Professional Documents
Culture Documents
A10 Networks WAF Guide PDF
A10 Networks WAF Guide PDF
Patent Protection
A10 Networks products are protected by patents in the U.S. and elsewhere. The following website is provided to satisfy the virtual pat-
ent marking provisions of various jurisdictions including the virtual patent marking provisions of the America Invents Act. A10 Net-
works' products, including all Thunder Series products, are protected by one or more of U.S. patents and patents pending listed at:
https://www.a10networks.com/company/legal-notices/a10-virtual-patent-marking.
Trademarks
The A10 logo, A10 Harmony, A10 Lightning, A10 Networks, A10 Thunder, aCloud, ACOS, Affinity, aFleX, aFlow, aGalaxy, aGAPI, aVCS, AX,
aXAPI, IDsentrie, IP-to-ID, SSL Insight, SSLi, Thunder, Thunder TPS, UASG, and vThunder are trademarks or registered trademarks of A10
Networks, Inc. in the United States and other countries. All other trademarks are property of their respective owners.
Confidentiality
This document contains confidential materials proprietary to A10 Networks, Inc. This document and information and ideas herein may
not be disclosed, copied, reproduced or distributed to anyone outside A10 Networks, Inc. without prior written consent of
A10 Networks, Inc.
Anyone who uses the Software does so only in compliance with the terms of the End User License Agreement (EULA), provided later in
this document or available separately. Customer shall not:
1. reverse engineer, reverse compile, reverse de-assemble or otherwise translate the Software by any means
Disclaimer
This document does not create any express or implied warranty about A10 Networks or about its products or services, including but not
limited to fitness for a particular use and non-infringement. A10 Networks has made reasonable efforts to verify that the information
contained herein is accurate, but A10 Networks assumes no responsibility for its use. All information is provided "as-is." The product
specifications and features described in this publication are based on the latest information available; however, specifications are sub-
ject to change without notice, and certain features may not be available upon initial product release. Contact A10 Networks for current
information regarding its products or services. A10 Networks’ products and services are subject to A10 Networks’ standard terms and
conditions.
Environmental Considerations
Some electronic components may possibly contain dangerous substances. For information on specific component types, please con-
tact the manufacturer of that component. Always consult local authorities for regulations regarding proper disposal of electronic com-
ponents in your area.
Further Information
For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest A10 Networks loca-
tion, which can be found by visiting www.a10networks.com.
A10 Thunder Series and AX Series
Contents
Overview ...................................................................................................................................................................... 9
WAF Overview.......................................................................................................................................................................9
WAF External Logging..................................................................................................................................................... 10
Protection Against Common Web Attacks .............................................................................................................. 10
Buffer Overflow Attacks ......................................................................................................................................................................10
Cookie Tampering ..................................................................................................................................................................................11
Forceful Browsing ...................................................................................................................................................................................11
Web Form Security Attacks ...............................................................................................................................................................11
WAF Security Models....................................................................................................................................................... 12
Positive Security Model .......................................................................................................................................................................12
Negative Security Model ....................................................................................................................................................................12
Request Protection........................................................................................................................................................... 13
Compare Request URI to White List and Black List ............................................................................................................13
White List ................................................................................................................................................................................................................. 13
Black List ................................................................................................................................................................................................................... 13
URL Check ...................................................................................................................................................................................................14
Scan Request for Threats ....................................................................................................................................................................15
Bot Check ................................................................................................................................................................................................................ 15
Form Field Consistency Check ................................................................................................................................................................... 16
Referer Check ........................................................................................................................................................................................................ 16
HTTP Protocol Compliance Check ........................................................................................................................................................... 16
HTML Cross-Site Scripting (XSS) Check ................................................................................................................................................ 17
Buffer Overflow Check .................................................................................................................................................................................... 18
HTML SQL Injection Check ........................................................................................................................................................................... 18
Allowed HTTP Methods Check .................................................................................................................................................................. 18
Maximum Cookies Check ............................................................................................................................................................................. 19
Maximum Headers Check ............................................................................................................................................................................. 19
Session Checks ..................................................................................................................................................................................................... 20
Password Security .............................................................................................................................................................................................. 20
Open Redirect Mitigation ............................................................................................................................................................................. 22
Normalization Enhancements for URL Options .............................................................................................................................. 24
WAF XML Checks ....................................................................................................................................................................................26
XML Format Checks .......................................................................................................................................................................................... 27
XML Validation Checks .................................................................................................................................................................................... 27
XML Limit Checks ............................................................................................................................................................................................... 29
XML Cross-Site Scripting Checks .............................................................................................................................................................. 31
XML SQL Injection Checks ............................................................................................................................................................................ 32
WAF SOAP Checks ..................................................................................................................................................................................33
SOAP Format Checks ....................................................................................................................................................................................... 33
SOAP Validation Checks ................................................................................................................................................................................. 34
WAF JSON Checks ..................................................................................................................................................................................36
JSON Format Checks ........................................................................................................................................................................................ 36
JSON Limit Checks ............................................................................................................................................................................................. 37
Geo-location Based Blocking ..........................................................................................................................................................38
Filter Requests Using an HTTP Policy ..................................................................................................................................................... 38
Filter Requests Using an ACL ...................................................................................................................................................................... 41
Configuring the WAF with aFleX Scripts ..................................................................................................................................41
Overview
• WAF Overview
• Request Protection
• Response Protection
WAF Overview
The A10 product line provides additional security for your Web servers with the Web Application Firewall
(WAF) feature. The WAF filters communication between users and Web applications to protect Web servers
and sites from unauthorized access and malicious programs. This new layer of security examines incoming
user requests, output from Web servers, and access to Web site content to safeguard against Web attacks
and protect sensitive information hosted on Web servers.
The WAF protects against the following main threats to Web servers:
• Unauthorized access and control of the Web server – There are various attacks designed to grant an
attacker access to and control of a Web server. If an attack is successful, the unauthorized user can
deface existing Web pages, provide SMTP services to send spam, or launch distributed denial-of-ser-
vice (DDoS) attacks.
In addition, the attacker can use the compromised server to host content directly, or act as a proxy for
content hosted on another server. This type of attack can enable unauthorized users to host illegal,
online activities using your Web server resources.
• Unauthorized retrieval of sensitive information – These attacks are intended to provide unauthorized
retrieval or leakage of sensitive information from your Web sites or back-end databases.
The WAF is configured via a WAF template, which includes built-in basic and policy-based security checks for
convenient and quick deployment. Within the WAF template, you can enforce security checks to immedi-
ately provide a foundational level of protection against common threats.
Web sites are further protected from attack through checks that are defined by customizable WAF policy
files. You can configure WAF policy files for advanced countermeasures to common attacks, such as SQL
injection attacks or bots.
If the system does not have the filters enforced to block these requests, a buffer overflow can trigger the
underlying operating system to slow down or crash. This form of attack compromises a Web server and can
permit unauthorized users to access sensitive information.
The WAF can prevent buffer overflow attacks by setting an accepted maximum for aspects of an HTTP
request and blocking requests which exceed the configured limit. This includes normalization of the URL.
(For details on URL normalization, see “url-options option – This command is used to normalize
requested URLs.” on page 98.)
Cookie Tampering
Cookie tampering occurs when a user sends a modified cookie to a Web server in an attempt to access unau-
thorized content. To protect against cookie tampering, enable the Cookie Encryption check within the WAF
template.
Forceful Browsing
Forceful browsing occurs when a user bypasses the hyperlinks of a Web site to access the URLs of a Web site
directly. This method is normally used to gain access to private pages, but can be used in conjunction with
other attacks to compromise a Web server. To protect against forceful browsing, enable the URL check for
your Web site. (See “URL Check” on page 14.)
• SQL Injection Attacks (SQLIA) – An SQL Injection Attack uses a Web form or other mechanism to send
active SQL commands or SQL special characters to the Web site’s SQL database. An SQL Injection
Attack can trigger the back-end SQL database to execute SQL commands, allowing attackers to
retrieve sensitive information from the database. The WAF includes the SQL Injection Check template
option and default “sqlia_defs” policy file to provide immediate protection from SQL Injection Attacks.
• Cross-Site Scripting (XSS) Attacks – A cross-site scripting (XSS) attack attempts to use Javascript com-
mands to modify Web page content or obtain hidden properties from a Web site. XSS can compromise
the security of a Web server or allow an attacker to retrieve sensitive information. The WAF includes
the XSS Check template option and default “jscript_defs” policy file to provide immediate protection
from XSS attacks.
The WAF operates based on both a positive security model and negative security model to maximize protec-
tion.
All operational modes support the White List Check. During the White List Check, the WAF compares the URI
of a user request against the URI patterns in the White List policy file. If there is match, the WAF performs
additional checks.
Request Protection
The WAF scans request elements for possible threats or malicious content. Based on the responsive action
that is configured for each security check, the WAF denies the client request completely or sanitizes the
request of malicious content and forwards the sanitized request to the Web server.
The WAF filters inbound traffic through the following security checks.
White List
The URI White List defines acceptable destination URIs allowed for incoming requests. The White List Check
compares the URI of an incoming request against the rules contained in the URI White List policy file. Con-
nection requests are accepted only if the URI matches a rule in the URI White List. For more information, see
“URI White List” on page 110.
Black List
A URI Black List is a WAF policy file that lists exclusion criteria for incoming requests. If the URI of an incoming
request matches a rule in the URI Black List, the request is automatically blocked.
The URI Black List works in combination with the URI White List to restrict accessible URIs on a Web site. If a
URI matches acceptance criteria within the URI White List, a connection is blocked automatically if it meets a
rule in the separate URI Black List. For more information, see “URI Black List” on page 109.
The following diagram displays the processing order for incoming requests:
In this illustration, the WAF filters 3 HTTP requests. Of these, request #3 does not meet any criteria in the WAF
template’s URI White List and is blocked.
The remaining requests are compared against the WAF template’s URI Black List and blocked if they match at
least one URI Black List rule. Of these, request #2 is denied. Request #1 is the only request that is processed
for additional security checks.
URL Check
In addition to the URI White List and Black List, you can enable the URL Check to restrict users to a limited set
of URL paths on your Web site. The URL Check allows clients to access a specific set of acceptable URLs that
were added to the URL-check policy file while the WAF is deployed in Learning Mode.
Once this policy file is generated, you can manually edit its contents before switching the WAF deployment
mode from Learning to Active. At this point, users will be prevented from accessing any URLs on your web-
site that are not listed in this generated policy file.
NOTE: For a deployment example that includes configuration of the URL Check, see
“Generate Allowed URL Paths for the URL Check” on page 127.
If the URL Check is enforced in the WAF template, the accessible Web pages must appear as hyperlinks on
your website to appear in the list. This means users can access the pages on your Web site that appear as
hyperlinks, but they are prevented from accessing private pages through “forceful browsing”. For more infor-
mation, see “Forceful Browsing” on page 11.
NOTE: In the example shown in Figure 1 on page 14, the URL Check would achieve
the same degree of security if a hyperlink is only provided to the page “/
site_images.jpg”.
Bot Check
The Bot Check option uses the “bot_defs” WAF policy file for search definitions of known bot agents. If the
Bot Check is enabled in the WAF template and a match is found with the “bot_defs” file, the request is
denied automatically.
You can copy the “bot_defs” file and modify the copy to include or remove bot search terms. For more infor-
mation about WAF policy files, see “WAF Policy Files” on page 107.
Referer Check
The Referer Check validates that the referer header in a request contains Web form data from the specified
Web server, rather than from an outside Web site. This check helps to protect against CSRF attacks. If a
request fails the Referer Check, the WAF redirects the request to a safe URL. The safe URL is any URL that you
specify during configuration.
When you configure the Referer Check, you specify the domain names from which you want to allow traffic.
When ACOS receives a request addressed to the virtual port that is using the WAF, the WAF examines the Ref-
erer field of the request.
You can select one of the following options for the Referer Check:
• Enable (full checking) – Select the Enable option to enable full checking. To pass the full check, the
request must contain a Referer header field, and the field must contain at least one of the domain
names you specify during configuration.
• Only-if-present checking – Enable this option to check the referer header of a request only when a ref-
erer header is present. Unlike the full checking option, the only-if-present option ensures that a
request does not fail the Referer Check automatically because there is no referer header in the request.
NOTE: The WAF issues sends a warning message to the logging servers if a POST
request (that is not chunked) has a content length of 0.
NOTE: A request containing more than one Content-Length header might indicate
that the request is part of an HTTP response-splitting attack.
NOTE: This check uses the “jscript_defs” WAF policy file for Javascript attack pat-
terns. If your Web site uses Javascript-based content that accesses or modi-
fies content on an outside server, A10 Networks recommends modifying the
“jscript_defs” file to generate the appropriate exceptions, so that this check
does not block legitimate activity.
• Maximum parameters
• URL length
• Line length
• Query length
NOTE: The HTML SQL Injection Check scans incoming requests for attack patterns
listed in the “sqlia_defs” WAF file. Copy this file and apply the copied file to
the check to customize attack pattern search criteria for the HTML SQL Injec-
tion Check. (See “SQL Injection Attack Check” on page 108.)
• GET
• POST
• HEAD
• PUT
• OPTIONS
• DELETE
• TRACE
• CONNECT
• PURGE
The WAF can be configured to accept a set of several new WebDAV HTTP methods which allows WebDAV
traffic to pass through the WAF without being dropped. In releases prior to ACOS 4.0, the WAF had to be dis-
abled on all relevant connections prior to attempting to use the WebDAV methods.
Web Distributed Authoring and Versioning (WebDAV) is an extension to the HTTP protocol that is used to
allow Internet users to modify files on remote a resource (e.g., a web server), using HTTP as the communica-
tion medium.
As part of the ACOS 4.0 enhancements, the WAF now supports the following new WebDAV HTTP methods (in
addition to the original GET and POST methods):
• PROPFIND – retrieves the hierarchical information, and properties, for a directory containing a set
of resources
• PROPPATCH – modifies multiple properties for a set of a resources with a single operation
The WAF can be configured to accept these new methods by using the allowed-http-methods CLI com-
mand within a WAF template and then specifying which of the WebDAV HTTP methods that will be allowed
to pass through the WAF.
Session Checks
To increase the security of the session between the ACOS device and the clients, the WAF offers cookie-based
session checks, or “session tracking”.
With this option enabled, the WAF uses a cookie to track user sessions. When a request is received from a cli-
ent for the first time, ACOS creates a unique ID for the session, stores it in a table, and inserts the ID into a
cookie that is returned to the client. Subsequent requests from this client are then validated against the ses-
sion ID. If the session ID does not match the saved ID, or if the ID is coming from a different IP address than
that of the original client, then the request is rejected.
Details:
• When enabled, you must specify the Session Lifetime to determine the amount of time the session ID
will remain valid. By default, the session lifetime is 600 seconds (10 minutes), but you can enter a range
from 1–86400 seconds (24 hours).
• The session cookie is named “awaf-sid”, and it is inserted into the header of the response sent by ACOS.
Password Security
The WAF offers several additional password security options to control how passwords are treated when tra-
versing the WAF.
When a user types a password into an HTML form’s password field, the characters are typically hidden by
another character, such as an asterisk. In this way, the password characters are masked when typed by the
user. This masking prevents an observer from stealing the password and using it at a later time to access the
user’s account.
The WAF can guard against this type of “shoulder surfing” by leveraging the “password” field type. When the
deny-non-masked-password option is enabled, the WAF will deny the web server’s attempt to send a form
unless the field type is set to “password”.
If the form field is named “password” (or “secret”), then the field type also needs to be set to “password” to
ensure that the password characters will be hidden when typed by the end user. (Other field types, such as
“text”, will not hide the password characters as they are being entered by the user.)
The example below shows a form that would be denied by the WAF. Note that the form field type is set to
“text”, and the form name is set “Password”. The WAF would block the web server’s attempt to send this form
because the “input type=text” means the user’s password would not be hidden or masked as it was being
typed and would thus be vulnerable to theft.
<form>
Password: <input type="text" name="Password">
</form>
The second example below shows a form that would be allowed by the WAF, because even though the field
is named “Password”, the field type has also been set to “password”, meaning the form field would mask the
characters typed by a user.
<form>
Password: <input type="password" name="Password">
</form>
To configure the WAF to prevent web servers from sending non-secure password forms to a client, use the
deny-non-masked-password CLI command at the WAF template configuration level.
You can configure the WAF to block user passwords that are sent over a non-encrypted connection. If the
connection between the client and the WAF is secured with SSL/TLS, then the user password is allowed.
However, if the client attempts to submit to a form field where “input type=password”, and if the connection
is not encrypted with SSL/TLS, then the WAF will block the transmission.
NOTE: Even if this option is enabled, the user’s password may have already been
compromised while in transit, because the WAF blocks transmission of the
password only after the client has already entered it over an unsecured con-
nection. In such cases, the user’s password could have already been compro-
mised before reaching the WAF.
You can enable this option to prevent the WAF from allowing the transmission of user passwords over non-
SSL-encrypted connections by entering the deny-non-ssl-password CLI command at the WAF template con-
figuration level.
Modern browsers can store user passwords and make an attempt at guessing at the password values when
the user encounters a website that requires entering his or her password into a web form field. This autocom-
plete behavior is controlled by the “autocomplete=on/off” attribute, which is typically associated with the
HTML form text fields.
While end users may appreciate this “autocomplete” behavior because it simplifies the process of logging
into websites, the convenience comes at the cost of making the user’s password and the overall security of
the login process, less secure.
In order to control the browser’s behavior, administrators can increase the network security by configuring
the WAF to reject the web server form if the field type is set to “password” and if the “autocomplete=on/off”
attribute is set to “on”.
To configure this option and prevent the WAF from allowing the transmission of user passwords when the
“autocomplete=on/off” attribute is set to “on”, use the deny-password-autocomplete CLI command at the WAF
template configuration level.
An unvalidated redirect occurs when a hacker uses social networking (such as email, Facebook, Twitter, etc.)
to trick unsuspecting users into clicking on a malicious hyperlink as part of a phishing scam. Although the
hyperlink appears to be from a trusted website, the link actually contains code that redirects users to a
forged website. At this point, users may be tricked into submitting their login credentials (username/pass-
word), credit card numbers, security codes, or other sensitive information. Hackers can then use this informa-
tion to access their accounts or attack their systems.
Although OWASP groups “unvalidated redirects or forwards” together as a single threat, they are actually
two separate but related threats. As such, the WAF has different ways to mitigate both types of attacks:
• “forwards” – With this type of threat, users become victims when they are forwarded to a malicious
URL which tricks them into surrendering their login credentials. This particular risk can be mitigated
through the use of the URL check feature, which is discussed here: “URL Check” on page 14
• “unvalidated redirects” – Described in detail below.
The WAF protects users against the threat of “unvalidated redirects” by pre-learning a white-list of accept-
able locations to which users can safely be redirected. If one of the web servers attempts to redirect a user to
a location that does not appear in the redirect white-list, then the WAF blocks the redirect.
The Open Redirect Mitigation feature must be enabled using the redirect-wlist CLI command. The com-
mand is used at the WAF template configuration level, and the first time the command is used, the WAF must
be deployed in Learning Mode.
NOTE: If you attempt to use the command for the first time while the WAF is
deployed in Active Mode or Passive Mode (and before the redirect white-list
has been created during Learning Mode), then you will receive an error mes-
sage stating that “redirect-wlist cannot be turned on with empty list.”
Valid traffic is then injected into the WAF, which then investigates each “redirect” response packet received
from the backend web servers, where a redirect response packet is defined as any packet having a status
code ranging from 300–308.
The WAF extracts the value from the Location field of the header of the response packet and stores it in its
internal database.
When the WAF deployment mode is subsequently changed from Learning Mode to Active Mode (or Passive
Mode), the location information in the database is transferred to a persistent file called “redirect_wlist_”. The
filename will have the name of the WAF template as its prefix. For example, the WAF template “test” would
have a policy file called “_test_redirect_wlist_”.
Details:
The behavior of this option depends on which deployment mode the WAF is in:
• Learning Mode – The option must be enabled for the first time while the WAF is deployed in Learning
Mode. The information is saved in the ACOS device’s local database. At this time, the white-list file has
not yet been created, so if you wish to modify the redirect white-list, you must change to Active or Pas-
sive Mode. Note that no action is performed upon traffic during Learning Mode, other than using the
traffic to build the redirect white-list.
• Active Mode – Once the redirect white-list is created while the WAF is deployed in Learning Mode, you
can then change the deployment mode to Active Mode. At this point, the database is used as a white-
list of allowed location headers in redirect packets. If a response from the web server contains a redi-
rect which is not in the white-list, the WAF will deny (drop) the response and send the client a “403 for-
bidden” reply.
• Passive Mode – If the option is enabled while the WAF is deployed in Passive Mode, the WAF leverages
the existing redirect white-list to inspect traffic, but it takes no action, in terms of blocking traffic, and
simply increases the counters and generates logs for hypothetical actions that would be taken if the
WAF were in Active and not Passive Mode.
Configuration
To prevent unvalidated redirects, use the following CLI command at the WAF template configuration level:
redirect-wlist
NOTE: The WAF must be deployed in Learning Mode the first time the command is
used. Once the redirect white-list is created, you can then switch to Passive
Mode or Active Mode.
Display Statistics
You can display statistics for this redirect-wlist option using the show waf stats virtual-server-name
portnum CLI command, as shown in the example below, which offers three dedicated counters associated
with the redirect white-list:
The output in this example is for the WAF template that is bound to vip2, port 80. The table below describes
the relevant fields in the command output.
For example, one URL might use lower-case characters, while another URL could use a mix of upper-case and
lower-case characters. A simple corrective normalization scheme could be used to convert the URL with the
mixed set of upper-case and lower-case characters to use only lower-case characters, as shown below.
This process of normalizing URLs is sometimes used by search engines to make comparisons of several URLs
easier. By standardizing the appearance of URLs and reducing them down to the canonical form, it is easier
to ensure the same URL is not cataloged twice by a web crawler. Perhaps more relevant to its functionality in
the WAF, URL normalization offers a way to protect web servers from certain types of attacks, which can hide
in the non-normalized, recursive encoding of the data.
One example of such an attack is the so-called directory traversal attack, which exploits non-sanitized file
names in order to gain access to sensitive directories or files that were supposed to remain off limits.
URL Options
In addition to normalizing upper-case and lower-case, the WAF can also make the following changes to inter-
nal URLs sent from backend servers:
• Decode Entities – Decode entities, such as < &#xx; &#ddd; &xXX in an internal URL.
• Decode Escaped Characters – Decode escape characters, such as \r \n \"\xXX in an internal URL.
• Decode HEX Characters – Decode hexadecimal characters, such as \%xx and \%u00yy in an internal
URL.
• Remove Comments – Remove comments from an internal URL.
• Remove Self References – Remove self-references, such as /./ and /path/../ from an internal URL.
Therefore, it is important to inspect and validate client requests containing XML code to protect the backend
servers from XML transactions that could allow hackers to bypass application security, provide malicious
input, and potentially slow down or crash the servers.
When the new WAF XML checks are enabled, the WAF checks client requests for XML, and if present, the WAF
then validates the structure of the XML document using a trusted XML schema file. In doing so, this helps to
ensure that the content of the client’s XML request is well-formed and does not contain any potential threats.
In this release, the WAF offers the following types of XML checks:
• XML Format Checks – This option uses the xml-format-check command and examines the XML for-
mat of incoming requests and blocks requests that are not well-formed.
• XML Validation Checks – This option uses the xml-validation CLI command to validate the XML con-
tent in a request in order to check it against an XML Schema file or WSDL file. Running such checks on
incoming XML content prevents an attacker from using specially-constructed (and invalid) XML mes-
sages to circumvent the web application’s standard security checks. If the WAF discovers that the XML
content fails the validation check, then the WAF blocks the request.
• XML Limit Checks – This option uses the xml-limit CLI to command enforce parsing limits in order to
protect the servers from various denial-of-service (DoS) attacks, such as XML bombs and Transform
Injections, both of which are defined in greater detail below.
• XML Cross-Site Scripting Checks – This option uses the xml-xss-check CLI command to examine the
headers and bodies of incoming XML requests for Javascript keywords that might indicate possible
cross-site scripting attacks. If the request contains a positive match, then the WAF blocks the request.
• XML SQL Injection Checks – This option uses the xml-sqlia-check CLI command to examine the
headers and bodies of incoming requests for inappropriate SQL special characters and keywords that
might indicate an SQL Injection Attack. If found, the WAF blocks those requests.
xml-format-check
The XML format check verifies that incoming requests containing XML code are in compliance with the XML
1.0 specification, which can be found at the following URL: http://www.w3.org/TR/REC-xml/
The XML Format Check evaluates incoming XML documents for compliance with the following rules:
• The document may contain no special XML syntax characters. For example, none of the following char-
acters can be included in the XML document, unless used as markup: , “<“, “>”, and "&”
• The XML document must contain all beginning and end tags. All begin, end, and empty element tags
must be nested correctly. The XML document must not be missing any element tags, and it cannot
contain overlapping element tags.
• A single root element must contain all the other elements in the XML document.
The XML Validation Check examines client requests containing XML content to make sure that the XML mes-
sages are valid.
If a client request contains an XML message, and the XML validation check option is enabled, then the
incoming request will be compared with an XML schema file.
An XML schema is an XML document which describes the desired structure of other XML document. The
XML schema goes beyond just defining proper XML syntax, and it defines things such as which elements or
attributes can appear in an XML document, as well as the number, order, and relationship of child elements.
It can also determine the data types associated with the various elements and attributes that appear in an
XML document.
If an incoming request is compared with the XML schema, and the WAF determines that the request is not
valid, then it is deemed a threat and the WAF blocks the request.
The option can be enabled using the following CLI command at the WAF template configuration level:
The WAF can validate XML messages using an XML schema file. You must upload the XML schema file that
you plan to use for validation. The XML schema file can be uploaded using the import command at the
global config level of the CLI:
The use-mgmt-port option allows you to indicate the use of the management interface as the source inter-
face for the connection to the device.
The url option specifies the file transfer protocol, username, and directory path. You can enter the entire URL
on the command line, or you can press Enter to display a prompt for each part of the URL. If you enter the
entire URL and a password is required, you will still be prompted to enter the password. To enter the entire
URL:
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• sftp://[user@]host/file
If you need to modify an existing XML schema file, you can do so using the following CLI command at the
global config level:
If you need to remove an existing schema file, you can do so using the following CLI command at the global
config level:
Response Validation
By default, the WAF does not validate server responses. In order to validate responses from a protected web
application, the resp-val option should be selected.
WSDL Validation
The WAF can validate SOAP messages (based on XML) using a Web Services Description Language (WSDL)
document.
For more information about WSDL Validation, please see “WAF SOAP Checks” on page 33.
XML Bomb
An XML Bomb is a denial of service attack that takes advantage of the fact that entity references in XML doc-
uments must be expanded for evaluation. Such attacks can achieve this goal by adding extra entity entries to
the XML document, and then defining subsequent entities, which are based on the expanded values of the
previous entity. Entity expansion is a normal and required action for XML documents, so hackers can take
advantage of this loophole by using it to exhaust system memory and CPU resources. If it is left unchecked,
such an attack could really slow performance thus causing servers to crash.
The WAF can address this issue by placing a maximum limit on the number of entity expansions that are
allowed in an XML document. Similarly, a maximum limit can be imposed on the number of levels of entity
recursion. Together, imposing these types of limits on XML documents can contain and mitigate the harmful
effects of an XML Bomb.
Transform Injection
Transform Injections are a different type of denial of service attack, and they work by taking advantage of
XSLT flow-control functions, and by creating infinite loops, or perhaps redundant transforms, which will
eventually exhaust the available memory and CPU resources that the server can offer.
To mitigate the effects of Transform Injection attacks, the WAF can be configured to place limits on the maxi-
mum depth of child element pairs, the amount of data contained in an element pair, and the maximum size
of an XML document.
Configuring XML Limit Parameters to Thwart XML Bombs and Transform Injections
To prevent XML Bombs, Transform Injections, and other types of DoS attacks from consuming excessive sys-
tem resources, ACOS provides the following CLI command, which can be used at the WAF template configu-
ration level.
The xml-limit command can be completed using any of the parameters shown below:
• max-attr number
Limits the maximum number of attributes each individual element is allowed to have.
number – Maximum number of children allowed per element. Range is 1–256. Default is 256.
• max-attr-name-len number
Limits the maximum number of any one type of element per XML document.
number – Number of elements allowed. Range is 1–65535. Default is 65535.
• max-elem-child number
Limits the maximum number of children each element is allowed, and includes other elements, charac-
ter information, and comments.
number – Maximum number of children allowed per element. Range is 1–65535. Default is 65535.
• max-elem-depth depth
number – Maximum number of namespace declarations allowed. Range is 0–256. Default is 16.
• max-namespace-uri-len number
The option can be enabled with the following CLI command at the WAF template configuration level:
xml-xss-check
The policy file for xml-xss-check is taken from the xss-check option, which must also be configured. See
“XSS Check” on page 108 for additional details.
The WAF checks the incoming request against the “jscript_defs” WAF policy file, which contains a list of com-
mon Javascript commands. If the client request detects a positive match against the Javascript commands in
this policy file, then the message will be rejected. The WAF does not currently support the ability to modify
the contents in XML requests that are denied.
CLI Example
The xml-xss-check depends on configuring the xml-format-check and the xss-check within the WAF tem-
plate. The xss-check is configured to reject requests with a positive match to the filtering criteria. The WAF
template “tempwaf1” is bound to VIP “vs101”.
xml-sqlia-check
The policy file for xml-sqlia-check is taken from sqlia-check, which must also be configured. See “SQL
Injection Attack Check” on page 108 for additional details.
The WAF checks the incoming request against the rules contained in the WAF policy file “sqlia_defs”. If the cli-
ent request detects a positive match against the rules in the policy file, then the message will be rejected.
The WAF does not currently support the ability to modify the contents in XML requests that are denied.
CLI Example
The xml-sqlia-check depends on configuring the xml-format-check and the sqlia-check within the WAF
template “tempwaf2”. The sqlia-check is configured to reject requests with a positive match to the filtering
criteria. The WAF template “tempwaf2” is bound to VIP “vs102”.
What is SOAP?
The Simple Object Access Protocol (SOAP) was created to allow platform-independent communication
between web services. SOAP is based on XML and typically relies on HTTP to transmit messages.
Prior to SOAP, most applications would communicate using remote procedure calls (RPCs). When attempting
to send an RPC over the Internet to a web server, problems could occur because RPCs would often get
blocked by overzealous firewalls.
SOAP gained popularity because it offered a way for web applications to communicate over the Internet
without the messages being intercepted by firewalls. This is by virtue of the fact that SOAP relies on HTTP to
transmit messages, and HTTP is supported by virtually all Internet browsers and servers.
A SOAP message is an ordinary XML document that contains the following elements:
• An Envelope element, which identifies this XML document as being a SOAP message
In this release, the WAF offers the following types of SOAP checks:
• SOAP Format Checks – This option uses the soap-format-check CLI command and examines the for-
mat of incoming SOAP requests and blocks those which are not well-formed.
• SOAP Validation Checks – This option uses the xml-validation wsdl CLI command to validate the
SOAP content in a request in order to check it against a WSDL file. If the WAF discovers that the SOAP
content fails the validation check, then the WAF blocks the request.
While it is not recommended, SOAP format checks can be enabled independently of XML checks. Most of the
time, however, SOAP format checks are done in tandem with XML format checks, which makes sense,
because SOAP is based on XML.
As a matter of best practices, when enabling SOAP format checks (using the soap-format-check option), you
should also enable XML format checks (using the xml-format-check option). The reason for this is that the
WAF always does the XML checks first and then adds additional SOAP checks.
For additional information on XML format checks, see “WAF XML Checks” on page 26.
The SOAP Format Check scrubs incoming client requests to ensure that the SOAP requests are structured in
the proper format, as defined by the World Wide Web consortium in the following Recommendation:
http://www.w3.org/TR/2007/REC-soap12-part1-20070427/
• Verifies that messages have the appropriate sections (e.g., Message, Header, Body, Fault, etc.) and that
these sections appear in the correct order.
• Verifies that the envelope uses the correct namespace (http://www.w3.org/2003/05/soap-envelope).
• Verifies that defined attributes, such as role, encodingStyle, Code, etc., follow the defined format.
You can enable SOAP format checks using the following CLI command at the WAF template configuration
level:
soap-format-check
In contrast with the XML schema file (which defines how the data in an XML document is structured), the
WSDL document is for SOAP documents. (Please ignore for a moment the confusing fact that SOAP docu-
ments are based on XML1.)
1.
To explain why the command is “xml-validation wsdl” and not “soap-validation”, consider that WSDL is an extension to the XML
Schema and it assumes the presence of some type of XML RPC headers. Therefore, WSDL does not include their definition in each
schema file, but it extends the XML Schema to allow for an association to occur for specific calls to specific URIs, assuming the con-
tents of the headers.
The WSDL file describes functionality of a SOAP document by defining which operations are available and
how the data should be structured. The WSDL file contains the operation, such as the methods provided by a
web service, and the document describes which data types (int, float, etc) the method can accept. Validating
a SOAP document using a WSDL file ensures that the method being called is defined for the current direc-
tion, and that the message conforms to the schema for that message.
The WSDL validation option can be enabled using the following CLI command at the WAF template configu-
ration level:
You must upload the WSDL file you will use for validation. The WSDL file can be uploaded using the import
command at the global config level of the CLI:
The use-mgmt-port option allows you to indicate the use of the management interface as the source inter-
face for the connection to the device.
The url option specifies the file transfer protocol, username, and directory path. You can enter the entire URL
on the command line, or you can press Enter to display a prompt for each part of the URL. If you enter the
entire URL and a password is required, you will still be prompted to enter the password. To enter the entire
URL:
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• sftp://[user@]host/file
If you need to modify an existing WSDL file, you can do so using the following CLI command at the global
config level:
If you need to remove an existing WSDL file, you can do so using the following CLI command at the global
config level:
Response Validation
By default, the WAF does not validate server responses. In order to validate responses from a protected web
application, the resp-val option should be selected.
In this release, the WAF offers the following types of JSON checks:
• JSON Format Checks – This option uses the json-format-check command and examines the JSON
format of incoming requests and blocks requests that are not well-formed.
• JSON Limit Checks – This option uses the json-limit CLI to command enforce parsing limits in order
to protect the servers from various denial-of-service (DoS) attacks.
The JSON format check verifies that incoming requests containing JSON code are in compliance with RFC
4627.
Compliance Criteria
The JSON Format Check evaluates incoming requests for compliance with the following criteria:
• All objects must contain matching braces {}, and a set of members must be separated by commas.
• Every object member must contain a name and value, separated by a colon.
• All arrays must contain matching brackets [], and a set of values must be separated by commas.
This option can be enabled using the following CLI command at the WAF template configuration level:
json-format-check
To prevent DoS attacks from consuming excessive system resources, ACOS provides the following CLI com-
mand, which can be used at the WAF template configuration level.
The json-limit command can be completed using any of the parameters shown below:
• max-array-value-count number
This capability allows you to limit which countries can access your resources based upon the geo-location
information associated with a request. You can create an HTTP policy that would permit or deny traffic based
upon a combination of threshold events and geo-location information.
The WAF Geo-location Based Blocking feature allows you filter incoming client requests using two different
approaches.
The WAF geo-location feature uses an HTTP policy to apply a WAF template to an incoming request. The geo-
location database (such as an IANA file) can identify which part of the world a certain request came from. The
IANA database contains the mappings between geographic regions and IP address ranges, as assigned by
the Internet Assigned Numbers Authority. (For more information about the IANA database, see the Global
Server Load Balancing Guide.)
Using the IANA database, the WAF can evaluate incoming requests and determine that, for example, a
request with an IP of 222.111.222.111 is from, say, the North Korea. Perhaps this is a region with rampant
cyber-criminal activity. In order to prevent hackers from this region from being able to access your web serv-
ers and steal credit card numbers, the WAF can be configured to detect traffic from this region, and if there is
a match, the traffic could be denied. Alternatively, if this region is known to use XML bombs, then perhaps a
WAF template could be applied to the traffic that would offer protection from XML bombs and other DoS
attacks using the XML Limit Checks.
If an HTTP-policy file is used with a WAF template, and if the WAF is in Learning Mode, you can identify the
sources of various attacks. You can configure the relevant geo-locations in the HTTP-policy file and direct the
traffic through different WAF templates. This produces statistics for the different regions, and these statistics
can be used to identify the top countries where attacks are sourced from.
You can enable the WAF Geo-location blocking feature by using the new geo-location keyword at the HTTP
policy configuration level.
CLI Example
This example shows how to configure the WAF geo-location feature using an HTTP policy. The policy can be
used to allow or deny traffic based on geo-location information. This example creates the geo-location infor-
mation for a region in China, and for a region in the United States, and does not rely on the IANA database.
First, we will configure the GSLB geo-location IP address range for the first region (e.g., Beijing, China)
Configure the GSLB geo-location IP address range for the second region (e.g., San Jose, USA)
Configure the real server IP and port information for server “s1”:
Configure the real server IP and port information for server “s2”:
Set up the logging template and bind it to the service group “syslog”:
Create the WAF template “waf-1", with the max parameters set to 3, and logging template called “syslog”:
Create the WAF template “waf-2”, with credit card number masking enabled, and logging template called
“syslog”:
Create the http-policy template called “geo-policy-http-ipv4”, and within that HTTP policy template, enable
the geo-location feature for the first region you created (i.e. Beijing, China). Bind it to the service-group “sg-
http-p1”, and bind that to WAF template “waf-1”. Similarly, enable the geo-location feature for the second
region you created (i.e. San Jose, USA), and bind it to the service-group “sg-http-p2”, and bind that to WAF
template “waf-2”:
Create the slb virtual-server configuration “vs101”, with port 80 (HTTP), and set up the source-nat pool
“nat_IPv4”, and bind both service-groups “sg-http-p1” and “sg-http-p2”. Then, bind the HTTP-policy template
we created earlier, and bind the two waf templates.
With the above configurations, the HTTP request destined to virtual server “vs101” port 80 from clients
belonging to geo-location Beijing.China will be checked against template waf waf-1. Clients belonging to
geo-location Sanjose.USA will be checked against template waf waf-2.
You can configure WAF geo-location based blocking using an ACL by creating an access control list and using
the geo-location keyword.
This example shows how to configure an IPv4 access-list with geo-location rules that would permit all traffic
to and from the United States, while denying all traffic to or from North Korea:
• request violation – Violations are triggered anywhere in the code where ACOS is logging a WAF action,
such as deny, sanitize, ignore a real error, and so on. (This applies to client requests.)
• response violation – Violations are triggered anywhere in the code where ACOS is logging a WAF
action, such as deny, sanitize, ignore a real error, and so on. (This applies to server responses.)
• WAF deny – A deny action is triggered when there is a final deny action being applied (violations may
be overridden as described below)
• WebDAV - In prior releases, ACOS contained a hard-coded list of HTTP methods that the WAF would
allow to traverse. Prior to ACOS 4.0, the WebDAV methods were not part of this list, so whenever a WAF
was applied in a customer environment in which WebDAV methods were used, the WAF would end up
rejecting all of the requests that used the WebDAV methods. The workaround was to avoid configur-
ing WAF on this virtual port.
However, this release adds aFleX, which in turn means that the administrator can write an aFleX script
that triggers on request violation. The WAF will check the violation ID and determine that this is a vio-
lation of the allowed methods rule. Upon learning this, the WAF will call the WAF::disable method,
which will temporarily disable WAF processing (for this connection only).
• There are some cases where specific URL patterns (or other sorts of data) match some of the expres-
sions which are used by black lists, SQLIA, XSS, or any other pattern-matching rules used by the WAF. A
user can be aware of such false-positive violations, and bypass this violation for the false-positive that
triggered the event.
Possible Actions:
If the WAF detects traffic that violates one or more rules, aFleX commands can be configured to seize upon
this trigger in order to perform one of the following actions upon that traffic:
• Allow - This action is triggered by a violation event when the WAF is deployed in Passive Mode and
Learning Mode.
• Deny - This action is triggered by a violation event when the WAF is deployed in Active Mode.
• Mask - This action is triggered for the event WAF_RESPONSE_VIOLATION, but only for the following
select features, such as ssn-mask, ccn-mask, and pcre-mask.
• Redirect - This action is triggered under violation events for the referer-check feature if the WAF is
deployed in Active Mode.
• Sanitize - This action is triggered for the WAF_REQUEST_VIOLATION event for features that support the
ability to sanitize traffic, such as xss-check, sqlia-check. The action can also be triggered for the
WAF_RESPONSE_VIOLATION event.
• WAF::disable – Disables WAF processing for the connection during which the aFleX script is triggered.
• WAF::enable – Re-enables WAF processing for the connection during which the aFleX script is trig-
gered.
• WAF::mode – Returns the current deployment mode in which WAF is configured (active, passive or
learning).
• WAF::template – Returns the name of the active WAF template.
• WAF::violation – Returns or logs information related to WAF violation events.
For syntax associated with these aFleX commands, please see the “WAF Commands” section in the aFleX Ref-
erence.
WAF Events
The following Web Application Firewall (WAF) events are available:
For syntax and a list of events associated with these aFleX commands, please see the “WAF Events” in the
aFleX Reference.
Response Protection
The WAF inspects the content of outbound HTTP responses and hides aspects that can equip an attacker
with valuable information. The WAF template can further protect Web servers with the following options for
HTTP responses:
• Mask Sensitive Content – Strings in a response are examined for patterns of sensitive content, such as
credit card numbers or US social security numbers. If the WAF discovers a pattern of potentially sensi-
tive information, the string is masked with an alternative character.
• Cloak Response Headers – The WAF removes content from HTTP response headers that can disclose
vulnerabilities about the Web server.
• Return Instrumented Responses – If a Web form is included in outbound responses, the WAF can tag
form fields with a nonce value before sending the reply to the outside user. The WAF then checks sub-
sequent requests for the nonce, to protect against CSRF.
CCN Mask
The Credit-card Number (CCN) Mask checks Web server responses for end-user credit card numbers. This
check protects user credit card information from being intercepted and viewed by unauthorized parties. For
example, the CCN mask replaces all but the final group of digits in the card number with “x” characters. A
credit card number of 4111-1111-1111-1111 would become “xxxx-xxxx-xxxx-1111”.
To protect user credit card information, you should configure the CCN mask for each accepted type of credit
card.
NOTE: A10 Networks recommends enabling this check for URLs that access or trans-
fer credit card information. For example, shopping Web sites with a check-
out page or Web sites that access back-end databases which contain cus-
tomer credit card numbers. This check is unnecessary if the Web site does
not have access to or use credit card information.
SSN Mask
Similar to a CCN mask, a Social-security Number (SSN) Check masks Web server replies for US social security
numbers. If enabled, the SSN check mask searches strings which appear to match the format of US social
security numbers and replaces all but the last 4 digits of the string with “x” characters.
PCRE Mask
In addition to the preconfigured CCN and SSN checks described above, you can configure custom masks
using Perl Compatible Regular Expressions (PCRE) syntax. For example, you can configure a mask that checks
for driver’s license numbers. (For more information, see “Writing PCRE Expressions” on page 113.)
You can configure the portions of matching strings to keep, and which portions to mask. You also can cus-
tomize the mask character (“X” by default).
NOTE: You do not need to create a specialized PCRE mask to hide US social security
numbers or credit card information. Instead, simply enable the SSN or CCN
mask options that are provided in the WAF template.
Cloak Responses
The WAF can strip HTTP response headers to “cloak” server information that can equip a hacker to target an
attack on your Web servers. For example, the WAF can cloak an HTTP response header to hide what operat-
ing system is running on your servers. Information such as this can enable a hacker to more narrowly target
your servers with attacks that are specific to the servers’ operating systems. You can cloak server information
with the following WAF template options:
• Filter Response Headers – Checks responses coming from the Web server and removes headers with
server identifying information. For example:
• Server
• X-Runtime
• X-Powered-By
• X-AspNet-Version
• X-AspNetMvc-Version
• Hide Response Codes – Conceals 4xx and 5xx response codes for outbound responses from a Web
server and returns a generic error code instead. This option hides error codes which can provide an
attacker with information to specifically target Web server vulnerabilities.
The WAF sends an error page in response. You can configure the response error page in the Deny-Action
security check section of the WAF template.
NOTE: You can use the Referer Check to further help prevent CSRF attacks.
Cookie Encryption
This check protects against cookie tampering by encrypting cookies before sending server replies to end-
users. Clients are then unable to view the content of encrypted cookies, which clients could otherwise mod-
ify to gain illegal access. If the encrypted cookie is modified, then decryption of the tampered cookie will fail
when it is sent back from the client and the request will be rejected.
You can enable encryption based on specific cookie names or for all cookies that match a PCRE expression.
The encryption uses a secret string to decrypt and encrypt cookies that are transferred between the Web
server and client. (For a configuration example, see “WAF Deployment and Logging Examples” on page 123.)
A10 Networks has achieved WAF certification from ICSA Labs. This certification can help assure network
administrators that the ACOS WAF meets the requirements, as stated in PCI DSS section 6.6 “Compliance for
Web Apps”, the text of which appears below:
For public-facing Web applications, address new threats and vulnerabilities on an ongoing basis and ensure
these applications are protected against known attacks by either of the following methods:
• Reviewing public-facing Web applications via manual or automated application vulnerability security
assessment tools or methods, at least annually and after any changes.
NOTE: Note: This assessment is not the same as the vulnerability scans performed
for Requirement 11.2.
• Installing an automated technical solution that detects and prevents Web-based attacks (for example,
a web-application firewall) in front of public-facing web applications, to continually check all traffic.
For more information, you can access the PCI DSS at https://www.pcisecuritystandards.org/documents/
PCI_DSS_v3.pdf
• Restrict access to a resource (such as a web server) based on the IP address from which the request
originated
• Hide sensitive information, such as credit card numbers, when this data crosses a network boundary
• Limit or prevent configuration changes (and logging each configuration change as it happens)
More information about PCI DSS compliance can be found at the following link:
https://www.pcisecuritystandards.org/documents/information_supplement_6.6.pdf
This chapter describes the WAF operational modes and how to use them to deploy the WAF.
Overview
The WAF supports the following operational modes:
• Learning – Learning Mode provides a way to initially set the thresholds for certain WAF checks based
on known, valid traffic.
• Passive – Passive Mode provides passive WAF operation. All enabled WAF checks are applied, but no
WAF action is performed upon matching traffic. This mode is useful in staging environments to iden-
tify false positives for filtering.
• Active – This is the standard operational mode. You must use Active Mode if you want the WAF to san-
itize or drop traffic based on the configured WAF policies.
Figure 5 shows a typical work flow for WAF deployment, using these modes.
CAUTION: While Learning or Passive Mode is in operation, the WAF does not block any
traffic. Only Active Mode blocks traffic.
Notes:
• Use of the Learning and Passive Modes is recommended during the deployment process.
• To access WAF data event messages, logging to external servers is required. See “WAF Event Logging”
on page 101.
• When the WAF is deployed in either learning or passive mode, traffic is not blocked. However, event
log messages will list the response action (deny, allow, or sanitize) that is configured in the WAF tem-
plate. In addition, WAF counters will continue to increment as if the WAF is deployed in active mode.
Learning Mode
Learning Mode provides a way to dynamically set certain WAF options based on traffic.
When you enable Learning Mode in a WAF template, ACOS resets the following WAF security check values to
zero:
1. In Figure 6, a WAF template is configured and is bound to the HTTP/HTTPS virtual port on the ACOS
device. The domain name mapped to the VIP address by DNS is “www.example.com”.
2. Known, valid traffic is then sent to the WAF. As traffic is received by the virtual port to which the WAF
template is bound, ACOS updates the settings for the WAF parameters listed above.
In this example, the following HTTP request is sent:
GET / HTTP/1.1
Host: www.example.com
Connection: close
User-Agent: Mozilla/5.0
Accept-Encoding: gzip
Accept: text/html
Cache-Control: no-cache
3. When the WAF receives the request, Learning Mode updates the following checks in the WAF template:
Buffer Overflow Check:
• Maximum headers = 7
• Max-url-len = 15
• Max-hdrs-len = 23
Notes
• Beginning in ACOS release 4.0, the WAF will display the learned values in the running-configuration
only after the WAF deployment mode is changed from Learning Mode to Active Mode or Passive
Mode. The reason for this change in behavior relative to prior releases, is that ACOS 4.0 introduces the
Configuration Manager (CM), which acts like an internal “staging area” for the configuration changes.
Such config changes are temporarily save to short-term memory and will remain there until an opera-
tion is committed, which happens when the WAF is switched from Learning Mode to Passive or Active
Mode. In previous releases, config changes were saved directly into the running-config file, and there
was no internal staging area.
• Before enabling Learning Mode, make sure the WAF is not receiving production traffic. Security checks
in the WAF template are not enforced during Learning Mode and the WAF will not deny any requests,
even if a request fails a security check.
• If the setting for a check reaches its maximum configurable value, the check is set at that value. The
setting value does not increase.
• The URL Check file is not created until the mode is changed from Learning to Passive or Active. You
cannot modify the URL check file while Learning Mode is enabled.
• For an example of Learning Mode, see “WAF Deployment and Logging Examples” on page 123.
Passive Mode
Passive Mode logs traffic that matches a WAF policy file or check, but does not perform any action on match-
ing traffic. While the WAF is operating in Passive Mode, you can monitor the data event log messages sent to
remote logging servers, and fine-tune your template settings so that valid traffic is not mistakenly blocked
by the WAF.
Typically, Passive Mode is used in a production network to check for false positives while real production traf-
fic is running. A false positive occurs when valid traffic matches a WAF check, and would be dropped during
Active Mode operation.
This example shows a “false positive” match on the max-cookies check. In this example, the WAF template
allows a maximum of 3 cookie headers within a given request.
Notes:
• Because the WAF is operating in Passive Mode, the client request is sent to the server instead of being
dropped. In Active Mode, the request would be dropped.
• To access WAF data event messages, logging to external servers is required. See “WAF Event Logging”
on page 101.
• During Passive Mode operation, data event logs for matching traffic will state that the traffic was
denied even though the traffic in fact is allowed. However, all WAF data event messages include the
operational mode.
Active Mode
Active Mode enforces the policies (definition files) and security checks that are enabled in the WAF template
bound to the virtual port. If the action configured for a specific check is to drop traffic that matches the
check, the traffic is dropped.
1. The client sends a request. The request contains SQL code. The request is an attempt to inject SQL code
onto the server.
2. The WAF SQL Injection Check detects the SQL. Based on the configuration, the WAF rejects (drops) the
request.
3. The WAF sends a log message to the log server.
Figure 9 shows a walk-through of the WAF process as it examines the client’s request.
1. First, the WAF checks the request URI against the entries in the White List. In this case, the URI matches.
The request passes to the next phase, the Black List check.
2. The request URI does not match any of the Black List entries, so is passed to the next phase, the request
checks.
3. The request passes the Allowed-HTTP-methods Check. However, the request fails the SQL Injection
Check and is denied.
The WAF operates on traffic that is addressed to the virtual IP address (VIP) and HTTP/HTTPS virtual port of
your Web site. To apply WAF protection to the virtual port, basic configuration is required. Additional,
advanced configuration is optional.
This chapter describes how to configure the WAF using the GUI.
Configuration Overview
This section summarizes the configuration tasks for the WAF. The following sections provide detailed steps
for each task.
Notes:
• External logging is the only mechanism supported for accessing WAF data plane log messages.
• The WAF comes with predefined WAF policy files. You can modify policy rules in the URI White and
Black Lists, or add search definitions used for the Bot Check, SQLIA check and so on. For more informa-
tion, see “WAF Policy Files” on page 107. A10 Networks highly recommends modifying WAF policy files
to meet your specific security demands.
• Optionally, you can pair the WAF template with an HTTP policy template to enforce WAF security
checks based on URL, host, or cookie. (See “Overriding a WAF Template” on page 117.)
• For examples of advanced WAF configuration, see “WAF Deployment and Logging Examples” on
page 123.
5. Click the Virtual Server Name drop-down menu, and select the desired pre-configured VIP that you wish
to bind.
For a VIP to appear in the Virtual Server Name drop-down list, it must be configured with one or more
HTTP/HTTPS
virtual ports.
6. Based on the VIP that you select, the Virtual Server IP field and Port and Protocol fields will automatically
update. If desired, you can click the Port and Protocol drop-down menu and select a different port/proto-
col combination from the list of HTTP or HTTPS ports associated with this VIP.
7. Click the WAF Template drop-down menu and select the desired WAF template from the list that
appears.
If desired, you can click the New WAF Template button to configure a new WAF template for this WAF ser-
vice.
(See “Configure a WAF Template” on page 59.)
8. Click the HTTP Policy drop-down menu and select the desired HTTP template.
If desired, you can click the New HTTP Template button to configure a new WAF template for this WAF
service.
(See “Configure an HTTP Policy Template” on page 78.)
9. Click the Create button to complete the WAF service configuration.
• Active – The WAF enforces the checks configured in the template and sends events to the external
log server.
• Passive – The WAF sends events to the external log server but does not enforce any security checks.
• Learning – The WAF template “learns” acceptable check parameters based on a stream of legitimate,
secure traffic. When in Learning Mode, the WAF continues to send events to the external log server.
For more information, see “WAF Operational Modes” on page 49.
6. From the Logging Template drop-down menu, select the name of a configured logging template to
direct WAF logging activity. See “WAF Event Logging” on page 101.
7. Select the Log Successful WAF Requests checkbox if you want the WAF to log debug messages on the suc-
cessful completion of WAF requests, and not just for errors.
8. Click the Deny Action drop-down menu and specify the action to be applied when the WAF denies a cli-
ent’s request.
• HTTP Response 403 – Sends a 403 Forbidden response to the client. When this option is selected,
the default string returns a generic “Request Denied!” page to the client, but you can clear the
“Default Response 403” checkbox and enter your own response string in the “Response URL 403”
field that appears.
• HTTP Response 200 – Sends a 200 OK response to the client with the specified response string. The
default string returns a generic “Request Denied!” page to the client. When this option is selected,
the default string returns a generic “Request Denied!” page to the client, but you can clear the
“Default Response 200” checkbox and enter your own response string in the “Response URL 200”
field that appears.
• HTTP Response Redirect – Redirects the client to the specified URL.
When this option is selected, a text box appears where you can enter a response string or redirect
URL.
• Reset Connection – Sends a TCP RST to the client to end the connection.
2. In the Allowed HTTP Methods field, click to select one or more HTTP methods (GET, POST, and so on) that
are allowed to appear in client requests.
3. Select the Bot Check checkbox to check the user-agent of incoming requests for known bots. This check
uses the list of defined bots in the “bot_defs” WAF policy file. For more information, see “Bot Check” on
page 108.
4. Select the URL Check checkbox to prevent users from accessing the URLs of your website directly. The
URL Check allows users to only access Web pages by clicking a hyperlink on your protected Web site. In
the current release, the approved URL path list for the URL Check can be configured only using Learning
Mode. For a deployment example that includes configuration of the URL Check, see “Generate Allowed
URL Paths for the URL Check” on page 127.
5. Select the HTTP Check checkbox to check that user requests are compliant with HTTP protocols.
6. Select the Referer Check checkbox to enable referer checks, or clear the checkbox to disable. The referer
check validates that the referer header in a request contains Web form data from the specified Web
server, rather than from an outside Web site, and helps protect against CSRF attacks. Referer Check
behavior is as follows:
• Enabled – When enabled, the WAF always validates the referer header. Requests will fail the check
if there is no referer header or if the referer header is not valid.
• Disabled – The WAF will not validate requests based on the referer header.
a. Select the Only If Present checkbox to display the Allowed Referer Domains field. Then enter the fully-
qualified domain names (FQDNs) from which requests are allowed to originate.
b. In the Referer safe URL field, enter the URL for redirected requests that do not come from the allowed
referer domains.
7. Select the URI Black List Check checkbox to enable. Select the WAF Black List File drop-down menu that
appears, and select the name of a configured WAF policy file. This option enforces the rules contained
within a WAF policy file for the URI blacklist.The default WAF policy file is “uri_blist_defs”. For more infor-
mation about URI blacklists, see “URI Black List” on page 109.
8. Select the URI White List Check checkbox to enable. Click the WAF White List File drop-down menu that
appears, and select the name of a configured WAF policy file. This option enforces the rules contained
within a WAF policy file for the URI whitelist. The default WAF policy file is “uri_wlist_defs”. For more
information about URI whitelists, see “URI White List” on page 110.
9. When finished, click Create to save your changes.
2. Select the Decode Entities checkbox to decode entities, such as < &#xx; &#ddd; &xXX in an internal URL.
3. Select the Decode Escaped Characters checkbox to decode escape characters, such as \r \n \"\xXX in inter-
nal URLs.
4. Select the Decode HEX Characters checkbox to decode hexadecimal characters, such as \%xx and
\%u00yy in an internal URL.
5. Select the Remove Comments checkbox to remove comments from an internal URL.
6. Select the Remove Self-References checkbox to remove self-references, such as /./ and /path/../ from
internal URLs.
7. Select the Remove Spaces checkbox to remove spaces from an internal URL.
8. When finished, click Create to save your changes.
2. In the SQL Injection Attack Check radio button, specify whether the WAF will Sanitize or Reject requests
that do not pass the SQL Injection Attack check. This option is used to check for harmful SQL strings and
protects against SQL injection attacks.
• Selecting Reject will deny the user request.
• Selecting Sanitize will forward the request to the Web server after removing the offending SQL
strings from the message.
3. Selecting either of the above radio buttons displays the SQL Injection Attack Policy File drop-down menu.
Click this drop-down and select the policy file that will be used to perform SQL Injection Attack checks.
By default, the WAF uses the list of defined SQL commands in the “sqlia_defs” WAF policy file. For more
information, see “SQL Injection Attack Check” on page 108.
4. Select the XML Validation – SQL Injection Attack Check checkbox to check XML data against the SQLIA pol-
icy file. The WAF examine the headers and bodies of incoming requests for inappropriate SQL special
characters or keywords that might indicate the presence of an SQL Injection Attack (See “XML SQL Injec-
tion Checks” on page 32 for details.)
5. When finished, click Create to save your changes.
2. Clear the Disable Buffer Overflow Protection checkbox to display the buffer overflow protection options.
These options protect against attempts to cause a buffer overflow on the Web server.
3. In the Max Cookie Length field, enter the maximum length for cookies, cookie names, and/or cookie val-
ues allowed in a request.
4. In the Max Total Cookies Length field, enter the maximum total length for all cookies in a request.
5. In the Max Cookie Name Length field, enter the maximum length for cookie names allowed in a request.
6. In the Max Cookie Value Length field, enter the maximum cookie value length for cookie values allowed
in a request.
7. In the Max Data to Parse field, enter the maximum amount of data that can be parsed in a request.
8. In the Max Request Headers Length field, enter the maximum header length for headers, header names,
and/or header values allowed in requests.
9. In the Max Request Header Name Length field, enter the maximum header length for header names
allowed in requests.
10.In the Max Request Header Value Length field, enter the maximum header length for header values
allowed in requests.
11.In the Max URL Length field, enter the maximum URL length allowed in requests.
12.In the Max Request Line Length field, enter the maximum length for lines allowed in requests.
13.In the Max Query Length field, enter the maximum length for queries allowed in requests.
14.In the Max Post Size field, enter the maximum content length allowed in HTTP POST requests.
15.In the Max HTML Parameter Name Length field, enter the maximum HTML parameter length allowed for
the parameter names.
16.In the Max HTML Parameter Value Length field, enter the maximum HTML parameter length allowed for
the parameter values.
17.In the Max HTML Parameter Total Length field, enter the maximum HTML parameter length allowed for
the total parameters.
18.In the Max MIME entities allowed field, enter the maximum number of MIME entities allowed in the
request.
19.In the Max Cookies field, enter the maximum number of cookies allowed in a request. You can set a num-
ber ranging from 0–63. The default value is 20.
20.In the Max Headers field, enter the maximum number of header fields that are allowed in a request. You
can set a number ranging from 0–255. The default value is 20.
21.In the Max HTML Parameters field, enter the maximum number of HTML parameters that are allowed in a
request. You can set a number ranging from 0–1024. The default value is 64.
22.When finished, click Create to save your changes.
2. Select the Session Check checkbox to enable session checks. When this option is enabled, the WAF cre-
ates a unique ID that is inserted into a cookie and embedded in the server’s response to the client.
Future requests from the same client are validated against this ID, and if the tracking ID (or IP address)
does not match, then the request is rejected.
3. In the Session Check Lifetime field, enter a value ranging from 1–1440 minutes. The default session life-
time is 10 minutes. For more information about Session Checks, see “Session Checks” on page 20.
4. When finished, click Create to save your changes.
2. Select the Enforce JSON compliance checkbox if you wish to have the WAF scrub incoming requests con-
taining JSON code to verify compliance with RFC 4627. Requests will be blocked if the JSON content is
not well- formed.
3. The XSS Check uses “jscript_defs” WAF policy file to examine the content of URL, cookies, headers, and
POST bodies of client requests. By default, the radio button is disabled, but you can select one of the fol-
lowing actions:
• Sanitize – select this to remove the XSS script from the message and forward the message to the Web
server.
• Reject – select this to deny the request.
4. Select the XSS Check Policy File from the drop-down menu. By default, the XSS Check uses the list of
defined Javascript commands from the “jscript_defs” WAF policy file. (See “XSS Check” on page 108.)
JSON Limits:
When the following JSON Limit options are configured, the WAF JSON parser will enforce parsing limits
to protect backend servers from denial-of-service (DoS) attacks that are designed to exhaust system
memory or CPU resources.
5. In the JSON Limit - Max Array Value Count field, enter the maximum number of values in a single array.
The default value is 256, but you can set a number ranging from 0–4096.
6. In the JSON Limit - Max Depth field, enter the maximum recursion depth in a JSON value.
The default value is 16, but you can set a number ranging from 0–4096.
7. In the JSON Limit - Max Object Member Count field, enter the maximum number of members in a JSON
object.
The default value is 256, but you can set a number ranging from 0–4096.
8. In the JSON Limit - Max String field, enter the maximum length of a string (in bytes) for a name or a value
in a JSON request.
The default value is 64, but you can set a number ranging from 0–4096.
9. Select the XML XSS Check checkbox to check XML data against the XSS policy file. The XML cross-site
scripting check examines the headers and bodies of incoming XML requests for Javascript keywords
that might indicate possible cross-site scripting attacks and blocks those requests. (See “XML Cross-Site
Scripting Checks” on page 31 for details.)
10.Select the XML Format Check checkbox to check the HTTP body of the message for XML format compli-
ance. Incoming requests containing XML code are checked for compliance with the XML 1.0 specifica-
tion. (See “XML Format Checks” on page 27 for details.)
11.In the XML Limit - Max Attributes field, enter the maximum number of attributes each individual element
is allowed to have.
The default is 256, but you can enter an integer from 0-256.
12.In the XML Limit - Attribute Max Length field, enter the maximum number of characters allowed per ele-
ment.
The default is 128, but you can enter an integer from 0-2048.
13.In the XML Limit - Attribute Text Max Length field, enter the maximum number of characters allowed per
attribute.
The default is 128, but you can enter an integer from 0-4096.
14.In the XML Limit - CDATA Section Max Length field, enter the maximum length of CDATA section for each
element.
The default is 65535, but you can enter an integer from 0-65535.
15.In the XML Limit - Max XML Elements field, enter the maximum number of any one type of element per
XML document.
The default is 1024, but you can enter an integer from 0-8192.
16.In the XML Limit - Max Element Children field, enter the maximum number of children each element is
allowed to have, including other elements, character information, and comments. The default is 1024,
but you can enter an integer from 0-4096.
17.In the XML Limit - Max Element Depth field, enter the maximum number of nested levels in each element.
The default is 256, but you can enter an integer from 0-4096.
18.In the XML Limit - Max Element Name Length field, enter the maximum name length for each element,
including the XML path.
The default is 128, but you can enter an integer from 0-65535.
19.In the XML Limit - Max Entity Expansions field, enter the maximum number of entity expansions allowed.
The default is 1024, but you can enter an integer from 0-1024.
20.In the XML Limit - Max Entity Nested Depth field, enter the maximum depth of nested entity expansions.
The default is 32, but you can enter an integer from 0-32.
21.In the XML Limit - Max Namespace Declarations field, enter the maximum number of namespace declara-
tions in an XML document. The default is 16, but you can enter an integer from 0-256.
22.In the XML Limit - Max Namespace URI Length field, enter the maximum URI length allowed for each
namespace declaration.
The default is 256, but you can enter an integer from 0-1024.
23.Select the checkbox for XML Validation - WSDL File - Resp Val if you want the WAF to validate SOAP mes-
sages from a protected web application server using a Web Services Description Language (WSDL) doc-
ument.
• If you selected the checkbox, select the desired file from the XML Validation - WSDL File - Resp Val
drop-down menu.
• If you cleared the checkbox clear (default), optionally select the XML Validation - WSDL File from the
drop-down menu.
24.Select the checkbox for XML Validation - XML-Schema file - Resp Val if you want the WAF to validate SOAP
messages from a protected web application server using an XML Schema file.
• If you selected the checkbox, select the desired file from the XML Validation - XML-Schema file - Resp
Val drop-down menu.
• If you cleared the checkbox clear (default), optionally select the XML Validation - XML-Schema file from
the drop-down menu.
25.Select the Enforce SOAP compliance on XML checkbox to check XML documents for SOAP format compli-
ance. The WAF blocks those which are not well-formed. SOAP format checks are typically done in tan-
dem with XML format checks. See “WAF SOAP Checks” on page 33 for details.
26.When finished, click Create to save your changes.
2. In the Cookie Name field, enter the name of a cookie or PCRE expression. This option protect against
cookie tampering by encrypting cookies by a specific name or for all cookies that match a PCRE expres-
sion.
3. In the Cookie Encryption Secret field, enter a string which will be used to encrypt and decrypt the cook-
ies. The encryption uses a secret passphrase to decrypt and encrypt cookies that are transferred
between the Web server and client.
4. When finished, click Create to save your changes.
2. Select the Filter Response Headers checkbox to remove the Web server’s identifying headers in outgoing
responses.
3. Select the Hide Response Codes checkbox to enable this option to cloak 4xx and 5xx response codes for
outbound responses from the Web server. By default, this check uses the “allowed_resp_codes” WAF
policy file for a list of acceptable HTTP response codes. However, you can click the Hide Response Codes
file drop-down menu that appears to specify a different file. For more information, see “Allowed HTTP
Response Codes” on page 110.
4. Select the Redirect Whitelist checkbox to enable protection against unvalidated redirects, which can
occur if a hacker uses social networking to trick unsuspecting users into clicking on a malicious hyper-
link. The WAF must be deployed in Learning Mode when the redirect-wlist CLI command is used for the
first time so the list of acceptable locations can be built up. The WAF pre-learns a white-list of acceptable
locations to which users can safely be redirected. If one of the web servers gets hacked and attempts to
redirect a user to a location that does not appear in the redirect white-list, then the WAF blocks the redi-
rect. See “Open Redirect Mitigation” on page 22 for details.
5. When finished, click Create to save your changes.
2. Select the CCN Mask checkbox if you want the WAF to examine strings of outbound replies from the Web
server for patterns of numerical characters that resemble credit card numbers (CCN). If the WAF identi-
fies a credit card number, the WAF replaces all but the last four digits of credit card numbers with “x”
characters.
NOTE: From the CLI, you can view counters for the CCN check. These counters dis-
play the number of masked credit card numbers for various bank providers.
3. Select the SSN Mask checkbox if you want the WAF to scan HTTP responses for strings that resemble US
Social Security numbers and masks all but the last four digits of the string with “x” characters in a
response.
4. The PCRE Mask hides strings that match the specified PCRE pattern. (See “Writing PCRE Expressions” on
page 113 for details.) In the PCRE fields, enter the following values:
• PCRE Pattern – Masks patterns in a response that match the specified PCRE pattern.
• PCRE Mask Character – Selects a character to masked the matched pattern of a string. By default,
strings are masked with an “X” character.
• PCRE Keep Start – Sets the number of unmasked characters at the beginning of the string. This can
be 0-65535, the default is 0.
• PCRE Keep End – Sets the number of unmasked characters at the end of the string. This can be 0-
65535, the default is 0.
NOTE: You can configure PCRE patterns to match only on string of fixed length. For
this reason, wild-card characters that can mask excessively long strings (*
and +) are not supported.
If either the asterisk (*) or plus symbol (+) is detected during the syntax check, the syntax
check will automatically fail. To use an expression that matches an actual “*” or “+” char-
acter, use an escape character (\) before the matched symbol. For example, to search for
the actual asterisk (*) or plus character (+), enter “\*” or “\+”.
2. Select the Deny Forms Not Using POST checkbox to deny HTTP requests containing forms if the method
used is anything other than POST.
3. Select the CSRF Check checkbox to tag the fields of a web form with a nonce (a unique FormID). This
check protects against cross-site request forgery (CSRF).
4. Select the Form Consistency Check checkbox to check that the user input to a Web form field conforms to
the intended format for that entry. For example, it checks that a radio button is selected versus supply-
ing a string for that form field. WAF also parses HTTP bodies encoded as multipart/form-data. Extracted
form fields are verified against previously parsed HTML forms.
5. Select the Deny non-SSL Forms checkbox to deny user passwords that are sent over a non-encrypted
connection. If the connection between the client and the WAF is secured with SSL/TLS, the user pass-
word is allowed, but if the client attempts to submit to a form field where “input type=password”, and if
the connection is not encrypted with SSL/TLS, the WAF blocks the transmission. (For more information,
see “Deny Passwords Sent Over an Unencrypted Connection” on page 21.)
6. Select the Deny Caching of Form Responses checkbox to add “no-cache directives” if the HTTP response
contains <form> tags. The “no-cache” behavior is enforced by adding the following headers: (1) Cache-
Control: no-cache, no-store, must-revalidate, (2) Pragma: no-cache, (3) Expires: 0
7. When finished, click Create to save your changes.
2. Select the Deny non-masked password fields checkbox to prevent “should surfing” by denying the web
server’s attempt to send a form through the WAF unless the field type for the password field has been
set to “password”. (For more information, see “Deny Unmasked Passwords” on page 20.)
3. Select the Deny Autocompleted Passwords checkbox to deny web server attempts to transmit the form if
one of the form fields type is set to “password” and if the “autocomplete=on/off” attribute is set to “on”.
Enabling this option blocks browser “autocomplete” behavior. Although convenient for users, password
auto-completion weakens security by allowing browsers to store user passwords in order to later guess
the user’s password for some websites. (For more information, see “Deny Passwords if Autocomplete is
Enabled” on page 21.)
4. Select the Deny non-SSL Passwords checkbox to deny HTTP requests containing forms if the transmission
protocol used is anything other than SSL (TLS).
5. When finished, click Create to save your changes.
3. Enter a value in the Max Filesize field. Enter a value from 16–256 (KBytes). The default value is 32Kb.
4. Click Create to create a new WAF Policy.
5. Select the one of the following tabs:
• WAF Policies – see “WAF Policy Files” on page 107 for background information.
The WAF Policy table lists the default policy files, such as “bot_defs”, “jscript_defs”, and “sqlia_defs”. If
the Bot Checks, Cross-Site Scripting (XSS) Check, or SQL Injection Checks are enabled in a WAF tem-
plate, the policy files can be used to scrub incoming requests. For example, if the Bot Check option is
enabled in the WAF template and a match is found on an incoming request (using the “bot_defs”
file), the request we be denied automatically. You can copy the “bot_defs” file and modify the con-
tents to include or remove bot search terms. Simply click the Edit link, make changes, and save the
new copy.
To configure, click the Create button in the WAF Policy section. A window similar to that shown in
Figure 23 on page 76 appears.
~ If selecting the Local radio button, then enter the name and definition, and then click Create.
