security anti-fraud profile(1)BIG-IP TMSH Manualsecurity anti-fraud profile(1)
NAME
profile - Configures a Fraud Protection Service profile.
MODULE
security anti-fraud
SYNTAX
Configure the profile component within the security anti-fraud module
using the syntax shown in the following sections.
CREATE/MODIFY
create profile [name]
modify profile [name]
options:
alert-client-side-caching [enabled | disabled]
alert-identifier [string]
alert-path [string]
alert-pool [[name] | none]
alert-publisher [[name] | none]
alert-token-header [string]
app-service [[string] | none]
auto-transactions {
bot-score [integer]
click-score [integer]
integrity-fail-score [integer]
min-mouse-move-count [integer]
min-mouse-over-count [integer]
min-report-score [integer]
min-time-to-request [integer]
not-human-score [integer]
strong-integrity {
hide-encrypted-parameters [enabled | disabled]
parameter [string]
}
tampered-cookie-score [integer]
time-fail-score [integer]
}
before-load-function [[string] | none]
blocking-page {
response-body [[string] | none]
response-headers [string]
}
[case-sensitive | case-insensitive]
cloud-service-pool [[name] | none]
config-location [string]
cookies {
application [none | add | delete | replace-all-with] { [string] ... }
base-domain {
apply [enabled | disabled]
exceptions [none | add | delete | replace-all-with] { [string] ... }
}
client-side [string]
client-side-lifetime [[integer] | session]
components-state [string]
components-state-lifetime [[integer] | session]
components-state-removal-protection [enabled | disabled]
encryption-disabled [string]
encryption-disabled-lifetime [[integer] | session]
encryption-disabled-removal-protection [enabled | disabled]
fingerprint [string]
fingerprint-lifetime [[integer] | session]
fingerprint-removal-protection [enabled | disabled]
html-field-obfuscation [string]
html-field-obfuscation-lifetime [[integer] | session]
malware-forensic [string]
malware-forensic-lifetime [[integer] | session]
malware-guid [string]
malware-guid-lifetime [[integer] | session]
malware-guid-removal-protection [enabled | disabled]
rules [string]
rules-lifetime [[integer] | session]
rules-removal-protection [enabled | disabled]
secure-alert [string]
secure-alert-lifetime [[integer] | session]
secure-alert-removal-protection [enabled | disabled]
secure-channel [string]
secure-channel-lifetime [[integer] | session]
secure-channel-removal-protection [enabled | disabled]
transaction-data [string]
transaction-data-lifetime [[integer] | session]
user-inspection [string]
user-name [string]
user-name-lifetime [[integer] | session]
user-name-removal-protection [enabled | disabled]
}
debug {
console-log {
client-ips [none | add | delete | replace-all-with] { [string] ... }
user-agents [none | add | delete | replace-all-with] { [string] ... }
fingerprints [none | add | delete | replace-all-with] { [string] ... }
}
send-alert {
client-ips [none | add | delete | replace-all-with] { [string] ... }
user-agents [none | add | delete | replace-all-with] { [string] ... }
fingerprints [none | add | delete | replace-all-with] { [string] ... }
}
}
defaults-from [[name] | none]
description [[string] | none]
encryption-staging-mode [enabled | disabled]
fingerprint {
collect [enabled | disabled]
location [string]
}
forensic {
alert-path [string]
client-domains [none | add | delete | replace-all-with] { [string] ... }
cloud-config-path [string]
cloud-forensics-mode [integer]
cloud-remediation-mode [integer]
continue-element [[string] | none]
exe-location [string]
html [[string] | none]
self-post-location [string]
skip-element [[string] | none]
skip-path [string]
}
inject-main-javascript {
[after | before]
tag [string]
}
javascript-location [string]
malware {
allowed-domains [none | add | delete | replace-all-with] { [string] ... }
bait-check-generic [enabled | disabled]
bait-location [string]
blacklist-words [none | add | delete | replace-all-with] { [string] ... }
detected-malware [none | add | delete | modify | replace-all-with] {
name [string] {
baits [none | add | delete | modify | replace-all-with] {
name [string] {
data-before [string]
data-inject [string]
trigger-url {
name [string]
position [ alone | any | last ]
}
}
}
blacklist-functions [none | add | delete | replace-all-with] { [string] ... }
blacklist-js-words [none | add | delete | replace-all-with] { [string] ... }
blacklist-urls [none | add | delete | replace-all-with] { [string] ... }
blacklist-words [none | add | delete | replace-all-with] { [string] ... }
browser-cache {
blacklist-urls [none | add | delete | modify | replace-all-with] { [string] ... }
whitelist-urls [none | add | delete | modify | replace-all-with] { [string] ... }
}
domain-availability {
blacklist-urls [none | add | delete | modify | replace-all-with] { [string] ... }
whitelist-urls [none | add | delete | modify | replace-all-with] { [string] ... }
}
generic-whitelist-words [none | add | delete | replace-all-with] { [string] ... }
}
}
domain-availability-urls [[string] | none]
external-sources-targets [none | add | delete | replace-all-with] { [string] ... }
flash-cookie-content [[string] | none]
flash-cookie-location [string]
flash-cookies [enabled | disabled]
generic-whitelist-words [none | add | delete | replace-all-with] { [string] ... }
inline-scripts-whitelist-signatures [none | add | delete | replace-all-with] { [string] ... }
removed-scripts {
blacklist-functions [none | add | delete | replace-all-with] { [string] ... }
whitelist-functions [none | add | delete | replace-all-with] { [string] ... }
}
source-integrity-location [string]
web-rootkit {
blacklist-functions [none | add | delete | replace-all-with] { [string] ... }
whitelist-functions [none | add | delete | replace-all-with] { [string] ... }
}
}
mobilesafe {
alert-custom-config [[string] | none]
alert-threshold [integer]
app-integrity {
custom-config [[string] | none]
[enabled | disabled]
android {
score [integer]
signature [[string] | none]
}
ios {
hashes [none | add | delete | modify | replace-all-with] {
value [string] {
version [[string] | none]
}
}
score [integer]
}
}
general-custom-config [[string] | none]
malware {
android {
custom-malware [none | add | delete | modify | replace-all-with] {
name [string] {
package [string]
score [integer]
}
}
custom-whitelist [none | add | delete | modify | replace-all-with] {
name [string] {
package [string]
}
}
}
check-custom [enabled | disabled]
check-generic [enabled | disabled]
custom-config [[string] | none]
[enabled | disabled]
ios {
custom-malware [none | add | delete | modify | replace-all-with] {
name [string] {
path [string]
score [integer]
}
}
custom-whitelist [none | add | delete | modify | replace-all-with] {
name [string] {
path [string]
}
}
}
behaviour-analysis {
run [enabled | disabled]
score [integer]
}
}
mitm {
certificate-custom-config [[string] | none]
dns-custom-config [[string] | none]
domains [none | add | delete | modify | replace-all-with] {
name [string] {
dns {
ip-ranges [none | add | delete | replace-all-with] {address | address-address ... }
spoofing-score [integer]
}
certificate {
forging-score [integer]
hash [string]
}
}
}
[enabled | disabled]
}
os-security {
android {
untrusted-apps-score [integer]
versions [none | add | delete | modify | replace-all-with] {
priority [integer] {
from [string]
score [integer]
to [string]
}
}
}
custom-config [[string] | none]
[enabled | disabled]
ios {
versions [none | add | delete | modify | replace-all-with] {
priority [integer] {
from [string]
score [integer]
to [string]
}
}
}
}
rooting-jailbreak {
custom-config [[string] | none]
[enabled | disabled]
jailbreak-score [integer]
rooting-score [integer]
}
}
phishing {
alert-path [string]
allowed-elements [none | add | delete | replace-all-with] { [string] ...}
