Manage File Types
Overview
In a security policy, you can manually specify the file types that are allowed or disallowed in traffic to the protected web application.
Allowed file types
You can manually add allowed file types, which are file types that the security policy accepts in traffic to the web application being protected.
When you create a security policy, a pure wildcard file type of *, representing all file types, is added to the file type list. During the enforcement readiness period, the system examines the file types seen in traffic and makes learning suggestions; you can review these suggestions and add the file types to the policy as needed. This way, the security policy includes the file types that are typically used. When you are confident that all legitimate file types are included in the security policy, you can remove the * wildcard from the allowed file types list.
For information about adding file types with wildcard entities, see Wildcard syntax.
Disallowed file types
You can manually specify the file types that are disallowed in traffic to the protected application. The WAF policy checks requests to your application to verify whether a file type is valid or invalid. This prevents forceful browsing and access to sensitive information found on operating system files, default installation files, and other files that reside on the server and contain sensitive information.
The following file types are disallowed by default in your policy:
Server side technologies or source code: php, aspx, ashx, jsp, lua, cgi, do, java, py, pl
Certificate files: pem, crt, cer, key, der, p7b, p7c, pfx, p12
Backup files: bak, bkp, bck, old, tmp, temp, sav, save
Configuration files: ini, conf, reg, cfg, config
Data files: dat, eml, log, hta, htr, htw, ida, idc, idq, nws, pol, printer, shtm, shtml, stm, wmz
Executable files: exe, msi, bin, cmd, com, bat, dll, sys
Wildcard syntax
The syntax for wildcard entities is based on shell-style wildcard characters. This table lists the wildcard characters that you can use in the names of file types, URLs, parameters, or cookies so that the entity name can match multiple objects.
| Wildcard Character | Matches |
|---|---|
| * | All characters |
| ? | Any single character |
| [abcde] | Exactly one of the characters listed |
| [!abcde] | Any character not listed |
| [a-e] | Exactly one character in the range |
| [!a-e] | Any character not in the range |
Prerequisites
Verify any attached application services to ensure proper security after changes are deployed.
You need to have a user role of Security Manager or Administrator to manage a WAF policy.
How to manage policy file types
Manage disallowed file types
Create, delete, or edit the disallowed file types in the policy.
Click the workspace icon next to the F5 icon, and click Security.
From the left menu click Policies under WAF.
Select the name of the policy.
A panel for the General Settings opens.
From the panel menu, click File Types.
The panel displays a list of disallowed file types defined in the policy.
To create a Disallowed File Type:
Click Create.
In the File Type (Explicit only) field, type the file type that the security policy does not allow (for example, jpg or exe).
Note: File types are case-sensitive unless you cleared Security Policy is case sensitive when you created the policy.
Click Save.
To edit the protection settings of all disallowed file types:
Click Settings.
Select one of the following protection settings:
Alarm - Sends an alert to the event log that the illegal file type was detected in traffic to protected applications.
Alarm & Block - Sends an alert to the event log and blocks traffic that includes the illegal file type.
Disabled - Traffic that includes the file type is not specified as illegal.
Click Deploy to deploy changes.
To remove a file type from the Disallowed File Types list:
Select the check box next to one or more file types.
Click Delete.
Click Delete to confirm.
Any changes to your policy are saved, but not yet deployed. Ensure you deploy your changes when you are done.
Manage allowed file types
Create, delete, or edit the allowed file types in the policy.
Click the workspace icon next to the F5 icon, and click Security.
From the left menu click Policies under WAF.
Select the name of the policy.
A panel for the General Settings opens.
From the panel menu, click File Types.
The panel displays a list of disallowed file types defined in the policy.
Select the Allowed File Types tab.
The panel displays a list of allowed file types defined in the policy. The pure wildcard (*) file type is added by default to all policies.
To create an Allowed File Type:
Click Create.
Enter a file type Name.
Select a Type:
Explicit - Specifies a unique file type, such as JPG or HTML.
Wildcard - Specifies that the file type is a wildcard expression. Any file type that matches the wildcard expression is considered legal. The pure wildcard (*) is automatically added to the security policy so you do not need to add it, but you can add other wildcards such as htm*. Note: See Wildcard syntax.
No Extension - Specifies that the web application has a URL with no file type. The system automatically assigns this file type the name no_ext. The slash character (/) is an example of a no_ext file type.
Toggle Staging to enable staging on the new file type.
For the length settings, you can select Length and adjust the values as needed:
The default setting is Any. Adding length settings is optional. To manage allowed file type length violations, see Manage file type length violations.
URL Length - The maximum acceptable length, in bytes, for a URL in the context of an HTTP request containing this file type. The default is 100 bytes.
Request Length - The maximum acceptable length, in bytes, for the whole HTTP request that applies to this file type. The default is 5000 bytes.
Query String Length - The maximum acceptable length, in bytes, for the query string portion of a URL that contains the file type. The default is 1000 bytes.
POST Data Length - The maximum acceptable length, in bytes, for the POST data of an HTTP request that contains the file type. The default is 1000 bytes.
If you want the system to validate responses for this file type, select Enforce. By default, this option is set to Ignore.
Note: Enforcing this option enables attack signatures (that are designed to inspect server responses) to filter responses.
Click Save.
To edit the settings on one or more allowed file types:
Select the file type name.
Change your file type settings and click Save.
To stage or enforce a file type from the Allowed File Types list:
Select the check box next to one or more file types. Check the Status column in the Allowed File Types list.
Click Stage or Enforce.
Confirm the selection. The status is immediately updated in the policy, but is not yet deployed.
To remove a file type from the Allowed File Types list:
Select the check box next to one or more file types.
Click Delete.
Click Delete to confirm.
Any changes to your policy are saved, but not yet deployed. Ensure you deploy your changes when you are done.
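The following Python model is added here and is not part of the F5 documentation or product; it reproduces the file type checks this page describes (shell-style wildcard entities from the Wildcard syntax table, the explicit and no_ext types, the policy's case-sensitivity setting, and the four default length limits) so you can reason about which requests a given allowed/disallowed list would flag. The evaluation order (disallowed list first, then allowed list, then the length limits of the matching allowed entity) and the approximation of whole-request length as request-target plus body are assumptions, not documented behaviour.

```python
import fnmatch
from urllib.parse import urlsplit

# Default limits quoted on the page, in bytes: URL 100, whole request 5000,
# query string 1000, POST data 1000. "Any" (no limit) is modelled as None.
DEFAULT_LENGTHS = {"url": 100, "request": 5000, "query": 1000, "post": 1000}

def file_type_of(path):
    """Extension of the last path segment, or 'no_ext' (e.g. '/' or '/api/users')."""
    segment = path.rsplit("/", 1)[-1]
    ext = segment.rsplit(".", 1)[-1] if "." in segment else ""
    return ext or "no_ext"

def allowed_entry_matches(entry, file_type, case_sensitive):
    """entry = (name, kind); kind is 'explicit', 'wildcard' or 'no_ext' as in the UI."""
    name, kind = entry
    if kind == "no_ext":
        return file_type == "no_ext"
    if not case_sensitive:
        name, file_type = name.lower(), file_type.lower()
    if kind == "wildcard":  # shell-style: * ? [abc] [!abc] [a-e] [!a-e]
        return fnmatch.fnmatchcase(file_type, name)
    return file_type == name  # explicit

def check_request(target, body, policy, case_sensitive=True):
    """Violations a request (request-target string, body bytes) raises under
    policy = {"disallowed": [...], "allowed": [(name, kind), ...],
              "lengths": {allowed_name: {url, request, query, post}}}.
    Order is an assumption: disallowed list, allowed list, then lengths."""
    parts = urlsplit(target)
    ftype = file_type_of(parts.path)
    fold = (lambda s: s) if case_sensitive else str.lower
    if fold(ftype) in {fold(d) for d in policy["disallowed"]}:
        return ["Illegal file type"]
    match = next((e for e in policy["allowed"]
                  if allowed_entry_matches(e, ftype, case_sensitive)), None)
    if match is None:
        return ["Illegal file type"]
    limits = policy.get("lengths", {}).get(match[0], DEFAULT_LENGTHS)
    # Whole-request length approximated as request-target + body (no headers).
    measured = {"url": len(parts.path.encode()), "query": len(parts.query.encode()),
                "post": len(body), "request": len(target.encode()) + len(body)}
    labels = {"url": "Illegal URL length", "request": "Illegal request length",
              "query": "Illegal query string length", "post": "Illegal POST data length"}
    return [labels[k] for k in ("url", "request", "query", "post")
            if limits.get(k) is not None and measured[k] > limits[k]]
```

Removing the pure wildcard entry from the allowed list in this model makes every file type not explicitly listed an illegal file type, which is exactly the effect the Overview describes for a policy that has finished learning.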
Manage file type length violations
Change the settings of file type length violations set in Manage allowed file types.
Click the workspace icon next to the F5 icon, and click Security.
From the left menu click Policies under WAF.
Select the name of the policy.
A panel for the General Settings opens.
From the panel menu, click File Types.
The panel displays a list of disallowed file types defined in the policy.
For general disallowed file type violations, click Violations.
Select a file type violation setting:
Alarm - Sends an alert to the event log that the length violation was detected in traffic to protected applications.
Alarm & Block - Sends an alert to the event log and blocks traffic that includes the length violation.
Disabled - The policy does not enforce the file type restriction.
Select the Allowed File Types tab.
The panel displays a list of allowed file types defined in the policy. The pure wildcard (*) file type is added by default to all policies.
Click Violations to display the Allowed File Type Violations panel.
Select a file type violation setting:
Alarm - Sends an alert to the event log that the length violation was detected in traffic to protected applications.
Alarm & Block - Sends an alert to the event log and blocks traffic that includes the length violation.
Disabled - The policy does not enforce the file type restriction.
Click Save.
Resources
Configure using API
Violation Settings
File type management using the policy Editor
Edit the WAF policy JSON declaration directly through the WAF policy editor.