~ If selecting the Remote radio button, enter the name, transport protocol (e.g., TFTP, FTP, SCP, SFTP),
Host IP/FQDN, Port, Location, and user credentials (user/password) for the server where the file is
located. Then click Create.
• XML Schemas – see “WAF XML Checks” on page 26 for background information.
FIGURE 24 WAF > Files > (WAF Policy/XML Scheme/SOAP WSDL) > Create
For a general discussion of configuring an HTTP Policy Template, see “Overriding a WAF Template” on
page 117.
4. The Name field is not editable, since this example show how to update an existing HTTP policy template.
5. In the Cookie Name field, enter the cookie name associated with this HTTP Policy.
6. In the Match Rules section of the window, click the Add button.
The Add HTTP Policy Match Rule window appears, similar to that shown below:
Configure rules that match on URLs, hostnames, or cookie names. Client requests that match a rule in
the HTTP policy template are handled using the alternative WAF template that you will later bind to the
HTTP policy template.
7. To configure rules for matching:
a. Click the Type drop-down list and select one of the follow rule types:
• URL
• Host
• Cookie Name
a. Click the Match Type drop-down list and select the match operation:
• Starts With
• Ends With
• Contains
• Equals
These match options are always applied in the order shown above, regardless of the order in which
the rules appear in the configuration. The WAF template associated with the rule that matches first is
used.
If a template has more than one rule with the same match option (equals, starts-with, contains, or
ends-with) and a URL matches on more than one of them, the most-specific match is always used.
c. From the Service Group drop-down menu, select the desired drop-down menu that you wish to asso-
ciate with this match rule.
d. From the WAF drop-down menu, select the WAF template to which to bind this HTTP policy tem-
plate. The WAF template you select will be used for traffic that matches the rule.
e. Click the Add button.
f. Repeat this process for each rule you wish to add to the HTTP Policy.
8. Click the Add button to save your changes.
9. In the Geo Location Matches section of the window, click the Add button.
The Add HTTP Policy Geo Location Match Rule window appears, similar to that shown below:
10.Enter the Geo Location. (See “Geo-location Based Blocking” on page 38 for more information.)
11.From the Service Group drop-down menu, select the desired drop-down menu that you wish to associ-
ate with this match rule.
12.From the WAF drop-down menu, select the WAF template to which to bind this HTTP policy template.
The WAF template you select will be used for geo-location traffic that matches the rule.
13.Click the Add button to save your changes.
WAF Reporting
ACOS offers a reporting feature that allows you to view WAF statistics through the Web GUI. Currently, this
information can be displayed using the following WAF report types:
• Top URL – this report type indicates the most frequently accessed URLs during a specified time inter-
val.
• Top Violation – this report type indicates the most common WAF violations that occurred during a
specified time interval. This report provides information similar to the violations listed under the
Global Stats page, such as SQL Injection Attacks and Buffer Overflows.
• Top Attacker – this report type indicates the source IP where most attacks originated during a speci-
fied time interval.
WAF Reporting can be helpful, because it provides complex information in a visual format, making it easier to
see, for example, the types of attacks that might be occurring, when they occurred, how long they lasted,
and the size or magnitude of the attack. Similarly, WAF Reporting can show you which URLs are being
accessed on your network and the times of day this is happening.
3. Click the Report Type drop-down menu and select one of the following menu items: Top URL, Top Viola-
tion, or Top Attacker.
4. In the Top N field, enter the desired number (1–20). For example, entering 10 will result in a “Top 10”
report.
5. Click the Time Interval drop-down menu and select one of the following tabs:
• Last Hour
• Last Day
• Last Week
• Last Month
• Last Year
• Select Period – specify the Unit (Minute, Hour, Day, Week, Month) and then enter the Period.
• Select Date Time – enter the Start Time and End Time by selecting a date from the calendar window
that appears.
NOTE: The granularity of the history shown in a WAF report varies depending on
the time interval specified. Reports with shorter durations, (for example, the
Last Day) will include more granular information than reports that are spread
out over a month.
Details:
• The figure above shows a WAF Report for the Top 10 Violations during the last week. The most com-
mon violation
(URI While List Failure) appears at the top of the chart, and the second most common violation
(Response Headers Filtered), appears in the second position from the top of the chart, and so on.
• The horizontal axis shows Date Time, and the vertical axis is used to show the Count.
• The blue dots represent the number of times a particular violation occurred during the time interval.
In this example, a blue dot appears every hour.
• You can optionally click the green Show Charts button (at upper right) to toggle between showing
and hiding the charts.
7. (Optional) To see where attacks are coming from, you can select Top Attacker from the Report Type, and
click Apply to generate the desired chart.
A window similar to that shown in Figure 30 appears. In this example, the Top 10 Attackers are shown.
However, in this particular example, the attacks are all coming from one hypothetical source IP address:
172.128.9.154.
Logging of WAF events to external logging servers is supported over TCP or UDP, although UDP is typically
used for Syslog.
You can configure logging to a single server or a group of servers. If you use a group of servers, ACOS bal-
ances the log traffic among the servers for optimal efficiency.
Configuration Overview
1. Create a server configuration for each log server. On each server, add a UDP port with the port number
on which the log server listens for log messages. (While either TCP or UDP would work, Syslog typically
uses UDP.)
2. Add the log servers to a service group. Make sure to use the round-robin load-balancing method. (This is
the default method.)
3. (Optional) If logging over TCP, configure a TCP-proxy template to customize TCP settings for connections
between ACOS and the log servers. For example, you can enable use of keepalive probes to ensure that
the TCP connections with the log servers remain established during idle periods between logs.
4. Configure a logging template. Add the service group containing the log servers to the logging template.
If you configure a custom TCP-proxy template, also add that template to the logging template.
5. Apply the logging template to the WAF template.
External logging is activated once you bind the WAF template to a virtual port.
4. In the Name field, enter a name for the external log server.
5. In the Type radio button, select the IP version, IPv4, IPv6, or FQDN.
6. In the Host field, enter the server’s IP address or FQDN.
7. In the Port section of the window, configure the protocol port information:
a. Click the Create button.
b. Enter the following:
• Port Number – enter the port number in this field (514, which is the default for Syslog)
• Protocol – click the drop-down and select UDP protocol for this port.
• Health Check – select one of the radio buttons for Default, Disable, Monitor, Follow Port
• Click Create. The port appears in the list of ports for this server.
6. Click the Algorithm drop-down and select the desired load balancing algorithm (e.g., Round Robin, Least
Connection).
7. If desired, select the Health Check Disable checkbox, or if health checks are desired, then select one from
the Health Monitor drop-down menu.
8. In the Member section, click Create to add the server.
A window similar to that shown below appears:
a. For the desired Choose creation type radio button, select Existing Server.
b. Click the Server drop-down list and select the server(s) you just created in “Configure Log Servers” on
page 85.
c. Enter 514 in the Port field, since we are using Syslog. (Use the same number as specified in the server
config.)
d. In the Priority field, enter an appropriate value from 1-16.
Assign a higher priority number to the primary servers, and assign lower numbers for the servers that
will be used as backups. By default, the ACOS device will not use the lower-priority backup servers
unless all of the primary servers are down. The same priority number should be used for all the pri-
mary servers, but keep in mind that assigning the same priority value to the primary servers will
cause the logs to be load balanced across the primary servers, and will NOT cause duplicate copies of
the logs to be sent to multiple primary servers. For a detailed discussion and background informa-
tion on how Priority works, please see the “Priority Affinity” chapter in the Application Delivery and
Server Load Balancing Guide.
e. (Optional) Click the Template drop-down and select an HTTP template.
f. Click the State drop-down menu and select Enable or Disable to decide if the server will be active or
not.
g. (Optional) You can select Stats Data Disable checkbox if you wish to disable statistical data collection
for system resources, such as CPU, memory, disk, or interfaces.
h. Click Create button.
i. Repeat these steps for each server you wish to add to this service group.
The WAF operates on traffic that is addressed to the virtual IP address (VIP) and HTTP/HTTPS virtual port of
your Web site. To apply WAF protection to the virtual port, basic configuration is required. Additional,
advanced configuration is optional.
This chapter describes how to configure the WAF using the command-line interface (CLI).
NOTE: For deployment examples, see “WAF Deployment and Logging Examples” on
page 123.
Required Configuration
The minimum required configuration for the WAF consists of the following tasks:
NOTE: Configuration of other SLB resources required by the virtual port, such as real
servers and service groups, are not covered here. However, the deployment
examples in the guide include the commands for configuring these
resources. (See “WAF Deployment and Logging Examples” on page 123.)
For the template-name option, enter the name of an existing WAF template to modify the template’s configu-
ration, or an unused name to create a new WAF template. This command enters the CLI configuration level
for the template.
If you plan to use all the default settings for the template (including Active Mode operation) no further tem-
plate configuration is required. To customize template settings, see “Optional Configuration” on page 93.
To bind a template to a virtual port, you must access the configuration level for the port.
1. From the global configuration level of the CLI, use the following command to access the configuration
level for the virtual server that will receive HTTP/HTTPS traffic to be secured using the WAF:
slb virtual-server name ipaddr
2. At the configuration level for the virtual server, use the following command to access the configuration
level for the virtual port:
port port-number {http | https}
3. At the configuration level for the virtual port, use the following command to bind the WAF template to
the port:
template waf template-name
1. Create a server configuration for each log server. Add a TCP or UDP port to each server configuration,
with the port number on which the external log server listens for log messages.
a. Use the following command to add a server and access the configuration level for it:
slb server server-name ipaddr
b. Use the following command to add a TCP or UDP port to the server. Specify the port number on
which the server will listen for log traffic.
port port-num {tcp | udp}
2. Add the log servers to a service group. Make sure to use the round-robin load-balancing method. (This is
the default method.)
a. Use the following command to add the service group and access the configuration level for it:
slb service-group group-name {tcp | udp}
b. Use the following command to add each log server and its TCP or UDP port to the group:
member server-name portnum
3. (TCP only) If logging over TCP, configure a TCP-proxy template to customize TCP settings for connections
to log servers. For example, you can enable use of keepalive probes, to ensure that the TCP connections
with the log servers remain established during idle periods between logs.
a. Use the following command to create the TCP-proxy template and access the configuration level for
it:
slb template tcp-proxy template-name
b. Use the following command to add the service group containing the log servers to the logging tem-
plate:
service-group group-name
c. If you configured a TCP-proxy template, use the following command to add that template to the log-
ging template:
template tcp-proxy template-name
b. Use the following command to bind the logging template to the WAF template:
template logging template-name
NOTE: External logging is activated once you bind the WAF template that uses the
logging template to an HTTP/HTTPS virtual port.
Optional Configuration
This section provides syntax for the following WAF configuration options:
• Deployment mode
• Request checks
• Deny action (WAF response sent to client when a request is denied by the WAF)
• Response checks
• active – The WAF enforces the security checks configured on the template and sends events to the
external log server.
• passive– The WAF sends events to the external log server only and does not enforce any security
checks.
• learning – The WAF template “learns” acceptable check parameters based on a stream of legitimate,
secure traffic. In Learning Mode, the WAF continues to send events to the external log server.
The WAF is pre-loaded with a set of default policy files which are used for certain security checks. For exam-
ple, if you enable bot checking with the WAF template, the default “bots_def” WAF policy file is used for a list
of known bot names. (See “Bot Check” on page 108.)
Optionally, you can customize WAF policy files and apply these files to security checks. For example, you can
copy the default bots policy file, modify and import the copied file, then update the corresponding WAF
template option to use the custom policy file.
• allowed-http-methods method-list – Use this command to specify the HTTP methods (GET, POST,
and so on) that are allowed in requests.
• bot-check – Use this command to check the user-agent of incoming requests for known bots. This
check uses the list of defined bots in the “bot_defs” WAF policy file. See “Bot Check” on page 108.
• buf-ovf option – Use this command to configure checks for attempts to cause a buffer overflow on
the Web server.
• disable – Disables buffer overflow protection.
• max-cookie-len bytes – Sets the maximum length for cookies allowed in requests.
• max-cookie-name-len bytes – Sets the maximum length for cookie names in requests.
• max-cookie-value-len bytes – Sets the maximum length for cookie values in requests.
• max-cookies-len bytes – Sets the maximum total length for cookies allowed in requests.
• max-data-parse bytes – Sets the maximum data parsed for Web Application Firewall.
• max-hdr-name-len bytes - Sets the maximum header name length allowed in requests.
• max-hdr-value-len bytes - Sets the maximum header value length allowed in requests.
• max-hdrs-len bytes – Sets the maximum header length for headers allowed in requests.
• max-parameter-name-len bytes - Sets the maximum parameter name length allowed in requests.
• max-post-size bytes – Sets the maximum content length allowed in HTTP POST requests.
• csrf-check – Use this command to tag the fields of a web form with a nonce. This check protects
against cross-site request forgery (CSRF). “XSS Check” on page 108
• deny-action response-type – Use this command to specify the type of response string sent to a cli-
ent when WAF denies a request
• http-resp-403 resp-string – Sends a 403 Forbidden response to the client. The default string
returns a generic “Request Denied!” page to the client.
• http-resp-200 resp-string– Sends a 200 OK response to the client with the specified resp-string.
The default string returns a generic “Request Denied!” page to the client.
• http-redirect url-string – Sends a 302 Found redirection address to the client with the URL spec-
ified in the redirect-url.
• reset-conn – Terminates the client connection.
• deny-non-masked-passwords – Prevents “should surfing” by denying the web server’s attempt to send
a form through the WAF unless the field type for the password field has been set to “password”. See
“Deny Unmasked Passwords” on page 20.
• deny-non-ssl-passwords – Denies user passwords that are sent over a non-encrypted connection. If
the connection between the client and the WAF is secured with SSL/TLS, then the user password is
allowed, but if the client attempts to submit to a form field where “input type=password”, and if the
connection is not encrypted with SSL/TLS, then the WAF blocks the transmission. The feature is dis-
abled by default, meaning that forms not using the SSL/TLS protocol will not be denied. See “Deny
Passwords Sent Over an Unencrypted Connection” on page 21.
• deny-password-autocomplete – Denies web server attempts to transmit the form if one of the form
fields type is set to “password” and if the “autocomplete=on/off” attribute is set to “on”. Enabling this
option blocks browser “autocomplete” behavior. Although convenient for users, password auto-com-
pletion weakens security by allowing browsers to store user passwords in order to later guess the
user’s password for some websites. See “Deny Passwords if Autocomplete is Enabled” on page 21.
• form-consistency-check – Use this command to check that the user input to a form field conforms
to the form field tag. WAF also parses HTTP bodies encoded as multipart/form-data. Extracted form
fields are verified against previously parsed HTML forms.
• form-deny-non-post – Deny request with forms if the method is not POST.
• http-check – Use this command to check that user requests are compliant with HTTP protocols.
• json-format-check – Checks that incoming requests containing JSON code are in compliance with
RFC 4627, and blocks requests if the JSON content is not well- formed.
• json-limit – Enforces parsing limits to protect backend servers against various types of denial-of-
service (DoS) attacks, which are designed to exhaust system memory or CPU resources.
• max-array-value-count num – Limits the maximum number of values within a single array.
• max-string num – Limits the length of a string in a JSON request for a name or a value.
• log-succ-reqs – Enabling this option logs a debug message on the successful completion of WAF
requests, and not just for errors.
• max-cookies num – Specifies the maximum number of cookies allowed in a request.
• max-entities num – Specifies the maximum number of MIME entities allowed in request.
• redirect-wlist– Enables protection against unvalidated redirects, which can occur if a hacker uses
social networking to trick unsuspecting users into clicking on a malicious hyperlink. The WAF must be
deployed in Learning Mode when the redirect-wlist CLI command is used for the first time so the list of
acceptable locations can be built up. The WAF pre-learns a white-list of acceptable locations to which
users can safely be redirected. If one of the web servers gets hacked and attempts to redirect a user to
a location that does not appear in the redirect white-list, then the WAF blocks the redirect. See “Open
Redirect Mitigation” on page 22 for details.
• referer-check {enable | only-if-present}
safe-referer-domain safe-redirect-url – Use this command to validate that the referer header in
a request contains Web form data from the specified Web server, rather than from an outside Web site.
This check protects against CSRF attacks.
• enable – always validates the referer header. If selected, the request fails the referer check if there is
no referer header or if the referer header is invalid.
• only-if-present – validates the referer header only if a referer header exists. If the check finds an
invalid referer header, the request fails the check. However, the request does not fail the check if
there is no referer header in the request.
• session-check secs – This command creates an ID for a client request and inserts it in a cookie in the
response. Future requests from the same client are validated against the session cookie. If the ID or IP
do not match, then the request will be rejected. The default lifetime for the session ID is 600 seconds.
See “Session Checks” on page 20.
• soap-format-check – Check XML documents for SOAP format compliance and blocks those which are
not well-formed. SOAP format checks are typically done in tandem with XML format checks. See “WAF
SOAP Checks” on page 33 for details.
• sqlia-check {reject | sanitize} – Use this command to check for SQL strings to protect against
SQL injection attacks. This check uses the list of defined SQL commands in the “sqlia_defs” WAF policy
file. See “SQL Injection Attack Check” on page 108.
• reject – denies requests that contain SQL injection attacks.
• sanitize – removes the SQL injection attack and forwards the request to the Web server.
• uri-blist-check file-name – Enforces the rules contained within a WAF policy file for the URI Black
List. For more information see, “URI Black List” on page 109.
• uri-wlist-check file-name – Enforces the rules contained within a WAF policy file for the URI White
List. For more information, see “URI White List” on page 110.
• url-check – The URL Check allows users to access Web pages only by clicking hyperlinks on your pro-
tected Web site, as opposed to allowing users to access hidden web pages by typing the full URL in the
browser. Select this option to prevent users from manually typing the URL for content on your website
that you do not want accessible.
The list of approved URL paths is initially generated as a policy file during Learning Mode. After this list
is generated, you can customize the contents of the URL Check policy file. For a deployment example
that includes configuration of the URL Check, see “Generate Allowed URL Paths for the URL Check” on
page 127.
• url-options option – This command is used to normalize requested URLs.
The url-options command helps shorten URLs, thus preventing buffer overflows from long URLs.