allowed-referrers [none | add | delete | replace-all-with] { [string] ...}
application-css [enabled | disabled]
application-css-locations [none | add | delete | replace-all-with] { [string] ...}
css-attribute-name [string]
css-location [string]
expiration-checks [enabled | disabled]
image-location [string]
inject-css-element {
[after | before]
tag [string]
}
inject-css-link {
[after | before]
tag [string]
}
inject-inline-javascript {
[after | before]
tag [string]
}
protected-elements [none | add | delete | replace-all-with] { [string] ...}
referrer-checks [enabled | disabled]
}
risk-engine-publisher [[name] | none]
rules [none | add | delete | modify | replace-all-with] {
event [auto-transaction | client-network-connection | client-side-missing-components | encryption-failure |
generic-malware | mandatory-words | phishing | phishing-user | rat-detection | referrer-checks |
server-side-missing-components | source-integrity | web-injection] {
action [block-user | forensic | inspection | redirect | remediation | route | web-service]
duration [integer]
enforce-policy [enforce | time-limited | unlimited]
min-score [integer]
publisher [[name] | none]
payload [[string] | none]
pool [[name] | none]
url [[string] | none]
}
}
suggested-username-header [string]
trigger-irule [enabled | disabled]
urls [none | add | delete | modify | replace-all-with] {
name [string] {
app-layer-encryption {
add-decoy-inputs [enabled | disabled]
custom-encryption-function [[string] | none]
[enabled | disabled]
fake-strokes [enabled | disabled]
full-ajax-encryption [enabled | disabled]
hide-password-revealer [enabled | disabled]
html-field-obfuscation [enabled | disabled]
real-time-encryption [enabled | disabled]
remove-element-ids [enabled | disabled]
remove-event-listeners [enabled | disabled]
stolen-creds [enabled | disabled]
substitute-value-function [[string] | none]
}
auto-transactions {
bot-score [integer]
browser [enabled | disabled]
click-score [integer]
[enabled | disabled]
full-ajax-integrity [enabled | disabled]
integrity-fail-score [integer]
min-mouse-move-count [integer]
min-mouse-over-count [integer]
min-report-score [integer]
min-time-to-request [integer]
non-browser [enabled | disabled]
not-human-score [integer]
strong-integrity [enabled | disabled]
submit-buttons [none | add | delete | replace-all-with] { [string] ...}
tampered-cookie-score [integer]
time-fail-score [integer]
}
custom-alerts [none | add | delete | modify | replace-all-with] {
name [string] {
component [auto-transactions | malware | mobilesafe | phishing]
header-name [[string] | none]
malware-name [[string] | none]
message [[string] | none]
search-in [client-ip | header | payload | query-string]
value [[string] | none]
}
}
description [string]
include-query-string [enabled | disabled]
inject-javascript [enabled | disabled]
inject-main-javascript {
[after | before]
tag [string]
}
login-response {
status-code [[integer] | none]
domain-cookie [[string] | none]
exclude-string [[string] | none]
header [[string] | none]
include-string [[string] | none]
validation [enabled | disabled]
}
malware {
attach-html-to-alerts [enabled | disabled]
auto-learn-form-tags [enabled | disabled]
auto-learn-input-tags [enabled | disabled]
auto-learn-script-tags [enabled | disabled]
blocked-enter-key-detection [enabled | disabled]
domain-availability [enabled | disabled]
enable-symbols [enabled | disabled]
[enabled | disabled]
external-injection [enabled | disabled]
generic-malware [enabled | disabled]
manual-count-form-tags [integer]
manual-count-input-tags [integer]
manual-count-script-tags [integer]
rat-detection [enabled | disabled]
removed-scripts-detection [enabled | disabled]
source-integrity [enabled | disabled]
vbklip-detection [enabled | disabled]
visibility-check [enabled | disabled]
visibility-check-items [none | add | delete | replace-all-with] { [string] ...}
web-rootkit-detection [enabled | disabled]
whitelist-words [none | add | delete | replace-all-with] { [string] ...}
}
mobilesafe-encryption [enabled | disabled]
parameters [none | add | delete | modify | replace-all-with] {
name [string] {
attach-to-vtoken-report [enabled | disabled]
check-integrity [enabled | disabled]
encrypt [enabled | disabled]
identify-as-username [enabled | disabled]
method [GET | POST]
mobilesafe-encrypt [enabled | disabled]
mobilesafe-entangle [enabled | disabled]
obfuscate [enabled | disabled]
substitute-value [enabled | disabled]
}
}
phishing {
capture-users [enabled | disabled]
copy-detection [enabled | disabled]
css-protection [enabled | disabled]
[enabled | disabled]
field-types-to-send [none | add | delete | replace-all-with] { [string] ...}
inject-css-element {
[after | before]
tag [string]
}
inject-css-link {
[after | before]
tag [string]
}
inject-inline-javascript {
[after | before]
tag [string]
}
}
priority [integer]
type [explicit | wildcard]
}
}
users [add | delete | modify] {
name [string] {
modes [add | delete] {
mode [block | forensic | inspection | remediation] {
duration [integer]
enforce-policy [enforce | time-limited | unlimited]
first-login-time [date]
}
}
}
}
whitelist-custom-alerts [none | add | delete | replace-all-with] { [string] ...}
edit profile [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
DISPLAY
list profile
list profile [ [ [name] | [glob] | [regex] ] ... ]
show running-config profile
show running-config profile [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
one-line
partition
recursive
DELETE
delete profile [name]
DESCRIPTION
You can use the profile component to create, modify, display, or delete
an Anti-Fraud profile.
Note: The users property may be specified only for the commands modify,
edit, and list and only when no other properties are specified. By
default, users are not displayed.
Note: The first-login-time property of user modes may be specified only
for the list command.
EXAMPLES
create profile my_antifraud_profile
Creates a custom Anti-Fraud profile named my_antifraud_profile with
default parameters.
list profile
Displays the properties of all Anti-Fraud profiles.
OPTIONS
alert-client-side-caching
Specifies whether or not to cache the sent alerts in order to
prevent multiple alerts from being sent to the dashboard.
alert-identifier
Specifies the ID of the customer in the dashboard.
alert-path
Specifies the BIG-IP URL path where the alert is sent. This path
cannot be none and must start with '/'.
alert-pool
Specifies the name of the pool used when the system sends alerts.
alert-publisher
Specifies the name of the log publisher used for sending alerts
originating from the BIG-IP.
alert-token-header
Specifies the name of the custom HTTP header in alerts for
exchanging a random token between the client side and the BIG-IP.
app-service
Specifies the name of the application service to which the profile
belongs. The default value is none. Note: If the strict-updates
option is enabled on the application service that owns the object,
you cannot modify or delete the profile. Only the application
service can modify or delete the profile.
auto-transactions
Specifies how the system differentiates between human and
automatic (bot) transactions. You can configure the following
options for automatic transactions:
bot-score
Deprecated since v13.0.0. Please use bot-score in auto-
transactions under urls instead. Specifies the score added to
an alert that is triggered if the system determines that the
client is a bot and not a human. The default is a score of
50.
click-score
Deprecated since v13.0.0. Please use click-score in auto-
transactions under urls instead. Specifies the score added to
an alert that is triggered if the min-mouse-over-count and
min-mouse-move-count conditions are not met. The default is a
score of 40.
