Profile Settings

This article explains the legacy version of WAF Essential that will undergo end-of-life on June 30, 2021. Our new version of WAF Essentials expands upon all of the capabilities offered by the legacy version of WAF Essential with a simplified and centralized setup. Please upgrade to the latest version of WAF at your earliest convenience.

The following information is only applicable for the WAF Essential product. This security offering provides limited Web Application Firewall and Rate Limiting functionality.

Profile setup has been organized into the following categories: Settings, Access Controls, Policies (Rule Set), and Rule Exceptions.

Settings

Core and advanced profile settings are grouped under the Settings tab.

Core Settings

Core profile settings allow you to:

Preventing False Positives

The characteristics of certain cookies, headers, and query string arguments may resemble malicious traffic. This may result in WAF incorrectly identifying a request as a threat. Avoid this situation by identifying the cookies, headers, and query string arguments that should be ignored when WAF performs threat assessment.


To set up an ignore list

  1. Create or modify a profile.

  2. From the Ignore List option, select whether an ignore list will be defined for cookies, headers, or query string arguments. The corresponding option will appear directly below this option.
  3. Set this option to a list of cookies, headers, or query string arguments that should be ignored. Identify each one by its name.
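The following is an added example, not code from the product or this page, that shows what an ignore list does during threat assessment. A stand-in signature (a crude UNION-based SQL injection pattern, since the ECRS rules are not published here) is run over the query string arguments, headers and cookies of a constructed request; names placed on the ignore list are skipped entirely. Case-insensitive comparison of header and cookie names, exact comparison of argument names, and the sample request itself are assumptions for the demonstration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Stand-in threat signature for the demonstration (the ECRS rules themselves are
# not published on this page): a crude UNION-based SQL injection pattern.
SQLI_SIGNATURE = re.compile(r"(?i)\bunion\b.+?\bselect\b")


def parse_cookie_header(cookie_header):
    """Split a Cookie request header into (name, value) pairs."""
    pairs = []
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            pairs.append((name, value))
    return pairs


def threat_assess(request, ignore_list=None):
    """Return the (location, name) pairs that trip the signature.

    request: dict with 'url', 'headers' (dict) and 'cookies' (Cookie header text).
    ignore_list: dict with optional keys 'args', 'headers', 'cookies', each a set
    of names to skip, mirroring the three Ignore List options. Header and cookie
    names are compared case-insensitively; query argument names are compared
    exactly (both are assumptions about the product's behaviour).
    """
    ignore_list = ignore_list or {}
    ignored_args = set(ignore_list.get("args", ()))
    ignored_headers = {h.lower() for h in ignore_list.get("headers", ())}
    ignored_cookies = {c.lower() for c in ignore_list.get("cookies", ())}
    hits = []

    for name, value in parse_qsl(urlsplit(request["url"]).query, keep_blank_values=True):
        if name not in ignored_args and SQLI_SIGNATURE.search(value):
            hits.append(("arg", name))
    for name, value in request.get("headers", {}).items():
        if name.lower() not in ignored_headers and SQLI_SIGNATURE.search(value):
            hits.append(("header", name))
    for name, value in parse_cookie_header(request.get("cookies", "")):
        if name.lower() not in ignored_cookies and SQLI_SIGNATURE.search(value):
            hits.append(("cookie", name))
    return hits


# Constructed sample: a code-search form whose 'q' argument and 'last_query'
# cookie legitimately carry SQL text, plus a header that should still be caught.
SAMPLE_REQUEST = {
    "url": "https://www.mydomain.com/code-search?q=SELECT+id+FROM+users+UNION+SELECT+1&page=2",
    "headers": {"User-Agent": "Mozilla/5.0", "X-Debug-Note": "union all select"},
    "cookies": "session=abc123; last_query=select 1 union select 2",
}
IGNORE_LIST = {"args": {"q"}, "cookies": {"last_query"}}

if __name__ == "__main__":
    print("without ignore list:", threat_assess(SAMPLE_REQUEST))
    print("with ignore list:   ", threat_assess(SAMPLE_REQUEST, IGNORE_LIST))
```

Note the trade-off the example makes visible: an ignored name is not inspected at all, so only list inputs that the application is known to handle safely (for instance a search box whose value is bound as a parameter, never concatenated into a query), and list them by exact name rather than broadening the ignore list until the false positives disappear.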

Advanced Settings

Advanced settings, which may be viewed by expanding the More Details section, define query string argument and file size limitations that cannot be exceeded by valid requests.

The modification of these advanced settings is strongly discouraged.


File size

The Single File Upload Limit option defines the maximum file size, in bytes, for a POST request.

The Multiple File Upload Limit option defines the total file size, in bytes, for a POST request that is a multipart message.

For the purpose of these settings, file size is calculated from the body (i.e., message or payload) of POST requests with a Content-Type header that is set to "multipart/form-data."

The recommended maximum value for both of these settings is 6,291,456 bytes.

Query string value/parameters

A variety of restrictions may be placed on either a request's query string value or parameters.

The Total Argument Length option defines the maximum number of characters for the query string value in the request URL.

The Max # of Arguments/Request option defines the maximum number of parameters that a query string may contain.

The Single Argument Length option defines the maximum number of characters for any single query string parameter value in the request URL.

The Argument Name Length option defines the maximum number of characters for any single query string parameter name in the request URL.
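As an added example (not code from the product or this page), the following enforces the six advanced limits above on a request. The limit values other than the recommended 6,291,456-byte upload maximum are hypothetical, the multipart splitter is a minimal one written for the demonstration, and measuring the per-argument lengths on percent-decoded names and values is an assumption; the sample upload body is constructed.

```python
from urllib.parse import parse_qsl, urlsplit

# Limit values below are hypothetical; the page only states a recommended
# maximum of 6,291,456 bytes for the two upload limits.
DEFAULT_LIMITS = {
    "single_file_upload_limit": 6_291_456,    # bytes, largest single file part
    "multiple_file_upload_limit": 6_291_456,  # bytes, whole multipart body
    "total_argument_length": 2048,            # characters, entire raw query string
    "max_arguments_per_request": 50,
    "single_argument_length": 512,            # characters, any one decoded value
    "argument_name_length": 64,               # characters, any one decoded name
}


def multipart_file_sizes(content_type, body):
    """Byte length of every file part in a multipart/form-data body.

    Minimal splitter for the demo: parts are delimited by '--' + boundary, and a
    part counts as a file when its Content-Disposition carries a filename.
    """
    boundary = None
    for param in content_type.split(";")[1:]:
        key, _, value = param.strip().partition("=")
        if key.lower() == "boundary":
            boundary = value.strip('"').encode()
    if boundary is None:
        return []
    sizes = []
    for part in body.split(b"--" + boundary)[1:]:
        if part.startswith(b"--"):                 # closing delimiter reached
            break
        head, sep, content = part.partition(b"\r\n\r\n")
        if sep and b"filename=" in head.lower():
            sizes.append(len(content.rstrip(b"\r\n")))
    return sizes


def check_limits(method, url, headers, body=b"", limits=DEFAULT_LIMITS):
    """Return the names of the limits the request exceeds ([] means within limits).

    Total Argument Length is measured on the raw query string; the per-argument
    lengths on percent-decoded names and values (an assumption, the page does not
    say whether raw or decoded length counts).
    """
    violations = []
    query = urlsplit(url).query
    args = parse_qsl(query, keep_blank_values=True)
    if len(query) > limits["total_argument_length"]:
        violations.append("total_argument_length")
    if len(args) > limits["max_arguments_per_request"]:
        violations.append("max_arguments_per_request")
    if any(len(name) > limits["argument_name_length"] for name, _ in args):
        violations.append("argument_name_length")
    if any(len(value) > limits["single_argument_length"] for _, value in args):
        violations.append("single_argument_length")

    # The two file size limits apply only to POST bodies sent as multipart/form-data.
    content_type = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    if method == "POST" and content_type.split(";")[0].strip().lower() == "multipart/form-data":
        if len(body) > limits["multiple_file_upload_limit"]:
            violations.append("multiple_file_upload_limit")
        sizes = multipart_file_sizes(content_type, body)
        if sizes and max(sizes) > limits["single_file_upload_limit"]:
            violations.append("single_file_upload_limit")
    return violations


# Constructed sample upload: one 10-byte file part.
SAMPLE_HEADERS = {"Content-Type": "multipart/form-data; boundary=XbOuNd"}
SAMPLE_BODY = b"".join([
    b"--XbOuNd\r\n",
    b'Content-Disposition: form-data; name="file"; filename="a.txt"\r\n',
    b"Content-Type: text/plain\r\n\r\n",
    b"A" * 10, b"\r\n",
    b"--XbOuNd--\r\n",
])

if __name__ == "__main__":
    print(check_limits("POST", "https://www.mydomain.com/upload", SAMPLE_HEADERS, SAMPLE_BODY))
    tight = dict(DEFAULT_LIMITS, single_file_upload_limit=5)
    print(check_limits("POST", "https://www.mydomain.com/upload", SAMPLE_HEADERS, SAMPLE_BODY, tight))
```

The body-size check is taken from the raw body length, as the page describes, while the single-file check needs the part boundaries; a real upload endpoint should be measured against both, since many small parts can exceed the total limit without any one part exceeding the single-file limit.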

JSON Inspection

Determines whether JSON payloads will be inspected.

Access Controls

Identify valid and/or malicious requests by:

Basic Access Controls

Control access to your content by creating whitelists, accesslists, and blacklists for the following categories:


ASN

Identifies requests according to the autonomous system (AS) from which the request originated. Specify each desired AS by its autonomous system number (ASN).

Country

Identifies requests by the country from which the request originated. Specify each desired country using its country code.

IP Address

Identifies requests by the requester’s IPv4 and/or IPv6 address. Specify each desired IP address using standard IPv4/IPv6 and CIDR notation.

Specify a subnet by appending a slash (/) and the desired bit-length of the prefix (e.g., 11.22.32.0/22). The address portion must be the network address of the block, with no host bits set: 11.22.33.0/22 is not a valid /22 block, because the third octet (33) has bits set inside the 10-bit host portion.

Do not specify more than 1,000 IP addresses or IP blocks. Whitelist, accesslist, and blacklist entries count towards this limit.

Referrer

Identifies requests by referrer. A successful match is found when the specified regular expression matches any portion of the Referer request header value.

The Referer request header identifies the URL of the resource (e.g., web page) from which the request was initiated. The specified regular expression may match any portion of the entire URL including the protocol and hostname.

URL

Identifies requests by searching for a value that matches the specified regular expression within the request URI.

Do not include a protocol or a hostname (e.g., http://cdn.mydomain.com) when defining a regular expression for this access control.

Certain common characters (e.g., ?.+) have special meaning in a regular expression. Use a backslash to escape a special character (e.g., main\.html\?user=Joe).

Example

All of the entries in the following sample access control list will match the sample request:

/marketing/.*

.*images.*

.*/ad[0-9]*\.png

Sample request:

http://www.mydomain.com/marketing/images/ad001.png

User Agent

Identifies requests by the user agent that acted on behalf of a user to submit the request. A successful match is found when the specified regular expression matches any portion of the User-Agent request header value.

Whitelists

The purpose of a whitelist is to identify legitimate traffic.

Accesslists

The purpose of an accesslist is to identify traffic that may access your content upon passing a threat assessment. If one or more accesslists have been defined, WAF will only inspect requests that satisfy at least one criterion in each defined accesslist. All other traffic, unless it has been whitelisted, will be blocked.

Blacklists

The purpose of a blacklist is to describe unwanted traffic.
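The following is an added example, not the product's own code, that puts the pieces above together: access control criteria of each type (ASN, country, IP/CIDR, Referer, URL, User-Agent), the whitelist/accesslist/blacklist semantics described above, the 1,000-entry IP limit, and a check that the three regular expressions from the URL example match the sample request. The order of evaluation (whitelist first, then blacklist, then every accesslist) is an assumption drawn from the list definitions; the request, list contents and field names are constructed for the demonstration.

```python
import ipaddress
import re

MAX_IP_ENTRIES = 1000  # page limit across whitelist, accesslist and blacklist IP entries


def is_valid_ip_entry(text):
    """True for a single IPv4/IPv6 address or a CIDR block with no host bits set."""
    try:
        ipaddress.ip_network(text, strict=True)
        return True
    except ValueError:
        return False


class Criterion:
    """One entry of an access control list.

    kind: 'asn', 'country', 'ip', 'referrer', 'url' or 'user_agent'.
    ASN and country entries are compared exactly, IP entries as address/CIDR
    membership, and the other three as regular expressions searched anywhere in
    the request URI, Referer header or User-Agent header respectively.
    """
    REGEX_FIELDS = {"url": "uri", "referrer": "referer", "user_agent": "user_agent"}

    def __init__(self, kind, value):
        self.kind = kind
        if kind == "ip":
            self.value = ipaddress.ip_network(value, strict=True)  # rejects host bits set
        elif kind in self.REGEX_FIELDS:
            self.value = re.compile(value)
        else:
            self.value = value

    def matches(self, req):
        if self.kind == "ip":
            # An IPv4 address is never inside an IPv6 block and vice versa.
            return ipaddress.ip_address(req["ip"]) in self.value
        if self.kind == "asn":
            return req["asn"] == self.value
        if self.kind == "country":
            return req["country"].upper() == self.value.upper()
        return self.value.search(req.get(self.REGEX_FIELDS[self.kind], "")) is not None


def ip_entry_count(whitelist, accesslists, blacklist):
    """Number of IP entries across all lists, to compare against MAX_IP_ENTRIES."""
    lists = [whitelist, blacklist, *accesslists]
    return sum(1 for lst in lists for c in lst if c.kind == "ip")


def decide(req, whitelist=(), accesslists=(), blacklist=()):
    """Return 'allow' (skip inspection), 'block' or 'inspect' (run threat assessment).

    The ordering is an assumption drawn from the list definitions: whitelisted
    traffic passes without inspection, blacklisted traffic is blocked, and when
    accesslists exist a request must match at least one criterion in every
    accesslist or it is blocked. Anything left is inspected.
    """
    if any(c.matches(req) for c in whitelist):
        return "allow"
    if any(c.matches(req) for c in blacklist):
        return "block"
    for acl in accesslists:
        if not any(c.matches(req) for c in acl):
            return "block"
    return "inspect"


# Constructed sample request, using documentation-reserved address and ASN values.
SAMPLE_REQUEST = {
    "ip": "203.0.113.45", "asn": 64496, "country": "us",
    "uri": "/marketing/images/ad001.png",
    "referer": "https://www.mydomain.com/marketing/",
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64)",
}
ACCESSLISTS = [
    [Criterion("country", "US"), Criterion("country", "CA")],
    [Criterion("url", r"^/marketing/"), Criterion("url", r"^/static/")],
]
BLACKLIST = [Criterion("user_agent", r"(?i)sqlmap|nikto"), Criterion("ip", "198.51.100.0/24")]
WHITELIST = [Criterion("ip", "2001:db8::/32")]

if __name__ == "__main__":
    print(decide(SAMPLE_REQUEST, WHITELIST, ACCESSLISTS, BLACKLIST))  # inspect
```

Two points worth taking from the example: a whitelist match skips threat assessment altogether, so whitelisted ranges deserve the same scrutiny as an ignored parameter; and the accesslist rule is "at least one criterion in each list", so two accesslists act as an AND of two ORs, which is why the request is blocked as soon as any one accesslist has no matching entry.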


Additional Access Controls

Unlike the access controls described above, the following access controls are limited to identifying malicious traffic:

HTTP Methods

Define the set of valid and invalid HTTP request methods via the Allowed HTTP Methods option. An HTTP request method indicates the type of action that a server should perform on the asset identified in the request URL. Common HTTP request methods are GET, POST, PUT, DELETE, HEAD, OPTIONS, TRACE, and CONNECT.

Media Types (aka Content Types)

Define the set of valid media types (aka content types or MIME types) via the Allowed Request Content Types option. A media type identifies/classifies the data contained in a file.


File Extensions

Define the set of invalid file extensions via the Extension Blacklist option.
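As an added example, not code from the product or this page, the following applies the three additional access controls above to a request and shows the normalization each one needs before a simple set lookup is safe: the media type is compared without its parameters (charset, boundary), the extension is taken from the percent-decoded path only, lowercased and with the query string ignored, and the method token is compared exactly because HTTP methods are case-sensitive. The allowed methods, allowed content types and blacklisted extensions are sample values chosen for the demonstration.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Sample values for the three options; a real profile would carry its own.
ALLOWED_METHODS = {"GET", "POST", "HEAD", "OPTIONS"}
ALLOWED_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "application/json"}
EXTENSION_BLACKLIST = {".php", ".asp", ".aspx", ".jsp", ".cgi"}


def media_type(content_type_header):
    """The media type alone, lowercased, with parameters such as charset or boundary removed."""
    return content_type_header.split(";", 1)[0].strip().lower()


def request_extension(url):
    """Lowercased extension of the last path segment, after percent-decoding, ignoring the query string."""
    path = unquote(urlsplit(url).path)
    return posixpath.splitext(path)[1].lower()   # '' when the segment has no extension


def additional_access_controls(method, url, headers, allowed_methods=ALLOWED_METHODS,
                               allowed_types=ALLOWED_CONTENT_TYPES, blocked_extensions=EXTENSION_BLACKLIST):
    """Return the names of the controls a request fails ([] means none failed)."""
    failed = []
    # Method tokens are case-sensitive in HTTP, so 'get' is not the allowed 'GET'.
    if method not in allowed_methods:
        failed.append("method")
    content_type = {k.lower(): v for k, v in headers.items()}.get("content-type")
    if content_type is not None and media_type(content_type) not in allowed_types:
        failed.append("content_type")
    if request_extension(url) in blocked_extensions:
        failed.append("extension")
    return failed


if __name__ == "__main__":
    print(additional_access_controls("TRACE", "https://www.mydomain.com/app/index.PHP?x=1",
                                     {"Content-Type": "text/xml; charset=utf-8"}))
```

Without the decoding step a request for /app/index.p%68p would slip past an extension blacklist containing .php, and without stripping parameters a Content-Type of "application/json; charset=utf-8" would fail a content type allowlist that lists application/json.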


Policies (Rule Set)

WAF provides protection for known and unknown vulnerabilities through the ECRS rule set. Balance security against false positives (a false positive is a legitimate request that WAF identified as malicious traffic) via the Security Level option. Security levels are explained below.

Ensure that your web applications are secured by the latest threat detection policies by enabling the Automatically opt-in to the latest ECRS ruleset option.

Each rule set consists of a set of threat detection policies. Each threat detection policy contains a set of rules that define how threats to site traffic will be detected.


Policy and Rule Updates

Periodic updates to the policies and rules in a rule set are necessary to address the dynamic nature of threats to site traffic. Due to this changing landscape of threats, it is critical to keep up with the latest rule set updates. Using the latest rule set version maximizes the degree to which HTTP/HTTPS traffic is protected.

Identify a rule set's version by the date on which it was released.

Syntax:

Rule Set Name Date

Example:

ECRS 2019-02-11

Threat Detection Policies

A brief description for each available threat detection policy is provided below.

Balance security with optimal data delivery performance by disabling policies that do not apply to your site's traffic. For example, the Typo3 attacks policy should be disabled if your site does not use that CMS.

The ability to monitor outbound traffic is currently unsupported. Therefore, none of the following policies are applicable to outbound traffic.

Rule Exceptions

An effective strategy for reducing false positives (legitimate requests that WAF identified as malicious traffic) is to create rule exceptions. A rule exception identifies one or more rules that will be ignored for a set of requests. Identify requests using any of the following criteria:

Tips for setting up rule exceptions: