Web Application Firewall Guide: Document Version 10.04.4.0028 - 08/10/2013

Download as pdf or txt
Download as pdf or txt
You are on page 1of 49

Web Application

Version 10
Firewall Guide

Document Version 10.04.4.0028 - 08/10/2013


Cyberoam Web Application Firewall Guide

Important Notice
Cyberoam Technologies Pvt. Ltd. has supplied this Information believing it to be accurate and reliable at the time of printing, but
is presented without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any
products. Cyberoam Technologies Pvt. Ltd. assumes no responsibility for any errors that may appear in this document.
Cyberoam Technologies Pvt. Ltd. reserves the right, without notice to make changes in product design or specifications.
Information is subject to change without notice.

USER’S LICENSE
Use of this product and document is subject to acceptance of the terms and conditions of Cyberoam End User License
Agreement (EULA) and Warranty Policy for Cyberoam UTM Appliances.

You will find the copy of the EULA at http://www.cyberoam.com/documents/EULA.html and the Warranty Policy for
Cyberoam UTM Appliances at http://kb.cyberoam.com .

RESTRICTED RIGHTS
Copyright 1999 - 2013 Cyberoam Technologies Pvt. Ltd. All rights reserved. Cyberoam, Cyberoam logo are trademark of
Cyberoam Technologies Pvt. Ltd.

Corporate Headquarters
Cyberoam Technologies Pvt. Ltd.
901, Silicon Tower, Off. C.G. Road,
Ahmedabad – 380006, INDIA
Phone: +91-79-66065606
Fax: +91-79-26407640
Web site: www.cyberoam.com

2/49
Cyberoam Web Application Firewall Guide

Contents

Introduction .................................................................................................................... 7
Terminologies Used ................................................................................................................... 8
Defacement ............................................................................................................................. 8
Buffer Overflow ........................................................................................................................ 8
URL Parameter Tampering ..................................................................................................... 8
Cookie Tampering/poisoning ................................................................................................... 8
SQL Injection ........................................................................................................................... 8
Cross Site Scripting ................................................................................................................. 8
Cross-Site Request Forgery .................................................................................................... 9
Session tampering/hijacking/riding .......................................................................................... 9
Forceful browsing .................................................................................................................... 9

Need of WAF ............................................................................................................................. 10

Cyberoamm WAF ...................................................................................................................... 12


Core Concepts and Technologies ......................................................................................... 13
How Cyberoam WAF works .................................................................................................. 14

Deployment Modes ................................................................................................................... 18


1. Server Hosted on Public IP Address ........................................................................... 18
2. Server Hosted on Private IP Address .......................................................................... 19

Configure WAF .......................................................................................................................... 20


Web Servers .......................................................................................................................... 20
Exception ............................................................................................................................... 33
Global Settings ...................................................................................................................... 41
Alerts...................................................................................................................................... 43

3/49
Cyberoam Web Application Firewall Guide

Preface
Welcome to Cyberoam‘s – Web Application Firewall Guide.

Cyberoam Unified Threat Management appliances offer identity-based comprehensive security to


organizations against blended threats - worms, viruses, malware, data loss, identity theft; threats
over applications viz. Instant Messengers; threats over secure protocols viz. HTTPS; and more.
They also offer wireless security (WLAN) and 3G wireless broadband and analog modem support
can be used as either Active or Backup WAN connection for business continuity.

Cyberoam integrates features like stateful inspection firewall, VPN, Gateway Anti-Virus and Anti-
Spyware, Gateway Anti-Spam, Intrusion Prevention System, Content & Application Filtering, Web
Application Filtering, Data Leakage Prevention, IM Management and Control, Layer 7 visibility,
Bandwidth Management, Multiple Link Management, Comprehensive Reporting over a single
platform.

Cyberoam has enhanced security by adding an 8th layer (User Identity) to the protocol stack.
Advanced inspection provides L8 user-identity and L7 application detail in classifying traffic,
enabling Administrators to apply access and bandwidth policies far beyond the controls that
traditional UTMs support. It thus offers security to organizations across layer 2 - layer 8, without
compromising productivity and connectivity.

Cyberoam UTM appliances accelerate unified security by enabling single-point control of all its
security features through a Web 2.0-based GUI. An extensible architecture and an ‗IPv6 Ready‘
Gold logo provide Cyberoam the readiness to deliver on future security requirements.

Cyberoam provides increased LAN security by providing separate port for connecting to the publicly
accessible servers like Web server, Mail server, FTP server etc. hosted in DMZ which are visible to
the external world and still have firewall protection.

Note

 Default Web Admin Console username is ‗admin‘ and password is ‗admin‘


 Cyberoam recommends that you change the default password immediately after installation to
avoid unauthorized access.

4/49
Cyberoam Web Application Firewall Guide

Typographic Conventions
Material in this manual is presented in text, screen displays, or command-line notation.

Item Convention Example


Server Machine where Cyberoam Software - Server component is
installed
Client Machine where Cyberoam Software - Client component is
installed
User The end user
Username Username uniquely identifies the user of the system
Part titles Bold and

Report
shaded font
typefaces

Topic titles Shaded font

Introduction
typefaces

Subtitles Bold & Black


typefaces Notation conventions

Navigation link Bold typeface System  Administration  Appliance Access


it means, to open the required page click on System then on
Administration and finally click Appliance Access

Name of a Lowercase Enter policy name, replace policy name with the specific
particular italic type name of a policy
parameter / Or
field / command Click Name to select where Name denotes command button
button text text which is to be clicked
Cross Hyperlink in Refer to Customizing User database Clicking on the link will
references different color open the particular topic
Notes & points Bold typeface
to remember between the
black borders Note
Prerequisites Bold typefaces
between the
black borders Prerequisite
Prerequisite details

5/49
Cyberoam Web Application Firewall Guide

Technical Support
You may direct all questions, comments, or requests concerning the software you purchased, your
registration status, or similar issues to Customer care/service department at the following address:

Corporate Office
Cyberoam Technologies Pvt. Ltd.
901, Silicon Tower
Off C.G. Road
Ahmedabad 380006
Gujarat, India.
Phone: +91-79-66065606
Fax: +91-79-26407640
Web site: www.cyberoam.com

Cyberoam contact:
Technical support (Corporate Office): +91-79-66065777
Email: [email protected]
Web site: www.cyberoam.com

Visit www.cyberoam.com for the regional and latest contact information.

6/49
Cyberoam Web Application Firewall Guide 1

PART
Introduction
Application Security is equivalent to preventing exception either in its security policy, or in the
underlying system vulnerabilities in its design, development, or deployment. The rapid growth in
technology has increased security threats concurrently. Automation lends sophistication to these
threats against the Web applications, thereby addressing the need of security during the
development. Developers write the Applications with an emphasis on time-to-market over security.
Thus, with constant time to market pressure, a highly vulnerable Web infrastructure environment is
created. Regardless of a carefully developed and audited application code, chances of
vulnerabilities in the application and the framework that it supports still exist. Integrating various
technologies to deploy complex architectures makes it susceptible to numerous vulnerabilities.

Such Applications are open to theft of intellectual property, resulting in business disruption, damage
of brand reputation thereby loosing the customer trust. These vulnerabilities prove to be fatal for
business directly affecting the revenue by endangering the sensitive data and critical business
operations. In many cases, application security is also a legal requirement—such as complying with
the PCI Data Security Standards, for example. Therefore, securing Web infrastructure of an
organization requires attention, through knowledge and awareness from various areas of IT
including the Web development, operations, infrastructure, and security teams.

Cyberoam‘s Web Application Firewall (WAF) aids in securing a Web application infrastructure.
Cyberoam WAF is an operational security control, monitoring the HTTP and HTTPS traffic and
protecting Web applications from attacks.

Note

All the screen shots in the Cyberoam User Guides have been taken from NG series of appliances. The
feature and functionalities however remains unchanged across all Cyberoam appliances.

Note

 WAF is an additional subscription based module.


 WAF feature is not available in CR15i, CR15wi, CR25ia, CR25wi, CR35ia, CR35wi CR15iNG and
CR15wiNG Cyberoam Appliances.
 HA failover and load balancing is not supported in WAF.

7/49
Cyberoam Web Application Firewall Guide

Terminologies Used
Defacement
Defacement, in Web site security terminology, describes a form of vandalism in which a Web site or
Web page is altered or marred by an unauthorized individual or process. Generally, it is done by
logging on administrator‘s account by means of SQL injections. The information on the Web site or
Web page is often replaced with undesirable information. This damages the reputation of the
organization, leaving Website‘s visitors with an impression that the Website may be insecure and
hence turn them off in order to protect its own property.

Buffer Overflow
Buffer overflow is the condition that occurs when the data transferred to a buffer via a program
exceeds the storage capacity of that buffer and overflows into adjacent or other buffers, corrupting
the data already contained in them.

Unauthorized users overwrite data that control the program execution by launching a buffer overflow
attack. They hijack and control the program to execute the malicious code instead of actual process
code.

URL Parameter Tampering


Parameter Tampering is a type of Web-based attack in which certain query string parameter values
of a Uniform Resource Locator (URL) sent to a Web site are altered in order to obtain unauthorized
information. By doing so, unauthorized users can access the database and retrieve and/or modify its
contents.

Cookie Tampering/poisoning
Cookie poisoning is modification of a cookie by an unauthorized person to gain access and control
of the data within a cookie for malicious motives like theft of bank account details, etc.

SQL Injection
A SQL injection attack is insertion or ―injection‖ of a malicious code (SQL query) in to user input
variables, which are coupled with SQL commands and executed. The attacker then forces database
to execute the harmful SQL code that could potentially ruin database tables or to retrieve valuable
information from database.

Cross Site Scripting


Cross-site scripting attacks are security vulnerability caused due to injection of malicious HTML tags
or client side scripting code into HTML form fields of a Web page. On execution, this malicious script
can access cookies, session tokens, or other sensitive information retained by the Web browser or
may modify the information of the Web page.

8/49
Cyberoam Web Application Firewall Guide

Cross-Site Request Forgery


A Cross-Site Request Forgery (CSRF) attack is the one in which a request by malicious Website is
sent to a Web application that a user is already authenticated against from a different Website.
CSRF takes advantage of the trust that a Website lays in a user‘s browser.

Session tampering/hijacking/riding
Session hijacking is a method that takes over a TCP session, which is still in progress between two
machines after obtaining or generating an authentication session ID and masquerading as the
authorized user.

Forceful browsing
Forced browsing is XSRF attack in which user without a prior knowledge is forced to browse a
content to gain access to resources, which are referenced yet are accessible. One of the methods
implemented to enforce this attack is by manipulating the URL of the Web page and deleting
sections from the end until an unprotected directory is found.

9/49
Cyberoam Web Application Firewall Guide

Need of WAF

Prior to touching the subject ―Need of WAF‖, it is vital to understand the basic difference between a
firewall, IPS/IDS, and a WAF. Each of them is a crucial security device, ensuring the protection of
organization‘s environment and sensitive data in diverse ways. A firewall generally, controls who
can access what data at which time. An IPS/IDS detect packets and validates them on the bases of
signatures that are often provided by vendors, blocking the invalid or malicious packets. A WAF,
besides inspecting the packet will also verify the full request and response at the Application Layer.

User interaction to a Web Application includes HTTP/HTTPS methods, URL‘s, session IDs, cookies,
etc. Intruders today, uses XSS, XRSF, SQL injection, session hijacking, buffer overflows to attack
Web Applications hosted in private data centers or within the organization‘s local network. Several
organizations depend on the network firewall and IPS/IDS to protect Web application threats. Is this
solution adequate? The answer is ―No‖! Let us see why.

Firewall indeed safeguards the organization from network layer attacks but they permit application
layer HTTP and HTTPS traffic to Web servers. Unauthorized users take advantage of this and
implant attacks URL tampering, cross-site scripting, forceful browsing, SQL injection into Web traffic
with the help of allowed application protocols, which effortlessly bypasses the network firewall. This
is because, a traditional network firewall secures the third and fourth of the seven layers of the OSI
model and fail to understand protocols and Web Application. Thus, a network firewall fails to
control/filter sensitive data embedded in server responses, as it cannot validate user inputs to a
Web Application and most of all do not have understanding about session data, limiting its
effectiveness against Web application attacks.

IPS/IDS monitor the network traffic by matching the data within packets with data in a signature
database. IPS takes an appropriate action if an anomaly is detected in the traffic and is suspected to
be a threat. However, they fail to understand logic of Web application protocol and cannot
differentiate between normal and malicious Web application request. Thus, it is possible, IPS allows
an attack to pass without a detection or prevention if a signature for the attack does not exist within
the signature database.

WAF deployment mitigates the risk of potentially vulnerable Web application. WAF unlike Firewall
and IPS/IDS, keeps an eye on behavior of the Web request and response and provides protection
at layer 7 – application layer of OSI model. They protect Web applications from the most common

10/49
Cyberoam Web Application Firewall Guide

and dangerous attacks by meticulously auditing the IP packets or protocols and analyzing the
application logics. WAF verifies each request and response present in various Web service layers
viz., HTTP, HTTPS. WAFs protect against OWASP Top 10 threats like cross-site scripting, session
hijacking, SQL injection, parameter tampering, etc.

11/49
Cyberoam Web Application Firewall Guide

Cyberoamm WAF
Cyberoam Web Application Firewall (WAF) provides protection to applications in real time, rather
than fixing them in advance or hardening them. Cyberoam WAF sits between the Web Server and
the Internet-facing firewall, accepting all the client connection requests. It then analyzes
HTTP/HTTPS traffic between a client browser and Web server at layer 7 (a whole session, not
packets) and validates the requests received before allowing them to be processed by the
Web/application server through a separate connection. This protects applications from attacks
aimed at exploiting vulnerabilities found in the applications.

Depending upon various criteria including patterns of known/unknown attacks, protocol standards
and anomalous application traffic, the Cyberoam WAF has the capability to enforce security policies.
Although the prime focus lays on Layer 7 – the application layer, however it is not exclusively on it. It
provides shielding against other form of attacks as well, like cookie tampering, forceful browsing,
hidden field tampering etc. These tools typically protect against the classes of "user-induced"
vulnerability in configured applications or in custom-developed code that make Web applications
open to attacks, such as cross-site scripting, directory traversal and forced URL browsing. A WAF
shields, however does not "fix" the underlying vulnerability. WAF reporting can be used to optimize
the level of security.

Diagram – Cyberoam Web Application Firewall (WAF)

Cyberoam WAF implements Positive security model, a comprehensive security method, providing
an independent input validation envelope to an application. Positive security follows a methodology
―allow only what I know‖ ―moving away from ―blocked,‖ end of the spectrum. The Cyberoam Web
Application Firewall enforces a positive security model through Intuitive Website Flow Detector to
automatically identify and block all application layer attacks without relying on signature tables or
pattern matching techniques. The Web Application Firewall considers defined Web application
behavior as ―good‖. Any deviation is considered ―bad‖, or malicious, and is blocked accordingly. This
provides security against ―zero day attacks‖ and eliminates the need to manually populate and
update signature tables. The Intuitive Website Flow Detector automatically adapts to changes in the
Website.

12/49
Cyberoam Web Application Firewall Guide

Core Concepts and Technologies


Intuitive Website Flow Detector
Cyberoam WAF utilizes Intuitive Website Flow Detector to implement a positive protection model,
ensuring usage of the Website and its applications exactly as intended.

For example, consider HTML form with a text field intended to accept a maximum of 50 characters
(<input type=‖text‖ maxlength=‖50‖…>). When the text field is sent back to the server in an HTTP
POST or GET request and if it contains beyond 50 characters, it will be blocked by Cyberoam WAF
for violating the intended guideline. Similar is true for hidden form fields, URL query strings, cookie
values, and other common targets of application manipulation attacks.

Intuitive Website Flow Detector also manages access to Web resources. All the Requests for URI‘s,
which is not a part of the Web site, are blocked. For example, the URI /admin/ will be blocked, if it is
not declared (as an <a href= ―/admin/‖…> for example) in a Web page somewhere on the site. In
other words, an existing resource on the Web server will be blocked, if it is not intended to be
accessed over the Web. With this approach, since both known and unknown URI-based worms will
never be a legitimate part of any Web site, Cyberoam WAF safeguards the applications from the so-
called ―zero-day‖ attacks. This approach is diagonally different from signature recognition technique,
which is limited to block the explicitly recognized attacks.

13/49
Cyberoam Web Application Firewall Guide

How Cyberoam WAF works


Cyberoam WAF is placed between the Web/application server and the Internet-facing firewall. All
the client connection requests received are accepted. Each request is then validated as per
intended guidelines. Only if the request is valid, the Web/application server using a separate
connection processes it.

Schematic Diagram

As illustrated above, incoming traffic is limited by the Internet-facing network firewall to the standard
HTTP/HTTPS. Cyberoam WAF accepts the received client connections request that pass through
the network firewall. To ensure that request received from the client conform to the intended
guidelines, the HTTP specification, and any user-defined policies, it is evaluated by Cyberoam
WAF. Using a separate connection generally a non-standard TCP port, the valid request is
forwarded on to the Web/application server. In case the request is invalid it is blocked and never
processed by the Web/application server.

Cyberoam WAF uses a sophisticated technology ―Intuitive Website Flow Detector‖ that
automatically identifies and enforces intended guidelines in real time. Any modification to Web site
is recognized automatically since Intuitive Website Flow Detector works in real time, with no
requirement for cumbersome, time-consuming ―training‖. This ability of Cyberoam WAF enormously

14/49
Cyberoam Web Application Firewall Guide

reduces installation, setup, and on-going administration time.

Intuitive Website Flow Detector begins examining the outgoing HTTP/HTTPS responses (typically
HTML content, either static or dynamically-generated) to identify the intended guidelines after
defining at least one ―entry point‖ URI in the application (―/‖ by default). HTTP/HTTPS requests from
clients (typically Web browsers such as Internet Explorer or Netscape Navigator) subsequently are
validated before being forwarded on to the Web server (for example, IIS or Apache).
Intuitive Website Flow Detector ensures each HTTP/HHTPS request follows 3 step validation
process:

Step 1. HTTP Specification Validation.