integrity-fail-score
Deprecated since v13.0.0. Please use integrity-fail-score in
auto-transactions under urls instead. Specifies the score
added to an alert that is triggered if the system detects a
difference between the actual parameter value and the
expected value of a protected parameter sent after a user
clicks a web form's Submit button. The default is a score of
40.
min-mouse-move-count
Deprecated since v13.0.0. Please use min-mouse-move-count in
auto-transactions under urls instead. Specifies the minimum
number of mouse movements necessary per page load in order
for the system to consider the transaction to be of human
origin. The default is 5 movements.
min-mouse-over-count
Deprecated since v13.0.0. Please use min-mouse-over-count in
auto-transactions under urls instead. Specifies the minimum
number of times the client's mouse is positioned over the
Submit button in a web form in order for the system to
consider the transaction to be of human origin. The default
is 2 button interactions.
min-report-score
Deprecated since v13.0.0. Please use min-report-score in
auto-transactions under urls instead. Specifies the lowest
score necessary for the system to send an alert. The default
value is 50.
min-time-to-request
Deprecated since v13.0.0. Please use min-time-to-request in
auto-transactions under urls instead. Specifies the minimum
amount of time (in seconds) permitted between when a web form
is opened and the Submit button is clicked. The default is 2
seconds.
not-human-score
Deprecated since v13.0.0. Please use not-human-score in auto-
transactions under urls instead. Specifies the score added to
an alert that is triggered if the system only suspects that
the client is a bot and not a human. The default is a score
of 25.
strong-integrity
Specifies how the system performs strong integrity. You can
configure the following options for strong integrity:
hide-encrypted-parameters
Specifies, when enabled, that JavaScript does not add
the expected value of encrypted parameters to strong
integrity parameter.
parameter
Specifies the name of the HTTP parameter in POST
requests added by JavaScript with the expected user-
input data verified with physical input events.
tampered-cookie-score
Deprecated since v13.0.0. Please use tampered-cookie-score in
auto-transactions under urls instead. Specifies the score
added to an alert that is triggered if the system detects
that the transaction-data cookie was tampered with. The
default is a score of 50.
time-fail-score
Deprecated since v13.0.0. Please use time-fail-score in auto-
transactions under urls instead. Specifies the score added to
an alert that is triggered if the min-time-to-request
condition is not met. The default is a score of 20.
before-load-function
Specifies the implementation of additional function to be run
before JavaScript load, in the following format:
function(configs){...}. Note: For certain advanced configurations,
F5 support may provide a relevant code to be entered here, please
do not use it on your own.
blocking-page
Specifies information to display when the profile blocks a user
account. You can configure the following options for blocking
page:
response-body
Specifies the HTML code the system sends to the user whose
account is blocked.
response-headers
Specifies the set of response headers that the system sends
to the user whose account is blocked. Separate each header
with a new line (Ctrl-V followed by Ctrl-J).
[case-sensitive | case-insensitive]
Specifies whether the profile treats protected URL paths as case
sensitive, or not. The default value is case-insensitive. Note: If
you create a profile, you can use either property, thereafter it
becomes read only. If the profile is case insensitive, the system
stores protected URL paths in lowercase in the profile
configuration.
cloud-service-pool
Specifies the name of the pool used by the system for various
internal purposes, like signing Forensics tool.
config-location
Specifies the BIG-IP URL directory where the configuration for the
injected JavaScript is located. The path here does not include the
actual filename of the configuration for the injected JavaScript.
This path cannot be none and must start with '/'.
cookies
Specifies names and lifetimes for the cookies that the system uses
to optimize its detection of malware, data transactions, and
phishing attacks on the web application. If you do not assign a
name to a cookie, a random name is assigned. You can configure the
following cookies:
application
Adds, deletes, or replaces a set of application cookies that
will be removed if at least one of the protected cookies is
missing.
base-domain
Specifies base domain settings for the cookies. You can
configure the following options for base domain:
apply
Specifies, when enabled, that the system applies the
cookies to the base domain.
exceptions
Adds, deletes, or replaces a set of exceptional base
domains that take precedence when the system resolves
the base domain from a host header.
client-side
Specifies the name of the cookie in which the system inserts
plain text with a record about client side alerts already
sent. This is done in order to prevent flooding the system
with additional alerts if the page reloads.
client-side-lifetime
Specifies whether the client-side cookie is persistent, and
if so, after how many minutes it expires.
components-state
Specifies the name of the cookie that verifies that the
system's expected JavaScript can run successfully, and
whether the system successfully decrypted configuration data
arriving from server.
components-state-lifetime
Specifies whether the components-state cookie is persistent,
and if so, after how many minutes it expires.
components-state-removal-protection
Enables or disables protection of the secure-alert cookie
from removal.
encryption-disabled
Specifies the name of the cookie that the system adds if the
system fails to decrypt a password (to restore the original
password as the user typed it), and the system forwards a
request to the server and waits for a login failure response.
In this case, the cookie does not encrypt the password on the
next login attempt. This is used in situations where
Application layer encryption is not possible (for example, if
the user is using an old browser that cannot encrypt
passwords).
encryption-disabled-lifetime
Specifies whether the encryption-disabled cookie is
persistent, and if so, after how many minutes it expires.
encryption-disabled-removal-protection
Enables or disables protection of the encryption-disabled
cookie from removal.
fingerprint
Specifies the name of the cookie that contains fingerprint
data.
fingerprint-lifetime
Specifies whether the fingerprint cookie is persistent, and
if so, after how many minutes it expires.
fingerprint-removal-protection
Enables or disables protection of the fingerprint cookie from
removal.
html-field-obfuscation
Specifies the name of the cookie that the system sets to
identify the fields that were created by HTML field
obfuscation, in order to remove them from the request before
sending it back to the web application, and to know which
field names to decrypt.
html-field-obfuscation-lifetime
Specifies whether the html-field-obfuscation cookie is
persistent, and if so, after how many minutes it expires.
malware-forensic
Specifies the name of the cookie that stores the essential
response header values from the web application to be sent to
the user after he finishes or skips downloading and running
Forensics tool on his host.
malware-forensic-lifetime
Specifies whether the malware-forensic cookie is persistent,
and if so, after how many minutes it expires.
malware-guid
Specifies the name of the cookie set by JavaScript to a
random string (12 chars long, not encrypted). The system
sends this cookie value in a special alert to the dashboard
in order to associate it with the logged in user.
malware-guid-lifetime
Specifies whether the malware-guid cookie is persistent, and
if so, after how many minutes it expires.
malware-guid-removal-protection
Enables or disables protection of the malware-guid cookie
from removal.
rules
Specifies the name of the cookie that the system sets in
order to perform the actions route and/or redirect.
rules-lifetime
Specifies whether the rules cookie is persistent, and if so,
after how many minutes it expires.
rules-removal-protection
Enables or disables protection of the rules cookie from
removal.
secure-alert
Specifies the name of the cookie that secures arrival of
alerts originating from JavaScript to the dashboard.
secure-alert-lifetime
Specifies whether the secure-alert cookie is persistent, and
if so, after how many minutes it expires.
secure-alert-removal-protection
Enables or disables protection of the secure-alert cookie
from removal.
secure-channel
Specifies the name of the cookie that the system sets when
the system provides JavaScript with a public key for
encryption operations. This cookie is used for the system to
correlate incoming encrypted data with the private key when a
request comes from the client.
secure-channel-lifetime
Specifies whether the secure-channel cookie is persistent,
and if so, after how many minutes it expires.
secure-channel-removal-protection
Enables or disables protection of the secure-channel cookie
from removal.