• decode-entities - Decode entities, such as <, in an internal URL.
• decode-hex-chars - Decode hexadecimal characters, such as \%xx and \%u00yy, in an internal URL.
• remove-selfref - Remove self-references, such as /./ and /path/../, from an internal URL.
NOTE: ACOS 4.0 does not support the ability to decode a plus symbol “+” in the URL
if it is being used to represent a space by the browsers.
• xml-format-check – Check HTTP body for XML format compliance. Incoming requests containing
XML code are checked for compliance with the XML 1.0 specification. (See “XML Format Checks” on
page 27 for details.)
• xml-limit – XML parsing limits. (See “XML Limit Checks” on page 29 for details.)
• max-attr num – Limits the maximum number of attributes/children each individual element is
allowed to have.
Range is 1–256. Default is 256.
• max-attr-name-len num – Limits the maximum length of each attribute name.
Range is 1–2048. Default is 128.
• max-attr-value-len num – Limits the maximum length of each attribute value.
Range is 1–2048. Default is 128.
• max-cdata-len num – Limits the length of the CDATA section for each element.
Range is 1–65535. Default is 65535.
• max-elem num – Limits the maximum number of any one type of element per XML document.
Range is 1–65535. Default is 65535.
• max-elem-child num – Limits the maximum number of children each element is allowed, and
includes other elements, character information, and comments. Range is 1–65535. Default is 65535.
• max-elem-depth depth – Limits the maximum number of nested levels in each element.
Range is 1–65535. Default is 256.
• max-elem-name-len length – Limits the maximum length of name of each element, and includes the
XML path, which is in the following format: http://<site>/<path>/page.xml
Range is 1–65535. Default is 128.
• sanitize – removes the detected XSS script and forwards the request to the Web server.
• ccn-mask – Use this command to examine strings of outbound replies from the Web server for pat-
terns of numerical characters that resemble credit card numbers (CCN). If the WAF identifies a credit
card number, the WAF replaces all but the last four digits of credit card numbers with “x” characters.
• cookie-encrypt – Use this command to encrypt specified cookies matching PCRE pattern. Used to
protect against cookie tampering by encrypting cookies before sending the server replies to a client.
(See “Cookie Encryption” on page 133.)
• filter-resp-hdrs – Use this command to removes the Web server’s identifying headers in outgoing
responses.
• hide-resp-codes – Cloaks 4xx and 5xx response codes for outbound responses from the Web server.
NOTE: Do not enter the secret-encrypted option when configuring this check. This
option is placed into the configuration by the WAF to indicate that the string
is the encrypted form.
• pcre-mask options pcre-pattern – Use this command to masks patterns in a response that match
the specified PCRE pattern.
• For options you can enter the following:
• keep-end num-length – Specifies the number of unmasked characters at the end of the string.
The default is 0.
• keep-start num-length – Sets the number of unmasked characters at the beginning of the
string. The default is 0.
• mask character – Selects a character to mask the matched pattern of a string. The default is x.
• For pcre-pattern, enter a PCRE expression. (See “Writing PCRE Expressions” on page 113.)
NOTE: You can configure PCRE patterns to match only on a fixed-length string. For
this reason, wildcard characters that can mask excessively long strings (* and
+) are not supported.
If either the asterisk (*) or plus symbol (+) is detected during the syntax
check, the syntax check will automatically fail. To use an expression that
matches an actual “*” or “+” character, use an escape character (\) before the
matched symbol. For example, to search for the actual asterisk (*) or plus
character (+), enter “\*” or “\+”
• ssn-mask – Use this command to examine server responses for strings that resemble US Social Secu-
rity numbers and masks all but the last four digits of the string with “x” characters in a response.
ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016 | page 100
A10 Thunder Series and AX Series
WAF Event Types and Where They Are Logged
This chapter describes where WAF events are logged and the format used for WAF log messages.
There is no external logging by default. To configure external logging, see either of the following sections:
NOTE: After external logging is enabled, WAF messages for configuration events
will be sent to the local log, but messages for data events will be sent to the
external logging servers.
Deny actions are not written to the log. To view the configured response to
denied client requests, check the WAF template currently in use.
• Configuration events – Indicate that a configuration change has occurred. Typically, this type of WAF
event is generated when you configure WAF settings.
• Data events – Indicate that traffic has matched a WAF template check.
By default, only configuration events are logged to the local logging buffer on ACOS.
Data events are not logged by default. Due to the potentially high volume of data event messages, they are
accessible only by using remote logging servers. You can configure the WAF to use a single logging server or
a group of servers.
After you enable WAF logging to remote logging servers, WAF configuration events also are sent to the
remote servers. In this case, the WAF configuration events are no longer sent to the local logging buffer.
Figure 35 shows the WAF logging behavior without external logging. WAF configuration events are logged
locally. WAF data events are not logged.
page 101 | ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016
A10 Thunder Series and AX Series
WAF Event Types and Where They Are Logged
Figure 36 shows the WAF logging behavior after external logging is configured for the WAF template. WAF
configuration events and WAF data events both are logged to the external log server.
ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016 | page 102
A10 Thunder Series and AX Series
Log Format
Log Format
For optimal interoperability, WAF uses the Common Event Format (CEF), an open standard used by other
security appliances and network devices.
Timestamp CEF:version|device-vendor|device-product|
device-version|module|event-type|severity|CEF-extension
Table 2 describes the data fields that can appear in WAF logs
page 103 | ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016
A10 Thunder Series and AX Series
WAF Log Examples
• Bot Check
• Learning Mode
ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016 | page 104
A10 Thunder Series and AX Series
WAF Log Examples
NOTE: For more log examples, see “WAF Deployment and Logging Examples” on
page 123.
Bot Check
Here is an example of a WAF log that indicates the detection of a bad bot:
Here is the same message, formatted to more clearly show each field:
page 105 | ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016
A10 Thunder Series and AX Series
WAF Log Examples
Oct 20 18:16:13
CEF:0
A10
AX3200
2.7.1
WAF
bot-check
6
src=20.20.25.10
spt=30842
dst=20.20.25.130
dpt=80
request=”GET /tours/index.html HTTP/1.1” 0
msg=”Bad bot detected! User-Agent drip”
cs1=w2
act=deny
md=nrm
This message indicates that an HTTP GET request from 20.20.25.10:30842 to VIP 20.20.25.130:80 contained a
bot whose name matches a name in the bots WAF policy file. The WAF template name is “w2”. Based on the
WAF configuration, the request was denied. The WAF is running in normal mode.
Learning Mode
Below are example log messages for when the WAF is deployed in learning mode:
The first message indicates that WAF updated the header-length limit based on traffic observed during
Learning Mode. Likewise, the second message indicates that WAF updated the maximum-headers limit. The
act=learn field indicates that the value was learned. The md=lrn field indicates that Learning Mode was
enabled.
ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016 | page 106
A10 Thunder Series and AX Series
Pre-Loaded WAF Policies
WAF Policy Files (also referred to as WAF Definitions) give you the ability to define a set of rules for custom-
ized security checks. WAF policy files enable you to specify security checks for enhanced response- and
request-side protection to protect against security risks, such as SQL injection attacks or forceful browsing.
• XSS Check
• Bot Check
• SQLIA Check
If one of these checks is enabled and a WAF policy file is not specified, the default WAF policy file is applied.
These policy files are described in more detail below.
NOTE: You cannot rename, edit, or delete default files. However, you can copy a
default WAF policy file and customize its contents to fit your specific
demands.
page 107 | ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016
A10 Thunder Series and AX Series
Pre-Loaded WAF Policies
Request Protection
The following checks point to WAF policy files for enhanced protection against incoming requests. By
default, these checks refer to the default WAF policy files, as described below. Optionally, you can configure
these checks to use customized policy files.
Bot Check
The WAF bot check option uses the “bot_defs” policy file for search definitions of known bot agents. If bot
checking is enabled in the WAF template and a match is found with the “bot_defs” policy file, the request is
denied automatically. You can add or modify the “bot_defs” policy file to include or remove bot search terms.
XSS Check
The “jscript_defs” WAF policy file defines a list of common Javascript commands. The XSS check uses
this policy file for examining the content of URL, cookies, headers, and POST bodies of client requests. This
type of policy file is useful for Web sites that use Javascript-based web content.
NOTE: If your Web site contains embedded Javascript, A10 Networks recommends
enabling the XSS check in the WAF template.
ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016 | page 108
A10 Thunder Series and AX Series
Pre-Loaded WAF Policies
The URI Black List takes priority over a URI White List. That is, even if a URI matches acceptance criteria within
the URI White List, a connection is blocked automatically if it meets a rule in the separate URI Black List.
Table 5 lists URI Black List criteria in the default “uri_blist_defs” file.
page 109 | ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016
A10 Thunder Series and AX Series
Pre-Loaded WAF Policies
Table 6 lists URI White List criteria in the default “uri_wlist_defs” file.
Response Protection
This section describes policy-based security checks for outbound responses from the Web server.
ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016 | page 110
A10 Thunder Series and AX Series
Customize WAF Policy Files
You cannot remove or edit a pre-loaded WAF policy file. However, you can quickly duplicate an existing file to
an unused name and modify the contents.
The following sections describe how to write PCRE patterns for customized WAF policies. ACOS incorporates
aspects of PCRE expressions for writing WAF policies, but does not support full PCRE functionality.
Syntax Check
After the file is created or modified, a syntax check is automatically performed on the file. If you modify a
WAF policy file that is currently bound to a WAF template and the file does not pass the syntax check, it is
automatically restored to the previous version.
Files which do not pass the syntax check cannot be bound to a WAF
template. A policy can fail a syntax check for various reasons, including the following:
• Duplicate policies (more than one policy file containing the same PCRE expressions)
(a|b) – Incorrect
instead of
(?:a|b) – Correct
page 111 | ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016
A10 Thunder Series and AX Series
Customize WAF Policy Files
For the file-name option, enter the name of an existing WAF policy file to edit the file, or an unused
name to create a new WAF policy. Do not include the “.waf” extension in the file name, this is automati-
cally applied during creation.
The CLI enters the input mode for the policy file.
NOTE: You cannot modify default files. If you enter the name of a pre-loaded WAF
policy for file-name, the following message will display:
2. Type or copy-and-paste a collection of PCRE expressions for the file. If you type the script, press the
Enter key at the end of each line. For information about writing PCRE expressions, see “Writing PCRE
Expressions” on page 113.
3. To save the file and complete the input process, press the Escape key, type “:wq” or “ZZ” and press Enter.
Alternatively, use “:q!” to exit without saving the file.
Syntax Checks
After you finish entering the policy text, the CLI performs a syntax check and displays one of the following
messages:
Indicates a failed syntax check and reports the line (n) with invalid
syntax.
Manage Files
The following commands allow you to manage WAF policy files.
Copy Files
Use the following command to copy a WAF policy to a new file name:
For the source-name option, use the name of an existing WAF policy.
For the destination-name option, enter an unused name for the copied file.
ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016 | page 112
A10 Thunder Series and AX Series
Customize WAF Policy Files
Rename Files
Delete Files
NOTE: You cannot rename, edit, or delete default files. However, you can copy a
default WAF policy file and customize its contents to fit your specific
demands.
General Guidelines
This section summarizes common characters used in PCRE expressions and provides a quick reference to
basic PCRE syntax. To learn more about writing detailed PCRE expressions, consult outside reference mate-
rial.
page 113 | ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016
A10 Thunder Series and AX Series
Customize WAF Policy Files
PCRE Characters
Enclose Patterns
You can enclose patterns with any non-alphanumeric character that is not a backslash \ or whitespace. You
can also use special symbols that may otherwise carry an alternative function as long as the same symbol is
used in the beginning and end of the string.
ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016 | page 114
A10 Thunder Series and AX Series
Customize WAF Policy Files
Basic Syntax
WAF policy files consist of PCRE expressions and comment lines. Lines with PCRE expressions are structured
as follows:
name,PCRE expression
The name is a string which you can use to title the line. Follow the description with a comma “,” before writing
the PCRE expression. As shown below:
FromDefaultBlackList,^[^?]*[.]htx
NOTE: Everything following the comma is included in the PCRE expression. Do not
include whitespace unless this is intended as part of the expression.
Comments
To insert a comment into the policy file enter a pound character ‘#’ before the comment line.
example_expression,^[^?]*/[?]wp-
# comment
...
(# comment)
Example Applications
Outlined below are various examples of PCRE expressions.
Attack Patterns
You can create customized WAF policies with search criteria for attack
patterns.
• Use the " | " symbol as a separator in lists of elements. Traffic matches a policy rule if the traffic matches
any of the elements delimited by " | ". For example, "(apples | oranges)" is read as a single object that
can be triggered when either "apples" or "oranges" is found in traffic.
• Use parentheses to enclose each separate element. For example, the set of elements "(apples)
(oranges)" is read by WAF as two individual objects: an "apples" object and an "oranges" object.
page 115 | ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016
A10 Thunder Series and AX Series
Customize WAF Policy Files
(builtbottough|bunnyslippers|capture|cegbfeieh|cherrypicker|cheesebot|chinaclaw|cicc|civa|
clipping|collage|collector|copyrightcheck|cosmos|crescent|custo|cyberalert|deweb|diagem|di
gger|digimarc|diibot|directupdate|disco|dittospyder|download accelerator|download
demon|download wonder)
To add three additional known bots under the names “brewster”, “nook” and “peanut”, you would modify the
policy file similar to the following. The additions are indicated in bold:
(builtbottough|bunnyslippers|capture|cegbfeieh|cherrypicker|cheesebot|
chinaclaw|cicc|civa|clipping|collage|collector|brewster|nook|
copyrightcheck|cosmos|crescent|custo|cyberalert|deweb|diagem|
digger|digimarc|diibot|directupdate|disco|dittospyder|
download accelerator|download demon|download wonder|peanut)
Policy Rules
You can write WAF policy files to list more complicated policy rules. The following examples illustrate the var-
ious rules that you can create as a PCRE expression.
The following example defines a rule for the URI Black List. The rule denies user requests to access the image
server at img.example.com directly:
^http://img[.]example[.]com$
The following example defines a rule for the URI Black List. The rule denies user requests to access CGI (.cgi)
or PERL (.pl) scripts directly:
^http://www[.]example[.]com/(?:[0-9A-Za-z][0-9A-Za-z_-]*/)*
[0-9A-Za-z][0-9A-Za-z_.-]*[.](?:cgi|pl)
The following PCRE expression looks for strings that resemble a California driver’s license ID number. This
policy rule can be used in conjunction with the PCRE mask option to mask strings that match the expression:
[A-Za-z][0-9]{7,7}
ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016 | page 116
A10 Thunder Series and AX Series
Configure an HTTP Policy Template
You can configure ACOS to override the WAF settings applied to the HTTP/HTTPS virtual port with another
set of WAF settings, using an HTTP policy template. You can configure rules in the HTTP template to match
on URLs, hostnames, or cookie names in traffic.
1. Configure a second WAF template with the alternative settings to use. See either of the following:
• Using the GUI – “Configure a WAF Template” on page 59
• Requested URL
• Requested hostname
• Add (bind) the second WAF template to the HTTP policy template.
NOTE: For the WAF to operate, it is still required to bind a WAF template directly to
the virtual port, to use as the virtual port’s primary WAF template. HTTP pol-
icy templates can be used only to override the primary WAF template with
secondary WAF template, based on the match rules in the HTTP policy tem-
plate.
page 117 | ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016
A10 Thunder Series and AX Series
Configure an HTTP Policy Template
• Equals string – matches only if the URL, hostname, or cookie name completely matches the speci-
fied string.
• Starts-with string – matches only if the URL, hostname, or cookie name starts with the specified
string.
• Contains string – matches if the specified string appears anywhere within the URL, hostname, or
cookie name.
• Ends-with string – matches only if the URL, hostname, or cookie name ends with the specified
string.
These match options are always applied in the order shown above, regardless of the order in which the rules
appear in the configuration. The WAF template associated with the rule that matches first is used.
If a template has more than one rule with the same match option (equals, starts-with, contains, or ends-with)
and a URL matches on more than one of them, the most-specific match is always used.
In addition to URLs, hostnames and cookies, HTTP policy also supports “geo-location”. Below is an example of
a geo location configuration with the assumption that waf-template-1 has been previously configured.
ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016 | page 118
A10 Thunder Series and AX Series
Bind the HTTP Policy Template to the Virtual Port
6. Click Create.
Use the GUI to Bind the HTTP Policy Template to a Virtual Port
To bind the HTTP policy to an existing virtual port:
Use the CLI to Bind the HTTP Policy Template to a Virtual Port
To bind a template to a virtual service port, create the VIP and the port, as well as the service group, and then
enter
the template waf command at the configuration level for the port. For example:
For a complete CLI example, see “HTTP Virtual Port Configuration” on page 124.
page 119 | ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016
A10 Thunder Series and AX Series
Bind the HTTP Policy Template to the Virtual Port
ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016 | page 120
A10 Thunder Series and AX Series
Displaying WAF Statistics
WAF Statistics
The sections of this chapter describe GUI and CLI procedures to display WAF statistics.
NOTE: Statistics counters increment from 0 after the most recent reboot or from
when the statistics were most recently cleared.
page 121 | ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016
A10 Thunder Series and AX Series
Clearing WAF Statistics
• use the clear waf command to clear all “show waf” counters.
• use the clear waf stats command to clear statistics for a specific virtual server and virtual port.
See “clear waf stats” on page 166 for more information about this CLI command.
ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016 | page 122
A10 Thunder Series and AX Series
Initial Configuration
This chapter provides some examples for WAF deployment. Since logging is a crucial part of WAF configura-
tion and management of the WAF, the examples include applicable log messages.
Initial Configuration
The commands in this example configure the following resources:
• Logging configuration
• WAF template
Logging Configuration
The commands in this section configure the resources required for external logging of WAF events.
To begin, the following commands configure external logging for the WAF. A single log server is used. Log
messages are sent over TCP.
A TCP-proxy template is used to periodically send keepalive probes to the syslog port on the server. The kee-
palive probes prevent the TCP session from aging out during periods of inactivity.
The following commands create the server configuration and add it to a TCP service group:
page 123 | ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016
A10 Thunder Series and AX Series
Initial Configuration
The following commands configure the TCP-proxy template, to enable keepalive messages:
The following commands configure the logging template. This includes binding the TCP-proxy template to
the logging template.