Diagram - HTTP Specification Validation

User sends a request to access Web site (www.abcretaillogin.com). Cyberoam WAF receives and
validates the request for the protocol compliance HTTP 1.0/1.1. If the received request is found valid,
it is forwarded to the Web Server.

Web Server will respond with requested content (www.abcretaillogin.com/index.htm) which contains
resources list like (―myaccount.htm‖, Image\Imaege1.gif)

15/49
Cyberoam Web Application Firewall Guide

Step 2. Intuitive Web Flow detector.

Diagram – Intuitive Web Flow Detector

Once the request is found legitimate and is sent to the Web server, Cyberoam creates rules
dynamically (for resources like ―myaccount.htm‖, Image\Imaege1.gif) depending on the response
received from the Web server.

Exceptions, if configured, are allowed by Cyberoam and user can access them directly without being
interrupted by Intuitive Guide Lines.

Only legitimate request is forwarded to the Web server. A request if found to be a non RFC compliant
protocol traffic or violating intended usage guidelines,, Cyberoam drops it, creating a rule dynamically
for it. An alert notification in the form of email or a network ―pop-up‖ message, and/or HTTP is sent as
per the user preference.

16/49
Cyberoam Web Application Firewall Guide

Step 3. User Define policies.

Diagram – User Defined Policies

If the user request (www.abcretaillogin.com/probe.htm) is received for which a dynamic rule do not
exist in intended usage guidelines, Cyberoam WAF blocks the same and sends an error message
(403 forbidden).

In order to allow the request that do not exist within the intended usage guidelines, an exception
must be created by defining the user policies to override intended usage guidelines.

17/49
Cyberoam Web Application Firewall Guide

Deployment Modes
Cyberoam deployment is usually done within a data center of an organization, which also comprises
of other zones viz., LAN zone, DMZ zone, etc. Server farm consisting of several Web servers, are
hosted within the DMZ zone. The Administrator needs to publish the Web servers via Cyberoam
WAF. One of the following two methods can achieve this:
1. Server hosted on Public IP Address
2. Server hosted on Private IP Address

1. Server Hosted on Public IP Address


Web server might have a public IP directly assigned to actual physical server without any NAT.

 A user sends a HTTP/HTTPS request to access a Web server (here the request is to access
Web server 61.10.15.18).
 Cyberoam WAF receives the request. It validates the request depending on the level of
scanning methodology.
 If the received request is valid, the request is sent to the respective Web server.
 However, if the request fails the validation and is found to be malicious, it will be dropped and
thus not sent to Web server.
 Alert notifications are sent (depending on user preferences) in the form of email, network
―pop-up‖ message, and/or HTTP.

18/49
Cyberoam Web Application Firewall Guide

2. Server Hosted on Private IP Address


In this deployment scenario, a Web server 10.10.10.2 is published via a public IP Address
61.10.15.18 using Cyberoam WAF.

 A user sends a HTTP/HTTPS request for a public IP Address (here the request is sent for IP
Address 61.10.15.18) to access a Web server that is hosted on private IP Address (Here
private IP Address of Web server is 10.10.10.2).
 Cyberoam WAF receives the request. It validates the request depending on the level of
scanning methodology.
 If the received request is valid, the request is sent to the respective Web server (Using
Network Address Translation).
 However, if the request fails the validation and is found to be malicious, it will be dropped and
thus not sent to Web server.
 Alert notifications are sent (depending on user preferences) in the form of email, network
―pop-up‖ message, and/or HTTP.

19/49
Cyberoam Web Application Firewall Guide

Configure WAF

 Web Servers
 Global Settings
 Alerts

Web Servers
Use WAF  Web Servers to view to Web Server and Exception details.
 Web Server
 Exceptions

Web Server

Web Server provides interface to add servers that are to be safe-gaurded by WAF. Web Server
page displays list of servers and provides a way to manage them. You can:
 Add
 View
 Search
 Edit – Click the Edit icon in the Manage column against the Web Server to be modified.
Edit Web Server rule window is displayed which has the same parameters as the Add Web
Server rule window.

 Delete – Click the Delete icon in the Manage column against a Web Server rule to be
deleted. A dialog box is displayed asking you to confirm the deletion. Click OK to delete the
rule. To delete multiple rules, select them and click the Delete button.

To configure Web Server, go to WAF  Web Servers  Web Server.

Screen – Web Server

Manage Web Servers

Screen Elements Description

Add button Add new Web Server.

Name Name to identify the Web Server.

The Public IP Address or FQDN to which the Web Server is


Public IP/FQDN
added.

20/49
Cyberoam Web Application Firewall Guide

Private IP The Private IP Address to which the Web Server is added.

Domains Domains protected by the Web Server.

Public Port Port number through which Web Server communicates.

Edit Icon Edit Web Server.

Delete Icon Delete Web Server.

Delete Button Delete Web Server.


Table – Web Server

Search Web Server


Use the search facility for searching Web Server having a specific string.

Name

Click the Search icon to search Web Server for specific name. It can be searched on the
following criteria: is, is not, contains and does not contain. Click OK to get the search results and
Clear button to clear the results.

Screen – Search

Search Criteria Search Result

is All the Web Server names that exactly match with the string
specified in the criteria.

For example, if the search string is Test, only Web Servers


with the name exactly matching ―Test‖ is displayed.

is not All the Web Server names that do not match with the string
specified in the criteria.

For example, if the search string is Test, all Web Server‘s


except with the name exactly matching ―Test‖ are displayed.

contains All the Web Server names that contain the string specified in
the criteria.

For example, if the search string is Test, all the Web Server
names containing the string ―Test‖ are displayed.

does not contain All the Web Server names that do not contain the string
specified in the criteria.

21/49
Cyberoam Web Application Firewall Guide

For example, if the search string is Test, all the Web Server
names not containing the string ―Test‖ are displayed.
Table – Search Name

Web Server Parameters

To add or edit Web Server, go to WAF  Web Server. Click Add Button to add a new rule or Edit
Icon to modify the details of the rule. Web Server Rule Parameters are given below.