transaction-data
Specifies the name of the cookie that contains information
(such as mouse movement, clicks, and events) in encrypted
format and sends that information to the system.
transaction-data-lifetime
Specifies whether the transaction-data cookie is persistent,
and if so, after how many minutes it expires.
user-inspection
Specifies the name of cookie that is set once a user is
identified in a web form submitted by the client and this
user is enforced in inspection mode.
user-name
Specifies the name of the cookie with the username value
after a username is identified in a request. This ensures
that further transactions from the client are still
associated with that user even if they do not include the
username field.
user-name-lifetime
Specifies whether the user-name cookie is persistent, and if
so, after how many minutes it expires.
user-name-removal-protection
Enables or disables protection of the user-name cookie from
removal.
debug
Specifies troubleshooting settings to add and filter debug logs of
the system. Note: Only F5 support should configure this section,
please do not use it on your own. F5 support can configure the
following debug options:
console-log
Specifies when the system add prints to browser console. TMM
logs are also enabled in such cases. F5 support can configure
the following options for console log:
client-ips
Adds, deletes, or replaces a set of client IP addresses
for which the system adds prints to browser console.
user-agents
Adds, deletes, or replaces a set of strings contained in
user-agent header for which the system adds prints to
browser console.
fingerprints
Adds, deletes, or replaces a set of strings contained in
fingerprint data for which the system adds prints to
browser console.
send-alert
Specifies when the system sends debug alerts to the
dashboard. TMM logs are also enabled in such cases. F5
support can configure the following options for sending
alerts:
client-ips
Adds, deletes, or replaces a set of client IP addresses
for which the system sends debug alerts to the
dashboard.
user-agents
Adds, deletes, or replaces a set of strings contained in
user-agent header for which the system sends debug
alerts to the dashboard.
fingerprints
Adds, deletes, or replaces a set of strings contained in
fingerprint data for which the system sends debug alerts
to the dashboard.
defaults-from
Specifies the profile that you want to use as the parent profile.
Your new profile inherits all settings and values from the parent
profile specified.
description
User defined description.
encryption-staging-mode
Specifies, when enabled, that the system activates Anti-fraud
encryption staging mode. If decrypted data differs from original
data, an alert will be sent and original data will be used.
fingerprint
Specifies how the system collects fingerprint data. You can
configure the following fingerprint options:
collect
Specifies, when enabled, that the system collects fingerprint
data.
location
Specifies the BIG-IP URL location of the fingerprint
JavaScript. This path cannot be none and must start with '/'.
forensic
Specifies how the system enforces scanning client host for malware
(Forensics) and its removal (remediation). You can configure the
following options for Forensics and remediation:
alert-path
Specifies the BIG-IP URL path for alerts from Forensics tool.
This path cannot be none and must start with '/'.
client-domains
Adds, deletes, or replaces a set of client domains to be
resolved by Forensics tool.
cloud-config-path
Specifies the BIG-IP URL path for requests from Forensics
tool to cloud-service-pool. This path cannot be none and must
start with '/'.
cloud-forensics-mode
Specifies the numeric value sent to cloud-service-pool to
download Forensics tool.
cloud-remediation-mode
Specifies the numeric value sent to cloud-service-pool to
download Forensics tool in remediation mode.
continue-element
Specifies the HTML element with continue option that replaces
%SKIP_PART% in the entire html, when enforce-policy is
enforce. Note: This property may be modified only when the DB
variable antifraud.forensic.showgui has value enable.
exe-location
Specifies the BIG-IP URL path to download Forensics tool that
also replaces %EXE_LOCATION% in the entire html. This path
cannot be none and must start with '/'.
html Specifies the HTML code the system sends to the user after
successful login with option to download Forensics tool.
Note: This property may be modified only when the DB variable
antifraud.forensic.showgui has value enable.
self-post-location
Specifies the BIG-IP URL path for self POST page opened by
Forensics tool during scanning. This path cannot be none and
must start with '/'.
skip-element
Specifies the HTML element with skip option that replaces
%SKIP_PART% in the entire html, when enforce-policy is not
enforce. Note: This property may be modified only when the DB
variable antifraud.forensic.showgui has value enable.
skip-path
Specifies the BIG-IP URL path for skip / continue option that
also replaces %SKIP_PATH% in both continue-element and skip-
element (before their replacement in the entire html). This
path cannot be none and must start with '/'.
glob Displays the items that match the glob expression. See help glob
for a description of glob expression syntax.
javascript-location
Specifies the BIG-IP URL directory where the injected JavaScript
is located. The path here does not include the actual filename of
the injected JavaScript. This path cannot be none and must start
with '/'.
inject-main-javascript
Deprecated since v12.1.3 (excluding v13.0.0). Please use same
configuration in a specific URL instead. Specifies where the
system injects the main JavaScript. You can configure the
following options for main JavaScript injection position:
[after | before]
Deprecated since v12.1.3 (excluding v13.0.0). Please use same
configuration in a specific URL instead. Specifies whether
the system injects the main JavaScript after an opening tag
or before a closing tag.
tag Deprecated since v12.1.3 (excluding v13.0.0). Please use same
configuration in a specific URL instead. Specifies the HTML
tag for injection of the main JavaScript. This tag cannot be
none.
malware
Specifies how the system detects a malware attack on the web
application. You can configure the following options for Malware
protection:
allowed-domains
Adds, deletes, or replaces a set of whitelisted domains. The
system does not send alerts on requests for URLs from these
domains, even if the system detects malware injection on
these domains.
bait-check-generic
Specifies, when enabled, that the system checks predefined
baits. Note: The configured baits are checked anyway.
bait-location
Specifies the BIG-IP URL location of a file that acts as bait
for attackers. This path cannot be none and must start with
'/'.
blacklist-words
Deprecated since v13.0.0. Please use blacklist-js-words and
blacklist-words in detected-malware instead. Adds, deletes,
or replaces a set of words that are blacklisted if they
appear in the web application's HTML or JavaScript code. If
the system detects these words, the system generates a
malware alert.
detected-malware
Adds, deletes, or replaces a set of malware detected by the
system. You can configure the following options for each
malware:
baits
Adds, deletes, or replaces a set of baits for this
malware. You can configure the following options for
each bait:
data-before
Specifies the HTML code that the malware searches
and injects data-inject after it.
data-inject
Specifies the malicious code that the malware
injects after data-before.
trigger-url
Specifies trigger URL settings for this bait. You
can configure the following options for trigger
URL:
name Specifies the URL pattern that triggers the
malware to inject malicious code.
position
Specifies the position of this URL pattern in
the query string of a bait request.
alone
Specifies that this trigger URL must be
alone in the query string of a bait
request.
any Specifies that the this trigger URL can
be anywhere in the query string of a bait
request. This is the default value.
last Specifies that the this trigger URL must
be last in the query string of a bait
request.
blacklist-functions
Adds, deletes, or replaces a set of regular expression
patterns to detect functions that this malware can use
when executing AJAX requests.
blacklist-js-words
Adds, deletes, or replaces a set of words that are
blacklisted if they appear in the JavaScript code. If
the system detects these words, the system generates a
malware alert.
blacklist-urls
Adds, deletes, or replaces a set of regular expression
patterns to detect URLs that this malware can use for
AJAX requests and external scripts.
blacklist-words
Adds, deletes, or replaces a set of words that are
blacklisted if they appear in the web application's HTML
code. If the system detects these words, the system
generates a malware alert.
browser-cache
Specifies how the system checks client network
connection as targeted method. You can configure the
following options for Browser cache:
blacklist-urls
Adds, deletes, or replaces a set of resources that
are loaded by the malware.
