security anti-fraud profile(1) BIG-IP TMSH Manual security anti-fraud profile(1)
NAME
profile - Configures a Fraud Protection Service profile.
MODULE
security anti-fraud
SYNTAX
Configure the profile component within the security anti-fraud module using the syntax shown in the following
sections.
CREATE/MODIFY
create profile [name]
modify profile [name]
options:
alert-client-side-caching [enabled | disabled]
alert-identifier [string]
alert-path [string]
alert-pool [[name] | none]
alert-publisher [[name] | none]
alert-token-header [string]
app-layer-encryption {
fail-open [enabled | disabled]
}
app-service [[string] | none]
auto-transactions {
bot-score [integer]
click-score [integer]
integrity-fail-score [integer]
min-mouse-move-count [integer]
min-mouse-over-count [integer]
min-report-score [integer]
min-time-to-request [integer]
not-human-score [integer]
strong-integrity {
hide-encrypted-parameters [enabled | disabled]
parameter [string]
}
tampered-cookie-score [integer]
time-fail-score [integer]
}
before-load-function [[string] | none]
blocking-page {
response-body [[string] | none]
response-headers [string]
}
[case-sensitive | case-insensitive]
cloud-service-pool [[name] | none]
config-location [string]
cookies {
application [none | add | delete | replace-all-with] { [string] ... }
base-domain {
apply [enabled | disabled]
exceptions [none | add | delete | replace-all-with] { [string] ... }
}
client-side [string]
client-side-lifetime [[integer] | session]
components-state [string]
components-state-lifetime [[integer] | session]
components-state-removal-protection [enabled | disabled]
encryption-disabled [string]
encryption-disabled-lifetime [[integer] | session]
encryption-disabled-removal-protection [enabled | disabled]
fingerprint [string]
fingerprint-lifetime [[integer] | session]
fingerprint-removal-protection [enabled | disabled]
html-field-obfuscation [string]
html-field-obfuscation-lifetime [[integer] | session]
malware-forensic [string]
malware-forensic-lifetime [[integer] | session]
malware-guid [string]
malware-guid-lifetime [[integer] | session]
malware-guid-removal-protection [enabled | disabled]
rules [string]
rules-lifetime [[integer] | session]
rules-removal-protection [enabled | disabled]
secure-alert [string]
secure-alert-lifetime [[integer] | session]
secure-alert-removal-protection [enabled | disabled]
secure-channel [string]
secure-channel-lifetime [[integer] | session]
secure-channel-removal-protection [enabled | disabled]
secure-mode [auto | disabled | enabled]
transaction-data [string]
transaction-data-lifetime [[integer] | session]
user-inspection [string]
user-name [string]
user-name-lifetime [[integer] | session]
user-name-removal-protection [enabled | disabled]
}
debug {
console-log {
client-ips [none | add | delete | replace-all-with] { [string] ... }
user-agents [none | add | delete | replace-all-with] { [string] ... }
fingerprints [none | add | delete | replace-all-with] { [string] ... }
}
send-alert {
client-ips [none | add | delete | replace-all-with] { [string] ... }
user-agents [none | add | delete | replace-all-with] { [string] ... }
fingerprints [none | add | delete | replace-all-with] { [string] ... }
}
}
defaults-from [[name] | none]
description [[string] | none]
dummy-alert-html-maximum-length [integer]
encryption-staging-mode [enabled | disabled]
fingerprint {
collect [enabled | disabled]
location [string]
}
forensic {
alert-path [string]
client-domains [none | add | delete | replace-all-with] { [string] ... }
cloud-config-path [string]
cloud-forensics-mode [integer]
cloud-remediation-mode [integer]
continue-element [[string] | none]
exe-location [string]
html [[string] | none]
self-post-location [string]
skip-element [[string] | none]
skip-path [string]
}
geolocation [enabled | disabled]
inject-main-javascript {
[after | before]
tag [string]
}
javascript-grace-threshold [integer]
javascript-location [string]
javascript-removal-location [string]
local-syslog-publisher [[name] | none]
malware {
allowed-domains [none | add | delete | replace-all-with] { [string] ... }
bait-check-generic [enabled | disabled]
bait-location [string]
blacklist-words [none | add | delete | replace-all-with] { [string] ... }
detected-malware [none | add | delete | modify | replace-all-with] {
name [string] {
baits [none | add | delete | modify | replace-all-with] {
name [string] {
data-before [string]
data-inject [string]
trigger-url {
name [string]
position [ alone | any | last ]
}
}
}
blacklist-functions [none | add | delete | replace-all-with] { [string] ... }
blacklist-js-words [none | add | delete | replace-all-with] { [string] ... }
blacklist-urls [none | add | delete | replace-all-with] { [string] ... }
blacklist-words [none | add | delete | replace-all-with] { [string] ... }
browser-cache {
blacklist-urls [none | add | delete | modify | replace-all-with] { [string] ... }
whitelist-urls [none | add | delete | modify | replace-all-with] { [string] ... }
}
domain-availability {
blacklist-urls [none | add | delete | modify | replace-all-with] { [string] ... }
whitelist-urls [none | add | delete | modify | replace-all-with] { [string] ... }
}
dom-signatures [none | add | delete | modify | replace-all-with] {
name [string] {
attribute-name [[string] | none]
hash-id [string]
html-tag [[string] | none]
match-type [ contains | is ]
search-for [string]
search-in [ all | attribute | html | js-global-variable | text ]
}
}
generic-whitelist-words [none | add | delete | replace-all-with] { [string] ... }
}
}
domain-availability-urls [[string] | none]
external-sources-targets [none | add | delete | replace-all-with] { [string] ... }
flash-cookie-content [[string] | none]
flash-cookie-location [string]
flash-cookies [enabled | disabled]
generic-whitelist-words [none | add | delete | replace-all-with] { [string] ... }
inline-scripts-whitelist-signatures [none | add | delete | replace-all-with] { [string] ... }
removed-scripts {
blacklist-functions [none | add | delete | replace-all-with] { [string] ... }
whitelist-functions [none | add | delete | replace-all-with] { [string] ... }
}
same-domain-scripts-validation-header [string]
self-bait-header [string]
source-integrity-location [string]
web-rootkit {
blacklist-functions [none | add | delete | replace-all-with] { [string] ... }
whitelist-functions [none | add | delete | replace-all-with] { [string] ... }
}
}
mobilesafe {
alert-custom-config [[string] | none]
alert-threshold [integer]
app-integrity {
custom-config [[string] | none]
[enabled | disabled]
android {
score [integer]
signature [[string] | none]
}
ios {
hashes [none | add | delete | modify | replace-all-with] {
value [string] {
version [[string] | none]
}
}
score [integer]
}
}
general-custom-config [[string] | none]
malware {
android {
custom-malware [none | add | delete | modify | replace-all-with] {
name [string] {
package [string]
score [integer]
}
}
custom-whitelist [none | add | delete | modify | replace-all-with] {
name [string] {
package [string]
}
}
}
check-custom [enabled | disabled]
check-generic [enabled | disabled]
custom-config [[string] | none]
[enabled | disabled]
ios {
custom-malware [none | add | delete | modify | replace-all-with] {
name [string] {
path [string]
score [integer]
}
}
custom-whitelist [none | add | delete | modify | replace-all-with] {
name [string] {
path [string]
}
}
}
behaviour-analysis {
run [enabled | disabled]
score [integer]
}
}
mitm {
certificate-custom-config [[string] | none]
dns-custom-config [[string] | none]
domains [none | add | delete | modify | replace-all-with] {
name [string] {
dns {
ip-ranges [none | add | delete | replace-all-with] {address | address-address ... }
spoofing-score [integer]
}
certificate {
forging-score [integer]
hash [string]
}
}
}
[enabled | disabled]
}
os-security {
android {
untrusted-apps-score [integer]
versions [none | add | delete | modify | replace-all-with] {
priority [integer] {
from [string]
score [integer]
to [string]
}
}
}
custom-config [[string] | none]
[enabled | disabled]
ios {
versions [none | add | delete | modify | replace-all-with] {
priority [integer] {
from [string]
score [integer]
to [string]
}
}
}
}
rooting-jailbreak {
custom-config [[string] | none]
[enabled | disabled]
jailbreak-score [integer]
rooting-score [integer]
}
}
phishing {
alert-path [string]
allowed-elements [none | add | delete | replace-all-with] { [string] ...}
allowed-referrers [none | add | delete | replace-all-with] { [string] ...}
application-css [enabled | disabled]
application-css-locations [none | add | delete | replace-all-with] { [string] ...}
css-attribute-name [string]
css-location [string]
expiration-checks [enabled | disabled]
image-location [string]
inject-css-element {
[after | before]
tag [string]
}
inject-css-link {
[after | before]
tag [string]
}
inject-inline-javascript {
[after | before]
tag [string]
}
protected-elements [none | add | delete | replace-all-with] { [string] ...}
referrer-checks [enabled | disabled]
}
referrer-info-header [string]
risk-engine-path [string]
risk-engine-publisher [[name] | none]
rules [none | add | delete | modify | replace-all-with] {
event [auto-transaction | client-network-connection | client-side-missing-components | encryption-failure |
generic-malware | mandatory-words | phishing | phishing-user | rat-detection | referrer-checks |
server-side-missing-components | source-integrity | web-injection] {
action [block-user | forensic | inspection | redirect | remediation | route | web-service]
duration [integer]
enforce-policy [enforce | time-limited | unlimited]
min-score [integer]
publisher [[name] | none]
payload [[string] | none]
pool [[name] | none]
url [[string] | none]
}
}
suggested-username-header [string]
trigger-irule [enabled | disabled]
urls [none | add | delete | modify | replace-all-with] {
name [string] {
app-layer-encryption {
add-decoy-inputs [enabled | disabled]
auto-complete-block [enabled | disabled]
auto-complete-whitelist-functions [none | add | delete | replace-all-with] { [string] ...}
custom-encryption-function [[string] | none]
[enabled | disabled]
fake-strokes [enabled | disabled]
full-ajax-encryption [enabled | disabled]
hide-password-revealer [enabled | disabled]
html-field-obfuscation [enabled | disabled]
real-time-encryption [enabled | disabled]
remove-element-ids [enabled | disabled]
remove-event-listeners [enabled | disabled]
stolen-creds [enabled | disabled]
substitute-value-function [[string] | none]
}
auto-transactions {
attach-ajax-payload-to-alerts [enabled | disabled]
bot-score [integer]
browser [enabled | disabled]
click-score [integer]
[enabled | disabled]
full-ajax-integrity [enabled | disabled]
integrity-fail-score [integer]
integrity-fail-max-score [integer]
min-mouse-move-count [integer]
min-mouse-over-count [integer]
min-report-score [integer]
min-time-to-request [integer]
non-browser [enabled | disabled]
not-human-score [integer]
strong-integrity [enabled | disabled]
strong-integrity-user-functions [none | add | delete | replace-all-with] { [string] ...}
submit-buttons [none | add | delete | replace-all-with] { [string] ...}
tampered-cookie-score [integer]
time-fail-score [integer]
}
before-load-function [[string] | none]
custom-alerts [none | add | delete | modify | replace-all-with] {
name [string] {
attach-request-part [enabled | disabled]
component [auto-transactions | malware | mobilesafe | phishing]
header-name [[string] | none]
malware-name [[string] | none]
message [[string] | none]
search-in [client-ip | header | payload | query-string]
value [[string] | none]
}
}
description [string]
destination-urls [none | add | delete | replace-all-with] { [string] ...}
fallback-to-base-url [enabled | disabled]
include-query-string [enabled | disabled]
inject-javascript [enabled | disabled]
inject-javascript-removal {
[after | before]
tag [string]
}
inject-main-javascript {
[after | before]
tag [string]
}
login-response {
status-code [[integer] | none]
domain-cookie [[string] | none]
exclude-string [[string] | none]
header [[string] | none]
include-string [[string] | none]
validation [enabled | disabled]
}
malware {
attach-html-to-alerts [enabled | disabled]
auto-learn-form-tags [enabled | disabled]
auto-learn-input-tags [enabled | disabled]
auto-learn-script-tags [enabled | disabled]
blocked-enter-key-detection [enabled | disabled]
deferred-execution [enabled | disabled]
domain-availability [enabled | disabled]
enable-symbols [enabled | disabled]
[enabled | disabled]
external-injection [enabled | disabled]
generic-malware [enabled | disabled]
manual-count-form-tags [integer]
manual-count-input-tags [integer]
manual-count-script-tags [integer]
password-exfiltration-detection [enabled | disabled]
rat-detection [enabled | disabled]
removed-scripts-detection [enabled | disabled]
same-domain-scripts-validation [enabled | disabled]
self-bait [enabled | disabled]
source-integrity [enabled | disabled]
vbklip-detection [enabled | disabled]
visibility-check [enabled | disabled]
visibility-check-items [none | add | delete | replace-all-with] { [string] ...}
web-rootkit-detection [enabled | disabled]
whitelist-dom-signatures [none | add | delete | replace-all-with] { [string] ...}
whitelist-words [none | add | delete | replace-all-with] { [string] ...}
}
mobilesafe-encryption [enabled | disabled]
parameters [none | add | delete | modify | replace-all-with] {
name [string] {
ajax-mapping [string]
attach-to-vtoken-report [enabled | disabled]
check-integrity [enabled | disabled]
encrypt [enabled | disabled]
identify-as-username [enabled | disabled]
method [GET | POST]
mobilesafe-encrypt [enabled | disabled]
mobilesafe-entangle [enabled | disabled]
obfuscate [enabled | disabled]
priority [integer]
protect-by-selector [enabled | disabled]
search-in [payload | query-string | any]
substitute-value [enabled | disabled]
type [explicit | wildcard]
}
}
phishing {
capture-users [enabled | disabled]
copy-detection [enabled | disabled]
css-protection [enabled | disabled]
[enabled | disabled]
field-types-to-send [none | add | delete | replace-all-with] { [string] ...}
inject-css-element {
[after | before]
tag [string]
}
inject-css-link {
[after | before]
tag [string]
}
inject-inline-javascript {
[after | before]
tag [string]
}
}
priority [integer]
type [explicit | wildcard]
}
}
users [add | delete | modify] {
name [string] {
modes [add | delete] {
mode [block | forensic | inspection | remediation] {
duration [integer]
enforce-policy [enforce | time-limited | unlimited]
first-login-time [date]
}
}
}
}
whitelist-custom-alerts [none | add | delete | replace-all-with] { [string] ...}
edit profile [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
DISPLAY
list profile
list profile [ [ [name] | [glob] | [regex] ] ... ]
show running-config profile
show running-config profile [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
one-line
partition
recursive
DELETE
delete profile [name]
DESCRIPTION
You can use the profile component to create, modify, display, or delete an Anti-Fraud profile.
Note: The users property may be specified only for the commands modify, edit, and list and only when no other
properties are specified. By default, users are not displayed.
Note: The first-login-time property of user modes may be specified only for the list command.
EXAMPLES
create profile my_antifraud_profile
Creates a custom Anti-Fraud profile named my_antifraud_profile with default parameters.
list profile
Displays the properties of all Anti-Fraud profiles.
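The following is an added example, not part of the F5 manual: a Python script that reads saved list profile output and flags settings that the OPTIONS descriptions below give reason to review (cookies secure-mode, the cookie removal-protection switches, app-layer-encryption fail-open, encryption-staging-mode, debug filters, and deprecated profile-level auto-transactions options). The sample text and its brace layout are constructed assumptions, and the function names are hypothetical.

```python
import re

# Constructed sample, assumed to follow the brace layout that tmsh prints for
# "list profile"; it was not captured from a real BIG-IP.
SAMPLE = """\
security anti-fraud profile my_antifraud_profile {
    app-layer-encryption {
        fail-open enabled
    }
    auto-transactions {
        bot-score 60
        min-report-score 40
    }
    cookies {
        secure-alert-removal-protection disabled
        secure-mode disabled
    }
    debug {
        send-alert {
            client-ips { 192.0.2.10 }
        }
    }
    encryption-staging-mode enabled
}
"""

# Profile-level auto-transactions options marked "Deprecated since v13.0.0".
DEPRECATED_AUTO_TX = {
    "bot-score", "click-score", "integrity-fail-score", "min-mouse-move-count",
    "min-mouse-over-count", "min-report-score", "min-time-to-request",
    "not-human-score", "tampered-cookie-score", "time-fail-score",
}
DEBUG_FILTERS = ("client-ips", "user-agents", "fingerprints")
INLINE_LIST = re.compile(r"(\S+)\s*\{\s*(.*?)\s*\}")  # e.g. client-ips { a b }


def parse_tmsh(text):
    """Parse line-oriented, brace-delimited tmsh output into nested dicts."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        inline = INLINE_LIST.fullmatch(line)
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced closing brace")
            stack.pop()
        elif inline:  # a list written on one line becomes a Python list
            stack[-1][inline.group(1)] = inline.group(2).split()
        elif line.endswith("{"):  # a block opens; its key may contain spaces
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        else:  # scalar property: first word is the key, the rest is the value
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip()
    if len(stack) != 1:
        raise ValueError("unclosed block")
    return root


def audit_profile(cfg):
    """Return review findings for one parsed anti-fraud profile."""
    findings = []
    cookies = cfg.get("cookies", {})
    if cookies.get("secure-mode") == "disabled":
        findings.append("cookies secure-mode disabled: FPS cookies lack the 'Secure' flag")
    for key in sorted(cookies):
        if key.endswith("-removal-protection") and cookies[key] == "disabled":
            findings.append(f"cookies {key} disabled: removal of this cookie is not detected")
    if cfg.get("app-layer-encryption", {}).get("fail-open") == "enabled":
        findings.append("app-layer-encryption fail-open enabled: after an encryption "
                        "error, encryption is disabled for the rest of the session")
    if cfg.get("encryption-staging-mode") == "enabled":
        findings.append("encryption-staging-mode enabled: on a decryption mismatch "
                        "the system alerts and uses the original data")
    for section, filters in sorted(cfg.get("debug", {}).items()):
        used = [n for n in DEBUG_FILTERS
                if isinstance(filters, dict) and isinstance(filters.get(n), list) and filters[n]]
        if used:
            findings.append(f"debug {section} filters set ({', '.join(used)}): "
                            "this section is reserved for F5 support")
    old = sorted(DEPRECATED_AUTO_TX & set(cfg.get("auto-transactions", {})))
    if old:
        findings.append("deprecated profile-level auto-transactions options "
                        "(configure under urls instead): " + ", ".join(old))
    return findings


def audit(text):
    """Map each anti-fraud profile name found in the text to its findings."""
    report = {}
    for header, cfg in parse_tmsh(text).items():
        words = header.split()
        if words[:3] == ["security", "anti-fraud", "profile"] and isinstance(cfg, dict):
            report[words[-1]] = audit_profile(cfg)
    return report


if __name__ == "__main__":
    for profile, findings in audit(SAMPLE).items():
        for finding in findings:
            print(f"{profile}: {finding}")
```

Run the deprecated-option check against non-default-properties output; with all-properties every profile-level option is listed whether or not it was set.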
OPTIONS
alert-client-side-caching
Specifies whether or not to cache the sent alerts in order to prevent multiple alerts from being sent to
the dashboard.
alert-identifier
Specifies the ID of the customer in the dashboard.
alert-path
Specifies the BIG-IP URL path where the alert is sent. This path cannot be none and must start with '/'.
alert-pool
Specifies the name of the pool used when the system sends alerts.
alert-publisher
Specifies the name of the log publisher used for sending alerts originating from the BIG-IP. If only DPS
is licensed, this publisher is used for reporting encryption failures.
alert-token-header
Specifies the name of the custom HTTP header in alerts for exchanging a random token between the client
side and the BIG-IP.
app-layer-encryption
Specifies how the system performs Application layer encryption. With Application layer encryption, the
system detects an attempt to steal and tamper with end-user passwords (or other protected information),
and also prevents it by encrypting the protected information. You can configure the following options for
Application layer encryption:
fail-open
Specifies, when enabled, that upon encryption error the system disables encryption in consecutive
requests in the current session.
app-service
Specifies the name of the application service to which the profile belongs. The default value is none.
Note: If the strict-updates option is enabled on the application service that owns the object, you cannot
modify or delete the profile. Only the application service can modify or delete the profile.
auto-transactions
Specifies how the system differentiates between human and automatic (bot) transactions. You can configure
the following options for automatic transactions:
bot-score
Deprecated since v13.0.0. Please use bot-score in auto-transactions under urls instead. Specifies
the score added to an alert that is triggered if the system determines that the client is a bot and
not a human. The default is a score of 50.
click-score
Deprecated since v13.0.0. Please use click-score in auto-transactions under urls instead. Specifies
the score added to an alert that is triggered if the min-mouse-over-count and min-mouse-move-count
conditions are not met. The default is a score of 40.
integrity-fail-score
Deprecated since v13.0.0. Please use integrity-fail-score in auto-transactions under urls instead.
Specifies the score added to an alert that is triggered if the system detects a difference between
the actual parameter value and the expected value of a protected parameter sent after a user clicks
a web form's Submit button. The default is a score of 40.
min-mouse-move-count
Deprecated since v13.0.0. Please use min-mouse-move-count in auto-transactions under urls instead.
Specifies the minimum number of mouse movements necessary per page load in order for the system to
consider the transaction to be of human origin. The default is 5 movements.
min-mouse-over-count
Deprecated since v13.0.0. Please use min-mouse-over-count in auto-transactions under urls instead.
Specifies the minimum number of times the client's mouse is positioned over the Submit button in a
web form in order for the system to consider the transaction to be of human origin. The default is 2
button interactions.
min-report-score
Deprecated since v13.0.0. Please use min-report-score in auto-transactions under urls instead.
Specifies the lowest score necessary for the system to send an alert. The default value is 50.
min-time-to-request
Deprecated since v13.0.0. Please use min-time-to-request in auto-transactions under urls instead.
Specifies the minimum amount of time (in seconds) permitted between when a web form is opened and
the Submit button is clicked. The default is 2 seconds.
not-human-score
Deprecated since v13.0.0. Please use not-human-score in auto-transactions under urls instead.
Specifies the score added to an alert that is triggered if the system only suspects that the client
is a bot and not a human. The default is a score of 25.
strong-integrity
Specifies how the system performs strong integrity. You can configure the following options for
strong integrity:
hide-encrypted-parameters
Deprecated since v14.1.0. Please use attach-to-vtoken-report under parameters instead.
Specifies, when enabled, that JavaScript does not add the expected value of encrypted
parameters to strong integrity parameter.
parameter
Deprecated since v14.1.0. Specifies the name of the HTTP parameter in POST requests added by
JavaScript with the expected user-input data verified with physical input events.
tampered-cookie-score
Deprecated since v13.0.0. Please use tampered-cookie-score in auto-transactions under urls instead.
Specifies the score added to an alert that is triggered if the system detects that the transaction-
data cookie was tampered with. The default is a score of 50.
time-fail-score
Deprecated since v13.0.0. Please use time-fail-score in auto-transactions under urls instead.
Specifies the score added to an alert that is triggered if the min-time-to-request condition is not
met. The default is a score of 20.
before-load-function
Specifies the implementation of an additional function to be run before the JavaScript loads, in the
following format: function(configs){...}. Note: For certain advanced configurations, F5 support may provide
relevant code to be entered here; do not use this option on your own.
blocking-page
Specifies information to display when the profile blocks a user account. You can configure the following
options for blocking page:
response-body
Specifies the HTML code the system sends to the user whose account is blocked.
response-headers
Specifies the set of response headers that the system sends to the user whose account is blocked.
Separate each header with a new line (Ctrl-V followed by Ctrl-J).
[case-sensitive | case-insensitive]
Specifies whether or not the profile treats protected URL paths as case sensitive. The default value is
case-insensitive. Note: When you create a profile, you can use either property; thereafter it becomes
read-only. If the profile is case insensitive, the system stores protected URL paths in lowercase in the
profile configuration.
cloud-service-pool
Specifies the name of the pool used by the system for various internal purposes, such as signing the
Forensics tool.
config-location
Specifies the BIG-IP URL directory where the configuration for the injected JavaScript is located. The
path here does not include the actual filename of the configuration for the injected JavaScript. This
path cannot be none and must start with '/'.
cookies
Specifies names and lifetimes for the cookies that the system uses to optimize its detection of malware,
data transactions, and phishing attacks on the web application. If you do not assign a name to a cookie,
a random name is assigned. You can configure the following cookies:
application
Adds, deletes, or replaces a set of application cookies that will be removed if at least one of the
protected cookies is missing.
base-domain
Specifies base domain settings for the cookies. You can configure the following options for base
domain:
apply
Specifies, when enabled, that the system applies the cookies to the base domain.
exceptions
Adds, deletes, or replaces a set of exceptional base domains that take precedence when the
system resolves the base domain from a host header.
client-side
Specifies the name of the cookie in which the system inserts plain text with a record about client
side alerts already sent. This is done in order to prevent flooding the system with additional
alerts if the page reloads.
client-side-lifetime
Specifies whether the client-side cookie is persistent, and if so, after how many minutes it
expires.
components-state
Specifies the name of the cookie that verifies that the system's expected JavaScript can run
successfully, and whether the system successfully decrypted configuration data arriving from the server.
components-state-lifetime
Specifies whether the components-state cookie is persistent, and if so, after how many minutes it
expires.
components-state-removal-protection
Enables or disables removal detection for the secure-alert cookie.
encryption-disabled
Specifies the name of the cookie that the system adds if the system fails to decrypt a password (to
restore the original password as the user typed it), and the system forwards a request to the server
and waits for a login failure response. In this case, the cookie does not encrypt the password on
the next login attempt. This is used in situations where Application layer encryption is not
possible (for example, if the user is using an old browser that cannot encrypt passwords).
encryption-disabled-lifetime
Specifies whether the encryption-disabled cookie is persistent, and if so, after how many minutes it
expires.
encryption-disabled-removal-protection
Enables or disables removal detection for the encryption-disabled cookie.
fingerprint
Specifies the name of the cookie that contains fingerprint data.
fingerprint-lifetime
Specifies whether the fingerprint cookie is persistent, and if so, after how many minutes it
expires.
fingerprint-removal-protection
Enables or disables removal detection for the fingerprint cookie.
html-field-obfuscation
Specifies the name of the cookie that the system sets to identify the fields that were created by
HTML field obfuscation, in order to remove them from the request before sending it back to the web
application, and to know which field names to decrypt.
html-field-obfuscation-lifetime
Specifies whether the html-field-obfuscation cookie is persistent, and if so, after how many minutes
it expires.
malware-forensic
Specifies the name of the cookie that stores the essential response header values from the web
application to be sent to the user after the user finishes or skips downloading and running the
Forensics tool on their host.
malware-forensic-lifetime
Specifies whether the malware-forensic cookie is persistent, and if so, after how many minutes it
expires.
malware-guid
Specifies the name of the cookie set by JavaScript to a random string (12 chars long, not
encrypted). The system sends this cookie value in a special alert to the dashboard in order to
associate it with the logged in user.
malware-guid-lifetime
Specifies whether the malware-guid cookie is persistent, and if so, after how many minutes it
expires.
malware-guid-removal-protection
Enables or disables removal detection for the malware-guid cookie.
rules
Specifies the name of the cookie that the system sets in order to perform the actions block-user,
forensic, inspection, remediation, or redirect.
rules-lifetime
Specifies whether the rules cookie is persistent, and if so, after how many minutes it expires.
rules-removal-protection
Enables or disables removal detection for the rules cookie.
secure-alert
Specifies the name of the cookie that secures arrival of alerts originating from JavaScript to the
dashboard.
secure-alert-lifetime
Specifies whether the secure-alert cookie is persistent, and if so, after how many minutes it
expires.
secure-alert-removal-protection
Enables or disables removal detection for the secure-alert cookie.
secure-channel
Specifies the name of the cookie that the system sets when the system provides JavaScript with a
public key for encryption operations. This cookie is used for the system to correlate incoming
encrypted data with the private key when a request comes from the client.
secure-channel-lifetime
Specifies whether the secure-channel cookie is persistent, and if so, after how many minutes it
expires.
secure-channel-removal-protection
Enables or disables removal detection for the secure-channel cookie.
secure-mode
Specifies the status of secure mode, that is, whether the 'Secure' flag is set for all FPS cookies.
auto
Specifies that secure mode for FPS cookies will be set automatically depending on connection
type: enabled for HTTPS (SSL) connections and disabled for HTTP connections. This is the
default value.
disabled
Specifies that secure mode for FPS cookies will be disabled and FPS cookies will not have
the 'Secure' flag.
enabled
Specifies that secure mode for FPS cookies will be enabled and all FPS cookies will have
the 'Secure' flag.
transaction-data
Specifies the name of the cookie that contains information (such as mouse movement, clicks, and
events) in encrypted format and sends that information to the system.
transaction-data-lifetime
Specifies whether the transaction-data cookie is persistent, and if so, after how many minutes it
expires.
user-inspection
Specifies the name of the cookie that is set once a user is identified in a web form submitted by
the client and this user is enforced in inspection mode.
user-name
Specifies the name of the cookie with the username value after a username is identified in a
request. This ensures that further transactions from the client are still associated with that user
even if they do not include the username field.
user-name-lifetime
Specifies whether the user-name cookie is persistent, and if so, after how many minutes it expires.
user-name-removal-protection
Enables or disables removal detection for the user-name cookie.
debug
Specifies troubleshooting settings to add and filter debug logs of the system. Note: Only F5 support
should configure this section; do not use it on your own. F5 support can configure the following
debug options:
console-log
Specifies when the system adds prints to the browser console. TMM logs are also enabled in such cases.
F5 support can configure the following options for console log:
client-ips
Adds, deletes, or replaces a set of client IP addresses for which the system adds prints to
browser console.
user-agents
Adds, deletes, or replaces a set of strings contained in user-agent header for which the system
adds prints to browser console.
fingerprints
Adds, deletes, or replaces a set of strings contained in fingerprint data for which the system
adds prints to browser console.
send-alert
Specifies when the system sends debug alerts to the dashboard. TMM logs are also enabled in such
cases. F5 support can configure the following options for sending alerts:
client-ips
Adds, deletes, or replaces a set of client IP addresses for which the system sends debug alerts
to the dashboard.
user-agents
Adds, deletes, or replaces a set of strings contained in user-agent header for which the system
sends debug alerts to the dashboard.
fingerprints
Adds, deletes, or replaces a set of strings contained in fingerprint data for which the system
sends debug alerts to the dashboard.
defaults-from
Specifies the profile that you want to use as the parent profile. Your new profile inherits all settings
and values from the parent profile specified.
description
User defined description.
dummy-alert-html-maximum-length
Specifies the maximum length of HTML attached to dummy alert.
encryption-staging-mode
Specifies, when enabled, that the system activates Anti-fraud encryption staging mode. If decrypted data
differs from original data, an alert will be sent and original data will be used.
fingerprint
Specifies how the system collects fingerprint data. You can configure the following fingerprint options:
collect
Specifies, when enabled, that the system collects fingerprint data.
location
Specifies the BIG-IP URL location of the fingerprint JavaScript. This path cannot be none and must
start with '/'.
forensic
Specifies how the system enforces scanning of the client host for malware (Forensics) and its removal
(remediation). You can configure the following options for Forensics and remediation:
alert-path
Specifies the BIG-IP URL path for alerts from Forensics tool. This path cannot be none and must
start with '/'.
client-domains
Adds, deletes, or replaces a set of client domains to be resolved by Forensics tool.
cloud-config-path
Specifies the BIG-IP URL path for requests from Forensics tool to cloud-service-pool. This path
cannot be none and must start with '/'.
cloud-forensics-mode
Specifies the numeric value sent to cloud-service-pool to download Forensics tool.
cloud-remediation-mode
Specifies the numeric value sent to cloud-service-pool to download Forensics tool in remediation
mode.
continue-element
Specifies the HTML element with continue option that replaces %SKIP_PART% in the entire html, when
enforce-policy is enforce. Note: This property may be modified only when the DB variable
antifraud.forensic.showgui has value enable.
exe-location
Specifies the BIG-IP URL path to download Forensics tool that also replaces %EXE_LOCATION% in the
entire html. This path cannot be none and must start with '/'.
html Specifies the HTML code the system sends to the user after successful login with option to download
Forensics tool. Note: This property may be modified only when the DB variable
antifraud.forensic.showgui has value enable.
self-post-location
Specifies the BIG-IP URL path for self POST page opened by Forensics tool during scanning. This path
cannot be none and must start with '/'.
skip-element
Specifies the HTML element with skip option that replaces %SKIP_PART% in the entire html, when
enforce-policy is not enforce. Note: This property may be modified only when the DB variable
antifraud.forensic.showgui has value enable.
skip-path
Specifies the BIG-IP URL path for skip / continue option that also replaces %SKIP_PATH% in both
continue-element and skip-element (before their replacement in the entire html). This path cannot be
none and must start with '/'.
geolocation
Specifies, when enabled, that the client collects geolocation data which will be sent as part of the
alert data.
glob Displays the items that match the glob expression. See help glob for a description of glob expression
syntax.
inject-main-javascript
Deprecated since v12.1.3 (excluding v13.0.0). Please use same configuration in a specific URL instead.
Specifies where the system injects the main JavaScript. You can configure the following options for main
JavaScript injection position:
[after | before]
Deprecated since v12.1.3 (excluding v13.0.0). Please use same configuration in a specific URL
instead. Specifies whether the system injects the main JavaScript after an opening tag or before a
closing tag.
tag Deprecated since v12.1.3 (excluding v13.0.0). Please use same configuration in a specific URL
instead. Specifies the HTML tag for injection of the main JavaScript. This tag cannot be none.
javascript-grace-threshold
Specifies the maximum amount of time (in seconds) permitted between when a protected web page is loaded
and its injected JavaScript activates.
javascript-location
Specifies the BIG-IP URL directory where the injected JavaScript is located. The path here does not
include the actual filename of the injected JavaScript. This path cannot be none and must start with '/'.
javascript-removal-location
Specifies the BIG-IP URL location of the JavaScript removal detection location. This path cannot be none
and must start with '/'.
local-syslog-publisher
DPS mode only. Specifies the name of the log publisher used for reporting encryption failures.
malware
Specifies how the system detects a malware attack on the web application. You can configure the following
options for Malware protection:
allowed-domains
Adds, deletes, or replaces a set of whitelisted domains. The system does not send alerts on requests
for URLs from these domains, even if the system detects malware injection on these domains.
bait-check-generic
Specifies, when enabled, that the system checks predefined baits. Note: The configured baits are
checked anyway.
bait-location
Specifies the BIG-IP URL location of a file that acts as bait for attackers. This path cannot be
none and must start with '/'.
blacklist-words
Deprecated since v13.0.0. Please use blacklist-js-words and blacklist-words in detected-malware
instead. Adds, deletes, or replaces a set of words that are blacklisted if they appear in the web
application's HTML or JavaScript code. If the system detects these words, the system generates a
malware alert.
detected-malware
Adds, deletes, or replaces a set of malware detected by the system. You can configure the following
options for each malware:
baits
Adds, deletes, or replaces a set of baits for this malware. You can configure the following
options for each bait:
data-before
Specifies the HTML code that the malware searches for and after which it injects data-inject.
data-inject
Specifies the malicious code that the malware injects after data-before.
trigger-url
Specifies trigger URL settings for this bait. You can configure the following options for
trigger URL:
name Specifies the URL pattern that triggers the malware to inject malicious code.
position
Specifies the position of this URL pattern in the query string of a bait request.
alone
Specifies that this trigger URL must be alone in the query string of a bait
request.
any Specifies that this trigger URL can be anywhere in the query string of a
bait request. This is the default value.
last Specifies that this trigger URL must be last in the query string of a bait
request.
blacklist-functions
Adds, deletes, or replaces a set of regular expression patterns to detect functions that this
malware can use when executing AJAX requests.
blacklist-js-words
Adds, deletes, or replaces a set of words that are blacklisted if they appear in the JavaScript
code. If the system detects these words, the system generates a malware alert.
blacklist-urls
Adds, deletes, or replaces a set of regular expression patterns to detect URLs that this
malware can use for AJAX requests and external scripts.
blacklist-words
Adds, deletes, or replaces a set of words that are blacklisted if they appear in the web
application's HTML code. If the system detects these words, the system generates a malware
alert.
browser-cache
Specifies how the system checks the client network connection as a targeted method. You can configure
the following options for Browser cache:
blacklist-urls
Adds, deletes, or replaces a set of resources that are loaded by the malware.
whitelist-urls
Adds, deletes, or replaces a set of non-existent resources.
domain-availability
Specifies how the system checks the client network connection as a generic method. You can configure
the following options for Domain availability:
blacklist-urls
Adds, deletes, or replaces a set of URLs that are not blocked by the malware.
whitelist-urls
Adds, deletes, or replaces a set of URLs that are blocked by the malware.
dom-signatures
Adds, deletes, or replaces a set of DOM signatures for this malware. You can configure the
following options for each DOM signature:
attribute-name
Specifies the name of the attribute in which the pattern should be searched for. Used only
if search-in is attribute.
hash-id
Specifies the unique ID that identifies this DOM signature in the profile.
html-tag
Specifies the name of the HTML tag in which the pattern should be searched for.
match-type
Specifies the type of DOM signature pattern matching.
contains
Specifies that this DOM signature pattern should be matched as partial match (not
applicable when search-in is js-global-variable).
is Specifies that this DOM signature pattern should be matched as exact match.
search-for
Specifies the DOM signature pattern to search for.
search-in
Specifies search location for DOM signature.
all Specifies that this DOM signature should be searched in all locations.
attribute
Specifies that this DOM signature pattern should be searched only in an attribute
with name attribute-name.
html Specifies that this DOM signature pattern should be searched only in HTML.
js-global-variable
Specifies that this DOM signature pattern should be searched only in JavaScript
global variables (match-type contains not applicable in such case).
text Specifies that this DOM signature pattern should be searched only in text.
generic-whitelist-words
Deprecated since v15.0.0. Please use whitelist-dom-signatures in urls instead. Adds, deletes,
or replaces a set of generic blacklisted words that are ignored.
domain-availability-urls
Deprecated since v13.0.0. Please use blacklist-urls and whitelist-urls in domain-availability under
detected-malware instead. Specifies a JSON object containing URLs for which client network
connectivity should be checked.
external-sources-targets
Adds, deletes, or replaces a set of HTML element types and their attributes for which external
injections should be checked.
flash-cookie-content
Specifies the flash file (in hexadecimal format) used to allow JavaScript to access the Flash object
on the client side. The default content is none. The length is limited to 64k.
flash-cookie-location
Specifies the BIG-IP URL location of the SWF file that JavaScript requests to get the Flash file.
This path cannot be none and must start with '/'.
flash-cookies
Specifies, when enabled, that the system may use a Flash shared object (FSO) as a place to store an
alternative malware cookie. This cookie tells the system, after a login attempt, that this user has
malware, and the system sends an alert.
generic-whitelist-words
Deprecated since v13.0.0. Please use generic-whitelist-words in detected-malware instead. Adds,
deletes, or replaces a set of generic blacklisted words that are ignored.
inline-scripts-whitelist-signatures
Adds, deletes, or replaces a set of signatures for allowed inline scripts. In case a signature
appears as part of JavaScript inline script, the system does not count this script in the source
integrity feature.
removed-scripts
Specifies how the system detects self-removed malicious scripts. You can configure the following
options for removed scripts detection:
blacklist-functions
Adds, deletes, or replaces a set of functions that are used for detecting self-removed
malicious scripts.
whitelist-functions
Adds, deletes, or replaces a set of functions that are NOT used for detecting self-removed
malicious scripts.
same-domain-scripts-validation-header
Specifies the name of the custom HTTP header used to identify PING-PONG requests between JavaScript
and BIG-IP for same-domain scripts validations. This name cannot be none.
self-bait-header
Specifies the name of the custom HTTP header used to identify self-bait requests from JavaScript to
BIG-IP for malicious injections scan. This name cannot be none.
source-integrity-location
Specifies the BIG-IP URL path where the system collects information about the HTML source from
multiple users. This path cannot be none and must start with '/'.
web-rootkit
Specifies how the system detects Web-RootKit malware. You can configure the following options for
Web-RootKit detection:
blacklist-functions
Adds, deletes, or replaces a set of additional functions to be checked.
whitelist-functions
Adds, deletes, or replaces a set of native functions that are allowed to be overwritten.
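The constraints stated for the malware options above (URL paths that cannot be none and must start with '/', header names that cannot be none, the trigger-url position values, and the DOM signature rules for match-type, search-in, attribute-name and hash-id) can be checked before a change is submitted. The following Python check is an added example, not F5 code; the dictionary layout, the finding codes and all sample values are constructed for illustration and do not reflect how tmsh stores the profile.

```python
# Pre-flight lint for the "malware" options described above.
# Assumption: the proposed settings are held in a plain dict keyed by option name.

PATH_OPTIONS = ("bait-location", "flash-cookie-location", "source-integrity-location")
HEADER_OPTIONS = ("same-domain-scripts-validation-header", "self-bait-header")
MATCH_TYPES = {"contains", "is"}
SEARCH_IN = {"all", "attribute", "html", "js-global-variable", "text"}
POSITIONS = {"alone", "any", "last"}


def lint_malware(cfg):
    """Return a list of (location, finding-code) tuples; empty means no findings."""
    findings = []

    # "This path cannot be none and must start with '/'."
    for opt in PATH_OPTIONS:
        if opt in cfg and (cfg[opt] == "none" or not str(cfg[opt]).startswith("/")):
            findings.append((opt, "bad-path"))

    # "This name cannot be none."
    for opt in HEADER_OPTIONS:
        if opt in cfg and cfg[opt] in ("", "none"):
            findings.append((opt, "name-is-none"))

    hash_owner = {}  # hash-id -> first signature that used it
    for mw_name, mw in cfg.get("detected-malware", {}).items():
        for bait_name, bait in mw.get("baits", {}).items():
            # position defaults to "any" when it is not given
            position = bait.get("trigger-url", {}).get("position", "any")
            if position not in POSITIONS:
                findings.append((f"{mw_name}/baits/{bait_name}", "bad-position"))

        for sig_name, sig in mw.get("dom-signatures", {}).items():
            where = f"{mw_name}/dom-signatures/{sig_name}"
            match_type = sig.get("match-type")
            search_in = sig.get("search-in")
            has_attr = bool(sig.get("attribute-name"))

            if match_type is not None and match_type not in MATCH_TYPES:
                findings.append((where, "bad-match-type"))
            if search_in is not None and search_in not in SEARCH_IN:
                findings.append((where, "bad-search-in"))
            # contains is not applicable when search-in is js-global-variable
            if search_in == "js-global-variable" and match_type == "contains":
                findings.append((where, "contains-with-js-global-variable"))
            # attribute-name is used only if search-in is attribute
            if search_in == "attribute" and not has_attr:
                findings.append((where, "missing-attribute-name"))
            if search_in != "attribute" and has_attr:
                findings.append((where, "attribute-name-unused"))
            # hash-id identifies the signature uniquely within the profile
            hash_id = sig.get("hash-id")
            if hash_id is not None:
                if hash_id in hash_owner:
                    findings.append((where, "duplicate-hash-id"))
                else:
                    hash_owner[hash_id] = where
    return findings


# Constructed sample input with deliberate mistakes (not taken from a real profile).
SAMPLE = {
    "bait-location": "bait/check.php",            # no leading '/'
    "source-integrity-location": "/si/collect",
    "self-bait-header": "none",                   # name cannot be none
    "detected-malware": {
        "example-malware": {
            "baits": {
                "b1": {"trigger-url": {"name": "/login*", "position": "first"}},
                "b2": {"trigger-url": {"name": "/pay*"}},
            },
            "dom-signatures": {
                "s1": {"hash-id": "1", "html-tag": "script", "match-type": "contains",
                       "search-in": "js-global-variable", "search-for": "injectedCfg"},
                "s2": {"hash-id": "1", "html-tag": "input", "match-type": "is",
                       "search-in": "attribute", "search-for": "x"},
                "s3": {"hash-id": "3", "html-tag": "div", "match-type": "is",
                       "search-in": "text", "attribute-name": "data-x", "search-for": "y"},
            },
        }
    },
}

if __name__ == "__main__":
    for location, code in lint_malware(SAMPLE):
        print(f"{location}: {code}")
```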
mobilesafe
Specifies how the system detects and prevents phishing, Trojan, and pharming attacks on mobile devices in
real time. You can configure the following options for mobile security:
alert-custom-config
Specifies alert custom configuration for SDK forward compatibility. Note: For certain advanced
configurations, F5 support may provide a relevant string to be entered here, please do not use it on
your own.
alert-threshold
Specifies the minimal score for sending alerts from mobile devices.
app-integrity
Specifies how the system checks if the application on the mobile device has been tampered with. You
can configure the following options for Application integrity:
custom-config
Specifies custom configuration of Application integrity for SDK forward compatibility. Note:
For certain advanced configurations, F5 support may provide a relevant string to be entered
here, please do not use it on your own.
[enabled | disabled]
Enables or disables Application integrity.
android
Specifies Application integrity settings for Android platform. You can configure the following
options for Android Application integrity:
score
Specifies Application integrity score for Android platform.
signature
Specifies signature of Android application (in hexadecimal format).
ios Specifies Application integrity settings for iOS platform. You can configure the following
options for iOS Application integrity:
hashes
Adds, deletes, or replaces a set of iOS Application hashes (in base64-encoded format). You
can configure the following options for iOS Application hash:
version
Specifies iOS Application version for this hash.
score
Specifies Application integrity score for iOS platform.
general-custom-config
Specifies general custom configuration for SDK forward compatibility. Note: For certain advanced
configurations, F5 support may provide a relevant string to be entered here, please do not use it on
your own.
malware
Specifies how the system checks for malicious applications on the customer's mobile devices. You can
configure the following options for Malware detection:
android
Specifies Malware detection settings for Android platform. You can configure the following
options for Android Malware detection:
custom-malware
Adds, deletes, or replaces a custom set of checked malware for Android platform. You can
configure the following options for each Android malware:
package
Specifies package of checked Android malware.
score
Specifies score for checked Android malware.
custom-whitelist
Adds, deletes, or replaces a custom set of whitelist applications for Android platform.
You can configure the following options for each whitelist Android application:
package
Specifies package of whitelist Android application.
check-custom
Enables or disables custom malware check.
check-generic
Enables or disables generic malware check.
custom-config
Specifies custom configuration of Malware detection for SDK forward compatibility. Note: For
certain advanced configurations, F5 support may provide a relevant string to be entered here,
please do not use it on your own.
[enabled | disabled]
Enables or disables Malware detection.
ios Specifies Malware detection settings for iOS platform. You can configure the following options
for iOS Malware detection:
custom-malware
Adds, deletes, or replaces a custom set of checked malware for iOS platform. You can
configure the following options for each iOS malware:
path Specifies path of checked iOS malware.
score
Specifies score for checked iOS malware.
custom-whitelist
Adds, deletes, or replaces a custom set of whitelist applications for iOS platform. You
can configure the following options for each whitelist iOS application:
path Specifies path of whitelist iOS application.
behaviour-analysis
Specifies how the system checks for suspicious behavior and characteristics on all applications
on the customer's mobile devices. You can configure the following options for behavior
analysis:
run Enables or disables behaviour analysis run.
score
Specifies score for behavior analysis.
mitm Specifies how the system checks the defined domains for DNS Spoofing and Certificate Forging on
customer devices. You can configure the following options for Man-in-the-middle detection:
certificate-custom-config
Specifies custom configuration of Certificate forging detection for SDK forward compatibility.
Note: For certain advanced configurations, F5 support may provide a relevant string to be
entered here, please do not use it on your own.
dns-custom-config
Specifies custom configuration of DNS spoofing detection for SDK forward compatibility. Note:
For certain advanced configurations, F5 support may provide a relevant string to be entered
here, please do not use it on your own.
domains
Adds, deletes, or replaces a set of domains for Man-in-the-middle detection. You can configure
the following options for a MITM domain:
dns Specifies DNS spoofing detection settings for this domain. You can configure the following
options for DNS spoofing detection:
ip-ranges
Adds, deletes, or replaces a set of IP address ranges for DNS spoofing detection.
spoofing-score
Specifies score for DNS spoofing detection.
certificate
Specifies Certificate forging detection settings for this domain. You can configure the
following options for Certificate forging detection:
forging-score
Specifies score for Certificate forging detection.
hash Specifies certificate hash.
[enabled | disabled]
Enables or disables Man-in-the-middle detection.
os-security
Specifies how the system checks the customer's mobile devices for old, unsupported, and unpatched
operating system (OS) versions. You can configure the following options for OS security:
android
Specifies OS security settings for Android platform. You can configure the following options
for Android OS security:
versions
Adds, deletes, or replaces an ordered set of version ranges for Android platform. You can
configure the following options for Android version range:
from Specifies Android version number from which OS is unpatched.
priority
Specifies a unique ordinal number for Android version range in the set. This option
is required for the operations add, delete, modify, and replace-all-with.
score
Specifies score for Android version range.
to Specifies Android version number to which OS is unpatched.
custom-config
Specifies custom configuration of OS security for SDK forward compatibility. Note: For certain
advanced configurations, F5 support may provide a relevant string to be entered here, please do
not use it on your own.
[enabled | disabled]
Enables or disables OS security.
ios Specifies OS security settings for iOS platform. You can configure the following options for
iOS OS security:
versions
Adds, deletes, or replaces an ordered set of version ranges for iOS platform. You can
configure the following options for iOS version range:
from Specifies iOS version number from which OS is unpatched.
priority
Specifies a unique ordinal number for iOS version range in the set. This option is
required for the operations add, delete, modify, and replace-all-with.
score
Specifies score for iOS version range.
to Specifies iOS version number to which OS is unpatched.
untrusted-apps-score
Specifies score for untrusted applications.
rooting-jailbreak
Specifies how the system checks customer's mobile devices to determine if they are rooted /
jailbroken. You can configure the following options for Rooting / Jailbreak detection:
custom-config
Specifies custom configuration of Rooting / Jailbreak detection for SDK forward compatibility.
Note: For certain advanced configurations, F5 support may provide a relevant string to be
entered here, please do not use it on your own.
[enabled | disabled]
Enables or disables Rooting / Jailbreak detection.
jailbreak-score
Specifies score for jailbreak on iOS platform.
rooting-score
Specifies score for rooting on Android platform.
name Specifies a unique name for the component. This option is required for the commands create, delete, and
modify.
partition
Displays the administrative partition within which the component resides.
phishing
Specifies how the system detects a phishing attempt. You can configure the following options for phishing
site detection:
alert-path
Specifies the BIG-IP URL path for alerts from the phishing inline script. This path cannot be none
and must start with '/'.
allowed-elements
Adds, deletes, or replaces a set of URLs in requests for which the system does not verify (check)
the referrer header value.
allowed-referrers
Adds, deletes, or replaces a set of domain names that are allowed to appear in the referrer header
when requesting protected resources.
application-css
Specifies, when enabled, that the system injects the CSS content to the existing application CSS
files.
application-css-locations
Adds, deletes, or replaces a set of server URL locations of the application CSS files, used when
application-css is enabled.
css-attribute-name
Specifies the attribute name as part of the CSS content. This name cannot be none.
css-location
Specifies the BIG-IP URL location of the CSS file, used when application-css is disabled. Injecting
JavaScript protects the web application against phishing attempts because even if an attacker
removes the injected JavaScript from the copied web page, the CSS element is not modified, and this
triggers an alert. This path cannot be none and must start with '/'.
expiration-checks
Specifies, when enabled, that the system sends an alert if expired JavaScript engine files are used,
as this is an indication of a phishing attack.
image-location
Specifies the BIG-IP URL location of the 1x1 pixel image file. If an attacker copies a web page with
this image, it most likely lacks the JavaScript, and this triggers an alert. This path cannot be
none and must start with '/'.
inject-css-element
Deprecated since v12.1.3 (excluding v13.0.0). Please use same configuration in a specific URL
instead. Specifies where the system injects the CSS element. You can configure the following options
for CSS element injection position:
[after | before]
Deprecated since v12.1.3 (excluding v13.0.0). Please use same configuration in a specific URL
instead. Specifies whether the system injects the CSS element after an opening tag or before a
closing tag.
tag Deprecated since v12.1.3 (excluding v13.0.0). Please use same configuration in a specific URL
instead. Specifies the HTML tag for injection of the CSS element. This tag cannot be none.
inject-css-link
Deprecated since v12.1.3 (excluding v13.0.0). Please use same configuration in a specific URL
instead. Specifies where the system injects the CSS link, when application-css is disabled. You can
configure the following options for CSS link injection position:
[after | before]
Deprecated since v12.1.3 (excluding v13.0.0). Please use same configuration in a specific URL
instead. Specifies whether the system injects the CSS link after an opening tag or before a
closing tag.
tag Deprecated since v12.1.3 (excluding v13.0.0). Please use same configuration in a specific URL
instead. Specifies the HTML tag for injection of the CSS link. This tag cannot be none.
inject-inline-javascript
Deprecated since v12.1.3 (excluding v13.0.0). Please use same configuration in a specific URL
instead. Specifies where the system injects the phishing inline script and image. You can configure
the following options for phishing inline script and image injection position:
[after | before]
Deprecated since v12.1.3 (excluding v13.0.0). Please use same configuration in a specific URL
instead. Specifies whether the system injects the phishing inline script and image after an
opening tag or before a closing tag.
tag Deprecated since v12.1.3 (excluding v13.0.0). Please use same configuration in a specific URL
instead. Specifies the HTML tag for injection of the phishing inline script and image. This tag
cannot be none.
protected-elements
Adds, deletes, or replaces a set of URLs in requests for which the system verifies (checks) the
referrer header value. You can use wildcards, for example *.gif.
referrer-checks
Specifies, when enabled, that the system verifies (checks) requests coming to the web application
for resources from different domains.
referrer-info-header
Specifies the name of the custom HTTP header used by client side to communicate referrer and view
identifier to BIG-IP.
risk-engine-path
Specifies the BIG-IP URL path to where a risk-engine report is sent by client. This path cannot be none
and must start with '/'.
risk-engine-publisher
Specifies the name of the log publisher used for reports to a Risk engine.
rules
Adds, deletes, or replaces a set of rules used by the system to perform actions upon detected events. You
can configure the following options for each rule:
action
Specifies the type of the action that the system performs when this event is detected. The options
are:
block-user
Specifies that the system adds the user with block mode to be enforced from the next login.
forensic
Specifies that the system adds the user with forensic mode to be enforced from the next login.
inspection
Specifies that the system adds the user with inspection mode to be enforced from the next
login.
redirect
Specifies that the system redirects the next request to a specific web page.
remediation
Specifies that the system adds the user with remediation mode to be enforced from the next
login.
route
Deprecated in v13.1.0. Specifies that the system routes to a specific pool all subsequent
requests for a specific time.
web-service
Specifies that the system sends a POST request to a specific Web service.
duration
Specifies number of minutes during which the system performs the action block-user, forensic,
inspection, remediation or route.
enforce-policy
Specifies enforcement policy for the action block-user, forensic, inspection or remediation. The
options are:
enforce
Specifies that the system adds the user mode with the enforce policy.
time-limited
Specifies that the system adds the user mode with the time-limited policy.
unlimited
Specifies that the system adds the user mode with the unlimited policy.
event
Specifies a unique event for the rule. This option is required for the operations create, delete,
modify, and replace-all-with. The options are:
auto-transaction
Specifies that the action is performed when the system detects automatic (bot) transaction.
client-network-connection
Specifies that the action is performed when the system detects that client network connectivity
is blocked.
client-side-missing-components
Specifies that the action is performed when the system detects missing components on the client
side.
encryption-failure
Specifies that the action is performed when the system fails to decrypt a password.
generic-malware
Specifies that the action is performed when the system detects generic malware.
mandatory-words
Specifies that the action is performed when the system detects that mandatory words are changed
in the page.
phishing
Specifies that the action is performed when the system detects a phishing attempt.
phishing-user
Specifies that the action is performed when the system detects a user attacked by a phishing
attempt.
rat-detection
Specifies that the action is performed when the system detects a Remote Access Trojan (RAT) on
a client web browser.
referrer-checks
Specifies that the action is performed when the system detects a request from a different
domain by the referrer header.
server-side-missing-components
Specifies that the action is performed when the system detects missing components on the
BIG-IP.
source-integrity
Specifies that the action is performed when the system detects a mismatch of the URL's HTML
source code.
web-injection
Specifies that the action is performed when the system detects an attempt to inject malware.
min-score
Specifies the lowest score of this event necessary for the system to perform the action.
payload
Specifies the payload for the web-service action.
pool Specifies the name of the pool for the route action.
publisher
Specifies the name of the log publisher for the web-service action.
url Specifies the URL for the action redirect or web-service.
suggested-username-header
Specifies the name of the custom HTTP header in AJAX requests added by JavaScript with a username value
identified on the client side.
trigger-irule
Specifies, when enabled, that the system activates Anti-fraud iRule events. The default value is
disabled.
urls Adds, deletes, or replaces a set of URLs in the web application that are protected by the system. You can
configure the following options for a protected URL:
app-layer-encryption
Specifies how the system performs Application layer encryption for this URL. With Application layer
encryption, the system detects an attempt to steal and tamper with end-user passwords (or other
protected information), and also prevents it by encrypting the protected information. You can
configure the following options for Application layer encryption:
add-decoy-inputs
Specifies, when enabled, that the system randomly and continuously generates and removes decoy
fields that are added to the web page, thus making it harder for an attacker to
identify sensitive information with either JavaScript or a proxy. In order to enable it, you
must first enable html-field-obfuscation.
auto-complete-block
Specifies, when enabled, that the system prevents auto-complete functionality in browser.
auto-complete-whitelist-functions
Specifies a list of customer-specific global functions that require access to the value of a
parameter with substitute-value enabled.
custom-encryption-function
Specifies the name or implementation of a custom encryption function to be run instead of the
built-in encryption.
[enabled | disabled]
Specifies whether the system protects this URL with Application layer encryption, and sends an
alert if an attacker attempts to breach Application layer encryption for this URL, or not.
fake-strokes
Specifies, when enabled, that the system protects against in-browser key loggers by generating
fake keyboard events.
full-ajax-encryption
Specifies, when enabled, that the system encrypts the full AJAX payload.
hide-password-revealer
Specifies, when enabled, that the system hides the password revealer icon found in web pages.
html-field-obfuscation
Specifies, when enabled, that the system encrypts the names of defined fields on the
client, and then decrypts them back to the original names on the BIG-IP.
real-time-encryption
Specifies, when enabled, that the system encrypts passwords as they are typed (even before the
user clicks the Submit button in a web form).
remove-element-ids
Specifies, when enabled, that the system removes the ID attribute from the fields in a
web form. In order to enable it, you must first enable html-field-obfuscation.
remove-event-listeners
Specifies, when enabled, that the system removes event listeners from the encrypted
fields in a web form.
stolen-creds
Specifies, when enabled, that the system examines whether the user was trying to use a
fabricated password.
substitute-value-function
Specifies a JavaScript function that receives the real password as an argument and returns a
fake value.
auto-transactions
Specifies how the system protects this URL from automatic (bot) transactions. You can configure the
following options for Automated transactions detection:
attach-ajax-payload-to-alerts
Specifies whether to attach the actual AJAX payload to alerts. Use the DB variable
antifraud.antifraud.maxalertrequestsize to limit the attached payload size.
bot-score
Specifies the score added to an alert that is triggered if the system determines that the
client is a bot and not a human. The default is a score of 50.
browser
Specifies, when enabled, that the system looks for bot automation performed within the browser.
click-score
Specifies the score added to an alert that is triggered if the min-mouse-over-count and
min-mouse-move-count conditions are not met. The default is a score of 40.
[enabled | disabled]
Specifies whether the system protects this URL against non-human transactions, and sends an
alert if the system detects a non-human transaction attempt for this URL, or not.
full-ajax-integrity
Specifies, when enabled, that the system verifies whether the full AJAX payload was changed by
malware when it left the browser for the server.
integrity-fail-score
Specifies the score added to an alert that is triggered if the system detects a difference
between the actual parameter value and the expected value of a protected parameter sent after a
user clicks a web form's Submit button. The default is a score of 40.
integrity-fail-max-score
Specifies the maximal score added to an alert that is triggered if the system detects a
difference between the actual parameter value and the expected value of a protected parameter
sent after a user clicks a web form's Submit button. The default is a score of 100.
min-mouse-move-count
Specifies the minimum number of mouse movements necessary per page load in order for the system
to consider the transaction to be of human origin. The default is 5 movements.
min-mouse-over-count
Specifies the minimum number of times the client's mouse is positioned over the Submit button
in a web form in order for the system to consider the transaction to be of human origin. The
default is 2 button interactions.
min-report-score
Specifies the lowest score necessary for the system to send an alert. The default value is 50.
min-time-to-request
Specifies the minimum amount of time (in seconds) permitted between when a web form is opened
and the Submit button is clicked. The default is 2 seconds.
non-browser
Specifies, when enabled, that the system looks for bot automation performed not within the
browser.
not-human-score
Specifies the score added to an alert that is triggered if the system only suspects that the
client is a bot and not a human. The default is a score of 25.
strong-integrity
Specifies, when enabled, that Enhanced Data Integrity is active. When Enhanced Data Integrity
is active, the system detects a difference between the actual parameter value and the expected
value of a protected parameter verified with physical input events.
strong-integrity-user-functions
Adds, deletes, or replaces a set of customer functions that change a parameter value
protected by Enhanced Data Integrity.
submit-buttons
Adds, deletes, or replaces a set of non-standard Submit buttons found in forms of the web
application. You can specify the name, or the CSS syntax (ID, class, or tagname) for each
button.
tampered-cookie-score
Specifies the score added to an alert that is triggered if the system detects that the
transaction-data cookie was tampered with. The default is a score of 50.
time-fail-score
Specifies the score added to an alert that is triggered if the min-time-to-request condition is
not met. The default is a score of 20.
custom-alerts
Adds, deletes, or replaces a set of user-defined alerts sent by the system upon searches in
different parts of the request. You can configure the following options for each user-defined alert:
attach-request-part
Specifies whether to attach the original client-side request to this alert.
component
Specifies the alert component that the system sends in this alert. Select either: malware (the
default value), phishing, auto-transactions, or mobilesafe.
header-name
Specifies a header name in which the system searches for the value when search-in is header.
malware-name
Specifies the malware detected by this alert when component is malware.
message
Specifies the user-defined message that the system sends in this alert.
search-in
Specifies the part of the request where the system must find the value to send this alert.
Note: When you create a user-defined alert, you can select any request part; thereafter it
becomes read-only.
client-ip
Specifies that the system sends this alert if the client IP address equals the value.
header
Specifies that the system sends this alert if the header-name header contains the value.
payload
Specifies that the system sends this alert if the request payload contains the value.
query-string
Specifies that the system sends this alert if the URL query string contains the value.
value
Specifies a value that the system searches for in the search-in part of the request. The
default value is none, which means that the system searches for any value.
before-load-function
Specifies the implementation of an additional function to be run before the JavaScript loads, in the
following format: function(configs){...}. Note: For certain advanced configurations, F5 support may
provide relevant code to be entered here; do not use this option on your own.
description
Specifies an optional description of this URL.
destination-urls
Specifies a list of destination URLs for requests from SPA URLs/Views.
fallback-to-base-url
Specifies whether a request to a non-configured view uses the same configuration as the base URL or
disables FPS for that request.
include-query-string
Specifies, when enabled, that the system includes the query string of URLs when matching this
wildcard expression. The default value is disabled.
inject-javascript
Enables or disables JavaScript injection into responses to this URL. The default value is enabled.
inject-main-javascript
Specifies where the system injects the main JavaScript. You can configure the following options for
main JavaScript injection position:
[after | before]
Specifies whether the system injects the main JavaScript after an opening tag or before a
closing tag.
tag Specifies the HTML tag for injection of the main JavaScript. This tag cannot be none.
inject-javascript-removal
Specifies where the system injects the JavaScript removal detection image. You can configure the
following options for JavaScript removal detection image injection position:
[after | before]
Specifies whether the system injects the JavaScript removal detection image after an opening
tag or before a closing tag.
tag Specifies the HTML tag for injection of the JavaScript removal detection image. This tag cannot
be none.
login-response
Specifies validation criteria on the response of this URL when it is a login page. You must configure
at least one of them. If you configure more than one validation criterion, then all the criteria must
be fulfilled for successful login. You can configure the following login page properties:
status-code
Specifies an HTTP response status code that the server must return to the user upon successful
login.
domain-cookie
Specifies a defined domain cookie that the successful response to the login URL must include.
exclude-string
Specifies a string that should NOT appear in the successful response to the login URL.
header
Specifies a header name and value that the successful response to the login URL must match.
include-string
Specifies a string that should appear in the successful response to the login URL.
validation
Enables or disables successful login validation.
malware
Specifies when the system detects attempts by attackers to inject malware into the URL. You can
configure the following options for Malware detection:
attach-html-to-alerts
Specifies, when enabled, that the system attaches forensics information along with the alerts.
auto-learn-form-tags
Specifies, when enabled, that the system learns the number of HTML form tags that appear in the
URL. In order to enable it, you must first enable source-integrity.
auto-learn-input-tags
Specifies, when enabled, that the system learns the number of HTML input tags that appear in
the URL. In order to enable it, you must first enable source-integrity.
auto-learn-script-tags
Specifies, when enabled, that the system learns the number of HTML script tags that appear in
the URL. In order to enable it, you must first enable source-integrity.
blocked-enter-key-detection
Specifies, when enabled, that the system detects a blocked "Enter" key.
deferred-execution
Specifies, when enabled, that the system detects deferred execution attacks.
domain-availability
Specifies, when enabled, that the system checks that client network connectivity is not blocked
by malware.
enable-symbols
Specifies, when enabled, that the system looks for malware strings (signatures) within
JavaScript.
[enabled | disabled]
Specifies whether the system protects this URL against injected malware and sends an alert if
it detects malware on this URL.
external-injection
Specifies, when enabled, that the system detects malicious scripts injected from domains not in
the profile's allowed-domains.
generic-malware
Specifies, when enabled, that the system applies the detection of generic malware, using
honeypots.
manual-count-form-tags
Specifies the number of HTML forms that appear in the URL.
manual-count-input-tags
Specifies the number of HTML inputs that appear in the URL.
manual-count-script-tags
Specifies the number of HTML scripts that appear in the URL.
password-exfiltration-detection
When enabled, the system detects attempts to steal the user's password in the web browser. An
alert is triggered if such an attempt is detected.
rat-detection
Specifies, when enabled, that the system checks for Remote Access Trojans (RATs) on clients'
web browsers.
removed-scripts-detection
Specifies, when enabled, that the system detects malicious scripts that removed their own
injection from the DOM.
same-domain-scripts-validation
Specifies, when enabled, that the system detects malicious responses to same-domain scripts.
self-bait
Specifies, when enabled, that the system scans the original source code of the page for
malicious injections.
source-integrity
Specifies, when enabled, that the system verifies that the URL's HTML source code matches the
HTML code sent from the server. The source integrity feature counts script tags that are
external (with src) and inline (without src).
vbklip-detection
Specifies, when enabled, that the system checks for VBKlip malware.
visibility-check
Specifies, when enabled, that the system searches HTML pages for words from
visibility-check-items.
visibility-check-items
Adds, deletes, or replaces a set of words that must appear in the web site's HTML pages and may
not be changed. If these words are changed, the system sends an alert.
web-rootkit-detection
Specifies, when enabled, that the system detects malware that overwrites native browser
functions.
whitelist-dom-signatures
Adds, deletes, or replaces a set of hash-IDs of DOM signatures that are permitted to appear in
requests for this URL, even though they are otherwise blacklisted by the system for other URLs.
whitelist-words
Deprecated since v15.0.0. Please use 'whitelist-dom-signatures' configuration instead. Adds,
deletes, or replaces a set of words that are permitted to appear in requests for this URL, even
though they are otherwise blacklisted by the system for other URLs.
mobilesafe-encryption
Specifies, when enabled, that the system protects requests for this URL from mobile devices with
Application layer encryption.
parameters
Adds, deletes, or replaces a set of sensitive parameters protected by the system. You can configure
the following options for each parameter:
ajax-mapping
Specifies the mapping between the parameter name and its location in the AJAX payload.
attach-to-vtoken-report
Specifies, when enabled, that the system adds the parameter value data to the alerts.
check-integrity
Specifies, when enabled, that the system verifies whether the user-input data was changed by
malware when it left the browser for the server.
encrypt
Specifies, when enabled, that the system encrypts the parameter's value attribute.
identify-as-username
Specifies, when enabled, that the system considers this parameter a username. Note: There may
be only one such parameter per URL, and its value is used only when login is successful
(according to the URL's login-response).
method
Deprecated since v14.1.0. Please use parameter 'search-in' configuration instead. Specifies the
method of the request from which the system gets the parameter data. Select either: POST (the
default value) or GET.
mobilesafe-encrypt
Specifies that this parameter contains the encrypted fields from mobile devices. Note: There
may be only one such parameter per URL (usually called auth); it cannot have other settings
enabled, and its method must be POST.
mobilesafe-entangle
Specifies that this parameter must be encrypted by mobile devices. The system replaces its
value in the request payload and sends an alert if the mobilesafe-encrypt parameter does not
contain this field.
obfuscate
Specifies, when enabled, that the system encrypts the parameter's name attribute.
priority
Specifies a unique ordinal number for this parameter in the set of wildcard parameters.
protect-by-selector
Specifies, when enabled, that the client considers this parameter's name to be a CSS selector.
Note: To enable it, the parameter name must be defined as explicit and you must enable
full-ajax-encryption.
search-in
Specifies the request part from which the system gets the parameter data. Select either
payload, query-string, or any (the default value). If any is selected, the system searches the
query string first and searches the payload only if the parameter is not found there.
substitute-value
Specifies, when enabled, that the system substitutes the parameter's value with asterisks [*]
in the web application while the form is being filled. In order to enable it, you must first
enable encrypt.
type Specifies the type of the parameter. Note: When you create a parameter, you can select either
type; thereafter it becomes read-only. The options are:
explicit
Specifies that the parameter has an exact path. This is the default value.
wildcard
Specifies that any parameter that matches this wildcard expression is considered
protected.
phishing
Specifies when the system detects phishing attempts by attackers who set up a fake URL that imitates
the real URL. You can configure the following options for Phishing detection:
capture-users
Specifies, when enabled, that the system logs the usernames and text fields (not passwords) of
users attacked by a phishing attempt.
copy-detection
Specifies, when enabled, that the system detects copied web pages.
css-protection
Specifies, when enabled, that the system activates the CSS module, which is part of the
system's phishing detection backup mechanism.
[enabled | disabled]
Specifies whether the system protects this URL against phishing and sends an alert if it
detects that this URL is under a phishing attempt.
field-types-to-send
Adds, deletes, or replaces a set of HTML input types whose values should be included in
phishing alerts.
inject-css-element
Specifies where the system injects the CSS element. You can configure the following options for
CSS element injection position:
[after | before]
Specifies whether the system injects the CSS element after an opening tag or before a
closing tag.
tag Specifies the HTML tag for injection of the CSS element. This tag cannot be none.
inject-css-link
Specifies where the system injects the CSS link, when application-css is disabled. You can
configure the following options for CSS link injection position:
[after | before]
Specifies whether the system injects the CSS link after an opening tag or before a closing
tag.
tag Specifies the HTML tag for injection of the CSS link. This tag cannot be none.
inject-inline-javascript
Specifies where the system injects the phishing inline script and image. You can configure the
following options for phishing inline script and image injection position:
[after | before]
Specifies whether the system injects the phishing inline script and image after an opening
tag or before a closing tag.
tag Specifies the HTML tag for injection of the phishing inline script and image. This tag
cannot be none.
priority
Specifies a unique ordinal number for this URL in the set of wildcard URLs.
type Specifies the type of the URL. Note: When you create a URL, you can select either type;
thereafter it becomes read-only. The options are:
explicit
Specifies that the URL has an exact path. This is the default value.
wildcard
Specifies that any URL that matches this wildcard expression is considered protected.
users
Adds, deletes, or replaces a set of users enforced by the system upon successful login. You can configure
the following options for an enforced user:
modes
Adds or deletes a single mode in the set of existing user modes.
mode Specifies a unique mode for the user. This option is required for the operations add and
delete. The options are:
block
Specifies that the system blocks the user account by displaying blocking-page.
forensic
Specifies that the system requires the user to run the Forensics tool on their host by
displaying forensic html.
inspection
Specifies that the system turns on verbose activity logging for this user, i.e. collects
all HTML and JS sources from sessions and sends this data to the dashboard.
remediation
Specifies that the system requires the user to run the Forensics tool in remediation mode, which
deploys the Anti-malware client on their host, by displaying forensic html.
duration
Specifies the number of minutes, counted from the user's first login, during which this mode is
enforced for the user when enforce-policy is time-limited. After this period expires, the user
mode is removed automatically.
enforce-policy
Specifies enforcement policy for this user mode. The options are:
enforce
Specifies that the user must download and run the Forensics tool in order to continue online
actions. Note: This policy may be specified only for the modes forensic and remediation.
time-limited
Specifies that the user is enforced in this mode for a limited time, namely until
first-login-time + duration minutes. When this policy is specified for the modes forensic and
remediation, the user may skip downloading and running the Forensics tool every time.
unlimited
Specifies that the user is enforced in this mode for unlimited time. When this policy is
specified for the modes forensic and remediation, the user may skip downloading and
running the Forensics tool every time.
first-login-time
Displays the time when the user first logged in while in this mode. A new user mode is added with
the value none, and it is updated automatically during traffic when enforce-policy is time-limited.
whitelist-custom-alerts
Specifies a list of predefined alerts that are ignored.
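The auto-transactions score options described above can be checked against min-report-score with a small model before tuning them. The Python below is an added example, not F5 code: it assumes that triggered scores simply add up, that the 40-point mouse score is the click-score option from the SYNTAX listing, and that missing either mouse minimum triggers it; the observation fields are hypothetical.

```python
from itertools import combinations

# Defaults quoted in the option descriptions above (scores are points).
DEFAULTS = {
    "click-score": 40,             # assumed name of the 40-point mouse score
    "time-fail-score": 20,
    "not-human-score": 25,
    "tampered-cookie-score": 50,
    "min-mouse-move-count": 5,
    "min-mouse-over-count": 2,
    "min-time-to-request": 2,      # seconds
    "min-report-score": 50,
}
SCORE_KEYS = ("click-score", "time-fail-score",
              "not-human-score", "tampered-cookie-score")


def failed_checks(obs, cfg=DEFAULTS):
    """Map one transaction's signals (constructed dict) to triggered scores."""
    hits = []
    # Assumption: missing either mouse minimum triggers click-score.
    if (obs["mouse_moves"] < cfg["min-mouse-move-count"]
            or obs["submit_hovers"] < cfg["min-mouse-over-count"]):
        hits.append("click-score")
    if obs["seconds_to_submit"] < cfg["min-time-to-request"]:
        hits.append("time-fail-score")
    if obs.get("suspected_bot"):       # hypothetical flag for the bot suspicion
        hits.append("not-human-score")
    if obs.get("cookie_tampered"):     # hypothetical flag for cookie tampering
        hits.append("tampered-cookie-score")
    return hits


def evaluate(obs, cfg=DEFAULTS):
    """Return (total, triggered scores, alert_sent) under the additive model."""
    hits = failed_checks(obs, cfg)
    total = sum(cfg[k] for k in hits)
    return total, hits, total >= cfg["min-report-score"]


def minimal_reporting_sets(cfg=DEFAULTS):
    """Smallest combinations of triggered scores that reach min-report-score."""
    found = []
    for size in range(1, len(SCORE_KEYS) + 1):
        for combo in combinations(SCORE_KEYS, size):
            if any(set(f) <= set(combo) for f in found):
                continue  # a smaller subset already reports on its own
            if sum(cfg[k] for k in combo) >= cfg["min-report-score"]:
                found.append(combo)
    return found


if __name__ == "__main__":
    # Constructed observations: a scripted submit and a fast human typist.
    scripted = {"mouse_moves": 0, "submit_hovers": 0, "seconds_to_submit": 0.3}
    typist = {"mouse_moves": 12, "submit_hovers": 2, "seconds_to_submit": 1.5}
    print(evaluate(scripted))
    print(evaluate(typist))
    print(minimal_reporting_sets())
```

In this model, with the defaults, a tampered cookie reaches min-report-score on its own, while an unmet time condition combined with a bot suspicion (45 points) does not.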
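The login-response, search-in and identify-as-username descriptions above interact: the username value counts only when every configured login-response criterion holds, and with search-in set to any the query string is consulted before the payload. The Python below is an added example, not F5 code; it assumes substring matching for include-string and exclude-string, an exact header value match, cookie presence by name, and a form-encoded payload, and all sample traffic is constructed.

```python
from urllib.parse import parse_qs


def login_succeeded(criteria, response):
    """login-response: every configured criterion must hold (logical AND)."""
    body = response.get("body", "")
    headers = {k.lower(): v for k, v in response.get("headers", {}).items()}
    checks = []
    if "status-code" in criteria:
        checks.append(response.get("status") == criteria["status-code"])
    if "domain-cookie" in criteria:    # assumption: presence by cookie name
        checks.append(criteria["domain-cookie"] in response.get("cookies", {}))
    if "header" in criteria:           # assumption: exact value match
        name, value = criteria["header"]
        checks.append(headers.get(name.lower()) == value)
    if "include-string" in criteria:
        checks.append(criteria["include-string"] in body)
    if "exclude-string" in criteria:
        checks.append(criteria["exclude-string"] not in body)
    if not checks:
        raise ValueError("configure at least one validation criterion")
    return all(checks)


def find_parameter(name, request, search_in="any"):
    """search-in: with 'any', the query string wins; payload is the fallback."""
    query = parse_qs(request.get("query", ""))
    payload = parse_qs(request.get("payload", ""))   # assumed form-encoded
    if search_in in ("query-string", "any") and name in query:
        return query[name][0]
    if search_in in ("payload", "any") and name in payload:
        return payload[name][0]
    return None


def reported_username(param, request, response, criteria, search_in="any"):
    """identify-as-username: the value counts only after a successful login."""
    if not login_succeeded(criteria, response):
        return None
    return find_parameter(param, request, search_in)


# Constructed sample traffic: this application answers 200 for bad passwords.
REQUEST = {"query": "lang=en", "payload": "user=alice&pass=constructed"}
FAILED = {"status": 200, "cookies": {}, "body": "<p>Invalid credentials</p>"}
GRANTED = {"status": 200, "cookies": {"SESSIONID": "constructed"},
           "body": "<h1>Welcome</h1>"}
WEAK = {"status-code": 200}
STRICT = {"status-code": 200, "domain-cookie": "SESSIONID",
          "exclude-string": "Invalid credentials"}

if __name__ == "__main__":
    print(reported_username("user", REQUEST, FAILED, WEAK))     # alice
    print(reported_username("user", REQUEST, FAILED, STRICT))   # None
    print(reported_username("user", REQUEST, GRANTED, STRICT))  # alice
```

A status-code criterion alone treats the failed attempt as a successful login here, so the username would be attributed to a session that never authenticated; adding domain-cookie and exclude-string removes that false positive.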
SEE ALSO
create, delete, edit, glob, list, ltm virtual, modify, regex, security, security anti-fraud, tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2009-2015. All rights reserved.
BIG-IP 2019-07-10 security anti-fraud profile(1)