This article explains the legacy version of
A profile defines the set of security restrictions that may be used to screen inbound HTTP/HTTPS traffic.
Learn:
A profile defines the criteria for determining whether traffic is legitimate or malicious. WAF leverages this security configuration and performs a sequential check for each criterion. An overview of this security check is provided below.
Proceed to the next step if your profile configuration does not contain at least one accesslist.
Does the request satisfy at least one criterion in each defined accesslist? If not, then the request is identified as a threat and no further checks will be performed.
An accesslist identifies traffic that may access your content upon passing a threat assessment. Traffic may be accesslisted by ASN, country, IP address, referrer, URL, user agent, HTTP method, media type, and/or file extension.
A request will not be considered a threat until a threshold of violations is met. The score assigned to a request is determined according to the severity and frequency of the violations.
Severity: Each rule is assigned a severity. Each severity is assigned an anomaly score from 2 to 5.
Severity | Anomaly Score | Description |
---|---|---|
Critical | 5 | This severity level is triggered by web attack violations. |
Error | 4 | This severity level is reserved for future use. |
Warning | 3 | This severity level is triggered by malicious client violations. |
Notice | 2 | This severity level is generally used to indicate protocol policy violations. |
The workflow for threat detection is illustrated below.
A profile may be assigned a threshold value from 2 to 20. However, the recommended value is 5. A threshold value of 5 triggers threat identification after a single severe violation or multiple minor violations. This balanced approach identifies questionable requests without impacting legitimate traffic.
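The sequential check described above (accesslist gate first, then anomaly scoring against the profile threshold) can be modelled in a few lines. The following is an added illustration written for this article, not the WAF's own code: the rule identifiers, the request attributes, and the accesslist matching (simple membership per attribute) are constructed assumptions, and "threshold met" is taken to mean the summed score reaches or exceeds the configured value.

```python
from dataclasses import dataclass, field

# Anomaly score per severity, as listed in the table above.
SEVERITY_SCORE = {"critical": 5, "error": 4, "warning": 3, "notice": 2}


@dataclass
class Violation:
    rule_id: str    # constructed identifier, not a real WAF rule id
    severity: str   # one of the keys in SEVERITY_SCORE


@dataclass
class Profile:
    threshold: int = 5  # recommended value per the article
    # Accesslists keyed by attribute, e.g. {"country": {"US", "CA"}}.
    # An empty dict means no accesslist is defined (gate is skipped).
    accesslists: dict = field(default_factory=dict)


def passes_accesslists(request: dict, profile: Profile) -> bool:
    """A request must satisfy at least one entry in *each* defined accesslist.

    Assumption: each accesslist is a set of exact values for one request
    attribute; real accesslists also support patterns (URL, referrer, ...).
    """
    for attr, allowed in profile.accesslists.items():
        if request.get(attr) not in allowed:
            return False
    return True


def anomaly_score(violations) -> int:
    """Sum the per-severity anomaly scores of all triggered rules."""
    return sum(SEVERITY_SCORE[v.severity] for v in violations)


def evaluate(request: dict, violations, profile: Profile):
    """Return (verdict, score): verdict is 'allow' or 'threat'.

    Score is None when the accesslist gate already rejected the request,
    since no further checks are performed in that case.
    """
    if profile.accesslists and not passes_accesslists(request, profile):
        return "threat", None
    score = anomaly_score(violations)
    verdict = "threat" if score >= profile.threshold else "allow"
    return verdict, score


if __name__ == "__main__":
    profile = Profile(threshold=5, accesslists={"country": {"US", "CA"}})
    req = {"country": "US", "method": "GET"}  # constructed sample request
    # One critical rule alone meets the threshold of 5.
    print(evaluate(req, [Violation("r-1", "critical")], profile))
    # Two notices (2 + 2) stay below the threshold.
    print(evaluate(req, [Violation("r-2", "notice"), Violation("r-3", "notice")], profile))
    # A notice plus a warning (2 + 3) meets it.
    print(evaluate(req, [Violation("r-2", "notice"), Violation("r-4", "warning")], profile))
```

The last two calls show why the article calls a threshold of 5 balanced: a single protocol-policy violation (score 2) or even two of them never flags a request, while one web-attack rule, or a malicious-client rule combined with a protocol violation, does.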
By itself, a profile will not affect production traffic. Production traffic refers to requests directed to a live site; for example, the HTTP requests generated when a user visits your web page are considered production traffic. For a profile to take effect, both of the following conditions must be met:
An instance must define:
The above instance must be activated for the desired type of traffic from within Rules Engine via the Web Application Firewall feature.