whitelist-urls
Adds, deletes, or replaces a set of non-existent
resources.
domain-availability
Specifies how the system checks client network
connection as generic method. You can configure the
following options for Domain availability:
blacklist-urls
Adds, deletes, or replaces a set of URLs that are
not blocked by the malware.
whitelist-urls
Adds, deletes, or replaces a set of URLs that are
blocked by the malware.
generic-whitelist-words
Adds, deletes, or replaces a set of generic blacklisted
words that are ignored.
domain-availability-urls
Deprecated since v13.0.0. Please use blacklist-urls and
whitelist-urls in domain-availability under detected-malware
instead. Specifies a JSON object containing URLs for which
client network connectivity should be checked.
external-sources-targets
Adds, deletes, or replaces a set of HTML element types and
their attributes for which external injections should be
checked.
flash-cookie-content
Specifies the flash file (in hexadecimal format) used to
allow JavaScript to access the Flash object on the client
side. The default content is none. The length is limited to
64k.
flash-cookie-location
Specifies the BIG-IP URL location of the SWF file that
JavaScript requests to get the Flash file. This path cannot
be none and must start with '/'.
flash-cookies
Specifies, when enabled, that the system may use a Flash
shared object (FSO) as a place to store an alternative
malware cookie. This cookie tells the system, after a login
attempt, that this user has malware, and the system sends an
alert.
generic-whitelist-words
Deprecated since v13.0.0. Please use generic-whitelist-words
in detected-malware instead. Adds, deletes, or replaces a set
of generic blacklisted words that are ignored.
inline-scripts-whitelist-signatures
Adds, deletes, or replaces a set of signatures for allowed
inline scripts. In case a signature appears as part of
JavaScript inline script, the system does not count this
script in the source integrity feature.
removed-scripts
Specifies how the system detects self-removed malicious
scripts. You can configure the following options for removed
scripts detection:
blacklist-functions
Adds, deletes, or replaces a set of functions that are
used for detecting self-removed malicious scripts.
whitelist-functions
Adds, deletes, or replaces a set of functions that are
NOT used for detecting self-removed malicious scripts.
source-integrity-location
Specifies the BIG-IP URL path where the system collects
information about the HTML source from multiple users. This
path cannot be none and must start with '/'.
web-rootkit
Specifies how the system detects Web-RootKit malware. You can
configure the following options for Web-RootKit detection:
blacklist-functions
Adds, deletes, or replaces a set of additional functions
to be checked.
whitelist-functions
Adds, deletes, or replaces a set of native functions
that are allowed to be overwritten.
mobilesafe
Specifies how the system detects and prevents phishing, Trojan,
and pharming attacks on mobile devices in real time. You can
configure the following options for mobile security:
alert-custom-config
Specifies alert custom configuration for SDK forward
compatibility. Note: For certain advanced configurations, F5
support may provide a relevant string to be entered here,
please do not use it on your own.
alert-threshold
Specifies the minimal score for sending alerts from mobile
devices.
app-integrity
Specifies how the system checks if the application on the
mobile device has been tampered with. You can configure the
following options for Application integrity:
custom-config
Specifies custom configuration of Application integrity
for SDK forward compatibility. Note: For certain
advanced configurations, F5 support may provide a
relevant string to be entered here, please do not use it
on your own.
[enabled | disabled]
Enables or disables Application integrity.
android
Specifies Application integrity settings for Android
platform. You can configure the following options for
Android Application integrity:
score
Specifies Application integrity score for Android
platform.
signature
Specifies signature of Android application (in
hexadecimal format).
ios Specifies Application integrity settings for iOS
platform. You can configure the following options for
iOS Application integrity:
hashes
Adds, deletes, or replaces a set of iOS Application
hashes (in base64-encoded format). You can
configure the following options for iOS Application
hash:
version
Specifies iOS Application version for this
hash.
score
Specifies Application integrity score for iOS
platform.
general-custom-config
Specifies general custom configuration for SDK forward
compatibility. Note: For certain advanced configurations, F5
support may provide a relevant string to be entered here,
please do not use it on your own.
malware
Specifies how the system checks for malicious applications on
the customer's mobile devices. You can configure the
following options for Malware detection:
android
Specifies Malware detection settings for Android
platform. You can configure the following options for
Android Malware detection:
custom-malware
Adds, deletes, or replaces a custom set of checked
malware for Android platform. You can configure the
following options for each Android malware:
package
Specifies package of checked Android malware.
score
Specifies score for checked Android malware.
custom-whitelist
Adds, deletes, or replaces a custom set of
whitelist applications for Android platform. You
can configure the following options for each
whitelist Android application:
package
Specifies package of whitelist Android
application.
check-custom
Enables or disables custom malware check.
check-generic
Enables or disables generic malware check.
custom-config
Specifies custom configuration of Malware detection for
SDK forward compatibility. Note: For certain advanced
configurations, F5 support may provide a relevant string
to be entered here, please do not use it on your own.
[enabled | disabled]
Enables or disables Malware detection.
ios Specifies Malware detection settings for iOS platform.
You can configure the following options for iOS Malware
detection:
custom-malware
Adds, deletes, or replaces a custom set of checked
malware for iOS platform. You can configure the
following options for each iOS malware:
path Specifies path of checked iOS malware.
score
Specifies score for checked iOS malware.
custom-whitelist
Adds, deletes, or replaces a custom set of
whitelist applications for iOS platform. You can
configure the following options for each whitelist
iOS application:
path Specifies path of whitelist iOS application.
behaviour-analysis
Specifies how the system checks for suspicious behavior
and characteristics on all applications on the
customer's mobile devices. You can configure the
following options for behavior analysis:
run Enables or disables behaviour analysis run.
score
Specifies score for behavior analysis.
mitm Specifies how the system checks the defined domains for DNS
Spoofing and Certificate Forging on customer devices. You can
configure the following options for Man-in-the-middle
detection:
certificate-custom-config
Specifies custom configuration of Certificate forging
detection for SDK forward compatibility. Note: For
certain advanced configurations, F5 support may provide
a relevant string to be entered here, please do not use
it on your own.
dns-custom-config
Specifies custom configuration of DNS spoofing detection
for SDK forward compatibility. Note: For certain
advanced configurations, F5 support may provide a
relevant string to be entered here, please do not use it
on your own.
domains
Adds, deletes, or replaces a set of domains for Man-in-
the-middle detection. You can configure the following
options for a MITM domain:
dns Specifies DNS spoofing detection settings for this
domain. You can configure the following options for
DNS spoofing detection:
ip-ranges
Adds, deletes, or replaces a set of IP address
ranges for DNS spoofing detection.
spoofing-score
Specifies score for DNS spoofing detection.
certificate
Specifies Certificate forging detection settings
for this domain. You can configure the following
options for Certificate forging detection:
forging-score
Specifies score for Certificate forging
detection.
hash Specifies certificate hash.
[enabled | disabled]
Enables or disables Man-in-the-middle detection.
os-security
Specifies how the system checks the customer's mobile devices
for old, unsupported, and unpatched operation system (OS)
versions. You can configure the following options for OS
security:
android
Specifies OS security settings for Android platform. You
can configure the following options for Android OS
security:
versions
Adds, deletes, or replaces an ordered set of
version ranges for Android platform. You can
configure the following options for Android version
range:
from Specifies Android version number from which OS
is unpatched.
priority
Specifies a unique ordinal number for Android
version range in the set. This option is
required for the operations add, delete,
modify, and replace-all-with.
score
Specifies score for Android version range.
to Specifies Android version number to which OS
is unpatched.
custom-config
Specifies custom configuration of OS security for SDK
forward compatibility. Note: For certain advanced
configurations, F5 support may provide a relevant string
to be entered here, please do not use it on your own.