To begin, the following commands create server configurations for the web servers to be load balanced and
protected by the WAF:
ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016 | page 124
A10 Thunder Series and AX Series
Learning
The following commands configure the virtual server and bind it to the service group and WAF template:
Log Example
When done configuring, you can use the show log command to display log messages. These log messages
indicate whenever a WAF template is updated, created, or deleted. Hypothetical log messages are shown
below for illustration purposes.
ACOS(config:8)#show log
Log Buffer: 30000
Mar 24 2016 15:37:12 Info [WAF]:CEF:1|A10|AX3030|4.1.0|WAF|Mar 24 2016 15:37:11|con-
fig|2|msg="Template waf-check-doc: buf-ovf max-hdr-value-len set to 65535"
Mar 24 2016 15:37:12 Info [VCS]:dcs config seq number increase (45,0,652)
Mar 24 2016 15:37:04 Info [WAF]:CEF:1|A10|AX3030|4.1.0|WAF|Mar 24 2016 15:37:03|con-
fig|2|msg="Template waf-check-doc: bot-check ON (policy-file=bot_defs)"
Mar 24 2016 15:37:04 Info [VCS]:dcs config seq number increase (45,0,651)
Mar 24 2016 15:37:02 Info [WAF]:CEF:1|A10|AX3030|4.1.0|WAF|Mar 24 2016 15:37:01|con-
fig|2|msg="Template waf-check-doc created"
Mar 24 2016 15:37:02 Info [VCS]:dcs config seq number increase (45,0,650)
Mar 24 2016 15:36:42 Info [WAF]:CEF:1|A10|AX3030|4.1.0|WAF|Mar 24 2016 15:36:41|con-
fig|2|msg="Template waf-check-doc deleted"
NOTE: If external logging has not been configured for the WAF, then the log mes-
sages will appear in the local log buffer of the ACOS device.
Learning
The commands in this section use Learning Mode to dynamically set some WAF options based on traffic.
NOTE: This example assumes that the VIP using the WAF template is not yet receiv-
ing live traffic but is instead receiving known, valid traffic sent in order to pre-
set WAF parameters. The following caution explains why.
CAUTION: While Learning or Passive Mode is in operation, the WAF does not block any
traffic. Only Active Mode blocks traffic.
page 125 | ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016
A10 Thunder Series and AX Series
Learning
Generate Traffic
On a client device, the following requests are generated and sent to the HTTP virtual port:
curl -v http://20.20.25.130/tours/index.html
curl -v http://20.20.25.130/batblue.html
curl -v http://20.20.25.130/file_set/dir00000/about.html
This message indicates that the GET method was observed in the first request sent to the HTTP virtual port,
and that the Allowed HTTP Methods list was updated with the method.
ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016 | page 126
A10 Thunder Series and AX Series
Learning
Configuration Example
The following example outlines steps for customizing the URL Check in learning mode and enforcing the
check for your Web site.
1. The following commands set the WAF to learning mode and enable the URL Check option in the WAF
template:
ACOS(config)#waf template w1
page 127 | ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016
A10 Thunder Series and AX Series
Learning
ACOS(config-waf)#deploy-mode learning
Switching to learning mode will reset all WAF template parameters and may expose you to
attacks if done in a production environment.
Are you sure you wish to proceed? (N/Y): Y
ACOS(config-waf)#url-check
NOTE: In this example, the WAF template “w1” is bound to a virtual server with the
IP address 192.168.25.130.
2. Send secure traffic from a client. In this example, traffic from the client is sent to the following addresses:
http://192.168.25.130/tours/index.html
http://192.168.25.130/batblue.html
http://192.168.25.130/file_set/dir00000/about.html
3. Check the logs on the external log server. The log should contain a message such as the following, for
each URL path requested:
Mar 24 16:34:40 CEF: 1|A10|AX3030|4.1.0|WAF|Mar 24 2016 15:46:12|session-
id|2|src=172.17.3.100 spt=55150 dst=172.17.3.61 dpt=8080 hst="172.17.3.61:8080"
cs1=waf-url-check cs2=90f0c225f82e4cb8 act=learn md=passive svc=http req="GET /foooo/
rest/upload/aaa.txt HTTP/1.1" 0 msg="New session created: Id=90f0c225f82e4cb8"
4. The log will contain similar messages for each URL path clients are allowed to access. The following com-
mands verify that the URL Check policy file is created and display the contents of the file:
ACOS(config-waf)#show waf policy
Total WAF policy number: 14
Max WAF policy file size: 32K
Name Syntax Template
------------------------------------------------------------------------
_w1_url_check_ Check Bind
allowed_resp_codes Check Bind
bot_defs Check Bind
jscript_defs Check Bind
...
In WAF Template:
w1 (for url-check)
Content:
Matches Value
--------------------------------------------------------------------------
1 /tours/
1 /batblue.html
1 /file_set/dir00000/
ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016 | page 128
A10 Thunder Series and AX Series
Response Header Filtering
5. Change the WAF deployment mode. (See “Save Template Settings” on page 129.) When you change the
deployment mode from Learning Mode, ACOS writes the observed URL paths into a policy file. The URL
Check will start operating.
ACOS(config-waf)#waf template w1
ACOS(config-waf)#deploy-mode active
NOTE: In Passive Mode, requests for other URL paths still are allowed, but they are
logged. The URL path list is enforced only while the URL Check is enabled
and the WAF template is in Active Mode.
6. Optionally, edit the contents of the URL Check policy file to explicitly define acceptable URI paths.
NOTE: The contents of the URL Check policy file are first generated in Learning
Mode. After which you can remove or define additional URL paths in the pol-
icy file. You cannot create the URL Check policy file without first deploying a
WAF template in Learning Mode with the URL Check enabled.
ACOS(config-waf)#deploy-mode passive
In Passive Mode, WAF checks are performed but the filter actions are not applied. Requests to the HTTP vir-
tual port are logged but are sent to the server without being altered. (For more information, see “WAF Oper-
ational Modes” on page 49.)
Here is an example of header fields in the HTTP response from a server. The fields shown in bold provide
information about the server OS.
page 129 | ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016
A10 Thunder Series and AX Series
Response Header Filtering
Here is the same excerpt from the server response, with the OS-identifying headers removed:
The response received by the client does not contain the OS-identifying headers.
ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016 | page 130
A10 Thunder Series and AX Series
SQLIA Check
SQLIA Check
The SQLIA Check protects against SQL commands hidden in requests sent to database servers. The check
looks for SQL code in form arguments, URLs, and cookies. In general, these places are not supposed to con-
tain SQL code.
page 131 | ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016
A10 Thunder Series and AX Series
Cross-site Scripting Check
Since the reject option is used in the configuration, a Deny page such as the one in “Deny page” on
page 132 is sent to the client.
ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016 | page 132
A10 Thunder Series and AX Series
Cookie Encryption
Cookie Encryption
Cookie Encryption protects against cookie tampering by encrypting cookies before sending server replies
to clients.
You can enable encryption based on specific cookie names or for all cookies that match a PCRE expression.
The encryption uses a secret string to decrypt and encrypt cookies that are transferred between the Web
server and client.
The following commands access the configuration level for WAF template “resetti” and configure encryption
for all cookies containing “hiddencookie” in the name:
The secret value “r0cc0” is used for encryption. To view the encrypted value created by the WAF and used in
responses, display the configuration:
NOTE: Do not enter the secret-encrypted option when configuring this check.
This option is placed into the configuration by the WAF to indicate that the
string is the encrypted form.
page 133 | ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016
A10 Thunder Series and AX Series
Cookie Encryption
ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016 | page 134
A10 Thunder Series and AX Series
WAF templates allow you to easily enforce the following security filters.
NOTE: This table is a reference. For configuration procedures, see either of the fol-
lowing:
page 135 | ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016
A10 Thunder Series and AX Series
GUI:
Security > WAF > WAF Templates > Create, and
then select the Logging Template drop-down.
Request Checks
URI White List Enforces the rules contained within a WAF policy Name of a WAF policy file
file for the URI White List. For more information Default: uri_wlist_defs
about URI White Lists, see “URI White List” on
page 110.
[no] uri-wlist-check file-name
GUI:
Security > WAF > WAF Templates > Create, and
then select the HTTP Requests Check tab, and
select the checkbox for URI White List Check.
ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016 | page 136
A10 Thunder Series and AX Series
Deny Action WAF response sent to the client if traffic is denied One of the following:
by the WAF template.
• http-resp-403 – Sends a 403 Forbidden
[no] deny-action options response to the client. The default string
resp-string returns a generic “Request Denied!”
page to the client.
GUI:
• http-resp-200 – Sends a 200 OK
Security > WAF > WAF Templates > Create, and response to the client with the specified
then select the General tab, and select the Deny resp-string. The default string returns a
Action drop-down. generic “Request Denied!” page to the
client.
• http-redirect – Redirects the client to the
specified URL.
• reset-conn – Sends a TCP RST to the cli-
ent to end the connection.
Default: http-resp-403
Allowed HTTP Checks requests to ensure they contain only the Valid HTTP method names:
Methods HTTP methods that are allowed by this option.
• GET
[no] allowed-http-methods • POST
method-name
• HEAD
• PUT
GUI:
• OPTIONS
Security > WAF > WAF Templates > Create, and • DELETE
then select the HTTP Request Checks tab, and in
the Allowed HTTP Methods field, click the desired • TRACE
methods to highlight them. • CONNECT
• PURGE
Default: GET, POST
page 137 | ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016
A10 Thunder Series and AX Series
ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016 | page 138
A10 Thunder Series and AX Series
page 139 | ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016
A10 Thunder Series and AX Series
Form Checks that user input to form fields is consistent Enabled or Disabled
Consistency with the intended format.
Default: Disabled
Check
[no] form-consistency-check
GUI:
Security > WAF > WAF Templates > Create, and
select the Form Checks tab. Then select the check-
box for Form Consistency Check.
HTTP Check Checks that user requests are compliant with Enabled or Disabled
HTTP protocols.
Default: Disabled
[no] http-check
GUI:
Security > WAF > WAF Templates > Create, and
then select the HTTP Request Checks tab. Then
select the checkbox for HTTP Check.
Session Check Checks that user requests match a unique session 1-1440
ID created for them.
Default: 10
[no] session-check [secs]
GUI:
Security > WAF > WAF Templates > Create, and
then select the Session Checks tab. Then select
the checkbox for Session Check, and from the
Session Check Lifetime field that appears, enter
the session lifetime in minutes.
ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016 | page 140
A10 Thunder Series and AX Series
page 141 | ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016
A10 Thunder Series and AX Series
SQL Injection Checks for SQL strings to protect against SQL One of the following:
Attack (SQLIA) injection attacks. This check uses the list of
• Reject
Check defined SQL commands in the “sqlia_defs” WAF
policy file. See “SQL Injection Attack Check” on • Disabled
page 108. • Sanitize
[no] sqlia-check Definition – Name of a configured WAF pol-
{reject | sanitize} icy file
GUI: Default: Disabled
Security > WAF > WAF Templates > Create, and
then select the Injection Checks tab. Then select
the Sanitize or Reject radio button.
ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016 | page 142
A10 Thunder Series and AX Series
URL Check Select this option to prevent users from accessing Enabled or Disabled
the URLs of your website directly. The URL Check
Default: Disabled
allows users to only access Web pages by clicking
a hyperlink on your protected Web site.
Note: In the current release, the approved URL
path list for the URL Check can be configured only
using Learning Mode. For a deployment example
that includes configuration of the URL Check, see
“Generate Allowed URL Paths for the URL Check”
on page 127.
[no] url-check
GUI:
Security > WAF > WAF Templates > Create, and
then select the HTTP Request Checks tab. Then
select the checkbox for URL Check.
page 143 | ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016
A10 Thunder Series and AX Series
Response Checks
CCN Mask Replaces all but the last four digits of credit card Enabled or Disabled
numbers with an “x” character.
Default: Disabled
[no] ccn-mask
GUI:
Security > WAF > WAF Templates > Create, and
then select the Content Filter Checks tab, and
select the CCN Mask checkbox.
SSN Mask Replaces all but the last four digits of US Social Enabled or Disabled
Security numbers with an “x” character. Default: Disabled
[no] ssn-mask
GUI:
Security > WAF > WAF Templates > Create, and
then select the Content Filter Checks tab, and
select the SSN Mask checkbox.
ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016 | page 144
A10 Thunder Series and AX Series
Hide Response “Cloaks” your Web servers by hiding response Enabled or Disabled
Codes codes from them instead of forwarding them to
Default: Disabled
the client.
Definition – Name of a configured WAF pol-
[no] hide-resp-codes
icy file
waf-policy-file-name
If disabled, the default policy file
GUI:
is “allowed_resp_codes”
Security > WAF > WAF Templates > Create, and
then select the Server Filter Checks tab, and
select the Hide Response Codes checkbox.
page 145 | ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016
A10 Thunder Series and AX Series
Cookie Encryp- Uses the specified Secret string to encrypt and Cookie Name – String or PCRE expression
tion Secret decrypt cookies in server to client communication.
Cookie Encryption Secret – String
For Cookie Name, you can enter the name of a
specific cookie as a string, or a PCRE expression to Default: Not set
encrypt all cookies which match the expression.
[no] cookie-encrypt
{cookie-name | pcre-pattern}
GUI:
Security > WAF > WAF Templates > Create, and
then select the Cookie Encryption Checks tab.
ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016 | page 146
WAF CLI Command Reference
This chapter lists the CLI commands for WAF. The commands are organized into the following section:
• waf template
page 147 | ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016
A10 Thunder Series and AX Series
WAF Template Commands
waf template
Description Configure a WAF template.
Parameter Description
template-name Name of the template.
This command changes the CLI to the configuration level for the specified WAF
template, where the following commands are available.
Command Description
[no] Specifies the HTTP methods that requests are allowed to contain.
allowed-http-methods
method-list For example, method list:
allowed-http-methods “GET POST”
Default methods are GET and POST, but you can specify the following:
• GET
• POST
• HEAD
• PUT
• OPTIONS
• TRACE
• CONNECT
• DELETE
• PURGE
• PROPFIND
• PROPPATCH
• MKCOL
• COPY
• MOVE
• LOCK
• UNLOCK
[no] bot-check Checks user requests for bot activity. This check uses the specified WAF policy
waf-policy file for a list of search terms. For more information see, “Bot Check” on
page 108.
By default, bot-checks are disabled.
ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016 | page 148
A10 Thunder Series and AX Series
WAF Template Commands
Command Description
[no] brute-force option Configure protection against brute-force attacks. The sub-options for this
command can include the following:
• challenge-limit num – Specify the maximum number of triggers that
can occur within the test period. If this limit is breached, then the WAF initi-
ates all of the configured challenge-actions against the client.
Setting this field to zero disables the feature and the challenge will never
be sent. You can set a value from 0-65535. The default is 2.
• global – When enabled, this option will cause the WAF to maintain a single
counter for all clients, as opposed to having a separate counter for each cli-
ent. When enabled, all clients will be locked out for the configured lock-
out-period once the lockout-limit is reached. Similarly, all responses will
include a challenge once the challenge-limit is reached. This default is
disabled.
• lockout-limit – This options sets the maximum number of brute-force
events (or triggers) that can occur within the test period. If the limit is
exceeded, then the WAF will deny all future requests from this client.
You can set a value from 0-65535. The default is 5.
If the lockout limit is set to zero, then clients will never be locked out.
The lockout-limit is a learned parameter, so it will be set to the maximum
number of triggers within a test period seen during learning mode.
• lockout-period – This option sets the number of seconds that a client
should be locked out. You can set a value from 0-1800. The default is 600.
• resp-codes name – This option triggers a brute-force check based on the
HTTP response code. Specify the name of the WAF policy that will be used to
define which response codes will trigger brute force checking. You must
configure this policy file prior to setting this parameter, and it must contain
a set of regular expressions that will be matched against the response
status-code.
• resp-headers name– This option triggers a brute-force check based on
the HTTP response header names. Specify the name of the WAF policy that
will be used to define which response headers will trigger brute force check-
ing. You must configure this policy file prior to setting this parameter, and it
must contain a set of regular expressions that will be matched against the
response header names.
• resp-string name – This option triggers a brute-force check based on
the HTTP response string. Specify the name of the WAF policy that will be
used to define which response line messages will trigger brute force check-
ing. You must configure this policy file prior to setting this parameter, and it
must contain a set of regular expressions that will be matched against the
response line messages. This default is disabled.
• test-period – This option sets the number of seconds between clearing
of the brute-force counters. The range is 0-600. Default is 60.
[no] brute-force-check Enable brute force attack mitigation checks for this template. This option is dis-
abled by default.
page 149 | ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016
A10 Thunder Series and AX Series
WAF Template Commands
Command Description
[no] buf-ovf option Checks for attempts to cause a buffer overflow on the Web server. Can include
the following sub-options:
• disable – Disables buffer overflow protection. Default is Enabled.
• max-cookie-len bytes – Sets the maximum length for cookies allowed
in a request. Default is 4096.
• max-cookie-name-len bytes – Sets the maximum length for cookie
names allowed in a request. Default is 64.
• max-cookie-value-len bytes – Sets the maximum length for cookie
values allowed in a request. Default is 4096.
• max-cookies-len – Sets the maximum total length for cookies in a
request. The default value is 4096.
• max-data-parse – Sets the maximum data parsed for internal HTTP data
tests (XML, WAF, Forms). The request will not be rejected when the limit is
reached. The range is 0-262144. The default value is 65536.
• max-hdr-name-len bytes – Sets the maximum header name length for
headers allowed in requests.
• max-hdr-value-len bytes – Sets the maximum header value length for
headers allowed in requests.
• max-hdrs-len bytes – Sets the maximum header length for headers
allowed in requests.
• max-line-len bytes – Sets the maximum line length allowed in a
request. You can specify 0-16127. The default is 1024.
• max-parameter-name-len – Sets the maximum parameter name length
allowed in an HTTP request. You can specify 0-512. The default is 256.
• max-parameter-total-len – Sets the maximum parameter total length
allowed in an HTTP request. You can specify 0-10752. The default is 4096.
