Applies To:
Show VersionsBIG-IP ASM
- 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
Fine-tuning XML defense configuration
The system checks requests that contain XML data to be sure that the data complies with the various document limits defined in the defense configuration of the security policy's XML profile. The system generally examines the message for compliance to boundaries such as the message's size, maximum depth, and maximum number of children. When the system detects a problem in an XML document, it causes the XML data does not comply with format settings violation, if the violation is set to Alarm or Block.
Advanced XML defense configuration settings
This table describes the defense configuration settings. The Defense Level setting in an XML profile determines the default values for the setting, or you can adjust them. A value of Any indicates unlimited; that is, up to the boundaries of an integer type.
Setting | Description | Default Values |
---|---|---|
Defense Level | Specifies the level of protection that the system applies to XML documents, applications, and services. If you change any of the default settings, the system automatically changes the defense level to Custom. | High, Medium, Low |
Allow DTDs | Specifies, when enabled, that the XML document can contain Document Type Definitions (DTDs). | High: Disabled, Medium: Enabled, Low: Enabled |
Allow External References | Specifies, when enabled, that the XML document is allowed to list external references using operators, such as schemaLocation and SYSTEM. | High: Disabled, Medium: Disabled, Low: Enabled |
Tolerate Leading White Space | Specifies, when enabled, that leading white spaces at the beginning of an XML document are acceptable. | High: Disabled, Medium: Disabled, Low: Enabled |
Tolerate Close Tag Shorthand | Specifies, when enabled, that the close tag format </>, which is used in the XML encoding for Microsoft Office Outlook Web Access, is acceptable. | High: Disabled, Medium: Disabled, Low: Enabled |
Tolerate Numeric Names | Specifies, when enabled, that the entity and namespace names can start with an integer (0-9). Note that this is a compatibility option for use with Microsoft Office Outlook Web Access. | High: Disabled, Medium: Disabled, Low: Enabled |
Allow Processing Instructions | Specifies, when enabled, that the system allows processing instructions in the XML request. If you upload a WSDL file that references valid SOAP methods, this setting is inactive. | High: Enabled, Medium: Enabled, Low: Enabled |
Allow CDATA | Specifies, when enabled, that the system permits the existence of character data (CDATA) sections in the XML document part of a request. | High: Disabled, Medium: Enabled, Low: Enabled |
Maximum Document Size | Specifies, in bytes, the largest acceptable document size. | High: 1024000, Medium: 10240000, Low: Any |
Maximum Elements | Specifies the maximum number of elements that can be in a single document. | High: 65536, Medium: 512000, Low: Any |
Maximum Name Length | Specifies, in bytes, the maximum acceptable length for element and attribute names. | High: 256, Medium: 1024, Low: Any |
Maximum Attribute Value Length | Specifies, in bytes, the maximum acceptable length for attribute values. | High: 1024, Medium: 4096, Low: Any |
Maximum Document Depth | Specifies the maximum depth of nested elements. | High: 32, Medium: 128, Low: Any |
Maximum Children Per Element | Specifies the maximum acceptable number of child elements for each parent element. | High: 1024, Medium: 4096, Low: Any |
Maximum Attributes Per Element | Specifies the maximum number of attributes for each element. | High: 16, Medium: 64, Low: Any |
Maximum NS Declarations | Specifies the maximum number of namespace declarations allowed in a single document. | High: 64, Medium: 256, Low: Any |
Maximum Namespace Length | Specifies the largest allowed size, in bytes, for a namespace prefix in the XML part of a request. | High: 256, Medium: 1024, Low: Any |