[enabled | disabled]
Enables or disables OS security.
ios Specifies OS security settings for iOS platform. You can
configure the following options for iOS OS security:
versions
Adds, deletes, or replaces an ordered set of
version ranges for iOS platform. You can configure
the following options for iOS version range:
from Specifies iOS version number from which OS is
unpatched.
priority
Specifies a unique ordinal number for iOS
version range in the set. This option is
required for the operations add, delete,
modify, and replace-all-with.
score
Specifies score for iOS version range.
to Specifies iOS version number to which OS is
unpatched.
untrusted-apps-score
Specifies score for untrusted applications.
rooting-jailbreak
Specifies how the system checks customer's mobile devices to
determine if they are rooted / jailbroken. You can configure
the following options for Rooting / Jailbreak detection:
custom-config
Specifies custom configuration of Rooting / Jailbreak
detection for SDK forward compatibility. Note: For
certain advanced configurations, F5 support may provide
a relevant string to be entered here, please do not use
it on your own.
[enabled | disabled]
Enables or disables Rooting / Jailbreak detection.
jailbreak-score
Specifies score for jailbreak on iOS platform.
rooting-score
Specifies score for rooting on Android platform.
name Specifies a unique name for the component. This option is required
for the commands create, delete, and modify.
partition
Displays the administrative partition within which the component
resides.
phishing
Specifies how the system detects a phishing attempt. You can
configure the following options for phishing site detection:
alert-path
Specifies the BIG-IP URL path for alerts from the phishing
inline script. This path cannot be none and must start with
'/'.
allowed-elements
Adds, deletes, or replaces a set of URLs in requests for
which the system does not verify (check) the referrer header
value.
allowed-referrers
Adds, deletes, or replaces a set of domain names that are
allowed to appear in the referrer header when requesting
protected resources.
application-css
Specifies, when enabled, that the system injects the CSS
content to the existing application CSS files.
application-css-locations
Adds, deletes, or replaces a set of server URL locations of
the application CSS files, used when application-css is
enabled.
css-attribute-name
Specifies the attribute name as part of the CSS content. This
name cannot be none.
css-location
Specifies the BIG-IP URL location of the CSS file, used when
application-css is disabled. Injecting JavaScript protects
the web application against phishing attempts because even if
an attacker removes the injected JavaScript from the copied
web page, the CSS element is not modified, and this triggers
an alert. This path cannot be none and must start with '/'.
expiration-checks
Specifies, when enabled, that the system sends an alert if
expired JavaScript engine files are used, as this is an
indication of a phishing attack.
image-location
Specifies the BIG-IP URL location of the 1x1 pixel image
file. If an attacker copies a web page with this image, it
most likely lacks the JavaScript, and this triggers an alert.
This path cannot be none and must start with '/'.
inject-css-element
Deprecated since v12.1.3 (excluding v13.0.0). Please use same
configuration in a specific URL instead. Specifies where the
system injects the CSS element. You can configure the
following options for CSS element injection position:
[after | before]
Deprecated since v12.1.3 (excluding v13.0.0). Please use
same configuration in a specific URL instead. Specifies
whether the system injects the CSS element after an
opening tag or before a closing tag.
tag Deprecated since v12.1.3 (excluding v13.0.0). Please use
same configuration in a specific URL instead. Specifies
the HTML tag for injection of the CSS element. This tag
cannot be none.
inject-css-link
Deprecated since v12.1.3 (excluding v13.0.0). Please use same
configuration in a specific URL instead. Specifies where the
system injects the CSS link, when application-css is
disabled. You can configure the following options for CSS
link injection position:
[after | before]
Deprecated since v12.1.3 (excluding v13.0.0). Please use
same configuration in a specific URL instead. Specifies
whether the system injects the CSS link after an opening
tag or before a closing tag.
tag Deprecated since v12.1.3 (excluding v13.0.0). Please use
same configuration in a specific URL instead. Specifies
the HTML tag for injection of the CSS link. This tag
cannot be none.
inject-inline-javascript
Deprecated since v12.1.3 (excluding v13.0.0). Please use same
configuration in a specific URL instead. Specifies where the
system injects the phishing inline script and image. You can
configure the following options for phishing inline script
and image injection position:
[after | before]
Deprecated since v12.1.3 (excluding v13.0.0). Please use
same configuration in a specific URL instead. Specifies
whether the system injects the phishing inline script
and image after an opening tag or before a closing tag.
tag Deprecated since v12.1.3 (excluding v13.0.0). Please use
same configuration in a specific URL instead. Specifies
the HTML tag for injection of the phishing inline script
and image. This tag cannot be none.
protected-elements
Adds, deletes, or replaces a set of URLs in requests for
which the system verifies (checks) the referrer header value.
You can use wildcards, for example *.gif.
referrer-checks
Specifies, when enabled, that the system verifies (checks)
requests coming to the web application for resources from
different domains.
risk-engine-publisher
Specifies the name of the log publisher used for reports to a Risk
engine.
rules
Adds, deletes, or replaces a set of rules used by the system to
perform actions upon detected events. You can configure the
following options for each rule:
action
Specifies the type of the action that the system performs
when this event is detected. The options are:
block-user
Specifies that the system adds the user with block mode
to be enforced from the next login.
forensic
Specifies that the system adds the user with forensic
mode to be enforced from the next login.
inspection
Specifies that the system adds the user with inspection
mode to be enforced from the next login.
redirect
Specifies that the system redirects the next request to
a specific web page.
remediation
Specifies that the system adds the user with remediation
mode to be enforced from the next login.
route
Specifies that the system routes to a specific pool all
subsequent requests for a specific time.
web-service
Specifies that the system sends a POST request to a
specific Web service.
duration
Specifies number of minutes during which the system performs
the action block-user, forensic, inspection, remediation or
route.
enforce-policy
Specifies enforcement policy for the action block-user,
forensic, inspection or remediation. The options are:
enforce
Specifies that the system adds the user mode with the
enforce policy.
time-limited
Specifies that the system adds the user mode with the
time-limited policy.
unlimited
Specifies that the system adds the user mode with the
unlimited policy.
event
Specifies a unique event for the rule. This option is
required for the operations create, delete, modify, and
replace-all-with. The options are:
auto-transaction
Specifies that the action is performed when the system
detects automatic (bot) transaction.
client-network-connection
Specifies that the action is performed when the system
detects that client network connectivity is blocked.
client-side-missing-components
Specifies that the action is performed when the system
detects missing components on the client side.
encryption-failure
Specifies that the action is performed when the system
fails to decrypt a password.
generic-malware
Specifies that the action is performed when the system
detects generic malware.
mandatory-words
Specifies that the action is performed when the system
detects that mandatory words are changed in the page.
phishing
Specifies that the action is performed when the system
detects a phishing attempt.
phishing-user
Specifies that the action is performed when the system
detects a user attacked by a phishing attempt.
rat-detection
Specifies that the action is performed when the system
detects a Remote Access Trojan (RAT) on a client web
browser.
referrer-checks
Specifies that the action is performed when the system
detects a request from a different domain by the
referrer header.
server-side-missing-components
Specifies that the action is performed when the system
detects missing components on the BIG-IP.
source-integrity
Specifies that the action is performed when the system
detects a mismatch of the URL's HTML source code.
web-injection
Specifies that the action is performed when the system
detects an attempt to inject malware.
min-score
Specifies the lowest score of this event necessary for the
system to perform the action.
