# Declarative WAF Policy Schema

## policy

| Field Name | Reference | Type | Description | Allowed Values |
|---|---|---|---|---|
| | Yes | object | | |
| | No | string | The character encoding for the web application. The character encoding determines how the policy processes the character sets. The default is Auto detect. | |
| | Yes | object | This section defines policy block/alarm/learn behaviors. | |
| | Yes | object | This section defines the properties of the bot defense feature. | |
| | Yes | array of objects | | |
| | Yes | array of objects | Defines the configuration for the Brute Force Protection feature. There is a default configuration (the one with the bruteForceProtectionForAllLoginPages flag and without a url) that applies to all configured login URLs unless another brute force configuration exists for a specific login page. | |
| | No | boolean | Specifies whether the security policy treats microservice URLs, file types, URLs, and parameters as case sensitive or not. When this setting is enabled, the system stores these security policy elements in lowercase in the security policy configuration. | |
| | Yes | array of objects | | |
| | Yes | object | The maximum length of a cookie header name and value that the system processes. The system calculates and enforces a cookie header length based on the sum of the length of the cookie header name and value. | |
| | Yes | array of objects | This section defines Cookie entities for your policy. You can specify the cookies that you want to allow, and the ones you want to enforce in a security policy: | |
| | Yes | object | | |
| | Yes | array of objects | | |
| | Yes | object | The Data Guard feature can prevent responses from exposing sensitive information by masking the data. | |
| | No | string | Specifies the description of the policy. | |
| | Yes | array of objects | Specifies a list of countries that may not access the web application. | |
| | Yes | object | | |
| | No | boolean | Passive Mode allows the policy to be associated with a Performance L4 Virtual Server (using a FastL4 profile). With FastL4, traffic is analyzed but is not modified in any way. | |
| | No | string | | |
| | Yes | array of objects | File types are a categorization of the URLs in the request by the extension appearing past the last dot at the end of the URL. For example, the file type of /index.php is “php”. Other well known file types are html, aspx, png, jpeg and many more. A special case is the “empty” file type called “no-ext”, meaning no extension: the URL has no dot in its last segment, as in /foo_no_dot. File types usually imply the expected content type in the response. For example, html and php return HTML content, while jpeg, png and gif return images, each in its respective format. File types also imply the server technology deployed for rendering the page, for example php (PHP), aspx (ASP) and many others. The security policy uses file types for several purposes: (1) the ability to define which file types are allowed and which are disallowed; by including the pure wildcard `*` file type and a list of disallowed file types you have a file type denylist, and by having a list of explicit file types without the pure wildcard `*` you have a file type allowlist; (2) each file type implies maximum length restrictions for the requests of that file type, checked per the URL, query string, total request length, and payload (POST data); (3) each file type determines whether to detect response signatures for requests of that file type; typically, one would never check signatures for image file types. | |
| | No | string | The full name of the policy including partition. | |
| | Yes | object | This section includes several advanced policy configuration settings. | |
| | Yes | array of objects | | |
| | Yes | array of objects | | |
| | Yes | object | The maximum length of an HTTP header name and value that the system processes. The system calculates and enforces the HTTP header length based on the sum of the length of the HTTP header name and value. | |
| | Yes | array of objects | This section defines Header entities for your policy. | |
| | Yes | array of objects | | |
| | Yes | object | | |
| | Yes | array of objects | | |
| | Yes | array of objects | | |
| | Yes | object | | |
| | Yes | array of objects | A login page is a URL in a web application that requests must pass through to get to the authenticated URLs. Use login pages, for example, to prevent forceful browsing of restricted parts of the web application by defining access permissions for users. Login pages also allow session tracking of user sessions. | |
| | Yes | array of objects | | |
| | No | string | The unique user-given name of the policy. Policy names cannot contain spaces or special characters. Allowed characters are a-z, A-Z, 0-9, dot, dash (-), colon (:) and underscore (_). | |
| | Yes | array of objects | | |
| | Yes | array of objects | | |
| | Yes | array of objects | This section defines parameters that the security policy permits in requests. | |
| | No | boolean | Determines staging handling for all applicable entities in the policy, such as signatures, URLs, parameters, and cookies. If disabled, all entities are enforced and any violations triggered are considered illegal. | |
| | Yes | object | | |
| | Yes | object | | |
| | Yes | object | Defines Policy Builder behavior for file types. | |
| | Yes | object | | |
| | Yes | object | Defines Policy Builder behavior for parameters. | |
| | Yes | object | | |
| | Yes | object | Defines Policy Builder behavior for Server Technologies. | |
| | Yes | object | | |
| | Yes | object | | |
| | No | boolean | When creating a security policy, you can determine whether the security policy differentiates between HTTP and HTTPS URLs. If enabled, the security policy differentiates between HTTP and HTTPS URLs. If disabled, the security policy configures URLs without specifying a specific protocol. This is useful for applications that behave the same for HTTP and HTTPS, and it keeps the security policy from including the same URL twice. | |
| | Yes | object | | |
| | Yes | array of objects | | |
| | Yes | array of objects | The security policy has a default blocking response page that it returns to the client when the client request, or the web server response, is blocked by the security policy. The system also has a login response page for login violations. You can change the way the system responds to blocked logins or blocked requests. All default response pages contain a variable, `<%TS.request.ID()%>`, that the system replaces with a support ID number when it issues the page. | |
| | Yes | array of objects | This section defines sensitive parameters. The contents of these parameters are not visible in logs nor in the user interfaces; instead of the actual values, a string of asterisks is shown for these parameters. Use these parameters to protect sensitive user input, such as a password or a credit card number, in a validated request. A parameter named “password” is always defined as sensitive by default. | |
| | Yes | array of objects | The server technology is a server-side application, framework, web server or operating system type that is configured in the policy in order to adapt the policy to the checks needed for the respective technology. | |
| | Yes | array of objects | | |
| | Yes | array of objects | Defines behavior when signatures found within a signature set are detected in a request. Settings are cumulative, so if a signature is found in any set with block enabled, that signature will have block enabled. | |
| | Yes | object | | |
| | Yes | array of objects | This section defines the properties of a signature on the policy. | |
| | No | string | | |
| | Yes | array of objects | | |
| | Yes | object | Specifies the template used to populate the attributes of a new policy. The template is only used when creating the policy: a security policy is always created based on a user-defined or system-supplied template. Unlike parent policies, templates do not affect the policy after it is created. If you modify a template, policies created from it in the past are not affected. | |
| | Yes | object | | |
| | Yes | array of objects | This section defines the enforcement state for the threat campaigns in the security policy. | |
| | No | string | | |
| | Yes | array of objects | In a security policy, you can manually specify the HTTP URLs that are allowed (or disallowed) in traffic to the web application being protected. If you are using automatic policy building (and the policy includes learning URLs), the system can determine which URLs to add, based on legitimate traffic. When you create a security policy, wildcard URLs of `*` (representing all HTTP URLs) are added to the allowed HTTP URLs lists. During the enforcement readiness period, the system examines the URLs in the traffic and makes learning suggestions that you can review, adding the URLs to the policy as needed. This way, the security policy includes the HTTP URLs that are typically used. When you think all the URLs are included in the security policy, you can remove the `*` wildcards from the allowed URLs lists. | |
| | Yes | array of objects | | |
| | No | string | | |
| | Yes | array of objects | An IP address exception is an IP address that you want the system to treat in a specific way for a security policy. For example, you can specify IP addresses from which the system should always trust traffic, IP addresses for which you do not want the system to generate learning suggestions for the traffic, and IP addresses for which you want to exclude information from the logs. You can use the IP address exception feature to create exceptions for IP addresses of internal tools that your company uses, such as penetration tools, manual or automatic scanners, or web scraping tools. You can add an IP address exception and instruct the system how to handle traffic coming from that address. | |
| | Yes | array of objects | | |
| | Yes | array of objects | | |
## open-api-files

| Field Name | Type | Description | Allowed Values |
|---|---|---|---|
| | string | | |
## template

| Field Name | Type | Description | Allowed Values |
|---|---|---|---|
| | string | | |
| | string | Specifies the name of the template used for the policy creation. | |
## user-defined-signatures

| Field Name | Type | Description | Allowed Values |
|---|---|---|---|
| | string | | |
| | array of objects | | |
| | string | | |
| | string | | |
## signatures

| Field Name | Type | Description | Allowed Values |
|---|---|---|---|
| | string | | |
| | object | | |
| | string | | |
| | boolean | | |
| | boolean | | |
| | array of objects | | |
| | boolean | | |
| | boolean | | |
| | boolean | | |
| | boolean | | |
| | boolean | | |
| | boolean | | |
| | boolean | | |
| | boolean | | |
| | boolean | | |
| | boolean | | |
| | string | The signature name which, along with the signature tag, identifies the signature. | |
| | array of objects | | |
| | string | | |
| | string | | |
| | string | | |
| | integer | The signature ID which identifies the signature. | |
| | string | | |
| | array of objects | | |
| | string | The signature tag which, along with the signature name, identifies the signature. | |
## attackType

| Field Name | Type | Description | Allowed Values |
|---|---|---|---|
| | string | | |
## keywords

| Field Name | Type | Description | Allowed Values |
|---|---|---|---|
| | string | | |
| | string | | |
| | boolean | | |
| | string | | |
## references

| Field Name | Type | Description | Allowed Values |
|---|---|---|---|
| | string | | |
| | string | | |
## systems

| Field Name | Type | Description | Allowed Values |
|---|---|---|---|
| | string | | |
## app-protection

| Field Name | Type | Description | Allowed Values |
|---|---|---|---|
| | boolean | | |
## blocking-settings

| Field Name | Reference | Type | Description | Allowed Values |
|---|---|---|---|---|
| | Yes | array of objects | This section defines the behavior of the sub-violations of the ‘Evasion technique detected’ (VIOL_EVASION) violation. The user can control which sub-violations are enabled (alarmed/blocked) and/or learned. The behavior of sub-violations depends on the block/alarm/learn settings of the ‘Evasion technique detected’ violation, defined in the /policy/blocking-settings/violations section: | |
| | Yes | array of objects | This section defines the behavior of the sub-violations of the ‘HTTP protocol compliance failed’ (VIOL_HTTP_PROTOCOL) violation. The user can control which sub-violations are enabled (alarmed/blocked) and/or learned. The behavior of sub-violations depends on the block/alarm/learn settings of the ‘HTTP protocol compliance failed’ violation, defined in the /policy/blocking-settings/violations section: | |
| | Yes | array of objects | | |
| | Yes | array of objects | | |
## bot-defense

| Field Name | Reference | Type | Description | Allowed Values |
|---|---|---|---|---|
| | Yes | object | This section defines the mitigation for each class or signature. | |
| | Yes | object | This section contains all bot defense settings. | |
## browser-definitions

| Field Name | Type | Description | Allowed Values |
|---|---|---|---|
| | boolean | | |
| | string | | |
| | string | | |
| | string | | |
## brute-force-attack-preventions

| Field Name | Type | Description | Allowed Values |
|---|---|---|---|
| | boolean | When enabled, enables Brute Force Protection for all configured login URLs. When disabled, only brute force configurations for specific login pages are applied, in case they exist. | |
| | object | Specifies the configuration for CAPTCHA Bypass Mitigation. | |
| | object | Specifies the configuration for Client Side Integrity Bypass Mitigation. | |
| | object | Specifies the configuration for detecting distributed brute force attacks. | |
| | object | Specifies the configuration for Leaked Credentials Detection. | |
| | object | Specifies the configuration for detecting brute force attacks by Device ID. | |
| | object | Specifies the configuration for detecting brute force attacks from an IP Address. | |
| | object | Specifies the configuration for detecting brute force attacks by Username. | |
| | integer minimum: 60 maximum: 90000 | Defines the detection period (measured in seconds) for distributed brute force attacks. | |
| | | Defines the prevention period (measured in seconds) for distributed brute force attacks. | |
| | integer minimum: 60 maximum: 90000 | Defines the prevention period (measured in seconds) for source-based brute force attacks. | |
| | integer minimum: 60 maximum: 90000 | Defines the detection period (measured in seconds) for source-based brute force attacks. | |
| | object | Reference to the URL used in the login URL configuration (policy/login-pages). This login URL is protected by the Brute Force Protection feature. | |
## captchaBypassCriteria

| Field Name | Type | Description | Allowed Values |
|---|---|---|---|
| | string | Specifies the action that is applied when the defined threshold is reached. | |
| | boolean | When enabled, the system counts successful CAPTCHA challenges with failed logins from IP Address / Device ID. | |
| | integer minimum: 1 maximum: 100 | After the configured threshold (number of successful CAPTCHA challenges with failed logins from IP Address / Device ID) is reached, the defined action is applied to the next login attempt. | |
## clientSideIntegrityBypassCriteria

| Field Name | Type | Description | Allowed Values |
|---|---|---|---|
| | string | Specifies the action that is applied when the defined threshold is reached. | |
| | integer minimum: 1 maximum: 100 | After the configured threshold (number of successful challenges with failed logins from IP Address / Device ID / Username) is reached, the defined action is applied to the next login attempt. | |
## detectionCriteria

| Field Name | Type | Description | Allowed Values |
|---|---|---|---|
| | string | Specifies the action that is applied when one of the defined thresholds (credentialsStuffingMatchesReached, failedLoginAttemptsRateReached) is reached. | |
| | integer minimum: 1 maximum: 10000 | After the configured threshold (number of detected login attempts that match the known leaked credentials library) is reached, the defined action is applied to the next login attempt. | |
| | integer minimum: 1 maximum: 10000 | After the configured threshold (number of failed login attempts within measurementPeriod) is reached, the defined action is applied to the next login attempt. | |
## leakedCredentialsCriteria

| Field Name | Type | Description | Allowed Values |
|---|---|---|---|
| | string | Specifies the action taken when leaked credentials are detected. | |
## loginAttemptsFromTheSameDeviceId

| Field Name | Type | Description | Allowed Values |
|---|---|---|---|
| | string | Specifies the action that is applied when the defined threshold is reached. | |
| | integer minimum: 1 maximum: 100 | After the configured threshold (number of failed login attempts for a Device ID) is reached, the defined action is applied to the next login attempt. | |
## loginAttemptsFromTheSameIp

| Field Name | Type | Description | Allowed Values |
|---|---|---|---|
| | string | Specifies the action that is applied when the defined threshold is reached. | |
| | boolean | When enabled, the system counts failed login attempts from each IP Address. | |
| | integer minimum: 1 maximum: 1000 | After the configured threshold (number of failed login attempts from an IP Address) is reached, the defined action is applied to the next login attempt. | |
## loginAttemptsFromTheSameUser

| Field Name | Type | Description | Allowed Values |
|---|---|---|---|
| | string | Specifies the action that is applied when the defined threshold is reached. | |
| | boolean | When enabled, the system counts failed login attempts for each Username. | |
| | integer minimum: 1 maximum: 100 | After the configured threshold (number of failed login attempts for each Username) is reached, the defined action is applied to the next login attempt. | |
## character-sets

| Field Name | Type | Description | Allowed Values |
|---|---|---|---|
| | array of objects | | |
| | string | | |
## characterSet

| Field Name | Type | Description | Allowed Values |
|---|---|---|---|
| | boolean | | |
| | string | | |
## cookie-settings

| Field Name | Type | Description | Allowed Values |
|---|---|---|---|
| | | Maximum Cookie Header Length must be greater than 0 and less than 65536 bytes (64K). Note: if 0 or “any” is set, no restriction on the cookie header length is applied. | |
## cookies

| Field Name | Type | Description | Allowed Values |
|---|---|---|---|
| | boolean | Specifies, when true, that the system adds the HttpOnly attribute to the domain cookie’s response header. This is done to expose the cookie only to HTTP and HTTPS entities. It prevents the cookie from being modified, or intercepted even if it is not modified, by unwanted third parties that run scripts on the web page. | |
| | boolean | Specifies, when true, that you want attack signatures and threat campaigns to be detected on this cookie, and possibly to override the security policy settings of an attack signature or threat campaign specifically for this cookie. After you enable this setting, the system displays a list of attack signatures and threat campaigns. | |
| | string | Specifies how the system treats this cookie. | |
| | string | The introduction of the SameSite HTTP attribute (defined in [RFC6265bis](https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00)) allows you to declare whether your cookie should be restricted to a first-party or same-site context. Introducing the SameSite attribute on a cookie provides three different ways of controlling same-site vs. cross-site cookie sending: | |
| | boolean | You can enable the security policy to check whether cookie values contain a Base64 encoded string. If the value is indeed Base64 encoded, the system decodes this value and continues with its security checks. Specifies, when true, that the security policy checks the cookie’s value for Base64 encoding and decodes the value. Note: This setting is only available if Cookie Type is set to Allowed. | |
| | boolean | Specifies, when true, that the cookie’s value will be masked in the request log. | |
| | string | Specifies the cookie name as it appears in the HTTP cookie header. The cookie name length is limited to 500 characters. Names can be one of the following according to the type attribute: The syntax for wildcard entities is based on shell-style wildcard characters. The list below describes the wildcard characters that you can use so that the entity name can match multiple objects. Note: Wildcards do not match regular expressions. Do not use a regular expression as a wildcard. | |
| | boolean | If true, any violation associated with the respective cookie will not be enforced, and the request will not be considered illegal. | |
| | boolean | Specifies, when true, that the system adds the Secure attribute to the domain cookie’s response header. This is done to ensure that the cookies are returned to the server only over SSL (by using the HTTPS protocol). It prevents the cookie from being intercepted, but does not guarantee its integrity. | |
| | array of objects | Array of signature overrides. Specifies attack signatures whose security policy settings are overridden for this cookie, and which action the security policy takes when it discovers a request for this cookie that matches these attack signatures. | |
| | string | Determines the type of the name attribute. Only when the type is set to wildcard are the special wildcard characters in the name interpreted as such. | |
| | integer | Specifies the order index for wildcard cookie matching. Wildcard cookies with a lower wildcard order are checked for a match before cookies with a higher wildcard order. | |
## signatureOverrides

| Field Name | Type | Description | Allowed Values |
|---|---|---|---|
| | boolean | Specifies, when true, that the overridden signature is enforced. | |
| | string | The signature name which, along with the signature tag, identifies the signature. | |
| | integer | The signature ID which identifies the signature. | |
| | string | The signature tag which, along with the signature name, identifies the signature. | |
## csrf-protection

| Field Name | Type | Description | Allowed Values |
|---|---|---|---|
| | boolean | | |
| | boolean | | |
## csrf-urls

| Field Name | Type | Description | Allowed Values |
|---|---|---|---|
| | string | | |
| | string | | |
| | array of strings | | |
| | string | | |
| | string | | |
| | integer | | |
## data-guard

| Field Name | Type | Description | Allowed Values |
|---|---|---|---|
| | boolean | If true, the system considers credit card numbers as sensitive data. | |
| | boolean | If true, the system recognizes customized patterns as sensitive data. | |
| | array of strings | List of PCRE regular expressions that specify the sensitive data patterns. | |
| | boolean | If true, the system protects sensitive data. | |
| | string | Specifies the URLs for which the system enforces data guard protection. | |
| | array of strings | List of URLs to be enforced based on the enforcement mode of data guard protection. | |
| | boolean | If true, the system recognizes exception patterns as not being sensitive data. | |
| | array of strings | List of PCRE regular expressions that specify the data patterns that are not recognized as sensitive data. | |
| | boolean | If true, the system checks responses for file content. | |
| | array of objects | | |
| | integer minimum: 0 maximum: 255 | Specifies the number of first alphanumeric characters in custom patterns that are exposed. | |
| | integer minimum: 0 maximum: 20 | Specifies the number of last digits in credit card numbers that are exposed. | |
| | integer minimum: 0 maximum: 255 | Specifies the number of last alphanumeric characters in custom patterns that are exposed. | |
| | integer minimum: 0 maximum: 20 | Specifies the number of last digits in U.S. Social Security numbers that are exposed. | |
| | boolean | If true, the system intercepts the returned responses to mask sensitive data. | |
| | boolean | If true, the system considers U.S. Social Security numbers as sensitive data. | |
## fileContentDetectionFormats

| Field Name | Type | Description | Allowed Values |
|---|---|---|---|
| | string | | |
## disallowed-geolocations

| Field Name | Type | Description | Allowed Values |
|---|---|---|---|
| | string | Specifies the ISO country code of the selected country. | |
| | string | Specifies the name of the country. | |
## dos-protection

| Field Name | Type | Description | Allowed Values |
|---|---|---|---|
| | boolean | | |
| | object | | |
## filetypes

| Field Name | Type | Description | Allowed Values |
|---|---|---|---|
| | boolean | Determines whether the file type is allowed or disallowed. In either of these cases the VIOL_FILETYPE violation is issued (if enabled) for an incoming request: (1) no allowed file type matched the file type of the request; (2) the file type of the request matched a disallowed file type. | |
| | boolean | Determines whether to enforce the maximum length restriction for the body, a.k.a. “POST data”, of the requests that match the respective file type. The maximum length is determined by the postDataLength attribute. Although named “POST data”, this applies to any content type and is not restricted to POST requests; e.g. PUT requests are also checked. This attribute is relevant only to allowed file types. | |
| | boolean | Determines whether to enforce the maximum length restriction for the query string of the requests that match the respective file type. The maximum length is determined by the queryStringLength attribute. This attribute is relevant only to allowed file types. | |
| | boolean | Determines whether to enforce the maximum length restriction for the total length of requests that match the respective file type. The maximum length is determined by the requestLength attribute. This attribute is relevant only to allowed file types. | |
| | boolean | Determines whether to enforce the maximum length restriction for the URL of the requests that match the respective file type. The URL does not include the query string, past the &. The maximum length is determined by the urlLength attribute. This attribute is relevant only to allowed file types. | |
| | string | Specifies the file type name as it appears in the URL extension. Names can be one of the following according to the type attribute: The syntax for wildcard entities is based on shell-style wildcard characters. The list below describes the wildcard characters that you can use so that the entity name can match multiple objects. Note: Wildcards do not match regular expressions. Do not use a regular expression as a wildcard. | |
| | boolean | If true, any violation associated with the respective file type will not be enforced, and the request will not be considered illegal. | |
| | integer minimum: 0 | The maximum length in bytes of the body (POST data) of a request matching the file type. Enforced only if checkPostDataLength is set to true. If the value is exceeded, the VIOL_POST_DATA_LENGTH violation is issued. This attribute is relevant only to allowed file types. | |
| | integer minimum: 0 | The maximum length in bytes of the query string of a request matching the file type. Enforced only if checkQueryStringLength is set to true. If the value is exceeded, the VIOL_QUERY_STRING_LENGTH violation is issued. This attribute is relevant only to allowed file types. | |
| | integer minimum: 0 | The maximum total length in bytes of a request matching the file type. Enforced only if checkRequestLength is set to true. If the value is exceeded, the VIOL_REQUEST_LENGTH violation is issued. This attribute is relevant only to allowed file types. | |
| | boolean | Determines whether the responses to requests that match the respective file types are inspected for attack signature detection. This attribute is relevant only to allowed file types. | |
| | integer minimum: 0 maximum: 10000000000 | Determines how much of the response body is checked for signatures. When the value is set to 0, only the header is checked. This attribute is relevant only to allowed file types. | |
| | string | Determines the type of the name attribute. Only when the type is set to wildcard are the special wildcard characters in the name interpreted as such. | |
| | integer minimum: 0 | The maximum length in bytes of the URL of a request matching the file type, excluding the query string. Enforced only if checkUrlLength is set to true. If the value is exceeded, the VIOL_URL_LENGTH violation is issued. This attribute is relevant only to allowed file types. | |
| | integer | | |
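The two passages above (the file types overview in the policy table and the filetypes attributes) describe one mechanism: derive a file type from the last path segment, match it against explicit and wildcard entries, and only for allowed file types apply the per-type length limits and the response-check flag. The evaluator below is an added example written for this page; it is not the product's code. The attribute names `checkUrlLength`/`urlLength`, `checkQueryStringLength`/`queryStringLength`, `checkRequestLength`/`requestLength`, `checkPostDataLength`/`postDataLength`, `responseCheck`, `name`, `type` and `wildcardOrder` are the ones the descriptions mention; the attribute name `allowed`, the type values `"explicit"` and `"wildcard"`, and the policy fragments and requests are assumptions constructed for the example. It also generalizes slightly: the same function serves both the denylist shape (pure `*` wildcard plus disallowed entries) and the allowlist shape (explicit entries only).

```python
"""Added example: file type derivation and per-file-type checks.

Not the product's code. Attribute name `allowed` and the type values
"explicit"/"wildcard" are assumptions; the policy fragments are constructed.
"""
import fnmatch
from urllib.parse import urlsplit

# Constructed denylist-style policy: a pure "*" wildcard allows everything
# not listed, and explicit disallowed entries carve out exceptions.
DENYLIST_POLICY = [
    {"name": "*", "type": "wildcard", "wildcardOrder": 1, "allowed": True,
     "checkUrlLength": True, "urlLength": 100,
     "checkQueryStringLength": True, "queryStringLength": 50,
     "checkRequestLength": True, "requestLength": 500,
     "checkPostDataLength": True, "postDataLength": 200,
     "responseCheck": True},
    {"name": "jpeg", "type": "explicit", "allowed": True, "responseCheck": False},
    {"name": "exe", "type": "explicit", "allowed": False},
]

# Constructed allowlist-style policy: no pure wildcard, so anything that is
# not an explicit allowed entry fails with VIOL_FILETYPE.
ALLOWLIST_POLICY = [e for e in DENYLIST_POLICY if e["name"] != "*"] + [
    {"name": "php", "type": "explicit", "allowed": True,
     "checkPostDataLength": True, "postDataLength": 200, "responseCheck": True},
]


def request_file_type(url: str) -> str:
    """Extension after the last dot of the URL's last path segment,
    lower-cased; "no-ext" when that segment has no dot."""
    last_segment = urlsplit(url).path.rsplit("/", 1)[-1]
    if "." not in last_segment:
        return "no-ext"
    return last_segment.rsplit(".", 1)[1].lower()


def match_file_type(policy, file_type):
    """Explicit entries take precedence; wildcard entries are then tried in
    ascending wildcardOrder using shell-style matching."""
    for entry in policy:
        if entry["type"] == "explicit" and entry["name"] == file_type:
            return entry
    wildcards = sorted((e for e in policy if e["type"] == "wildcard"),
                       key=lambda e: e.get("wildcardOrder", 0))
    for entry in wildcards:
        if fnmatch.fnmatchcase(file_type, entry["name"]):
            return entry
    return None


def evaluate(policy, url: str, body: bytes = b"") -> list:
    """Return the VIOL_* names a request would raise under the policy.

    Length checks run only for an allowed file type, as the schema states.
    The total request length is approximated here as len(url) + len(body);
    a real implementation measures the full request bytes.
    """
    entry = match_file_type(policy, request_file_type(url))
    if entry is None or not entry["allowed"]:
        return ["VIOL_FILETYPE"]
    parts = urlsplit(url)
    checks = [
        ("checkUrlLength", "urlLength", len(parts.path), "VIOL_URL_LENGTH"),
        ("checkQueryStringLength", "queryStringLength", len(parts.query),
         "VIOL_QUERY_STRING_LENGTH"),
        ("checkPostDataLength", "postDataLength", len(body),
         "VIOL_POST_DATA_LENGTH"),
        ("checkRequestLength", "requestLength", len(url) + len(body),
         "VIOL_REQUEST_LENGTH"),
    ]
    return [viol for flag, limit, actual, viol in checks
            if entry.get(flag) and actual > entry[limit]]


def should_check_response(policy, url: str) -> bool:
    """Whether responses for this URL are inspected for signatures; only
    allowed file types carry a meaningful responseCheck."""
    entry = match_file_type(policy, request_file_type(url))
    return bool(entry and entry["allowed"] and entry.get("responseCheck", False))


if __name__ == "__main__":
    for u in ("/index.php", "/setup.exe", "/img/logo.jpeg", "/foo_no_dot"):
        print(u, request_file_type(u), evaluate(DENYLIST_POLICY, u),
              evaluate(ALLOWLIST_POLICY, u))
```

Note that `/foo_no_dot` yields the `no-ext` file type, which the pure wildcard matches; an allowlist policy that wants to admit extension-less URLs therefore needs an explicit `no-ext` entry.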
## general

| Field Name | Type | Description | Allowed Values |
|---|---|---|---|
| | array of integers | You can specify which responses a security policy permits. By default, the system accepts all response codes from 100 to 399 as valid responses. Response codes from 400 to 599 are considered invalid unless added to the Allowed Response Status Codes list. By default, 400, 401, 404, 407, 417, and 503 are on the list as allowed HTTP response status codes. | |
| | array of strings | If you require the system to trust a server further than one hop toward the client (the last proxy traversed), you can use the Custom XFF Headers setting to define a specific header, inserted closer to or at the client, that the system will trust. Additionally, if you require the system to trust a proxy server that uses a different header name than X-Forwarded-For, you can add the desired header name to the Custom XFF Headers setting. When a custom header is added, the X-Forwarded-For header is no longer trusted. If the X-Forwarded-For header is to be trusted along with other headers, you must add it to the custom headers list. | |
| | string | A description of the user-defined regular expression that the security policy uses to recognize dynamic sessions in URLs. | |
| | string | A user-defined regular expression that the security policy uses to recognize dynamic sessions in URLs. | |
| | boolean | This feature is designed to provide an aggregated view of security events in the Configuration utility. When two or more illegal requests are sent to the web application within a short period of time, the system correlates them as a security event. For example, the system aggregates requests into a single event if a single user causes multiple violations over time. When enabled, Event Correlation Reporting logs are collected. | |
| | integer minimum: 0 maximum: 999 | For each security policy, you can configure the number of days used as the enforcement readiness period, also called staging. Security policy entities and attack signatures remain in staging for this period of time before the system suggests that you enforce them. Staging allows you to test security policy entities and attack signatures for false positives without enforcing them. The default value of 7 days works for most situations, so you typically do not need to change it. | |
| | boolean | When enabled, the security policy masks credit card numbers that appear in any part of requests. The system does not mask the information in the actual requests, but rather in various logs: credit card numbers appearing in entity names are masked in the requests of the Requests log; credit card numbers appearing in entity values are masked wherever requests can be viewed (the Requests log, violation details within that log, manual learning, and reports). This setting is enabled by default, and exists in addition to masking parameters defined as containing sensitive information. | |
| | string | A URI path parameter is the part of a path segment that occurs after its name. You can configure how a security policy handles path parameters that are attached to path segments in URIs. You can enforce different levels of security based on your needs: | |
| | string | When enabled, the system activates ASM iRule events. When disabled, the system does not activate ASM iRule events. Enable this option if you have written iRules that process ASM iRule events and assigned them to a specific virtual server. The default setting is disabled. | |
| | boolean | When enabled, the system has confidence in an XFF (X-Forwarded-For) header in the request. When disabled, the system does not have confidence in an XFF header in the request. The default setting is disabled. Select this option if the system is deployed behind an internal or other trusted proxy; the system then uses the IP address that initiated the connection to the proxy instead of the internal proxy’s IP address. Leave this option disabled if you think the HTTP header may be spoofed, or crafted, by a malicious client. With this setting disabled, if the system is deployed behind an internal proxy, the system uses the internal proxy’s IP address instead of the client’s IP address. | |
| | boolean | How the security policy processes URLs that use dynamic sessions. When disabled, the security policy does not enforce dynamic sessions in URLs. When enabled, the system uses a default or user-defined pattern for recognizing dynamic sessions in URLs. | |
graphql-profiles¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
boolean |
||
object |
|||
|
string |
||
|
boolean |
||
|
boolean |
||
array of objects |
|||
|
string |
||
object |
|||
array of objects |
|||
array of objects |
defenseAttributes¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
boolean |
||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
boolean |
metacharOverrides¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
boolean |
||
|
string |
responseEnforcement¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
boolean |
||
|
array of strings |
sensitiveData¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
signatureOverrides¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
boolean |
||
|
string |
||
|
integer |
||
|
string |
gwt-profiles¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
boolean |
||
object |
|||
|
string |
||
|
boolean |
||
array of objects |
|||
|
string |
||
array of objects |
defenseAttributes¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
|
|
|
|
|
|
|
|
boolean |
metacharOverrides¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
boolean |
||
|
string |
signatureOverrides¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
boolean |
||
|
string |
||
|
integer |
||
|
string |
header-settings¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
|
Maximum HTTP Header Length must be greater than 0 and less than 65536 bytes (64K). Note: if 0 or the value any is set, no restriction on the HTTP header length is applied. |
|
headers¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
boolean |
||
|
boolean |
||
|
boolean |
||
|
boolean |
||
|
boolean |
||
|
boolean |
||
|
boolean |
Specifies, when true, that the header’s value will be masked in the request log. |
|
|
string |
Specifies the HTTP header name. The header name length is limited to 254 characters. Names can be one of the following according to the type attribute:
The syntax for wildcard entities is based on shell-style wildcard characters. The list below describes the wildcard characters that you can use so that the entity name can match multiple objects.
Note: Wildcards do not match regular expressions. Do not use a regular expression as a wildcard. |
|
|
boolean |
||
|
boolean |
||
array of objects |
Array of signature overrides. Specifies attack signatures whose security policy settings are overridden for this header, and which action the security policy takes when it discovers a request for this header that matches these attack signatures. |
||
|
string |
Determines the type of the name attribute. Only when setting the type to wildcard will the special wildcard characters in the name be interpreted as such. |
|
|
boolean |
||
|
integer |
Specifies the order index for wildcard header matching. Wildcard headers with lower wildcard order will get checked for a match prior to headers with higher wildcard order. |
signatureOverrides¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
boolean |
Specifies, when true, that the overridden signature is enforced |
|
|
string |
The signature name which, along with the signature tag, identifies the signature. |
|
|
integer |
The signature ID which identifies the signature. |
|
|
string |
The signature tag which, along with the signature name, identifies the signature. |
host-names¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
boolean |
||
|
string |
ip-intelligence¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
boolean |
||
array of objects |
ipIntelligenceCategories¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
boolean |
||
|
boolean |
||
|
string |
|
json-profiles¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
boolean |
||
object |
|||
|
string |
||
|
boolean |
||
|
boolean |
||
|
boolean |
||
array of objects |
|||
|
string |
||
array of objects |
|||
array of objects |
|||
array of objects |
defenseAttributes¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
boolean |
metacharOverrides¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
boolean |
||
|
string |
sensitiveData¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
signatureOverrides¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
boolean |
||
|
string |
||
|
integer |
||
|
string |
validationFiles¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
||
|
boolean |
||
|
|
json-validation-files¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
||
|
string |
||
|
boolean |
login-enforcement¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
array of strings |
||
|
|
|
|
array of objects |
login-pages¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
object |
Access Validation define validation criteria for the login page response. If you define more than one validation criteria, the response must meet all the criteria before the system allows the user to access the application login URL. |
||
|
string |
Authentication Type is the method the web server uses to authenticate the login URL’s credentials with a web user.
|
|
|
string |
The name of the parameter that carries the password string. |
|
object |
URL string used for login page. |
||
|
string |
The name of the parameter that carries the username string. |
accessValidation¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
A defined domain cookie name that the response to the login URL must match to permit user access to the authenticated URL. |
|
|
string |
A header name and value that the response to the login URL must match to permit user access to the authenticated URL. |
|
|
string |
A header name and value that indicates a failed login attempt and prohibits user access to the authenticated URL. |
|
|
string |
A parameter that must exist in the login URL’s HTML body to allow access to the authenticated URL. |
|
|
string |
A string that must appear in the response for the system to allow the user to access the authenticated URL; for example, “Successful Login”. |
|
|
string |
An HTTP response code that the server must return to the user to allow access to the authenticated URL; for example, “200”. |
|
|
array of strings |
An HTTP response code that indicates a failed login attempt and prohibits user access to the authenticated URL. |
|
|
string |
A string that indicates a failed login attempt and prohibits user access to the authenticated URL; for example, “Authentication failed”. |
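The following is an added example, not part of the schema page and not F5 code, that evaluates a login response against accessValidation criteria with the semantics described above: every positive criterion that is defined must hold, and any failure indicator rejects the response. The page does not show the field names of the criteria rows, so the keys used here (cookie_name, header_contains, header_omits, body_parameter, response_contains, response_status, failure_statuses, response_omits) are this example’s own names, and the criteria and responses are constructed.

```python
"""Added example (not from the page, not F5 code): evaluating login-page access validation.

Criterion keys are this example's own names for the accessValidation rows above.
"""
import re

# Constructed criteria for a hypothetical /login page: a 200 with a session cookie is a
# success, while a 401/403 or an "Authentication failed" string in the body is a failure.
CRITERIA = {
    "response_status": "200",
    "cookie_name": "SESSIONID",
    "response_omits": "Authentication failed",
    "failure_statuses": ["401", "403"],
}


def login_succeeded(criteria, status, headers, body):
    """Return True only if the response passes every defined criterion.

    headers is a list of (name, value) tuples so repeated headers such as Set-Cookie survive.
    """
    header_lines = [f"{k}: {v}".lower() for k, v in headers]

    def header_has(needle):
        return any(needle.lower() in line for line in header_lines)

    # Failure indicators veto first: any one of them prohibits access.
    if str(status) in criteria.get("failure_statuses", []):
        return False
    if "response_omits" in criteria and criteria["response_omits"] in body:
        return False
    if "header_omits" in criteria and header_has(criteria["header_omits"]):
        return False

    # Every positive criterion that is defined must be met.
    if "response_status" in criteria and str(status) != str(criteria["response_status"]):
        return False
    if "response_contains" in criteria and criteria["response_contains"] not in body:
        return False
    if "header_contains" in criteria and not header_has(criteria["header_contains"]):
        return False
    if "cookie_name" in criteria:
        cookies = {v.split("=", 1)[0].strip() for k, v in headers if k.lower() == "set-cookie"}
        if criteria["cookie_name"] not in cookies:
            return False
    if "body_parameter" in criteria:
        # The parameter must exist in the HTML body, e.g. as a form field name.
        pattern = r"""name\s*=\s*["']?%s["'\s/>]""" % re.escape(criteria["body_parameter"])
        if not re.search(pattern, body):
            return False
    return True
```

The reason the combination matters: brute force protection counts failed logins, so criteria that are too loose (for example only a 200 status, against an application that answers 200 with an error message) classify failures as successes and blind that protection. Pairing a positive criterion with a failure string or failure status code, as in the constructed criteria, avoids that.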
methods¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
|
|
|
string |
parameters¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
boolean |
Determines whether an empty value is allowed for a parameter. |
|
|
boolean |
Determines whether multiple parameter instances with the same name are allowed in one request. |
|
|
string |
Specifies the type of serialization for an array-of-primitives parameter. Serialization defines how multiple values are delimited, that is, a format that can be transmitted and reconstructed later:
Notes:
|
|
|
boolean |
Determines whether items in an array parameter must be unique. This attribute is relevant only for parameters with array valueType. |
|
|
boolean |
Determines whether attack signatures and threat campaigns must be detected in a parameter’s value. This attribute is relevant only for parameters with alpha-numeric or binary dataType. |
|
|
boolean |
Determines whether an array parameter has a restricted maximum number of items. This attribute is relevant only for parameters with array valueType. |
|
|
boolean |
Determines whether the parameter has a restricted maximum value. This attribute is relevant only for parameters with integer or decimal dataType. |
|
|
boolean |
Determines whether a parameter has a restricted maximum length for value. |
|
|
boolean |
Determines whether disallowed metacharacters must be detected in a parameter’s name. This attribute is relevant only for wildcard parameters with alpha-numeric dataType. |
|
|
boolean |
Determines whether an array parameter has a restricted minimum number of items. This attribute is relevant only for parameters with array valueType. |
|
|
boolean |
Determines whether a parameter has a restricted minimum value. This attribute is relevant only for parameters with integer or decimal dataType. |
|
|
boolean |
Determines whether a parameter has a restricted minimum length for value. |
|
|
boolean |
Determines whether a parameter’s value is a multiple of a number defined in multipleOf. This attribute is relevant only for parameters with integer or decimal dataType. |
|
object |
|||
|
string |
Specifies data type of parameter’s value:
|
|
|
boolean |
Determines whether binary executable content is disallowed in a parameter’s value. This attribute is relevant only for parameters with binary dataType. |
|
|
boolean |
Determines whether the parameter value includes the pattern defined in regularExpression. This attribute is relevant only for parameters with alpha-numeric dataType. |
|
|
boolean |
Determines whether the maximum value defined in maximumValue attribute is exclusive. This attribute is relevant only if checkMaxValue is set to true. |
|
|
boolean |
Determines whether a minimum value defined in minimumValue attribute is exclusive. This attribute is relevant only if checkMinValue is set to true. |
|
|
boolean |
Specifies whether array or object parameters should have separate values for each array item or object property. This attribute is relevant only if objectSerializationStyle is defined.
|
|
|
string |
|
|
|
boolean |
Determines whether a parameter’s value contains a Base64 encoded string. If the value is indeed Base64 encoded, the system decodes this value and continues with its security checks. This attribute is relevant only for parameters with alpha-numeric or binary dataType. |
|
|
boolean |
Determines whether the parameter is located in the value of the Cookie header. The parameterLocation attribute is ignored if isCookie is set to true. |
|
|
boolean |
Determines whether the parameter is carried as one of the request headers. The parameterLocation attribute is ignored if isHeader is set to true. |
|
|
string |
Specifies whether the parameter is associated with a URL, a flow, or neither. |
|
|
boolean |
Determines whether a parameter must exist in the request. |
|
|
integer minimum: 0 |
Determines the restriction for the maximum number of items in an array parameter. This attribute is relevant only if checkMaxItemsInArray is set to true. |
|
|
integer minimum: 0 |
Determines the restriction for the maximum length of parameter’s value. This attribute is relevant only if checkMaxValueLength is set to true. |
|
|
number |
Determines the restriction for the maximum value of parameter. This attribute is relevant only if checkMaxValue is set to true. |
|
|
boolean |
Determines whether disallowed metacharacters must be detected in a parameter’s value. This attribute is relevant only for parameters with alpha-numeric dataType. |
|
|
integer minimum: 0 |
Determines the restriction for the minimum number of items in an array parameter. This attribute is relevant only if checkMinItemsInArray is set to true. |
|
|
integer minimum: 0 |
Determines the restriction for the minimum length of parameter’s value. This attribute is relevant only if checkMinValueLength is set to true. |
|
|
number |
Determines the restriction for the minimum value of a parameter. This attribute is relevant only if checkMinValue is set to true. |
|
|
number |
Determines the number by which a parameter’s value is divisible without remainder. This number must be positive and it may be a floating-point number. This attribute is relevant only if checkMultipleOfValue is set to true. |
|
|
string |
Specifies the name of a parameter which must be permitted in requests. Format of parameter name attribute differs depending on type attribute:
The syntax for wildcard entities is based on shell-style wildcard characters. The list below describes the wildcard characters that you can use so that the entity name can match multiple objects.
|
|
array of objects |
Determines metacharacters whose security policy settings are overridden for this parameter, and which action the security policy takes when it discovers a request for this parameter that has these metacharacters in the name. This attribute is relevant only if checkMetachars is set to true. |
||
|
string |
Specifies the type of serialization for an object or complex array parameter. Serialization defines how multiple values are delimited, that is, a format that can be transmitted and reconstructed later:
Notes:
|
|
|
array of strings |
Determines the set of the parameter’s possible values. This attribute is not relevant for parameters with phone, email or binary dataType. |
|
|
string |
Specifies location of parameter in request:
|
|
|
boolean |
Determines the staging state of a parameter. If you place an entity in staging, the system does not block requests for this entity. Tip: Use staging on wildcard entities to build the security policy without explicit entities of this type, rather than configuring the wildcard entity itself to be enforced with the settings found on it. |
|
|
string |
Determines a positive regular expression (PCRE) for a parameter’s value. This attribute is relevant only if enableRegularExpression is set to true.
|
|
|
boolean |
Determines whether a parameter is sensitive and must not be visible in logs or in the user interface. Instead of the actual value, a string of asterisks is shown for this parameter. Use it to protect sensitive user input, such as a password or a credit card number, in a validated request. |
|
array of objects |
Determines attack signatures whose security policy settings are overridden for this parameter, and which action the security policy takes when it discovers a request for this parameter that matches these attack signatures. This attribute is relevant only if attack signature detection is enabled for the parameter. |
||
|
array of strings |
Determines the set of the parameter’s possible values. This attribute is relevant only for parameters with static-content valueType. |
|
|
string |
Specifies the type of the name attribute. |
|
object |
|||
array of objects |
Determines metacharacters whose security policy settings are overridden for this parameter, and which action the security policy takes when it discovers a request parameter that has these metacharacters in its value. This attribute is relevant only if metacharsOnParameterValueCheck is set to true. |
||
|
string |
Specifies type of parameter’s value:
|
|
|
integer |
Specifies the order in which wildcard entities are tried. A request parameter that has no explicit entity is matched against the defined wildcard parameters in ascending wildcardOrder, and the first wildcard that matches supplies the settings that are enforced. |
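The following is an added example, not part of the schema page and not F5 code, that shows how the entity lookup and the value constraints described in this table fit together: an explicit entity wins, otherwise the matching wildcard with the lowest wildcardOrder is used (the ordering rule also stated for headers above), and the selected entity’s checkX flag decides whether the corresponding limit is applied, with exclusiveMin/exclusiveMax, multipleOf, regularExpression, the static-content value list and the array item counts evaluated as described. Attribute names that appear in the descriptions above are used as-is (checkMaxValue, maximumValue, exclusiveMax, checkMultipleOfValue, multipleOf, enableRegularExpression, regularExpression, checkMaxItemsInArray, wildcardOrder, dataType, valueType and so on); the names maximumLength, minimumLength, maxItemsInArray, minItemsInArray, staticValues, allowEmptyValue, mandatory and arrayUniqueItemsCheck are this example’s assumptions, as is the shell-style wildcard set (*, ?, [...]) and the constructed policy fragment.

```python
"""Added example (not from the page, not F5 code): parameter entity lookup and constraint checks.

Assumed names (not shown by the page): maximumLength, minimumLength, maxItemsInArray,
minItemsInArray, staticValues, allowEmptyValue, mandatory, arrayUniqueItemsCheck.
Assumed wildcard syntax: shell-style '*', '?', '[...]' as implemented by fnmatch.
"""
import fnmatch
import re
from decimal import Decimal, InvalidOperation

# Constructed policy fragment: explicit entities plus two wildcards.
PARAMETERS = [
    {"name": "quantity", "type": "explicit", "dataType": "integer", "mandatory": True,
     "checkMinValue": True, "minimumValue": 1, "exclusiveMin": False,
     "checkMaxValue": True, "maximumValue": 100, "exclusiveMax": True},
    {"name": "price", "type": "explicit", "dataType": "decimal",
     "checkMinValue": True, "minimumValue": 0, "exclusiveMin": True,
     "checkMultipleOfValue": True, "multipleOf": 0.01},
    {"name": "email", "type": "explicit", "dataType": "alpha-numeric",
     "enableRegularExpression": True,
     "regularExpression": r"^[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$",
     "checkMaxValueLength": True, "maximumLength": 64},
    {"name": "sort", "type": "explicit", "valueType": "static-content",
     "staticValues": ["asc", "desc"]},
    {"name": "tags", "type": "explicit", "valueType": "array", "dataType": "alpha-numeric",
     "arrayUniqueItemsCheck": True, "checkMaxItemsInArray": True, "maxItemsInArray": 3},
    # Lower wildcardOrder is tried first, so "id_*" wins over "*" for a name like "id_user".
    {"name": "id_*", "type": "wildcard", "wildcardOrder": 10, "dataType": "integer",
     "checkMinValue": True, "minimumValue": 0, "exclusiveMin": False},
    {"name": "*", "type": "wildcard", "wildcardOrder": 100, "dataType": "alpha-numeric",
     "checkMaxValueLength": True, "maximumLength": 16},
]


def match_parameter(name, params=PARAMETERS):
    """Explicit entity wins; otherwise the matching wildcard with the lowest wildcardOrder."""
    for p in params:
        if p.get("type", "explicit") == "explicit" and p["name"] == name:
            return p
    wildcards = sorted((p for p in params if p.get("type") == "wildcard"),
                       key=lambda p: p["wildcardOrder"])
    for p in wildcards:
        if fnmatch.fnmatchcase(name, p["name"]):
            return p
    return None


def check_value(p, value):
    """Return the list of violated constraints for one value (empty list = compliant)."""
    v = []
    if isinstance(value, list):                        # array valueType: item count, uniqueness, items
        if p.get("checkMaxItemsInArray") and len(value) > p["maxItemsInArray"]:
            v.append("too many items")
        if p.get("checkMinItemsInArray") and len(value) < p["minItemsInArray"]:
            v.append("too few items")
        if p.get("arrayUniqueItemsCheck") and len(set(value)) != len(value):
            v.append("duplicate items")
        for item in value:
            v.extend(check_value(p, item))
        return v
    if value == "":
        return [] if p.get("allowEmptyValue", True) else ["empty value"]
    if p.get("checkMaxValueLength") and len(value) > p["maximumLength"]:
        v.append("value too long")
    if p.get("checkMinValueLength") and len(value) < p["minimumLength"]:
        v.append("value too short")
    if p.get("valueType") == "static-content" and value not in p.get("staticValues", []):
        v.append("value not in static list")
    if p.get("enableRegularExpression") and not re.search(p["regularExpression"], value):
        v.append("regular expression mismatch")
    if p.get("dataType") in ("integer", "decimal"):
        try:
            num = Decimal(value)                       # Decimal avoids float rounding in multipleOf
        except InvalidOperation:
            return v + ["not numeric"]
        if p["dataType"] == "integer" and num != num.to_integral_value():
            v.append("not an integer")
        if p.get("checkMinValue"):
            lo = Decimal(str(p["minimumValue"]))
            if num < lo or (p.get("exclusiveMin") and num == lo):
                v.append("below minimum")
        if p.get("checkMaxValue"):
            hi = Decimal(str(p["maximumValue"]))
            if num > hi or (p.get("exclusiveMax") and num == hi):
                v.append("above maximum")
        if p.get("checkMultipleOfValue") and num % Decimal(str(p["multipleOf"])) != 0:
            v.append("not a multiple of multipleOf")
    return v


def validate(query, params=PARAMETERS):
    """Map each request parameter to its entity and collect violations, keyed by parameter name."""
    result = {}
    for name, value in query.items():
        p = match_parameter(name, params)
        result[name] = ["illegal parameter"] if p is None else check_value(p, value)
    for p in params:
        if p.get("mandatory") and p["name"] not in query:
            result[p["name"]] = ["mandatory parameter missing"]
    return result
```

Two details worth noticing when reading the output: the catch-all "*" wildcard means no parameter is ever reported as illegal while it is present, so its own limits are the only protection for unknown names, and numeric limits are compared as decimals rather than floats so that multipleOf of 0.01 behaves as written.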
contentProfile¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
object |
contentProfile¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
nameMetacharOverrides¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
boolean |
Specifies whether the metacharacter is allowed; when false, the character is prohibited. |
|
|
string |
Specifies the metacharacter, in hexadecimal form, whose policy setting is overridden. |
signatureOverrides¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
boolean |
Specifies, when true, that the overridden signature is enforced |
|
|
string |
The signature name which, along with the signature tag, identifies the signature. |
|
|
integer |
The signature ID which identifies the signature. |
|
|
string |
The signature tag which, along with the signature name, identifies the signature. |
valueMetacharOverrides¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
boolean |
Specifies whether the metacharacter is allowed; when false, the character is prohibited. |
|
|
string |
Specifies the metacharacter, in hexadecimal form, whose policy setting is overridden. |
policy-builder¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
object |
|||
|
boolean |
||
|
boolean |
||
|
boolean |
||
|
boolean |
||
|
number minimum: 0.0001 maximum: 999 |
||
|
boolean |
||
|
boolean |
||
|
boolean |
||
|
string |
|
|
|
array of strings |
||
object |
|||
|
boolean |
||
object |
|||
object |
|||
object |
|||
object |
autoApply¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
boolean |
||
|
boolean |
||
|
boolean |
||
|
boolean |
||
|
boolean |
||
|
boolean |
||
|
boolean |
||
|
boolean |
||
|
boolean |
||
|
string |
||
|
string |
|
|
|
string |
trafficTighten¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
integer minimum: 1 maximum: 100 |
||
|
number minimum: 0 maximum: 999 |
||
|
integer minimum: 1 maximum: 2147483647 |
trustedTrafficLoosen¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
integer minimum: 1 maximum: 2147483647 |
||
|
number minimum: 0.0001 maximum: 999 |
||
|
number minimum: 0 maximum: 9999 |
trustedTrafficSiteChangeTracking¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
integer minimum: 1 maximum: 2147483647 |
||
|
number minimum: 0.0001 maximum: 999 |
||
|
number minimum: 0 maximum: 99999 |
untrustedTrafficLoosen¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
integer minimum: 1 maximum: 2147483647 |
||
|
number minimum: 0.0001 maximum: 999 |
||
|
number minimum: 0 maximum: 9999 |
untrustedTrafficSiteChangeTracking¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
integer minimum: 1 maximum: 2147483647 |
||
|
number minimum: 0.0001 maximum: 999 |
||
|
number minimum: 0 maximum: 99999 |
policy-builder-cookie¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
integer minimum: 2 |
||
|
boolean |
||
|
boolean |
||
|
string |
|
|
|
integer minimum: 1 |
policy-builder-filetype¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
Specifies under which circumstances the Policy Builder adds, or suggests you add, explicit file types to the security policy:
|
|
|
integer minimum: 1 |
Specifies approximately the largest number of file types that the Policy Builder will learn. |
policy-builder-header¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
integer minimum: 1 |
||
|
boolean |
policy-builder-parameter¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
boolean |
When enabled, if the Policy Builder detects legitimate XML or JSON data in parameters configured in the security policy, the Policy Builder adds XML or JSON profiles to the security policy and configures their attributes according to the data it detects. |
|
|
integer minimum: 2 |
Defines how many common explicit parameters the Policy Builder must detect (the number of occurrences) before collapsing them to one wildcard parameter. The minimum number of occurrences allowed is 2. |
|
|
boolean |
When enabled, the system collapses many common parameters into one wildcard parameter. |
|
object |
Defines the conditions under which the Policy Builder adds dynamic parameters to the security policy. To enable this functionality there are several prerequisites:
|
||
|
string |
Specifies under which circumstances the Policy Builder adds, or suggests you add, explicit parameters to the security policy:
|
|
|
integer minimum: 1 |
Specifies approximately the largest number of parameters that Policy Builder will learn |
|
|
string |
Defines how the Policy Builder determines on which level to add, or suggest you add, parameters to the security policy
|
|
|
boolean |
When enabled, the Policy Builder learns integer parameters (parameters with a Data Type of Integer). |
dynamicParameters¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
boolean |
When enabled, the Policy Builder adds to the security policy all HIDDEN form input parameters, seen in responses, as dynamic content value parameters |
|
|
boolean |
When enabled, the Policy Builder adds parameters, found in forms, to the security policy as dynamic content value if a number of unique value sets are seen in responses for that parameter. Use uniqueValueSets to specify how many different value sets must be seen for that parameter in order for the Policy Builder to consider it dynamic content value. A value set is an aggregation of server-supplied value(s) of the parameter as seen in the web form, for example, all the values of a radio button or select boxes taken together are a value set. |
|
|
boolean |
When enabled, the Policy Builder adds parameters, found in links, to the security policy as dynamic content value if a number of unique values are seen in responses for that parameter. Use the uniqueValueSets to specify how many different values must be seen for that parameter in order for the Policy Builder to consider it dynamic content value. |
|
|
integer minimum: 1 |
Specifies how many different values must be seen for that parameter in order for the Policy Builder to consider it dynamic content value |
policy-builder-redirection-protection¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
|
|
|
integer minimum: 1 |
policy-builder-server-technologies¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
boolean |
When enabled, the Policy Builder suggests to add Server Technologies that have not yet been added to the policy. The system learns server technologies from responses regardless of the learnFromResponses flag setting in the policy-builder endpoint. |
policy-builder-sessions-and-logins¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
boolean |
policy-builder-url¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
boolean |
||
|
boolean |
||
|
integer minimum: 1 |
||
|
integer minimum: 1 |
||
|
boolean |
||
|
string |
|
|
|
string |
|
|
|
boolean |
||
|
integer minimum: 1 |
||
|
integer minimum: 1 |
||
|
array of strings |
redirection-protection¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
array of objects |
|||
|
boolean |
redirectionDomains¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
||
|
boolean |
||
|
string |
|
|
|
integer |
request-loggers¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
integer minimum: 0 maximum: 2147483647 |
||
|
integer minimum: 0 maximum: 2147483647 |
||
|
string |
||
array of objects |
|||
array of objects |
|||
|
string |
||
|
string |
|
|
|
boolean |
||
|
integer |
||
|
string |
||
|
string |
||
|
string |
||
|
string |
|
|
|
string |
|
|
object |
|||
|
boolean |
||
|
string |
|
escapingCharacters¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
||
|
string |
filter¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
|
|
|
array of strings |
tls¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
||
|
string |
||
|
string |
response-pages¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
|
|
|
string |
Custom message typed by the user as the response to a blocked AJAX request. |
|
|
boolean |
When enabled, the system injects JavaScript code into responses. You must enable this toggle in order to configure an Application Security Manager AJAX response page which is returned when the system detects an AJAX request that does not comply with the security policy. |
|
|
string |
Default message provided by the system as the response to a blocked AJAX request. The user can edit it, but <%TS.request.ID()%> must be included in this message. |
|
|
string |
The system redirects the user to a specific web page instead of showing a response page. Type the web page’s full URL, for example, http://www.redirectpage.com. To redirect the blocked request to a URL with a support ID in the query string, type the URL and the support ID placeholder in the following format: http://www.example.com/blocking_page.php?support_id=<%TS.request.ID()%>. The system replaces <%TS.request.ID()%> with the relevant support ID so that the blocked request is redirected to the URL with the relevant support ID. |
|
|
|
|
|
|
string |
||
|
string |
|
|
|
string |
The content the system sends to the client in response to an illegal blocked request. |
|
|
string |
The response headers that the system sends to the client as a response to an illegal blocked request. |
|
|
string |
|
|
|
string |
The particular URL to which the system redirects the user. To redirect the blocked request to a URL with a support ID in the query string, type the URL and the support ID placeholder in the following format: http://www.example.com/blocking_page.php?support_id=<%TS.request.ID()%>. The system replaces <%TS.request.ID()%> with the relevant support ID so that the blocked request is redirected to the URL with the relevant support ID. |
sensitive-parameters¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
Name of a parameter whose values the system should consider sensitive. |
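The following is an added example, not part of the schema page and not F5 code, that shows the masking behaviour described for sensitive parameters (here and in the parameters table: asterisks instead of the value) together with the credit card number masking setting described earlier (numbers masked wherever the request is logged, including in entity names). The masking applies only to the log copy; the request itself is forwarded unchanged. The sensitive parameter list, the query-string input, the fixed-length asterisk mask and the use of the Luhn check to decide what counts as a card number are assumptions of this example.

```python
"""Added example (not from the page, not F5 code): masking a request's query string for the log.

Assumed: the sensitive parameter list, the asterisk mask length, and Luhn as the card test.
"""
import re
from urllib.parse import parse_qsl

SENSITIVE_PARAMETERS = {"password", "cvv"}   # constructed sensitive-parameters list (case-insensitive)

# 13 to 19 digits, optionally separated by single spaces or hyphens, not glued to other digits.
_CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum over a string of digits (True for well-formed card numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_card_numbers(text):
    """Replace every Luhn-valid digit run that looks like a card number with asterisks."""
    def repl(m):
        raw = m.group(0)
        if luhn_ok(re.sub(r"[ -]", "", raw)):
            return "*" * len(raw)
        return raw                                # digit run that is not a card number: keep it
    return _CARD_RE.sub(repl, text)


def mask_for_log(query_string, sensitive=SENSITIVE_PARAMETERS):
    """Return the query string as it should appear in the request log."""
    pairs = []
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        if name.lower() in sensitive:
            value = "*" * 8                        # sensitive parameter: value replaced outright
        else:
            value = mask_card_numbers(value)       # other values: mask card numbers only
        pairs.append((mask_card_numbers(name), value))   # card numbers in names are masked too
    return "&".join(f"{n}={v}" for n, v in pairs)
```

Two consequences follow for anyone reading WAF logs: a masked value cannot be recovered from the log, so a blocked request that needs investigation has to be reproduced from the client side, and a digit run that does not pass the checksum (a tracking number, a timestamp) stays visible, which is why the dedicated sensitive parameter list exists for values that are secret but not card-shaped.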
server-technologies¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
Specifies the name of the selected server technology. For example, PHP adds attack signatures that cover known PHP vulnerabilities. |
|
signature-requirements¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
||
|
string |
||
|
string |
signature-sets¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
boolean |
If enabled - when a signature from this signature set is detected in a request - the request is logged. |
|
|
boolean |
If enabled - when a signature from this signature set is detected in a request (and the signature is not in staging and the policy is in blocking mode) - the request is blocked. |
|
|
boolean |
If enabled - when a signature from this signature set is detected in a request - the Policy Builder creates a learning suggestion to disable it. |
|
|
string |
Signature set name. |
|
object |
Defines signature set. |
||
|
string |
signatureSet¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
object |
Specifies filter that defines signature set. |
||
array of objects |
|||
array of objects |
|||
|
string |
|
filter¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
|
|
|
string |
|
|
object |
|||
|
string |
|
|
|
string |
|
|
|
string |
||
|
string |
|
|
|
string |
|
|
|
string |
|
|
|
string |
Filter by signature tagValue.
|
|
|
string |
Value for the tagFilter. Relevant only for the eq value of tagFilter. |
|
|
string |
|
attackType¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
signatures¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
||
|
integer |
||
|
string |
systems¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
signature-settings¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
|
|
|
string |
|
|
|
boolean |
||
|
boolean |
||
|
string |
signatures¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
boolean |
||
|
boolean |
||
|
boolean |
Specifies, if true, that the signature is enabled in the security policy. When false, the signature is disabled in the security policy. |
|
|
string |
|
|
|
boolean |
||
|
boolean |
||
|
string |
The signature name which, along with the signature tag, identifies the signature. |
|
|
boolean |
Specifies, if true, that the signature is in staging. The system does not enforce signatures in staging. Instead, the system records the request information and keeps it for a period of time (the Enforcement Readiness Period whose default time period is 7 days). Specifies, when false, that the staging feature is not in use, and that the system enforces the signatures’ Learn/Alarm/Block settings immediately. (Blocking is performed only if the security policy’s enforcement mode is Blocking.) |
|
|
integer |
The signature ID which identifies the signature. |
|
|
string |
The signature tag which, along with the signature name, identifies the signature. |
ssrf-hosts¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
|
|
|
string |
||
|
integer |
threat-campaign-settings¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
integer minimum: 0 maximum: 999 |
||
|
boolean |
threat-campaigns¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
||
|
boolean |
If enabled - the threat campaign is enforced in the security policy. |
|
|
string |
Name of the threat campaign. |
|
|
boolean |
If enabled - requests with a detected threat campaign are only reported, not blocked. For this feature to work, threatCampaignStaging should be enabled in threat-campaign-settings. After the staging period (threatCampaignEnforcementReadinessPeriod in threat-campaign-settings), the system suggests enforcing the threat campaign (disabling staging). |
urls¶
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
Specifies the conditions under which the browser should allow this URL to be rendered in a frame or iframe. Never: Specifies that this URL must never be rendered in a frame or iframe. The web application instructs browsers to hide, or disable, frame and iframe parts of this URL. Same Origin Only: Specifies that the browser may load the frame or iframe only if the referring page is from the same protocol, port, and domain as this URL. This limits the user to navigating only within the same web application. Only From URL: Specifies that the browser may load the frame or iframe from a specified domain. Type the protocol and domain in URL format, for example, http://www.mywebsite.com. Do not enter a sub-URL, such as http://www.mywebsite.com/index. Browsers implement these choices through the X-Frame-Options values DENY, SAMEORIGIN and ALLOW-FROM; current browsers ignore ALLOW-FROM, so Only From URL does not constrain them and the Content-Security-Policy frame-ancestors directive is the portable way to express an allowed domain. |
|
|
string |
Specifies that the browser may load the frame or iframe from a specified domain. Type the protocol and domain in URL format for example, http://www.mywebsite.com. Do not enter a sub-URL, such as http://www.mywebsite.com/index. |
|
|
boolean |
Specifies, when true, that you want attack signatures and threat campaigns to be detected on this URL and possibly override the security policy settings of an attack signature or threat campaign specifically for this URL. After you enable this setting, the system displays a list of attack signatures and threat campaigns. |
|
array of objects |
|||
|
boolean |
||
|
boolean |
Specifies that the system adds the X-Frame-Options header to the response for this URL. This is done to protect the web application against clickjacking. Clickjacking occurs when an attacker lures a user into clicking illegitimate frames and iframes that the attacker has hidden over legitimate, visible website buttons. Enabling this option therefore prevents other web sites from embedding this URL and hiding malicious content behind it. The default is disabled. After you enable this option, you can select whether, and under what conditions, the browser should allow this URL to be rendered in a frame or iframe. |
|
|
string |
Describes the URL (optional). |
|
|
boolean |
||
array of objects |
|||
object |
The system extracts the Origin (domain) of the request from the Origin header. |
||
|
boolean |
If true, the URL is allowed by the security policy. |
|
|
boolean |
When true, a request body is mandatory for this URL. This is relevant only for methods that act as POST. |
|
array of objects |
Allows or disallows specific meta characters in the name of this specific URL, overriding the global meta character settings. |
||
|
boolean |
Specifies, when true, that you want meta characters to be detected on this URL and possibly override the security policy settings of a meta character specifically for this URL. After you enable this setting, the system displays a list of meta characters. |
|
|
string |
Unique ID of a URL with a protocol type and name. Select a Method for the URL to create an API endpoint: URL + Method. |
|
array of objects |
Specifies a list of methods that are allowed or disallowed for a specific URL. The list overrides the list of methods allowed or disallowed globally at the policy level. |
||
|
boolean |
Specifies, when true, that you want methods to be detected on this URL and possibly override the security policy settings of a method specifically for this URL. After you enable this setting, the system displays a list of methods. |
|
|
string |
Specifies an HTTP URL that the security policy allows. The available types are:
The syntax for wildcard entities is based on shell-style wildcard characters. The list below describes the wildcard characters that you can use so that the entity name can match multiple objects.
Note: Wildcards do not match regular expressions. Do not use a regular expression as a wildcard. |
|
|
string |
The attribute operationId is used as an OpenAPI endpoint identifier. |
|
|
boolean |
If true, any violation associated with this URL is not enforced, and the request is not considered illegal. |
|
array of objects |
When checked (enabled), positional parameters are enabled in the URL. |
||
|
string |
Specifies whether the protocol for the URL is HTTP or HTTPS. |
|
array of objects |
Array of signature overrides. Specifies attack signatures whose security policy settings are overridden for this URL, and which action the security policy takes when it discovers a request for this URL that matches these attack signatures. |
||
|
string |
Determines the type of the name attribute. Only when setting the type to wildcard will the special wildcard characters in the name be interpreted as such. |
|
array of objects |
Specifies how the system recognizes and enforces requests for this URL according to the requests’ header content. The system automatically creates a default header-based content profile for HTTP, and you cannot delete it. However, requests for a URL may contain other types of content, such as JSON, XML, or other proprietary formats. |
||
|
boolean |
Specifies that an asterisk in a wildcard URL matches any number of path segments (separated by slashes); when cleared, specifies that an asterisk matches at most one segment. For example: the wildcard /art/* matches /art/abc/index.html if the wildcard match includes slashes (default value), but does not match it if the check box is cleared. In that case, it matches /art/go.html (only one segment below /art). |
|
|
integer |
Specifies the order index for wildcard URL matching. Wildcard URLs with a lower wildcard order are checked for a match before URLs with a higher wildcard order. |
authorizationRules
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
||
|
string |
dynamicFlows
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
||
|
string |
||
|
string |
html5CrossOriginRequestsEnforcement
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
boolean |
Specifies whether requests from other web applications hosted in different domains may include user credentials. |
|
|
string |
Allows you to specify a list of origins allowed to share data returned by this URL. |
|
|
boolean |
Allows you to specify a list of request headers that other web applications hosted in different domains can use when requesting this URL, or to delete non-simple headers returned in response to requests. |
|
|
boolean |
Allows you to specify a list of methods that other web applications hosted in different domains can use when requesting this URL. |
|
|
boolean |
If false, requests from other web applications hosted in different domains are not allowed to include user credentials. |
|
|
boolean |
Optionally, for Exposed Headers, select Replace with, then specify the headers that JavaScript can expose and share with other applications when requesting this URL from another domain. Exposed headers are the headers the server returns in the response. For example, to discover server side web application technology, type X-Powered-By. |
|
|
boolean |
Optionally, for Maximum Age, select Replace with, then specify the number of seconds that the results of a preflight request can be cached or use the default. |
|
array of objects |
|||
array of objects |
Allows you to specify a list of methods that other web applications hosted in different domains can use when requesting this URL. |
||
array of objects |
Allows you to specify a list of origins allowed to share data returned by this URL. |
||
array of objects |
Exposed headers are the headers the server returns in the response. For example, to discover server side web application technology, type X-Powered-By. |
||
|
string |
Specifies how to handle CORS requests. Disabled: Do nothing related to cross-domain requests; pass CORS requests exactly as set by the server. Remove all CORS headers: Remove all CORS headers from the response. The response is sent to the browser, and the browser does not allow cross-origin requests. Replace CORS headers: Replace the CORS headers in the response with the headers specified on the tab, including allowed origins, allowed methods, allowed headers, and so on; the browser enforces the policy. After Replace with, specify the protocol, origin, and port for the replacement CORS headers. Enforce on the system: Allow cross-origin resource sharing as configured in the Allowed Origins setting. CORS requests are allowed from the domains specified as allowed origins, and the system enforces the policy. Specify the protocol, origin, and port of the allowed origins. |
|
|
integer minimum: 1 maximum: 99999 |
Specifies how long (in seconds) to cache in the browser the results of a preflight request (a special request that the browser sends to your web application to determine if JavaScript from another domain may access your resource). |
crossDomainAllowedHeader
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
Optionally, for Allowed Headers, select Replace with, then type the headers that other applications can use when requesting this URL from another domain. |
crossDomainAllowedMethod
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
Optionally, for Allowed Methods, specify which methods other applications may use when requesting this URL from another domain. |
crossDomainAllowedOrigin
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
boolean |
If true, sub-domains of the allowed origin are also allowed to receive data from your web application. |
|
|
string |
Type the domain name or IP address with which the URL can share data. Wildcards are allowed in the names. For example, *.f5.com matches b.f5.com; however, it does not match a.b.f5.com. |
|
|
|
Select the port that other web applications can use to request data from your web application, or use the * wildcard for all ports. |
|
|
string |
Select the appropriate protocol for the allowed origin. |
|
crossDomainExposedHeader
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
Optionally, for Exposed Headers, select Replace with, then specify the headers that JavaScript can expose and share with other applications when requesting this URL from another domain. |
metacharOverrides
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
boolean |
If true, metacharacters and other characters are allowed in a URL. |
|
|
string |
ASCII representation of the character in hex format. |
methodOverrides
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
boolean |
Specifies that the system allows you to override allowed methods for this URL. When selected, the global policy settings for methods are listed, and you can change what is allowed or disallowed for this URL. |
|
|
string |
Specifies a list of existing HTTP methods. All security policies accept standard HTTP methods by default. |
|
positionalParameters
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
object |
|||
|
integer minimum: 1 |
Select which to add, Text or Parameter, and enter the desired segments. You can add multiple text and parameter segments. |
signatureOverrides
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
boolean |
Specifies, when true, that the overridden signature is enforced. |
|
|
string |
The signature name which, along with the signature tag, identifies the signature. |
|
|
integer |
The signature ID which identifies the signature. |
|
|
string |
The signature tag which, along with the signature name, identifies the signature. |
urlContentProfiles
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
object |
|||
|
string |
Specifies an explicit header name that must appear in requests for this URL. This field is not case-sensitive. |
|
|
|
Displays the order in which the system checks header content of requests for this URL. |
|
|
string |
Specifies a simple pattern string (glob pattern matching) for the header value that must appear in legal requests for this URL; for example, json, xml_method?, or method[0-9]. If the header includes this pattern, the system assumes the request contains the type of data you select in the Request Body Handling setting. This field is case-sensitive. |
|
|
string |
|
|
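The wildcard rules stated in this schema (an asterisk in a wildcard URL crosses path segments only when the includes-slashes option is set; *.f5.com matches b.f5.com but not a.b.f5.com; header-value patterns such as method[0-9] are case-sensitive globs, never regular expressions) can all be served by one wildcard-to-regex translator. The Python below is an added example, not code from the page or from the WAF itself; the key names wildcardOrder and wildcardIncludesSlash, the rule that explicit URLs are matched before wildcards, and the behaviour of ? are assumptions.

```python
import re
from typing import Optional

def wildcard_to_regex(pattern: str, separator: Optional[str], star_crosses: bool) -> str:
    """Translate a shell-style wildcard into an anchored regex.

    '*' matches any run of characters but crosses `separator` only when star_crosses
    is set (the "wildcard match includes slashes" option of URL entities); '?' matches
    one non-separator character (assumption); [..] classes such as [0-9] pass through.
    Everything else is escaped, so regex metacharacters are NOT interpreted.
    """
    sep = None if separator is None else re.escape(separator)
    star = ".*" if sep is None or star_crosses else f"[^{sep}]*"
    single = "." if sep is None else f"[^{sep}]"
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        end = pattern.find("]", i + 1) if ch == "[" else -1
        if ch == "*":
            out.append(star)
        elif ch == "?":
            out.append(single)
        elif end != -1:  # a complete [..] character class
            out.append(pattern[i:end + 1])
            i = end
        else:
            out.append(re.escape(ch))
        i += 1
    return "^" + "".join(out) + "$"

def url_matches(wildcard: str, path: str, wildcard_includes_slash: bool = True) -> bool:
    """Wildcard URL entity vs. request path: '*' crosses '/' only when includes-slash is set."""
    return re.fullmatch(wildcard_to_regex(wildcard, "/", wildcard_includes_slash), path) is not None

def origin_matches(allowed_origin: str, host: str) -> bool:
    """Allowed origin vs. Origin host: '*' never crosses a label boundary ('.')."""
    return re.fullmatch(wildcard_to_regex(allowed_origin, ".", False), host) is not None

def header_value_matches(pattern: str, value: str) -> bool:
    """Content-profile header pattern vs. header value: case-sensitive, no segment notion."""
    return re.fullmatch(wildcard_to_regex(pattern, None, True), value) is not None

def select_url(urls: list, path: str) -> Optional[dict]:
    """Explicit names first (assumption), then wildcards by ascending wildcardOrder (lower first)."""
    for u in urls:
        if u.get("type", "explicit") != "wildcard" and u["name"] == path:
            return u
    wildcards = sorted((u for u in urls if u.get("type") == "wildcard"),
                       key=lambda u: u.get("wildcardOrder", 0))
    for u in wildcards:
        if url_matches(u["name"], path, u.get("wildcardIncludesSlash", True)):
            return u
    return None

# Constructed sample URL entities (key names assumed; not taken from the page).
SAMPLE_URLS = [
    {"name": "/art/go.html", "type": "explicit"},
    {"name": "/art/*", "type": "wildcard", "wildcardOrder": 2, "wildcardIncludesSlash": False},
    {"name": "/*", "type": "wildcard", "wildcardOrder": 3, "wildcardIncludesSlash": True},
]
```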
contentProfile
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
whitelist-ips
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
|
|
|
string |
Specifies a brief description of the IP address. |
|
|
boolean |
When enabled, the system considers this IP address legitimate and does not take it into account when performing brute force prevention. When disabled, the system does not consider traffic from this IP address any safer than traffic from any other IP address, and performs brute force prevention on traffic from it according to the security policy configuration. |
|
|
boolean |
When enabled, the system considers this IP address legitimate even if it is found in the IP Intelligence database (a database of questionable IP addresses). When disabled, the system does not consider traffic from this IP address any safer than traffic from any other IP address; therefore, if the IP Intelligence feature is enabled, the system checks whether this IP address matches any address in the IP Intelligence database. |
|
|
string |
Specifies the IP address that you want the system to trust. |
|
|
string |
Specifies the netmask of the exceptional IP address. This is an optional field. |
|
|
boolean |
When enabled, the system does not generate learning suggestions from traffic sent from this IP address. When disabled, the system generates learning suggestions from traffic sent from this IP address for violations with the Learn flag enabled in the Policy Building Settings. |
|
|
boolean |
When enabled, the system does not log requests or responses sent from this IP address, even if the traffic is illegal and even if the security policy is configured to log all traffic. |
|
|
boolean |
When enabled, the Policy Builder considers traffic from this IP address safe and automatically adds to the security policy the data logged from traffic sent from this address. When disabled, the Policy Builder does not treat traffic from this IP address any differently from traffic from any other IP address. |
xml-profiles
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
boolean |
||
|
boolean |
||
object |
|||
|
string |
||
|
boolean |
||
|
boolean |
||
|
boolean |
||
|
boolean |
||
|
boolean |
||
array of objects |
|||
|
string |
||
array of objects |
|||
array of objects |
|||
array of objects |
|||
|
boolean |
||
array of objects |
|||
|
boolean |
||
object |
defenseAttributes
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
boolean |
||
|
boolean |
||
|
boolean |
||
|
boolean |
||
|
boolean |
||
|
boolean |
||
|
boolean |
metacharOverrides
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
boolean |
||
|
string |
sensitiveData
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
||
|
string |
||
|
string |
signatureOverrides
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
boolean |
||
|
string |
||
|
integer |
||
|
string |
soapMethods
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
||
|
boolean |
||
|
string |
||
|
string |
validationFiles
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
||
|
boolean |
||
|
|
wssConfiguration
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
boolean |
||
|
boolean |
||
|
boolean |
||
|
boolean |
||
array of objects |
|||
|
boolean |
||
array of objects |
|||
|
boolean |
||
|
boolean |
||
|
string |
|
|
|
boolean |
||
|
string |
|
|
|
integer |
||
|
string |
||
array of objects |
|||
|
string |
|
|
array of objects |
|||
|
string |
|
|
|
boolean |
||
|
boolean |
clientCertificates
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
elements
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
|
|
|
string |
|
|
|
string |
namespaceMapping
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
||
|
string |
roles
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
|
|
|
string |
|
xml-validation-files
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
||
|
string |
||
|
boolean |
evasions
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
Human-readable name of sub-violation. |
|
|
boolean |
Defines whether the sub-violation is enforced (alarmed or blocked) according to the blocking settings of the ‘Evasion technique detected’ (VIOL_EVASION) violation. |
|
|
boolean |
Defines whether the sub-violation is learned. Sub-violations are learned only when learning is enabled for the ‘Evasion technique detected’ (VIOL_EVASION) violation. |
|
|
integer minimum: 2 maximum: 5 |
Defines how many times the system decodes URI and parameter values before the request is considered an evasion. Relevant only for the ‘Multiple decoding’ sub-violation. |
http-protocols
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
Human-readable name of the sub-violation. |
|
|
boolean |
Defines whether the sub-violation is enforced (alarmed or blocked) according to the blocking settings of the ‘HTTP protocol compliance failed’ (VIOL_HTTP_PROTOCOL) violation. |
|
|
boolean |
Defines whether the sub-violation is learned. Sub-violations are learned only when learning is enabled for the ‘HTTP protocol compliance failed’ (VIOL_HTTP_PROTOCOL) violation. |
|
|
integer minimum: 1 maximum: 100 |
||
|
integer minimum: 1 maximum: 150 |
Defines the maximum allowed number of headers in a request. Relevant only for the ‘Check maximum number of headers’ sub-violation. |
|
|
integer minimum: 1 maximum: 5000 |
Defines the maximum allowed number of parameters in a request. Relevant only for the ‘Check maximum number of parameters’ sub-violation. |
violations
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
boolean |
||
|
boolean |
||
|
string |
||
|
boolean |
||
|
string |
|
web-services-securities
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
|
|
|
boolean |
||
|
boolean |
mitigations
Field Name |
Reference |
Type |
Description |
Allowed Values |
---|---|---|---|---|
Yes |
array of objects |
|||
Yes |
array of objects |
|||
Yes |
array of objects |
List of classes and their actions. |
||
Yes |
array of objects |
List of signatures and their actions. If a signature is not in the list, its action is taken according to the class it belongs to. |
settings
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
boolean |
If false, the system does not check header names case-sensitively for either of the relevant anomalies: Invalid HTTP Headers and Suspicious HTTP Headers. |
|
|
boolean |
If true, the system detects bots. |
behavioral-dos
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
object |
|||
|
boolean |
||
|
boolean |
||
|
string |
|
badActorDetection
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
boolean |
||
|
boolean |
anomalies
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
|
|
|
string |
||
|
|
|
browsers
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
|
|
|
integer minimum: 0 maximum: 2147483647 |
||
|
integer minimum: 0 maximum: 2147483647 |
||
|
string |
classes
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
The action we set for this class. |
|
|
string |
The class to which the action applies. |
|
signatures
Field Name |
Type |
Description |
Allowed Values |
---|---|---|---|
|
string |
The action we set for this signature. |
|
|
string |
The name of the signature whose action is being changed. |