F5BigIpsPolicy Compliance Checks
The F5BigIpsPolicy Custom Resource (CR) supports the following compliance checks. Each entry names the check and describes the condition that raises a compliance violation and, for configurable checks, what the configuration controls:
Configurable
The compliance checks listed below accept custom configuration.
- dns_disallowed_query_type - Disallowed DNS Query Type as per configuration.
- dns_experimental_resource_records - Experimental Resource Records as per configuration.
- dns_obsolete_resource_records - Indicates Resource Record types that have either been dropped or replaced by newer Resource Records as per configuration.
- dns_disallowed_resource_records - Disallowed Resource Records types as per the configuration.
- dns_maximum_reply_length - Reply length (in bytes) exceeds the configured value.
- dns_rdata_overflow - RDATA length (in bytes) exceeds the configured value.
- dns_domains_blacklist - Match domain from DNS request against blacklist of domains as per the configuration.
- dns_maximum_request_length - Request length (in bytes) exceeds the configured value.
- dns_unknown_resource_record_type - Resource Record Type IDs match the ranges 62-98, 110-248, 259-32767, 32770-65535.
- http_body_in_request - Request contains body data. A compliance violation is raised if a request using one of the configured methods carries body data (that is, a non-zero Content-Length or a Transfer-Encoding header).
- http_contains_colon - Validates that the header value of each of the configured HTTP header names/keys contains a colon.
- http_disallowed_filetypes - Disallowed file types. The file type is extracted from the HTTP URI path as per RFC 3986 and compared against the configured disallowed file types. The URI has to be a validly formatted URI for the check to work properly. A file extension of up to 8 characters is verified.
- http_disallowed_methods - Disallowed Methods. The compliance violation is raised if the method (not case-sensitive) is one of the configured methods.
- http_duplicate_header_name - Duplicate Header Name. The same header name (key/value pair) appears more than once in HTTP headers. The header names (not case-sensitive) configured under this configuration are excluded from this compliance check.
- http_empty_value - Empty header value. There is only a header key without any value. The values configured with this parameter are excluded from this check.
- http_high_ascii_characters - HTTP URI or HTTP header values contain high ASCII characters (that is, byte values greater than 127). For the URI, one level of percent-encoding is decoded before checking for high ASCII characters.
- http_host_with_ip_address - The value of the host header contains a valid IPv4/IPv6 address instead of a fully qualified domain name.
- http_invalid_hpack - Invalid HPACK block in the frame (invalid compression, reaching the limit of allocated memory, and so on).
- http_invalid_monotonic_stream_id - Check that stream identifiers are incremented monotonically. The value specifies the max distance between stream identifiers.
- http_malformed_pdu - HTTP protocol can’t be parsed per HTTP protocol specifications. Once a malformed PDU is detected, no more compliance check validation happens after that specific byte in payload. Disabling this compliance check or changing action to accept might cause unstable behavior and put your system at risk.
- http_max_allowed_headers_request - Max Allowed Headers, that is, the number of headers in the request exceeds the configured value.
- http_max_post_body_data_length - Max POST Body Data Length, that is, the body data of a POST request exceeds the configured value.
- http_max_query_string_length - Compliance violation is raised if the length of the query string pair exceeds the configured value. For example, in this URL: http:host/uri?query1=value1&query2=value2…, the query1=value1 is one query string pair, query2=value2 is second pair, and so on.
- http_max_request_length - This compliance check is raised if HTTP headers + HTTP body length exceeds the configured value.
- http_max_reserved_streams - Maximum number of streams that the server can reserve.
- http_max_spaces_between_header_fields - Indicates that the spaces between various header fields in the request header exceed the configured value. This includes spaces between request line, and header name and value pairs.
- http_max_uri_length - The compliance violation is raised if the URI length exceeds the configured value.
- http_missing_mandatory_headers - Validate that HTTP headers contain all the headers configured under this configuration value.
- http_no_host_header - No Host Header key/value pair exists in the HTTP request headers. The values configured with this parameter are HTTP methods of request (not case-sensitive) that will be excluded from this compliance validation.
- smtp_bad_commands_per_conn - Bad Commands Per Connection, as per section 4.1 of RFC-5321, number of bad commands exceeds the configured value.
- smtp_malformed_pdu - SMTP protocol can’t be parsed as per SMTP protocol specifications. Disabling this compliance check or changing action to accept might cause unstable behavior and put your system at risk.
- diameter_disallowed_origin_host - This compliance check matches value of Origin Host AVP against the configured values. Wildcard values are supported for this configuration.
- diameter_disallowed_destination_realm - This compliance check matches value of Destination Realm AVP against the configured values. Wildcard values are supported for this configuration.
- diameter_disallowed_origin_realm - This compliance check matches value of Origin Realm AVP against the configured values. Wildcard values are supported for this configuration.
- diameter_disallowed_imsi_entries - This compliance check matches the IMSI (User-Name AVP) of the Diameter message against the configured lists. Wildcard values are supported for this configuration. If an entry is present in both lists, it is considered disallowed. If the allowed list is not empty, an IMSI that fails to match the allowed list is considered disallowed. This compliance check is triggered only for a disallowed entry.
- diameter_previous_location_check - This compliance check indicates a mismatch in the Origin-Host/Origin-Realm AVPs between the last seen Update-Location-Request (ULR) and the current ULR/Purge-UE-Request/Notify-Request command. The value is a caching time in seconds for the last seen Update-Location-Answer, during which this compliance check will be raised.
- diameter_disallowed_apn - This compliance check matches the APN-Configuration AVP of the Diameter message against the configured values. Wildcard values are supported for this configuration.
- diameter_disallowed_apn_entries - This compliance check matches the APN AVP of the Diameter message against the configured lists. Wildcard values are supported for this configuration. If an entry is present in both lists, it is considered disallowed. If the allowed list is not empty, an APN that fails to match the allowed list is considered disallowed. This compliance check is triggered only for a disallowed entry.
- diameter_disallowed_destination_host - This compliance check matches value of Destination Host AVP against the configured values. Wildcard values are supported for this configuration.
- diameter_disallowed_command_code - This compliance check matches the command code of the Diameter message against the configured values.
- diameter_disabled_unused_operator_determined_barring_avp - Indicates disabled bits of Operator Determined Barring AVP which should be blocked in an IDR command.
- diameter_disallowed_imsi_for_ulr_messages - This compliance check matches the IMSI(User Name AVP) of the Diameter message against the configured values for a Update-Location-Request (ULR) message. Wildcard values are supported for this configuration.
- diameter_time_location_check - This compliance check indicates if there is a mismatch in MCC between the last seen Update-Location Request(ULR) and current ULR/Authentication-Information-Request commands. Value is a caching time in seconds for last seen Update-Location-Answer, during which this compliance check will be raised.
- diameter_allowed_avp_code_avp_flag - This configuration is an exception list of AVP codes for the Invalid AVP Flag compliance check.
- diameter_disallowed_imsi - This compliance check matches the IMSI(User Name AVP) of the Diameter message against the configured values. Wildcard values are supported for this configuration.
- diameter_disallowed_avps - This compliance check matches the code of the AVP against the configured values.
- diameter_app_id_ip_subnet_mapping - This compliance check is an Application-ID to IP subnet mapping that restricts external access to internal interfaces. The action is applied if the incoming Application-ID and IP address do not match the configured Key:Value list. The key is an Application-ID; the value is an IP address with an optional CIDR mask, for example 10.10.10.10/32, 10.10.10.10, 2008::ab, 2008:ab::cd/64. IPv4 and IPv6 are supported.
- ssl_disallowed_versions - All disallowed TLS/SSL versions are considered illegal. The default values are all versions that have been deprecated. RFC 6176, RFC 7568, and RFC 8996 have deprecated TLSv1.1 and earlier.
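To make the configurable HTTP checks concrete, the following added example (not F5 code; the policy values, the `check_request` helper and the raw requests are constructed for illustration) evaluates a raw HTTP/1.x request head against a handful of the checks above: disallowed methods, body data on configured methods, duplicate header names with an exclusion list, per-pair query string length, URI length, and a Host header carrying an IP address.

```python
import ipaddress
from collections import Counter

# Constructed sample policy: what a defender would configure for each check.
POLICY = {
    "http_disallowed_methods": {"TRACE", "CONNECT"},
    "http_body_in_request": {"GET", "HEAD"},      # methods that must not carry a body
    "http_duplicate_header_name": {"cookie"},     # names excluded from the duplicate check
    "http_max_query_string_length": 32,           # per key=value pair, in bytes
    "http_max_uri_length": 2048,
}


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request head into (method, uri, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers = [tuple(p.strip() for p in l.split(":", 1)) for l in lines if ":" in l]
    return method, uri, headers


def check_request(raw: bytes, policy=POLICY) -> list:
    """Return the names of the configurable checks this request violates."""
    method, uri, headers = parse_request(raw)
    counts = Counter(n.lower() for n, _ in headers)   # header names are case-insensitive
    hdr = {n.lower(): v for n, v in headers}
    findings = []
    if method.upper() in policy["http_disallowed_methods"]:
        findings.append("http_disallowed_methods")
    if method.upper() in policy["http_body_in_request"] and (
            hdr.get("content-length", "0") != "0" or "transfer-encoding" in hdr):
        findings.append("http_body_in_request")
    if any(c > 1 and n not in policy["http_duplicate_header_name"] for n, c in counts.items()):
        findings.append("http_duplicate_header_name")
    if len(uri) > policy["http_max_uri_length"]:
        findings.append("http_max_uri_length")
    query = uri.partition("?")[2]
    if query and max(len(p) for p in query.split("&")) > policy["http_max_query_string_length"]:
        findings.append("http_max_query_string_length")
    # Drop an optional :port and IPv6 brackets before testing the Host value as an address.
    host = hdr.get("host", "").rsplit(":", 1)[0].strip("[]")
    try:
        ipaddress.ip_address(host)
        findings.append("http_host_with_ip_address")
    except ValueError:
        pass
    return findings


if __name__ == "__main__":
    sample = b"TRACE / HTTP/1.1\r\nHost: 10.0.0.1:8080\r\nX-Id: 1\r\nX-Id: 2\r\n\r\n"
    print(check_request(sample))
```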
Non-configurable
The compliance checks listed below have fixed behaviour and take no configuration.
- dns_malformed_pdu - DNS protocol over SCTP transport is expected to begin with two-octet length field, otherwise Malformed DNS PDU will be raised. Disabling this compliance check or changing action to accept might cause unstable behavior and put your system at risk.
- dns_illegal_query_flags - For opcode 0 (Standard Query) - RD and CD flags are valid, for opcode 4 (Notify) - RD, CD and AA flags are valid. All others are considered illegal.
- dns_invalid_query_type - As per RFC 6895, 1035 - opcodes 0, 1, 2, 4, 5 are valid. All others are considered invalid.
- http_bad_unescape_uri - There is a Bad Unescape in URI. A bad unescape is raised when there is a percent (%) followed by two characters that are not a-f/A-F.
- http_bad_version - Bad HTTP Version. That is, it is not one of HTTP/0.9, HTTP/1.0, or HTTP/1.1. The HTTP version string is matched in non-case-sensitive fashion.
- http_content_len_and_transfer_encoding_headers - The HTTP headers contain both Content-Length and Transfer-Encoding as header names (key/value pairs). For HTTP/2, only the Content-Length header is checked.
- http_invalid_header - Invalid header. This covers several cases, such as a lowercase header name.
- http_invalid_method - Invalid Method. The method (not case-sensitive) is not valid per RFC2068, RFC3253, RFC3648, RFC3744, RFC4437, RFC4791, RFC4918, RFC5323, RFC5789, RFC5842, RFC7231, and RFC7540.
- http_invalid_setting - Invalid Setting frame.
- http_invalid_status_code - Invalid Status Code. The Status Code is not one of the allowed status codes as per RFC7231, RFC7232, RFC7233, RFC7538, RFC7235, RFC7540, RFC4918, RFC6585, RFC7725, RFC2295, RFC5842, and RFC2774.
- http_invalid_stream_id - Invalid Stream Id. The value of Stream Id is not ….
- http_malformed_header_value_contents - The header value contents do not contain an expected value. That is, the contents do not comply with specifications. For now, only Content-Length and Host header are supported.
- http_negative_content_length_value - There is negative Content-Length as a header value.
- http_non_crlf_line_break - As per HTTP protocol specification, each header line should have CRLF (Carriage Return + Line Feed) line break. In real HTTP traffic, we may only see LF as line break. This compliance check comes up for traffic with only LF as a line break.
- http_null_in_request_body - This compliance check is raised if the HTTP request body data contains a NULL character. The only exception is when the Content-Type is octet-stream.
- http_null_in_request_headers - Null in Request Headers, that is, the request URI, a header name, or a header value contains a NULL (0) character.
- http_post_with_zero_content_length - POST with Zero Content-Length as a value.
- http_post_without_content_len_or_transfer_encoding_header - Indicates a POST HTTP request without Content-Length or Transfer-Encoding header.
- http_recursive_url_encoding - Recursive URL Encoding. URL is encoded recursively so that it contains dual percent (%%) or percent encoded itself (%2525).
- http_response_with_no_content_len_and_transfer_encoding_header - HTTP response header contains neither Content-Length nor Transfer-Encoding Headers. The system stops processing further compliance checks after such an HTTP response header is seen.
- smtp_bad_server_greetings_response - Bad Server Greetings Response. That is, it is not 220 from the server side on the first response packet.
- smtp_binary_command - Raised if the SMTP command code contains non-ASCII characters, that is, characters outside the basic ASCII character set (ASCII values in the 32-126 range). This check only applies to the command code itself and not to command arguments/options.
- smtp_command_length_overflow - The command length, including command code and arguments, exceeds the configured value.
- smtp_commands_per_conn - The number of commands per connection exceeds the configured value.
- smtp_unknown_cmd - Unknown SMTP command as per RFC821, RFC2821, RFC5321, and the extended SMTP commands of MS Exchange.
- smtp_unknown_reply_code - Unknown Reply Code as per RFC821, RFC2821, RFC3463, RFC4954, RFC5321, RFC7372, and RFC7504.
- diameter_avp_message_type_mismatch - This compliance check indicates if there is an AVP in a Diameter message that must not be present.
- diameter_duplicated_avp - This compliance check indicates a duplicated Attribute-Value Pair (AVP) in a Diameter message.
- diameter_invalid_access_restriction_data_avp - This compliance check indicates that all of the first 7 bits in the value of the Access Restriction Data AVP are set.
- diameter_invalid_avp_code - This compliance check indicates an invalid Attribute-Value Pair (AVP) code as per section 4.5 of RFC-3588 (including the IANA AAA parameters registry) and RFC-6733.
- diameter_invalid_avp_flag - This compliance check indicates whether the AVP flags comply with the specifications in RFC 6733.
- diameter_invalid_avp_length - This compliance check indicates invalid Attribute-Value Pairs (AVP) length as per section 4.5 of RFC-3588 and RFC-6733.
- diameter_invalid_avp_type - This compliance check indicates invalid Attribute-value-pair (AVP) type as defined in the specifications in RFC 6733.
- diameter_invalid_command_code - This compliance check indicates invalid Command Codes as per section 3.1 of RFC-3588 (including the IANA AAA parameters registry) and the latest RFC-6733.
- diameter_invalid_host_realm_avp_format - This compliance check indicates invalid format of value of Origin/Destination Host/Realm AVPs.
- diameter_invalid_message_length - This compliance check indicates that length in header doesn’t match the actual packet length, or it is not a multiple of 4 as per RFC-6733.
- diameter_malformed_pdu - Diameter protocol can’t be parsed as per Diameter protocol specifications. Disabling this compliance check or changing action to accept might cause unstable behavior and put your system at risk.
- diameter_missing_mandatory_avp - This compliance check indicates if mandatory AVP is missing in a Diameter message.
- diameter_session_id_as_first_avp - This compliance check indicates that the Session-Id AVP, if present in a Diameter message, is not the first AVP.
- diameter_source_ip_host_ip_address_avp_mismatch - This compliance check verifies that the source IP address is consistent with the Host-IP-Address AVP, if it is present.
- diameter_weak_interface_separation - This compliance check indicates mismatch between the Command Code and the Application ID.
- ssl_deprecated_versions - All deprecated TLS/SSL versions are considered illegal. RFC 6176, RFC 7568, and RFC 8996 have deprecated TLSv1.1 and earlier.
- ssl_invalid_versions - All invalid TLS/SSL versions are considered illegal.
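The DNS header checks (dns_illegal_query_flags and dns_invalid_query_type above, together with the dns_unknown_resource_record_type ranges from the configurable list) can be applied to a raw query with a few lines of parsing. The following is an added example, not F5 code: `build_query`, `parse_query` and `check_query` are constructed helpers, and the assumption that opcodes other than 0 and 4 allow no flag bits is the author's reading of "all others are considered illegal".

```python
import struct

# Flag bits in the second 16-bit word of a DNS header (RFC 1035, section 4.1.1).
AA, TC, RD, RA, AD, CD = 0x0400, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010
FLAG_BITS = 0x07F0           # AA, TC, RD, RA, Z, AD, CD (opcode and RCODE excluded)
VALID_OPCODES = {0, 1, 2, 4, 5}
# Flags the page lists as valid per opcode; opcodes not listed allow none (assumption).
VALID_QUERY_FLAGS = {0: RD | CD, 4: RD | CD | AA}
# Resource Record type ID ranges the page classifies as unknown.
UNKNOWN_RR_RANGES = ((62, 98), (110, 248), (259, 32767), (32770, 65535))


def build_query(opcode: int, flag_bits: int, qname: str, qtype: int) -> bytes:
    """Constructed sample input: a single-question DNS query, no EDNS."""
    header = struct.pack("!6H", 0x1234, (opcode << 11) | flag_bits, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_query(pkt: bytes):
    """Return (opcode, flags word, qtype) of the single question in a query."""
    _ident, flags, qdcount = struct.unpack("!3H", pkt[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    off = 12
    while pkt[off] != 0:         # walk the uncompressed QNAME labels
        off += 1 + pkt[off]
    qtype, _qclass = struct.unpack("!HH", pkt[off + 1:off + 5])
    return (flags >> 11) & 0xF, flags, qtype


def check_query(pkt: bytes) -> list:
    """Return the names of the compliance checks the query violates."""
    opcode, flags, qtype = parse_query(pkt)
    findings = []
    if opcode not in VALID_OPCODES:
        findings.append("dns_invalid_query_type")
    elif flags & FLAG_BITS & ~VALID_QUERY_FLAGS.get(opcode, 0):
        findings.append("dns_illegal_query_flags")
    if any(lo <= qtype <= hi for lo, hi in UNKNOWN_RR_RANGES):
        findings.append("dns_unknown_resource_record_type")
    return findings


if __name__ == "__main__":
    # A standard query with AA set: AA is only valid for opcode 4 (Notify).
    print(check_query(build_query(0, RD | AA, "example.com", 1)))
```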