payload
Specifies the payload for the web-service action.
pool Specifies the name of the pool for the route action.
publisher
Specifies the name of the log publisher for the web-service
action.
url Specifies the URL for the action redirect or web-service.
suggested-username-header
Specifies the name of the custom HTTP header in AJAX requests
added by JavaScript with a username value identified on the client
side.
trigger-irule
Specifies, when enabled, that the system activates Anti-fraud
iRule events. The default value is disabled.
urls Adds, deletes, or replaces a set of URLs in the web application
that are protected by the system. You can configure the following
options for a protected URL:
app-layer-encryption
Specifies when the system performs Application layer
encryption. With Application layer encryption, the system
detects an attempt to steal and tamper with end-user
passwords (or other protected information), and also prevents
it by encrypting the protected information. You can configure
the following options for Application layer encryption:
add-decoy-inputs
Specifies, when enabled, that the system randomly and
continuously generates and removes decoy fields
that are added to the web page, thus making it harder
for an attacker to identify sensitive information with
either JavaScript or a proxy. In order to enable it, you
must first enable html-field-obfuscation.
custom-encryption-function
Specifies the name or implementation of custom
encryption function to be run instead of built-in
encryption.
[enabled | disabled]
Specifies whether the system protects this URL with
Application layer encryption, and sends an alert if an
attacker attempts to breach Application layer encryption
for this URL, or not.
fake-strokes
Specifies, when enabled, that the system protects
against in-browser key loggers by generating fake
keyboard events.
full-ajax-encryption
Specifies, when enabled, that the system encrypts the
full AJAX payload.
hide-password-revealer
Specifies, when enabled, that the system hides the
password revealer icon found in web pages.
html-field-obfuscation
Specifies, when enabled, that the system encrypts the
names of defined fields on the client, and then
decrypts them back to the original names on the BIG-IP.
real-time-encryption
Specifies, when enabled, that the system encrypts
passwords as they are typed (even before the user clicks
the Submit button in a web form).
remove-element-ids
Specifies, when enabled, that the system removes the ID
attribute from the fields in a web form. In
order to enable it, you must first enable html-field-
obfuscation.
remove-event-listeners
Specifies, when enabled, that the system removes event
listeners from the encrypted fields in a web
form.
stolen-creds
Specifies, when enabled, that the system examines
whether the user was trying to use a fabricated
password.
substitute-value-function
Specifies a JavaScript function that receives the real
password as an argument and returns a fake value.
auto-transactions
Specifies how the system protects this URL from automatic
(bot) transactions. You can configure the following options
for Automated transactions detection:
bot-score
Specifies the score added to an alert that is triggered
if the system determines that the client is a bot and
not a human. The default is a score of 50.
browser
Specifies, when enabled, that the system looks for bot
automation performed within the browser.
click-score
Specifies the score added to an alert that is triggered
if the min-mouse-over-count and min-mouse-move-count
conditions are not met. The default is a score of 40.
[enabled | disabled]
Specifies whether the system protects this URL against
non-human transactions, and sends an alert if the system
detects a non-human transaction attempt for this URL, or
not.
full-ajax-integrity
Specifies, when enabled, that the system verifies
whether the full AJAX payload was changed by malware
when it left the browser for the server.
integrity-fail-score
Specifies the score added to an alert that is triggered
if the system detects a difference between the actual
parameter value and the expected value of a protected
parameter sent after a user clicks a web form's Submit
button. The default is a score of 40.
min-mouse-move-count
Specifies the minimum number of mouse movements
necessary per page load in order for the system to
consider the transaction to be of human origin. The
default is 5 movements.
min-mouse-over-count
Specifies the minimum number of times the client's mouse
is positioned over the Submit button in a web form in
order for the system to consider the transaction to be
of human origin. The default is 2 button interactions.
min-report-score
Specifies the lowest score necessary for the system to
send an alert. The default value is 50.
min-time-to-request
Specifies the minimum amount of time (in seconds)
permitted between when a web form is opened and the
Submit button is clicked. The default is 2 seconds.
non-browser
Specifies, when enabled, that the system looks for bot
automation performed not within the browser.
not-human-score
Specifies the score added to an alert that is triggered
if the system only suspects that the client is a bot and
not a human. The default is a score of 25.
strong-integrity
Specifies, when enabled, that the system detects a
difference between the actual parameter value and the
expected value of a protected parameter verified with
physical input events.
submit-buttons
Adds, deletes, or replaces a set of non-standard Submit
buttons found in forms of the web application. You can
specify the name, or the CSS syntax (ID, class, or
tagname) for each button.
tampered-cookie-score
Specifies the score added to an alert that is triggered
if the system detects that the transaction-data cookie
was tampered with. The default is a score of 50.
time-fail-score
Specifies the score added to an alert that is triggered
if the min-time-to-request condition is not met. The
default is a score of 20.
custom-alerts
Adds, deletes, or replaces a set of user-defined alerts sent
by the system upon searches in different parts of the
request. You can configure the following options for each
user-defined alert:
component
Specifies the alert component that the system sends in
this alert. Select either: malware (the default value),
phishing, auto-transactions, or mobilesafe.
header-name
Specifies a header name in which the system searches for
the value when search-in is header.
malware-name
Specifies the malware detected by this alert when
component is malware.
message
Specifies the user-defined message that the system sends
in this alert.
search-in
Specifies the part of the request where the system must
find the value to send this alert. Note: If you create a
user-defined alert, you can use either request part,
thereafter it becomes read only.
client-ip
Specifies that the systems sends this alert if the
client IP address equals to the value.
header
Specifies that the systems sends this alert if the
header-name header contains the value.
payload
Specifies that the systems sends this alert if the
request payload contains the value.
query-string
Specifies that the systems sends this alert if the
URL query string contains the value.
value
Specifies a value that the system searches for in the
search-in part of the request. The default value is
none, which means that the system searches for any
value.
description
Specifies an optional description of this URL.
include-query-string
Specifies, when enabled, that the system includes query
string of URLs to match this wildcard expression. The default
value is disabled.
inject-javascript
Enables or disables JavaScript injection into responses to
this URL. The default value is enabled.
inject-main-javascript
Specifies where the system injects the main JavaScript. You
can configure the following options for main JavaScript
injection position:
[after | before]
Specifies whether the system injects the main JavaScript
after an opening tag or before a closing tag.
tag Specifies the HTML tag for injection of the main
JavaScript. This tag cannot be none.
login-response
Specifies validation criteria on the response of this URL
when it is Login page. You must configure at least one of
them. If you configure more than one validation criteria,
then all the criteria must be fulfilled for successful login.
You can configure the following Login page properties:
status-code
Specifies an HTTP response status code that the server
must return to the user upon successful login.
domain-cookie
Specifies a defined domain cookie that the successful
response to the login URL must include.
exclude-string
Specifies a string that should NOT appear in the
successful response to the login URL.
header
Specifies a header name and value that the successful
response to the login URL must match.
include-string
Specifies a string that should appear in the successful
response to the login URL.
validation
Enables or disables successful login validation.
malware
Specifies when the system detects attempts of attackers to
inject malware in the URL. You can configure the following
options for Malware detection:
attach-html-to-alerts
Specifies, when enabled, that the system attaches
forensics information along with the alerts.
auto-learn-form-tags
Specifies, when enabled, that the system learns the
number of HTML form tags that appear in the URL. In
order to enable it, you must first enable source-
integrity.
auto-learn-input-tags
Specifies, when enabled, that the system learns the
number of HTML input tags that appear in the URL. In
order to enable it, you must first enable source-
integrity.
auto-learn-script-tags
Specifies, when enabled, that the system learns the
number of HTML script tags that appear in the URL. In
order to enable it, you must first enable source-
integrity.
blocked-enter-key-detection
Specifies, when enabled, that the system detects blocked
"Enter" key.
domain-availability
Specifies, when enabled, that the system checks that
client network connectivity is not blocked by malware.
enable-symbols
Specifies, when enabled, that the system looks for
malware strings (signatures) within JavaScript.
