Manage URLs
Overview
In a security policy, you can manually specify the HTTP URLs that are allowed in traffic to the protected application. When you first create a security policy, wildcard URLs of * (representing all HTTP URLs) are added to the allowed URLs list. After all possible URLs are included in the security policy, you can remove the * wildcards from the allowed URLs lists.
Wildcard syntax
If you are adding URLs to your policy, the syntax for wildcard entities is based on shell-style wildcard characters. This table lists the wildcard characters that you can use in the names of URLs, file types, parameters, or cookies so that the entity name can match multiple objects.
Wildcard Character | Matches |
---|---|
* | All characters |
? | Any single character |
[abcde] | Exactly one of the characters listed |
[!abcde] | Any character not listed |
[a-e] | Exactly one character in the range |
[!a-e] | Any character not in the range |
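The check below is an added example, not F5 code: before removing the pure `*` wildcard, it lists observed request paths that no other allowed-URL entry matches. It uses Python's `fnmatch`, which implements the same shell-style characters as the table; the WAF's own matcher may differ in details, and the allowed list and observed paths are constructed sample data.

```python
from fnmatch import fnmatchcase

PURE_WILDCARD = "*"


def matching_entries(path, allowed):
    """Return the allowed-URL entries (explicit or wildcard) that match path."""
    return [entry for entry in allowed if fnmatchcase(path, entry)]


def uncovered_without_pure_wildcard(paths, allowed):
    """Return the paths that only the pure wildcard '*' currently covers."""
    specific = [entry for entry in allowed if entry != PURE_WILDCARD]
    return sorted({p for p in paths if not matching_entries(p, specific)})


# Constructed allowed-URL list: one explicit URL plus wildcard entries that
# exercise each character from the table above.
ALLOWED = [
    "*",               # pure wildcard added when the policy is created
    "/index.html",     # explicit URL
    "/api/v[1-2]/*",   # [a-e] style range: v1 or v2 only
    "/img/*.png",      # * matches any run of characters
    "/report_?.pdf",   # ? matches exactly one character
    "/static/[!.]*",   # [!...] rejects names that start with a dot
]

# Constructed request paths, standing in for paths taken from traffic logs.
OBSERVED = [
    "/index.html",
    "/api/v1/users",
    "/api/v3/users",
    "/img/logo.png",
    "/report_7.pdf",
    "/report_10.pdf",
    "/static/app.js",
    "/static/.env",
]

if __name__ == "__main__":
    for path in uncovered_without_pure_wildcard(OBSERVED, ALLOWED):
        print("only matched by '*':", path)
```

Any path this prints would stop matching an allowed URL once `*` is removed, so either add an entry for it or confirm it should not be allowed.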
Prerequisites
Verify any attached application services to ensure proper security after changes are deployed.
You need to have a user role of Security Manager or Administrator to manage a WAF policy.
How to manage policy URLs
Add allowed URLs - Add an allowed URL to your policy.
Modify allowed URLs - Change settings for an allowed URL.
Modify a URL enforcement status - Manually change the URL status to enforced or staging.
Delete a URL - Remove an allowed URL from the policy list.
Modify URL violation settings - Modify how your policy handles known URL violations.
Add allowed URLs
Click the workspace icon next to the F5 icon, and click Security.
From the left menu click Policies under WAF.
Select the name of the policy.
A panel for the General Settings opens.
From the panel menu, click URLs.
The panel displays the policy’s allowed URLs.
Click Create.
The Allowed URL Properties panel opens.
If you want the policy to restrict allowed URLs by disallowing file upload and requiring a message body, enable Advanced View at the top right of the panel.
Enter a URL.
Select the URL Type:
Explicit (Default) - The policy identifies the URL by its specific name.
Wildcard - The policy identifies the URL by regular expression.
Note: The pure wildcard (*) is automatically added to the policy so you do not need to add it. You can add more specific wildcards such as *site.com. See Wildcard syntax for more information.
Choose the URL’s HTTP request method from the Select Method list.
Add an optional Description to the URL.
Enable Staging if you want the security policy to evaluate traffic before allowing traffic.
(Advanced View enabled) Enable Disallow File Upload of Executables if you want the policy to disallow file upload of executable code from an allowed URL.
Because most web applications do not legitimately allow users to upload executable code, you can disallow a URL containing binary executable content.
(Advanced View enabled) Enable Body is Mandatory if you want the policy to allow the URL only if the request contains a body.
Click Save. The changes are saved to the policy, but are not yet deployed to the BIG-IP Next instance.
Click Deploy to deploy changes.
Modify allowed URLs
You can change the enforcement properties of an existing allowed URL. The URL name, type, and method cannot be modified.
Click the workspace icon next to the F5 icon, and click Security.
From the left menu click Policies under WAF.
Select the name of the policy.
A panel for the General Settings opens.
From the panel menu, click URLs.
The panel displays the policy’s allowed URLs.
Click the URL name.
The Allowed URL Properties panel opens.
Make the required changes to the URL properties. See steps in Add allowed URLs for more information about each property.
Click Save. The changes are saved to the policy, but are not yet deployed to the BIG-IP Next instance.
Click Deploy to deploy changes.
Modify a URL enforcement status
Manually change an allowed URL’s status to enforced or staging. A staging status can help the policy learn from traffic before allowing listed URLs. Once enforced, the policy will manage traffic with an allowed URL according to your policy’s settings.
Click the workspace icon next to the F5 icon, and click Security.
From the left menu click Policies under WAF.
Select the name of the policy.
A panel for the General Settings opens.
From the panel menu, click URLs.
The panel displays the policy’s allowed URLs.
Click the check box next to the URL row.
Click Stage to stage the allowed URL, and click Stage again to confirm the action.
Click Enforce to enforce the allowed URL, and click Enforce again to confirm the action.
The URL’s status is immediately updated, but policy changes are not yet deployed. You can click Deploy to deploy changes to the BIG-IP Next instances.
Delete a URL
Click the workspace icon next to the F5 icon, and click Security.
From the left menu click Policies under WAF.
Select the name of the policy.
A panel for the General Settings opens.
From the panel menu, click URLs.
The panel displays the policy’s allowed URLs.
Click the check box next to the URL row.
Click Delete to remove the allowed URL from the policy, and click Delete again to confirm the action.
The URL’s status is immediately updated, but policy changes are not yet deployed. You can click Deploy to deploy changes to the BIG-IP Next instances.
Modify URL violation settings
You can specify how the WAF policy handles traffic with known illegal URLs.
Click the workspace icon next to the F5 icon, and click Security.
From the left menu click Policies under WAF.
Select the name of the policy.
A panel for the General Settings opens.
From the panel menu, click URLs.
The panel displays the policy’s allowed URLs.
Click Violations.
The Allowed URLs Violations panel opens.
Modify the policy violation settings:
Check violation defaults per template.
Alarm - Sends an alert to the event log that the URL violation was detected in traffic to protected applications.
Alarm & Block - Sends an alert to the event log and blocks traffic that includes the URL violation.
Disabled - The policy does not enforce URL violations.
Click Save. The changes are saved to the policy, but are not yet deployed to the BIG-IP Next instance.
Click Deploy to deploy changes.
Resources
Configure using API
Violation Settings
URL management using the policy Editor
Edit the WAF policy JSON declaration directly through the WAF policy editor.