This section discusses the configuring WAF Profile

Note:

  • Navigate to Templates > WAF > WAF Profile to locate the default profile.

  • System-WAF-Profile is the default profile that contains most commonly used web application settings served through a virtual service.

  • For customizing a profile, it is highly recommended to create a new profile instead of editing the default profile (System-WAF-Profile).

To create a new profile follow the below:

  1. Navigate to Templates > WAF > WAF Profile.

  2. Click on Create icon.

Settings Tab

Provide the following details to configure the WAF profile:

Field

Description

Additional Information

Name

Enter a relevant name for the profile.

Allowed Versions

Enter the allowed HTTP versions for the profile.

1.0, 1.1, 20.x and 2.0 are the default entries.

Allowed Methods

Enter the allowed HTTP method for the profile. Different applications might need different methods.

Websites might use only the default HTTP methods i.e. GET, HEAD, POST, OPTIONS. APIs might use other HTTP methods such as PUT, DELETE, TRACE, CONNECT etc.

You can also choose from the additional options provided below:

  • PATCH

  • PROPFIND

  • PROPPATCH

  • MKCOL

  • COPY

  • MOVE

  • LOCK

  • UNLOCK

Allowed Content Types

Enter the accepted request content types for the profile.

Default entry covers all standard content types.

Restricted Extensions

Enter extensions that should be restricted and blocked.

Generally, these are files that do not reside on a web server.

Restricted Headers

Enter headers that will not be allowed by WAF.

Static Extensions

Enter the list of static file extensions that will bypass the WAF check.

A GET request without any parameter or dynamic part is classified as a static request. It does not contain any attack vector.

Default Actions

Request Header, Request Body, Response Header, and Response Body are the four WAF phases. Each of this phase has a default action. The fields defined for this default action are phase,action,status code,additional logging,WAF logs

Phase: The Allowed values along with the description for each phase are as given below:

phase:1 - Request Header phase

phase:2 - Request Body phase

phase:3 - Response Header phase

phase:4 - Response Body phase.

Example- phase:1

action: Two options are permit and deny. Example- deny

status code: In case the request is denied by WAF then, by default a 403 status code is sent to the client. However, the status code can be customised (if required). Example- status:403

additional logging: Enter the additional logging level. Example- log

WAF logs: Enter the WAF logging level.

Example- auditlog

To configure the General Settings, follow the below:

  1. Select the WAF allowed HTTP versions in the field Allowed Versions. By default, 1.0, 1.1, 2.0 are selected.

  2. Select the WAF allowed HTTP methods, as required. By default GET, HEAD, POST, OPTIONS are selected.

  3. Select the WAF allowed content types to restrict the content types that are accepted. By default, standard content types are covered.

    Note:

    The other content types can be added easily.

  4. Under Restricted Extensions enter WAF restricted file extensions to restrict access by blocking. By default, it covers most use-cases.

  5. Under Restricted Headers enter WAF restricted headers to be blocked. By default, it covers most use-cases.

  6. Enter the list of static file extensions that should bypass the WAF check in the field Static Extensions.

The General section in the New WAF Profile screen is as shown below:



Other Settings

Maximum client request size

This is the maximum size for the client request body scanned by WAF.

Example - 32

Maximum backend response size

Enter the maximum response size in KB allowed by WAF.

Example - 128

Argument Separator

Enter the separator for specical applications that have different argument separators.

Example - &

Regex Match Limit

This is the Limit for CPU utilization for each regular expression match when the processing rules.

Example - 30000

Max Execution Time

This is the maximum time allowed for WAF processing for a single request.

Example - 50

Cookie Format Versions

Select the preferred cookie format version.

Version 1 cookies have been deprecated. Therfore, Netscape cookies are recommended.

XXE Protection

Block or flag XML requests referring to External Entities.

Check/Uncheck the Checkbox.

The following screenshot displays a sample configuration:



Files Tab

The static input data in a WAF profile that is shared between virtual services is stored here. For instance, the file name sql-errors.data has the default data set which contains strings for examining HTTP responses for data leakage protection.

To create a new file, follow the below :

  1. Go to the File Tab.

  2. Scroll down to the bottom of the page and click on + Add File.

  3. Provide a Name and enter the relevant Data.

These files can be referred in the custom WAF policy rules. For more information refer to Custom Rules