Reference: WAF Policy Templates
WAF policy templates are required for creating a new Web Application Firewall (WAF) security policy. Each template includes default settings that provide protection according to the most common application needs. Review the list below to select a policy template, and fine-tune as needed.
See How To: Manage and Edit a WAF Policy on BIG-IP Next Central Manager for information about how general settings are populated for each template.
See Reference: Violation Protection for more information about policy violations and violation detection.
WAF Policy Templates
Rating-Based Template - Moderate security template intended for applications that need minimal administrative or fine-tuning requirements.
Comprehensive Template - Maximum security template for applications that need high administrative or fine-tuning requirements.
Fundamental Template - High security template for applications that need moderate-to-high administrative or fine-tuning requirements.
Rapid Template - Essential security for applications that need rapid deployment, moderate protection and low administrative requirements.
Note: The following sections provide a general overview of each template.
Rating-Based Template
The Rating-Based template is the default WAF policy template. It blocks (or alarms, depending on your configured settings) traffic that includes a high-risk violation. This provides strong protection against malicious traffic with a lower rate of false positives, without requiring you to modify the policy on a regular basis.
Rating-based protection enforces violations according to the violation rating scale, which is a system-based assessment of the request's risk.
For more information about rating-based protection, see Overview: WAF Rating-Based Protection.
Comprehensive Template
The Comprehensive template is intended to provide maximum security, with all violations, features, and learning turned on. This template is recommended for expert security operations managers.
Fundamental Template
The Fundamental template provides enhanced security during the policy building process as the policy actively blocks violations. This template is recommended for intermediate users and may require more time to fine-tune.
Rapid Template
The Rapid template provides security features that minimize the number of false-positive alarms and reduce the complexity and length of the policy staging period. With the Rapid template, you can quickly create a security policy that meets the majority of web application security requirements.
The system creates a simple security policy that protects against known security problems, such as evasion attacks, data leakage, and buffer overflow attacks. The rapid deployment security policy operates in transparent mode, meaning that it does not block traffic unless you change the enforcement mode and enforce the policy. If the system receives a request that violates the security policy, it logs the violation event but does not block the request. Suggestions for changes to the policy are added to the learning suggestions.
General policy template overview
This table provides a high-level description of the security settings provided by each template. For more information about the violation protection from each template, see Reference: Violation Protection.
General Setting | Rating-Based | Rapid | Fundamental | Comprehensive |
---|---|---|---|---|
Enforcement Mode | Blocking | Transparent | Blocking | Blocking |
Application Language | UTF-8 | UTF-8 | Auto detect | Auto detect |
Bot Defense | Enabled | Enabled | Enabled | Enabled |
Threat Campaigns | Enabled | Enabled | Enabled | Enabled |
IP Intelligence | Enabled | Enabled | Enabled | Enabled |
Log Events | Illegal | Illegal | Illegal | Illegal |
Signature Sets | High accuracy attack signature set | Generic Detection Signatures | Generic Detection Signatures | Generic Detection Signatures |
Enable Signature Staging | True | True | True | True |
Learn Explicit URLs | Never | Never (wildcard only) | Never (wildcard only) | Compact |
Learn Explicit Web Socket URLs | Never | Never (wildcard only) | Never (wildcard only) | Always |
Learn Explicit Web Parameters | Never | Never | Selective | Compact |
Learn Host Names | False | False | True | True |
Learn Explicit Cookies | Never | Never | Selective | Selective |
Learn Explicit File Types | Never | Never | Compact | Compact |
Policy Building Learning Mode | N/A | Manual | Automatic | Automatic |
Cookie settings template defaults
Cookie Setting | Rating-Based | Rapid | Fundamental | Comprehensive |
---|---|---|---|---|
Cookie not RFC-compliant | Alarm & Block | Alarm & Block | Alarm & Block | Alarm & Block |
Modified WAF cookie | Alarm & Block | Alarm & Block | Alarm & Block | Alarm & Block |
Modified domain cookie(s) | Alarm | Disabled | Disabled | Disabled |
Expired timestamp | Disabled | Disabled | Disabled | Disabled |
Illegal cookie length | Alarm | Disabled | Disabled | Disabled |