security anti-fraud profile(1) BIG-IP TMSH Manual security anti-fraud profile(1)
NAME
profile - Configures a Fraud Protection Service profile.
MODULE
security anti-fraud
SYNTAX
Configure the profile component within the security anti-fraud module using the syntax shown in the following sections.
CREATE/MODIFY
create profile [name]
modify profile [name]
options:
alert-client-side-caching [enabled | disabled]
alert-identifier [string]
alert-path [string]
alert-pool [[name] | none]
alert-publisher [[name] | none]
alert-token-header [string]
app-layer-encryption {
fail-open [enabled | disabled]
}
app-service [[string] | none]
auto-transactions {
bot-score [integer]
click-score [integer]
integrity-fail-score [integer]
min-mouse-move-count [integer]
min-mouse-over-count [integer]
min-report-score [integer]
min-time-to-request [integer]
not-human-score [integer]
strong-integrity {
hide-encrypted-parameters [enabled | disabled]
parameter [string]
}
tampered-cookie-score [integer]
time-fail-score [integer]
}
before-load-function [[string] | none]
blocking-page {
response-body [[string] | none]
response-headers [string]
}
[case-sensitive | case-insensitive]
cloud-service-pool [[name] | none]
config-location [string]
cookies {
application [none | add | delete | replace-all-with] { [string] ... }
base-domain {
apply [enabled | disabled]
exceptions [none | add | delete | replace-all-with] { [string] ... }
}
client-side [string]
client-side-lifetime [[integer] | session]
components-state [string]
components-state-lifetime [[integer] | session]
components-state-removal-protection [enabled | disabled]
encryption-disabled [string]
encryption-disabled-lifetime [[integer] | session]
encryption-disabled-removal-protection [enabled | disabled]
fingerprint [string]
fingerprint-lifetime [[integer] | session]
fingerprint-removal-protection [enabled | disabled]
html-field-obfuscation [string]
html-field-obfuscation-lifetime [[integer] | session]
malware-forensic [string]
malware-forensic-lifetime [[integer] | session]
malware-guid [string]
malware-guid-lifetime [[integer] | session]
malware-guid-removal-protection [enabled | disabled]
rules [string]
rules-lifetime [[integer] | session]
rules-removal-protection [enabled | disabled]
secure-alert [string]
secure-alert-lifetime [[integer] | session]
secure-alert-removal-protection [enabled | disabled]
secure-channel [string]
secure-channel-lifetime [[integer] | session]
secure-channel-removal-protection [enabled | disabled]
secure-mode [auto | disabled | enabled]
transaction-data [string]
transaction-data-lifetime [[integer] | session]
user-inspection [string]
user-name [string]
user-name-lifetime [[integer] | session]
user-name-removal-protection [enabled | disabled]
}
debug {
console-log {
client-ips [none | add | delete | replace-all-with] { [string] ... }
user-agents [none | add | delete | replace-all-with] { [string] ... }
fingerprints [none | add | delete | replace-all-with] { [string] ... }
}
send-alert {
client-ips [none | add | delete | replace-all-with] { [string] ... }
user-agents [none | add | delete | replace-all-with] { [string] ... }
fingerprints [none | add | delete | replace-all-with] { [string] ... }
}
}
defaults-from [[name] | none]
description [[string] | none]
dummy-alert-html-maximum-length [integer]
encryption-staging-mode [enabled | disabled]
fingerprint {
collect [enabled | disabled]
location [string]
}
forensic {
alert-path [string]
client-domains [none | add | delete | replace-all-with] { [string] ... }
cloud-config-path [string]
cloud-forensics-mode [integer]
cloud-remediation-mode [integer]
continue-element [[string] | none]
exe-location [string]
html [[string] | none]
self-post-location [string]
skip-element [[string] | none]
skip-path [string]
}
geolocation [enabled | disabled]
inject-main-javascript {
[after | before]
tag [string]
}
javascript-grace-threshold [integer]
javascript-location [string]
javascript-removal-location [string]
local-syslog-publisher [[name] | none]
malware {
allowed-domains [none | add | delete | replace-all-with] { [string] ... }
bait-check-generic [enabled | disabled]
bait-location [string]
blacklist-words [none | add | delete | replace-all-with] { [string] ... }
detected-malware [none | add | delete | modify | replace-all-with] {
name [string] {
baits [none | add | delete | modify | replace-all-with] {
name [string] {
data-before [string]
data-inject [string]
trigger-url {
name [string]
position [ alone | any | last ]
}
}
}
blacklist-functions [none | add | delete | replace-all-with] { [string] ... }
blacklist-js-words [none | add | delete | replace-all-with] { [string] ... }
blacklist-urls [none | add | delete | replace-all-with] { [string] ... }
blacklist-words [none | add | delete | replace-all-with] { [string] ... }
browser-cache {
blacklist-urls [none | add | delete | modify | replace-all-with] { [string] ... }
whitelist-urls [none | add | delete | modify | replace-all-with] { [string] ... }
}
domain-availability {
blacklist-urls [none | add | delete | modify | replace-all-with] { [string] ... }
whitelist-urls [none | add | delete | modify | replace-all-with] { [string] ... }
}
dom-signatures [none | add | delete | modify | replace-all-with] {
name [string] {
attribute-name [[string] | none]
hash-id [string]
html-tag [[string] | none]
match-type [ contains | is ]
search-for [string]
search-in [ all | attribute | html | js-global-variable | text ]
}
}
generic-whitelist-words [none | add | delete | replace-all-with] { [string] ... }
}
}
domain-availability-urls [[string] | none]
external-sources-targets [none | add | delete | replace-all-with] { [string] ... }
flash-cookie-content [[string] | none]
flash-cookie-location [string]
flash-cookies [enabled | disabled]
generic-whitelist-words [none | add | delete | replace-all-with] { [string] ... }
inline-scripts-whitelist-signatures [none | add | delete | replace-all-with] { [string] ... }
removed-scripts {
blacklist-functions [none | add | delete | replace-all-with] { [string] ... }
whitelist-functions [none | add | delete | replace-all-with] { [string] ... }
}
same-domain-scripts-validation-header [string]
self-bait-header [string]
source-integrity-location [string]
web-rootkit {
blacklist-functions [none | add | delete | replace-all-with] { [string] ... }
whitelist-functions [none | add | delete | replace-all-with] { [string] ... }
}
}
mobilesafe {
alert-custom-config [[string] | none]
alert-threshold [integer]
app-integrity {
custom-config [[string] | none]
[enabled | disabled]
android {
score [integer]
signature [[string] | none]
}
ios {
hashes [none | add | delete | modify | replace-all-with] {
value [string] {
version [[string] | none]
}
}
score [integer]
}
}
general-custom-config [[string] | none]
malware {
android {
custom-malware [none | add | delete | modify | replace-all-with] {
name [string] {
package [string]
score [integer]
}
}
custom-whitelist [none | add | delete | modify | replace-all-with] {
name [string] {
package [string]
}
}
}
check-custom [enabled | disabled]
check-generic [enabled | disabled]
custom-config [[string] | none]
[enabled | disabled]
ios {
custom-malware [none | add | delete | modify | replace-all-with] {
name [string] {
path [string]
score [integer]
}
}
custom-whitelist [none | add | delete | modify | replace-all-with] {
name [string] {
path [string]
}
}
}
behaviour-analysis {
run [enabled | disabled]
score [integer]
}
}
mitm {
certificate-custom-config [[string] | none]
dns-custom-config [[string] | none]
domains [none | add | delete | modify | replace-all-with] {
name [string] {
dns {
ip-ranges [none | add | delete | replace-all-with] {address | address-address ... }
spoofing-score [integer]
}
certificate {
forging-score [integer]
hash [string]
}
}
}
[enabled | disabled]
}
os-security {
android {
untrusted-apps-score [integer]
versions [none | add | delete | modify | replace-all-with] {
priority [integer] {
from [string]
score [integer]
to [string]
}
}
}
custom-config [[string] | none]
[enabled | disabled]
ios {
versions [none | add | delete | modify | replace-all-with] {
priority [integer] {
from [string]
score [integer]
to [string]
}
}
}
}
rooting-jailbreak {
custom-config [[string] | none]
[enabled | disabled]
jailbreak-score [integer]
rooting-score [integer]
}
}
phishing {
alert-path [string]
allowed-elements [none | add | delete | replace-all-with] { [string] ...}
allowed-referrers [none | add | delete | replace-all-with] { [string] ...}
application-css [enabled | disabled]
application-css-locations [none | add | delete | replace-all-with] { [string] ...}
css-attribute-name [string]
css-location [string]
expiration-checks [enabled | disabled]
image-location [string]
inject-css-element {
[after | before]
tag [string]
}
inject-css-link {
[after | before]
tag [string]
}
inject-inline-javascript {
[after | before]
tag [string]
}
protected-elements [none | add | delete | replace-all-with] { [string] ...}
referrer-checks [enabled | disabled]
}
referrer-info-header [string]
risk-engine-path [string]
risk-engine-publisher [[name] | none]
rules [none | add | delete | modify | replace-all-with] {
event [auto-transaction | client-network-connection | client-side-missing-components | encryption-failure |
generic-malware | mandatory-words | phishing | phishing-user | rat-detection | referrer-checks |
server-side-missing-components | source-integrity | web-injection] {
action [block-user | forensic | inspection | redirect | remediation | route | web-service]
duration [integer]
enforce-policy [enforce | time-limited | unlimited]
min-score [integer]
publisher [[name] | none]
payload [[string] | none]
pool [[name] | none]
url [[string] | none]
}
}
suggested-username-header [string]
trigger-irule [enabled | disabled]
urls [none | add | delete | modify | replace-all-with] {
name [string] {
app-layer-encryption {
add-decoy-inputs [enabled | disabled]
auto-complete-block [enabled | disabled]
auto-complete-whitelist-functions [none | add | delete | replace-all-with] { [string] ...}
custom-encryption-function [[string] | none]
[enabled | disabled]
fake-strokes [enabled | disabled]
full-ajax-encryption [enabled | disabled]
hide-password-revealer [enabled | disabled]
html-field-obfuscation [enabled | disabled]
real-time-encryption [enabled | disabled]
remove-element-ids [enabled | disabled]
remove-event-listeners [enabled | disabled]
stolen-creds [enabled | disabled]
substitute-value-function [[string] | none]
}
auto-transactions {
attach-ajax-payload-to-alerts [enabled | disabled]
bot-score [integer]
browser [enabled | disabled]
click-score [integer]
[enabled | disabled]
full-ajax-integrity [enabled | disabled]
integrity-fail-score [integer]
integrity-fail-max-score [integer]
min-mouse-move-count [integer]
min-mouse-over-count [integer]
min-report-score [integer]
min-time-to-request [integer]
non-browser [enabled | disabled]
not-human-score [integer]
strong-integrity [enabled | disabled]
strong-integrity-user-functions [none | add | delete | replace-all-with] { [string] ...}
submit-buttons [none | add | delete | replace-all-with] { [string] ...}
tampered-cookie-score [integer]
time-fail-score [integer]
}
before-load-function [[string] | none]
custom-alerts [none | add | delete | modify | replace-all-with] {
name [string] {
attach-request-part [enabled | disabled]
component [auto-transactions | malware | mobilesafe | phishing]
header-name [[string] | none]
malware-name [[string] | none]
message [[string] | none]
search-in [client-ip | header | payload | query-string]
value [[string] | none]
}
}
description [string]
destination-urls [none | add | delete | replace-all-with] { [string] ...}
fallback-to-base-url [enabled | disabled]
include-query-string [enabled | disabled]
inject-javascript [enabled | disabled]
inject-javascript-removal {
[after | before]
tag [string]
}
inject-main-javascript {
[after | before]
tag [string]
}
login-response {
status-code [[integer] | none]
domain-cookie [[string] | none]
exclude-string [[string] | none]
header [[string] | none]
include-string [[string] | none]
validation [enabled | disabled]
}
malware {
attach-html-to-alerts [enabled | disabled]
auto-learn-form-tags [enabled | disabled]
auto-learn-input-tags [enabled | disabled]
auto-learn-script-tags [enabled | disabled]
blocked-enter-key-detection [enabled | disabled]
deferred-execution [enabled | disabled]
domain-availability [enabled | disabled]
enable-symbols [enabled | disabled]
[enabled | disabled]
external-injection [enabled | disabled]
generic-malware [enabled | disabled]
manual-count-form-tags [integer]
manual-count-input-tags [integer]
manual-count-script-tags [integer]
password-exfiltration-detection [enabled | disabled]
rat-detection [enabled | disabled]
removed-scripts-detection [enabled | disabled]
same-domain-scripts-validation [enabled | disabled]
self-bait [enabled | disabled]
source-integrity [enabled | disabled]
vbklip-detection [enabled | disabled]
visibility-check [enabled | disabled]
visibility-check-items [none | add | delete | replace-all-with] { [string] ...}
web-rootkit-detection [enabled | disabled]
whitelist-dom-signatures [none | add | delete | replace-all-with] { [string] ...}
whitelist-words [none | add | delete | replace-all-with] { [string] ...}
}
mobilesafe-encryption [enabled | disabled]
parameters [none | add | delete | modify | replace-all-with] {
name [string] {
ajax-mapping [string]
attach-to-vtoken-report [enabled | disabled]
check-integrity [enabled | disabled]
encrypt [enabled | disabled]
identify-as-username [enabled | disabled]
method [GET | POST]
mobilesafe-encrypt [enabled | disabled]
mobilesafe-entangle [enabled | disabled]
obfuscate [enabled | disabled]
priority [integer]
protect-by-selector [enabled | disabled]
search-in [payload | query-string | any]
substitute-value [enabled | disabled]
type [explicit | wildcard]
}
}
phishing {
capture-users [enabled | disabled]
copy-detection [enabled | disabled]
css-protection [enabled | disabled]
[enabled | disabled]
field-types-to-send [none | add | delete | replace-all-with] { [string] ...}
inject-css-element {
[after | before]
tag [string]
}
inject-css-link {
[after | before]
tag [string]
}
inject-inline-javascript {
[after | before]
tag [string]
}
}
priority [integer]
type [explicit | wildcard]
}
}
users [add | delete | modify] {
name [string] {
modes [add | delete] {
mode [block | forensic | inspection | remediation] {
duration [integer]
enforce-policy [enforce | time-limited | unlimited]
first-login-time [date]
}
}
}
}
whitelist-custom-alerts [none | add | delete | replace-all-with] { [string] ...}
edit profile [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
DISPLAY
list profile
list profile [ [ [name] | [glob] | [regex] ] ... ]
show running-config profile
show running-config profile [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
one-line
partition
recursive
DELETE
delete profile [name]
DESCRIPTION
You can use the profile component to create, modify, display, or delete an Anti-Fraud profile.
Note: The users property may be specified only for the commands modify, edit, and list and only when no other properties
are specified. By default, users are not displayed.
Note: The first-login-time property of user modes may be specified only for the list command.
EXAMPLES
create profile my_antifraud_profile
Creates a custom Anti-Fraud profile named my_antifraud_profile with default parameters.
list profile
Displays the properties of all Anti-Fraud profiles.
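An added example, not part of the F5 manual: a Python check that parses a tmsh-style brace listing of an Anti-Fraud profile and reports the cookies, app-layer-encryption, encryption-staging-mode and debug values that OPTIONS describes as reducing protection. The sample listing is constructed, the function names are this example's own, and treating each value as a finding is an assumption of the example rather than an F5 recommendation.

```python
"""Flag anti-fraud profile settings that reduce protection, from a tmsh-style listing."""
import re

# Constructed sample in the brace layout of a tmsh listing; not output from a real device.
SAMPLE = """\
security anti-fraud profile my_antifraud_profile {
    app-layer-encryption {
        fail-open enabled
    }
    cookies {
        rules-removal-protection disabled
        secure-alert-removal-protection enabled
        secure-mode disabled
    }
    debug {
        console-log {
            client-ips { 192.0.2.10 }
        }
        send-alert {
            client-ips none
        }
    }
    encryption-staging-mode enabled
}
"""

# Quoted strings stay whole so braces inside response-body HTML do not open blocks.
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|\n|[{}]|[^\s{}]+', re.S)
PREFIX = "security anti-fraud profile "


def parse(text):
    """Parse 'key value' lines and 'key { ... }' blocks into nested dicts."""
    tokens = TOKEN.findall(text)
    pos = 0

    def block():
        nonlocal pos
        node, words = {}, []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == "{":
                node[" ".join(words)] = block()
                words = []
            elif tok in ("\n", "}"):
                if words:  # end of a 'key value' line or of an inline list item
                    node[words[0]] = " ".join(words[1:])
                    words = []
                if tok == "}":
                    return node
            else:
                words.append(tok)
        if words:
            node[words[0]] = " ".join(words[1:])
        return node

    return block()


def section(node, key):
    """Return a nested block, or {} when it is absent or set to a scalar such as 'none'."""
    value = node.get(key, {})
    return value if isinstance(value, dict) else {}


def audit(profile):
    """Return (setting, reason) pairs; which values count as findings is this example's choice."""
    findings = []
    cookies = section(profile, "cookies")
    if cookies.get("secure-mode") == "disabled":
        findings.append(("cookies secure-mode", "FPS cookies are issued without the 'Secure' flag"))
    for key in sorted(cookies):
        if key.endswith("-removal-protection") and cookies[key] == "disabled":
            findings.append((f"cookies {key}", "removal of this cookie is not detected"))
    if section(profile, "app-layer-encryption").get("fail-open") == "enabled":
        findings.append(("app-layer-encryption fail-open",
                         "an encryption error disables encryption in consecutive requests"))
    if profile.get("encryption-staging-mode") == "enabled":
        findings.append(("encryption-staging-mode",
                         "a decryption mismatch only raises an alert; original data is used"))
    debug = section(profile, "debug")
    for target in sorted(debug):
        for name, value in sorted(section(debug, target).items()):
            if value not in ("none", "", {}):
                findings.append((f"debug {target} {name}", "debug filter is populated"))
    return findings


def audit_listing(text):
    """Map each profile name in the listing to its findings."""
    return {key[len(PREFIX):]: audit(body)
            for key, body in parse(text).items()
            if key.startswith(PREFIX) and isinstance(body, dict)}


if __name__ == "__main__":
    for name, findings in audit_listing(SAMPLE).items():
        for setting, reason in findings:
            print(f"{name}: {setting}: {reason}")
```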
OPTIONS
alert-client-side-caching
Specifies whether or not to cache the sent alerts in order to prevent multiple alerts from being sent to the
dashboard.
alert-identifier
Specifies the ID of the customer in the dashboard.
alert-path
Specifies the BIG-IP URL path where the alert is sent. This path cannot be none and must start with '/'.
alert-pool
Specifies the name of the pool used when the system sends alerts.
alert-publisher
Specifies the name of the log publisher used for sending alerts originating from the BIG-IP. If only DPS is licensed,
this publisher is used for reporting encryption failures.
alert-token-header
Specifies the name of the custom HTTP header in alerts for exchanging a random token between the client side and the
BIG-IP.
app-layer-encryption
Specifies how the system performs Application layer encryption. With Application layer encryption, the system detects
an attempt to steal and tamper with end-user passwords (or other protected information), and also prevents it by
encrypting the protected information. You can configure the following options for Application layer encryption:
fail-open
Specifies, when enabled, that upon encryption error the system disables encryption in consecutive requests in the
current session.
app-service
Specifies the name of the application service to which the profile belongs. The default value is none. Note: If the
strict-updates option is enabled on the application service that owns the object, you cannot modify or delete the
profile. Only the application service can modify or delete the profile.
auto-transactions
Specifies how the system differentiates between human and automatic (bot) transactions. You can configure the
following options for automatic transactions:
bot-score
Deprecated since v13.0.0. Please use bot-score in auto-transactions under urls instead. Specifies the score added
to an alert that is triggered if the system determines that the client is a bot and not a human. The default is a
score of 50.
click-score
Deprecated since v13.0.0. Please use click-score in auto-transactions under urls instead. Specifies the score
added to an alert that is triggered if the min-mouse-over-count and min-mouse-move-count conditions are not met.
The default is a score of 40.
integrity-fail-score
Deprecated since v13.0.0. Please use integrity-fail-score in auto-transactions under urls instead. Specifies the
score added to an alert that is triggered if the system detects a difference between the actual parameter value
and the expected value of a protected parameter sent after a user clicks a web form's Submit button. The default
is a score of 40.
min-mouse-move-count
Deprecated since v13.0.0. Please use min-mouse-move-count in auto-transactions under urls instead. Specifies the
minimum number of mouse movements necessary per page load in order for the system to consider the transaction to
be of human origin. The default is 5 movements.
min-mouse-over-count
Deprecated since v13.0.0. Please use min-mouse-over-count in auto-transactions under urls instead. Specifies the
minimum number of times the client's mouse is positioned over the Submit button in a web form in order for the
system to consider the transaction to be of human origin. The default is 2 button interactions.
min-report-score
Deprecated since v13.0.0. Please use min-report-score in auto-transactions under urls instead. Specifies the
lowest score necessary for the system to send an alert. The default value is 50.
min-time-to-request
Deprecated since v13.0.0. Please use min-time-to-request in auto-transactions under urls instead. Specifies the
minimum amount of time (in seconds) permitted between when a web form is opened and the Submit button is clicked.
The default is 2 seconds.
not-human-score
Deprecated since v13.0.0. Please use not-human-score in auto-transactions under urls instead. Specifies the score
added to an alert that is triggered if the system only suspects that the client is a bot and not a human. The
default is a score of 25.
strong-integrity
Specifies how the system performs strong integrity. You can configure the following options for strong integrity:
hide-encrypted-parameters
Deprecated since v14.1.0. Please use attach-to-vtoken-report under parameters instead. Specifies, when
enabled, that JavaScript does not add the expected value of encrypted parameters to the strong integrity
parameter.
parameter
Deprecated since v14.1.0. Specifies the name of the HTTP parameter in POST requests added by JavaScript with
the expected user-input data verified with physical input events.
tampered-cookie-score
Deprecated since v13.0.0. Please use tampered-cookie-score in auto-transactions under urls instead. Specifies the
score added to an alert that is triggered if the system detects that the transaction-data cookie was tampered
with. The default is a score of 50.
time-fail-score
Deprecated since v13.0.0. Please use time-fail-score in auto-transactions under urls instead. Specifies the score
added to an alert that is triggered if the min-time-to-request condition is not met. The default is a score of
20.
before-load-function
Specifies the implementation of an additional function to be run before the JavaScript loads, in the following format:
function(configs){...}. Note: For certain advanced configurations, F5 support may provide relevant code to be entered
here. Do not use this option on your own.
blocking-page
Specifies information to display when the profile blocks a user account. You can configure the following options for
blocking page:
response-body
Specifies the HTML code the system sends to the user whose account is blocked.
response-headers
Specifies the set of response headers that the system sends to the user whose account is blocked. Separate each
header with a new line (Ctrl-V followed by Ctrl-J).
[case-sensitive | case-insensitive]
Specifies whether the profile treats protected URL paths as case sensitive or not. The default value is
case-insensitive. Note: When you create a profile, you can use either property; thereafter it becomes read only. If the
profile is case insensitive, the system stores protected URL paths in lowercase in the profile configuration.
cloud-service-pool
Specifies the name of the pool used by the system for various internal purposes, such as signing the Forensics tool.
config-location
Specifies the BIG-IP URL directory where the configuration for the injected JavaScript is located. The path here does
not include the actual filename of the configuration for the injected JavaScript. This path cannot be none and must
start with '/'.
cookies
Specifies names and lifetimes for the cookies that the system uses to optimize its detection of malware, data
transactions, and phishing attacks on the web application. If you do not assign a name to a cookie, a random name is
assigned. You can configure the following cookies:
application
Adds, deletes, or replaces a set of application cookies that will be removed if at least one of the protected
cookies is missing.
base-domain
Specifies base domain settings for the cookies. You can configure the following options for base domain:
apply
Specifies, when enabled, that the system applies the cookies to the base domain.
exceptions
Adds, deletes, or replaces a set of exceptional base domains that take precedence when the system resolves
the base domain from a host header.
client-side
Specifies the name of the cookie in which the system inserts plain text with a record about client side alerts
already sent. This is done in order to prevent flooding the system with additional alerts if the page reloads.
client-side-lifetime
Specifies whether the client-side cookie is persistent, and if so, after how many minutes it expires.
components-state
Specifies the name of the cookie that verifies that the system's expected JavaScript can run successfully, and
whether the system successfully decrypted configuration data arriving from server.
components-state-lifetime
Specifies whether the components-state cookie is persistent, and if so, after how many minutes it expires.
components-state-removal-protection
Enables or disables removal detection for the secure-alert cookie.
encryption-disabled
Specifies the name of the cookie that the system adds if the system fails to decrypt a password (to restore the
original password as the user typed it), and the system forwards a request to the server and waits for a login
failure response. In this case, the cookie does not encrypt the password on the next login attempt. This is used
in situations where Application layer encryption is not possible (for example, if the user is using an old
browser that cannot encrypt passwords).
encryption-disabled-lifetime
Specifies whether the encryption-disabled cookie is persistent, and if so, after how many minutes it expires.
encryption-disabled-removal-protection
Enables or disables removal detection for the encryption-disabled cookie.
fingerprint
Specifies the name of the cookie that contains fingerprint data.
fingerprint-lifetime
Specifies whether the fingerprint cookie is persistent, and if so, after how many minutes it expires.
fingerprint-removal-protection
Enables or disables removal detection for the fingerprint cookie.
html-field-obfuscation
Specifies the name of the cookie that the system sets to identify the fields that were created by HTML field
obfuscation, in order to remove them from the request before sending it back to the web application, and to know
which field names to decrypt.
html-field-obfuscation-lifetime
Specifies whether the html-field-obfuscation cookie is persistent, and if so, after how many minutes it expires.
malware-forensic
Specifies the name of the cookie that stores the essential response header values from the web application to be
sent to the user after they finish or skip downloading and running the Forensics tool on their host.
malware-forensic-lifetime
Specifies whether the malware-forensic cookie is persistent, and if so, after how many minutes it expires.
malware-guid
Specifies the name of the cookie set by JavaScript to a random string (12 chars long, not encrypted). The system
sends this cookie value in a special alert to the dashboard in order to associate it with the logged in user.
malware-guid-lifetime
Specifies whether the malware-guid cookie is persistent, and if so, after how many minutes it expires.
malware-guid-removal-protection
Enables or disables removal detection for the malware-guid cookie.
rules
Specifies the name of the cookie that the system sets in order to perform the actions block-user, forensic,
inspection, remediation, or redirect.
rules-lifetime
Specifies whether the rules cookie is persistent, and if so, after how many minutes it expires.
rules-removal-protection
Enables or disables removal detection for the rules cookie.
secure-alert
Specifies the name of the cookie that secures arrival of alerts originating from JavaScript to the dashboard.
secure-alert-lifetime
Specifies whether the secure-alert cookie is persistent, and if so, after how many minutes it expires.
secure-alert-removal-protection
Enables or disables removal detection for the secure-alert cookie.
secure-channel
Specifies the name of the cookie that the system sets when the system provides JavaScript with a public key for
encryption operations. This cookie is used for the system to correlate incoming encrypted data with the private
key when a request comes from the client.
secure-channel-lifetime
Specifies whether the secure-channel cookie is persistent, and if so, after how many minutes it expires.
secure-channel-removal-protection
Enables or disables removal detection for the secure-channel cookie.
secure-mode
Specifies the status of secure mode, which determines whether the 'Secure' flag is set on all FPS cookies.
auto
Specifies that secure mode for FPS cookies is set automatically depending on the connection type: enabled
for HTTPS (SSL) connections and disabled for HTTP connections. This is the default value.
disabled
Specifies that secure mode for FPS cookies is disabled and FPS cookies do not have the 'Secure' flag.
enabled
Specifies that secure mode for FPS cookies is enabled and all FPS cookies have the 'Secure' flag.
transaction-data
Specifies the name of the cookie that contains information (such as mouse movement, clicks, and events) in
encrypted format and sends that information to the system.
transaction-data-lifetime
Specifies whether the transaction-data cookie is persistent, and if so, after how many minutes it expires.
user-inspection
Specifies the name of the cookie that is set once a user is identified in a web form submitted by the client and
this user is enforced in inspection mode.
user-name
Specifies the name of the cookie with the username value after a username is identified in a request. This
ensures that further transactions from the client are still associated with that user even if they do not include
the username field.
user-name-lifetime
Specifies whether the user-name cookie is persistent, and if so, after how many minutes it expires.
user-name-removal-protection
Enables or disables removal detection for the user-name cookie.
debug
Specifies troubleshooting settings to add and filter debug logs of the system. Note: Only F5 support should configure
this section. Do not use it on your own. F5 support can configure the following debug options:
console-log
Specifies when the system adds prints to the browser console. TMM logs are also enabled in such cases. F5 support
can configure the following options for console log:
client-ips
Adds, deletes, or replaces a set of client IP addresses for which the system adds prints to browser console.
user-agents
Adds, deletes, or replaces a set of strings contained in user-agent header for which the system adds prints
to browser console.
fingerprints
Adds, deletes, or replaces a set of strings contained in fingerprint data for which the system adds prints
to browser console.
send-alert
Specifies when the system sends debug alerts to the dashboard. TMM logs are also enabled in such cases. F5
support can configure the following options for sending alerts:
client-ips
Adds, deletes, or replaces a set of client IP addresses for which the system sends debug alerts to the
dashboard.
user-agents
Adds, deletes, or replaces a set of strings contained in user-agent header for which the system sends debug
alerts to the dashboard.
fingerprints
Adds, deletes, or replaces a set of strings contained in fingerprint data for which the system sends debug
alerts to the dashboard.
defaults-from
Specifies the profile that you want to use as the parent profile. Your new profile inherits all settings and values
from the parent profile specified.
description
User defined description.
dummy-alert-html-maximum-length
Specifies the maximum length of HTML attached to dummy alert.
encryption-staging-mode
Specifies, when enabled, that the system activates Anti-fraud encryption staging mode. If decrypted data differs from
original data, an alert will be sent and original data will be used.
fingerprint
Specifies how the system collects fingerprint data. You can configure the following fingerprint options:
collect
Specifies, when enabled, that the system collects fingerprint data.
location
Specifies the BIG-IP URL location of the fingerprint JavaScript. This path cannot be none and must start with
'/'.
forensic
Specifies how the system enforces scanning client host for malware (Forensics) and its removal (remediation). You can
configure the following options for Forensics and remediation:
alert-path
Specifies the BIG-IP URL path for alerts from Forensics tool. This path cannot be none and must start with '/'.
client-domains
Adds, deletes, or replaces a set of client domains to be resolved by Forensics tool.
cloud-config-path
Specifies the BIG-IP URL path for requests from Forensics tool to cloud-service-pool. This path cannot be none
and must start with '/'.
cloud-forensics-mode
Specifies the numeric value sent to cloud-service-pool to download Forensics tool.
cloud-remediation-mode
Specifies the numeric value sent to cloud-service-pool to download Forensics tool in remediation mode.
continue-element
Specifies the HTML element with continue option that replaces %SKIP_PART% in the entire html, when enforce-policy
is enforce. Note: This property may be modified only when the DB variable antifraud.forensic.showgui has value
enable.
exe-location
Specifies the BIG-IP URL path to download Forensics tool that also replaces %EXE_LOCATION% in the entire html.
This path cannot be none and must start with '/'.
html Specifies the HTML code the system sends to the user after successful login with option to download Forensics
tool. Note: This property may be modified only when the DB variable antifraud.forensic.showgui has value enable.
self-post-location
Specifies the BIG-IP URL path for self POST page opened by Forensics tool during scanning. This path cannot be
none and must start with '/'.
skip-element
Specifies the HTML element with skip option that replaces %SKIP_PART% in the entire html, when enforce-policy is
not enforce. Note: This property may be modified only when the DB variable antifraud.forensic.showgui has value
enable.
skip-path
Specifies the BIG-IP URL path for skip / continue option that also replaces %SKIP_PATH% in both continue-element
and skip-element (before their replacement in the entire html). This path cannot be none and must start with '/'.
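The substitution order described for continue-element, exe-location, skip-element and skip-path, modelled as an added Python example (not F5 code; the function names and option values are constructed). It follows the documented order literally, so a %SKIP_PATH% written directly into html is reported as unresolved.

```python
import re

# Constructed sample values; none of these strings come from a real profile.
SAMPLE_FORENSIC = {
    "html": '<p><a href="%EXE_LOCATION%">Download the scanner</a> %SKIP_PART%</p>',
    "continue-element": '<a href="%SKIP_PATH%">Continue</a>',
    "skip-element": '<a href="%SKIP_PATH%">Skip</a>',
    "skip-path": "/forensic/skip",
    "exe-location": "/forensic/tool.exe",
}

# Matches the placeholder style used by the forensic options (%NAME%).
PLACEHOLDER = re.compile(r"%[A-Z_]+%")


def check_path(option, value):
    """Apply the documented rule: the path cannot be none and must start with '/'."""
    if value in (None, "", "none") or not value.startswith("/"):
        raise ValueError(f"{option} cannot be none and must start with '/': {value!r}")
    return value


def render_forensic_html(forensic, enforce_policy):
    """Return the html option after the three documented substitutions."""
    skip_path = check_path("skip-path", forensic["skip-path"])
    exe_location = check_path("exe-location", forensic["exe-location"])

    # 1. %SKIP_PATH% is replaced in both elements before they enter the html.
    continue_element = forensic["continue-element"].replace("%SKIP_PATH%", skip_path)
    skip_element = forensic["skip-element"].replace("%SKIP_PATH%", skip_path)

    # 2. %SKIP_PART% becomes continue-element when enforce-policy is enforce,
    #    and skip-element for any other policy (time-limited, unlimited).
    chosen = continue_element if enforce_policy == "enforce" else skip_element
    html = forensic["html"].replace("%SKIP_PART%", chosen)

    # 3. %EXE_LOCATION% is replaced in the entire html.
    return html.replace("%EXE_LOCATION%", exe_location)


def unresolved_placeholders(rendered):
    """List placeholders still present after rendering (a template mistake)."""
    return sorted(set(PLACEHOLDER.findall(rendered)))


if __name__ == "__main__":
    for policy in ("enforce", "time-limited"):
        page = render_forensic_html(SAMPLE_FORENSIC, policy)
        print(policy, "->", page, unresolved_placeholders(page))
```
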
geolocation
Specifies, when enabled, that the client collects geolocation data which will be sent as part of the alert data.
glob Displays the items that match the glob expression. See help glob for a description of glob expression syntax.
inject-main-javascript
Deprecated since v12.1.3 (excluding v13.0.0). Please use same configuration in a specific URL instead. Specifies where
the system injects the main JavaScript. You can configure the following options for main JavaScript injection
position:
[after | before]
Deprecated since v12.1.3 (excluding v13.0.0). Please use same configuration in a specific URL instead. Specifies
whether the system injects the main JavaScript after an opening tag or before a closing tag.
tag Deprecated since v12.1.3 (excluding v13.0.0). Please use same configuration in a specific URL instead. Specifies
the HTML tag for injection of the main JavaScript. This tag cannot be none.
javascript-grace-threshold
Specifies the maximum amount of time (in seconds) permitted between when a protected web page is loaded and its
injected JavaScript activates.
javascript-location
Specifies the BIG-IP URL directory where the injected JavaScript is located. The path here does not include the actual
filename of the injected JavaScript. This path cannot be none and must start with '/'.
javascript-removal-location
Specifies the BIG-IP URL location of the JavaScript removal detection location. This path cannot be none and must
start with '/'.
local-syslog-publisher
DPS mode only. Specifies the name of the log publisher used for reporting encryption failures.
malware
Specifies how the system detects a malware attack on the web application. You can configure the following options for
Malware protection:
allowed-domains
Adds, deletes, or replaces a set of whitelisted domains. The system does not send alerts on requests for URLs
from these domains, even if the system detects malware injection on these domains.
bait-check-generic
Specifies, when enabled, that the system checks predefined baits. Note: The configured baits are checked anyway.
bait-location
Specifies the BIG-IP URL location of a file that acts as bait for attackers. This path cannot be none and must
start with '/'.
blacklist-words
Deprecated since v13.0.0. Please use blacklist-js-words and blacklist-words in detected-malware instead. Adds,
deletes, or replaces a set of words that are blacklisted if they appear in the web application's HTML or
JavaScript code. If the system detects these words, the system generates a malware alert.
detected-malware
Adds, deletes, or replaces a set of malware detected by the system. You can configure the following options for
each malware:
baits
Adds, deletes, or replaces a set of baits for this malware. You can configure the following options for each
bait:
data-before
Specifies the HTML code that the malware searches for and after which it injects data-inject.
data-inject
Specifies the malicious code that the malware injects after data-before.
trigger-url
Specifies trigger URL settings for this bait. You can configure the following options for trigger URL:
name Specifies the URL pattern that triggers the malware to inject malicious code.
position
Specifies the position of this URL pattern in the query string of a bait request.
alone
Specifies that this trigger URL must be alone in the query string of a bait request.
any Specifies that this trigger URL can be anywhere in the query string of a bait request.
This is the default value.
last Specifies that this trigger URL must be last in the query string of a bait request.
blacklist-functions
Adds, deletes, or replaces a set of regular expression patterns to detect functions that this malware can
use when executing AJAX requests.
blacklist-js-words
Adds, deletes, or replaces a set of words that are blacklisted if they appear in the JavaScript code. If the
system detects these words, the system generates a malware alert.
blacklist-urls
Adds, deletes, or replaces a set of regular expression patterns to detect URLs that this malware can use for
AJAX requests and external scripts.
blacklist-words
Adds, deletes, or replaces a set of words that are blacklisted if they appear in the web application's HTML
code. If the system detects these words, the system generates a malware alert.
browser-cache
Specifies how the system checks the client network connection as a targeted method. You can configure the
following options for Browser cache:
blacklist-urls
Adds, deletes, or replaces a set of resources that are loaded by the malware.
whitelist-urls
Adds, deletes, or replaces a set of non-existent resources.
domain-availability
Specifies how the system checks the client network connection as a generic method. You can configure the following
options for Domain availability:
blacklist-urls
Adds, deletes, or replaces a set of URLs that are not blocked by the malware.
whitelist-urls
Adds, deletes, or replaces a set of URLs that are blocked by the malware.
dom-signatures
Adds, deletes, or replaces a set of DOM signatures for this malware. You can configure the following options
for each DOM signature:
attribute-name
Specifies the name of the attribute in which the pattern should be searched for. Used only if search-in
is attribute.
hash-id
Specifies unique ID that identifies this DOM signature in profile.
html-tag
Specifies the name of the HTML tag in which the pattern should be searched for.
match-type
Specifies the type of DOM signature pattern matching.
contains
Specifies that this DOM signature pattern should be matched as partial match (not applicable when
search-in is js-global-variable).
is Specifies that this DOM signature pattern should be matched as exact match.
search-for
Specifies the DOM signature pattern to search for.
search-in
Specifies search location for DOM signature.
all Specifies that this DOM signature should be searched in all locations.
attribute
Specifies that this DOM signature pattern should be searched only in an attribute with name
attribute-name.
html Specifies that this DOM signature pattern should be searched only in HTML.
js-global-variable
Specifies that this DOM signature pattern should be searched only in JavaScript global variables
(match-type contains not applicable in such case).
text Specifies that this DOM signature pattern should be searched only in text.
generic-whitelist-words
Deprecated since v15.0.0. Please use whitelist-dom-signatures in urls instead. Adds, deletes, or replaces a
set of generic blacklisted words that are ignored.
domain-availability-urls
Deprecated since v13.0.0. Please use blacklist-urls and whitelist-urls in domain-availability under
detected-malware instead. Specifies a JSON object containing URLs for which client network connectivity should be checked.
external-sources-targets
Adds, deletes, or replaces a set of HTML element types and their attributes for which external injections should
be checked.
flash-cookie-content
Specifies the flash file (in hexadecimal format) used to allow JavaScript to access the Flash object on the
client side. The default content is none. The length is limited to 64k.
flash-cookie-location
Specifies the BIG-IP URL location of the SWF file that JavaScript requests to get the Flash file. This path
cannot be none and must start with '/'.
flash-cookies
Specifies, when enabled, that the system may use a Flash shared object (FSO) as a place to store an alternative
malware cookie. This cookie tells the system, after a login attempt, that this user has malware, and the system
sends an alert.
generic-whitelist-words
Deprecated since v13.0.0. Please use generic-whitelist-words in detected-malware instead. Adds, deletes, or
replaces a set of generic blacklisted words that are ignored.
inline-scripts-whitelist-signatures
Adds, deletes, or replaces a set of signatures for allowed inline scripts. In case a signature appears as part of
JavaScript inline script, the system does not count this script in the source integrity feature.
removed-scripts
Specifies how the system detects self-removed malicious scripts. You can configure the following options for
removed scripts detection:
blacklist-functions
Adds, deletes, or replaces a set of functions that are used for detecting self-removed malicious scripts.
whitelist-functions
Adds, deletes, or replaces a set of functions that are NOT used for detecting self-removed malicious
scripts.
same-domain-scripts-validation-header
Specifies the name of the custom HTTP header used to identify PING-PONG requests between JavaScript and BIG-IP
for same-domain scripts validations. This name cannot be none.
self-bait-header
Specifies the name of the custom HTTP header used to identify self-bait requests from JavaScript to BIG-IP for
malicious injections scan. This name cannot be none.
source-integrity-location
Specifies the BIG-IP URL path where the system collects information about the HTML source from multiple users.
This path cannot be none and must start with '/'.
web-rootkit
Specifies how the system detects Web-RootKit malware. You can configure the following options for Web-RootKit
detection:
blacklist-functions
Adds, deletes, or replaces a set of additional functions to be checked.
whitelist-functions
Adds, deletes, or replaces a set of native functions that are allowed to be overwritten.
mobilesafe
Specifies how the system detects and prevents phishing, Trojan, and pharming attacks on mobile devices in real time.
You can configure the following options for mobile security:
alert-custom-config
Specifies alert custom configuration for SDK forward compatibility. Note: For certain advanced configurations, F5
support may provide a relevant string to be entered here, please do not use it on your own.
alert-threshold
Specifies the minimal score for sending alerts from mobile devices.
app-integrity
Specifies how the system checks if the application on the mobile device has been tampered with. You can configure
the following options for Application integrity:
custom-config
Specifies custom configuration of Application integrity for SDK forward compatibility. Note: For certain
advanced configurations, F5 support may provide a relevant string to be entered here, please do not use it
on your own.
[enabled | disabled]
Enables or disables Application integrity.
android
Specifies Application integrity settings for Android platform. You can configure the following options for
Android Application integrity:
score
Specifies Application integrity score for Android platform.
signature
Specifies signature of Android application (in hexadecimal format).
ios Specifies Application integrity settings for iOS platform. You can configure the following options for iOS
Application integrity:
hashes
Adds, deletes, or replaces a set of iOS Application hashes (in base64-encoded format). You can
configure the following options for iOS Application hash:
version
Specifies iOS Application version for this hash.
score
Specifies Application integrity score for iOS platform.
general-custom-config
Specifies general custom configuration for SDK forward compatibility. Note: For certain advanced configurations,
F5 support may provide a relevant string to be entered here, please do not use it on your own.
malware
Specifies how the system checks for malicious applications on the customer's mobile devices. You can configure
the following options for Malware detection:
android
Specifies Malware detection settings for Android platform. You can configure the following options for
Android Malware detection:
custom-malware
Adds, deletes, or replaces a custom set of checked malware for Android platform. You can configure the
following options for each Android malware:
package
Specifies package of checked Android malware.
score
Specifies score for checked Android malware.
custom-whitelist
Adds, deletes, or replaces a custom set of whitelist applications for Android platform. You can
configure the following options for each whitelist Android application:
package
Specifies package of whitelist Android application.
check-custom
Enables or disables custom malware check.
check-generic
Enables or disables generic malware check.
custom-config
Specifies custom configuration of Malware detection for SDK forward compatibility. Note: For certain
advanced configurations, F5 support may provide a relevant string to be entered here, please do not use it
on your own.
[enabled | disabled]
Enables or disables Malware detection.
ios Specifies Malware detection settings for iOS platform. You can configure the following options for iOS
Malware detection:
custom-malware
Adds, deletes, or replaces a custom set of checked malware for iOS platform. You can configure the
following options for each iOS malware:
path Specifies path of checked iOS malware.
score
Specifies score for checked iOS malware.
custom-whitelist
Adds, deletes, or replaces a custom set of whitelist applications for iOS platform. You can configure
the following options for each whitelist iOS application:
path Specifies path of whitelist iOS application.
behaviour-analysis
Specifies how the system checks for suspicious behavior and characteristics on all applications on the
customer's mobile devices. You can configure the following options for behavior analysis:
run Enables or disables behaviour analysis run.
score
Specifies score for behavior analysis.
mitm Specifies how the system checks the defined domains for DNS Spoofing and Certificate Forging on customer devices.
You can configure the following options for Man-in-the-middle detection:
certificate-custom-config
Specifies custom configuration of Certificate forging detection for SDK forward compatibility. Note: For
certain advanced configurations, F5 support may provide a relevant string to be entered here, please do not
use it on your own.
dns-custom-config
Specifies custom configuration of DNS spoofing detection for SDK forward compatibility. Note: For certain
advanced configurations, F5 support may provide a relevant string to be entered here, please do not use it
on your own.
domains
Adds, deletes, or replaces a set of domains for Man-in-the-middle detection. You can configure the following
options for a MITM domain:
dns Specifies DNS spoofing detection settings for this domain. You can configure the following options for
DNS spoofing detection:
ip-ranges
Adds, deletes, or replaces a set of IP address ranges for DNS spoofing detection.
spoofing-score
Specifies score for DNS spoofing detection.
certificate
Specifies Certificate forging detection settings for this domain. You can configure the following
options for Certificate forging detection:
forging-score
Specifies score for Certificate forging detection.
hash Specifies certificate hash.
[enabled | disabled]
Enables or disables Man-in-the-middle detection.
os-security
Specifies how the system checks the customer's mobile devices for old, unsupported, and unpatched operating
system (OS) versions. You can configure the following options for OS security:
android
Specifies OS security settings for Android platform. You can configure the following options for Android OS
security:
versions
Adds, deletes, or replaces an ordered set of version ranges for Android platform. You can configure the
following options for Android version range:
from Specifies Android version number from which OS is unpatched.
priority
Specifies a unique ordinal number for Android version range in the set. This option is required
for the operations add, delete, modify, and replace-all-with.
score
Specifies score for Android version range.
to Specifies Android version number to which OS is unpatched.
custom-config
Specifies custom configuration of OS security for SDK forward compatibility. Note: For certain advanced
configurations, F5 support may provide a relevant string to be entered here, please do not use it on your
own.
[enabled | disabled]
Enables or disables OS security.
ios Specifies OS security settings for iOS platform. You can configure the following options for iOS OS
security:
versions
Adds, deletes, or replaces an ordered set of version ranges for iOS platform. You can configure the
following options for iOS version range:
from Specifies iOS version number from which OS is unpatched.
priority
Specifies a unique ordinal number for iOS version range in the set. This option is required for
the operations add, delete, modify, and replace-all-with.
score
Specifies score for iOS version range.
to Specifies iOS version number to which OS is unpatched.
untrusted-apps-score
Specifies score for untrusted applications.
rooting-jailbreak
Specifies how the system checks customer's mobile devices to determine if they are rooted / jailbroken. You can
configure the following options for Rooting / Jailbreak detection:
custom-config
Specifies custom configuration of Rooting / Jailbreak detection for SDK forward compatibility. Note: For
certain advanced configurations, F5 support may provide a relevant string to be entered here, please do not
use it on your own.
[enabled | disabled]
Enables or disables Rooting / Jailbreak detection.
jailbreak-score
Specifies score for jailbreak on iOS platform.
rooting-score
Specifies score for rooting on Android platform.
name Specifies a unique name for the component. This option is required for the commands create, delete, and modify.
partition
Displays the administrative partition within which the component resides.
phishing
Specifies how the system detects a phishing attempt. You can configure the following options for phishing site
detection:
alert-path
Specifies the BIG-IP URL path for alerts from the phishing inline script. This path cannot be none and must start
with '/'.
allowed-elements
Adds, deletes, or replaces a set of URLs in requests for which the system does not verify (check) the referrer
header value.
allowed-referrers
Adds, deletes, or replaces a set of domain names that are allowed to appear in the referrer header when
requesting protected resources.
application-css
Specifies, when enabled, that the system injects the CSS content to the existing application CSS files.
application-css-locations
Adds, deletes, or replaces a set of server URL locations of the application CSS files, used when application-css
is enabled.
css-attribute-name
Specifies the attribute name as part of the CSS content. This name cannot be none.
css-location
Specifies the BIG-IP URL location of the CSS file, used when application-css is disabled. Injecting JavaScript
protects the web application against phishing attempts because even if an attacker removes the injected
JavaScript from the copied web page, the CSS element is not modified, and this triggers an alert. This path
cannot be none and must start with '/'.
expiration-checks
Specifies, when enabled, that the system sends an alert if expired JavaScript engine files are used, as this is
an indication of a phishing attack.
image-location
Specifies the BIG-IP URL location of the 1x1 pixel image file. If an attacker copies a web page with this image,
it most likely lacks the JavaScript, and this triggers an alert. This path cannot be none and must start with
'/'.
inject-css-element
Deprecated since v12.1.3 (excluding v13.0.0). Please use same configuration in a specific URL instead. Specifies
where the system injects the CSS element. You can configure the following options for CSS element injection
position:
[after | before]
Deprecated since v12.1.3 (excluding v13.0.0). Please use same configuration in a specific URL instead.
Specifies whether the system injects the CSS element after an opening tag or before a closing tag.
tag Deprecated since v12.1.3 (excluding v13.0.0). Please use same configuration in a specific URL instead.
Specifies the HTML tag for injection of the CSS element. This tag cannot be none.
inject-css-link
Deprecated since v12.1.3 (excluding v13.0.0). Please use same configuration in a specific URL instead. Specifies
where the system injects the CSS link, when application-css is disabled. You can configure the following options
for CSS link injection position:
[after | before]
Deprecated since v12.1.3 (excluding v13.0.0). Please use same configuration in a specific URL instead.
Specifies whether the system injects the CSS link after an opening tag or before a closing tag.
tag Deprecated since v12.1.3 (excluding v13.0.0). Please use same configuration in a specific URL instead.
Specifies the HTML tag for injection of the CSS link. This tag cannot be none.
inject-inline-javascript
Deprecated since v12.1.3 (excluding v13.0.0). Please use same configuration in a specific URL instead. Specifies
where the system injects the phishing inline script and image. You can configure the following options for
phishing inline script and image injection position:
[after | before]
Deprecated since v12.1.3 (excluding v13.0.0). Please use same configuration in a specific URL instead.
Specifies whether the system injects the phishing inline script and image after an opening tag or before a
closing tag.
tag Deprecated since v12.1.3 (excluding v13.0.0). Please use same configuration in a specific URL instead.
Specifies the HTML tag for injection of the phishing inline script and image. This tag cannot be none.
protected-elements
Adds, deletes, or replaces a set of URLs in requests for which the system verifies (checks) the referrer header
value. You can use wildcards, for example *.gif.
referrer-checks
Specifies, when enabled, that the system verifies (checks) requests coming to the web application for resources
from different domains.
referrer-info-header
Specifies the name of the custom HTTP header used by client side to communicate referrer and view identifier to
BIG-IP.
risk-engine-path
Specifies the BIG-IP URL path to where a risk-engine report is sent by client. This path cannot be none and must start
with '/'.
risk-engine-publisher
Specifies the name of the log publisher used for reports to a Risk engine.
rules
Adds, deletes, or replaces a set of rules used by the system to perform actions upon detected events. You can
configure the following options for each rule:
action
Specifies the type of the action that the system performs when this event is detected. The options are:
block-user
Specifies that the system adds the user with block mode to be enforced from the next login.
forensic
Specifies that the system adds the user with forensic mode to be enforced from the next login.
inspection
Specifies that the system adds the user with inspection mode to be enforced from the next login.
redirect
Specifies that the system redirects the next request to a specific web page.
remediation
Specifies that the system adds the user with remediation mode to be enforced from the next login.
route
Deprecated in v13.1.0. Specifies that the system routes to a specific pool all subsequent requests for a
specific time.
web-service
Specifies that the system sends a POST request to a specific Web service.
duration
Specifies number of minutes during which the system performs the action block-user, forensic, inspection,
remediation or route.
enforce-policy
Specifies enforcement policy for the action block-user, forensic, inspection or remediation. The options are:
enforce
Specifies that the system adds the user mode with the enforce policy.
time-limited
Specifies that the system adds the user mode with the time-limited policy.
unlimited
Specifies that the system adds the user mode with the unlimited policy.
event
Specifies a unique event for the rule. This option is required for the operations create, delete, modify, and
replace-all-with. The options are:
auto-transaction
Specifies that the action is performed when the system detects automatic (bot) transaction.
client-network-connection
Specifies that the action is performed when the system detects that client network connectivity is blocked.
client-side-missing-components
Specifies that the action is performed when the system detects missing components on the client side.
encryption-failure
Specifies that the action is performed when the system fails to decrypt a password.
generic-malware
Specifies that the action is performed when the system detects generic malware.
mandatory-words
Specifies that the action is performed when the system detects that mandatory words are changed in the page.
phishing
Specifies that the action is performed when the system detects a phishing attempt.
phishing-user
Specifies that the action is performed when the system detects a user attacked by a phishing attempt.
rat-detection
Specifies that the action is performed when the system detects a Remote Access Trojan (RAT) on a client web
browser.
referrer-checks
Specifies that the action is performed when the system detects a request from a different domain by the
referrer header.
server-side-missing-components
Specifies that the action is performed when the system detects missing components on the BIG-IP.
source-integrity
Specifies that the action is performed when the system detects a mismatch of the URL's HTML source code.
web-injection
Specifies that the action is performed when the system detects an attempt to inject malware.
min-score
Specifies the lowest score of this event necessary for the system to perform the action.
payload
Specifies the payload for the web-service action.
pool Specifies the name of the pool for the route action.
publisher
Specifies the name of the log publisher for the web-service action.
url Specifies the URL for the action redirect or web-service.
suggested-username-header
Specifies the name of the custom HTTP header in AJAX requests added by JavaScript with a username value identified on
the client side.
trigger-irule
Specifies, when enabled, that the system activates Anti-fraud iRule events. The default value is disabled.
urls Adds, deletes, or replaces a set of URLs in the web application that are protected by the system. You can configure
the following options for a protected URL:
app-layer-encryption
Specifies how the system performs Application layer encryption for this URL. With Application layer encryption,
the system detects an attempt to steal and tamper with end-user passwords (or other protected information), and
also prevents it by encrypting the protected information. You can configure the following options for Application
layer encryption:
add-decoy-inputs
Specifies, when enabled, that the system randomly and continuously generates and removes decoy
fields that are added to the web page, thus making it harder for an attacker to identify sensitive
information with either JavaScript or a proxy. In order to enable it, you must first enable
html-field-obfuscation.
auto-complete-block
Specifies, when enabled, that the system prevents auto-complete functionality in browser.
auto-complete-whitelist-functions
Specifies a list of customer-specific global functions that require access to the value of a parameter with
substitute-value enabled.
custom-encryption-function
Specifies the name or implementation of custom encryption function to be run instead of built-in encryption.
[enabled | disabled]
Specifies whether the system protects this URL with Application layer encryption, and sends an alert if an
attacker attempts to breach Application layer encryption for this URL, or not.
fake-strokes
Specifies, when enabled, that the system protects against in-browser key loggers by generating fake keyboard
events.
full-ajax-encryption
Specifies, when enabled, that the system encrypts the full AJAX payload.
hide-password-revealer
Specifies, when enabled, that the system hides the password revealer icon found in web pages.
html-field-obfuscation
Specifies, when enabled, that the system encrypts the names of defined fields on the client, and
then decrypts them back to the original names on the BIG-IP.
real-time-encryption
Specifies, when enabled, that the system encrypts passwords as they are typed (even before the user clicks
the Submit button in a web form).
remove-element-ids
Specifies, when enabled, that the system removes the ID attribute from the fields in a web form. In
order to enable it, you must first enable html-field-obfuscation.
remove-event-listeners
Specifies, when enabled, that the system removes event listeners from the encrypted fields in a web
form.
stolen-creds
Specifies, when enabled, that the system examines whether the user was trying to use a fabricated password.
substitute-value-function
Specifies a JavaScript function that receives the real password as an argument and returns a fake value.
auto-transactions
Specifies how the system protects this URL from automatic (bot) transactions. You can configure the following
options for Automated transactions detection:
attach-ajax-payload-to-alerts
Specifies whether to attach the actual AJAX payload to alerts. Use the DB variable
antifraud.antifraud.maxalertrequestsize to limit the attached payload size.
bot-score
Specifies the score added to an alert that is triggered if the system determines that the client is a bot
and not a human. The default is a score of 50.
browser
Specifies, when enabled, that the system looks for bot automation performed within the browser.
click-score
Specifies the score added to an alert that is triggered if the min-mouse-over-count and min-mouse-move-count
conditions are not met. The default is a score of 40.
[enabled | disabled]
Specifies whether the system protects this URL against non-human transactions, and sends an alert if the
system detects a non-human transaction attempt for this URL, or not.
full-ajax-integrity
Specifies, when enabled, that the system verifies whether the full AJAX payload was changed by malware when
it left the browser for the server.
integrity-fail-score
Specifies the score added to an alert that is triggered if the system detects a difference between the
actual parameter value and the expected value of a protected parameter sent after a user clicks a web form's
Submit button. The default is a score of 40.
integrity-fail-max-score
Specifies the maximal score added to an alert that is triggered if the system detects a difference between
the actual parameter value and the expected value of a protected parameter sent after a user clicks a web
form's Submit button. The default is a score of 100.
min-mouse-move-count
Specifies the minimum number of mouse movements necessary per page load in order for the system to consider
the transaction to be of human origin. The default is 5 movements.
min-mouse-over-count
Specifies the minimum number of times the client's mouse is positioned over the Submit button in a web form
in order for the system to consider the transaction to be of human origin. The default is 2 button
interactions.
min-report-score
Specifies the lowest score necessary for the system to send an alert. The default value is 50.
min-time-to-request
Specifies the minimum amount of time (in seconds) permitted between when a web form is opened and the Submit
button is clicked. The default is 2 seconds.
non-browser
Specifies, when enabled, that the system looks for bot automation performed not within the browser.
not-human-score
Specifies the score added to an alert that is triggered if the system only suspects that the client is a bot
and not a human. The default is a score of 25.
strong-integrity
Specifies, when enabled, that Enhanced Data Integrity is active. When Enhanced Data Integrity is active, the
system detects a difference between the actual parameter value and the expected value of a protected
parameter verified with physical input events.
strong-integrity-user-functions
Adds, deletes, or replaces a set of customer functions that change a parameter value protected by Enhanced
Data Integrity.
submit-buttons
Adds, deletes, or replaces a set of non-standard Submit buttons found in forms of the web application. You
can specify the name, or the CSS syntax (ID, class, or tagname) for each button.
tampered-cookie-score
Specifies the score added to an alert that is triggered if the system detects that the transaction-data
cookie was tampered with. The default is a score of 50.
time-fail-score
Specifies the score added to an alert that is triggered if the min-time-to-request condition is not met. The
default is a score of 20.
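The scoring options above combine into a single alert decision. The following added example (not taken from
the F5 manual or product code) models that arithmetic with the defaults stated in this section, so a change
to min-report-score or to an individual score can be checked before it is deployed. The additive model, the
either-condition reading of click-score, the per-parameter cap for integrity-fail-max-score, and all class
and field names are assumptions.

```python
from dataclasses import dataclass

@dataclass
class AutoTxConfig:
    # Defaults as stated in this section of the man page.
    click_score: int = 40
    integrity_fail_score: int = 40
    integrity_fail_max_score: int = 100
    min_mouse_move_count: int = 5
    min_mouse_over_count: int = 2
    min_report_score: int = 50
    min_time_to_request: int = 2      # seconds
    not_human_score: int = 25
    tampered_cookie_score: int = 50
    time_fail_score: int = 20

@dataclass
class Submission:
    # Constructed observation of one form submission (hypothetical fields).
    mouse_moves: int
    submit_hovers: int
    seconds_to_submit: float
    integrity_mismatches: int = 0
    suspected_bot: bool = False
    cookie_tampered: bool = False

def evaluate(sub: Submission, cfg: AutoTxConfig = AutoTxConfig()):
    """Return (total_score, contributions, alert_sent) under the additive model."""
    parts = {}
    # Assumption: failing either mouse condition triggers click-score.
    if (sub.mouse_moves < cfg.min_mouse_move_count
            or sub.submit_hovers < cfg.min_mouse_over_count):
        parts["click-score"] = cfg.click_score
    if sub.seconds_to_submit < cfg.min_time_to_request:
        parts["time-fail-score"] = cfg.time_fail_score
    if sub.suspected_bot:
        parts["not-human-score"] = cfg.not_human_score
    if sub.cookie_tampered:
        parts["tampered-cookie-score"] = cfg.tampered_cookie_score
    if sub.integrity_mismatches > 0:
        # Assumption: each mismatched parameter adds integrity-fail-score,
        # and the sum is capped at integrity-fail-max-score.
        parts["integrity-fail-score"] = min(
            sub.integrity_mismatches * cfg.integrity_fail_score,
            cfg.integrity_fail_max_score)
    total = sum(parts.values())
    return total, parts, total >= cfg.min_report_score

if __name__ == "__main__":
    samples = {  # constructed submissions
        "fast but human-like": Submission(12, 3, 1.0),
        "fast and suspected bot": Submission(12, 3, 1.0, suspected_bot=True),
        "no mouse activity, fast": Submission(0, 0, 0.2),
        "three tampered parameters": Submission(12, 3, 8.0, integrity_mismatches=3),
    }
    for name, sub in samples.items():
        total, parts, alert = evaluate(sub)
        print(f"{name:28} score={total:3} alert={alert} {parts}")
```

Under this model and the default min-report-score of 50, a time failure alone (20) or a time failure plus a
not-human suspicion (45) stays below the reporting threshold, while a tampered transaction-data cookie alone (50)
reaches it.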
custom-alerts
Adds, deletes, or replaces a set of user-defined alerts sent by the system upon searches in different parts of
the request. You can configure the following options for each user-defined alert:
attach-request-part
Specifies whether to attach the original client-side request to this alert.
component
Specifies the alert component that the system sends in this alert. Select either: malware (the default
value), phishing, auto-transactions, or mobilesafe.
header-name
Specifies a header name in which the system searches for the value when search-in is header.
malware-name
Specifies the malware detected by this alert when component is malware.
message
Specifies the user-defined message that the system sends in this alert.
search-in
Specifies the part of the request where the system must find the value to send this alert. Note: When you
create a user-defined alert, you can select either request part; thereafter it becomes read-only.
client-ip
Specifies that the system sends this alert if the client IP address equals the value.
header
Specifies that the system sends this alert if the header-name header contains the value.
payload
Specifies that the system sends this alert if the request payload contains the value.
query-string
Specifies that the system sends this alert if the URL query string contains the value.
value
Specifies a value that the system searches for in the search-in part of the request. The default value is
none, which means that the system searches for any value.
before-load-function
Specifies the implementation of an additional function to be run before the JavaScript loads, in the following
format: function(configs){...}. Note: For certain advanced configurations, F5 support may provide relevant code
to be entered here; do not use this option on your own.
description
Specifies an optional description of this URL.
destination-urls
Specifies a list of destination URLs for requests from SPA URLs/Views.
fallback-to-base-url
Specifies whether a request to a non-configured view uses the same configuration as the base URL or disables FPS
for that request.
include-query-string
Specifies, when enabled, that the system includes the query string of URLs when matching this wildcard
expression. The default value is disabled.
inject-javascript
Enables or disables JavaScript injection into responses to this URL. The default value is enabled.
inject-main-javascript
Specifies where the system injects the main JavaScript. You can configure the following options for main
JavaScript injection position:
[after | before]
Specifies whether the system injects the main JavaScript after an opening tag or before a closing tag.
tag Specifies the HTML tag for injection of the main JavaScript. This tag cannot be none.
inject-javascript-removal
Specifies where the system injects the JavaScript removal detection image. You can configure the following
options for JavaScript removal detection image injection position:
[after | before]
Specifies whether the system injects the JavaScript removal detection image after an opening tag or before a
closing tag.
tag Specifies the HTML tag for injection of the JavaScript removal detection image. This tag cannot be none.
login-response
Specifies validation criteria on the response of this URL when it is a Login page. You must configure at least
one criterion. If you configure more than one validation criterion, then all the criteria must be fulfilled for
a successful login. You can configure the following Login page properties:
status-code
Specifies an HTTP response status code that the server must return to the user upon successful login.
domain-cookie
Specifies a defined domain cookie that the successful response to the login URL must include.
exclude-string
Specifies a string that should NOT appear in the successful response to the login URL.
header
Specifies a header name and value that the successful response to the login URL must match.
include-string
Specifies a string that should appear in the successful response to the login URL.
validation
Enables or disables successful login validation.
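Because all configured login-response criteria must hold together, the choice of criteria decides which
responses count as a successful login. The following added example (not taken from the F5 manual or product
code) evaluates two constructed responses against a status-code-only configuration and a combined one. The
matching rules (cookie matched by name in Set-Cookie, case-insensitive header name with exact value, substring
match on the body) and all class and field names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class LoginResponse:
    # One login-response configuration; None means "criterion not configured".
    status_code: Optional[int] = None
    domain_cookie: Optional[str] = None
    exclude_string: Optional[str] = None
    header: Optional[Tuple[str, str]] = None
    include_string: Optional[str] = None

@dataclass
class HttpResponse:
    # Constructed stand-in for the server's reply to the login URL.
    status: int
    headers: list          # list of (name, value) pairs
    body: str = ""

def evaluate_login(resp: HttpResponse, cfg: LoginResponse):
    """Return (successful, per-criterion results); all configured criteria must pass."""
    results = {}
    if cfg.status_code is not None:
        results["status-code"] = resp.status == cfg.status_code
    if cfg.domain_cookie is not None:
        # Assumption: the cookie is matched by name in Set-Cookie headers.
        names = {v.split("=", 1)[0].strip()
                 for n, v in resp.headers if n.lower() == "set-cookie"}
        results["domain-cookie"] = cfg.domain_cookie in names
    if cfg.exclude_string is not None:
        results["exclude-string"] = cfg.exclude_string not in resp.body
    if cfg.header is not None:
        # Assumption: case-insensitive header name, exact value.
        want_name, want_value = cfg.header
        results["header"] = any(n.lower() == want_name.lower() and v == want_value
                                for n, v in resp.headers)
    if cfg.include_string is not None:
        results["include-string"] = cfg.include_string in resp.body
    if not results:
        raise ValueError("login-response needs at least one criterion")
    return all(results.values()), results

# Constructed replies from an application that answers 200 in both cases.
GOOD = HttpResponse(200, [("Set-Cookie", "APPSESSION=abc123; Path=/; Secure")],
                    "<h1>Welcome back</h1>")
BAD = HttpResponse(200, [("Content-Type", "text/html")],
                   "<p>Invalid username or password</p>")

STATUS_ONLY = LoginResponse(status_code=200)
COMBINED = LoginResponse(status_code=200, domain_cookie="APPSESSION",
                         exclude_string="Invalid username or password")

if __name__ == "__main__":
    for label, cfg in (("status-code only", STATUS_ONLY), ("combined", COMBINED)):
        for name, resp in (("good login", GOOD), ("bad login", BAD)):
            print(f"{label:17} {name:10} -> {evaluate_login(resp, cfg)}")
```

With status-code alone, the failed login in this sample is treated as successful, which matters because the
identify-as-username value is used only when login is successful according to login-response.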
malware
Specifies when the system detects attempts of attackers to inject malware in the URL. You can configure the
following options for Malware detection:
attach-html-to-alerts
Specifies, when enabled, that the system attaches forensics information along with the alerts.
auto-learn-form-tags
Specifies, when enabled, that the system learns the number of HTML form tags that appear in the URL. In
order to enable it, you must first enable source-integrity.
auto-learn-input-tags
Specifies, when enabled, that the system learns the number of HTML input tags that appear in the URL. In
order to enable it, you must first enable source-integrity.
auto-learn-script-tags
Specifies, when enabled, that the system learns the number of HTML script tags that appear in the URL. In
order to enable it, you must first enable source-integrity.
blocked-enter-key-detection
Specifies, when enabled, that the system detects a blocked "Enter" key.
deferred-execution
Specifies, when enabled, that the system detects a deferred execution attack.
domain-availability
Specifies, when enabled, that the system checks that client network connectivity is not blocked by malware.
enable-symbols
Specifies, when enabled, that the system looks for malware strings (signatures) within JavaScript.
[enabled | disabled]
Specifies whether the system protects this URL against injected malware and sends an alert if this URL is
detected to have malware.
external-injection
Specifies, when enabled, that the system detects malicious scripts injected from domains not in the
profile's allowed-domains.
generic-malware
Specifies, when enabled, that the system applies the detection of generic malware, using honeypots.
manual-count-form-tags
Specifies the number of HTML forms that appear in the URL.
manual-count-input-tags
Specifies the number of HTML inputs that appear in the URL.
manual-count-script-tags
Specifies the number of HTML scripts that appear in the URL.
password-exfiltration-detection
When enabled, the system detects attempts to steal the user's password in the web browser. An alert is
triggered if such an attempt is detected.
rat-detection
Specifies, when enabled, that the system checks for Remote Access Trojans (RATs) on clients' web browsers.
removed-scripts-detection
Specifies, when enabled, that the system detects malicious scripts that removed their own injection from the
DOM.
same-domain-scripts-validation
Specifies, when enabled, that the system detects malicious responses to same-domain scripts.
self-bait
Specifies, when enabled, that the system scans the original source code of the page for malicious
injections.
source-integrity
Specifies, when enabled, that the system verifies that the URL's HTML source code matches the HTML code sent
from the server. The source integrity feature counts script tags that are external (with src) and inline
(without src).
vbklip-detection
Specifies, when enabled, that the system checks for VBKlip malware.
visibility-check
Specifies, when enabled, that the system searches HTML pages for words from visibility-check-items.
visibility-check-items
Adds, deletes, or replaces a set of words that must appear in the web site's HTML pages and may not be
changed. If these words are changed, the system sends an alert.
web-rootkit-detection
Specifies, when enabled, that the system detects malware that overwrites native browser functions.
whitelist-dom-signatures
Adds, deletes, or replaces a set of hash-IDs of DOM signatures that are permitted to appear in requests for
this URL, even though they are otherwise blacklisted by the system for other URLs.
whitelist-words
Deprecated since v15.0.0. Please use 'whitelist-dom-signatures' configuration instead. Adds, deletes, or
replaces a set of words that are permitted to appear in requests for this URL, even though they are
otherwise blacklisted by the system for other URLs.
mobilesafe-encryption
Specifies, when enabled, that the system protects requests for this URL from mobile devices with Application
layer encryption.
parameters
Adds, deletes, or replaces a set of sensitive parameters protected by the system. You can configure the following
options for each parameter:
ajax-mapping
Specifies the mapping between the parameter name and its location in AJAX payload.
attach-to-vtoken-report
Specifies, when enabled, that the system adds the parameter value data to the alerts.
check-integrity
Specifies, when enabled, that the system verifies whether the user-input data was changed by malware when it
left the browser for the server.
encrypt
Specifies, when enabled, that the system encrypts the parameter's value attribute.
identify-as-username
Specifies, when enabled, that the system considers this parameter a username. Note: There may be only one
such parameter per URL, and its value is used only when login is successful (according to the URL's
login-response).
method
Deprecated since v14.1.0. Please use parameter 'search-in' configuration instead. Specifies the method of
the request from which the system gets the parameter data. Select either: POST (the default value) or GET.
mobilesafe-encrypt
Specifies that this parameter contains the encrypted fields from mobile devices. Note: There may be only one
such parameter per URL (usually called auth); it cannot have other settings enabled, and its method must be
POST.
mobilesafe-entangle
Specifies that this parameter must be encrypted by mobile devices. The system replaces its value in the
request payload and sends an alert if the mobilesafe-encrypt parameter does not contain this field.
obfuscate
Specifies, when enabled, that the system encrypts the parameter's name attribute.
priority
Specifies a unique ordinal number for this parameter in the set of wildcard parameters.
protect-by-selector
Specifies, when enabled, that the client considers this parameter's name to be a CSS selector. Note: To
enable it, the parameter name must be defined as explicit and you must enable full-ajax-encryption.
search-in
Specifies the request part from which the system gets the parameter data. Select either: payload,
query-string, or any (the default value). If any is selected, the query string is searched first, and the
payload is searched only if the parameter is not found there.
substitute-value
Specifies, when enabled, that the system substitutes the parameter's value with asterisks [*] in the web
application while the form is being filled. In order to enable it, you must first enable encrypt.
type Specifies the type of the parameter. Note: When you create a parameter, you can select either type;
thereafter it becomes read-only. The options are:
explicit
Specifies that the parameter has an exact path. This is the default value.
wildcard
Specifies that any parameter that matches this wildcard expression is considered protected.
phishing
Specifies when the system detects phishing attempts by attackers who set up a fake URL that imitates the real
URL. You can configure the following options for Phishing detection:
capture-users
Specifies, when enabled, that the system logs the usernames and text fields (not passwords) of users
attacked by a phishing attempt.
copy-detection
Specifies, when enabled, that the system detects copied web pages.
css-protection
Specifies, when enabled, that the system activates the CSS module, which is part of the system's phishing
detection backup mechanism.
[enabled | disabled]
Specifies whether the system protects this URL against phishing and sends an alert if the system detects
this URL to be under a phishing attempt.
field-types-to-send
Adds, deletes, or replaces a set of HTML input types whose values should be included in phishing alerts.
inject-css-element
Specifies where the system injects the CSS element. You can configure the following options for CSS element
injection position:
[after | before]
Specifies whether the system injects the CSS element after an opening tag or before a closing tag.
tag Specifies the HTML tag for injection of the CSS element. This tag cannot be none.
inject-css-link
Specifies where the system injects the CSS link, when application-css is disabled. You can configure the
following options for CSS link injection position:
[after | before]
Specifies whether the system injects the CSS link after an opening tag or before a closing tag.
tag Specifies the HTML tag for injection of the CSS link. This tag cannot be none.
inject-inline-javascript
Specifies where the system injects the phishing inline script and image. You can configure the following
options for phishing inline script and image injection position:
[after | before]
Specifies whether the system injects the phishing inline script and image after an opening tag or
before a closing tag.
tag Specifies the HTML tag for injection of the phishing inline script and image. This tag cannot be none.
priority
Specifies a unique ordinal number for this URL in the set of wildcard URLs.
type Specifies the type of the URL. Note: When you create a URL, you can select either type; thereafter it
becomes read-only. The options are:
explicit
Specifies that the URL has an exact path. This is the default value.
wildcard
Specifies that any URL that matches this wildcard expression is considered protected.
users
Adds, deletes, or replaces a set of users enforced by the system upon successful login. You can configure the
following options for an enforced user:
modes
Adds or deletes a single mode in the set of existing user modes.
mode Specifies a unique mode for the user. This option is required for the operations add and delete. The options
are:
block
Specifies that the system blocks the user account by displaying blocking-page.
forensic
Specifies that the system requires the user to run the Forensics tool on the user's host by displaying
forensic html.
inspection
Specifies that the system turns on verbose activity logging for this user, i.e. collects all HTML and
JS sources from sessions and sends this data to the dashboard.
remediation
Specifies that the system requires the user to run the Forensics tool in remediation mode, which deploys
the Anti-malware client on the user's host, by displaying forensic html.
duration
Specifies the number of minutes, counted from the user's first login, during which the user is enforced in
this mode when enforce-policy is time-limited. After this period expires, the user mode is removed automatically.
enforce-policy
Specifies enforcement policy for this user mode. The options are:
enforce
Specifies that the user must download and run the Forensics tool in order to continue online actions. Note:
This policy may be specified only for the modes forensic and remediation.
time-limited
Specifies that the user is enforced in this mode for a limited time, namely until first-login-time +
duration minutes. When this policy is specified for the modes forensic and remediation, the user may
skip downloading and running the Forensics tool every time.
unlimited
Specifies that the user is enforced in this mode for unlimited time. When this policy is specified for
the modes forensic and remediation, the user may skip downloading and running the Forensics tool every
time.
first-login-time
Displays the time when the user first logged in while in this mode. A new user mode is added with the value
none, and it is updated automatically during traffic when enforce-policy is time-limited.
whitelist-custom-alerts
Specifies a list of predefined alerts that are ignored.
SEE ALSO
create, delete, edit, glob, list, ltm virtual, modify, regex, security, security anti-fraud, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or mechanical, including
photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal
use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2009-2015. All rights reserved.
BIG-IP 2019-07-10 security anti-fraud profile(1)