Reference: File Types

In a security policy, you can manually specify the file types that are allowed or disallowed in traffic to the protected web application.

If you are using Policy Builder, file types are added based on legitimate traffic.

For more information about file type violations and their default template settings, see Reference: Violation Protection.

Allowed file types

You can manually add allowed file types, which are file types that the security policy accepts in traffic to the web application being protected.

When you create a security policy, a pure wildcard file type of *, representing all file types, is added to the file type list. During the enforcement readiness period, the system examines the file types in the traffic and makes learning suggestions; you review them and add the suggested file types to the policy as needed. This way, the security policy includes the file types that are typically used. When you think all the file types are included in the security policy, you can remove the * wildcard from the allowed file types list. Until you remove it, the * entity matches every file type, so only the disallowed file types list actually restricts traffic.

For information about adding file types with wildcard entities, see Wildcard syntax.

Disallowed file types

You can manually specify the file types that are disallowed in traffic to the protected application. The WAF policy checks each request to your application to verify whether its file type is valid or invalid. This prevents forceful browsing to, and disclosure of, sensitive information in operating system files, default installation files, and other files that reside on the server.

The following file types are disallowed by default in your Web Application Firewall (WAF) policy:

  • Server side technologies or source code: php, aspx, ashx, jsp, lua, cgi, do, java, py, pl

  • Certificate files: pem, crt, cer, key, der, p7b, p7c, pfx, p12

  • Backup files: bak, bkp, bck, old, tmp, temp, sav, save

  • Configuration files: ini, conf, reg, cfg, config

  • Data files: dat, eml, log, hta, htr, htw, ida, idc, idq, nws, pol, printer, shtm, shtml, stm, wmz

  • Executable files: exe, msi, bin, cmd, com, bat, dll, sys

Wildcard syntax

The syntax for wildcard entities is based on shell-style wildcard characters. This table lists the wildcard characters that you can use in the names of file types, URLs, parameters, or cookies so that the entity name can match multiple objects.

Wildcard character   Matches
*                    Any sequence of characters (zero or more)
?                    Any single character
[abcde]              Exactly one of the characters listed
[!abcde]             Any single character not listed
[a-e]                Exactly one character in the range
[!a-e]               Any single character not in the range
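The following is an added example, not code from the product or from this reference, that models the two mechanisms described above: the default disallowed file types list and wildcard matching of allowed file type entities. It assumes, as a simplification the page does not state, that the file type is the text after the last dot of the last path segment (query string ignored, compared case-insensitively), that a path segment with no dot has an empty file type, and that a disallowed entry is checked before the allowed list. The host, paths and the ENFORCED_ALLOWED entities are constructed for the example. Python's fnmatchcase implements exactly the six shell-style forms in the table.

```python
import fnmatch
from urllib.parse import urlparse

# Default disallowed file types, copied from the list in this reference.
DISALLOWED_DEFAULTS = frozenset("""
php aspx ashx jsp lua cgi do java py pl
pem crt cer key der p7b p7c pfx p12
bak bkp bck old tmp temp sav save
ini conf reg cfg config
dat eml log hta htr htw ida idc idq nws pol printer shtm shtml stm wmz
exe msi bin cmd com bat dll sys
""".split())


def wildcard_match(file_type, entity):
    """Shell-style wildcard match (* ? [seq] [!seq] [a-e]) as in the table above.
    fnmatchcase implements exactly those six forms; both sides are lower-cased
    (assumption: file types are compared case-insensitively)."""
    return fnmatch.fnmatchcase(file_type.lower(), entity.lower())


def file_type_of(url):
    """Return the file type (extension) of a request URL.

    Modelling assumption, not stated on the page: the type is the text after
    the last '.' in the last path segment, lower-cased. Query string and
    fragment are ignored, and a segment with no '.' yields '' (no extension).
    """
    last_segment = urlparse(url).path.rsplit("/", 1)[-1]
    if "." not in last_segment:
        return ""
    return last_segment.rsplit(".", 1)[-1].lower()


def evaluate(url, allowed, disallowed=DISALLOWED_DEFAULTS):
    """Return (verdict, reason) for one request.

    Assumed order of checks: an explicitly disallowed type is blocked first;
    otherwise the type must match at least one allowed entity, which may use
    the wildcard syntax; anything else is an illegal file type.
    """
    ftype = file_type_of(url)
    shown = ftype or "(no extension)"
    if ftype in disallowed:
        return "block", f"disallowed file type '{ftype}'"
    for entity in allowed:
        if wildcard_match(ftype, entity):
            return "allow", f"file type '{shown}' matches allowed entity '{entity}'"
    return "block", f"file type '{shown}' matches no allowed entity"


# Constructed sample requests (host and paths are made up for this example).
REQUESTS = [
    "https://app.example.test/index.html",            # html
    "https://app.example.test/assets/logo.jpeg?v=2",  # jpeg; query string ignored
    "https://app.example.test/fonts/a.woff2",         # woff2
    "https://app.example.test/api/users",             # no extension
    "https://app.example.test/view?file=x.php",       # no extension: the .php is only in the query
    "https://app.example.test/Admin.PHP",             # php, regardless of case
    "https://app.example.test/backup/site.bak",       # bak: disallowed by default
    "https://app.example.test/web.config",            # config: disallowed by default
    "https://app.example.test/.git/config",           # no extension: 'config' is the whole name
]

# A fresh policy still carries the pure wildcard; an enforced policy lists the
# types learned during enforcement readiness (these entities are examples).
READINESS_ALLOWED = ["*"]
ENFORCED_ALLOWED = ["htm*", "css", "js", "jp*g", "png", "woff?"]


def run(allowed):
    """Map each sample URL to its verdict under the given allowed list."""
    return {url: evaluate(url, allowed)[0] for url in REQUESTS}


if __name__ == "__main__":
    for name, allowed in (("readiness", READINESS_ALLOWED), ("enforced", ENFORCED_ALLOWED)):
        print(f"--- {name}: allowed entities = {allowed}")
        for url in REQUESTS:
            verdict, reason = evaluate(url, allowed)
            print(f"{verdict:5}  {url}  [{reason}]")
```

Two things worth noticing in the output. While * is still in the allowed list, only the three default-disallowed types (php, bak, config) are blocked; once * is removed, the extension-less request to /api/users is also blocked until an entity that covers extension-less URLs is added (this page does not describe how such URLs are classified, so check the product documentation before removing *). And in this model neither /view?file=x.php nor /.git/config is caught by the php and config entries, because file type enforcement looks only at the extension of the path; a disallowed file types list is a coarse control, not a substitute for URL-level restrictions.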