Note

On adding a Web Server, a default Exception and a Firewall Rule is created for the same.

Screen – Web Server Parameters

Screen Elements Description

Web Server Name Specify name to identify the Web Server.

Zone Specify zone to which the Web Server rule applies.

22/49
Cyberoam Web Application Firewall Guide

Web Server Hosted On Select from the available options on which the Web Server is
to be hosted.

Available Options:
 Public IP/FQDN – If selected, choose from following:
1. IP Address – If selected, choose from available IP
Host or add an IP Host.
2. FQDN Host – If selected, choose from available
FQDN Host or add a FQDN Host.

 Private IP – If selected, choose or add IP Host for each of


the following available options:
1. Public IP Address.
2. Private IP Address.

Web Server Protocol Select Web Server Protocol from the following available
options:

1. Only HTTP
2. Only HTTPS
3. HTTP & HTTPS

Advanced Settings
The WAF Advanced Settings allows you to customize Web Server configurations. In most
cases, the advanced settings on this screen should remain at their default values.

Performance Tuning

Screen – Performance Tuning Parameters

Max Connections Provide the maximum number of client connections that can
be served simultaneously.

Minimum number of connections: 50


Maximum number of connections: 9999

By default, the value of maximum number of client


connections is 5000.

Max listen queue Listening queue shall be used once the threshold for
maximum connections is reached.

Minimum number of connections: 10


Maximum number of connections: 999

By default, the value of maximum number of pending


connections allowed in listening queue is 511.

23/49
Cyberoam Web Application Firewall Guide

Keep alive timeout Provide the time in seconds for a subsequent request to wait
before closing a connection.

Minimum number of Seconds: 5


Maximum number of Seconds: 999

By default, value for Keep Alive timeout is 15 seconds.

Enable Form Click to enable HTML form elements validation.


Validation
By default, form validation is in enable mode.

If enabled, to combat SQL command injection and cross-site


scripting attacks, specify the dangerous characters to be
filtered transparently from user input for each of the HTML
parameters.

Enable Cookie Click to enable HTTP and HTTPS name/value cookie


Validation validation.

By default, cookie validation is in enable mode.

If enabled, select/specify the validation parameters.

Override Global
Settings

Screen – Override Global Settings

Click to override the global settings for the respective Web


Server.
By default, the parameter ―Override Global Settings‖ is in
disable mode.

If enabled, select/specify the Global Settings parameters.


Table – Web Server Parameters

24/49
Cyberoam Web Application Firewall Guide

Web Server Protocol


1. Only HTTP

Screen – Only HTTP

Screen Elements Description

Web Serve HTTP Port Provide a HTTP Port number.

By default, the port number is 80.

Note

 If the Web Server is hosted on a private IP Address/host


then provide a public and a private HTTP Port numbers.

 In this case by default, both the public port number and the
private port number will be 80.

SSL Offloading Click to enable SSL Offloading.

By default, form validation is in disable mode.

Published HTTPS Port Provide a HTTPS Port number.

By default, the port number is 443.

Note

 If the Web Server is hosted on a private IP Address/host


then provide a public and a private HTTPS Port numbers.

 In this case by default, both the public port number and the
private port number will be 443.

25/49
Cyberoam Web Application Firewall Guide

Allow HTTP Traffic Click to enable allow HTTP traffic.


Also
By default, form validation is in disable mode.

Certificate A digital certificate is a document that guarantees the identity


of an entity.

Certificate will be used by the WAF for secured


communication for any request received for the Web Server.

In case of SSL offloading, certificate will be exchanged


between client and WAF.

Select a Certificate from the available list.

Certificate Authority A certificate signed by a Certificate Authority (CA) identifies


the owner of a public key.

Select a Certificate Authority from the available list.

Allow SSLv2 Select ―Yes‖ to allow SSLv2 client connection.

By default, the value is ―No‖.

Allow Weak Ciphers Select ―Yes‖ to allow weak ciphers.

By default, the value is ―No‖.

Domains to protect Choose domains to be protected from the following available


option:
1. All domains hosted on selected Web Server Host.

2. Specific domains hosted on Web Server Host.


In this case, select a domain or add a domain.

By default, the option ―All domains hosted on selected Web


Server Host‖ is selected.

Back to top
Table – Only HTTP

26/49
Cyberoam Web Application Firewall Guide

2. Only HTTPS

Screen – Only HTTPS

Screen Elements Description

Web Server HTTPS Provide a HTTPS Port number.


Port
By default the port number is 443

Note

 If the Web Server is hosted on a private IP Address/host


then provide a public and a private HTTPS Port numbers.

 In this case by default, both the public port number and the
private port number will be 443.

Certificate A digital certificate is a document that guarantees the identity


of an entity.

Certificate will be used by the WAF for secured


communication for any request received for the Web Server.

Select a Certificate from the available list.

Certificate Authority A certificate signed by a Certificate Authority (CA) identifies


the owner of a public key.

Select a Certificate Authority from the available list.

Allow SSLv2 Select ―Yes‖ to allow SSLv2 client connection.

By default, the value is ―No‖.

Allow Weak Ciphers Select ―Yes‖ to allow weak ciphers.

By default, the value is ―No‖.

Domains to protect Choose domains to be protected from the following available


option:

27/49
Cyberoam Web Application Firewall Guide

1. All domains hosted on selected Web Server Host.

2. Specific domains hosted on Web Server Host.


In this case, select a domain or add a domain.

By default, the option ―All domains hosted on selected Web


Server Host‖ is selected.

Back to top
Table – Only HTTPS

3. HTTP & HTTPS

Screen – HTTP & HTTPS

Screen Elements Description

Web Server HTTP Port Provide a HTTP Port number.

By default, the port number is 80.

Note

 If the Web Server is hosted on a private IP Address/host


then provide a public and a private HTTP Port numbers.

 In this case by default, both the public port number and the
private port number will be 80.

Web Server HTTPS Provide a HTTPS Port number.