[enabled | disabled]
Specifies whether the system protects this URL against
injected malware, and sends an alert if this URL is
detected to have malware, or not.
external-injection
Specifies, when enabled, that the system detects
malicious scripts injected from domains not in the
profile's allowed-domains.
generic-malware
Specifies, when enabled, that the system applies the
detection of generic malware, using honeypots.
manual-count-form-tags
Specifies the number of HTML forms that appear in the
URL.
manual-count-input-tags
Specifies the number of HTML inputs that appear in the
URL.
manual-count-script-tags
Specifies the number of HTML scripts that appear in the
URL.
rat-detection
Specifies, when enabled, that the system checks for
Remote Access Trojans (RATs) on clients' web browsers.
removed-scripts-detection
Specifies, when enabled, that the system detects
malicious scripts that removed their own injection from
the DOM.
source-integrity
Specifies, when enabled, that the system verifies that
the URL's HTML source code matches the HTML code sent
from the server. The source integrity feature counts
script tags that are external (with src) and inline
(without src).
vbklip-detection
Specifies, when enabled, that the system checks for
VBKlip malware.
visibility-check
Specifies, when enabled, that the system searches HTML
pages for words from visibility-check-items.
visibility-check-items
Adds, deletes, or replaces a set of words that must
appear in the web site's HTML pages and may not be
changed. If these words are changed, the system sends an
alert.
web-rootkit-detection
Specifies, when enabled, that the system detects malware
that overwrites native browser functions.
whitelist-words
Adds, deletes, or replaces a set of words that are
permitted to appear in requests for this URL, even
though they are otherwise blacklisted by the system for
other URLs.
mobilesafe-encryption
Specifies, when enabled, that the system protects requests
for this URL from mobile devices with Application layer
encryption.
parameters
Adds, deletes, or replaces a set of sensitive parameters
protected by the system. You can configure the following
options for each parameter:
attach-to-vtoken-report
Specifies, when enabled, that the system adds the
parameter value data to the alerts.
check-integrity
Specifies, when enabled, that the system verifies
whether the user-input data was changed by malware when
it left the browser for the server.
encrypt
Specifies, when enabled, that the system encrypts the
parameter's value attribute.
identify-as-username
Specifies, when enabled, that the system considers this
parameter a username. Note: There may be only one such
parameter per URL, and its value is used only when login
is successful (according to the URL's login-response).
method
Specifies the method of the request from which the
systems gets the parameter data. Select either: POST
(the default value) or GET.
mobilesafe-encrypt
Specifies that this parameter contains the encrypted
fields from mobile devices. Note: There may be only one
such parameter per URL (usually called auth), it cannot
have other settings enabled and its method must be POST.
mobilesafe-entangle
Specifies that this parameter must be encrypted by
mobile devices. The system replaces its value in the
request payload and sends an alert if the mobilesafe-
encrypt parameter does not contain this field.
obfuscate
Specifies, when enabled, that the system encrypts the
parameter's name attribute.
substitute-value
Specifies, when enabled, that the system substitutes the
parameter's value with asterisks [*] in the web
application while the form is being filled. In order to
enable it, you must first enable encrypt.
phishing
Specifies when the system detects phishing attempts by
attackers who set up a fake URL that imitates the real URL.
You can configure the following options for Phishing
detection:
capture-users
Specifies, when enabled, that the system logs the
usernames and text fields (not passwords) of users
attacked by a phishing attempt.
copy-detection
Specifies, when enabled, that the system detects copied
web pages.
css-protection
Specifies, when enabled, that the system activates the
CSS module, which is part of the system's phishing
detection backup mechanism.
[enabled | disabled]
Specifies whether the system protects this URL against
phishing, and sends an alert if the system detects this
URL to be under a phishing attempt, or not.
field-types-to-send
Adds, deletes, or replaces a set of HTML input types
whose values should be included in phishing alerts.
inject-css-element
Specifies where the system injects the CSS element. You
can configure the following options for CSS element
injection position:
[after | before]
Specifies whether the system injects the CSS
element after an opening tag or before a closing
tag.
tag Specifies the HTML tag for injection of the CSS
element. This tag cannot be none.
inject-css-link
Specifies where the system injects the CSS link, when
application-css is disabled. You can configure the
following options for CSS link injection position:
[after | before]
Specifies whether the system injects the CSS link
after an opening tag or before a closing tag.
tag Specifies the HTML tag for injection of the CSS
link. This tag cannot be none.
inject-inline-javascript
Specifies where the system injects the phishing inline
script and image. You can configure the following
options for phishing inline script and image injection
position:
[after | before]
Specifies whether the system injects the phishing
inline script and image after an opening tag or
before a closing tag.
tag Specifies the HTML tag for injection of the
phishing inline script and image. This tag cannot
be none.
priority
Specifies a unique ordinal number for this URL in the set of
wildcard URLs.
type Specifies a type of the URL. Note: If you create a URL, you
can use either type, thereafter it becomes read only. The
options are:
explicit
Specifies that the URL has an exact path. This is the
default value.
wildcard
Specifies that any URL that matches this wildcard
expression is considered protected.
users
Adds, deletes, or replaces a set of users enforced by the system
upon successful login. You can configure the following options for
an enforced user:
modes
Adds or deletes a single mode in the set of existing user
modes.
mode Specifies a unique mode for the user. This option is
required for the operations add and delete. The options
are:
block
Specifies that the system blocks the user account
by displaying blocking-page.
forensic
Specifies that the system enforces the user to run
Forensics tool on his host by displaying forensic
html.
inspection
Specifies that the system turns on verbose activity
logging for this user, i.e. collects all HTML and
JS sources from sessions and sends this data to the
dashboard.
remediation
Specifies that the system enforces the user to run
Forensics tool in remediation mode that deploys
Anti-malware client on his host by displaying
forensic html.
duration
Specifies number of minutes during which the user is
enforced in this mode since its first login, when
enforce-policy is time-limited. After their expiration
the user mode will be removed automatically.
enforce-policy
Specifies enforcement policy for this user mode. The
options are:
enforce
Specifies that the user must download and run
Forensics tool in order to continue online actions.
Note: This policy may be specified only for the
modes forensic and remediation.
time-limited
Specifies that the user is enforced in this mode
for a limited time, namely until first-login-time +
duration minutes. When this policy is specified for
the modes forensic and remediation, the user may
skip downloading and running Forensics tool every
time.
unlimited
Specifies that the user is enforced in this mode
for unlimited time. When this policy is specified
for the modes forensic and remediation, the user
may skip downloading and running Forensics tool
every time.
first-login-time
Displays time when the user firstly logged in being in
this mode. A new user mode is added with value none and
it is updated automatically during traffic, when
enforce-policy is time-limited.
whitelist-custom-alerts
Specifies a list of predefined alerts that are ignored.
SEE ALSO
create, delete, edit, glob, list, ltm virtual, modify, regex, security,
security anti-fraud, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying,
recording, or information storage and retrieval systems, for any
purpose other than the purchaser's personal use, without the express
written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2009-2015. All rights reserved.
BIG-IP 2016-12-13 security anti-fraud profile(1)