• max-parameter-value-len – Sets the maximum parameter value length
allowed in an HTTP request. You can specify 0-10240. The default is 4096.
• max-post-size bytes – Sets the maximum content length allowed in
HTTP POST requests. The default is 20480.
• max-query-len bytes – Sets the maximum query length allowed in a
request. The default is 1024.
• max-url-len bytes – Sets the maximum URL length allowed in requests.
The default is 1024.
[no] ccn-mask Replaces all but the last four digits of credit card numbers with “x” characters.
The default is disabled.
ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016 | page 150
A10 Thunder Series and AX Series
WAF Template Commands
Command Description
[no] challenge-actions The action to be taken to determine if a client is automated. Can include the
options following options:
If one or more of the challenge-limit triggers occurs within the test period,
then the WAF will initiate one or more of the configured challenge-actions
below:
• captcha – CLI option is not supported in ACOS 4.1.1.
• cookie – Use Set-Cookie to determine if the client allows cookies.
This option enabled cookie-based challenges to verify whether the client
will honor the “Set-Cookie requests”. Presence of this cookie will disable
brute-force checking.
• javascript – This option will insert a block of Javascript into HTML
responses that will insert a cookie if the client contains an input device.
Presence of this cookie will disable brute-force checking.
[no] cookie-encrypt Encrypts the specified cookie using the specified secret value. The cookie-
cookie-name name can be the name of a specific cookie or a PCRE pattern (see “Writing PCRE
secret-value Expressions” on page 113). The default is disabled.
NOTE: Do not enter the secret-encrypted option when configuring this
check. This option is placed into the configuration by the WAF to indicate that
the string is the encrypted form.
[no] csrf-check Tags fields of a web form to protect against Cross-site Request Forgery (CSRF).
The default is disabled.
[no] deny-action options Specifies the action performed by the WAF after a client request is denied:
resp-string
• http-resp-403 {default | resp-string} – Sends a 403 Forbid-
den response to the client. The default string returns a generic “Request
Denied!” page to the client. (Default)
• http-resp-200 {default | resp-string} – Sends a 200 OK
response to the client with the specified resp-string. The default string
returns a generic “Request Denied!” page to the client.
• http-redirect url-string – Sends a 302 Found redirection
address to the client with the URL specified in the url-string.
• reset-conn – Terminates the client connection.
[no] Prevents “should surfing” by denying the web server’s attempt to send a form
deny-non-masked-passwords through the WAF unless the field type for the password field has been set to
“password”.
(For more information, see “Deny Unmasked Passwords” on page 20.)
[no] Denies user passwords that are sent over a non-encrypted connection. If the
deny-non-ssl-passwords connection between the client and the WAF is secured with SSL/TLS, then the
user password is allowed, but if the client attempts to submit to a form field
where “input type=password”, and if the connection is not encrypted with SSL/
TLS, then the WAF blocks the transmission. The feature is disabled by default,
meaning that forms not using the SSL/TLS protocol will not be denied.
(For more information, see “Deny Passwords Sent Over an Unencrypted Con-
nection” on page 21.)
page 151 | ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016
A10 Thunder Series and AX Series
WAF Template Commands
Command Description
[no] Denies web server attempts to transmit the form if one of the form fields type
deny-password-autocomplete is set to “password” and if the “autocomplete=on/off” attribute is set to “on”.
Enabling this option blocks browser “autocomplete” behavior. Although con-
venient for users, password auto-completion weakens security by allowing
browsers to store user passwords in order to later guess the user’s password
for some websites.
(For more information, see “Deny Passwords if Autocomplete is Enabled” on
page 21.)
[no] deploy-mode option Sets the operational mode for the WAF template.
• active – Standard operational mode. You must use Active Mode if you
want the WAF to sanitize or drop traffic based on the configured WAF poli-
cies. (Default)
• learning – Provides a way to initially set the thresholds for certain WAF
checks based on known, valid traffic.
• passive – Provides passive WAF operation. All enabled WAF checks are
applied, but no WAF action is performed upon matching traffic. This mode is
useful in staging environments to identify false positives for filtering.
(For more information, see “WAF Operational Modes” on page 49.)
[no] filter-resp-hdrs Removes the Web server’s identifying headers in responses.
The default is disabled.
[no] Verifies that user input to form fields is consistent with the intended format.
form-consistency-check
The default is disabled.
[no] form-deny-non-post Denies HTTP requests containing forms if the method used is anything other
than POST.
The feature is disabled by default, meaning that forms not using POST will not
be denied.
[no] form-deny-non-ssl Denies HTTP requests containing forms if the transmission protocol
used is anything other than SSL (TLS). This option is disabled by default,
meaning that forms not using the SSL/TLS protocol will not be denied.
[no] form-set-no-cache This option adds “no-cache directives” if the HTTP response contains
<form> tags. The feature is disabled by default, and the “no-cache”
behavior is enforced by adding the following headers:
ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016 | page 152
A10 Thunder Series and AX Series
WAF Template Commands
Command Description
[no] json-limit Enforces parsing limits in order to protect backend servers against various
types of denial-of-service (DoS) attacks, which are designed to exhaust system
memory or CPU resources.
Various limits can be set, including:
• max-array-value-count num – Limits the maximum number of values
within a single array from 0–4096. Default is 256.
• max-depth number – Limits the maximum depth in a JSON value to a
maximum recursion depth ranging from 0–4096. Default is 16.
• max-object-member-count number – Limits the number of members
allowed in a JSON object. Range is 0–4096. Default is 64.
• max-string number – Limits the length of a string (in bytes) in a JSON
request for a name or a value. Range is 0–4096. Default is 64.
[no] log-succ-reqs Enabling this option creates a log debug message on the successful comple-
tion of WAF requests, and not just for errors.
[no] max-cookies num Specifies the maximum number of cookies allowed in a request. You can spec-
ify 0-63.
The default value is 20.
[no] max-entities num Specifies the maximum number of MIME entities allowed in a request. You can
specify 0–512.
The default value is 10.
[no] max-hdrs num Specifies the maximum number of headers allowed in a request. You can spec-
ify 0–255.
The default value is 20.
[no] max-parameters num Specifies the maximum number of parameters allowed in a request. You can
specify 0–1024.
The default value is 64.
[no] pcre-mask options Masks patterns in a response that match the specified PCRE pattern.
pcre-pattern
• keep-end num-length – Specifies the number of unmasked characters
at the end of the string. The default is 0.
• keep-start num-length – Sets the number of unmasked characters at
the beginning of the string. The default is 0.
• mask character – Selects a character to mask the matched pattern of a
string. The default is x.
[no] redirect-wlist Enables protection against unvalidated redirects, which can occur if a hacker
uses social networking to trick unsuspecting users into clicking on a malicious
hyperlink. When enabled, the WAF pre-learns a white-list of acceptable loca-
tions to which users can safely be redirected. If one of the web servers gets
hacked and attempts to redirect a user to a location that does not appear in
the redirect white-list, then the WAF blocks the redirect.
The WAF must be deployed in Learning Mode when the redirect-wlist CLI
command is used for the first time so the list of acceptable locations can be
built up.
See “Open Redirect Mitigation” on page 22 for details.
page 153 | ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016
A10 Thunder Series and AX Series
WAF Template Commands
Command Description
[no] referer-check option Validates that the referer header in a request contains Web form data from the
specified Web server, rather than from an outside Web site. This check protects
against CSRF attacks. The feature is disabled by default.
• enable safe-referer-domain safe-url – Always validates the referer
header. If selected, the request fails the check if there is no referer header or
if the referer header is invalid.
• only-if-present safe-referer-domain safe-url – Validates the
referer header only if a referer header exists. If the check finds an invalid ref-
erer header, the request fails the check. However, the request does not fail
the check if there is no referer header in the request.
[no] session-check [secs] Enable cookie-based session tracking for WAF sessions.
With this option enabled, the WAF uses a cookie to track user sessions. When a
request is received from a client for the first time, ACOS creates a unique ID for
the session, stores it in a table, and inserts the ID into a cookie that is returned
to the client.
Subsequent requests from this client are validated against the session ID. If the
session ID does not match the saved ID, or if the ID is coming from a different IP
address than that of the original client, then the request is rejected.
The session cookie is named “awaf-sid”, and it is inserted into the header of the
response sent by the server.
The header appears in the following format:
Set-Cookie: awaf-sid=<session-id>; path=/' max-age=<session-lifetime>
The feature is disabled by default. When enabled, the default lifetime for the
session ID is 600 seconds, but you can enter a range from 1 - 86400 seconds (24
hours).
[no] soap-format-check Check the XML document for SOAP format compliance.
For more information, see “SOAP Format Checks” on page 33.
[no] sqlia-check option The feature is disabled by default, but when enabled, it checks for SQL strings
to protect against SQL injection attacks.
• reject – Denies the request.
• sanitize – Removes suspected SQL injection scripts from requests.
[no] ssn-mask Scans content for strings that resemble US Social Security numbers and
replaces all but the last four characters of the string with “x” characters. The
feature is disabled by default.
[no] template logging Applies a configured logging template to the WAF template. The default is not
template-name set.
[no] uri-blist-check Enforces the rules contained within a WAF policy file for the URI Black List. The
file-name default is “uri_blist_defs” policy file.
For more information see, “URI Black List” on page 109.
[no] uri-wlist-check Enforces the rules contained within a WAF policy file for the URI White List. The
file-name default is “uri_wlist_defs” policy file.
For more information, see “URI White List” on page 110.
ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016 | page 154
A10 Thunder Series and AX Series
WAF Template Commands
Command Description
[no] url-check Enables the URL Check. This check allows users to access Web pages by click-
ing hyperlinks within the Web site only and does not allow users to access the
URLs of a Web site directly.
An approved list of URL paths can be initially configured only when the WAF is
deployed in Learning Mode. For a deployment example that includes configu-
ration of the URL Check, see “Generate Allowed URL Paths for the URL Check”
on page 127.
The feature is disabled by default.
[no] url-options options Use this command to normalize request URLs. This helps shorten the URLs and
prevent buffer overflows from length URLs.
• decode-entities – Decode entities, such as <, in an internal URL.
• decode-escaped-chars – Decode escaped chars, such as \r or \n, in an
internal URL.
• decode-hex-chars – Decode hexadecimal characters, such as \%xx and
\%u00yy, in an internal URL.
• remove-comments – Remove comments from an internal URL.
• remove-selfref – Remove self-references, such as /./ and /path/../, from
an internal URL.
• remove-spaces – Remove spaces from an internal URL.
[no] xml-format-check Checks the HTTP body for XML format compliance.
For more information, see “XML Format Checks” on page 27.
[no] xml-limit Checks for XML parsing limits.
For more information, see “XML Limit Checks” on page 29.
[no] xml-sqlia-check Check XML data against the selected SQLIA policy.
For more information, see “XML SQL Injection Checks” on page 32.
[no] xml-validation Checks for XML content validation.
For more information, see “XML Validation Checks” on page 27.
[no] xml-xss-check Check XML data against the specified XSS policy.
For more information, see “XML Cross-Site Scripting Checks” on page 31.
[no] xss-check option The feature is disabled by default, but when enabled, it checks for potential
HTML XSS scripts to protect against cross-site scripting attacks.
• reject – Rejects requests with XSS patterns.
• sanitize – Removes suspected cross-site scripts from requests.
page 155 | ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016
A10 Thunder Series and AX Series
WAF Template Commands
Command Description
virtual-server-name Name of the virtual server.
portnum Virtual port number.
Default N/A
Mode All
ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016 | page 156
A10 Thunder Series and AX Series
WAF Template Commands
ACOS#show waf
Total
---------------------------------------------------------------
Requests 5666
Requests allowed 295630
Requests denied 3995
Responses denied 0
Session Check
- Success 0
- Failed 1
- None 73
Bad Bot Check
- Success 0
- Failed 0
Buffer Overflow Check
- URL too long 57
- Request line too long 18
- Query too long 0
- Cookie too long 0
- Total Cookies too long 0
- Cookie Name too long 0
- Cookie Value too long 0
- Headers too long 117
- Header Name too long 3
- Header Value too long 2460
- POST body too long 256
- Parameter name too long 0
- Parameter value too long 0
- Parameter total too long 0
- Too much data to parse 53
- Too many parameters 0
- Too many cookies 18
- Too many headers 1
- Too many MIME entities 18
Allowed HTTP Methods Check
- Success 299662
- Failed 13
HTTP Protocol Check
- Success 53
- Failed 44
Referer Check
- Success 51
page 157 | ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016
A10 Thunder Series and AX Series
WAF Template Commands
- Failed 17
- No Referer (Redirect) 51
URI Whitelist Check
- Success (Match) 36
- Failed 18
URI Blacklist Check
- Success 35
- Failed (Match) 36
URL Check
- Learned 0
- Success 54
- Failed 126
Form Consistency Check
- Success 0
- Failed 0
Form CSRF Tag Check
- Success 0
- Failed 0
CCN Mask
- Amex 0
- Diners 0
- Visa 0
- MasterCard 0
- Discover 0
- JCB 0
SSN Mask
- US SSN's masked 0
PCRE Mask
- PCRE's masked 0
Cookie Encryption
- Encrypt Success 0
- Encrypt Failed 0
- Encrypt Limit Exceeded 0
- Encrypt Skipped 0
- Decrypt Success 0
- Decrypt Failed 0
SQLIA Check
- URL Success 54
- URL Sanitized 72
- URL Rejected 36
- POST Success 0
- POST Sanitized 0
- POST Rejected 0
- XML Success 72
ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016 | page 158
A10 Thunder Series and AX Series
WAF Template Commands
- XML Failed 36
XSS Check
- Cookie Success 0
- Cookie Sanitized 0
- Cookie Rejected 0
- URL Success 18
- URL Sanitized 0
- URL Rejected 18
- POST Success 36
- POST Sanitized 18
- POST Rejected 18
- XML Success 36
- XML Failed 36
JSON Format Check
- Parse Success 882
- Parse Failure 630
- too many array values 0
- nested too deep 0
- too many object members 0
- string too long 18
XML Format Check
- Parse Success 306
- Parse Failure 252
- too many attributes 0
- attribute name too long 0
- attribute value too long 0
- CDATA field too long 18
- too many elements 0
- too many children 18
- elements nested too deep 0
- element name too long 0
- too many entity expansions 0
- entity expansions nested too deep 36
- too many namespaces 0
- namespace URI too long 0
- XML Schema success 18
- XML Schema failure 0
SOAP Format Check
- Parse Success 0
- Parse Failure 0
- WSDL Success 0
- WSDL Failure 0
Password Security Check
- Non masked passwords Rejected 0
page 159 | ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016
A10 Thunder Series and AX Series
WAF Template Commands
The number at the top of the output (vip1 80 in this example) indicates the name of the virtual server and
port number. Table 10 describes the rest of fields in the command output.
ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016 | page 160
A10 Thunder Series and AX Series
WAF Template Commands
page 161 | ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016
A10 Thunder Series and AX Series
WAF Template Commands
ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016 | page 162
A10 Thunder Series and AX Series
WAF Template Commands
page 163 | ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016
A10 Thunder Series and AX Series
WAF Template Commands
ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016 | page 164
A10 Thunder Series and AX Series
WAF Template Commands
page 165 | ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016
A10 Thunder Series and AX Series
WAF Template Commands
Command Description
virtual-server-name Name of the virtual server.
portnum Virtual port number.
Default N/A
ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016 | page 166
A10 Thunder Series and AX Series
WAF File Management Commands
Parameter Description
file-name Name of a configured WAF policy file.
page 167 | ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016
A10 Thunder Series and AX Series
WAF File Management Commands
Parameter Description
source-name Name of a configured WAF policy file.
destination-name Name of the new, copied WAF policy file.
Default N/A
Replace file-name with the name of the WAF policy file to be deleted.
Default N/A
ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016 | page 168
A10 Thunder Series and AX Series
WAF File Management Commands
Replace file-name with the name of the WAF policy file to be modified, or an un-
used name to create a new file.
Default N/A
Usage Editing the default WAF policy files is not allowed. However, you can copy a
default WAF policy file and customize its contents to fit your specific demands.
Default 32K
Parameter Description
source-name This is the old name of the WAF policy file.
destination-name This is the new name of the WAF policy file.
Default N/A
page 169 | ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016
A10 Thunder Series and AX Series
WAF File Management Commands
Parameter Description
file-name Name of a configured WSDL file.
Parameter Description
source-name Name of a configured WAF WSDL file.
destination-name Name of the new, copied WAF WSDL file.
Default N/A
Replace file-name with the name of the WAF WSDL file to be deleted.
Default N/A
ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016 | page 170
A10 Thunder Series and AX Series
WAF File Management Commands
Replace file-name with the name of the WAF WSDL file to be modified, or an un-
used name to create a new file.
Default N/A
Default 32K
Parameter Description
source-name This is the old name of the WAF WSDL file.
destination-name This is the new name of the WAF WSDL file.
Default N/A
page 171 | ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016
A10 Thunder Series and AX Series
WAF File Management Commands
Parameter Description
file-name Name of a configured WSDL file.
Parameter Description
source-name Name of a configured WAF XML-Schema file.
destination-name Name of the new, copied WAF XML-Schema file.
Default N/A
Replace file-name with the name of the WAF XML-Schema file to be deleted.
Default N/A
ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016 | page 172
A10 Thunder Series and AX Series
WAF File Management Commands
Replace file-name with the name of the WAF XML-Schema file to be modified, or
an un-used name to create a new file.
Default N/A
Default 32K
Parameter Description
source-name This is the old name of the WAF XML-Schema file.
destination-name This is the new name of the WAF XML-Schema file.
Default N/A
page 173 | ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016
A10 Thunder Series and AX Series
WAF File Management Commands
Parameter Description
def-file-name Returns a list of WAF policy files with names that partially
match the specified string.
all-partitions Returns a list of WAF policy files for all partitions.
partition {shared | Returns a list of WAF policy files for the shared partition
partition-name} or the specified private partition.
Default N/A
Mode All
Example The following command lists all WAF policy files, for all partitions:
ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016 | page 174
A10 Thunder Series and AX Series
page 175 | ACOS 4.1.1-P1 Web Application Firewall Guide - 22 November 2016
1