Port
By default the port number is 443

Note

28/49
Cyberoam Web Application Firewall Guide

 If the Web Server is hosted on a private IP Address/host


then provide a public and a private HTTPS Port numbers.

 In this case by default, both the public port number and the
private port number will be 443.

Certificate A digital certificate is a document that guarantees the identity


of an entity.

Certificate will be used by the WAF for secured


communication for any request received for the Web Server.

Select a Certificate from the available list.

Certificate Authority A certificate signed by a Certificate Authority (CA) identifies


the owner of a public key.

Select a Certificate Authority from the available list.

Allow SSLv2 Select ―Yes‖ to allow SSLv2 client connection.

By default, the value is ―No‖.

Allow Weak Ciphers Select ―Yes‖ to allow weak ciphers.

By default, the value is ―No‖.

Domains to protect Choose domains to be protected from the following available


option:
1. All domains hosted on selected Web Server Host.

2. Specific domains hosted on Web Server Host.


In this case, select a domain or add a domain.

By default, the option ―All domains hosted on selected Web


Server Host‖ is selected.

Back to top
Table – HTTP & HTTPS

29/49
Cyberoam Web Application Firewall Guide

Enable Form Validation

Screen – Form Validation

Screen Elements Description

Text Specify the characters that require to be filtered


transparently.

By default, the value of this field is ―<‖, ―>‖, ―"‖, ―'‖, ―;‖, ―(‖, ―)‖.

Select one of the following actions in case the input is one of


the specified characters:
Alert
Block

By default, an alert is generated.

Text-Area Specify the characters that require to be filtered


transparently.

By default, the value of this field is ―<‖, ―>‖, ―"‖, ―'‖, ―;‖, ―(‖, ―)‖.

Select one of the following actions in case the input is one of


the specified characters:
Alert
Block

By default, the alert is generated.

Password Specify the characters that require to be filtered transparently.

By default, the value of this field is ―<‖, ―>‖, ―"‖, ―'‖, ―;‖, ―(‖, ―)‖.

Select one of the following actions in case the input is one of


the specified characters:
Alert
Block

30/49
Cyberoam Web Application Firewall Guide

By default, the alert is generated.

Form Clean-up Click to enable HTML form clean-up.

By default, form clean-up is in enable mode.

If enabled, specify the number of days and hours. HTML forms


older than the specified duration shall be cleaned up/ purged.

Minimum number of days: 0


Maximum number of days: 365

Minimum number of Hours: 0


Maximum number of Hours: 23

By default, the duration is 15 Days and 0 hours.

Back to top
Table – Form Validation

Enable Cookie Validation

Screen – Cookie Validation

Screen Elements Description

Enable Strict Cookie Click to enable blocking of the request that contains a
Validation tampered cookie, thereby avoiding it to be forwarded on to
the Web Server.

When a request containing a tampered cookie is received


and cookie validation is in disable mode, then the tampered
cookie will be stripped - off from request and the request will
be forwarded to Web Server.

By default, cookie validation is in disable mode.

31/49
Cyberoam Web Application Firewall Guide

Enable Transition Click to allow cookie attributes and values that cannot be
Period validated.

It will be effective from the time cookie validation is enabled.

By default, parameter transition period is in enable mode.

Minimum number of days: 0


Maximum number of days: 365

Minimum number of Hours: 0


Maximum number of Hours: 23

By default, the duration is 6 Days and 0 hours.

Enable Cookie Click to enable HTTP - HTTPS cookie cleanup.


Cleanup
By default, cookie cleanup is in enable mode.

If enabled, specify the number of days and hours. HTTP-


HTTPS cookies older than the specified duration shall be
cleaned up.

Minimum number of days: 0


Maximum number of days: 365

Minimum number of Hours: 0


Maximum number of Hours: 23

By default, the duration is 15 Days and 0 hours.

Back to top
Table – Cookie Validation

32/49
Cyberoam Web Application Firewall Guide

Exception
Exceptions are the parameters on which WAF configuration are not applicable. You can:
 Add
 View
 Edit - Click the Edit icon in the Manage column against the Exception to be modified. Edit
Exception pop-window window is displayed which has the same parameters as the Add
Exception window.

 Delete – Click the Delete icon in the Manage column against a Exception to be deleted. A
dialog box is displayed asking you to confirm the deletion. Click OK to delete the rule. To
delete multiple Exception, select them and click the Delete button.

To configure an Exception, go to WAF  Web Server  Exception.

Screen – Exceptions

View the list of Exception

Screen Elements Description

Add Button Add new Exception.

Exception Name Name of the Exception.

Exception Type Type of the Exception.

Web Server Web Server for which the exception is created.

URL/Directory/URI URL/Directory/URI path.

Edit Icon Edit exception.

Delete Icon Delete Web Server.

Delete Button Delete Web Server.


Table – Exceptions

Search Exception
Use the search facility for searching Exception having a specific string.

Name

Click the Search icon to search Exception for specific name. It can be searched on the
following criteria: is, is not, contains and does not contain. Click OK to get the search results and
Clear button to clear the results.

33/49
Cyberoam Web Application Firewall Guide

Screen – Search

Search Criteria Search Result

is All the Exception names that exactly match with the string
specified in the criteria.

For example, if the search string is Test, only Exception‘s


with the name exactly matching ―Test‖ are displayed.

is not All the Exception names that do not match with the string
specified in the criteria.

For example, if the search string is Test, all Exception‘s


except with the name exactly matching ―Test‖ are displayed.

contains All the Exception names that contain the string specified in
the criteria.

For example, if the search string is Test, all the Exception


names containing the string ―Test‖ are displayed.

does not contain All the Exception names that do not contain the string
specified in the criteria.

For example, if the search string is Test, all the Exception


names not containing the string ―Test‖ are displayed.
Table – Search Exception Name

34/49
Cyberoam Web Application Firewall Guide

Add Exception Parameters

To add an Exception, go to WAF  Web Server  Exception and click Add.

Screen – Add Exceptions

Screen Elements Description

Exception Name Provide name to exception.

Exception Type Select the type of the exception from the available options.

