Overview: WAF Policies

The Web Application Firewall (WAF) security policy configuration uses the declarative format based on a pre-defined base template. The policy is represented in a JSON file. You can edit the policy to add, modify and remove security capabilities with respect to the base template. The way the policy is integrated into the configuration is either via the BIG-IP Next Central Manager, or by referencing the JSON file (using the full path) from your source control system.

Declarative policy structure

Security policies are created using declarative JSON format. Whether you are using a single BIG-IP Next instance, or the BIG-IP Next Central Manager, the security policy is based on a structured JSON format. Note: Within the BIG-IP Next Central Manager UI, you can create or manage a security policy using the declarative policy text editor.

The supported declarative policy structure includes the following logical sections:

Each logical section in the declarative policy JSON schema has a specific purpose.

Core Defined within the root policy property, the core section includes the name, description, and template for the policy.

The name and template fields are mandatory. The following is an example of the core section within the declarative policy:

{
    "name": "AppPolicy01",
    "description": "AppV1.1 - DEMO FOR DECLARATIVE AND WEBHOOKS CAPABILITIES",
    "template": {
        "name": "POLICY_TEMPLATE_FUNDAMENTAL"
    }
}

Adjustments Defined within the root policy property after the core section, the adjustments section includes attributes of the policy that override or add to those defined in the template . Attributes included in this section can include both properties that are particular to the protected application, such as server technologies, URLs, or parameters, and modifications to settings defined by the template. The adjustments section contains all the entities of the security policy. All adjustments are optional. If there are no adjustments, the values are taken from the defined template.

The following is an example of the adjustments section within the declarative policy:

{
    "enforcementMode": "blocking",
    "server-technologies": [
        {
            "serverTechnologyName": "MySQL"
        }
    ],
    "signature-settings": {
        "signatureStaging": false
    }
}

Policy templates

Policy templates provide a starting point to any policy you write. Based on your application protection requirements, a template provides default protection without any further modifications. For more information about available templates, see WAF Policy Templates

How to Create a WAF Policy

Use the following documentation to create a WAF policy:

• How To: Configure WAF Policy on BIG-IP Next Central Manager

• How To: Configure WAF Policy in BIG-IP Next Central Manager’s Policy Editor