect Session Hijacking by Device ID Tracking setting, select the Enabled check box. Review the notes displayed.
- To configure session tracking, supply values for the following settings.
- Select the Session Awareness Enabled check box.
- For the Application Username setting, select the form of the username.
- To use no application username, select None.
- To use APM usernames and session IDs, select Use APM Usernames and Session ID.
- To use individual login pages, select Use Individual Login Pages and then select the login page in the area provided.
- To use all login pages, select Use All Login Pages.
- To configure violation detection actions, specify additional settings.
- For Track Violations and Perform Actions, select the Enabled check box.
- For Violation Detection Period, type the number of seconds for the detection period.
- In the Block All area, specify how the system behaves when the Block All action is triggered.
- In the Log All Requests area, specify how the system behaves when the Log All Requests action is triggered.
- In the Delay Blocking area, specify how the system behaves when the Delay Blocking action is triggered.
- Save your work.
Applying Web Application Security policy templates
Use a template to populate the attributes of a new Web Application Security policy. Policy templates reduce the time required to configure a policy for your applications.
Each new security policy, by default, uses the Rapid Deployment Policy template. You can replace the default with a user-defined or system-supplied template, and then modify the policy's subcollections as needed. Unlike a parent policy, a template is applied only once: modifying a policy after it has been created from a template does not affect the template's settings.
Whether you are creating a security policy or applying one to an object, keep in mind the BIG-IP device version to which you intend to deploy the policy. Some protection features are not available, or have changed, from version to version.
System-defined templates (Generic and Application Ready policy templates) are aligned to support devices running version 13.1 or later. This provides optimal deployment over multiple versions, but can omit certain fields that were added in newer device versions. It is recommended to monitor your security policy's performance to ensure that your existing policy meets your application's needs. For more information about monitoring Web Application Security, see Modify and Manage Layer 7 Security Objects.
- Generic Templates
- Generic templates address most aspects of the application security policy suite, while remaining broad enough to protect any application, regardless of its platform. Each template varies based on the level of enforcement and traffic learning settings. For more information about each generic template, its settings, and version limitations, see Generic Web Application Security policy templates.
- Application Ready Templates
- Application ready security policies are baseline templates designed to secure specific enterprise application platforms. Like generic templates, application ready templates provide a fixed policy whose settings you can adjust manually, or to which you can add security features. These templates are configured for the following platforms:
- Drupal v8
- Microsoft Outlook Web Access Exchange® 2016
- SharePoint 2016
- WordPress v4.9
- Custom Policy Templates
- Custom templates are created from existing Web Application Security policies. For more information, see Manage and create policy templates. Templates are already aligned to support BIG-IP versions 13.1 or later, which allows for optimal deployment over different device versions. If you
Manage and create policy templates
Create, delete, or export Web Application Security policy templates. You can create a custom template by using an existing Web Application Security policy. This reduces the configuration time required for a new protection policy.
The following is the recommended procedure for managing your policy templates. You can also create a template directly from the policies list by selecting a policy, clicking More and then Save as Policy Template.
- Navigate to the Policy Templates screen. A list of all policy templates is displayed. Custom templates are marked as Yes in the User Defined column.
- To add a new template, click Add.
- (Required) On the New Policy Template screen, enter a name to identify your new policy template.
- (Optional) Add a policy description to better identify the template's settings.
- From the Template source field, select Policy to create a template from a policy that is already configured on the system, or select File to import a policy from your local files.
- Click Save & Close. The new template can now be applied to a new Web Application Security policy. Any changes made to the original policy after template creation will not affect the template's settings.
- To export any template as an XML file, select a template and click Export.
- To delete a custom template, select a user-defined template, and click Delete. This deletes the template, but does not delete the original policy or any policies created using the template.
Policy template management is immediately reflected in the list on the Policy Templates screen.
Generic Web Application Security policy templates
The following defines and details the generic policy templates you can apply when creating a new Web Application Security parent or child policy ( ). These templates automatically populate required fields, based on the most common application protection needs. You can use these templates to pilot your security measures and fine-tune them as needed.
Template Overview
- Rapid Deployment Policy (RDP)
- A moderate protection layer that includes manual learning of false positives. This protection template meets the majority of Web Application Security requirements.
- Operational Cost: Low
- BIG-IP Version Support*: All versions supported by BIG-IQ centralized management
- API Security
- A moderate protection layer that follows the same protection as RDP, with additional support for API security features such as REST API (JSON, XML) and WebSocket security.
- Operational Cost: Low
- BIG-IP Version Support*: Version 13.1.0.2 or later
- Fundamental
- A high-to-moderate protection layer that includes automatic learning of false positives and of specific entity types. This template uses the blocking enforcement mode.
- Operational Cost: Medium
- Comprehensive
- A high protection layer with automatic learning for all entity types. This template uses the blocking enforcement mode.
- Operational Cost: High
- BIG-IP Version Support*: All versions supported by BIG-IQ Centralized Management
- Passive Deployment Policy (PDP)
- A low protection layer with a high level of automatic learning (similar to Comprehensive). It is fully transparent and does not interfere with traffic. This template is designed to learn about as many potential threats as possible without the risk of affecting traffic with false positives.
- Operational Cost: High
- BIG-IP Version Support*: Version 13.1 or later
- Vulnerability Assessment Baseline
- Provides the lowest protection, and is used to create a security baseline by identifying, classifying and reporting security holes or weaknesses in your web site's code.
- Operational Cost: Medium
- BIG-IP Version Support*: All versions supported by BIG-IQ centralized management
*General template support does not include all settings. Variations are indicated with the setting and template type.
Setting | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
---|---|---|---|---|---|---|
Enforcement Mode | Transparent | Transparent | Blocking | Blocking | Transparent | Transparent |
Learning Mode | Manual | Manual | Automatic | Automatic | Automatic | Manual |
Application Language | UTF-8 | UTF-8 | Auto-detect | Auto-detect | Auto-detect | UTF-8 |
Attack Signature Set Assignment | Generic Detection Signatures, Learn/Alarm/Block enabled | Generic Detection Signatures, Learn/Alarm/Block enabled | Generic Detection Signatures, Learn/Alarm/Block enabled | Generic Detection Signatures, Learn/Alarm/Block enabled | Generic Detection Signatures, Learn/Alarm/Block enabled | |
Signature Staging | Enabled | Enabled | Enabled | Enabled | Enabled | Disabled |
Setting | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
---|---|---|---|---|---|---|
Learn Host Names | False | False | True | True | True | False |
Learn Explicit URLs | Never | Never | Never | Compact | Compact | Never |
Learn Explicit WebSocket URLs | Never | Never | Never | Always | Always | Never |
Learn Explicit Parameters | Never | Never | Selective | Compact | Compact | Never |
Learn Explicit Cookies | Never | Never | Never | Selective | Selective | Never |
Learn Explicit Redirection Domains | Never | Never | Always | Always | Always | Never |
Full Policy Template Settings
The following provides a list of all fields populated by each policy template, per configuration section. Sections and fields that are not affected are not included in this document. A value marked "(all templates)" applies to all six templates.
Setting | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
---|---|---|---|---|---|---|
Enforcement Mode | Transparent | Transparent | Blocking | Blocking | Transparent | Transparent |
Learning Mode | Manual | Manual | Automatic | Automatic | Automatic | Manual |
Enforcement Readiness Period | 7 Days (all templates) | | | | | |
Mask Credit Card Numbers in Request Log | Enabled (all templates) | | | | | |
Allowed Response Status Codes | 400, 401, 403, 404, 407, 417, 503 (all templates) | | | | | |
Dynamic Session ID in URL | Disabled (all templates) | | | | | |
Trigger ASM iRule Events | Disabled (all templates) | | | | | |
Trust XFF Header | No (all templates) | | | | | |
Handle Path Parameters | As Parameter (all templates) | | | | | |
POLICY BUILDING (Settings)
Setting | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
---|---|---|---|---|---|---|
Enforcement Mode | Transparent | Transparent | Blocking | Blocking | Transparent | Transparent |
Learning Speed | Medium (all templates) | | | | | |
RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline | |
---|---|---|---|---|---|---|
Policy General Features | ||||||
Request length exceeds defined buffer size | Learn only *For devices running
v13.1 violation is set to Learn only. | Learn only | Learn only | Learn only | Learn only | All Disabled |
Failed to convert character | All Enabled* *For devices running
v13.1 violation is set to Learn only. | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled |
Illegal session ID in URL | All Disabled | All Disabled | All Disabled | All Enabled | Disabled | All Disabled |
Illegal HTTP status in response | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled |
Illegal Base64 value | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled |
HTTP Protocol Compliance
Failed | ||||||
Body in GET or HEAD requests | All Disabled | All Disabled | All Disabled | Learn* Violation setting for
version 13.0 or later | Learn | All Disabled |
POST request with Content-Length: 0 | All Disabled | All Disabled | All Disabled | Learn * Violation setting for
version 13.0 or later | Learn | All Disabled |
Check maximum number of parameters | Learn: 500 | |||||
CRLF characters before request start | Learn | Learn | Learn o | Learn | Learn | All Disabled |
Chunked request with Content-Length header | Disabled | |||||
Unparsable request content | Block | |||||
Several Content-Length headers | Learn | Learn | Learn | Learn | Learn | All Disabled |
High ASCII characters in headers | All Disabled | All Disabled | All Disabled | Learn* Violation setting for
version 13.0 or later | Learn | All Disabled |
Check maximum number of header | Learn: 20 | Learn: 20 | Learn: 20 | Learn: 20 | Learn: 20 | All Disabled |
Multiple host headers | Learn | Learn | Learn | Learn | Learn | All Disabled |
Bad multipart parameters parsing | Learn | Learn | Learn | Learn | Learn | All Disabled |
Bad host header value | Learn | Learn | Learn | Learn | Learn | All Enabled |
Header name with no header value | Learn | Learn | Learn | Learn | Learn | All Disabled |
Content length should be a positive number | Learn | Learn | Learn | Learn | Learn | All Disabled |
Null in request | Block | |||||
Bad HTTP version | Block | |||||
No Host header in HTTP/1.1 request | Learn | Learn | Learn | Learn | Learn | All Disabled |
Host header contains IP address | All Disabled | All Disabled | All Disabled | Learn* Violation setting for
version 13.0 or later | Learn | All Disabled |
Bad multipart/form-data request parsing | All Disabled | All Disabled | All Disabled | Learn | Learn | All Disabled |
Evasion Techniques
Sub-Violations | ||||||
Multiple decoding | Learn: 3* For version 12.1 or earlier, setting included 2 decoding passes | All Enabled: 3 | ||||
IIS backslashes | Learn | All Enabled | ||||
Bad unescape | Learn | All Enabled | ||||
Directory traversals | Learn | All Enabled | ||||
Bare byte decoding | Learn | All Enabled | ||||
Apache whitespace | Learn | All Enabled | ||||
%u decoding | Learn | All Enabled | ||||
URLs | ||||||
Illegal number of mandatory parameters | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
Illegal flow to URL | All Disabled | All Disabled | All Disabled | All Enabled | All Disabled | All Disabled |
Illegal cross-origin request | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled |
Binary content found in text only WebSocket | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
Illegal entry point | All Disabled | All Disabled | All Disabled | All Enabled | All Disabled | All Disabled |
Illegal meta character in URL | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
Illegal query string or POST data | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
Illegal URL | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled |
Illegal WebSocket binary message length | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled |
Illegal WebSocket extension | All Disabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled |
Illegal number of frames per message | All Disabled | All Disabled | All Enabled | All Enabled | All Enabled | All Disabled |
Text content found in binary only WebSocket | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled |
Illegal request content type | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled |
Illegal WebSocket frame length | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled |
Parameters | ||||||
Illegal parameter numeric value | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
Illegal dynamic parameter value | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
Illegal empty parameter value | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
Illegal parameter data type | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
Null in multi-part parameter value | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
Illegal meta character in parameter name | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
Illegal meta character in value | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
Illegal parameter value length | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
Illegal repeated parameter name | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
Illegal static parameter value | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
Disallowed file upload content detected | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled |
Parameter value does not comply with regular expression | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
Illegal parameter | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
Sessions and Logins | ||||||
Access from disallowed User/Session/IP | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled |
ASM Cookie Hijacking | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled | All Disabled |
Brute Force: Maximum login attempts are exceeded | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled |
Login URL bypassed | All Disabled | All Disabled | All Disabled | All Enabled | All Disabled | All Disabled |
Login URL expired | All Disabled | All Disabled | All Disabled | All Enabled | All Disabled | All Disabled |
Cookies | ||||||
Modified ASM cookie | All Enabled | All Enabled | All Enabled (*violation setting for version 13.0 or later) | All Enabled | All Disabled | All Disabled |
Illegal cookie length | All Disabled | All Disabled | Learn Only (*violation setting for version 13.0 or later) | Learn Only | Learn Only | All Disabled |
Expired timestamp | All Disabled | |||||
Cookie not RFC-compliant | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled |
Modified domain cookie(s) | All Disabled | All Disabled | All Disabled | All Enabled | All Disabled | All Disabled |
Content Profiles | ||||||
Malformed XML data | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled |
XML data does not comply with schema or WSDL document | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled |
SOAP method not allowed | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled |
JSON data does not comply with format settings | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled |
GWT data does not comply with format settings | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled |
Plain text data does not comply with format settings | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled |
XML data does not comply with format settings | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled |
Malformed GWT data | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled |
Illegal attachment in SOAP message | All Disabled | All Enabled | All Disabled | All Enabled | All Enabled | All Disabled |
Malformed JSON data | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled |
Web Services Security failure | ||||||
Web Services Security failure (all subviolations) | All Enabled | Learn Only | ||||
CSRF Protection | ||||||
CSRF authentication expired | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled | All Disabled |
CSRF attack detected | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled | All Enabled |
IP Addresses / Geolocations | ||||||
IP is blacklisted | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled |
Access from malicious IP address | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled |
Access from disallowed User/Session/IP | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled |
Headers | ||||||
Illegal header length | All Disabled | All Disabled | Learn Only (*violation setting for version 13.0 or later) | Learn Only | Learn Only | All Disabled |
Illegal method | All Enabled | All Enabled | Learn Only (*violation setting for version 13.0 or later) | Learn Only (*violation setting for version 13.0 or later) | Learn Only | All Enabled (no enforcement) |
Illegal meta character in header | All Disabled | All Disabled | All Disabled | All Enabled | All Enabled | All Disabled |
Mandatory HTTP header is missing | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled |
Redirection Protection | ||||||
Illegal redirection attempt | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled |
Threat Campaigns | ||||||
Threat Campaign detected (*violation setting supported by version 14.0 or later) | All Enabled | All Enabled | All Enabled | All Enabled | All Enabled | All Disabled |
Bot Detection | ||||||
Web scraping detection | All Enabled | |||||
Data Guard | ||||||
Data Guard: Information leakage detected | All Enabled | All Disabled | All Enabled | All Enabled | All Enabled | All Enabled |
WebSocket protocol compliance | ||||||
Null character found in WebSocket text message | All Enabled | |||||
Failure in WebSocket framing protocol | Learn Only (*violation setting for version 13.1 or later) | All Enabled | Learn Only | Learn Only | Learn Only | All Disabled |
Mask not found in client frame | Learn Only (*violation setting for version 13.1 or later) | All Enabled | Learn Only | Learn Only | Learn Only | All Disabled |
Bad WebSocket handshake request | Learn Only (*violation setting for version 13.1 or later) | All Enabled | Learn Only | Learn Only | Learn Only | All Disabled |
Antivirus Detection | ||||||
Virus Detected | All Disabled | All Disabled | All Disabled | All Enabled | All Disabled | All Disabled |
Policy Building Process | Value | |
---|---|---|
Trust IP Addresses | Address List | |
Loosen Policy | Untrusted Traffic Sources: 20; Min Period: 60 minutes; Max Period: 7 days | Trusted Traffic Sources: 1; Min Period: 0 (not applicable); Max Period: 7 days |
Tighten Policy (stabilize) | Total Requests: 15,000; Days: 1; Maximum modification suggestion score: 50% | |
Minimize false positives (Track Site Changes) | Status: Enabled; From Trusted and Untrusted Traffic: Enabled; Untrusted Traffic Sources: 10; Min Period: 20 minutes; Max Period: 7 days | Trusted Traffic Sources: 1; Min Period: 0 (not applicable); Max Period: 7 days |
Options | Learn from responses: Disabled (Comprehensive template type is enabled); Full Policy Inspection: Enabled | |
DATA GUARD
Property | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
---|---|---|---|---|---|---|
Data Guard | Disabled | |||||
Protect credit card numbers | Enabled | Disabled | ||||
Protect U.S. Social Security numbers | Enabled | Disabled | ||||
Mask sensitive data | Enabled | Enabled | Disabled | Disabled | ||
Custom Patterns | Disabled | |||||
Exception Patterns | Disabled | |||||
File Content Detection | Disabled | |||||
CSRF PROTECTION
Property | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
---|---|---|---|---|---|---|
CSRF Protection | Disabled | Disabled | Disabled | Disabled | Disabled | Enabled |
SSL Only | Disabled | |||||
Expiration Time | Disabled | |||||
[Default entry] CSRF URL | URL * | URL * | URL * | URL * | Empty | Empty |
ANOMALY DETECTION
Property | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
---|---|---|---|---|---|---|
Properties | ||||||
Login Page | Default | |||||
Brute Force Protection | Disabled (*the default profile protects all login pages that are not specifically protected by an enabled configuration) | Enabled | ||||
Configuration Support | Current (supports versions 13.1 or later) | |||||
IP Address Whitelist | Empty | |||||
Source-based Brute Force Protection | ||||||
Detection Period | 60 minutes | |||||
Maximum Prevention Duration | 60 minutes | |||||
Username | Trigger: After 3 failed login attempts; Action: Alarm And CAPTCHA | Trigger: After 3 failed login attempts; Action: Alarm | Trigger: After 3 failed login attempts; Action: Alarm And CAPTCHA | |||
Device ID | Trigger: Never | |||||
IP Address | Trigger: After 20 failed login attempts; Action: Alarm And CAPTCHA | Trigger: After 20 failed login attempts; Action: Alarm | Trigger: After 20 failed login attempts; Action: Alarm And CAPTCHA | |||
Client Side Integrity Bypass Mitigation | Trigger: After 3 failed login attempts; Action: Alarm And CAPTCHA | |||||
CAPTCHA Bypass Mitigation | Trigger: After 5 failed login attempts; Action: Alarm And Drop | |||||
Distributed Brute Force Protection | ||||||
Detection Period | 15 minutes | |||||
Maximum Prevention Duration | 60 minutes | |||||
Detect Distributed Attack | After 100 failed login attempts | |||||
Detect Credential Stuffing | After 100 failed login attempts | |||||
Mitigation | Alarm And CAPTCHA | Alarm | Alarm And CAPTCHA | |||
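The source-based thresholds above (3 failed logins per username, 20 per source IP, a 60-minute detection period and a 60-minute maximum prevention duration) describe a sliding-window counter. The following is an added example of that logic, not BIG-IP or BIG-IQ code: it keeps per-username and per-IP failure timestamps, drops entries older than the detection period, and records a mitigation that expires after the prevention duration. The action names are the ones from the table; the sample usernames, addresses and timestamps in the test are constructed.

```python
from __future__ import annotations
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Threshold:
    attempts: int   # failed logins inside the detection period that trigger the action
    action: str     # "Alarm", "Alarm And CAPTCHA" or "Alarm And Drop" (names from the table)


@dataclass
class BruteForceConfig:
    """Source-based settings modelled on the table; times are in seconds."""
    detection_period: int = 60 * 60          # 60 minutes
    max_prevention_duration: int = 60 * 60   # 60 minutes
    username: Threshold = Threshold(3, "Alarm And CAPTCHA")
    ip_address: Threshold = Threshold(20, "Alarm And CAPTCHA")


# Order used when both dimensions are mitigated at once: the stronger action wins.
_ACTION_RANK = {"Alarm": 1, "Alarm And CAPTCHA": 2, "Alarm And Drop": 3}


class SourceBasedBruteForce:
    """Sliding-window failed-login counter per username and per source IP (illustrative)."""

    def __init__(self, cfg: BruteForceConfig = BruteForceConfig()):
        self.cfg = cfg
        # dimension -> key -> timestamps of failures still inside the detection period
        self.failures = {"username": defaultdict(deque), "ip": defaultdict(deque)}
        # dimension -> key -> time at which the mitigation expires
        self.mitigated_until = {"username": {}, "ip": {}}

    def _dimensions(self, username: str, ip: str):
        return (("username", username, self.cfg.username),
                ("ip", ip, self.cfg.ip_address))

    def _prune(self, window: deque, now: float) -> None:
        # Forget failures older than the detection period.
        while window and now - window[0] > self.cfg.detection_period:
            window.popleft()

    def record_failure(self, username: str, ip: str, now: float) -> list[tuple[str, str, str]]:
        """Record one failed login at time `now`; return (dimension, key, action) for each trigger."""
        triggered = []
        for dim, key, threshold in self._dimensions(username, ip):
            window = self.failures[dim][key]
            self._prune(window, now)
            window.append(now)
            if len(window) >= threshold.attempts:
                self.mitigated_until[dim][key] = now + self.cfg.max_prevention_duration
                triggered.append((dim, key, threshold.action))
        return triggered

    def action_for(self, username: str, ip: str, now: float) -> str:
        """Mitigation that applies to a login attempt at time `now`, or "Allow"."""
        active = []
        for dim, key, threshold in self._dimensions(username, ip):
            until = self.mitigated_until[dim].get(key)
            if until is not None and now < until:
                active.append(threshold.action)
        if not active:
            return "Allow"
        return max(active, key=lambda a: _ACTION_RANK.get(a, 0))
```

The per-IP counter is what catches a password-spraying pattern (one address, many usernames, each below the per-username threshold); the per-username counter catches repeated guesses against one account from changing addresses.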
HEADERS
- Methods
- All templates except Vulnerability Assessment Baseline include the three HTTP methods GET, POST, and HEAD.
- Vulnerability Assessment Baseline includes all available HTTP methods, with their default actions as follows:
- Methods acting as GET: REPORT, HEAD, CHECKOUT, COPY, LOCK, MOVE, CHECKIN, UNLOCK, GET, OPTIONS, MERGE, X-MS-ENUMATTS, NOTIFY, MKCOL, SUBSCRIBE, POLL, CONNECT, ACL, VERSION_CONTROL, PROPFIND, UNSUBSCRIBE, PROPPATCH.
- Methods acting as POST: MKWORKSPACE, BPROPPATCH, BPROPFIND, BMOVE, RPC_IN_DATA, SEARCH, RPC_OUT_DATA, BCOPY, POST, UNLINK, LINK, PATCH.
Property | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
---|---|---|---|---|---|---|
In Staging | No | No | Yes | Yes | Yes | No |
Property | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
---|---|---|---|---|---|---|
Redirection Protection | Disabled | Disabled | Enabled | Enabled | Enabled | Enabled |
Redirection Domains | Empty | Empty | * Entity only | * Entity only | * Entity only | Empty |
URLS
Property | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
---|---|---|---|---|---|---|
Properties | ||||||
URL | Wildcard HTTP and HTTPS | |||||
Perform Staging | Disabled | Enabled | Enabled | Enabled | Enabled | Disabled |
Wildcard Match Includes Slashes | Enabled | |||||
Clickjacking Protection | Disabled | |||||
Attack Signatures | ||||||
Check Signatures on this URL | Enabled | |||||
Overridden Policy Settings | No overrides were selected | |||||
Header-Based Content Profiles | ||||||
Request Header Value/Request Body Handling | Form, XML, JSON and Apply Value and Content Signatures | Apply Value and Content Signatures | ||||
HTML5 Cross-Domain Request Enforcement | ||||||
Enforcement Mode | Disabled | Disabled | Disabled | Enforce on ASM | Enforce on ASM | Disabled |
Methods Enforcement | ||||||
Override policy allowed methods | Disabled | |||||
Property | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
---|---|---|---|---|---|---|
Properties | ||||||
WebSocket URL | Wildcard WS and WSS | |||||
Perform Staging | Disabled | Enabled | Enabled | Enabled | Enabled | Disabled |
Message Handling | ||||||
Check Message Payload | Enabled | Enabled | Enabled | Enabled | Enabled | Disabled |
WebSocket Extensions | Delete Headers | Delete Headers | Delete Headers | Delete Headers | Block | Delete Headers |
Allowed Message Payload Formats | All Formats | All Formats | All Formats | Plain Text, JSON | Plain Text, JSON | All Formats |
Payload Enforcement (Maximum Binary Message Size) | Any | Any | Any | 10,000 bytes | 10,000 bytes | Any |
Maximum Frame Size | Any | Any | Any | 10,000 bytes | 10,000 bytes | Any |
Maximum Frames per fragmented message | Any | Any | Any | 100 bytes | 100 bytes | Any |
HTML5 Cross-Domain Request Enforcement | ||||||
Enforcement Mode | Disabled | Disabled | Disabled | Enforce on ASM | Enforce on ASM | Disabled |
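The Message Handling rows above, together with the WebSocket violations listed earlier in the violation table (mask not found in a client frame, framing failure, illegal frame length, illegal number of frames per message, binary content in a text-only WebSocket, null character in a text message), describe per-frame and per-message checks on RFC 6455 traffic. The block below is an added example of such a checker and is not BIG-IP or BIG-IQ code. It decodes raw client frames with a small RFC 6455 parser, reassembles fragmented messages, and applies limits modelled on the Comprehensive column (text and JSON only, 10,000-byte frames and binary messages, 100 frames per message; the table lists the last limit as "100 bytes", and this example assumes it is a frame count). The `build_client_frame` helper and all sample frames are constructed for the example.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass

# RFC 6455 opcodes
OP_CONT, OP_TEXT, OP_BINARY, OP_CLOSE, OP_PING, OP_PONG = 0x0, 0x1, 0x2, 0x8, 0x9, 0xA
FRAMING_FAILURE = "Failure in WebSocket framing protocol"


@dataclass(frozen=True)
class WsLimits:
    """Message Handling limits modelled on the Comprehensive column of the table."""
    allowed_formats: tuple = ("text", "json")   # no "binary": binary messages are rejected
    max_frame_size: int = 10_000                # bytes per frame
    max_binary_message_size: int = 10_000       # bytes per reassembled binary message
    max_frames_per_message: int = 100           # assumption: a count of frames, not bytes


def parse_frame(buf: bytes):
    """Decode one complete frame (RFC 6455 section 5.2).

    Returns (fin, rsv, opcode, masked, payload); raises ValueError when the
    header is truncated or the declared length does not match the buffer."""
    if len(buf) < 2:
        raise ValueError("truncated frame header")
    b0, b1 = buf[0], buf[1]
    fin, rsv, opcode = bool(b0 & 0x80), (b0 >> 4) & 0x7, b0 & 0x0F
    masked, length = bool(b1 & 0x80), b1 & 0x7F
    pos = 2
    if length == 126:
        if len(buf) < pos + 2:
            raise ValueError("truncated extended length")
        length, pos = struct.unpack("!H", buf[pos:pos + 2])[0], pos + 2
    elif length == 127:
        if len(buf) < pos + 8:
            raise ValueError("truncated extended length")
        length, pos = struct.unpack("!Q", buf[pos:pos + 8])[0], pos + 8
    key = b""
    if masked:
        if len(buf) < pos + 4:
            raise ValueError("truncated masking key")
        key, pos = buf[pos:pos + 4], pos + 4
    if len(buf) != pos + length:
        raise ValueError("payload length does not match header")
    payload = buf[pos:]
    if masked:  # client-to-server payloads are XOR-masked with the 4-byte key
        payload = bytes(c ^ key[i % 4] for i, c in enumerate(payload))
    return fin, rsv, opcode, masked, payload


def build_client_frame(opcode: int, payload: bytes, fin: bool = True,
                       mask: bool = True, key: bytes = b"\x12\x34\x56\x78") -> bytes:
    """Constructed test helper: encode a client frame, masked unless mask=False."""
    b0 = (0x80 if fin else 0x00) | opcode
    mask_bit = 0x80 if mask else 0x00
    n = len(payload)
    if n < 126:
        header = bytes([b0, mask_bit | n])
    elif n < 65536:
        header = bytes([b0, mask_bit | 126]) + struct.pack("!H", n)
    else:
        header = bytes([b0, mask_bit | 127]) + struct.pack("!Q", n)
    if not mask:
        return header + payload
    return header + key + bytes(c ^ key[i % 4] for i, c in enumerate(payload))


class WsMessageInspector:
    """Stateful per-connection checker: feed client frames, get violation names back."""

    def __init__(self, limits: WsLimits = WsLimits()):
        self.limits = limits
        self._reset()

    def _reset(self) -> None:
        self.msg_opcode = None   # opcode of the data message currently being reassembled
        self.frames = 0
        self.chunks: list[bytes] = []

    def feed(self, frame: bytes) -> list[str]:
        lim = self.limits
        try:
            fin, rsv, opcode, masked, payload = parse_frame(frame)
        except ValueError:
            self._reset()
            return [FRAMING_FAILURE]
        violations = []
        if not masked:
            violations.append("Mask not found in client frame")
        if rsv:  # no extension was negotiated, so RSV1-3 must be zero
            violations.append(FRAMING_FAILURE)
        if len(payload) > lim.max_frame_size:
            violations.append("Illegal WebSocket frame length")
        if opcode >= OP_CLOSE:  # control frames: unfragmented, at most 125 bytes
            if not fin or len(payload) > 125:
                violations.append(FRAMING_FAILURE)
            return violations     # they may interleave with, but never join, a data message
        if opcode == OP_CONT and self.msg_opcode is None:
            self._reset()
            return violations + [FRAMING_FAILURE]   # continuation without a message start
        if opcode in (OP_TEXT, OP_BINARY):
            if self.msg_opcode is not None:
                self._reset()
                return violations + [FRAMING_FAILURE]   # new message while one is open
            self.msg_opcode = opcode
        elif opcode != OP_CONT:
            self._reset()
            return violations + [FRAMING_FAILURE]   # reserved opcode
        self.frames += 1
        self.chunks.append(payload)
        if self.frames > lim.max_frames_per_message:
            violations.append("Illegal number of frames per message")
        if fin:
            violations += self._check_message(self.msg_opcode, b"".join(self.chunks))
            self._reset()
        return violations

    def _check_message(self, opcode: int, data: bytes) -> list[str]:
        lim = self.limits
        if opcode == OP_BINARY:
            if "binary" not in lim.allowed_formats:
                return ["Binary content found in text only WebSocket"]
            if len(data) > lim.max_binary_message_size:
                return ["Illegal WebSocket binary message length"]
            return []
        if "text" not in lim.allowed_formats and "json" not in lim.allowed_formats:
            return ["Text content found in binary only WebSocket"]
        if b"\x00" in data:
            return ["Null character found in WebSocket text message"]
        try:
            data.decode("utf-8")   # RFC 6455 requires text payloads to be valid UTF-8
        except UnicodeDecodeError:
            return [FRAMING_FAILURE]
        return []


def inspect_frames(frames, limits: WsLimits = WsLimits()) -> list[str]:
    """Run a fresh inspector over a list of raw client frames and collect all violations."""
    inspector = WsMessageInspector(limits)
    found: list[str] = []
    for frame in frames:
        found += inspector.feed(frame)
    return found
```

Frame-level limits are checked before reassembly so that an oversized frame is reported even when the message never completes; the binary message size is checked only once all fragments are in, which is why it is a separate violation from the frame length.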
CONTENT PROFILES
Property | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
---|---|---|---|---|---|---|
Profile Name | Default | |||||
File Type | Wildcard | |||||
Perform Staging | Disabled | Disabled | Enabled | Enabled | Enabled | Disabled |
URL Length | Any | Any | 1024 Bytes | 1024 Bytes | 1024 Bytes | Any |
Request Length | Any | Any | 8196 Bytes | 8196 Bytes | 8196 Bytes | Any |
Query String Length | Any | Any | 4096 Bytes | 4096 Bytes | 4096 Bytes | Any |
POST Data Length | Any | Any | 4096 Bytes | 4096 Bytes | 4096 Bytes | Any |
Apply Response Signature Staging | Disabled | |||||
Property | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
---|---|---|---|---|---|---|
Properties | ||||||
Profile Name | Default | |||||
Use XML Blocking Response Page | Disabled | |||||
XML Firewall Configuration | ||||||
Defense Level | ||||||
Allow DTDs | Enabled | Enabled | Enabled | Disabled | Disabled | Enabled |
Allow External References | Enabled | Enabled | Enabled | Disabled | Disabled | Enabled |
Tolerate leading White Space | Enabled | Enabled | Enabled | Disabled | Disabled | Enabled |
Tolerate Close Tag Shorthand | Enabled | Enabled | Enabled | Disabled | Disabled | Enabled |
Tolerate Numeric Names | Enabled | Enabled | Enabled | Disabled | Disabled | Enabled |
Allow Processing Instructions | Enabled | |||||
Allow CDATA | Enabled | Enabled | Enabled | Disabled | Disabled | Enabled |
Maximum Document Size | Any | 1,024,000 Bytes | Any | 1,024,000 Bytes | 1,024,000 Bytes | Any |
Maximum Elements | Any | 512,000 | Any | 65,536 | 65,536 | Any |
Maximum Name Length | Any | 1,024 Bytes | Any | 256 Bytes | 256 Bytes | Any |
Maximum Attribute Value Length | Any | Any | Any | 1,024 Bytes | 1,024 Bytes | Any |
Maximum Document Depth | Any | Any | Any | 32 | 32 | Any |
Maximum Children Per Element | Any | 4,096 | Any | 1,024 | 1,024 | Any |
Maximum Attributes Per Element | Any | 64 | Any | 16 | 16 | Any |
Maximum NS Declarations | Any | 256 | Any | 64 | 64 | Any |
Maximum Namespace Length | Any | Any | Any | 256 | 256 | Any |
Attack Signatures | ||||||
Check Attack | Enabled | |||||
Attack Signatures Overrides | No Entries | |||||
Meta Characters | ||||||
Check element value characters | Disabled | Disabled | Disabled | Enabled | Enabled | Disabled |
Check attribute value characters | Disabled | |||||
Sensitive Data Configuration | ||||||
Sensitive Data | No Entries | |||||
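The Defense Level rows above are structural limits that a parser can enforce before it does any real work on the document: whether a DTD or an external reference is accepted at all, and how large, deep and wide the tree may grow. The block below is an added example of that kind of pre-check, not BIG-IP or BIG-IQ code. It uses the standard-library expat parser's callbacks to count elements, depth, children and attributes while the document streams through, with defaults taken from the Comprehensive column (DTDs and external references disallowed, 32 levels, 65,536 elements, 256-byte names, 1,024-byte attribute values, 1,024 children and 16 attributes per element), and stops at the first violation. The namespace-declaration and namespace-length limits are not modelled. All sample documents in the test are constructed, and no external resource is ever fetched.

```python
from __future__ import annotations
import xml.parsers.expat
from dataclasses import dataclass


@dataclass(frozen=True)
class XmlLimits:
    """Defense-level settings modelled on the Comprehensive column of the table."""
    allow_dtds: bool = False
    allow_external_refs: bool = False
    max_document_size: int = 1_024_000     # bytes
    max_elements: int = 65_536
    max_name_length: int = 256             # bytes, element and attribute names
    max_attr_value_length: int = 1_024     # bytes
    max_depth: int = 32
    max_children_per_element: int = 1_024
    max_attrs_per_element: int = 16


class XmlViolation(Exception):
    """Raised from inside a parser callback; expat stops parsing at that point."""


def check_xml(body: bytes, limits: XmlLimits = XmlLimits()) -> dict:
    """Stream `body` through expat and enforce `limits`; return element/depth statistics."""
    if len(body) > limits.max_document_size:
        raise XmlViolation("document size exceeds limit")
    stats = {"elements": 0, "max_depth": 0}
    open_children: list[int] = []   # child count of every element that is currently open
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if not limits.allow_dtds:
            raise XmlViolation("DTD not allowed")
        if (sysid or pubid) and not limits.allow_external_refs:
            raise XmlViolation("external reference not allowed")

    def on_external_entity(context, base, sysid, pubid):
        # Reached only when content references an external entity; it is never fetched here.
        if not limits.allow_external_refs:
            raise XmlViolation("external reference not allowed")
        return 1

    def on_start(name, attrs):
        stats["elements"] += 1
        if stats["elements"] > limits.max_elements:
            raise XmlViolation("too many elements")
        if len(name.encode()) > limits.max_name_length:
            raise XmlViolation("element name too long")
        if len(attrs) > limits.max_attrs_per_element:
            raise XmlViolation("too many attributes on one element")
        for attr_name, value in attrs.items():
            if len(attr_name.encode()) > limits.max_name_length:
                raise XmlViolation("attribute name too long")
            if len(value.encode()) > limits.max_attr_value_length:
                raise XmlViolation("attribute value too long")
        if open_children:
            open_children[-1] += 1
            if open_children[-1] > limits.max_children_per_element:
                raise XmlViolation("too many children under one element")
        open_children.append(0)
        if len(open_children) > limits.max_depth:
            raise XmlViolation("document depth exceeds limit")
        stats["max_depth"] = max(stats["max_depth"], len(open_children))

    def on_end(name):
        open_children.pop()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(body, True)
    except xml.parsers.expat.ExpatError as exc:
        raise XmlViolation(f"malformed XML: {exc}") from exc
    return stats


def inspect_xml(body: bytes, limits: XmlLimits = XmlLimits()) -> str:
    """Decision view of check_xml: "allowed" or "blocked: <reason>"."""
    try:
        check_xml(body, limits)
    except XmlViolation as exc:
        return f"blocked: {exc}"
    return "allowed"
```

Because every limit is checked inside a streaming callback, the decision for an oversized or over-deep document is made at the first offending element rather than after the whole body has been read into a tree, which is the point of putting these limits in front of the application parser.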
Property | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
---|---|---|---|---|---|---|
Properties | ||||||
Profile Name | Default | |||||
Maximum Total Length | Any | Any | Any | 10,000 | 10,000 | Any |
Maximum Line Length | Any | Any | Any | 100 | 100 | Any |
Perform Percent Decoding | Disabled | |||||
Attack Signatures Overrides | ||||||
Attack Signatures Check | Enabled | |||||
Attack Signatures Overrides | No overrides were selected | |||||
Meta Characters | ||||||
Check Characters | Disabled | |||||
PARAMETERS
Property | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
---|---|---|---|---|---|---|
Properties | ||||||
Name | Wildcard: * | |||||
Level | Global | |||||
Perform Staging | Disabled | Disabled | Disabled | Enabled | Enabled | Disabled |
Allow Empty Value | Enabled | |||||
Allow Repeated Occurrences | Disabled | |||||
Sensitive Parameter | Disabled | |||||
Value Type | user-input | |||||
Data Type | Alpha-Numeric | |||||
Data Type Attributes | ||||||
Maximum Length | Any | Any | Any | 10 | 10 | Any |
Regular Exp. | Disabled | |||||
Base64 Decoding | Disabled | |||||
Value Meta Character | ||||||
Value Meta Character Checks | Disabled | Disabled | Disabled | Enabled | Enabled | Disabled |
Name Meta Character | ||||||
Name Meta Character Checks | Disabled | Disabled | Disabled | Enabled | Enabled | Disabled |
Attack Signatures | ||||||
Attack Signatures Checks | Enabled | Enabled | Enabled | Enabled | Enabled | Disabled |
Select signatures overrides | No overrides were selected | |||||
Property | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
---|---|---|---|---|---|---|
Learn New Entities | Password | No sensitive parameters included | ||||
ATTACK SIGNATURES CONFIGURATION
Property | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
---|---|---|---|---|---|---|
Signature Staging | Enabled | Disabled | ||||
Place Updated Signatures in Staging | Enabled (placed in staging and retains old version) | Disabled | ||||
Attack Signature Set Assignment | Generic Detection Signatures set; Learn/Alarm/Block enabled | |||||
Apply Response Signatures | No file types were selected | |||||
THREAT CAMPAIGNS
The Threat Campaigns feature is only available on BIG-IP versions 14.0 or later. All templates, except for Vulnerability Assessment Baseline, have the Threat Campaign detected violation enabled, with its Alarm and Block settings enabled and Enable Campaign staging disabled. For Vulnerability Assessment Baseline, both are disabled.
SESSIONS AND LOGINS
There are no pre-defined login or logout pages for any generic template.
Property | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
---|---|---|---|---|---|---|
Expiration Time | Disabled | |||||
Authenticated URLs | None | |||||
Property | RDP | API Security | Fundamental | Comprehensive | PDP | Vulnerability Assessment Baseline |
---|---|---|---|---|---|---|
Session Hijacking | ||||||
Detect Session Hijacking by Device ID Tracking | Disabled | Disabled | Disabled | Enabled | Disabled | Disabled |
Session Tracking Configuration | ||||||
Session Awareness | Disabled | Disabled | Disabled | Enabled | Disabled | Disabled |
Application Username | Use All Login Pages | Use All Login Pages | Use All Login Pages | None | Use All Login Pages | Use All Login Pages |
Violation Detection Actions | ||||||
Track Violations and Perform Actions | Disabled | Disabled | Disabled | Enabled | Disabled | Disabled |
Violation Detection Period | 900s | |||||