The available options are as follows:


1. Entry Point
2. Unprotected Directories
3. Filter Exception
4. Cookie Exception
5. Form Exception
Web Server Web Server for which the exception is created.

URL / Directory /URI URL / Directory / URI path

Edit Icon Edit exception

Delete Icon Delete Web Server.

Delete Button Delete Web Server.


Table – Add Exceptions

35/49
Cyberoam Web Application Firewall Guide

Edit Exception Parameters

To add an Exception, go to WAF  Web Server  Exception and click the Edit icon in
the Manage column against the Exception to be modified.

Screen – Add Exceptions

Screen Elements Description

Exception Name Provide name to exception.

Exception Type Select the type of the exception from the available options.

The available options are as follows:


1. Entry Point
2. Unprotected Directories
3. Filter Exception
4. Cookie Exception
5. Form Exception
Table – Add Exceptions

Exception Type
1. Entry Point

Screen – Entry Point

36/49
Cyberoam Web Application Firewall Guide

Screen Elements Description

Web Server Select the Web Server for which the exception is to be
created.

URL/Directory Provide a URL/Directory path.

URL/Directory Click one of the following options:


Properties HTTPS – Select if entry point/directory is to be accessed via
an encrypted connection.

Ignore Case – Select if the entry point /directory validation


should not be case sensitive.

RegEx – Select if the URL/Directory is a regular expression.

Back to top
Table – Entry Point

2. Unprotected Directories

Screen – Unprotected Directories

Screen Elements Description

Web Server Select the Web Server for which the exception is to be
created.

URL/Directory Provide a URL/Directory path.

URL/Directory Click one of the following options:


Properties HTTPS – Select if entry point/directory is to be accessed via
an encrypted connection.

Ignore Case – Select if the entry point /directory validation


should not be case sensitive.

RegEx – Select if the URL/Directory is a regular expression.

Back to top

37/49
Cyberoam Web Application Firewall Guide

Table – Unprotected Directories

3. Filter Exception

Screen – Filter Exception

Screen Elements Description

Web Server Select the Web Server for which the exception is to be
created.

URI Provide a URI path.

Form Name Specify the name of the form.

Field Name Specify the name of the field

Field Type Select the field type from the available options.

The following are the available options:


 Any
 Checkbox
 Hidden
 Radio Button
 Select
 Text
 Text-Area

Characters Specify the characters for which the exception id to be


created.

Back to top
Table – Filter Exception

38/49
Cyberoam Web Application Firewall Guide

4. Cookie Exception

Screen – Cookie Exception

Screen Elements Description

Web Server Select the Web Server for which the exception is to be created.

URI Provide a URI path.

Field Name Specify the name of the field.

Back to top
Table – Cookie Exception

5. Form Exception

Screen – Form Exception

Screen Elements Description

Web Server Select the Web Server for which the exception is to be created.

URI Provide a URI path.

39/49
Cyberoam Web Application Firewall Guide

Form Name Specify the name of the form.

Field Name Specify the name of the field.

Field Type Select the field type from the available options.

The following are the available options:


 Any
 Checkbox
 Hidden
 Radio Button
 Select
 Text
 Text-Area

Characters Specify the characters for which the exception id to be created.

Back to top, Continue with Alerts


Table – Form Exception

40/49
Cyberoam Web Application Firewall Guide

Global Settings
Global Settings are configurations that are applied on all the Web Servers by default. To alter these
configuration, modify the Advanced Settings of the Web Server.

To view Global Settings, go to WAF  Global Settings  Global Settings.

Screen – Global Settings

Global Settings Parameters

Screen Elements Description

Global Settings

Hide Server Identity Click to avoid disclosing Web Server‘s identity thereby

41/49
Cyberoam Web Application Firewall Guide

preventing banner – grabbing.

By default, the server identity is hidden.

Enable Passive Mode Click to enable passive mode for the Web Server to operate
in ―report-only‖ mode.

All the requests that are received will be forwarded on to the


Web Server.

Disable the passive mode of Web Server to identify report


and block malicious activities.

By default, the Web Server will not be in passive mode.

Enable JavaScript Click to enable to interpret client – side JavaScript to extract


Processing Intended Use Guidelines.

By default, JavaScript processing is in enable mode.

Enable Strict HTTPS Click to enable enforcing the access to HTTPS resources via
an encrypted connection.

By default, strict HTTPS is in enable mode.

Send Client IP Header Click to send ―WAF-Client-IP‖ i.e. the client IP Address in a
custom HTTP Header to the Web Server.

By default, client IP Header will be sent to Web Server.

Allow Incomplete Click to allow incomplete URL‘s.


URLs
For example, If intended URL is
―http://www.domain.com/test/‖, but the user enters
―http://www.domain.com/test‖ (no trailing slash) in their
browser's address bar, both will be allowed.

By default, incomplete URL‘s will not be allowed.

Enable Case-sensitive Click to enable validation of case sensitive URL.


URL validation
By default, case sensitive URL validation is in enable mode.

Enable Transform Click to enable ensuring HTTP error code 500 from the Web
Error 500 server gets transformed into a HTTP 202 Accepted response
code.

By default, Transform Error 500 is in disabled mode.

Error URLs

400 Bad Request Click to enable and provide a fully qualified URL.

If an HTTP error code 400 Bad Request occurs then it will be


redirected to the provided fully qualified URL.

42/49
Cyberoam Web Application Firewall Guide

403 Forbidden Click to enable and provide a fully qualified URL.

If an HTTP error code 403 Forbidden occurs then it will be


redirected to the provided fully qualified URL

405 Method not Click to enable and provide a fully qualified URL.
allowed
If an HTTP error code 405 Method not allowed occurs then it
will be redirected to the provided fully qualified URL

Allowed HTTP Methods

HTTP Methods Specify the allowed HTTP Methods.

By default, the allowed HTTP methods are POST, GET, and


HEAD.

Back to top
Table – Global Settings

Alerts
Based on the WAF configuration, certain system-generated events trigger alerts. These alerts are
reports of actions taken on the request received.

To view Alerts, go to WAF  Alerts  Alerts.

Parameters

Screen – Alerts

Screen Elements Description

Date & Time Date and Time when the alert was generated.

Action Displays action taken on the received request.

Source IP/Name Displays Source IP Address or Name of the request.

Reason Displays reason of the action taken.

Web Server Name Displays name of the Web Server.

Status Code Displays response status code of HTTP/HTTPS protocol.

43/49
Cyberoam Web Application Firewall Guide

Add Exception Click Add Icon to add an exception.


Table – Alerts

Add Exception

Screen Elements Description

Exception Name Provide name to exception.

Exception Type Select the type of the exception from the available options.

The available options are as follows:


1. Entry Point
2. Unprotected Directories
3. Filter Exception
4. Cookie Exception
5. Form Exception
Table – Add Exception

Search Web Server


Use the search facility for searching Web Server having specific traffic. The search string can be
either an IP Address or a string.

Click the Search icon to search Web Server for specific string. It can be searched on the
following criteria: is, is not, contains and does not contain. Click OK to get the search results and
Clear button to clear the results.

Screen – Search Web Server Name

Search Criteria Search Results

is All the Web Server parameters that exactly match


with the string specified in the criteria.

For example, if the search string is Test, only Web


Servers with the name exactly matching ―Test‖ are
displayed.

is not All the Web Server parameters that do not match with
the string specified in the criteria.

For example, if the search string is Test, all Web


Servers except with the name exactly matching ―Test‖
are displayed.

contains All the Web Server parameters that contain the string

44/49
Cyberoam Web Application Firewall Guide

specified in the criteria.

For example, if the search string is Test, all the Web


Server names containing the string ―Test‖ are
displayed.

does not contain All the Web Server parameters that do not contain the
string specified in the criteria.

For example, if the search string is Test, all the Web


Server names not containing the string ―Test‖ are
displayed.
Table – Search Web Server Name

Search Action

Use the search facility by clicking the Search icon for searching action taken on the request
received.

Screen – Action

Search Criteria Search Results

Denied All the received requests that are denied matches


with the criteria.

Would be denied All the received requests that would be denied when
the Web Server is not in passive mode, matches with
this criteria.
Table – Search Action

45/49
Cyberoam Web Application Firewall Guide

Search Date & Time


Use the search facility for searching Web Server created on specific date and time. Click the Search
icon to search Web Server for specific string. It can be searched on the following criteria: is, is
not, contains and does not contain. Click OK to get the search results and Clear button to clear the
results.

Screen – Date & Time

Search Criteria Search Results

is All the Date & Time parameters that exactly match


with the string specified in the criteria.

For example, if the search string is 10, only Date &


Time with the exactly matching string ―10‖ is
displayed.

is not All the Date & Time parameters that do not match
with the string specified in the criteria.

For example, if the search string is 10, all Date &


Time except with the name exactly matching ―10‖ are
displayed.

contains All the Date & Time parameters that contain the string
specified in the criteria.

For example, if the search string is 10, all the Date &
Time containing the string ―10‖ are displayed.

does not contain All the Date & Time parameters that do not contain
the string specified in the criteria.

For example, if the search string is 10, all the Date &
Time not containing the string ―Test‖ are displayed.
Table – Search Date & Time

46/49
Cyberoam Web Application Firewall Guide

Search Source IP/Name

Use the search facility for searching source IP/ Name of the Web Server. Click the Search icon
to search Source IP/ Name for specific string. It can be searched on the following criteria: is, is not,
contains and does not contain. Click OK to get the search results and Clear button to clear the
results.

Screen – Source IP/Name

Search Criteria Search Results

is All the Source IP/ Name that exactly match with the
string specified in the criteria.

For example, if the search string is 172.16.16.16, only


Source IP/ Name with the exactly matching string is
displayed.

is not All the Source IP/ Name that do not match with the
string specified in the criteria.

For example, if the search string is 16, all Source IP/


Name except with the exactly matching ―16‖ are
displayed.

contains All the Source IP/ Name that contain the string
specified in the criteria.

For example, if the search string is 172, all the


Source IP/ Name containing the string ―172‖ are
displayed.

does not contain All the Source IP/ Name that do not contain the string
specified in the criteria.

For example, if the search string is 16, all the Source


IP/ Name not containing the string ―16‖ are displayed.
Table – Search Source IP/ Name

47/49
Cyberoam Web Application Firewall Guide

Search Reason

Use the search facility for searching reason of the Web Server. Click the Search icon to search
web server for specific reason. It can be searched on the following criteria: is, is not, contains and
does not contain. Click OK to get the search results and Clear button to clear the results.

Screen – Reason

Search Criteria Search Results

is All the reasons that exactly match with the string


specified in the criteria.

For example, if the search string is Test, only reasons


with the exactly matching string are displayed.

is not All the reasons that do not match with the string
specified in the criteria.

For example, if the search string is Test, all reasons


except with the exactly matching ―Test‖ are displayed.

contains All the reasons that contain the string specified in the
criteria.

For example, if the search string is Test, all the


reasons containing the string ―Test‖ are displayed.

does not contain All the reasons that do not contain the string specified
in the criteria.

For example, if the search string is Test, all the


reasons not containing the string ―Test‖ are displayed.
Table – Search Reason

48/49
Cyberoam Web Application Firewall Guide

Search Status Code

Use the search facility for searching source IP/ Name of the Web Server. Click the Search icon
to search Source IP/ Name for specific string. It can be searched on the following criteria: is, is not,
contains and does not contain. Click OK to get the search results and Clear button to clear the
results.

Screen – Status Code

Search Criteria Search Results

is All the status code that exactly match with the string
specified in the criteria.

For example, if the search string is 403, only status


code with the exactly matching string is displayed.

is not All the status code that do not match with the string
specified in the criteria.

For example, if the search string is 403, all status


code except with the exactly matching ―403‖ are
displayed.

contains All the status code that contain the string specified in
the criteria.

For example, if the search string is 403, all the status


code containing the string ―403‖ are displayed.

does not contain All the status code that do not contain the string
specified in the criteria.

For example, if the search string is 403, all the status


code not containing the string ―403‖ are displayed.
Table – Search Status Code

49/49

You might also like