Web Application Firewall

This document is the ACOS 5.2.1-P7 Web Application Firewall Configuration Guide from April 2023. It provides an overview of the A10 Networks WAF product and describes how to configure the WAF using the GUI, CLI, and aFleX scripts. The document covers topics such as common web attacks, security models, request and response protection techniques, PCI compliance, operational modes, and configuring specific security checks.

ACOS 5.2.1-P7
Web Application Firewall Configuration Guide
April, 2023
© 2023 A10 Networks, Inc. All rights reserved.
Information in this document is subject to change without notice.

PATENT PROTECTION
A10 Networks, Inc. products are protected by patents in the U.S. and elsewhere. The following website is provided
to satisfy the virtual patent marking provisions of various jurisdictions including the virtual patent marking
provisions of the America Invents Act. A10 Networks, Inc. products, including all Thunder Series products, are
protected by one or more of U.S. patents and patents pending listed at:
a10-virtual-patent-marking.

TRADEMARKS
A10 Networks, Inc. trademarks are listed at: a10-trademarks

CONFIDENTIALITY
This document contains confidential materials proprietary to A10 Networks, Inc. This document and information
and ideas herein may not be disclosed, copied, reproduced or distributed to anyone outside A10 Networks, Inc.
without prior written consent of A10 Networks, Inc.

DISCLAIMER
This document does not create any express or implied warranty about A10 Networks, Inc. or about its products or
services, including but not limited to fitness for a particular use and non-infringement. A10 Networks, Inc. has made
reasonable efforts to verify that the information contained herein is accurate, but A10 Networks, Inc. assumes no
responsibility for its use. All information is provided "as-is." The product specifications and features described in
this publication are based on the latest information available; however, specifications are subject to change without
notice, and certain features may not be available upon initial product release. Contact A10 Networks, Inc. for
current information regarding its products or services. A10 Networks, Inc. products and services are subject to A10
Networks, Inc. standard terms and conditions.

ENVIRONMENTAL CONSIDERATIONS
Some electronic components may possibly contain dangerous substances. For information on specific component
types, please contact the manufacturer of that component. Always consult local authorities for regulations
regarding proper disposal of electronic components in your area.

FURTHER INFORMATION
For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest
A10 Networks, Inc. location, which can be found by visiting www.a10networks.com.
Table of Contents

Getting Started 9
Overview 10
Protection Against Common Web Attacks 11
Buffer Overflow Attacks 11
Cookie Tampering 11
Forceful Browsing 11
Web Form Security Attacks 12
WAF Security Models 12
Positive Security Model 12
Negative Security Model 13
Request Protection 13
Compare Request URI to White List and Black List 13
White List 13
Black List 14
URL Check 15
Scan Request for Threats 15
Bot Check 16
Form Field Consistency Check 16
Referer Check 16
HTTP Protocol Compliance Check 17
HTML Cross-Site Scripting (XSS) Check 18
Buffer Overflow Check 18
HTML SQL Injection Check 19
Allowed HTTP Methods Check 19
Maximum Cookies Check 20
Maximum Headers Check 20
Session Checks 21
Password Security 21

3
ACOS 5.2.1-P7 Web Application Firewall Configuration Guide
Contents

Open Redirect Mitigation 23


Normalization Enhancements for URL Options 26
WAF XML Checks 27
XML Format Checks 28
XML Validation Checks 29
XML Limit Checks 31
XML Cross-Site Scripting Checks 34
XML SQL Injection Checks 35
WAF SOAP Checks 36
SOAP Format Checks 37
SOAP Validation Checks 38
WAF JSON Checks 39
JSON Format Checks 40
JSON Limit Checks 41
Geo-location Based Blocking 42
Filter Requests Using an HTTP Policy 42
Filter Requests Using an ACL 45
Response Protection 46
Mask Sensitive Content 46
CCN Mask 47
SSN Mask 47
PCRE Mask 48
Cloak Responses 48
Send Instrumented Responses 49
Cross Site Request Forgery Check 49
Form Field Consistency Check 49
Cookie Encryption 50
PCI 6.6 Compliance 50
ACOS WAF achieves ICSA Certification 50
How Does the ACOS WAF Achieve PCI DSS Compliance? 51
WAF External Logging 52


WAF Operational Modes 53


Overview 53
Learning Mode 54
Passive Mode 57
Active Mode 59
Setting the WAF Operational Mode 61

Configuring WAF Using GUI 62


Overview 63
Bind the WAF Template to the Virtual Port 63
Add/Edit a WAF Template 66
Configuring HTTP Protocol Checks 66
Configuring HTTP Limit Checks 67
Configuring Request Checks 68
Configuring Cookie Security 70
Configuring Cookie Security Checks 71
Configuring Evasion Checks 72
Configuring Web Service Security 74
Configuring Data Leak Prevention 77
Configuring Form Protection and Password Security 79
Configuring Brute Force Security 81
Create a WAF File 83
Configure an HTTP Policy Template 86
Configure External Logging (recommended) 88
Configure Log Servers 89
Add Server to Service Group 91
Configure the Logging Template 93
Apply the Log Template to the WAF Template 94

Configuring WAF Using CLI 95


Required Configuration 96
Creating a WAF Template 96


Creating a WAF Template using Inheritance 96


Bind the WAF Template to the HTTP/HTTPS Virtual Port 97
OWASP Top 10 Compliance 98
CLI Configuration 99
External Logging Configuration 99
Optional Configuration 101
Set Deployment Mode 102
Customize WAF Policy Files 102
Configure Security Checks for Requests 103
Configure Security Checks for Responses 109

Configuring WAF Using aFleX Scripts 112


Overview 113
WAF aFleX Commands 114
WAF Events 115

WAF Event Logging 118


WAF Event Types and Where They Are Logged 119
Violation Detection and Reporting 121
Masking Sensitive Data in Logs 123
Log Format 124
WAF Log Examples 127
Basic Log Message 127
Bot Check 128
Learning Mode 129

WAF Policy Files 131


Pre-Loaded WAF Policies 132
Request Protection 133
Bot Check 133
XSS Check 133
SQL Injection Attack Check 133
URI Black List 134


URI White List 135


Response Protection 136
Allowed HTTP Response Codes 136
Customize WAF Policy Files 137
Syntax Check 137
Using the CLI 138
Configure Policy Files 138
Syntax Checks 138
Manage Files 139
Writing PCRE Expressions 139
General Guidelines 139
Example Applications 141

Overriding a WAF Template 144


Configure an HTTP Policy Template 145
GUI Configuration 147
CLI Configuration 147
Bind the HTTP Policy Template to the Virtual Port 148
GUI Configuration 148
CLI Configuration 148

WAF Statistics 149


Displaying WAF Statistics 150
GUI Configuration 150
CLI Configuration 150
Clearing WAF Statistics 150
GUI Configuration 150
CLI Configuration 150

Deployment and Logging Examples 152


Initial Configuration 153
Logging Configuration 153
WAF Template Configuration 154


HTTP Virtual Port Configuration 154


Learning 155
Enable Learning Mode 156
Generate Traffic 156
View External Log 156
Generate Allowed URL Paths for the URL Check 157
Configuration Example 157
Save Template Settings 160
Response Header Filtering 160
Enable Header Response Filtering 161
View External Log 161
SQLIA Check 162
Enable the SQLIA Check 162
View External Log 162
Cross-site Scripting Check 162
Enable the XSS Check 163
View External Log 163
Cookie Encryption 164

WAF Template Reference 166


Glossary 182

Getting Started

The following topics are covered:


Overview 10
Protection Against Common Web Attacks 11
WAF Security Models 12
Request Protection 13
Response Protection 46
PCI 6.6 Compliance 50
WAF External Logging 52

ACOS 5.2.1-P7 Web Application Firewall Configuration Guide Feedback
Getting Started

Overview
The A10 Networks product line provides additional security for your web servers
with the Web Application Firewall (WAF) feature. The WAF filters communication
between users and web applications to protect web servers and sites from
unauthorized access and malicious programs. This new layer of security examines
incoming user requests, output from web servers, and access to website content to
safeguard against web attacks and protect sensitive information hosted on web
servers.
The WAF protects against the following main threats to web servers:
• Unauthorized access and control of the web server – There are various attacks
designed to grant an attacker access to and control of a web server. If an attack is
successful, the unauthorized user can deface existing web pages, provide SMTP
services to send spam, or launch distributed denial-of-service (DDoS) attacks.
In addition, the attacker can use the compromised server to host content directly,
or act as a proxy for content hosted on another server. This type of attack can
enable unauthorized users to host illegal online activities using your web server
resources.
• Unauthorized retrieval of sensitive information – These attacks are intended to
provide unauthorized retrieval or leakage of sensitive information from your
websites or back-end databases.

The WAF is configured via a WAF template, which includes built-in basic and policy-
based security checks for convenient and quick deployment. Within the WAF
template, you can enforce security checks to immediately provide a foundational
level of protection against common threats.
Websites are further protected from attack through checks that are defined by
customizable WAF policy files. You can configure WAF policy files for advanced
countermeasures to common attacks, such as SQL injection attacks or bots.


Protection Against Common Web Attacks


The WAF protects your web servers from common threats which can compromise the
security of websites or leak sensitive information. The following sections briefly
describe common threats and WAF security checks you can use to counter these
attacks. More detail is provided later in this guide.

Buffer Overflow Attacks


A buffer overflow attack occurs when a web server receives excessively long pieces of
information (for example, URLs, headers, or cookies) that exceed the size the server
software was written to handle.
If no filter is enforced to block such requests, an overflow can slow down or crash the
web server or the underlying operating system, and an exploitable overflow can
compromise the web server and permit unauthorized users to access sensitive
information.
The WAF prevents buffer overflow attacks by enforcing an accepted maximum length
for each element of an HTTP request and blocking requests that exceed the configured
limit. The URL is normalized before its length is checked, so that encoding cannot be
used to disguise an oversized value.

Cookie Tampering
Cookie tampering occurs when a user sends a modified cookie to a web server in an
attempt to access unauthorized content. To protect against cookie tampering, enable
the Cookie Encryption check within the WAF template.

Forceful Browsing
Forceful browsing occurs when a user bypasses the hyperlinks of a website to access
the URLs of a website directly. This method is normally used to gain access to private
pages, but can be used in conjunction with other attacks to compromise a web
server. To protect against forceful browsing, enable the URL check for your website.
(See URL Check.)


Web Form Security Attacks


A web form security attack uses the form on a web page to issue commands to a
website. The submitted form data may be modified to include hidden fields, HTML, or
injected code in order to compromise the security of a web server. A web form
security attack commonly occurs through the following methods:
• SQL Injection Attacks (SQLIA) – An SQL Injection Attack uses a web form or other
mechanism to send SQL commands or SQL special characters that the application
passes unescaped to the website's SQL database. The back-end database then
executes the attacker's SQL, allowing the attacker to retrieve or modify sensitive
information in the database. The WAF includes the SQL Injection Check template
option and the default "sqlia_defs" policy file to provide immediate protection
from SQL Injection Attacks.
• Cross-Site Scripting (XSS) Attacks – A cross-site scripting (XSS) attack injects
JavaScript into content that the website later returns to other users, so that the
script runs in their browsers with the website's privileges. The script can modify
page content, read hidden properties of the page, or steal session cookies. XSS
can compromise the security of a web server or allow an attacker to retrieve
sensitive information. The WAF includes the XSS Check template option and the
default "jscript_defs" policy file to provide immediate protection from XSS attacks.

WAF Security Models


The WAF combats common attacks against web servers with an array of security
checks to filter inbound HTTP requests. In addition to managing requests, you can
apply WAF security checks to modify the responses sent back to users.
The WAF operates based on both a positive security model and negative security
model to maximize protection.

Positive Security Model


The WAF supports several operational modes, one of which is Learning Mode. In
Learning Mode, you send known, “trusted” traffic (HTTP/HTTPS requests) to the WAF.
The WAF automatically sets the values for certain checks based on the traffic.


All operational modes support the White List Check. During the White List Check, the
WAF compares the URI of a user request against the URI patterns in the White List
policy file. If there is a match, the WAF performs additional checks; if there is no
match, the request is blocked.
(For more information, see WAF Operational Modes.)

Negative Security Model


One of the additional checks performed by the WAF is comparison of the traffic to
the patterns in the Black List policy file. If there is a match, the WAF generates a data
event log message. If Active Mode is enabled, the WAF also drops the traffic.

Request Protection
The WAF scans request elements for possible threats or malicious content. Based on
the responsive action that is configured for each security check, the WAF denies the
client request completely or sanitizes the request of malicious content and forwards
the sanitized request to the web server.
The WAF filters inbound traffic through the following security checks.

Compare Request URI to White List and Black List


The WAF examines incoming user requests against the URI White Lists and Black
Lists. These lists define rules to explicitly allow or deny traffic:

White List
The URI White List defines acceptable destination URIs allowed for incoming
requests. The White List Check compares the URI of an incoming request against the
rules contained in the URI White List policy file. Connection requests are accepted
only if the URI matches a rule in the URI White List. For more information, see URI
White List.


Black List
A URI Black List is a WAF policy file that lists exclusion criteria for incoming requests.
If the URI of an incoming request matches a rule in the URI Black List, the request is
automatically blocked.
The URI Black List works in combination with the URI White List to restrict the
accessible URIs on a website. The Black List is evaluated after the White List: a URI
that matches an acceptance rule in the URI White List is still blocked if it also
matches a rule in the separate URI Black List.
For more information, see URI Black List.
The following diagram displays the processing order for incoming requests:
Figure 1 : Screen URI requests

In this illustration, the WAF filters 3 HTTP requests. Of these, request #3 does not
meet any criteria in the WAF template’s URI White List and is blocked.


The remaining requests are compared against the WAF template’s URI Black List and
blocked if they match at least one URI Black List rule. Of these, request #2 is denied.
Request #1 is the only request that is processed for additional security checks.

URL Check
In addition to the URI White List and Black List, you can enable the URL Check to
restrict users to a limited set of URL paths on your website. The URL Check allows
clients to access a specific set of acceptable URLs that were added to the URL-check
policy file while the WAF is deployed in Learning Mode.
Once this policy file is generated, you can manually edit the contents before
switching the WAF deployment mode from Learning to Active. At this point, users
are prevented from accessing any URLs that are not listed in this generated policy
file.

NOTE: For a deployment example that includes configuration of the URL
Check, see Generate Allowed URL Paths for the URL Check.

If the URL Check is enforced in the WAF template, a web page must be reachable as a
hyperlink on your website in order to appear in the list, which is generated from the
paths requested while the WAF is in Learning Mode. This means users can access the
pages on your website that appear as hyperlinks, but they are prevented from
reaching private pages directly through "forceful browsing". For more information,
see Forceful Browsing.

NOTE: In the example shown in Screen URI requests, the URL Check would
achieve the same degree of security if a hyperlink is only provided to
the page “/site_images.jpg”.
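To make the processing order concrete, here is an added Python example, written for this page and not taken from the A10 guide or the ACOS product, that screens request URIs the way Figure 1 and the URL Check description lay it out: White List first, then Black List, then the learned URL-check list. The three policy files are stand-ins written as Python regular expressions (the real ACOS policy files use PCRE rules, described under WAF Policy Files later in the guide), the request paths, including "/site_images.jpg" from the note above, are constructed for illustration, and matching the lists against the path portion of the URI only (not the query string) is an assumption made here.

```python
import re

# Constructed stand-ins for the URI White List, URI Black List and URL-check
# policy files. Each rule is a Python regular expression; the real ACOS policy
# files use PCRE rules, one per line, but the evaluation order is the same.
URI_WHITE_LIST = [
    r"^/$",
    r"^/index\.html$",
    r"^/site_images\.jpg$",
    r"^/products/[A-Za-z0-9_-]+$",
    r"^/download/.*$",
    r"^/admin/.*$",
]
URI_BLACK_LIST = [
    r"^/admin/",             # admin paths are never reachable through the WAF
    r"\.(bak|old|orig)$",    # stale backup files left on the web server
    r"\.\./",                # path traversal
]
# Paths the URL Check recorded while the WAF was in Learning Mode (constructed).
LEARNED_URL_PATHS = {"/", "/index.html", "/site_images.jpg", "/products/widget"}

# Constructed request URIs; the first three are numbered like Figure 1.
SAMPLE_REQUESTS = [
    "/site_images.jpg",           # #1: white-listed, not black-listed, learned
    "/admin/login.php",           # #2: white-listed but black-listed
    "/cgi-bin/test.cgi",          # #3: no White List match
    "/download/config.bak",       # passes the White List, hits the Black List
    "/products/gadget?ref=mail",  # passes both lists, never seen in Learning Mode
]


def _matches(path, rules):
    """True if any rule in the policy list matches the path."""
    return any(re.search(rule, path) for rule in rules)


def screen_uri(uri, url_check=True):
    """Return ("forward", reason) or ("block", reason) for one request URI.

    Order of evaluation: White List (must match), Black List (must not match),
    then the URL Check (path must have been learned in Learning Mode) when that
    check is enabled. Only forwarded requests go on to the remaining checks.
    """
    path = uri.split("?", 1)[0]  # assumption: lists are matched on the path, not the query
    if not _matches(path, URI_WHITE_LIST):
        return ("block", "no White List match")
    if _matches(path, URI_BLACK_LIST):
        return ("block", "Black List match")
    if url_check and path not in LEARNED_URL_PATHS:
        return ("block", "URL Check: path not learned")
    return ("forward", "passed URI checks; run remaining request checks")


def screen_all(uris, url_check=True):
    """Screen a batch of URIs; returns {uri: (action, reason)}."""
    return {uri: screen_uri(uri, url_check) for uri in uris}


if __name__ == "__main__":
    for uri, (action, reason) in screen_all(SAMPLE_REQUESTS).items():
        print(f"{action:7} {uri:28} {reason}")
```

Running the block shows the three Figure 1 outcomes plus the two cases the figure does not cover: a URI that the White List admits but the Black List removes, and a URI that passes both lists yet is still blocked by the URL Check because it was never seen during learning (pass url_check=False to see it forwarded).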

Scan Request for Threats


If a client request passes the URI White and Black List Checks, the WAF scans aspects
of the HTTP request (method, version, URI, query string, headers, cookies, and
content) for threats. If the security check discovers malicious content, the request is
either denied or sanitized of the threat and forwarded to the web server. These
security checks are described in more detail below.


Figure 2 : Scan requests

Bot Check
The Bot Check option uses the “bot_defs” WAF policy file for search definitions of
known bot agents. If the Bot Check is enabled in the WAF template and a match is
found with the “bot_defs” file, the request is denied automatically.
You can copy the “bot_defs” file and modify the copy to include or remove bot
search terms. For more information about WAF policy files, see WAF Policy Files.

Form Field Consistency Check


The Form Field Consistency Check verifies that all of the form fields and their data
types that are sent to the client as part of the form are returned unmodified in
subsequent requests from the client. This check helps protect against hijacked forms
to which malicious code may have been added.

Referer Check
The Referer Check validates that a request which submits web form data carries a
Referer header naming the protected web server (one of the domains you configure),
rather than an outside website. This check helps to protect against CSRF attacks,
because a forged request launched from an attacker's page carries that page's
location in the Referer header. If a request fails the Referer Check, the WAF
redirects the request to a safe URL. The safe URL is any URL that you specify during
configuration.


When you configure the Referer Check, you specify the domain names from which
you want to allow traffic. When ACOS receives a request addressed to the virtual
port that is using the WAF, the WAF examines the Referer field of the request.
You can select one of the following options for the Referer Check:
• Enable (full checking) – Select the Enable option to enable full checking. To pass
the full check, the request must contain a Referer header field, and the field must
contain at least one of the domain names you specify during configuration.
• Only-if-present checking – Enable this option to check the Referer header of a
request only when a Referer header is present. Unlike the full checking option, the
only-if-present option ensures that a request does not fail the Referer Check
automatically because there is no Referer header in the request (for example,
because a browser or proxy strips the header for privacy reasons). The trade-off is
that only-if-present checking is weaker: the attacking page in a CSRF attempt
controls whether its forged request carries a Referer header at all, so a forged
request sent without one passes this option unexamined.

HTTP Protocol Compliance Check


Regardless of deployment mode, the WAF template automatically enforces a basic,
default set of HTTP protocol checks. Enable the HTTP Protocol Compliance Check to
perform the following suite of additional checks for protocol compliance:
• POST request with Content-Length: 0

NOTE: The WAF sends a warning message to the logging servers if a
POST request (that is not chunked) has a content length of 0.

• Header name with no header value
• Several Content-Length headers

NOTE: A request containing more than one Content-Length header might
indicate an HTTP request smuggling attempt, in which the attacker tries to make
the WAF and the back-end server disagree about where the request body ends.

• Chunked request with Content-Length header
• Body in GET or HEAD requests
• No Host header in HTTP/1.1 request
• Host header contains IP address
• Content length should be a positive number
• Bad HTTP version
• Maximum number of headers
• Bad host header value
• Maximum number of cookies
• Invalid character in Host header
• Header contains NULL character
• Header contains high-ASCII character
• POST with invalid Content-Length header
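The checks listed above are easy to get subtly wrong in practice, so here is an added Python example, written for this page rather than taken from the A10 guide or the ACOS code, that parses a raw HTTP/1.x request and reports which of the listed checks it violates. The 20-header and 20-cookie limits are the defaults this guide gives for the Maximum Headers and Maximum Cookies checks; the sample requests are constructed, and the exact violation wording, the treatment of IPv6 host literals (reported as an invalid Host value) and the decision to keep duplicate headers as a list rather than merge them are choices made here.

```python
import ipaddress
import re

MAX_HEADERS = 20   # default of the Maximum Headers Check described in this guide
MAX_COOKIES = 20   # default of the Maximum Cookies Check described in this guide

_REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\S+)$")
# hostname[:port]; IPv6 literals in brackets are deliberately not accepted here
_HOST_VALUE = re.compile(r"^[A-Za-z0-9.\-]+(:\d{1,5})?$")


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_protocol_compliance(raw):
    """Run the HTTP Protocol Compliance checks over one raw request (bytes).

    Returns a list of violation strings; an empty list means the request is
    compliant. Headers are kept as a list of (name, value) pairs so duplicates
    such as two Content-Length headers are seen rather than silently merged.
    """
    violations = []
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.rstrip(b"\r\n").split(b"\r\n")
    m = _REQUEST_LINE.match(lines[0].decode("latin-1"))
    if not m:
        return ["malformed request line"]
    method, version = m.group(1), m.group(3)
    if version not in ("1.0", "1.1"):
        violations.append("bad HTTP version")

    headers = []
    for line in lines[1:]:
        if b"\x00" in line:
            violations.append("header contains NULL character")
        if any(b > 0x7F for b in line):
            violations.append("header contains high-ASCII character")
        name, sep, value = line.decode("latin-1").partition(":")
        if not sep or not value.strip():
            violations.append(f"header {name.strip()!r} has no value")
        headers.append((name.strip().lower(), value.strip()))

    if len(headers) > MAX_HEADERS:
        violations.append("maximum number of headers exceeded")
    cookie_count = sum(len(v.split(";")) for n, v in headers if n == "cookie")
    if cookie_count > MAX_COOKIES:
        violations.append("maximum number of cookies exceeded")

    hosts = [v for n, v in headers if n == "host"]
    if version == "1.1" and not hosts:
        violations.append("no Host header in HTTP/1.1 request")
    for host in hosts:
        if not _HOST_VALUE.match(host):
            violations.append("invalid character in Host header")
        elif _is_ip_literal(host.split(":")[0]):
            violations.append("Host header contains IP address")

    lengths = [v for n, v in headers if n == "content-length"]
    chunked = any(n == "transfer-encoding" and "chunked" in v.lower() for n, v in headers)
    if len(lengths) > 1:
        violations.append("several Content-Length headers")            # smuggling indicator
    if chunked and lengths:
        violations.append("chunked request with Content-Length header")  # smuggling indicator
    if lengths and not lengths[0].isdigit():
        violations.append("Content-Length is not a positive number")
    elif method == "POST" and lengths and not chunked and int(lengths[0]) == 0:
        violations.append("warning: POST request with Content-Length: 0")
    if method in ("GET", "HEAD") and (body or chunked or any(v.isdigit() and int(v) > 0 for v in lengths)):
        violations.append("body in GET or HEAD request")
    return violations


# Constructed sample requests; none of these were captured from real traffic.
SAMPLES = {
    "clean": (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
              b"Cookie: sid=abc; lang=en\r\n\r\n"),
    "smuggling": (b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"Content-Length: 5\r\nContent-Length: 11\r\n"
                  b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n"),
    "ip_host_empty_header": b"GET / HTTP/1.1\r\nHost: 192.0.2.10\r\nX-Trace:\r\n\r\n",
    "no_host": b"GET / HTTP/1.1\r\n\r\n",
    "get_with_body": b"GET / HTTP/1.0\r\nHost: www.example.com\r\nContent-Length: 4\r\n\r\nabcd",
    "bad_version": b"GET / HTTP/9.9\r\nHost: www.example.com\r\n\r\n",
    "null_in_header": b"GET / HTTP/1.1\r\nHost: www.example.com\r\nX-Debug: a\x00b\r\n\r\n",
    "high_ascii": b"GET / HTTP/1.1\r\nHost: www.example.com\r\nX-Name: caf\xe9\r\n\r\n",
    "empty_post": b"POST /form HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 0\r\n\r\n",
    "cookie_flood": (b"GET / HTTP/1.1\r\nHost: www.example.com\r\nCookie: "
                     + b"; ".join(b"c%d=1" % i for i in range(MAX_COOKIES + 1)) + b"\r\n\r\n"),
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(f"{label:22} {check_protocol_compliance(request) or 'compliant'}")
```

The "smuggling" sample is the one to study: two Content-Length values plus Transfer-Encoding: chunked is exactly the shape that lets a front-end and back-end disagree about where one request ends and the next begins, and it trips two of the listed checks at once.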

HTML Cross-Site Scripting (XSS) Check


The HTML XSS Check defends against cross-site scripting (XSS) attacks. The WAF
searches the cookies and POST bodies of user requests for possible JavaScript
commands.
If the WAF discovers a potential cross-site scripting attack, the request is blocked.
For more information about XSS, see Web Form Security Attacks.

NOTE: This check uses the "jscript_defs" WAF policy file for JavaScript attack
patterns. If your website legitimately submits JavaScript-based content that
accesses or modifies content on an outside server, A10 Networks recommends
copying and modifying the "jscript_defs" file to add the appropriate
exceptions, so that this check does not block legitimate activity.

Buffer Overflow Check


The WAF can check various elements in an HTTP request to prevent buffer overflow.
You can specify the check to examine one or more of the following aspects of a
request:
• Cookie length, name length, and/or value length
• Header length, name length, and/or value length
• Parameter length, name length, and/or value length
• Maximum parameters
• URL length
• POST content size
• Line length
• Query length

HTML SQL Injection Check


The HTML SQL Injection Check scans incoming requests for strings that resemble SQL
commands or SQL special characters. If the WAF discovers a match, the request is
blocked.

NOTE: The HTML SQL Injection Check scans incoming requests for the attack
patterns listed in the "sqlia_defs" WAF policy file. Copy this file and apply the
copied file to the check to customize the attack pattern search criteria for
the HTML SQL Injection Check. (See SQL Injection Attack Check.)
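Both the HTML XSS Check and the HTML SQL Injection Check are pattern matches over request elements, and their value depends on normalizing the input before matching. The following added Python example, written for this page and not taken from the guide, the ACOS product or its policy files, shows that: a few constructed patterns stand in for "jscript_defs" and "sqlia_defs", request values are percent-decoded twice, entity-decoded and lowercased, and cookies and form-encoded POST bodies are scanned as the XSS check description says. The sample requests and the pattern lists are constructed for illustration; the real policy files are far longer and the exact normalization ACOS applies is not stated in this part of the guide.

```python
import html
import re
from urllib.parse import parse_qsl, unquote_plus

# Constructed stand-ins for the "jscript_defs" and "sqlia_defs" policy files.
# Patterns are written in lowercase because values are lowercased by normalize().
XSS_PATTERNS = [
    r"<\s*script\b",
    r"<\s*iframe\b",
    r"javascript\s*:",
    r"\bon(load|error|click|mouseover|focus)\s*=",
]
SQLI_PATTERNS = [
    r"\bunion\b.*\bselect\b",
    r"'\s*or\s+\S+\s*=\s*\S+",   # the classic ' OR 1=1 tautology
    r"--\s*$",                    # trailing SQL comment used to cut off the rest of a query
    r"\b(drop|alter)\s+table\b",
    r"\bsleep\s*\(",
]


def normalize(value):
    """Undo the encodings used to hide payloads from naive string matching.

    Percent-decoding is applied twice to catch double-encoded input
    (%253C -> %3C -> <), then HTML entities are decoded and the result is
    lowercased so that ScRiPt and script match the same pattern.
    """
    for _ in range(2):
        value = unquote_plus(value)
    return html.unescape(value).lower()


def scan_value(value, patterns):
    """Return the patterns that match the normalized value."""
    normalized = normalize(value)
    return [p for p in patterns if re.search(p, normalized)]


def scan_request(cookies, post_body):
    """Scan the request elements the HTML XSS and SQL Injection checks inspect:
    cookie values and the fields of a form-encoded POST body.

    Returns a list of (location, check, pattern) findings.
    """
    findings = []
    elements = [("cookie:" + k, v) for k, v in cookies.items()]
    elements += [("param:" + k, v) for k, v in parse_qsl(post_body, keep_blank_values=True)]
    for location, value in elements:
        findings += [(location, "xss", p) for p in scan_value(value, XSS_PATTERNS)]
        findings += [(location, "sqlia", p) for p in scan_value(value, SQLI_PATTERNS)]
    return findings


def verdict(cookies, post_body):
    """'block' if either check fires, otherwise 'forward'."""
    return "block" if scan_request(cookies, post_body) else "forward"


# Constructed sample requests as (cookie dict, POST body).
SAMPLES = {
    "double_encoded_xss": ({}, "comment=%253Cscript%253Ealert(1)%253C%2Fscript%253E"),
    "sqli_in_cookie": ({"pref": "x' OR 1=1--"}, "q=widgets"),
    "entity_encoded_xss": ({}, "bio=%26lt%3Bimg+src%3Dx+onerror%3Dalert(1)%26gt%3B"),
    "legitimate": ({"lang": "en"}, "name=O%27Reilly&q=selecting+unions+in+the+library"),
}

if __name__ == "__main__":
    for label, (cookies, body) in SAMPLES.items():
        print(f"{label:20} {verdict(cookies, body):7} {scan_request(cookies, body)}")
```

The "legitimate" sample shows the false-positive concern raised in the NOTE under the XSS check: a value such as O'Reilly or the word unions must not trip the patterns, which is why the SQL patterns anchor on word boundaries and on the characteristic ' OR x=y shape rather than on bare keywords. Matching only after decoding is what makes the double-encoded and entity-encoded samples visible at all.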

Allowed HTTP Methods Check


The Allowed HTTP Methods Check ensures that HTTP requests contain only the HTTP
methods that are allowed by the WAF template. By default, only the following
methods are allowed: GET, POST.
You can allow one or more of the following HTTP methods:

• GET
• POST
• HEAD
• PUT
• OPTIONS
• DELETE
• TRACE
• CONNECT
• PURGE

Support for Additional WebDAV HTTP Methods


Web Distributed Authoring and Versioning (WebDAV) is an extension to the HTTP
protocol that allows Internet users to modify files on a remote resource
(for example, a web server), using HTTP as the communication medium.


The WAF can be configured to accept several additional WebDAV HTTP methods, which
allows WebDAV traffic to pass through the WAF without being dropped. In releases
prior to ACOS 4.0, the WAF had to be disabled on all relevant connections before
the WebDAV methods could be used.
As part of the ACOS enhancements, the WAF supports the following WebDAV HTTP
methods, in addition to the originally supported GET and POST methods:
• PROPFIND – retrieves the hierarchical information, and properties, for a directory
containing a set of resources
• PROPPATCH – modifies multiple properties for a set of resources with a single
operation
• MKCOL – creates a directory for the resources
• COPY – copies a resource from one URI to another
• MOVE – moves a resource from one URI to another
• LOCK – locks a resource (can be either a shared or an exclusive lock)
• UNLOCK – removes the lock from a resource
• DP parsing of the new method string

The WAF can be configured to accept these methods by using the allowed-http-methods
CLI command within a WAF template and then specifying which of the WebDAV HTTP
methods will be allowed to pass through the WAF.

NOTE: WAF configuration is allowed on shared and on service partitions.

Maximum Cookies Check


The Maximum Cookies Check ensures that a client request does not contain more
than the maximum allowed number of cookies. By default, the maximum number of
cookies allowed in a request is 20.

Maximum Headers Check


The Maximum Headers Check ensures that a client request does not contain more
than the maximum allowed number of headers. By default, the maximum number of
headers allowed in a request is 20.


Session Checks
To increase the security of the session between the ACOS device and the clients, the
WAF offers cookie-based session checks, or “session tracking”.
With this option enabled, the WAF uses a cookie to track user sessions. When a
request is received from a client for the first time, ACOS creates a unique ID for the
session, stores it in a table, and inserts the ID into a cookie that is returned to the
client. Subsequent requests from this client are then validated against the session ID.
If the session ID does not match the saved ID, or if the ID is coming from a different IP
address than that of the original client, then the request is rejected.

Details:
• Session Tracking for WAF sessions is disabled by default.
• When enabled, you must specify the Session Lifetime to determine the amount of
time the session ID will remain valid. By default, the session lifetime is 600
seconds (10 minutes), but you can enter a range from 1–86400 seconds (24
hours).
• The session cookie is named "awaf-sid", and it is inserted into the header of the
response sent by ACOS.
• The header appears in the following format:
Set-Cookie: awaf-sid=<session-id>; path=/; max-age=<session-lifetime>
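Here is an added Python model of the session tracking described above, written for this page and not A10's implementation. It issues the awaf-sid cookie on a client's first request, stores the ID with the client's IP address and an expiry time, and rejects later requests whose ID is unknown, expired, or presented from a different IP address. The session table, the 128-bit random ID and the injectable clock are this example's choices; the cookie name, the default 600-second lifetime and the 1-86400 second range come from the guide.

```python
import secrets
import time

COOKIE_NAME = "awaf-sid"    # cookie name used by the WAF session check
DEFAULT_LIFETIME = 600      # seconds; the guide's configurable range is 1-86400


class SessionTracker:
    """Cookie-based session tracking as described under Session Checks.

    The session table maps a random session ID to the client IP address that
    first received it and the time at which the ID expires. `clock` is
    injectable so that expiry can be exercised without waiting.
    """

    def __init__(self, lifetime=DEFAULT_LIFETIME, clock=time.time):
        if not 1 <= lifetime <= 86400:
            raise ValueError("session lifetime must be 1-86400 seconds")
        self.lifetime = lifetime
        self.clock = clock
        self._table = {}

    @staticmethod
    def _parse_cookies(cookie_header):
        """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}."""
        if not cookie_header:
            return {}
        return dict(part.strip().split("=", 1)
                    for part in cookie_header.split(";") if "=" in part)

    def _new_session(self, client_ip):
        sid = secrets.token_hex(16)  # 128 random bits: unguessable, unlike a counter
        self._table[sid] = (client_ip, self.clock() + self.lifetime)
        return sid

    def handle_request(self, cookie_header, client_ip):
        """Return ("accept", set_cookie_header_or_None) or ("reject", reason)."""
        sid = self._parse_cookies(cookie_header).get(COOKIE_NAME)
        if sid is None:
            # First request from this client: create an ID and hand it out in the
            # response, in the exact header format the guide shows.
            new_sid = self._new_session(client_ip)
            return ("accept", f"Set-Cookie: {COOKIE_NAME}={new_sid}; path=/; max-age={self.lifetime}")
        entry = self._table.get(sid)
        if entry is None:
            return ("reject", "unknown session ID")
        owner_ip, expires_at = entry
        if self.clock() >= expires_at:
            del self._table[sid]  # expired IDs are purged so they cannot be replayed
            return ("reject", "session expired")
        if owner_ip != client_ip:
            return ("reject", f"session ID presented from {client_ip}, issued to {owner_ip}")
        return ("accept", None)


if __name__ == "__main__":
    tracker = SessionTracker()
    status, set_cookie = tracker.handle_request(None, "198.51.100.7")
    print(status, set_cookie)
    sid = set_cookie.split("awaf-sid=")[1].split(";")[0]
    print(tracker.handle_request(f"awaf-sid={sid}", "198.51.100.7"))
    print(tracker.handle_request(f"awaf-sid={sid}", "203.0.113.9"))
```

Two practical notes. The Set-Cookie line reproduces the format the guide gives, which carries only path and max-age; a site served over HTTPS would normally also want this cookie flagged Secure and HttpOnly, which the guide does not mention. And binding a session to the originating IP address, as the check does, rejects legitimate clients whose address changes mid-session (mobile networks, NAT pools that rotate egress addresses), so expect such rejections in the logs.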

Password Security
The WAF offers several additional password security options to control how
passwords are treated when traversing the WAF.

Deny Unmasked Passwords


When a user types a password into an HTML form’s password field, the characters
are typically hidden by another character, such as an asterisk. In this way, the
password characters are masked when typed by the user. This masking prevents an
observer from stealing the password and using it at a later time to access the user’s
account.
The WAF can guard against this type of "shoulder surfing" by leveraging the
"password" field type. When the deny-non-masked-passwords option is enabled,
the WAF will deny the web server's attempt to send a form unless the field type is
set to "password".
If the form field is named “password” (or “secret”), then the field type also needs to
be set to “password” to ensure that the password characters will be hidden when
typed by the end user. (Other field types, such as “text”, will not hide the password
characters as they are being entered by the user.)
The example below shows a form that would be denied by the WAF. Note that the
form field type is set to "text", and the field name is set to "Password". The WAF
would block the web server's attempt to send this form because "input
type=text" means the user's password would not be hidden or masked as it was
being typed and would thus be vulnerable to theft.
<form>
Password: <input type="text" name="Password">
</form>

The second example below shows a form that would be allowed by the WAF,
because even though the field is named “Password”, the field type has also been
set to “password”, meaning the form field would mask the characters typed by a
user.
<form>
Password: <input type="password" name="Password">
</form>

To configure the WAF to prevent web servers from sending non-secure password
forms to a client, use the deny-non-masked-passwords CLI command at the WAF
template configuration level.

Deny Passwords Sent Over an Unencrypted Connection


You can configure the WAF to block user passwords that are sent over a non-
encrypted connection. If the connection between the client and the WAF is secured
with SSL/TLS, then the user password is allowed. However, if the client attempts to
submit to a form field where “input type=password”, and if the connection is not
encrypted with SSL/TLS, then the WAF will block the transmission.

NOTE: Even when this option is enabled, the password may already have been
exposed: the WAF can only block the submission after the client has sent it
over the unencrypted connection, so anyone able to observe that connection
has already seen the password. The option keeps the back-end server from
accepting credentials sent over plaintext HTTP; it does not make the plaintext
submission itself safe.

You can enable this option to prevent the WAF from allowing the transmission of
user passwords over non-SSL-encrypted connections by entering the deny-non-ssl-
passwords CLI command at the WAF template configuration level.

Deny Passwords if Autocomplete is Enabled


Modern browsers can store user passwords and offer to fill them in automatically
when the user returns to a website that requires entering a password into a web
form field. This autocomplete behavior is controlled by the
"autocomplete=on/off" attribute, which is typically associated with the HTML form
text fields.
While end users may appreciate this "autocomplete" behavior because it simplifies
the process of logging into websites, the convenience comes at the cost of making
the user's password, and the overall security of the login process, less secure.
To control the browser's behavior, administrators can increase security by
configuring the WAF to reject the web server's form if the field type is set
to "password" and the "autocomplete=on/off" attribute is set to "on".
To configure this option and prevent the WAF from allowing the transmission of
user passwords when the "autocomplete=on/off" attribute is set to "on", use the
deny-password-autocomplete CLI command at the WAF template configuration
level.
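The three password options above all reduce to inspecting the forms the server sends and the submissions the client returns. The added Python example below, written for this page and not A10's code, implements that reading: the response-side inspector flags an input named password or secret whose type is not password (deny-non-masked-passwords) and a password input with autocomplete="on" (deny-password-autocomplete); the request-side function blocks a submission that includes a password field when the connection is not TLS (deny-non-ssl-passwords). The two forms from the guide are reused as samples and the third is constructed. How the WAF itself records which fields are password fields is not stated in the guide, so passing that list from the response inspector to the request check is an assumption made here.

```python
from html.parser import HTMLParser

# Field names the guide says must use type="password" (matched case-insensitively).
PASSWORD_FIELD_NAMES = ("password", "secret")


class _InputCollector(HTMLParser):
    """Collect the attributes of every <input> element in a response body."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":  # HTMLParser lowercases tag and attribute names
            self.inputs.append({name: (value or "") for name, value in attrs})


def inspect_form_response(body, deny_non_masked=True, deny_autocomplete=True):
    """Response-side checks: deny-non-masked-passwords and deny-password-autocomplete.

    Returns (action, violations, password_fields), where action is "deny" or
    "allow" and password_fields lists the names of type="password" inputs for
    use by the request-side check below.
    """
    collector = _InputCollector()
    collector.feed(body)
    violations, password_fields = [], []
    for inp in collector.inputs:
        name = inp.get("name", "")
        field_type = inp.get("type", "text").lower()  # browsers treat a missing type as text
        if field_type == "password":
            password_fields.append(name)
        if deny_non_masked and name.lower() in PASSWORD_FIELD_NAMES and field_type != "password":
            violations.append(f"field {name!r} has type {field_type!r}; password would be visible while typed")
        if deny_autocomplete and field_type == "password" and inp.get("autocomplete", "").lower() == "on":
            violations.append(f"field {name!r} allows browser autocomplete")
    return ("deny" if violations else "allow", violations, password_fields)


def check_password_submission(posted_fields, password_fields, over_tls, deny_non_ssl=True):
    """Request-side check: deny-non-ssl-passwords.

    posted_fields are the field names in the client's POST; password_fields is
    the list returned by inspect_form_response() for the form the WAF delivered
    earlier (assumption). The WAF knows whether the client connection is TLS
    because it terminates that connection itself.
    """
    if deny_non_ssl and not over_tls and any(name in password_fields for name in posted_fields):
        return ("block", "password field submitted over an unencrypted connection")
    return ("forward", None)


# The two forms from the guide, plus a constructed third one.
DENIED_FORM = '<form>Password: <input type="text" name="Password"></form>'
ALLOWED_FORM = '<form>Password: <input type="password" name="Password"></form>'
AUTOCOMPLETE_FORM = '<form><input type="password" name="Password" autocomplete="on"></form>'

if __name__ == "__main__":
    for label, form in (("denied", DENIED_FORM), ("allowed", ALLOWED_FORM), ("autocomplete", AUTOCOMPLETE_FORM)):
        print(label, inspect_form_response(form))
    print(check_password_submission(["user", "Password"], ["Password"], over_tls=False))
```

One caveat the code makes visible: the autocomplete rule fires only on an explicit autocomplete="on", as the guide describes, while browsers treat a missing attribute as on as well, so a form that simply omits the attribute passes this check.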

Open Redirect Mitigation


The Open Redirect Mitigation feature offers protection against the threat of
“unvalidated redirects or forwards”, which is listed as one of the Open Web
Application Security Project (OWASP) “Top 10 List” of most severe security risks for
2013.
An unvalidated redirect occurs when an attacker uses email or social
networks (such as Facebook or Twitter) to trick unsuspecting users into
clicking a malicious hyperlink as part of a phishing scam. Although the
hyperlink appears to point to a trusted website, it carries a redirect
target that sends the user on to a forged website, where the user may be
tricked into submitting login credentials (username/password), credit card
numbers, security codes, or other sensitive information. Once this
information is acquired, the attacker can use it to access the user’s
accounts or attack the user’s systems.
Although OWASP groups “unvalidated redirects or forwards” together as a single
threat, these are actually two separate-but-related threats, and the WAF
mitigates them in different ways:
• “forwards” – With this type of threat, users become victims when they are
forwarded to a malicious URL which tricks them into surrendering their login
credentials. This risk can be mitigated through the URL Check feature, which
is discussed here: URL Check
• “unvalidated redirects” – Described in detail below.

The WAF protects users against the threat of “unvalidated redirects” by pre-learning
a white-list of acceptable locations to which users can safely be redirected. If one of
the web servers attempts to redirect a user to a location that does not appear in the
redirect white-list, then the WAF blocks the redirect.
The Open Redirect Mitigation feature must be enabled using the redirect-wlist CLI
command. The command is used at the WAF template configuration level, and the
first time the command is used, the WAF must be deployed in Learning Mode.

NOTE: If you attempt to use the command for the first time while the WAF is
deployed in Active Mode or Passive Mode (and before the redirect
white-list has been created during Learning Mode), then you will
receive an error message stating that “redirect-wlist cannot be turned
on with empty list.”

Known-good traffic is then sent through the WAF, which inspects every
“redirect” response received from the backend web servers, where a redirect
response is defined as any HTTP response with a status code in the range
300–308.
The WAF extracts the value of the Location header from each such response
and stores it in its internal database.
When the WAF deployment mode is subsequently changed from Learning Mode to
Active Mode (or Passive Mode), the location information in the database is
transferred to a persistent file called “redirect_wlist_”, prefixed with the
name of the WAF template. For example, the WAF template “test” would have a
policy file called “_test_redirect_wlist_”.

Details:
The behavior of this option depends on which deployment mode the WAF is in:
• Learning Mode – The option must be enabled for the first time while the WAF
is deployed in Learning Mode. The learned locations are saved in the ACOS
device’s local database. At this time, the white-list file has not yet been
created, so if you wish to modify the redirect white-list, you must first
change to Active or Passive Mode.

NOTE: No action is performed upon traffic during Learning Mode, other
than using the traffic to build the redirect white-list.

• Active Mode – Once the redirect white-list has been created while the WAF
is deployed in Learning Mode, you can change the deployment mode to Active
Mode. From this point, the database is used as a white-list of allowed
Location headers in redirect responses. If a response from the web server
contains a redirect whose location is not in the white-list, the WAF denies
(drops) the response and sends the client a “403 Forbidden” reply.
• Passive Mode – If the option is enabled while the WAF is deployed in
Passive Mode, the WAF uses the existing redirect white-list to inspect
traffic, but it takes no blocking action; it only increments the counters
and generates logs for the actions that would have been taken had the WAF
been in Active Mode.

Configuration
To prevent unvalidated redirects, use the following CLI command at WAF template
configuration level:
redirect-wlist

NOTE: The WAF must be deployed in Learning Mode the first time the
command is used. Once the redirect white-list is created, you can then
switch to Passive Mode or Active Mode.

Display Statistics
You can display statistics for the redirect-wlist option using the
show waf stats virtual-server-name portnum CLI command, as shown in the
example below, which offers three dedicated counters associated with the
redirect white-list:
ACOS# show waf stats vip2 80
...
Redirect White List Check
- Learned 8
- Success 2
- Failed 0
...

The output in this example is for the WAF template that is bound to vip2,
port 80. The table below describes the relevant fields in the command output.

Table 1 : show waf stats fields

Field                  Description
Redirect White List    Redirect counters:
                       • Learned – Number of redirect locations learned
                         during Learning Mode and added to the redirect
                         white-list.
                       • Success – Number of redirect responses whose
                         Location matched an entry in the redirect
                         white-list and were passed to the client.
                       • Failed – Number of redirect responses whose
                         Location did not match an entry in the redirect
                         white-list and were blocked (Active Mode) or
                         would have been blocked (Passive Mode).

Normalization Enhancements for URL Options


ACOS supports URL normalization, which is the process of standardizing the
appearance of URLs so that differently written URLs can be compared.
For example, one URL might use lower-case characters, while another URL could
use a mix of upper-case and lower-case characters. A simple normalization
scheme converts the scheme and host of the mixed-case URL to lower case, as
shown below.
• Before normalization: HTTP://www.Example.com/
• After normalization: http://www.example.com/

This process of normalizing URLs is also used by search engines to make
comparisons of several URLs easier. By standardizing the appearance of URLs
and reducing them to canonical form, it is easier to ensure the same URL is
not cataloged twice by a web crawler.
The WAF uses URL normalization to protect web servers from attacks that hide
behind non-normalized or recursively encoded data, so that its checks see the
URL the server will actually interpret. One example of such an attack is the
so-called “directory traversal attack,” which uses encoded “../” sequences in
file names to reach directories or files outside the intended web root.

URL Options
In addition to normalizing upper-case and lower-case characters, the WAF can
also apply the following transformations to the URLs it inspects:
• Decode Entities – Decode character entities such as &lt;, &#ddd; (decimal)
and &#xhh; (hexadecimal) in an internal URL.
• Decode Escaped Characters – Decode escape sequences such as \r, \n, \" and
\xhh in an internal URL.
• Decode HEX Characters – Decode percent-encoded characters such as %xx and
%u00yy in an internal URL.
• Remove Comments – Remove comments from an internal URL.
• Remove Self References – Remove self-references such as /./ and /path/../
from an internal URL.
• Remove Spaces – Remove spaces from an internal URL.
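
The Python below is an added example written for this guide, not ACOS code,
and it does not claim to reproduce the exact order in which ACOS applies the
transformations above (the guide does not state it). It applies each of the
listed decodings repeatedly until nothing changes, so double encodings such as
%252e collapse, and then goes one step further than the list: it resolves the
remaining “.” and “..” segments and flags a path that climbs above the root,
which is how a normalization step exposes a directory traversal attempt. All
inputs are constructed.

```python
"""Normalize a request URL (entities, escapes, %xx / %uXXXX, comments,
spaces, case of scheme and host) and detect traversal that hides behind
encoding. Added example written for this guide; it is not ACOS code."""
from __future__ import annotations

import html
import re

_UHEX = re.compile(r"%u([0-9a-fA-F]{4})")                 # %u002e
_HEX = re.compile(r"%([0-9a-fA-F]{2})")                   # %2e
_ESC = re.compile(r'\\(?:x([0-9a-fA-F]{2})|([rn"\\]))')   # \x2e \r \n \" \\
_ESC_MAP = {"r": "\r", "n": "\n", '"': '"', "\\": "\\"}
_COMMENT = re.compile(r"/\*.*?\*/", re.S)                 # /* ... */
_SCHEME_HOST = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.\-]*://)([^/?#]*)(.*)$", re.S)


def _decode_escape(m: re.Match) -> str:
    return chr(int(m.group(1), 16)) if m.group(1) else _ESC_MAP[m.group(2)]


def decode_once(url: str) -> str:
    """One pass of: decode entities, decode escapes, decode %uXXXX then %xx,
    remove comments, remove white space."""
    url = html.unescape(url)                       # &lt; &#46; &#x2e;
    url = _ESC.sub(_decode_escape, url)
    url = _UHEX.sub(lambda m: chr(int(m.group(1), 16)), url)
    url = _HEX.sub(lambda m: chr(int(m.group(1), 16)), url)
    url = _COMMENT.sub("", url)
    return re.sub(r"\s+", "", url)


def normalize_url(url: str, max_rounds: int = 3) -> str:
    """Decode repeatedly (bounded) so recursive encodings collapse, then
    lower-case scheme and host. The path keeps its case."""
    for _ in range(max_rounds):
        decoded = decode_once(url)
        if decoded == url:
            break
        url = decoded
    m = _SCHEME_HOST.match(url)
    if m:
        url = m.group(1).lower() + m.group(2).lower() + m.group(3)
    return url


def resolve_path(path: str) -> tuple[str, bool]:
    """Remove self references (/./ and /x/../). The flag is True when a '..'
    tries to climb above the root, i.e. a traversal attempt."""
    segments: list[str] = []
    escaped = False
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            else:
                escaped = True
        else:
            segments.append(seg)
    return "/" + "/".join(segments), escaped


def is_traversal(url: str) -> bool:
    """True if the normalized path escapes the document root."""
    normalized = normalize_url(url)
    path = _SCHEME_HOST.sub(lambda m: m.group(3), normalized)   # strip scheme://host
    path = path.split("?", 1)[0].split("#", 1)[0]               # strip query/fragment
    return resolve_path(path)[1]


if __name__ == "__main__":
    for u in ("/images/..%2F..%2F..%2Fetc/passwd", "/%252e%252e/secret", "/a/./b/../c"):
        print(u, "->", normalize_url(u), "traversal" if is_traversal(u) else "ok")
```

Bounding the decode loop matters: an unbounded “decode until stable” loop is
itself a CPU sink on a crafted input, and a bound of two or three rounds
already covers the double and triple encodings seen in practice.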

WAF XML Checks


ACOS 4.0 offers enhancements to the WAF that allow it to scrub client requests
containing eXtensible Markup Language (XML) code for anomalies. XML is commonly
used for data exchange, but hackers may exploit security holes in the XML code to
attack servers.
It is important to inspect and validate client requests containing XML code to protect
the backend servers from XML transactions that could allow hackers to bypass
application security, provide malicious input, and potentially slow down or crash the
servers.

When the WAF XML checks are enabled, the WAF inspects client requests for
XML and, if present, checks that the document is well-formed and, when a
schema is configured, validates its structure against a trusted XML schema
file. This helps to ensure that the content of the client’s XML request is
well-formed and does not contain any potential threats.

Types of XML Checks


In this release, the WAF offers the following types of XML checks:
• XML Format Checks – This option uses the xml-format-check command to
examine the XML in incoming requests and block requests that are not
well-formed.
• XML Validation Checks – This option uses the xml-validation CLI command to
validate the XML content of a request against an XML Schema file or WSDL
file. Running such checks on incoming XML content prevents an attacker from
using specially-constructed (and invalid) XML messages to circumvent the
web application’s standard security checks. If the XML content fails the
validation check, the WAF blocks the request.
• XML Limit Checks – This option uses the xml-limit CLI command to enforce
parsing limits in order to protect the servers from various denial-of-service
(DoS) attacks, such as XML bombs and Transform Injections, both of which are
defined in greater detail below.
• XML Cross-Site Scripting Checks – This option uses the xml-xss-check CLI
command to examine the headers and bodies of incoming XML requests for
JavaScript keywords that might indicate a cross-site scripting attack. If the
request contains a positive match, the WAF blocks the request.
• XML SQL Injection Checks – This option uses the xml-sqlia-check CLI command
to examine the headers and bodies of incoming requests for SQL special
characters and keywords that might indicate an SQL injection attack. If
found, the WAF blocks those requests.

XML Format Checks


The XML format check examines the format of incoming requests, and blocks
requests if the XML content is not well-formed. The option can be enabled with the
following CLI command at the WAF template configuration level:
xml-format-check

The XML format check verifies that incoming requests containing XML code
comply with the XML 1.0 specification, which can be found at the following
URL:
http://www.w3.org/TR/REC-xml/
The XML Format Check evaluates incoming XML documents for compliance with the
following rules:
• XML documents must contain only properly-encoded Unicode characters.
• Markup characters must not appear as literal character data. In
particular, “<” and “&” must be escaped (as &lt; and &amp;) wherever they
are not markup, and “>” is conventionally escaped as &gt; in the same way.
• The XML document must contain all beginning and end tags. All begin, end,
and empty-element tags must be nested correctly: no element tag may be
missing, and element tags must not overlap.
• A single root element must contain all the other elements in the XML
document.

XML Validation Checks


The XML Validation Check is used to prevent an attacker from using invalid XML
messages that have been specially-constructed to evade application security.
The XML Validation Check examines client requests containing XML content to make
sure that the XML messages are valid.
If a client request contains an XML message, and the XML validation check option is
enabled, then the incoming request will be compared with an XML schema file.
An XML schema is an XML document that describes the required structure of
other XML documents. The XML schema goes beyond defining proper XML syntax:
it defines which elements or attributes can appear in an XML document, the
number, order, and relationship of child elements, and the data types of the
various elements and attributes that appear in the document.
If an incoming request is compared with the XML schema, and the WAF determines
that the request is not valid, then it is deemed a threat and the WAF blocks the
request.

The option can be enabled using the following CLI command at the WAF template
configuration level:
xml-validation xml-schema [resp-val] xml-schema-file-name

XML Schema Validation


The WAF can validate XML messages using an XML schema file. You must upload
the XML schema file that you plan to use for validation. The XML schema file
can be uploaded using the import command at the global config level of the
CLI:
import xml-schema local-filename [use-management-port] file-name url

The use-mgmt-port option makes the device use its management interface as
the source interface for the file-transfer connection.
The url option specifies the file transfer protocol, username, and directory
path. You can enter the entire URL on the command line, or you can press
Enter to display a prompt for each part of the URL. If you enter the entire
URL and a password is required, you will still be prompted to enter the
password. To enter the entire URL, use one of these forms:
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• sftp://[user@]host/file

If you need to modify an existing XML schema file, you can do so using the
following CLI command at the global config level:
waf xml-schema edit local-filename

If you need to remove an existing schema file, you can do so using the
following CLI command at the global config level:
waf xml-schema delete local-filename

Response Validation
By default, the WAF does not validate server responses. In order to validate
responses from a protected web application, the resp-val option should be
selected.

WSDL Validation
The WAF can validate SOAP messages (based on XML) using a Web Services
Description Language (WSDL) document.
For more information about WSDL Validation, please see WAF SOAP Checks .

XML Limit Checks


When the xml-limit option is configured, the WAF XML parser enforces parsing
limits in order to protect backend servers against denial-of-service (DoS)
attacks that are designed to exhaust system memory or CPU resources. Two
examples of DoS attacks that can be prevented this way are XML Bombs and
Transform Injections.

XML Bomb
An XML Bomb is a denial-of-service attack that takes advantage of the fact
that entity references in an XML document must be expanded when the document
is parsed. The attacker declares an entity, then declares further entities
whose replacement text references the previous entity many times, so that
each level multiplies the expanded size of the level before it. Entity
expansion is a normal and required step in XML processing, so an unlimited
parser follows the declarations faithfully until memory and CPU are
exhausted; left unchecked, such an attack can slow the server to a crawl or
crash it.
The WAF addresses this by placing a maximum limit on the number of entity
expansions allowed in an XML document and, separately, on the number of
levels of nested entity recursion. Together, these limits contain and
mitigate the harmful effects of an XML Bomb.

Transform Injection
Transform Injections are a different type of denial-of-service attack. They
take advantage of XSLT flow-control functions to create infinite loops or
redundant transforms that eventually exhaust the memory and CPU resources
the server can offer.
To mitigate the effects of Transform Injection attacks, the WAF can be
configured to place limits on the maximum depth of nested elements, the
amount of data contained in an element, and the maximum size of an XML
document.

Configuring XML Limit Parameters to Thwart XML Bombs and Transform Injections
To prevent XML Bombs, Transform Injections, and other types of DoS attacks from
consuming excessive system resources, ACOS provides the following CLI command,
which can be used at the WAF template configuration level.
xml-limit parameter limit

The xml-limit command accepts any of the parameters shown below:
• max-attr number
Limits the number of attributes each individual element is allowed to have.
number – Maximum number of attributes allowed per element. Range is 1–256.
Default is 256.
• max-attr-name-len number
Limits the length of each attribute name.
number – Maximum number of characters allowed per attribute name. Range is
1–2048. Default is 128.
• max-attr-value-len number
Limits the length of each attribute value.
number – Maximum number of characters allowed per attribute value. Range is
1–4096. Default is 128.
• max-cdata-len number
Limits the length of the CDATA section of each element.
number – Maximum length of the CDATA section of an element. Range is
1–65535. Default is 65535.

• max-elem number
Limits the number of elements of any one type per XML document.
number – Number of elements allowed. Range is 1–8192. Default is 1024.
• max-elem-child number
Limits the number of children each element is allowed, counting child
elements, character data, and comments.
number – Maximum number of children allowed per element. Range is 1–4096.
Default is 1024.
• max-elem-depth depth
Limits the number of nested levels in each element.
depth – Maximum number of levels allowed. Range is 1–4096. Default is 256.
• max-elem-name-len length
Limits the length of the name of each element.
length – Maximum length of each element name, including the XML path, which
is in the following format:
http://<site>/<path>/page.xml
Range is 1–65535. Default is 128.
• max-entity-exp number
Limits the number of entity expansions allowed.
number – Maximum number of entity expansions allowed. Range is 0–1024.
Default is 1024.
• max-entity-exp-depth number
Limits the depth of nested entity expansions.
number – Maximum depth of entity expansions allowed. Range is 0–32. Default
is 32.
• max-namespace number
Limits the number of namespace declarations in an XML document.
number – Maximum number of namespace declarations allowed. Range is 0–256.
Default is 16.
• max-namespace-uri-len number
Limits the URI length of each namespace declaration.
number – Maximum URI length allowed for each namespace declaration. Range is
0–1024. Default is 256.
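
The Python below is an added example written for this guide, not ACOS code.
It enforces a subset of the limits above (element depth, attributes per
element, child elements per element, entity expansion count and depth) from
inside expat callbacks, so an XML bomb is rejected while its DTD is being
read, before any entity reference in the body is expanded. The limit names
and defaults mirror the xml-limit parameters; the child count covers child
elements only, and the sample documents are constructed.

```python
"""Enforce XML parsing limits with expat so an XML bomb is rejected at its
entity declarations. Added example written for this guide; not ACOS code."""
from __future__ import annotations

import re
from dataclasses import dataclass
from xml.parsers import expat


class XmlLimitExceeded(Exception):
    """Raised inside an expat callback; aborts the parse immediately."""


@dataclass
class XmlLimits:
    max_elem_depth: int = 256
    max_attr: int = 256
    max_elem_child: int = 1024
    max_entity_exp: int = 1024
    max_entity_exp_depth: int = 32


_ENTITY_REF = re.compile(r"&([^#&;\s]+);")   # general entity references only


def check_xml_limits(data: bytes, limits: XmlLimits | None = None) -> tuple[bool, str]:
    """Return (True, "ok") if data stays within limits, else (False, reason)."""
    lim = limits or XmlLimits()
    parser = expat.ParserCreate()
    exp_count: dict[str, int] = {}   # entities expanded when this entity is expanded
    exp_depth: dict[str, int] = {}   # nesting depth of references inside it
    open_children: list[int] = []    # child elements seen so far per open element

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if value is None:            # external entity: nothing to expand here
            return
        # expat hands over the literal replacement text, references unexpanded,
        # so the blow-up can be computed from the declarations alone.
        refs = _ENTITY_REF.findall(value)
        count = sum(1 + exp_count.get(r, 0) for r in refs)
        depth = 1 + max((exp_depth.get(r, 0) for r in refs), default=0)
        if count > lim.max_entity_exp:
            raise XmlLimitExceeded(f"entity {name!r} expands {count} entities (max {lim.max_entity_exp})")
        if depth > lim.max_entity_exp_depth:
            raise XmlLimitExceeded(f"entity {name!r} nests {depth} levels (max {lim.max_entity_exp_depth})")
        exp_count[name] = count
        exp_depth[name] = depth

    def start_element(name, attrs):
        if len(attrs) > lim.max_attr:
            raise XmlLimitExceeded(f"element {name!r} has {len(attrs)} attributes (max {lim.max_attr})")
        if open_children:
            open_children[-1] += 1
            if open_children[-1] > lim.max_elem_child:
                raise XmlLimitExceeded(f"more than {lim.max_elem_child} child elements")
        open_children.append(0)
        if len(open_children) > lim.max_elem_depth:
            raise XmlLimitExceeded(f"element nesting exceeds {lim.max_elem_depth}")

    def end_element(name):
        open_children.pop()

    parser.EntityDeclHandler = entity_decl
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    try:
        parser.Parse(data, True)
    except XmlLimitExceeded as exc:
        return False, str(exc)
    except expat.ExpatError as exc:
        return False, f"not well-formed: {exc}"
    return True, "ok"


# Constructed sample: three levels of tenfold expansion (1110 entities at lol3).
BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""

if __name__ == "__main__":
    print(check_xml_limits(b"<doc><item id='1'/><item id='2'/></doc>"))
    print(check_xml_limits(BILLION_LAUGHS))
    print(check_xml_limits(b"<a>" * 300 + b"</a>" * 300))
```

With the default max-entity-exp of 1024, lol1 costs 10 expansions, lol2 110
and lol3 1110, so the document is refused at the lol3 declaration; the body
is never reached. Depth counts levels of nested references, so the same
document reaches only depth 4 of the default 32.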

XML Cross-Site Scripting Checks


The XML cross-site scripting check examines the headers and bodies of incoming XML
requests for Javascript keywords that might indicate possible cross-site scripting
attacks and blocks those requests.
The option can be enabled with the following CLI command at the WAF template
configuration level:
xml-xss-check

The policy file for xml-xss-check is taken from the xss-check option, which
must also be configured. See XSS Check for additional details.
The WAF checks the incoming request against the “jscript_defs” WAF policy
file, which contains a list of common JavaScript commands. If the client
request produces a positive match against the JavaScript commands in this
policy file, the message is rejected. The WAF does not currently support
modifying (sanitizing) the contents of XML requests that are denied.

CLI Example
The xml-xss-check depends on configuring the xml-format-check and the
xss-check within the WAF template. The xss-check is configured to reject
requests with a positive match to the filtering criteria. The WAF template
“tempwaf1” is bound to VIP “vs101”.
waf template tempwaf1
  template logging syslog
  xml-format-check
  xml-xss-check
  xss-check reject

slb virtual-server vs101 10.12.0.101
  port 80 http
    source-nat pool nat_IPv4
    service-group sg-http
    template waf tempwaf1

XML SQL Injection Checks


To detect XML SQL injection attacks, the WAF examines the headers and bodies
of incoming requests for SQL special characters or keywords that might
indicate an SQL injection attack. If the check finds any of the forbidden
special characters or keywords, the WAF blocks those requests and prevents
them from reaching the servers. This option can be enabled using the
following CLI command at the WAF template configuration level:
xml-sqlia-check

The policy file for xml-sqlia-check is taken from sqlia-check, which must
also be configured. See SQL Injection Attack Check for additional details.
The WAF checks the incoming request against the rules contained in the WAF
policy file “sqlia_defs”. If the client request produces a positive match
against the rules in the policy file, the message is rejected. The WAF does
not currently support modifying (sanitizing) the contents of XML requests
that are denied.

CLI Example
The xml-sqlia-check depends on configuring the xml-format-check and the
sqlia-check within the WAF template “tempwaf2”. The sqlia-check is
configured to reject requests with a positive match to the filtering
criteria. The WAF template “tempwaf2” is bound to VIP “vs102”.
waf template tempwaf2
  sqlia-check reject
  template logging syslog
  xml-format-check
  xml-sqlia-check

slb virtual-server vs102 10.12.0.101
  port 80 http
    source-nat pool nat_IPv4
    service-group sg-http
    template waf tempwaf2

WAF SOAP Checks


What is SOAP?
The Simple Object Access Protocol (SOAP) was created to allow platform-
independent communication between web services. SOAP is based on XML and
typically relies on HTTP to transmit messages.
Prior to SOAP, most applications communicated using remote procedure calls
(RPCs). Sending an RPC across the Internet to a web server was often
problematic because RPC traffic would be blocked by firewalls.
SOAP gained popularity because it offered a way for web applications to
communicate over the Internet without their messages being blocked by
firewalls: SOAP relies on HTTP to transmit messages, and HTTP is permitted
by virtually all firewalls and supported by all Internet browsers and
servers. The flip side is that a SOAP endpoint is reachable by anything that
can send HTTP, which is why the message-level checks below matter.

Structure of a SOAP Message


A SOAP message is an ordinary XML document that contains the following
elements:
• An Envelope element, which identifies this XML document as a SOAP message
• An optional Header element, which contains the header blocks
• A Body element, which contains the call and response information
• A Fault element, placed inside the Body, which carries error and status
information

Types of SOAP Checks


In this release, the WAF offers the following types of SOAP checks:
• SOAP Format Checks – This option uses the soap-format-check CLI command to
examine the format of incoming SOAP requests and block those which are not
well-formed.
• SOAP Validation Checks – This option uses the xml-validation wsdl CLI
command to validate the SOAP content of a request against a WSDL file. If
the SOAP content fails the validation check, the WAF blocks the request.

SOAP Format Checks


The SOAP Format Check scrubs client requests that use SOAP for anomalies
that could indicate the presence of an attack.
SOAP format checks can be enabled independently of XML checks, although this
is not recommended. Most of the time, SOAP format checks are done in tandem
with XML format checks, which makes sense because SOAP is based on XML.
As a best practice, when enabling SOAP format checks (using the
soap-format-check option), also enable XML format checks (using the
xml-format-check option). The WAF always performs the XML checks first and
then adds the SOAP-specific checks on top of them.
For additional information on XML format checks, see WAF XML Checks.

What is a SOAP Format Check?


The SOAP Format Check scrubs incoming client requests to ensure that the SOAP
requests are structured in the proper format, as defined by the World Wide
Web Consortium in the following Recommendation:
http://www.w3.org/TR/2007/REC-soap12-part1-20070427/
The SOAP format check performs the following evaluations:
• Verifies that messages have the appropriate sections (Envelope, Header,
Body, Fault, etc.) and that these sections appear in the correct order.
• Verifies that the envelope uses the correct namespace
(http://www.w3.org/2003/05/soap-envelope).
• Verifies that defined attributes, such as role, encodingStyle, Code, etc.,
follow the defined format.

You can enable SOAP format checks using the following CLI command at the WAF
template configuration level:
soap-format-check

NOTE: As mentioned above, the xml-format-check option should also be
enabled when enabling the soap-format-check option.
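
The Python below is an added example written for this guide, not ACOS code,
showing the kind of structural evaluation a SOAP format check performs on a
SOAP 1.2 message: correct envelope namespace, Header (if present) first and
Body last, a Fault only as the sole child of Body and carrying Code and
Reason, no encodingStyle on Envelope, Header or Body, and mustUnderstand
values that are xs:boolean. Well-formedness is left to the XML parser, in the
same order the guide describes (XML checks first, SOAP checks on top). The
sample messages are constructed.

```python
"""Structural check of a SOAP 1.2 message. Added example written for this
guide; it is not ACOS code and covers only the points listed above."""
from __future__ import annotations

import xml.etree.ElementTree as ET

SOAP_ENV = "http://www.w3.org/2003/05/soap-envelope"


def q(local: str) -> str:
    """Clark-notation name in the SOAP 1.2 envelope namespace."""
    return f"{{{SOAP_ENV}}}{local}"


def soap_format_check(data: bytes) -> tuple[bool, str]:
    """Return (True, "ok") for a structurally valid envelope, else (False, reason)."""
    try:
        root = ET.fromstring(data)            # XML format check comes first
    except ET.ParseError as exc:
        return False, f"not well-formed XML: {exc}"
    if root.tag != q("Envelope"):
        return False, f"root element is {root.tag}, expected Envelope in {SOAP_ENV}"
    names = [child.tag for child in root]
    for name in names:
        if name not in (q("Header"), q("Body")):
            return False, f"unexpected child of Envelope: {name}"
    if names.count(q("Body")) != 1 or names[-1] != q("Body"):
        return False, "Envelope needs exactly one Body and it must be the last child"
    if names.count(q("Header")) > 1 or (q("Header") in names and names[0] != q("Header")):
        return False, "Header, if present, must be the single first child of Envelope"
    for el in (root, *root):                  # encodingStyle is not allowed here
        if el.get(q("encodingStyle")) is not None:
            return False, f"encodingStyle is not permitted on {el.tag}"
    if names[0] == q("Header"):
        for block in root[0]:
            mu = block.get(q("mustUnderstand"))
            if mu is not None and mu not in ("true", "false", "0", "1"):
                return False, f"mustUnderstand={mu!r} is not an xs:boolean"
    body = root[-1]
    faults = [child for child in body if child.tag == q("Fault")]
    if faults:
        if len(body) != 1:
            return False, "Fault must be the only child of Body"
        fault = faults[0]
        if fault.find(q("Code")) is None or fault.find(q("Reason")) is None:
            return False, "Fault must contain Code and Reason"
    return True, "ok"


# Constructed sample messages (not from the original guide).
GOOD = b"""<?xml version="1.0"?>
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
  <env:Header>
    <t:txn xmlns:t="urn:example:tx" env:mustUnderstand="true">42</t:txn>
  </env:Header>
  <env:Body>
    <m:getQuote xmlns:m="urn:example:quotes"><m:symbol>A10</m:symbol></m:getQuote>
  </env:Body>
</env:Envelope>"""

BAD_ORDER = b"""<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
  <env:Body><x/></env:Body>
  <env:Header/>
</env:Envelope>"""

SOAP11 = b"""<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
  <env:Body><x/></env:Body>
</env:Envelope>"""

FAULT_NO_REASON = b"""<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
  <env:Body><env:Fault><env:Code><env:Value>env:Sender</env:Value></env:Code></env:Fault></env:Body>
</env:Envelope>"""

if __name__ == "__main__":
    for msg in (GOOD, BAD_ORDER, SOAP11, FAULT_NO_REASON):
        print(soap_format_check(msg))
```

Rejecting the SOAP 1.1 namespace is deliberate: the Recommendation this
section cites is SOAP 1.2, and a server that only speaks 1.2 should not
receive 1.1 envelopes that the format check silently waved through.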

SOAP Validation Checks


The WAF can validate SOAP messages using a Web Services Description Language
(WSDL) document. A WSDL document is an XML document that describes the
behavior of a web service.
In contrast with an XML schema file (which defines how the data in an XML
document is structured), the WSDL document describes SOAP messages, even
though SOAP messages are themselves XML (see the note on the command name
below).
The WSDL file describes the functionality of a web service by defining which
operations are available and how the data for each must be structured. It
lists the operations, such as the methods provided by a web service, and
describes which data types (int, float, etc.) each method accepts.
Validating a SOAP document against a WSDL file ensures that the method being
called is defined for the current direction (request or response), and that
the message conforms to the schema for that message.
The WSDL validation option can be enabled using the following CLI command at
the WAF template configuration level:
xml-validation wsdl [resp-val] wsdl-file

You must upload the WSDL file you will use for validation. The WSDL file can be
uploaded using the import command at the global config level of the CLI:
import wsdl local-filename [use-management-port] file-name url

The use-mgmt-port option allows you to indicate the use of the management
interface as the source interface for the connection to the device.

NOTE: The command is “xml-validation wsdl” rather than “soap-validation”
because WSDL is an extension of XML Schema. It assumes the presence of XML
RPC headers and therefore does not define them in each schema file; instead
it extends the XML Schema to associate specific calls with specific URIs,
taking the contents of the headers as given.

The url option specifies the file transfer protocol, username, and directory
path. You can enter the entire URL on the command line, or you can press
Enter to display a prompt for each part of the URL. If you enter the entire
URL and a password is required, you will still be prompted to enter the
password. To enter the entire URL, use one of these forms:
• tftp://host/file
• ftp://[user@]host[:port]/file
• scp://[user@]host/file
• sftp://[user@]host/file

If you need to modify an existing WSDL file, you can do so using the following CLI
command at the global config level:
waf wsdl edit local-filename

If you need to remove an existing WSDL file, you can do so using the following CLI
command at the global config level:
waf wsdl delete local-filename

Response Validation
By default, the WAF does not validate server responses. In order to validate
responses from a protected web application, the resp-val option should be
selected.

WAF JSON Checks


In ACOS 4.0, the WAF is enhanced by adding support for parsing and verifying JSON
data in HTTP POST operations. The WAF supports the ability to run a format check on
requests containing JSON data. This helps to ensure that the content of the request
is well-formed. In addition, the WAF supports the ability to impose JSON parsing
limits in order to protect web servers from various types of denial-of-service (DoS)
attacks.

Types of JSON Checks


The WAF offers the following types of JSON checks:
• JSON Format Checks – This option uses the json-format-check command to
examine the JSON in incoming requests and block requests that are not
well-formed.
• JSON Limit Checks – This option uses the json-limit CLI command to enforce
parsing limits in order to protect the servers from various denial-of-service
(DoS) attacks.

JSON Format Checks


The JSON format check examines the format of incoming requests, and blocks
requests if the JSON content is not well-formed.
The JSON format check verifies that incoming requests containing JSON comply
with RFC 4627 (since obsoleted by RFC 8259, which additionally allows any
JSON value, not only an object or array, at the top level).
This document can be found at the following URL:
http://www.ietf.org/rfc/rfc4627.txt

Compliance Criteria
The JSON Format Check evaluates incoming requests for compliance with the
following criteria:
• The JSON document must contain only properly-encoded Unicode characters.
• Strings must contain matching quotation marks and properly escaped
characters.
• All objects must contain matching braces {}, and members must be separated
by commas.
• Every object member must contain a name and a value, separated by a colon.
• All arrays must contain matching brackets [], and values must be separated
by commas.
• Numbers must be properly formatted.

This option can be enabled using the following CLI command at the WAF template
configuration level:
json-format-check

JSON Limit Checks


When the json-limit option is configured, the WAF JSON parser will enforce parsing
limits in order to protect backend servers against various types of denial-of-service
(DoS) attacks, which are designed to exhaust system memory or CPU resources.

Configuring JSON Limit Parameters to Prevent DoS Attacks


To prevent DoS attacks from consuming excessive system resources, ACOS provides
the following CLI command, which can be used at the WAF template configuration
level.
json-limit parameter limit

The json-limit command accepts any of the parameters shown below:
• max-array-value-count number
Limits the number of values within a single array.
number – Maximum number of values in an array. Range is 0–4096. Default is
256.
• max-depth number
Limits the nesting depth of a JSON value.
number – Maximum recursion depth in a JSON value. Range is 0–4096. Default is
16.
• max-object-member-count number
Limits the number of members in a JSON object.
number – Maximum number of members allowed per object. Range is 0–4096.
Default is 256.
• max-string number
Limits the length of any string in a JSON request, whether used as a name or
a value.
number – Maximum length of a string in bytes. Range is 0–4096. Default is 64.

Geo-location Based Blocking


This feature enables an administrator to configure the WAF to block attacks based
upon the geo-location information of incoming requests. You can block an attack
originating from a country, region, or state that has a known history of being a
hotspot for various types of WAF-preventable attacks.
This capability allows you to limit which countries can access your resources based
upon the geo-location information associated with a request. You can create an HTTP
policy that would permit or deny traffic based upon a combination of threshold
events and geo-location information.
The WAF Geo-location Based Blocking feature allows you to filter incoming client
requests using the approaches mentioned below.

The following topics are covered:


Filter Requests Using an HTTP Policy 42
Filter Requests Using an ACL 45

Filter Requests Using an HTTP Policy


The WAF Geo-location Based Blocking can use HTTP policies to detect and act upon
traffic from different regions. You can use this option to apply a different WAF
template to requests coming from different regions.
The WAF geo-location feature uses an HTTP policy to apply a WAF template to an
incoming request. The geo-location database (such as an IANA file) can identify which
part of the world a certain request came from. The IANA database contains the
mappings between geographic regions and IP address ranges, as assigned by the
Internet Assigned Numbers Authority. (For more information about the IANA
database, see the Global Server Load Balancing Guide.)
Using the IANA database, the WAF can evaluate incoming requests and determine
that, for example, a request with an IP of 222.111.222.111 is from, say, North
Korea. Perhaps this is a region with rampant cyber-criminal activity. In order to
prevent hackers from this region from being able to access your web servers and
steal credit card numbers, the WAF can be configured to detect traffic from this
region, and if there is a match, the traffic could be denied. Alternatively, if this region
is known to use XML bombs, then perhaps a WAF template could be applied to the
traffic that would offer protection from XML bombs and other DoS attacks using the
XML Limit Checks.
If an HTTP-policy file is used with a WAF template, and if the WAF is in Learning
Mode, you can identify the sources of various attacks. You can configure the relevant
geo-locations in the HTTP-policy file and direct the traffic through different WAF
templates. This produces statistics for the different regions, and these statistics can
be used to identify the top countries where attacks are sourced from.

CLI Configuration
You can enable the WAF Geo-location blocking feature by using the new geo-
location keyword at the HTTP policy configuration level.

ACOS-Inside-Primary(config)(NOLICENSE)#slb template http-policy name1


ACOS-Inside-Primary(config-http-policy)(NOLICENSE)#?
clear Clear or Reset Functions
cookie-name name of cookie to match
do To run exec commands in config mode
end Exit from configure mode
exit Exit from configure mode or sub mode
geo-location Geolocation name
...

CLI Example
This example shows how to configure the WAF geo-location feature using an HTTP
policy. The policy can be used to allow or deny traffic based on geo-location
information. This example creates the geo-location information for a region in
China, and for a region in the United States, and does not rely on the IANA
database.
First, we will configure the GSLB geo-location IP address range for the first region
(e.g., Beijing, China)
gslb geo-location Beijing.China
ip 172.16.3.62 172.16.3.62

Configure the GSLB geo-location IP address range for the second region (e.g., San
Jose, USA)
gslb geo-location Sanjose.USA
ip 172.16.3.63 mask 255.255.255.255

Configure the real server IP and port information for server “s1”:
slb server s1 172.17.3.48
port 80 tcp
port 443 tcp
port 514 udp

Configure the real server IP and port information for server “s2”:
slb server s2 172.17.3.49
port 80 tcp
port 443 tcp
port 514 udp

Create the service group “sg-http-p1” and add server “s1”:


slb service-group sg-http-p1 tcp
member s1 80

Create the service group “sg-http-p2” and add server “s2”:


slb service-group sg-http-p2 tcp
member s2 80

Set up the service group “syslog” and add server “s2”:


slb service-group syslog udp
member s2 514

Set up the logging template and bind it to the service group “syslog”:
slb template logging syslog
service-group syslog

Create the WAF template “waf-1”, with the max parameters set to 3, and logging
template called “syslog”:
waf template waf-1
max-parameters 3
template logging syslog

Create the WAF template “waf-2”, with credit card number masking enabled, and
logging template called “syslog”:
waf template waf-2
ccn-mask
template logging syslog

Create the http-policy template called “geo-policy-http-ipv4”, and within that HTTP
policy template, enable the geo-location feature for the first region you created (i.e.
Beijing, China). Bind it to the service-group “sg-http-p1”, and bind that to WAF
template “waf-1”. Similarly, enable the geo-location feature for the second region
you created (i.e. San Jose, USA), and bind it to the service-group “sg-http-p2”, and
bind that to WAF template “waf-2”:
slb template http-policy geo-policy-http-ipv4
geo-location Beijing.China service-group sg-http-p1 template waf waf-1
geo-location Sanjose.USA service-group sg-http-p2 template waf waf-2

Create the slb virtual-server configuration “vs101”, with port 80 (HTTP), and set up
the source-nat pool “nat_IPv4”, and bind both service-groups “sg-http-p1” and “sg-
http-p2”. Then, bind the HTTP-policy template we created earlier, and bind the two
waf templates.
slb virtual-server vs101 10.11.0.101
port 80 http
source-nat pool nat_IPv4
service-group sg-http-p1
service-group sg-http-p2
template http-policy geo-policy-http-ipv4
template waf waf-1
template waf waf-2

With the above configurations, the HTTP request destined to virtual server “vs101”
port 80 from clients belonging to geo-location Beijing.China will be checked against
template waf waf-1. Clients belonging to geo-location Sanjose.USA will be checked
against template waf waf-2.

Filter Requests Using an ACL


The WAF Geo-location feature also allows you to block client requests using an
Access Control List (ACL). When this feature is enabled, the WAF will evaluate client
requests using the source address of the incoming request, and then it will either
permit or deny traffic if there is a match.

You can configure WAF geo-location based blocking using an ACL by creating an
access control list and using the geo-location keyword.
This example shows how to configure an IPv4 access-list with geo-location rules that
would permit all traffic to and from the United States, while denying all traffic to or
from North Korea:
ACOS(config)# ip access-list geo_acl_ipv4
ACOS(config-access-list:geo_acl_ipv4)# permit geo-location Sanjose.USA any any
ACOS(config-access-list:geo_acl_ipv4)# deny geo-location Pyongyang.NorthKorea any any

Response Protection
The WAF inspects the content of outbound HTTP responses and hides aspects that
can equip an attacker with valuable information. The WAF template can further
protect web servers with the following options for HTTP responses:
• Mask Sensitive Content – Strings in a response are examined for patterns of
  sensitive content, such as credit card numbers or US social security numbers. If the
  WAF discovers a pattern of potentially sensitive information, the string is masked
  with an alternative character.
• Cloak Response Headers – The WAF removes content from HTTP response headers
  that can disclose vulnerabilities about the web server.
• Return Instrumented Responses – If a web form is included in outbound responses,
  the WAF can tag form fields with a nonce value before sending the reply to the
  outside user. The WAF then checks subsequent requests for the nonce, to protect
  against CSRF.

The following sections describe these steps in more detail.

Mask Sensitive Content


To protect sensitive content, the WAF masks strings in the communication between
an end-user and web server using the following options.
Figure 3 : Mask sensitive content

CCN Mask
The Credit-card Number (CCN) Mask checks web server responses for end-user credit
card numbers. This check protects user credit card information from being
intercepted and viewed by unauthorized parties. For example, the CCN mask replaces
all but the final group of digits in the card number with “x” characters. A credit card
number of 4111-1111-1111-1111 would become “xxxx-xxxx-xxxx-1111”.
To protect user credit card information, you should configure the CCN mask for each
accepted type of credit card.

NOTE: A10 Networks recommends enabling this check for URLs that access or
transfer credit card information. For example, shopping websites with a
check-out page or websites that access back-end databases which
contain customer credit card numbers. This check is unnecessary if the
website does not have access to or use credit card information.

SSN Mask
Similar to a CCN mask, a Social-security Number (SSN) Check masks web server
replies for US social security numbers. If enabled, the SSN check mask searches
strings which appear to match the format of US social security numbers and replaces
all but the last 4 digits of the string with “x” characters.

PCRE Mask
In addition to the preconfigured CCN and SSN checks described above, you can
configure custom masks using Perl Compatible Regular Expressions (PCRE) syntax.
For example, you can configure a mask that checks for driver’s license numbers. (For
more information, see Writing PCRE Expressions.)
You can configure the portions of matching strings to keep, and which portions to
mask. You also can customize the mask character (“X” by default).

NOTE: You do not need to create a specialized PCRE mask to hide US social
security numbers or credit card information. Instead, simply enable the
SSN or CCN mask options that are provided in the WAF template.
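An added example, not ACOS's implementation, showing what the three masks do to a response body: the CCN and SSN masks keep only the final group of digits, and a PCRE mask keeps the configured capture groups and masks the rest with X by default. The regular expressions and the Luhn filter on candidate card numbers are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed patterns for this example: card numbers of 13 to 19 digits in groups
# joined by optional spaces or hyphens, and US SSNs written as NNN-NN-NNNN.
CCN_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{1,7}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def _mask_digits(text, keep_last, ch):
    """Replace every digit except the last `keep_last` with `ch`; separators stay."""
    total = sum(c.isdigit() for c in text)
    out, seen = [], 0
    for c in text:
        if c.isdigit():
            seen += 1
            c = c if seen > total - keep_last else ch
        out.append(c)
    return "".join(out)


def _luhn_ok(text):
    """Luhn check, added here to cut false positives; the guide does not describe one."""
    total = 0
    for i, d in enumerate(int(c) for c in reversed(text) if c.isdigit()):
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ccn_mask(body):
    """CCN mask: keep only the final group of digits, as in xxxx-xxxx-xxxx-1111."""
    def repl(m):
        s = m.group(0)
        return _mask_digits(s, 4, "x") if _luhn_ok(s) else s
    return CCN_RE.sub(repl, body)


def ssn_mask(body):
    """SSN mask: keep the last four digits of anything shaped like a US SSN."""
    return SSN_RE.sub(lambda m: _mask_digits(m.group(0), 4, "x"), body)


@dataclass
class PcreMask:
    """Custom mask: a PCRE-style pattern, the capture groups to keep, and the mask char."""
    pattern: str
    keep_groups: tuple = ()
    mask_char: str = "X"

    def apply(self, body):
        rx = re.compile(self.pattern)

        def repl(m):
            keep = [False] * (m.end() - m.start())
            for g in self.keep_groups:
                if m.start(g) >= 0:       # a group may not have taken part in the match
                    for k in range(m.start(g) - m.start(), m.end(g) - m.start()):
                        keep[k] = True
            return "".join(c if keep[k] else self.mask_char for k, c in enumerate(m.group(0)))
        return rx.sub(repl, body)


def mask_response(body, ccn=True, ssn=True, pcre_masks=()):
    """Apply the enabled masks to a response body, in the order the guide lists them."""
    if ccn:
        body = ccn_mask(body)
    if ssn:
        body = ssn_mask(body)
    for pm in pcre_masks:
        body = pm.apply(body)
    return body
```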

Cloak Responses
The WAF can strip HTTP response headers to “cloak” server information that can
equip a hacker to target an attack on your web servers. For example, the WAF can
cloak an HTTP response header to hide what operating system is running on your
servers. Information such as this can enable a hacker to more narrowly target your
servers with attacks that are specific to the servers’ operating systems. You can cloak
server information with the following WAF template options:
• Filter Response Headers – Checks responses coming from the web server and
  removes headers with server identifying information. For example:
  ◦ Server
  ◦ X-Runtime
  ◦ X-Powered-By
  ◦ X-AspNet-Version
  ◦ X-AspNetMvc-Version
• Hide Response Codes – Conceals 4xx and 5xx response codes for outbound
  responses from a web server and returns a generic error code instead. This option
  hides error codes which can provide an attacker with information to specifically
  target web server vulnerabilities.

The WAF sends an error page in response. You can configure the response error
page in the Deny-Action security check section of the WAF template.

Send Instrumented Responses


You can configure the WAF to return instrumented responses with form tags for
user-modifiable fields.

Cross Site Request Forgery Check


The Cross Site Request Forgery (CSRF) Check tags the fields of a web form sent by a
website to end-users with a nonce (a unique, unpredictable number for one-time
use). The WAF examines the web forms sent in user requests to ensure that the
supplied nonce is correct.

NOTE: You can use the Referer Check to further help prevent CSRF attacks.

Figure 4 : Instrumented responses

Form Field Consistency Check


The Form Field Consistency Check applies to both requests from clients and
responses from servers. When this check is enabled, the WAF stores information
about the intended format for web form input fields before sending the form to
clients. The WAF then checks that the responses from clients supply content to the
web form that adheres to the correct format. For example, it checks that a valid entry
is used for drop-down menus or that a radio button is selected, rather than a free-form
string being supplied for that form field.
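An added example (not A10's code) showing the CSRF Check and the Form Field Consistency Check together: the nonce is an HMAC bound to the client session and consumed on first use, and the schema recorded from the outbound form is used to reject values the form never offered. NONCE_KEY, the field name and the helper names are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from html.parser import HTMLParser

# Constructed for this example; a real deployment keys nonces from device-held secrets.
NONCE_KEY = b"constructed-example-key"
NONCE_FIELD = "_waf_nonce"
_used_nonces = set()            # one-time use: a nonce that passed once is never accepted again


def _tag(session_id, rnd):
    return hmac.new(NONCE_KEY, f"{session_id}:{rnd}".encode(), hashlib.sha256).hexdigest()[:32]


def issue_nonce(session_id):
    """Random value plus an HMAC tag that binds it to the client session."""
    rnd = secrets.token_hex(8)
    return f"{rnd}.{_tag(session_id, rnd)}"


def nonce_valid(session_id, value):
    rnd, _, tag = value.partition(".")
    return bool(rnd) and hmac.compare_digest(tag.encode(), _tag(session_id, rnd).encode())


class _FormSchema(HTMLParser):
    """Record, per field name, the values the form itself offers (select, radio, checkbox, hidden)."""
    def __init__(self):
        super().__init__()
        self.allowed = {}
        self._select = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "select":
            self._select = a.get("name")
            self.allowed.setdefault(self._select, set())
        elif tag == "option" and self._select:
            self.allowed[self._select].add(a.get("value", ""))
        elif tag == "input" and a.get("type") in ("radio", "checkbox", "hidden"):
            self.allowed.setdefault(a.get("name"), set()).add(a.get("value", ""))

    def handle_endtag(self, tag):
        if tag == "select":
            self._select = None


def instrument_form(html, session_id):
    """Return (instrumented html, schema); the nonce field is inserted before </form>."""
    parser = _FormSchema()
    parser.feed(html)
    tag = f'<input type="hidden" name="{NONCE_FIELD}" value="{issue_nonce(session_id)}">'
    return html.replace("</form>", tag + "</form>", 1), parser.allowed


def extract_nonce(html):
    """Pull the nonce back out of an instrumented form (what a browser would submit)."""
    return html.split(f'name="{NONCE_FIELD}" value="', 1)[1].split('"', 1)[0]


def check_submission(fields, session_id, schema):
    """Return None if the submitted fields pass, otherwise the reason for denial."""
    nonce = fields.get(NONCE_FIELD, "")
    if not nonce_valid(session_id, nonce):
        return "csrf-check: missing or invalid nonce"
    if nonce in _used_nonces:
        return "csrf-check: nonce already used"
    for name, allowed in schema.items():
        if name in fields and fields[name] not in allowed:
            return f"form-consistency: unexpected value for {name!r}"
    _used_nonces.add(nonce)
    return None
```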

Cookie Encryption
This check protects against cookie tampering by encrypting cookies before sending
server replies to end-users. Clients are then unable to view the content of encrypted
cookies, which clients could otherwise modify to gain illegal access. If the encrypted
cookie is modified, then decryption of the tampered cookie will fail when it is sent
back from the client and the request will be rejected.

You can enable encryption based on specific cookie names or for all cookies that
match a PCRE expression. The encryption uses a secret string to decrypt and
encrypt cookies that are transferred between the web server and client. (For a
configuration example, see Deployment and Logging Examples.)

PCI 6.6 Compliance


The ACOS Web Application Firewall enables organizations to satisfy Payment Card
Industry Data Security Standard (PCI DSS) requirement 6.6. The PCI Security
Standards Council has developed a framework to help organizations that process,
transmit, or store payment card data to secure cardholder information. The PCI DSS,
the keystone of the PCI Security Standards Council’s compliance standards, sets forth
twelve high level requirements designed to protect payment card data, including
guidelines to detect, prevent, and respond to security incidents. By deploying the
ACOS Web Application Firewall, organizations can quickly and easily achieve PCI 6.6
compliance.

ACOS WAF achieves ICSA Certification


While the PCI SSC does not officially certify Web Application Firewalls, similar
recognition can be achieved through third-party companies, such as the International
Computer Security Association (ICSA) Labs.
A10 Networks has achieved WAF certification from ICSA Labs. This certification can
help assure network administrators that the ACOS WAF meets the requirements, as
stated in PCI DSS section 6.6 “Compliance for Web Apps”, the text of which appears
below:
For public-facing web applications, address new threats and vulnerabilities on an
ongoing basis and ensure these applications are protected against known attacks by
either of the following methods:
• Reviewing public-facing web applications via manual or automated application
  vulnerability security assessment tools or methods, at least annually and after any
  changes.

  NOTE: This assessment is not the same as the vulnerability scans performed
  for Requirement 11.2.

• Installing an automated technical solution that detects and prevents web-based
  attacks (for example, a web-application firewall) in front of public-facing web
  applications, to continually check all traffic.

For more information, you can access the PCI DSS at
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf

How Does the ACOS WAF Achieve PCI DSS Compliance?


PCI compliance essentially means that the WAF meets a long list of requirements.
The exact set of requirements can vary, depending on where a particular device is
located in the network, as well as which services the device offers. For the ACOS
WAF, a partial list of important highlights includes the ability to do the following:
• Restrict access to a resource (such as a web server) based on the IP address from
  which the request originated
• Restrict access to particular data at the network boundaries
• Hide sensitive information, such as credit card numbers, when this data crosses a
  network boundary
• Limit or prevent configuration changes (and log each configuration change as
  it happens)
• Protect and store log messages

More information about PCI DSS compliance can be found at the following link:
https://www.pcisecuritystandards.org/documents/information_supplement_6.6.pdf

WAF External Logging


The WAF includes the option for external logging of data plane events and external
or local logging of control plane events. For optimal interoperability, the WAF uses
the Common Event Format (CEF), an open standard used by other security appliances
and network devices. WAF logging is supported over UDP and TCP. You can configure
external logging to a group of one or more log servers. You can easily add more log
servers if needed, simply by adding them to the log server group.
For more information, see WAF Event Logging

WAF Operational Modes

This section describes the WAF operational modes and how to use them to deploy
the WAF.

The following topics are covered:


Overview 53
Setting the WAF Operational Mode 61

Overview
The WAF supports the following operational modes:
• Learning – Learning Mode provides a way to initially set the thresholds for certain
  WAF checks based on known, valid traffic.
• Passive – Passive Mode provides passive WAF operation. All enabled WAF checks
  are applied, but no WAF action is performed upon matching traffic. This mode is
  useful in staging environments to identify false positives for filtering.
• Active – This is the standard operational mode. You must use Active Mode if you
  want the WAF to sanitize or drop traffic based on the configured WAF policies.

Figure 5 shows a typical work flow for WAF deployment, using these modes.

CAUTION: While Learning or Passive Mode is in operation, the WAF does not
block any traffic. Only Active Mode blocks traffic.

Notes:
• Use of the Learning and Passive Modes is recommended during the deployment
  process.
• To block traffic, you must deploy the WAF in Active Mode.
• To access WAF data event messages, logging to external servers is required. See
  WAF Event Logging.
• When the WAF is deployed in either learning or passive mode, traffic is not
  blocked. However, event log messages will list the response action (deny, allow,
  or sanitize) that is configured in the WAF template. In addition, WAF counters
  will continue to increment as if the WAF is deployed in active mode.

Figure 5 : Typical Deployment Scenario

The following sections provide more details about each mode.

Learning Mode
Learning Mode provides a way to dynamically set certain WAF options based on
traffic.

When you enable Learning Mode in a WAF template, ACOS resets the following WAF
security check values to zero:
• Maximum Headers – set to 0
• Maximum Cookies – set to 0
• Buffer Overflow (max-url-len, max-hdrs-len, max-cookie-len, and max-post-size) –
  all set to 0
• Allowed HTTP Methods – set to null
• URL Check (closure list) – set to null

Figure 6 shows an example of the Learning Mode.


Figure 6 : WAF Learning Mode

1. In Figure 6, a WAF template is configured and is bound to the HTTP/HTTPS virtual
port on the ACOS device. The domain name mapped to the VIP address by DNS is
“www.example.com”.
2. Known, valid traffic is then sent to the WAF. As traffic is received by the virtual
port to which the WAF template is bound, ACOS updates the settings for the
WAF parameters listed above.
In this example, the following HTTP request is sent:

GET / HTTP/1.1
Host: www.example.com
Connection: close
User-Agent: Mozilla/5.0
Accept-Encoding: gzip
Accept: text/html
Cache-Control: no-cache

NOTE: The HTTP header "Cache-Control: no-cache" cannot be inserted if
the form element is positioned beyond 128KB in the HTML.

3. When the WAF receives the request, Learning Mode updates the following checks
in the WAF template:
Buffer Overflow Check:
• Maximum headers = 7
• Max-url-len = 15
• Max-hdrs-len = 23
• Allowed HTTP Methods Check = GET
• URL Check (not shown in example)
4. To “lock in” the WAF template settings, change to a different mode (for example,
Passive Mode or Active Mode). You can fine-tune the template settings later, if
needed.

Notes
• Beginning in ACOS release 4.0, the WAF will display the learned values in the
  running-configuration only after the WAF deployment mode is changed from
  Learning Mode to Active Mode or Passive Mode. The reason for this change in
  behavior relative to prior releases is that ACOS 4.0 introduces the Configuration
  Manager (CM), which acts like an internal “staging area” for configuration
  changes. Such config changes are temporarily saved to short-term memory and
  will remain there until an operation is committed, which happens when the WAF
  is switched from Learning Mode to Passive or Active Mode. In previous releases,
  config changes were saved directly into the running-config file, and there was no
  internal staging area.
• Before enabling Learning Mode, make sure the WAF is not receiving production
  traffic. Security checks in the WAF template are not enforced during Learning
  Mode and the WAF will not deny any requests, even if a request fails a security
  check.
• If the setting for a check reaches its maximum configurable value, the check is set
  at that value. The setting value does not increase.
• The URL Check file is not created until the mode is changed from Learning to
  Passive or Active. You cannot modify the URL check file while Learning Mode is
  enabled.
• For an example of Learning Mode, see Deployment and Logging Examples.
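An added example, not ACOS code, that models Learning Mode as the guide describes it: the values start at zero or null, rise to what known-good requests need, stop at a cap, and reach the running configuration only when the mode is changed. The counting rules and the caps are assumptions of this example.

```python
# Constructed caps for this example: the guide says a learned value stops rising once it
# reaches the check's maximum configurable value, but these are not ACOS's real ranges.
CAPS = {"max_headers": 64, "max_url_len": 4096, "max_hdrs_len": 8192}


class WafTemplate:
    """Learning-mode bookkeeping for the checks the guide lists as reset to 0 or null."""

    def __init__(self):
        self.mode = "learning"
        # Staged (learned) values: counters start at 0, allowed methods and URL closure at null.
        self.staged = {"max_headers": 0, "max_url_len": 0, "max_hdrs_len": 0,
                       "allowed_methods": set(), "url_closure": set()}
        self.running = None             # nothing appears in the running-config until commit

    def learn(self, raw: bytes):
        """Raise each learned limit to what one known-good request needs."""
        if self.mode != "learning":
            return
        head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
        request_line, *header_lines = head.split("\r\n")
        method, target, _version = request_line.split(" ", 2)
        # Counting rules assumed here: headers = number of header lines, url-len = length
        # of the request target, hdrs-len = longest single header line (all in bytes).
        self._raise("max_headers", len(header_lines))
        self._raise("max_url_len", len(target))
        self._raise("max_hdrs_len", max((len(h) for h in header_lines), default=0))
        self.staged["allowed_methods"].add(method)
        self.staged["url_closure"].add(target.split("?", 1)[0])

    def _raise(self, name, observed):
        # A learned value never decreases and is clamped at the cap.
        self.staged[name] = min(max(self.staged[name], observed), CAPS[name])

    def set_mode(self, mode):
        """Leaving Learning Mode commits the staged values (the CM staging-area behaviour)."""
        if mode not in ("learning", "passive", "active"):
            raise ValueError(mode)
        if self.mode == "learning" and mode != "learning":
            self.running = {k: (sorted(v) if isinstance(v, set) else v)
                            for k, v in self.staged.items()}
        self.mode = mode
        return self.running
```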

Passive Mode
Passive Mode logs traffic that matches a WAF policy file or check, but does not
perform any action on matching traffic. While the WAF is operating in Passive Mode,
you can monitor the data event log messages sent to remote logging servers, and
fine-tune your template settings so that valid traffic is not mistakenly blocked by the
WAF.
Typically, Passive Mode is used in a production network to check for false positives
while real production traffic is running. A false positive occurs when valid traffic
matches a WAF check, and would be dropped during Active Mode operation.
Figure 7 shows an example of Passive Mode.
Figure 7 : WAF Passive Mode

This example shows a “false positive” match on the max-cookies check. In this
example, the WAF template allows a maximum of 3 cookie headers within a given
request.
1. Client sends request to server.
2. Server replies. The reply contains some cookies inserted by the server.
3. The client sends a new request and inserts the cookies sent by the server in the
request.
4. The WAF template allows a maximum of 3 cookies (3 separate cookie headers) in
a given client request. Because the client’s request contains more than 3 cookies,
the request fails the max-cookies check, and a data event log message is sent to
the external log server. However, because the WAF is operating in Passive Mode,
the traffic is allowed.

Notes:
• Because the WAF is operating in Passive Mode, the client request is sent to the
  server instead of being dropped. In Active Mode, the request would be dropped.
• To access WAF data event messages, logging to external servers is required. See
  WAF Event Logging.
• During Passive Mode operation, data event logs for matching traffic will state
  that the traffic was denied even though the traffic in fact is allowed. However, all
  WAF data event messages include the operational mode.

Active Mode
Active Mode enforces the policies (definition files) and security checks that are
enabled in the WAF template bound to the virtual port. If the action configured for a
specific check is to drop traffic that matches the check, the traffic is dropped.
Figure 8 shows an example of Active Mode.
Figure 8 : WAF Active Mode

In this example, a client POST request contains SQL code.


1. The client sends a request. The request contains SQL code. The request is an
attempt to inject SQL code onto the server.

2. The WAF SQL Injection Check detects the SQL. Based on the configuration, the
WAF rejects (drops) the request.
3. The WAF sends a log message to the log server.
Figure 9 shows a walk-through of the WAF process as it examines the client’s
request.
Figure 9 : WAF Active Mode - walk-through

1. First, the WAF checks the request URI against the entries in the White List. In this
case, the URI matches. The request passes to the next phase, the Black List check.
2. The request URI does not match any of the Black List entries, so is passed to the
next phase, the request checks.
3. The request passes the Allowed-HTTP-methods Check. However, the request fails
the SQL Injection Check and is denied.

Setting the WAF Operational Mode


The WAF operational mode is one of the options you can configure within the WAF
template. For configuration information, see either of the following sections:
• Configuring WAF Using GUI
• Configuring WAF Using CLI

Configuring WAF Using GUI

The WAF operates on traffic that is addressed to the virtual IP address (VIP) and
HTTP/HTTPS virtual port of your website. To apply WAF protection to the virtual
port, basic configuration is required.
Additional, advanced configuration is optional.
This section describes how to configure the WAF using the GUI.

The following topics are covered:


Overview 63
Bind the WAF Template to the Virtual Port 63
Add/Edit a WAF Template 66
Create a WAF File 83
Configure an HTTP Policy Template 86
Configure External Logging (recommended) 88

Overview
This section summarizes the configuration tasks for the WAF. The following sections
provide detailed steps for each task.
To apply WAF security controls to a virtual port:
1. Configure a WAF template.
2. Bind the WAF template to the virtual port.
3. (Recommended) Configure external logging. ACOS supports logging of WAF
events only to external log servers. WAF events are not logged in the ACOS
device’s local log buffer. (See Configure External Logging (recommended).)

Notes:
• External logging is the only mechanism supported for accessing WAF data plane
  log messages.
• The WAF comes with predefined WAF policy files. Modify policy rules in the URI
  White and Black Lists, or add search definitions used for the Bot Check, SQLIA
  check and so on. For more information, see WAF Policy Files. A10 Networks highly
  recommends modifying the WAF policy files to meet your specific security
  requirements.
• Optionally, you can pair the WAF template with an HTTP policy template to
  enforce WAF security checks based on URL, host, or cookie. (See Overriding a
  WAF Template.)
• For examples of advanced WAF configuration, see Deployment and Logging
  Examples.

Bind the WAF Template to the Virtual Port


The Bind WAF Policy page contains the list of virtual servers, virtual servers with
HTTP/HTTPS virtual ports, and the HTTP policies bound to the virtual ports. The form
allows you to bind different HTTP policy templates to the virtual port. Edit the match
conditions to bind the HTTP policy to the WAF template. To bind a WAF template to
an HTTP or HTTPS virtual service port:

1. Hover over Security on the menu bar, then select WAF.
2. Click Bind WAF Template. The Bind WAF form opens in a sliding window.
3. Select which virtual server Name, vPorts, WAF-templates and HTTP policy
templates to be bound to the vPort.
4. Edit either URL or Host match conditions by clicking the three dots icon for each
row. An option is available to add new URL or host match condition.
5. Save: Edit the HTTP policy template bound to the vPort, edit the HTTP policy
Match Conditions under the HTTP policy template, and the WAF template bound
to the virtual port (vPort) and click Save.
6. Select the WAF Bindings tab, if not already selected.
Figure 10 : WAF Bindings tab

A table of WAF bindings appears. A WAF binding is the combination of a virtual IP
address, or “VIP”, and a virtual port with service type HTTP or HTTPS.
7. Click +Bind WAF Template.
8. A new Bind WAF Policy page appears, as follows:

Figure 11 : Security > WAF > WAF Bindings > Bind WAF Policy

9. Click the VIP drop-down menu and select a pre-configured VIP to bind.
For a VIP to appear in the VIP drop-down list with the virtual server names, it
must be configured with one or more HTTP/HTTPS virtual ports.
10. Based on the VIP that you select, the vPort: (port and protocol) field
automatically updates. You can also click the vPort drop-down menu and select a
different port/protocol combination from the list of HTTP or HTTPS ports
associated with this VIP.
11. Click the WAF Template drop-down menu and select the desired WAF template
from the list.
Alternatively, click the WAF Template tab to +Add a new WAF Template for this
WAF service. (See Add/Edit a WAF Template ).
12. Click the HTTP Policy drop-down menu and select the desired HTTP template.
Alternatively, click the New HTTP Policy Template button to configure a new
template. (See Configure an HTTP Policy Template).
13. Click the Save button to complete the WAF service configuration.

Add/Edit a WAF Template


NOTE: Remove all CGNv6 configurations before making SLB configurations
(including WAF, aFleX, AAM, GSLB and Overlay).

Use the following steps to configure a WAF template:


1. Hover over Security on the menu bar, then select WAF.
2. Select the WAF Templates tab.
3. Click +Add WAF Template.
The Add / Edit WAF Template configuration page appears, as shown below.
Figure 12 : Add / Edit WAF Template

4. In the Template Name field, enter a name for the template.
5. Configure all the settings for WAF and click Save to save the template.

Configuring HTTP Protocol Checks


1. Click the HTTP Protocol Checks option in the Add/Edit WAF Template page. It
displays all the related configuration options in the form of toggle buttons. You
can turn on or turn off a required option from the GUI. However, configuration of
the associated sub-options, such as allowed versions in Allowed HTTP Version or
allowed headers in Allowed HTTP Headers, can only be done from the Command
Line Interface.
2. Hover over the different options to see their detailed description and applicable
default values. Turn on the required options.
3. Click Save to save the HTTP protocol settings.
For details, refer to the GUI Online Help and the Command Line Interface Reference.

Configuring HTTP Limit Checks


1. Click the HTTP Limit Checks option in the Add/Edit WAF Template page. The
related configuration options open up. This displays the list of security options
that limit the number and size of request parameters, so that a client cannot
exhaust server resources by flooding a request with excessive parameters.
2. Configure the limit checks for the related HTTP parameters. For details on each
parameter, see the context help and the related Online Help on the GUI.
Figure 13 : HTTP Limit Checks Options


Configuring Request Checks


1. Click the Request Checks option in the Add/Edit WAF Template page. The related
configuration options open up.
Figure 14 : WAF Template – Request Checks

2. Select the Bot Check On/Off button to check the user-agent of incoming requests
for known bots. This check uses the list of defined bots in the “bot_defs” WAF
policy file. For more information, see Bot Check.
3. Select the Referer Check On/Off button to enable referer checks, or clear the
On/Off button to disable them. The referer check validates that the Referer header
of a request points to the protected web server, rather than to an outside website,
so that form submissions and other state-changing requests originate from your own
pages; this helps protect against CSRF attacks. Referer Check behavior is as follows:
l Enabled – The WAF always validates the Referer header. Requests fail the check
if there is no Referer header or if the Referer header is not valid. Note that
browsers and privacy tools may strip or truncate the Referer header (for example
under a strict Referrer-Policy), so legitimate clients can fail this check; test
it against real client traffic before enforcing it.
l Disabled – The WAF does not validate requests based on the Referer header.
4. Turn on the URL White List Check toggle button to enable it. Click the File drop-
down menu that appears, and select the name of a configured WAF policy file.
This option enforces the rules contained within a WAF policy file for the URI
white-list: only requests whose URI matches an entry in the file are allowed. The
default WAF policy file is “uri_wlist_defs”. For more information about URI
white-lists, see URI White List.
5. Turn on the URL Black List Check toggle button to enable it. Click the File drop-
down menu that appears, and select the name of a configured WAF policy file.
This option enforces the rules contained within a WAF policy file for the URI
black-list: requests whose URI matches an entry in the file are denied. The
default WAF policy file is “uri_blist_defs”. For more information about URI
black-lists, see URI Black List.
6. Configure the options under Injection Checks to block requests that carry SQL
injection or cross-site scripting (XSS) payloads.
7. Enable SQL Injection Attack Check to check for harmful SQL strings and provide
protection against SQL injection attacks. The Action drop-down menu provides
the following actions:
l Disabled – The WAF will not validate requests, i.e., the SQL injection attack check
is disabled (default).
l Reject – The WAF will reject requests that do not pass the SQL Injection Attack
check.
When this option is selected, the adjacent drop-down menu is enabled. Select
the WAF policy file from the menu to use for SQL Injection Attack checks. By
default, the WAF uses the list of SQL keywords defined in the sqlia_defs WAF
policy file. For more information, see SQL Injection Attack Check.

8. The XSS Check uses the jscript_defs WAF policy file to examine the URL,
cookies, and POST bodies of client requests. The drop-down menu provides the
following actions:
l Disabled – The WAF will not validate requests, i.e., the XSS check is disabled
(default).
l Reject – The WAF will reject requests that do not pass the XSS check.
When this option is selected, the adjacent drop-down menu is enabled. Select
the WAF policy file from the menu to use for XSS checks (see XSS Check).
9. Turn on the Session Checks button to enable session checks. When this option is
enabled, the WAF creates a unique ID that is inserted into a cookie and
embedded in the server’s response to the client. Future requests from the same
client are validated against this ID, and if the tracking ID (or the client IP
address) does not match, the request is rejected. In the Limit field, enter a
session lifetime from 1–1440 minutes. The default session lifetime is 10 minutes.
For more information about Session Checks, see Session Checks.
10. In the Command Injection Check menu, turn on the required options.
11. Click Save to save your changes.

Configuring Cookie Security


1. Click the Cookie Security option in the Add/Edit WAF Template page. The related
configuration options are displayed.
2. Configure the parameters and settings related to Cookie Security as per
description and details on GUI Online Help.
Figure 15 : Cookie Security

3. Click Save to save your changes.


Configuring Cookie Security Checks


1. The Cookie Security menu displays the list of security options that can be used to
prevent cookie tampering.
A window similar to that shown below appears.
Figure 16 : WAF Template – Cookie Security

2. In the Tampering Protection drop-down, select the Encrypt or Do Not Encrypt
option. This option protects against cookie tampering by encrypting the cookies
with a specific name, or all cookies whose names match a PCRE expression.
3. If the Encrypt option is selected, the Encryption Secret field is displayed. Enter
the encryption keyword (pass phrase) in this field.
4. In the Applies to field, select the All cookies or Session cookies only option to
choose which cookies are encrypted and decrypted. The WAF uses the secret
pass phrase to encrypt cookies in server responses and to decrypt them again
when the client returns them, so a cookie value that was altered by the client
no longer decrypts and the request is rejected.
5. Turn on the HTTP Only and Secure toggle buttons to add the HttpOnly attribute
(the cookie cannot be read by client-side script) and the Secure attribute (the
browser returns the cookie only over HTTPS) to the protected cookies.


Figure 17 : Set Cookie Security from Server

6. To protect specific cookies that the server sets, in the Set-Cookies from Server
menu, click + Add.
7. Enter the cookie Name, set Tamper Protection to Encrypt, enter the Encryption
Secret keyword, and turn on the HTTP Only and Secure options.
8. Click Save to save your changes.

Configuring Evasion Checks


1. Select the Evasion Checks tab to display the list of checks that detect encoding
tricks used to bypass WAF rules. A window similar to that shown below appears.


Figure 18 : Configuring Evasion Checks

2. Set Apache White Space to ON to check for whitespace characters in URLs.
3. Set Decode Entities to ON to decode HTML entities, such as &lt; (named), &#ddd;
(decimal) and &#xXX; (hexadecimal), in the internal URL before the other checks
run.
4. Set Decode Escaped Characters to ON to decode escaped characters, such as \r,
\n, \" and \xXX, in the internal URL.
5. Set Decode Unicode Characters to ON to check for evasion attempts that use
Unicode encoding of characters to bypass security.
6. Set Decode Plus Characters to ON to check for evasion attempts that encode
spaces as + characters.
7. Set Directory Traversal to ON to check for directory traversal attempts (../ or
..\ path segments).
8. Set High ASCII Bytes to ON to check for evasion attempts that use bytes with
values > 127.
9. Set Invalid Hex Encoding to ON to check for evasion attempts that use invalid
hex encoding (a % followed by characters other than 0-9, a-f).
10. Set Multiple Encoding Levels to check for evasion attempts that use multiple
levels of encoding, and configure the number of encoding levels (0–7).
11. Set Multiple Slashes to check for evasion attempts that use multiple
slashes/backslashes.
12. Set Remove Comments to ON to remove comments from the internal URL.
13. Set Remove Spaces to ON to remove spaces from the internal URL.
14. Click Save to save your changes.
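The checks above are easiest to reason about as one canonicalization pass that runs before the signature checks (SQL injection, XSS, URI lists) see the request. The following Python is an added example written for this page, not code from the ACOS product or the guide; the sample paths, the order of the steps and the default of one permitted percent-encoding level are assumptions made for the demonstration. It shows why the order matters: the double-encoded traversal only becomes visible after the second decoding pass, and the %u form only after Unicode decoding.

```python
import html
import re
from urllib.parse import unquote

# Constructed request paths used to exercise the checks (not taken from the guide).
SAMPLES = {
    "double_encoded_traversal": "/app/%252e%252e/%252e%252e/etc/passwd",
    "entities_and_plus": "/search?q=%26lt%3Bscript%26gt%3B+alert(1)",
    "multi_slash_backslash": "/admin//..\\\\config",
    "invalid_hex": "/item?id=%zz1",
    "unicode_traversal": "/files/%u002e%u002e/secret",
    "clean": "/static/app.js",
}

INVALID_HEX = re.compile(r"%(?![0-9A-Fa-f]{2})")       # '%' not followed by two hex digits
IIS_UNICODE = re.compile(r"%u([0-9A-Fa-f]{4})")        # %uXXXX style unicode encoding
HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")        # C-style \xXX
C_ESCAPES = {"\\r": "\r", "\\n": "\n", '\\"': '"'}
COMMENT = re.compile(r"/\*.*?\*/", re.S)               # /* ... */ comments


def decode_levels(s: str, max_levels: int) -> tuple:
    """Percent-decode repeatedly until the text stops changing.

    Returns (decoded, levels). A payload that needs more than max_levels passes
    is the 'multiple encoding levels' evasion; decoding stops there.
    """
    levels = 0
    while True:
        decoded = unquote(s)
        if decoded == s:
            return s, levels
        s, levels = decoded, levels + 1
        if levels > max_levels:
            return s, levels


def decode_escaped(s: str) -> str:
    r"""Decode \r \n \" and \xXX escapes that a backend might interpret."""
    for esc, ch in C_ESCAPES.items():
        s = s.replace(esc, ch)
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)


def normalize(path: str, max_levels: int = 1) -> dict:
    """Run the evasion checks on one request path in a fixed order and report
    the canonical form that later signature checks (SQLi, XSS, URI lists) see."""
    findings = []
    if re.search(r"\s", path):
        findings.append("whitespace_in_url")
    s = IIS_UNICODE.sub(lambda m: chr(int(m.group(1), 16)), path)
    if s != path:
        findings.append("unicode_encoding")
    if INVALID_HEX.search(s):
        findings.append("invalid_hex_encoding")
    s, levels = decode_levels(s, max_levels)
    if levels > max_levels:
        findings.append(f"multiple_encoding_levels({levels})")
    s = s.replace("+", " ")                              # '+' encoded spaces
    unescaped = html.unescape(s)                         # &lt; &#60; &#x3c; ...
    if unescaped != s:
        findings.append("html_entities")
    s = decode_escaped(unescaped)
    if any(ord(c) > 127 for c in s):
        findings.append("high_ascii_bytes")
    s = COMMENT.sub("", s)                               # remove comments
    s = re.sub(r"[/\\]+", "/", s)                        # collapse multiple slashes/backslashes
    if ".." in s.split("?", 1)[0].split("/"):
        findings.append("directory_traversal")
    s = s.replace(" ", "")                               # remove spaces
    return {"normalized": s, "findings": findings}


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:26} {normalize(raw)}")
```

Running the block prints the canonical path and the checks that fired for each sample; the double-encoded path is reported both for its extra encoding level and, once decoded, for the traversal it hides.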

Configuring Web Service Security


1. Select the Web Services Checks tab to display the list of security options that can
be used to configure JSON and XML checks. A window similar to that shown
below appears.


Figure 19 : WAF Template – Web Services Checks

2. Select the Enforce JSON compliance On/Off button to have the WAF check
incoming requests containing JSON for compliance with RFC 4627.
Requests are blocked if the JSON content is not well-formed.
JSON Limits:
When the following JSON Limit options are configured, the WAF JSON parser
enforces parsing limits to protect back-end servers from denial-of-service (DoS)
attacks that are designed to exhaust system memory or CPU resources (for
example, deeply nested or extremely wide documents).
3. In the JSON Limit - Max Array Value Count field, enter the maximum number of
values in a single array.
The default value is 256, but you can set a number ranging from 0–4096.


4. In the JSON Limit - Max Depth field, enter the maximum recursion depth in a
JSON value.
The default value is 16, but you can set a number ranging from 0–4096.
5. In the JSON Limit - Max Object Member Count field, enter the maximum number
of members in a JSON object.
The default value is 256, but you can set a number ranging from 0–4096.
6. In the JSON Limit - Max String field, enter the maximum length of a string (in
bytes) for a name or a value in a JSON request.
The default value is 64, but you can set a number ranging from 0–4096.
7. Select the XML Format Check On/Off button to check the HTTP body of the
message for XML format compliance. Incoming requests containing XML code are
checked for compliance with the XML 1.0 specification. (See XML Format Checks
for details.)
8. Select the XML SQLIA Check On/Off button to check XML data against the SQLIA
policy file. The XML SQL injection check examines the headers and bodies of
incoming XML requests for SQL keywords that might indicate an SQL injection
attack and blocks those requests.
9. Select the XML XSS Check On/Off button to check XML data against the XSS policy
file. The XML cross-site scripting check examines the headers and bodies of
incoming XML requests for Javascript keywords that might indicate possible
cross-site scripting attacks and blocks those requests. (See XML Cross-Site
Scripting Checks for details.)
10. In the XML Limit - Max Attributes field, enter the maximum number of attributes
each individual element is allowed to have.
The default is 256, but you can enter an integer from 0-256.
11. In the XML Limit - Attribute Max Length field, enter the maximum number of
characters allowed per element.
The default is 128, but you can enter an integer from 0-2048.
12. In the XML Limit - Attribute Text Max Length field, enter the maximum number of
characters allowed per attribute.
The default is 128, but you can enter an integer from 0-4096.
13. In the XML Limit - CDATA Section Max Length field, enter the maximum length of
CDATA section for each element.
The default is 65535, but you can enter an integer from 0-65535.


14. In the XML Limit - Max XML Elements field, enter the maximum number of any
one type of element per XML document.
The default is 1024, but you can enter an integer from 0-8192.
15. In the XML Limit - Max Element Children field, enter the maximum number of
children each element is allowed to have, including other elements, character
information, and comments. The default is 1024, but you can enter an integer
from 0-4096.
16. In the XML Limit - Max Element Depth field, enter the maximum number of
nested levels in each element.
The default is 256, but you can enter an integer from 0-4096.
17. In the XML Limit - Max Element Name Length field, enter the maximum name
length for each element, including the XML path.
The default is 128, but you can enter an integer from 0-65535.
18. In the XML Limit - Max Entity Declarations field, enter the maximum number of
entity expansions allowed.
The default is 1024, but you can enter an integer from 0-1024.
19. In the XML Limit - Max Entity Depth field, enter the maximum depth of nested
entity expansions.
The default is 32, but you can enter an integer from 0-32.
20. In the XML Limit - Max Namespace Declarations field, enter the maximum
number of namespace declarations in an XML document. The default is 16, but
you can enter an integer from 0-256.
21. In the XML Limit - Max Namespace URL Length field, enter the maximum URL
length allowed for each namespace declaration.
The default is 256, but you can enter an integer from 0-1024.
22. Click Save to save your changes.
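The four JSON limits (steps 3 to 6 above) only protect the back end if they are enforced before a full parse, since building the document tree is exactly the cost an attacker wants to impose. The Python below is an added example, not the ACOS parser: it scans the raw body once, tracking depth and per-container counts, and rejects the body as soon as a limit is breached; the constructed bodies at the end each breach one of the guide's defaults. The string limit is measured here on the raw UTF-8 bytes between the quotes, which is an assumption about how the appliance counts.

```python
import json

# Defaults from the JSON Limit fields described above.
LIMITS = {
    "max_array_value_count": 256,
    "max_depth": 16,
    "max_object_member_count": 256,
    "max_string": 64,            # bytes, for a name or a value
}


class JsonLimitViolation(ValueError):
    """Raised as soon as a request body breaches one of the configured limits."""


def check_json_limits(text: str, limits: dict = LIMITS) -> dict:
    """Single pass over the raw text that tracks nesting depth and per-container
    counts without building the document, so an oversized body is rejected
    before it costs the parser memory or CPU."""
    stack = []          # one [kind, commas_seen] entry per open container
    deepest = 0
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if c == '"':                                   # skip a string, measuring it
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1       # an escape consumes the next char too
            if j >= n:
                raise JsonLimitViolation("unterminated string")
            if len(text[i + 1:j].encode("utf-8")) > limits["max_string"]:
                raise JsonLimitViolation(f"string at offset {i} exceeds {limits['max_string']} bytes")
            i = j + 1
            continue
        if c in "[{":
            stack.append([c, 0])
            deepest = max(deepest, len(stack))
            if deepest > limits["max_depth"]:
                raise JsonLimitViolation(f"nesting exceeds depth {limits['max_depth']}")
        elif c in "]}":
            if not stack:
                raise JsonLimitViolation(f"unbalanced {c!r} at offset {i}")
            stack.pop()
        elif c == ",":
            if not stack:
                raise JsonLimitViolation(f"comma outside a container at offset {i}")
            kind, commas = stack[-1]
            key = "max_array_value_count" if kind == "[" else "max_object_member_count"
            if commas + 1 >= limits[key]:              # commas + 2 entries would exceed the limit
                raise JsonLimitViolation(f"{'array' if kind == '[' else 'object'} exceeds {limits[key]} entries")
            stack[-1][1] = commas + 1
        i += 1
    if stack:
        raise JsonLimitViolation("unterminated container")
    return {"max_depth": deepest}


def parse_bounded(text: str, limits: dict = LIMITS):
    """Enforce the limits first, then hand the body to the normal (RFC-checking) parser."""
    check_json_limits(text, limits)
    return json.loads(text)


# Constructed request bodies (not from the guide).
OK_BODY = json.dumps({"user": "alice", "roles": ["admin", "ops"], "mfa": True})
DEEP_BODY = "[" * 20 + "]" * 20                      # 20 nested arrays: breaches max_depth
WIDE_BODY = "[" + ",".join(["1"] * 300) + "]"        # 300 values: breaches the array limit
LONG_BODY = json.dumps({"note": "x" * 65})           # 65-byte value: breaches max_string

if __name__ == "__main__":
    for label, body in [("ok", OK_BODY), ("deep", DEEP_BODY), ("wide", WIDE_BODY), ("long", LONG_BODY)]:
        try:
            parse_bounded(body)
            print(label, "accepted")
        except JsonLimitViolation as e:
            print(label, "rejected:", e)
```

The scanner deliberately does not validate the grammar; that is left to the parser that runs only after the body has passed the limits, which keeps the pre-check linear in the body size.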

Configuring Data Leak Prevention


1. Select Data Leak Prevention to display the configurable content filtering options.
A window similar to that shown below appears.


Figure 20 : WAF Template – Data Leak Prevention

2. In the Response Cloaking menu, turn on Filter Response Headers to remove the web
server's identifying headers (such as Server) from outgoing responses.
3. Turn on the Hide Response Codes toggle to cloak 4xx and 5xx response codes
in outbound responses from the web server, so that error responses do not
reveal details of the back end. By default, this check uses the
“allowed_resp_codes” WAF policy file for the list of acceptable HTTP response
codes; click the Hide Response Codes file drop-down menu to specify a
different file. For more information, see Allowed HTTP Response Codes.
4. In Content Filter Checks, turn on the CCN Mask option to examine outbound
replies from the web server for strings of digits that resemble credit card
numbers (CCN). If the WAF identifies a credit card number, it replaces all but
the last four digits with “x” characters.

NOTE: View counters for the CCN check from the CLI. These counters
display the number of masked credit card numbers for various bank
providers.


5. Turn on the SSN Mask option to have the WAF scan HTTP responses for strings
that resemble US Social Security numbers and mask all but the last four digits
of each match with “x” characters.
6. Click the PCRE Mask drop-down. PCRE Mask hides strings that match the specified
PCRE pattern. (See Writing PCRE Expressions for details.) In the PCRE fields, enter
the following values:
l PCRE Pattern – The pattern; strings in a response that match it are masked.
l PCRE Mask Character – The character used to mask the matched string. By
default, strings are masked with an “X” character.
l PCRE Keep Start – The number of unmasked characters kept at the beginning of
the string. This can be 0-65535; the default is 0.
l PCRE Keep End – The number of unmasked characters kept at the end of the
string. This can be 0-65535; the default is 0.

NOTE: PCRE mask patterns must match strings of fixed length. For this reason,
the wild-card quantifiers that can match (and so mask) arbitrarily long
strings, * and +, are not supported: if either an asterisk (*) or a plus
symbol (+) is detected during the syntax check, the check fails. To match a
literal “*” or “+” character, escape it with a backslash (\), i.e., enter
“\*” or “\+”.

7. Click Save to save your changes.
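As an added example (not A10 code) of the three content filter checks above, the Python below masks Luhn-valid card numbers and SSN-shaped strings down to their last four digits and implements PCRE Mask with Keep Start / Keep End, including the rejection of * and +. The Luhn checksum filter and the sample response body are assumptions introduced here; the guide only says the WAF looks for strings that resemble card numbers.

```python
import re

# Candidate patterns. The WAF looks for "strings that resemble" card and Social
# Security numbers; the Luhn checksum filter on card candidates is an addition
# here to cut false positives on order or account numbers.
CCN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")    # 13-19 digits, optional separators
SSN = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; true for well-formed payment card numbers."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_digits(text: str, keep_end: int = 4, char: str = "x") -> str:
    """Replace every digit except the last keep_end with char; separators survive."""
    digits = sum(ch.isdigit() for ch in text)
    out, seen = [], 0
    for ch in text:
        if ch.isdigit():
            out.append(char if seen < digits - keep_end else ch)
            seen += 1
        else:
            out.append(ch)
    return "".join(out)


def ccn_mask(body: str) -> str:
    """CCN Mask: x out all but the last four digits of Luhn-valid card numbers."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_digits(m.group(0)) if luhn_ok(digits) else m.group(0)
    return CCN.sub(repl, body)


def ssn_mask(body: str) -> str:
    """SSN Mask: x out all but the last four digits of NNN-NN-NNNN strings."""
    return SSN.sub(lambda m: mask_digits(m.group(0)), body)


def pcre_mask(body: str, pattern: str, mask_char: str = "X",
              keep_start: int = 0, keep_end: int = 0) -> str:
    """PCRE Mask: refuse unbounded quantifiers, then mask the middle of each match."""
    if re.search(r"(?<!\\)[*+]", pattern):           # an unescaped * or + fails the syntax check
        raise ValueError("PCRE mask patterns must match fixed-length strings: '*' and '+' are not allowed")

    def repl(m):
        s = m.group(0)
        end = len(s) - keep_end
        if end <= keep_start:
            return s                                  # nothing left to mask
        return s[:keep_start] + mask_char * (end - keep_start) + s[end:]
    return re.compile(pattern).sub(repl, body)


def scrub_response(body: str) -> str:
    """Apply the content filter checks in the order a response passes through them."""
    body = ccn_mask(body)
    body = ssn_mask(body)
    # Constructed PCRE mask: keep the "account id " prefix and the last two digits.
    return pcre_mask(body, r"account id \d{10}", keep_start=11, keep_end=2)


# Constructed response body (not from the guide).
SAMPLE_BODY = ("Order 4417 confirmed for card 4111 1111 1111 1111; "
               "alternate card 4111-1111-1111-1112 failed its checksum; "
               "SSN 123-45-6789; account id 9876543210.")

if __name__ == "__main__":
    print(scrub_response(SAMPLE_BODY))
```

The second card-shaped string in the sample is left alone because it fails the checksum, which is the kind of false positive a plain digit-count pattern would mask.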

Configuring Form Protection and Password Security


1. Select the Form Protection tab to display the list of security options that can be
used to configure web form options. A window similar to that shown below
appears.


Figure 21 : WAF Template – Form Protection

2. Turn on the CSRF Check button to tag the fields of a web form with a nonce (a
unique FormID). This check protects against cross-site request forgery (CSRF).
3. Turn on the Form Consistency Check button to check that the user input to a
web form field conforms to the intended format for that entry. For example, it
checks that a radio button is selected versus supplying a string for that form
field. WAF also parses HTTP bodies encoded as multipart/form-data. Extracted
form fields are verified against previously parsed HTML forms.
4. Turn on the Forms Not Using POST button to deny HTTP requests containing
forms if the method used is anything other than POST.
5. Turn on the Non-SSL Forms button to deny user passwords sent over a non-
encrypted connection. If the connection between the client and the WAF is
secured with SSL/TLS, the user password is allowed, but if the client attempts to
submit to a form field where “input type=password”, and if the connection is not
encrypted with SSL/TLS, the WAF blocks the transmission. For more information,
see Deny Passwords Sent Over an Unencrypted Connection .
6. Turn on the Caching of Form Responses button to add “no-cache directives”
when the HTTP response contains <form> tags. “no-cache” behavior is enforced
when the header is added: Cache-Control: no-cache

80
NOTE: The HTTP header "Cache-Control: no-cache" cannot be inserted if
the form element is positioned beyond 128KB in the HTML.

7. In the Password Security menu, turn on the Non-masked password fields button
to prevent “shoulder surfing” by denying the web server’s attempt to send a
form through the WAF unless the field type for the password field has been set
to “password”. (See Deny Unmasked Passwords.)
8. Turn on the Autocompleted Passwords button to deny web server attempts to
transmit a form if one of the form fields is of type “password” and its
“autocomplete” attribute is set to “on”. Enabling this option blocks browser
“autocomplete” behavior for passwords. Although convenient for users, password
auto-completion weakens security because the browser stores the user’s
passwords, and anyone with access to the browser profile can then recover or
reuse them. For more information, see Deny Passwords if Autocomplete is Enabled.
9. Turn on the Non-SSL Passwords button to deny HTTP requests containing forms if
the transport used is anything other than SSL/TLS.
10. Click Save to save your changes.

Configuring Brute Force Security


1. Select the Brute Force Security tab to display the list of options for detecting
and throttling repeated failed attempts (for example, password guessing against
a login form). A window similar to that shown below appears.


Figure 22 : Configure Brute Force Security parameters

2. Enable Brute Force Check for this template.


3. Enabling the Global option will cause the WAF to maintain a single counter for all
clients, as opposed to having a separate counter for each client. When this option
is selected, all clients will be locked out for the configured lockout period, once
the lockout-limit is reached. Similarly, all responses will include a challenge once
the challenge-limit is reached.
4. Specify Challenge Limit, the maximum number of triggers that can occur within
the test period. If this limit is breached, the WAF initiates all of the configured
challenge-actions against the client. If this field is set to zero, this effectively
disables the feature, as the challenge will never be sent.
5. Specify the Lockout Limit, the number of triggers that can occur within the test
period. If the limit is exceeded, the WAF denies all requests from this client
for the lockout period. If the lockout limit is set to zero, clients are never
locked out. The lockout-limit is a learned parameter, so in learning mode it is
set to the maximum number of triggers within a test period seen during learning.
6. Specify Lockout Period, the number of seconds that a client will be locked out
after breaching a threshold. If the lockout period is set to zero, then the client
will be locked out for the remainder of the current test period. In this way, this
option acts similar to a general rate limit.


7. Enable Response Codes to use a WAF policy file to define which response codes
count as a brute-force trigger.
8. Select the Response Codes File: the WAF policy file used to define which
response codes count as a trigger. You must supply a policy file that will be
used for matching before setting this parameter, as none of the default listed
files (e.g., bot_defs) would work. The policy file must contain a set of regular
expressions that are matched against the response status code.
9. Enable Response Headers to use a WAF policy file to define which response
headers count as a brute-force trigger.
10. Select the Response Headers File: the WAF policy file used to define which
response headers count as a trigger. You must supply a policy file that will be
used for matching before setting this parameter, as none of the default listed
files (e.g., bot_defs) would work. The policy file must contain a set of regular
expressions that are matched against the response headers.
11. Enable Response String to use a WAF policy file to define which response
status-line messages count as a brute-force trigger.
12. Select the Response String File: the WAF policy file used to define which
response status-line messages count as a trigger. You must supply a policy file
that will be used for matching before setting this parameter, as none of the
default listed files (e.g., bot_defs) would work. The policy file must contain a
set of regular expressions that are matched against the response status line.
13. Specify the Test Period in number of seconds for brute-force event counting.
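The interaction between Test Period, Challenge Limit, Lockout Limit, Lockout Period and Global is easiest to see in code. The Python below is an added example, not the ACOS implementation; its limits, the policy expressions for trigger responses and the client addresses are assumptions. It shows the two edge cases the steps above call out: a Lockout Period of 0 locks the client out only until the current test period ends, and a limit of 0 disables that action.

```python
import re
from dataclasses import dataclass


@dataclass
class BruteForceConfig:
    """Mirrors the template fields above; the values here are demo assumptions."""
    test_period: int = 60          # seconds per counting window
    challenge_limit: int = 3       # triggers allowed before challenge actions; 0 disables
    lockout_limit: int = 5         # triggers allowed before lockout; 0 disables
    lockout_period: int = 300      # seconds; 0 = locked out for the rest of the test period
    global_counter: bool = False   # one counter for all clients instead of one per client
    # Policy-file style regular expressions, matched against the response status
    # code and the response status line respectively (constructed for the demo).
    response_codes: tuple = (r"^401$", r"^403$")
    response_strings: tuple = (r"^HTTP/1\.[01] 200 .*login failed",)


@dataclass
class _Window:
    start: float
    triggers: int = 0
    locked_until: float = 0.0


class BruteForceGuard:
    def __init__(self, cfg: BruteForceConfig):
        self.cfg = cfg
        self.windows = {}          # client key -> _Window

    def _window(self, client: str, now: float) -> _Window:
        key = "*" if self.cfg.global_counter else client
        w = self.windows.get(key)
        if w is None:
            w = _Window(start=now)
        elif now - w.start >= self.cfg.test_period:
            w = _Window(start=now, locked_until=w.locked_until)   # counts reset, lockout survives
        self.windows[key] = w
        return w

    def is_locked(self, client: str, now: float) -> bool:
        """Request side: deny everything from a client that is still locked out."""
        return now < self._window(client, now).locked_until

    def on_response(self, client: str, status_code: int, status_line: str, now: float) -> str:
        """Response side: count a trigger when the backend's reply matches a policy
        expression, and return 'allow', 'challenge' or 'lockout'."""
        cfg, w = self.cfg, self._window(client, now)
        triggered = (any(re.search(p, str(status_code)) for p in cfg.response_codes)
                     or any(re.search(p, status_line) for p in cfg.response_strings))
        if not triggered:
            return "allow"
        w.triggers += 1
        if cfg.lockout_limit and w.triggers > cfg.lockout_limit:
            w.locked_until = now + cfg.lockout_period if cfg.lockout_period else w.start + cfg.test_period
            return "lockout"
        if cfg.challenge_limit and w.triggers > cfg.challenge_limit:
            return "challenge"
        return "allow"


if __name__ == "__main__":
    guard = BruteForceGuard(BruteForceConfig())
    # Constructed sequence: one client fails to log in six times within a window.
    for t in range(6):
        print(t, guard.on_response("203.0.113.7", 401, "HTTP/1.1 401 Unauthorized", now=float(t)))
    print("locked at t=10:", guard.is_locked("203.0.113.7", 10.0))
    print("locked at t=306:", guard.is_locked("203.0.113.7", 306.0))
```

With the Global option the key collapses to a single counter, so failures from several clients add up and the resulting lockout applies to a client that never sent a request, which is the trade-off the step describing Global points at.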

Create a WAF File


You can create WAF files that the WAF uses to parse and check incoming requests
containing XML, SOAP, or JSON content.
1. Hover over Security on the menu bar, then select WAF.
2. Select the WAF Files tab. A table of WAF files appears, similar to that shown in
Figure 23 below.
Figure 23 : Security > WAF > WAF Files

3. Enter a value in the Max Filesize field. Enter a value from 16–256 (KBytes). The
default value is 32 KB.
4. Click Create to create a new WAF Policy.
5. Select one of the following tabs:
l WAF Policies – see WAF Policy Files for background information.
The WAF Policy table lists the default policy files, such as “bot_defs”, “jscript_
defs”, and “sqlia_defs”. If the Bot Checks, Cross-Site Scripting (XSS) Check, or
SQL Injection Checks are enabled in a WAF template, the policy files can be
used to scrub incoming requests. For example, if the Bot Check option is
enabled in the WAF template and a match is found on an incoming request
(using the “bot_defs” file), the request will be denied automatically. You can
copy the “bot_defs” file and modify the contents to include or remove bot
search terms. Simply click the Edit link, make changes, and save the new copy.

To configure, click the Create button in the WAF Policy section. A window
similar to that shown in Figure 24 appears.
~ Select the Local radio button, to enter the name and definition, and then click
Create.
~ Select the Remote radio button, to enter the name, transport protocol (e.g.,
TFTP, FTP, SCP, SFTP), Host IP/FQDN, Port, Location, and user credentials
(user/password) for the server where the file is located. Then click Create.
l XML Schemas – see WAF XML Checks for background information.
To configure, click the Create button in the XML Schemas section.
~ Select the Local radio button, then enter the name and definition, and click
Create.
~ Select the Remote radio button, enter the name, transport protocol, Host
IP/FQDN, and path to the file. Then click Create.
l SOAP WSDLs – see WAF SOAP Checks for background information.
To configure, click Create in the SOAP WSDL section.
~ Select the Local radio button, then enter the name and definition, and then
click Create.
~ Select the Remote radio button, enter the name, transport protocol (e.g.,
TFTP, FTP, SCP, SFTP), Host IP/FQDN, Port, Location, and optional credentials
(user/password) for the server where the file is located. Then click Create.


Figure 24 : WAF > Files > (WAF Policy/XML Scheme/SOAP WSDL) > Create

6. Click the Update button.

Configure an HTTP Policy Template


You can configure ACOS to override the WAF settings applied to the HTTP/HTTPS
virtual port with another set of WAF settings, using an HTTP policy template. You
can configure rules in the HTTP policy template to match on URLs, hostnames, or
cookie names in traffic.
For a general discussion of configuring an HTTP Policy Template, see Overriding a
WAF Template.

Configure an HTTP Policy Template to Override a WAF Template


You can configure an HTTP policy template as follows:
1. Hover over Security on the menu bar, then select WAF.
2. Select the HTTP Policy tab. A table listing the configured HTTP Policies appears.
3. Click the HTTP Policy drop-down button to create a new HTTP Policy Template,
or click the three dots icon in the Actions column of an existing row and select
Edit. The HTTP Policy window appears.

4. Under the Host section, click +Add Host.
Figure 25 : HTTP Policy

5. The Name field is not editable, since this example shows how to update an
existing HTTP policy template.
6. In the Match Condition field, enter the condition associated with this HTTP
Policy.
7. In the WAF Template section of the window, select the WAF template to bind.
8. Click the check mark under +Add Host, to save the host URLs.
9. Under URLs section, configure Match Conditions on URLs, or WAF Template
settings. Client requests that match a rule in the HTTP policy template are
handled using the alternative WAF template that you bind to the HTTP policy
template.
10. To configure rules for matching:

a. Click the Match Condition drop-down list and select the match operation:
l Starts With
l Ends With
l Contains
l Equals
These match options are always applied in the order shown above, regardless
of the order in which the rules appear in the configuration. The WAF template
associated with the rule that matches first is used.
If a template has more than one rule with the same match option (equals,
starts-with, contains, or ends-with) and a URL matches on more than one of
them, the most-specific match is always used.
b. From the WAF drop-down menu, select the WAF template to which to bind
this HTTP policy template. The WAF template you select will be used for
traffic that matches the rule.
c. Click the check mark under Add URL button.
d. Repeat this process for each rule you wish to add to the HTTP Policy.
11. Click the Add button to save your changes.
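As an added example (not the ACOS implementation) of the rule selection described in step 10, the Python below picks the WAF template for a request URL: operators are tried in a fixed precedence regardless of the order the rules were entered, and among hits with the same operator the longest pattern, as the most specific one, wins. The precedence tuple uses the order given in the parenthetical (equals, starts-with, contains, ends-with), which puts the most specific operator first; the drop-down lists the operators in a different order, so confirm the effective order in the CLI reference for your release before relying on it. The rules and template names are constructed for the demonstration.

```python
from dataclasses import dataclass

# Operator precedence: the most specific operator is tried first, regardless of
# the order the rules were entered. Assumption: this follows the parenthetical
# list above; verify against the CLI reference for your release.
PRECEDENCE = ("equals", "starts-with", "contains", "ends-with")


@dataclass(frozen=True)
class UrlRule:
    op: str             # one of PRECEDENCE
    pattern: str
    waf_template: str   # WAF template bound to this rule


def _matches(op: str, pattern: str, url: str) -> bool:
    if op == "equals":
        return url == pattern
    if op == "starts-with":
        return url.startswith(pattern)
    if op == "contains":
        return pattern in url
    if op == "ends-with":
        return url.endswith(pattern)
    raise ValueError(f"unknown match operation {op!r}")


def select_waf_template(url: str, rules, default_template: str, precedence=PRECEDENCE) -> str:
    """Pick the WAF template for a request URL: the first operator in precedence
    with a hit wins; among several hits with that operator the longest pattern
    (the most specific one) wins; no hit means the virtual port's own template."""
    path = url.split("?", 1)[0]              # design choice here: match the path, not the query string
    for op in precedence:
        hits = [r for r in rules if r.op == op and _matches(op, r.pattern, path)]
        if hits:
            return max(hits, key=lambda r: len(r.pattern)).waf_template
    return default_template


# Constructed policy (names are demo assumptions), deliberately entered out of precedence order.
RULES = (
    UrlRule("contains", "/api/", "waf-api-generic"),
    UrlRule("starts-with", "/api/", "waf-api-v1"),
    UrlRule("starts-with", "/api/v2/", "waf-api-v2"),
    UrlRule("ends-with", ".php", "waf-php"),
    UrlRule("equals", "/api/health", "waf-monitoring"),
)

if __name__ == "__main__":
    for u in ("/api/health", "/api/v2/users?id=1", "/api/v1/legacy.php", "/index.php", "/static/app.js"):
        print(f"{u:24} -> {select_waf_template(u, RULES, 'waf-default')}")
```

The /api/v1/legacy.php case is the one to watch: it matches both a starts-with rule and the .php ends-with rule, and the precedence, not the rule order, decides which WAF template inspects it.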

Configure External Logging (recommended)


Although optional, A10 Networks strongly recommends configuring external logging.
It is the only mechanism supported for accessing WAF log messages.
Logging of WAF events to external logging servers is supported over TCP or UDP,
although UDP is typically used for Syslog.
You can configure logging to a single server or a group of servers. If you use a group
of servers, ACOS balances the log traffic among the servers for optimal efficiency.

Configuration Overview
To configure web logging:


1. Create a server configuration for each log server. On each server, add a UDP
port with the port number on which the log server listens for log messages.
(While either TCP or UDP would work, Syslog typically uses UDP.)
2. Add the log servers to a service group. Make sure to use the round-robin load-
balancing method. (This is the default method.)
3. (Optional) If logging over TCP, configure a TCP-proxy template to customize TCP
settings for connections between ACOS and the log servers. For example, you
can enable use of keepalive probes to ensure that the TCP connections with the
log servers remain established during idle periods between logs.
4. Configure a logging template. Add the service group containing the log servers
to the logging template. If you configure a custom TCP-proxy template, also add
that template to the logging template.
5. Apply the logging template to the WAF template.

External logging is activated once you bind the WAF template to a virtual port.

Configure Log Servers


1. Hover over ADC on the menu bar, then select SLB.
2. Select the Servers tab.
3. Click Create.
A window similar to that shown below appears:


Figure 26 : Create WAF Logging server

4. In the Name field, enter a name for the external log server.
5. Using the Type radio buttons, select IPv4, IPv6, or FQDN.
6. In the Host field, enter the server’s IP address or FQDN.
7. In the Port section of the window, configure the protocol port information:
a. Click Create.
b. Enter the following:
l Port Number – enter the port number in this field (514, which is the default
for Syslog)
l Protocol – click the drop-down and select UDP protocol for this port.
l Range – enter the range of port values
l Health Check – select one of the radio buttons for Default, Disable,
Monitor, Follow Port
l Connection Limit – enter a value ranging from 1-8000000.
l Select the No Logging On/Off button.
l Click Create. The port appears in the list of ports for this server.
8. Click Create again. The server appears in the list of servers.
9. Repeat this process to add additional servers, as needed.


Add Server to Service Group


1. Hover over ADC on the menu bar, then select SLB.
2. Select the Service Groups tab.
3. Click Create.
A window similar to that shown below appears:
Figure 27 : Create Service Group

4. Enter a name for the service group in the Name field.


5. Click the Protocol drop-down and select UDP from the list. (TCP is also
supported, but is not recommended for Syslog.)
6. Click the Algorithm drop-down and select the desired load balancing algorithm
(e.g., Round Robin, Least Connection).
7. If desired, select the Health Check Disable On/Off button, or if health checks are
desired, then select one from the Health Monitor drop-down menu.
8. In the Member section, click Create to add the server.
A window similar to that shown below appears:


Figure 28 : Adding a Member to the Service Group

a. Under Choose creation type, select the Existing Server radio button.
b. Click the Server drop-down list and select the server(s) you just created in
Configure Log Servers.
c. Enter 514 in the Port field, since we are using Syslog. (Use the same number
as specified in the server config).
d. In the Priority field, enter an appropriate value from 1-16.
Assign a higher priority number to the primary servers, and assign lower
numbers for the servers that will be used as backups. By default, the ACOS
device will not use the lower-priority backup servers unless all of the primary
servers are down. The same priority number must be used for all the primary
servers, but keep in mind that assigning the same priority value to the
primary servers will cause the logs to be load balanced across the primary
servers, and will NOT cause duplicate copies of the logs to be sent to multiple
primary servers. For a detailed discussion and background information on
how Priority works, please see the “Priority Affinity” section in the
Application Delivery Controller Guide.
e. (Optional) Click the Template drop-down and select an HTTP template.
f. Click the State drop-down menu and select Enable or Disable to decide if the
server will be active or not.
g. (Optional) Select the Stats Data Disable On/Off button if you wish to disable
statistical data collection for system resources, such as CPU, memory, disk, or
interfaces.


h. Click the Create button.


i. Repeat these steps for each server to add to this service group.
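The priority behaviour described in step d, as an added Python illustration (this is not A10 code and does not model how ACOS implements it internally): healthy members sharing the highest priority value receive logs round-robin, and lower-priority backups are used only when every higher-priority member is down. The member names, ports and health states are constructed sample values.

```python
from dataclasses import dataclass


@dataclass
class Member:
    """One service-group member (constructed sample data, not an ACOS object)."""
    name: str
    port: int
    priority: int        # 1-16 as in the GUI Priority field; higher is preferred
    up: bool = True      # assumed result of the health check


class LogServerSelector:
    """Picks the member that should receive the next log message.

    Only members that are up are considered. Among them, the highest priority
    value present wins, and members sharing that value are used round-robin,
    so logs are load balanced across the primaries rather than duplicated.
    """

    def __init__(self, members):
        self.members = list(members)
        self._next_index = {}    # priority level -> position of the next pick

    def candidates(self):
        """Healthy members at the highest priority currently available."""
        up = [m for m in self.members if m.up]
        if not up:
            return []
        best = max(m.priority for m in up)
        return [m for m in up if m.priority == best]

    def pick(self):
        """Return the member for the next log, or None if every member is down."""
        group = self.candidates()
        if not group:
            return None
        level = group[0].priority
        i = self._next_index.get(level, 0) % len(group)
        self._next_index[level] = i + 1
        return group[i]


def demo_sequence(selector, n):
    """Names of the members chosen for n consecutive log messages."""
    return [m.name if m else None for m in (selector.pick() for _ in range(n))]
```

The selector keeps a separate round-robin position per priority level, so when the primaries recover the backup's position does not skew distribution across the primaries.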

Configure the Logging Template


1. Hover over ADC on the menu bar, then select Templates.
2. Select the General tab.
3. Click the Create button, and from the drop-down menu that appears, select
Logging.
A window similar to that shown below appears:
Figure 29 : Create Logging Template

4. In the Name field, enter a name for the template.


5. In the Format field, enter the log format. (See WAF Log Examples.)
6. In the Local Logging field, enter the local logging information.
7. Click the Service Group drop-down menu and select the service group that
contains the log servers.
8. For the PCRE Mask radio button, select Enable or Disable. (See Writing PCRE
Expressions for details.)
9. If you configured a custom TCP-proxy template for logging over TCP, select the
template from the drop-down.
10. Click the OK button.


Apply the Log Template to the WAF Template


1. Hover over Security on the menu bar, then select WAF.
2. Select the WAF Templates tab.
3. Click the Edit link next to the desired WAF template name to display the General
Settings. (See Add/Edit a WAF Template ).
4. Click the Logging Template drop-down menu and select the logging template
created.
5. Click the Update button.

Configuring WAF Using CLI

The WAF operates on traffic that is addressed to the virtual IP address (VIP) and
HTTP/HTTPS virtual port of your website. To apply WAF protection to the virtual
port, basic configuration is required. Additional, advanced configuration is optional.
This section describes how to configure the WAF using the command-line interface
(CLI).

NOTE: For deployment examples, see Deployment and Logging Examples.

The following topics are covered:


Required Configuration 96
External Logging Configuration 99
Optional Configuration 101


Required Configuration
The minimum required configuration for the WAF consists of the following tasks:
1. Create a WAF template.
2. Bind the WAF template to the HTTP/HTTPS virtual port on the VIP.

NOTE: Configuration of the other SLB resources required by the virtual port, such
as real servers and service groups, is not covered here. However, the
deployment examples in this guide include the commands for
configuring these resources. (See Deployment and Logging Examples.)

Creating a WAF Template


To create or modify a WAF template, use this command at the global configuration
level of the CLI:
waf template template-name

For the template-name option, enter the name of an existing WAF template to
modify the template’s configuration, or an unused name to create a new WAF
template. This command enters the CLI configuration level for the template.
If you plan to use all the default settings for the template (including Active Mode
operation) no further template configuration is required. To customize template
settings, see Optional Configuration.
You can also create a WAF template by inheriting the configuration of another
template. See Creating a WAF Template using Inheritance.

Creating a WAF Template using Inheritance


The WAF template configuration has many fields, so defining a complete template at
every level is time consuming. To avoid reconfiguring the same WAF template details
on the virtual-port WAF and on the URL/Host WAF, you can use the parent template
waf command.

The child configuration inherits all the features of the parent configuration and
overrides only the specific features that need changes.


This feature has the following limitations:


l The child template can inherit the configuration from one parent only; multiple
inheritance is prohibited.
l The inheritance is supported at one level only; the parent template cannot inherit
the configurations from another template.
l After downgrading, the inheritance configuration will be removed and the child
template will lose its true configuration. You will have to reconfigure the child
template.
l The following configurations are not inherited:
o Logging template
o Deploy mode
o Deny action
o Cookie security
o PCRE mask
o Referer check
o xml-content-validation
o redirect-whitelist
o url-learned-list

Consider an existing WAF template waf-temp-parent. Use the following commands
to create another template, waf-temp-child, that inherits the features of this
template:
ACOS(config)# waf template waf-temp-child
ACOS(config-waf)# parent template waf waf-temp-parent

Bind the WAF Template to the HTTP/HTTPS Virtual Port


The WAF template goes into operation after you bind the template to an HTTP/HTTPS
port.
To bind a template to a virtual port, you must access the configuration level for the
port.


1. From the global configuration level of the CLI, use the following command to
access the configuration level for the virtual server that will receive HTTP/HTTPS
traffic to be secured using the WAF:
slb virtual-server name ipaddr

2. At the configuration level for the virtual server, use the following command to
access the configuration level for the virtual port:
port port-number {http | https}

3. At the configuration level for the virtual port, use the following command to bind
the WAF template to the port:
template waf template-name

OWASP Top 10 Compliance


Content Security Policy (CSP) is a tool used for application security, mitigating the
risk of DDOS content injection vulnerabilities like cross-site scripting, and reducing
the run-time privileges of applications.
CSP protects against cross-site scripting attacks by ensuring that the site’s trusted
Content Delivery Network is the only origin from which script can load and execute.
No plug-ins can execute in the page context:
Content-Security-Policy: script-src https://cdn.example.com/scripts/;
object-src 'none'

The CSP HTTP response header helps reduce XSS risks on modern browsers by
declaring, through an HTTP header, which dynamic resources are allowed to load.
Server administrators can reduce or eliminate errors caused by executable scripts by
specifying the domains that the browser should consider valid sources of scripts.
CSP allows multiple policies for a resource, delivered through the CSP header, the
CSP-Report-Only header and a <meta> element. You can use the CSP header more
than once.


CLI Configuration
To support OWASP Top 10 Compliance, a new configuration mode, “csp”, is added in
the WAF template.
To configure CSP, go to WAF template configuration mode using the waf template
command:
ACOS(config)# waf template xyz

Use the csp command as follows in config-waf mode to replace the server’s CSP
header if it exists:
ACOS(config-waf)# csp csp1 insert-if-not-exist

By default, CSP is disabled. Otherwise, use “insert-always” to insert a separate CSP
header:
ACOS(config-waf)# csp csp1 insert-always

If no CSP policy is provided, the default value “script-src 'self'; object-src
'self'” is used.
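The two insertion modes and the default policy above, as an added Python example (this is not A10 code and does not model ACOS internals). It also checks a script URL against every CSP header on a response, because a browser enforces each policy it receives and a resource must be allowed by all of them, which is why adding a second header with insert-always can only tighten what the server's own policy permits. Assumptions: insert-if-not-exist adds the header only when the server sent none (the plain reading of the keyword; confirm against your release); source matching is simplified to scheme, host and path prefix, and keywords other than 'self' and 'none' are treated as not matching; the header values are constructed.

```python
from urllib.parse import urlsplit

# Default policy named in the guide when no CSP policy is supplied
DEFAULT_POLICY = "script-src 'self'; object-src 'self'"
CSP = "Content-Security-Policy"


def apply_csp(headers, policy=DEFAULT_POLICY, mode="insert-if-not-exist"):
    """Return a new (name, value) header list with the CSP policy applied.

    insert-if-not-exist: add our header only when the server sent none
    (assumed reading of the keyword). insert-always: add a separate CSP
    header even when the server already sent one.
    """
    if mode not in ("insert-if-not-exist", "insert-always"):
        raise ValueError(f"unknown csp mode: {mode}")
    has_csp = any(name.lower() == CSP.lower() for name, _ in headers)
    out = list(headers)
    if mode == "insert-always" or not has_csp:
        out.append((CSP, policy))
    return out


def parse_csp(policy):
    """'script-src a b; object-src 'none'' -> {'script-src': ['a', 'b'], ...}"""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _origin(url):
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()


def _source_matches(source, url, page_origin):
    """Simplified CSP source matching: 'none', 'self', scheme://host[/path]."""
    if source == "'none'":
        return False
    if source == "'self'":
        return _origin(url) == page_origin.lower()
    if source.startswith("'"):          # nonces, hashes, 'unsafe-inline': not modelled
        return False
    if "://" not in source:             # host-only source: assume the page's scheme
        source = page_origin.split("://")[0] + "://" + source
    src, tgt = urlsplit(source), urlsplit(url)
    if src.scheme != tgt.scheme or src.netloc.lower() != tgt.netloc.lower():
        return False
    if src.path in ("", "/"):
        return True
    if src.path.endswith("/"):          # path prefix match
        return tgt.path.startswith(src.path)
    return tgt.path == src.path


def script_allowed(headers, script_url, page_origin):
    """True only if every CSP header on the response permits script_url."""
    for name, value in headers:
        if name.lower() != CSP.lower():
            continue
        directives = parse_csp(value)
        sources = directives.get("script-src", directives.get("default-src"))
        if sources is None:
            continue                    # this policy does not restrict scripts
        if not any(_source_matches(s, script_url, page_origin) for s in sources):
            return False
    return True
```

Running `script_allowed` on a response after `apply_csp(..., mode="insert-always")` shows the intersection effect: a CDN script allowed by the server's own header is blocked once the default 'self'-only policy is added alongside it.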

External Logging Configuration


Although optional, A10 Networks strongly recommends external logging. It is the
only mechanism supported for accessing WAF data event messages.
To configure external logging for WAF:
1. Create a server configuration for each log server. Add a TCP or UDP port to each
server configuration, with the port number on which the external log server listens for
log messages.
a. Use the following command to add a server and access the configuration level
for it:
slb server server-name ipaddr

b. Use the following command to add a TCP or UDP port to the server. Specify
the port number on which the server will listen for log traffic.
port port-num {tcp | udp}

2. Add the log servers to a service group. Make sure to use the round-robin load-
balancing method (this is the default method).
a. Use the following command to add the service group and access the
configuration level for it:
slb service-group group-name {tcp | udp}

b. Use the following command to add each log server and its TCP or UDP port to
the group:
member server-name portnum

3. (TCP only) If logging over TCP, configure a TCP-proxy template to customize TCP
settings for connections to log servers. For example, you can enable use of
keepalive probes, to ensure that the TCP connections with the log servers remain
established during idle periods between logs.
a. Use the following command to create the TCP-proxy template and access the
configuration level for it:
slb template tcp-proxy template-name

b. Use the following command to set keep-alive probes:
keepalive-probes num

4. Configure a logging template:


a. Use the following command to create the logging template and access its
configuration level:
slb template logging template-name

b. Use the following command to add the service group containing the log
servers to the logging template:
service-group group-name

c. If you configured a TCP-proxy template, use the following command to add
that template to the logging template:
template tcp-proxy template-name

5. Bind the logging template to the WAF template:


a. Use the following command to access the configuration level for the WAF
template:
waf template template-name

b. Use the following command to bind the logging template to the WAF
template:
template logging template-name

NOTE: External logging is activated once you bind the WAF template that uses
the logging template to an HTTP/HTTPS virtual port.

NOTE: The following log is generated when external logging is configured and
the form-check {request-non-post | response-non-post} command is used.
For sensitive data in forms, the server requests that the client submit
using the POST method. If the POST form method is not used in the HTTP
response, a warning message is logged.

Optional Configuration
This section provides syntax for optional WAF configurations.

The following topics are covered:


Set Deployment Mode 102
Customize WAF Policy Files 102
Configure Security Checks for Requests 103
Configure Security Checks for Responses 109


Set Deployment Mode


The default operational mode for WAF is active. To change the operational mode, use
the following command at the configuration level for the WAF template:
deploy-mode {active | passive | learning}

You can deploy WAF in one of the following operational modes:


l active – The WAF enforces the security checks configured on the template and
sends events to the external log server.
l passive – The WAF sends events to the external log server only and does not
enforce any security checks.
l learning – The WAF template “learns” acceptable check parameters based on a
stream of legitimate, secure traffic. In Learning Mode, the WAF continues to send
events to the external log server.

For more information, see WAF Operational Modes.

Customize WAF Policy Files

CAUTION: A mis-configured PCRE expression can negatively impact system
performance. Do not apply a PCRE expression to a WAF policy file
unless you are completely certain that the PCRE expression will achieve
the desired result.

The WAF is pre-loaded with a set of default policy files which are used for certain
security checks. For example, if you enable bot checking with the WAF template, the
default “bots_def” WAF policy file is used for a list of known bot names. (See Bot
Check.)
Optionally, you can customize WAF policy files and apply these files to security
checks. For example, you can copy the default bots policy file, modify and import the
copied file, then update the corresponding WAF template option to use the custom
policy file.
For more information, see WAF Policy Files.


Configure Security Checks for Requests


To configure individual WAF security checks for requests, use the following
commands:
l http-protocol-check > allowed-methods method-list – Use this command to
specify the HTTP methods (GET, POST, and so on) that are allowed in requests.
l request check – This option contains commands for different checks on bots,
black lists, white lists, referers, and so on.
o bot-check – Use this command to check the user-agent of incoming requests for
known bots. This check uses the list of defined bots in the “bot_defs” WAF
policy file. See Bot Check.
o referer-check {enable | only-if-present}
referer-domain-list referer-safe-url – Use this command to validate that
the referer header in a request contains web form data from the specified web
server, rather than from an outside website. This check protects against CSRF
attacks.
o enable – always validates the referer header. If selected, the request fails the
referer check if there is no referer header or if the referer header is invalid.
o only-if-present – validates the referer header only if a referer header exists.
If the check finds an invalid referer header, the request fails the check.
However, the request does not fail the check if there is no referer header in
the request.
o session-check secs – This command creates an ID for a client request and
inserts it in a cookie in the response. Future requests from the same client are
validated against the session cookie. If the ID or IP does not match, the
request is rejected. The default lifetime for the session ID is 600 seconds.
See Session Checks.
o sqlia-check {reject} – Use this command to check and deny requests that
contain SQL injection attacks. This check uses the list of defined SQL commands
in the “sqlia_defs” WAF policy file. See SQL Injection Attack Check.
o url-blacklist file-name – Enforces the rules contained within a WAF policy file
for the URI Black List. For more information, see URI Black List.


o url-whitelist file-name – Enforces the rules contained within a WAF policy file
for the URI White List. For more information, see URI White List.
o url-learned-list – The URL Check allows users to access web pages only by
clicking hyperlinks on your protected website, as opposed to allowing users to
access hidden web pages by typing the full URL in the browser. Select this
option to prevent users from manually typing the URL for content on your
website that you do not want accessible.
The list of approved URL paths is initially generated as a policy file during
Learning Mode. After this list is generated, you can customize the contents of
the URL Check policy file. For a deployment example that includes configuration
of the URL Check, see Generate Allowed URL Paths for the URL Check.
o xss-check – Enable this command to protect against cross-site scripting
attacks. Requests containing cross-site scripts are denied. This check uses the
list of defined JavaScript commands in the jscript_defs WAF policy file. See
XSS Check.
l http-limit-check option – Use this command and its sub-options to configure
checks for attempts to cause a buffer overflow on the web server.
o max-content-length – Sets the maximum length of content.
o max-cookie-header-length bytes – Sets the maximum length for cookie headers
allowed in requests.
o max-cookie-name-length bytes – Sets the maximum length for cookie names in
requests.
o max-cookie-value-length bytes – Sets the maximum length for cookie values in
requests.
o max-cookies bytes – Sets the maximum number of cookies allowed in requests.
o max-cookies-length bytes – Sets the length of total cookies allowed in
requests.
o max-entities bytes – Sets the maximum number of MIME entities allowed in
requests.
o max-header-length bytes – Sets the maximum header length allowed in
requests.


o max-header-name-length bytes – Sets the maximum header name length
allowed in requests.
o max-header-value-length bytes – Sets the maximum header value length
allowed in requests.
o max-headers bytes – Sets the total number of headers allowed in requests.
o max-headers-length bytes – Sets the total headers length allowed in requests.
o max-param-name-length bytes – Sets the maximum query/POST parameter name
length allowed in requests.
o max-param-value-length bytes – Sets the maximum query/POST parameter value
length allowed in requests.
o max-params bytes – Sets the total number of query/POST parameters allowed in
requests.
o max-params-length bytes – Sets the total query/POST parameters length
allowed in requests.
o max-post-length bytes – Sets the maximum content length allowed in HTTP
POST requests.
o max-query-length bytes - Sets the maximum query length allowed in requests.
o max-request-length bytes – Sets the maximum length of requests.
o max-request-line-length bytes - Sets the maximum line length allowed in
requests.
o max-url-len bytes – Sets the maximum URL length allowed in requests.
l form-protection – Use the commands in this option to protect web forms.
o csrf-check – Use this command to tag the fields of a web form with a nonce.
This check protects against cross-site request forgery (CSRF). See XSS Check.
o field-consistency-check – Use this command to check the consistency of form
input.
o form-check – Use this command to check the consistency of the whole form.
o caching – Disables caching of form-containing responses.
o non-ssl – Denies requests with forms if the protocol is not SSL.
o request-non-post – Denies requests with forms if the method is not POST.


o password-check – Use this command to check the handling of passwords in forms.
o autocomplete – Denies the web server’s attempt to transmit the form if one of the
form fields is of type “password” and its “autocomplete” attribute is set to
“on”. Enabling this option blocks browser “autocomplete” behavior. Although
convenient for users, password auto-completion weakens security by allowing
browsers to store user passwords in order to later guess the user’s password
for some websites. See Deny Passwords if Autocomplete is Enabled.
o non-masked – Prevents “shoulder surfing” by denying the web server’s
attempt to send a form through the WAF unless the field type for the
password field has been set to “password”. See Deny Unmasked Passwords.
o non-ssl – Denies user passwords that are sent over a non-encrypted
connection. If the connection between the client and the WAF is secured with
SSL/TLS, the user password is allowed; but if the client attempts to submit a
form field where “input type=password” and the connection is not encrypted
with SSL/TLS, the WAF blocks the transmission. The feature is disabled by
default, meaning that forms not using the SSL/TLS protocol are not denied. See
Deny Passwords Sent Over an Unencrypted Connection.
l deny-action response-type – Use this command to specify the type of response
string sent to a client when the WAF denies a request.
o http-resp-403 resp-string – Sends a 403 Forbidden response to the client.
The default string returns a generic “Request Denied!” page to the client.
o http-resp-200 resp-string – Sends a 200 OK response to the client with the
specified resp-string. The default string returns a generic “Request Denied!”
page to the client.
o http-redirect url-string – Sends a 302 Found redirection to the client with
the URL specified in url-string.
o reset-conn – Terminates the client connection.
l json-check – Checks that incoming requests containing JSON code are in
compliance with RFC 4627, and blocks requests if the JSON content is not well-
formed.


o format-check – Checks that the HTTP body is compliant with the JSON format.
o max-array-values num – Limits the maximum number of values within a single
array in a JSON request.
o max-depth num – Limits the maximum recursion depth in a JSON value.
o max-object-members num – Limits the number of members in a JSON object.
o max-string-length num – Limits the length of a string in a JSON request for a
name or a value.

l log-succ-reqs – Enabling this option logs a debug message on the successful
completion of WAF requests, and not just for errors.
l soap-format-check – Checks XML documents for SOAP format compliance and
blocks those which are not well-formed. SOAP format checks are typically done in
tandem with XML format checks. See WAF SOAP Checks for details.
l xml-check – Contains different commands for XML parsing limits. (See XML Limit
Checks for details.)
o format – Checks the HTTP body for XML format compliance. Incoming requests
containing XML code are checked for compliance with the XML 1.0 specification.
(See XML Format Checks for details.)
o max-attr num – Limits the maximum number of attributes/children each
individual element is allowed to have.
Range is 1–256. Default is 256.
o max-attr-name-len num – Limits the maximum length of each attribute name.
Range is 1–2048. Default is 128.
o max-attr-value-len num – Limits the maximum length of each attribute value.
Range is 1–2048. Default is 128.
o max-cdata-len num – Limits the length of the CDATA section for each element.
Range is 1–65535. Default is 65535.
o max-elem num – Limits the maximum number of any one type of element per XML
document.
Range is 1–8192. Default is 1024.
o max-elem-child num – Limits the maximum number of children each element is
allowed, and includes other elements, character information, and comments.
Range is 1–4096. Default is 1024.


o max-elem-depth depth – Limits the maximum number of nested levels in each
element.
Range is 1–4096. Default is 256.
o max-elem-name-len length – Limits the maximum length of the name of each
element, and includes the XML path, which is in the following format:
http://<site>/<path>/page.xml
Range is 1–65535. Default is 128.
o max-entity-decl num – Limits the number of entity declarations allowed.
Range is 0–1024. Default is 1024.
o max-entity-depth num – Limits the maximum depth of entity expansions.
Range is 0–32. Default is 32.
o max-namespace num – Limits the number of namespace declarations in an XML
document.
Range is 0–256. Default is 16.
o max-namespace-uri-len num – Limits the URL length for each namespace
declaration.
Range is 0–1024. Default is 256.
o sqlia – Checks XML data against the SQLIA policy. Checking for XML SQL injection
attacks means the WAF examines the headers and bodies of incoming requests
for inappropriate SQL special characters or keywords that might indicate the
presence of an SQL injection attack. (See XML SQL Injection Checks for details.)
o xss – Checks XML data against the XSS policy. The XML cross-site scripting check
examines the headers and bodies of incoming XML requests for JavaScript
keywords that might indicate possible cross-site scripting attacks and blocks
those requests. (See XML Cross-Site Scripting Checks for details.)
l evasion-check – The commands in this option are used to normalize requested
URLs and prevent buffer overflows from long URLs.
o decode-entities – Decodes entities in an internal URL.
o decode-escaped-chars – Decodes escaped characters, such as \r or \n, in an
internal URL.
o decode-plus-chars – Decodes '+' as a space in the URL, so that pattern matching
inside the WAF module is consistent.


o decode-unicode-chars – Decodes evasion attempts that use %u encoding of Unicode
characters to bypass checks.
o dir-traversal – Checks for directory traversal attempts.
o invalid-hex-encoding – Decodes hexadecimal characters, such as \%xx and
\%u00yy, in an internal URL.
o multiple-slashes – Decodes evasion attempts that use multiple slashes/backslashes.
o remove-comments – Removes comments from an internal URL.
o remove-spaces – Removes spaces from an internal URL.

l xml-content-validation – Checks incoming requests against an XML schema file
to validate the XML content. Used to prevent attackers from using invalid XML
messages that have been specially constructed to evade application security. (See
XML Validation Checks for details.)
o xml-schema – Specifies an XML schema file to verify XML body contents.
o wsdl – Specifies a WSDL file to verify XML body contents.

Configure Security Checks for Responses


To configure individual WAF security checks for responses, use the following
commands:
l data-leak-prevention – Contains the following commands:
o ccn-mask – Use this command to examine strings of outbound replies from the
web server for patterns of numerical characters that resemble credit card
numbers (CCN). If the WAF identifies a credit card number, the WAF replaces all
but the last four digits of the credit card number with “x” characters.
o pcre-mask options pcre-pattern – Use this command to mask patterns in a
response that match the specified PCRE pattern. For options, you can enter the
following:
o keep-end num-length – Specifies the number of unmasked characters at the
end of the string. The default is 0.
o keep-start num-length – Sets the number of unmasked characters at the
beginning of the string. The default is 0.


o mask character – Selects a character to mask the matched pattern of a string.
The default is x.
For pcre-pattern, enter a PCRE expression. (See Writing PCRE Expressions.)

NOTE: You can configure PCRE patterns to match only on a fixed-length
string. For this reason, wildcard characters that can mask
excessively long strings (* and +) are not supported.

If either the asterisk (*) or plus symbol (+) is detected during the
syntax check, the syntax check will automatically fail. To use an
expression that matches an actual “*” or “+” character, use an
escape character (\) before the matched symbol. For example, to
search for the actual asterisk (*) or plus character (+), enter “\*”
or “\+”.

o ssn-mask – Use this command to examine server responses for strings that
resemble US Social Security numbers and mask all but the last four digits of the
string with “x” characters in the response.
o response-cloaking – Contains the following commands for cloaking responses:
o filter-headers – Use this command to remove the web server’s identifying
headers in outgoing responses.
o hide-status-codes – Cloaks 4xx and 5xx response codes for outbound
responses from the web server.

NOTE: Do not enter the secret-encrypted option when configuring this
check. This option is placed into the configuration by the WAF
to indicate that the string is the encrypted form.

l cookie-security – Contains commands to configure protection for cookies.
Use this command to encrypt specified cookies matching a PCRE pattern. Used to
protect against cookie tampering by encrypting cookies before sending the server
replies to a client. (See Cookie Encryption.)
o add-http-only – Adds the HttpOnly flag to cookies that are not part of the
set-cookie policy list.


o add-samesite – Adds the SameSite attribute to cookies that are not part of the
set-cookie policy list.
o add-secure – Adds the Secure flag to cookies that are not part of the set-cookie
policy list.
o encrypt – Encrypts cookies that are not part of the set-cookie policy list.
o grace-period – Allows unrecognized cookies for the specified period of time
after cookie encryption is applied. The default value is 120 minutes.
o session-cookie-only – Encrypts only session cookies.
o set-cookie-policy – Sets the policy for cookies in the set-cookie header.
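The ccn-mask, ssn-mask and pcre-mask keep-start/keep-end/mask behaviour described under data-leak-prevention above, as an added Python example (this is not A10 code and does not model ACOS internals). The credit-card and SSN patterns are simplified, and the card pattern is Luhn-checked before masking so that arbitrary 16-digit strings such as order numbers are left alone; that check is the example's own refinement and is not stated in the guide. The sample response text is constructed.

```python
import re

# Simplified patterns: 13-16 digits with optional space/dash separators, and
# the NNN-NN-NNNN SSN layout. Real deployments need tighter patterns.
CCN_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits):
    """Luhn checksum over a digit string; filters out non-card digit runs."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def mask_match(text, keep_start=0, keep_end=0, mask="x"):
    """pcre-mask semantics: mask everything except keep_start leading and
    keep_end trailing characters of the matched string."""
    cut = len(text) - keep_end
    if keep_start >= cut:               # nothing left to mask
        return text
    return text[:keep_start] + mask * (cut - keep_start) + text[cut:]


def pcre_mask(body, pattern, keep_start=0, keep_end=0, mask="x"):
    """Mask every match of pattern in body (pattern is a Python re, a PCRE subset)."""
    return re.sub(pattern, lambda m: mask_match(m.group(0), keep_start, keep_end, mask), body)


def ccn_mask(body):
    """Mask all but the last four digits of Luhn-valid card-number candidates."""
    def repl(m):
        candidate = m.group(0)
        if luhn_ok(re.sub(r"\D", "", candidate)):
            return mask_match(candidate, keep_end=4)
        return candidate                # not a card number: leave untouched
    return CCN_RE.sub(repl, body)


def ssn_mask(body):
    """Mask all but the last four digits of SSN-shaped strings."""
    return SSN_RE.sub(lambda m: mask_match(m.group(0), keep_end=4), body)


def sanitize_response(body):
    """Apply both built-in masks to an outbound response body."""
    return ssn_mask(ccn_mask(body))
```

The masking is applied to the matched substring only, so surrounding markup is untouched and the response length changes only where separators fall inside the masked region.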
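The add-http-only, add-secure, add-samesite and set-cookie-policy options above, as an added Python example (this is not A10 code and does not model ACOS internals; cookie encryption is not covered). The set-cookie-policy list is assumed to be a list of cookie names that are left exactly as the server sent them, and SameSite=Lax is an assumed default. Attributes the application already set are kept, so a cookie deliberately marked SameSite=None is not rewritten; only the missing attributes are added. The Set-Cookie values are constructed.

```python
def harden_set_cookie(header_value, policy_list=(), add_http_only=True,
                      add_secure=True, samesite="Lax"):
    """Return the Set-Cookie value with missing protective attributes added.

    Cookies named in policy_list (assumed set-cookie-policy semantics) are
    returned unchanged. Existing attributes are never overwritten.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    if name in policy_list:
        return header_value
    present = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    if add_http_only and "httponly" not in present:
        parts.append("HttpOnly")
    if add_secure and "secure" not in present:
        parts.append("Secure")
    if samesite and "samesite" not in present:
        parts.append(f"SameSite={samesite}")
    return "; ".join(parts)


def harden_headers(headers, **options):
    """Apply harden_set_cookie to every Set-Cookie header in a (name, value) list."""
    return [
        (name, harden_set_cookie(value, **options) if name.lower() == "set-cookie" else value)
        for name, value in headers
    ]
```

Because the function only appends attributes, it is safe to run on every response: a cookie that already carries the full attribute set passes through byte-for-byte.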

Configuring WAF Using aFleX Scripts

You can configure several key areas of the WAF using aFleX scripts.

The following topics are covered:


Overview 113
WAF aFleX Commands 114
WAF Events 115


Overview
The aFleX interface is provided in addition to the CLI and GUI, and it provides a new
way to configure the WAF by allowing you to set up a variety of WAF trigger events.

WAF Trigger Events:


l request violation – Violations are triggered anywhere in the code where ACOS is
logging a WAF action, such as deny, sanitize, ignore a real error, and so on. (This
applies to client requests.)
l response violation – Violations are triggered anywhere in the code where ACOS
is logging a WAF action, such as deny, sanitize, ignore a real error, and so on.
(This applies to server responses.)
l WAF request deny – A deny action is triggered when a final deny action is
applied (violations may be overridden as described below).

Examples of Possible Violations:


l WebDAV - In prior releases, ACOS contained a hard-coded list of HTTP methods
that the WAF would allow to traverse. Prior to ACOS 4.0, the WebDAV methods
were not part of this list, so whenever a WAF was applied in a customer
environment in which WebDAV methods were used, the WAF would end up
rejecting all of the requests that used the WebDAV methods. The workaround
was to avoid configuring WAF on this virtual port.
However, this release adds aFleX, which in turn means that the administrator
can write an aFleX script that triggers on request violation. The WAF will check
the violation ID and determine that this is a violation of the allowed methods
rule. Upon learning this, the WAF will call the WAF::disable method, which will
temporarily disable WAF processing (for this connection only).
l There are some cases where specific URL patterns (or other sorts of data) match
some of the expressions which are used by black lists, SQLIA, XSS, or any other
pattern-matching rules used by the WAF. A user can be aware of such false-
positive violations, and bypass this violation for the false-positive that triggered
the event.

Possible Actions:


If the WAF detects traffic that violates one or more rules, aFleX commands can be
configured to act on this trigger in order to perform one of the following
actions upon that traffic:
l Allow - This action is triggered by a violation event when the WAF is deployed in
Passive Mode and Learning Mode.
l Deny - This action is triggered by a violation event when the WAF is deployed in
Active Mode.
l Mask - This action is triggered for the WAF_RESPONSE_VIOLATION event, but
only for select features: ssn-mask, ccn-mask, and pcre-mask.
l Redirect - This action is triggered under violation events for the referer-check
feature if the WAF is deployed in Active Mode.
l Sanitize - This action is triggered for the WAF_REQUEST_VIOLATION event for
features that support the ability to sanitize traffic. The action can also be
triggered for the WAF_RESPONSE_VIOLATION event.

WAF aFleX Commands


The WAF supports the following aFleX commands:
• WAF::disable – Disables WAF processing for the connection during which the aFleX script is triggered.
• WAF::enable – Re-enables WAF processing for the connection during which the aFleX script is triggered.
• WAF::mode – Returns the current deployment mode in which WAF is configured (active, passive or learning).
• WAF::response_body – Returns the response body after a WAF violation occurs.
• WAF::template – Returns the name of the active WAF template.
• WAF::violation – Returns or logs information related to WAF violation events.

For syntax associated with these aFleX commands, please see the “WAF Commands”
section in the aFleX Reference.


WAF Events
The following Web Application Firewall (WAF) events are available:
• WAF_REQUEST_DENY – Triggered whenever a WAF request is denied in active deployment mode.
• WAF_REQUEST_VIOLATION – Triggered whenever a violation occurs in a WAF request.
• WAF_RESPONSE_VIOLATION – Triggered whenever a violation occurs in a WAF response.

For syntax and a list of events associated with these aFleX commands, please see “WAF Events” in the aFleX Reference.
Configuring WAF Deny Page

You can configure a customizable WAF Deny page that displays the relevant
message to the end user when a request is denied. You can also add extra
information such as the WAF event or violation ID, request details, reasons for
denial and even the highlighted violation payload.
To configure a customizable WAF Deny page, follow the steps given below:
1. Create a WAF aFleX script using the CLI or GUI under the WAF_RESPONSE_VIOLATION event:
when WAF_RESPONSE_VIOLATION {
    set mode [WAF::mode]
    set template [WAF::template]
    set srcip [WAF::violation src_ip]
    set type [WAF::violation type]
    set msg [WAF::violation message]
    set id [WAF::violation id]
    set action [WAF::violation action]
    set severity [WAF::violation severity]
    # Keep the WAF's default deny body before replacing it with the custom message.
    set default_response [WAF::response_body]
    WAF::response_body "Access Denied"
    log "For WAF RESPONSE VIOLATION: mode=$mode template=$template srcip=$srcip type=$type"
    log "error msg=$msg session id=$id action=$action severity=$severity"
}


NOTE: You can also create the WAF aFleX under WAF_REQUEST_
VIOLATION and WAF_REQUEST_DENY events.

2. Bind the aFleX script to the virtual port using the following commands:
slb virtual-server vip1 10.0.0.10
  port 80 http
    aflex waf-response_violate
    source-nat auto
    service-group sg
    template waf waf_temp

To configure a customizable WAF Deny page with a logo, follow the additional steps given below:
1. Import the logo file using the following command (this step is optional):
import local-uri-file logo.jpg use-mgmt-port scp://10.10.10.10/home/logo.JPG

2. Create a WAF aFleX script using the CLI or GUI under the WAF_RESPONSE_VIOLATION event:

when RULE_INIT {
    # Deny page body, built once at load time; the image is served from the
    # cache template's local-uri entry bound in the next step.
    set ::PAGE_CONTENT "<html><head><title>Page Not Found</title></head><body><h2><center>Page Not found</center></h2><center>It appears as though the page you're looking for has not been found on the server. Please use the Back button of your browser, or enjoy this image</center><center><img src=\"logo.jpg\" width=\"116\" height=\"118\" alt=\"logo\" /></center></body></html>"
}

when WAF_RESPONSE_VIOLATION {
    log "-------- waf response violation --------"
    set mode [WAF::mode]
    set template [WAF::template]
    set srcip [WAF::violation src_ip]
    set type [WAF::violation type]
    set msg [WAF::violation message]
    set id [WAF::violation id]
    set action [WAF::violation action]
    set severity [WAF::violation severity]
    WAF::response_body $::PAGE_CONTENT
    log "-------- response-local-uri-pic --------"
}

3. Bind the imported image to the cache template under policy local-uri using the following command:
slb template cache im_cache
  policy local-uri/logo.jpg

4. Bind the aFleX script and the cache template to the virtual port using the following commands:
slb virtual-server vip1 10.0.0.10
  port 80 http
    aflex waf-response_violate
    source-nat auto
    service-group sg
    template cache im_cache

NOTE: Binding the WAF Deny page per WAF Template is not supported since
the aFleX is bound to the virtual port.

WAF Event Logging

This section describes where WAF events are logged and the format used for WAF
log messages.
There is no external logging by default. To configure external logging, see either of
the following sections:
• Using the GUI – Configure External Logging (recommended)
• Using the CLI – External Logging Configuration

NOTE:
• After external logging is enabled, WAF messages for configuration events will be sent to the local log, but messages for data events will be sent to the external logging servers.
• Deny actions are not written to the log. To view the configured response to denied client requests, check the WAF template currently in use.

The following topics are covered:


WAF Event Types and Where They Are Logged 119
Violation Detection and Reporting 121
Masking Sensitive Data in Logs 123
Log Format 124
WAF Log Examples 127


WAF Event Types and Where They Are Logged


WAF log messages consist of the following basic event types:
• Configuration events – Indicate that a configuration change has occurred. Typically, this type of WAF event is generated when you configure WAF settings.
• Data events – Indicate that traffic has matched a WAF template check.

By default, only configuration events are logged to the local logging buffer on ACOS.
Data events are not logged by default. Due to the potentially high volume of data
event messages, they are accessible only by using remote logging servers. You can
configure the WAF to use a single logging server or a group of servers.
After enabling WAF logging to remote logging servers, WAF configuration events also
are sent to the remote servers. In this case, WAF configuration events are no longer
sent to the local logging buffer.
Figure 30 shows the WAF logging behavior without external logging. WAF
configuration events are logged locally. WAF data events are not logged.

NOTE: WAF configuration is allowed on “shared” and on “service” partitions.

Figure 30 : WAF logging without external log server


Figure 31 shows the WAF logging behavior after external logging is configured for the
WAF template. WAF configuration events and WAF data events both are logged to
the external log server.
Figure 31 : WAF logging with external log server


Violation Detection and Reporting


The WAF takes a responsive action after detecting a violation. However, it does not stop at the first violation: it continues processing, detects up to 6 violations, and then mitigates the attack by performing the responsive action for the aggregated violations at each of the following HTTP events:
• Request headers parsed – All the violations on request headers are checked and the attack is mitigated before sending the request headers to the server.
• Request body done – All violations on the request body are checked and the attack is mitigated before finishing sending the body to the server.
• Response headers parsed – All violations on response headers are checked and the attack is mitigated before sending the response headers back to the client.
• Response body done – All violations on the response body are checked and the attack is mitigated before finishing sending the body to the client.

NOTE: All the WAF checks are triggered on HTTP events.

In case of a violation, the WAF performs one of the following actions: Allow, Deny,
Redirect, Sanitize, or Mask.
When violations are aggregated, the corresponding actions are also aggregated. The
action to be performed is based on the severity of the aggregated actions and
priority of the event. For example, if two violations result in two actions, sanitize and
deny, the deny action will be performed.

NOTE: After the 6th violation is detected, WAF performs a responsive action
immediately (except for mask action).

Consider the following example with the WAF template configuration and
corresponding debug logs and output of show waf command. This example clearly
demonstrates that WAF does not stop after the first violation; instead it detects 6
violations. The final responsive action is taken after the 6th violation.
The WAF template request-body1 is bound to VIP vs.


waf template request-body1
  soap-format-check
  xml-content-validation xml-schema shiporder-signed.xsd
  request-check
  command-injection-check form-body
  json-check
    format-check
    max-array-values 1
    max-depth 1
    max-object-members 1
    max-string-length 1
slb virtual-server vs 24.0.0.50
  port 81 http
    source-nat pool p2
    service-group sg1-http2
    template waf request-body1

Debug WAF Logs:


@4317694492 [WAF] Processing WAF request headers violations
@4317694492 [WAF] Processing internal WAF checks for HTTP arguments in line
@4317694492 [WAF] JSON Limit Depth violation
@4317694492 [WAF] max-depth 15 over limit (1)
@4317694492 [WAF] JSON Limit String violation
@4317694492 [WAF] max-string 5 over limit (1)
@4317694492 [WAF] JSON Limit Depth violation
@4317694492 [WAF] max-depth 14 over limit (1)
@4317694492 [WAF] JSON Limit String violation
@4317694492 [WAF] max-string 4 over limit (1)
@4317694492 [WAF] JSON Limit Depth violation
@4317694492 [WAF] max-depth 15 over limit (1)
@4317694492 [WAF] JSON Limit String violation
@4317694492 [WAF] max-string 9 over limit (1)
@4317694492 [WAF] Denying request
@4317694492 [WAF] 403 Forbidden
@4317694492 [WAF] Remove waf services from http transaction 0x7f165d353418
@4317694492 [WAF] Violation[22]: 6 violations, action: [log,deny,respond-403,no-learn]
@4317694492 [WAF] Violation[22.6]: action: [log,deny,respond-403,no-learn] violation_id=210 (JSON Limit Depth violation)
@4317694492 [WAF] Violation[22.5]: action: [log,deny,respond-403,no-learn] violation_id=214 (JSON Limit String violation)
@4317694492 [WAF] Violation[22.4]: action: [log,deny,respond-403,no-learn] violation_id=210 (JSON Limit Depth violation)
@4317694492 [WAF] Violation[22.3]: action: [log,deny,respond-403,no-learn] violation_id=214 (JSON Limit String violation)
@4317694492 [WAF] Violation[22.2]: action: [log,deny,respond-403,no-learn] violation_id=210 (JSON Limit Depth violation)
@4317694492 [WAF] Violation[22.1]: action: [log,deny,respond-403,no-learn] violation_id=214 (JSON Limit String violation)
@4317694492 o( 7, 350)> ip 24.0.0.50 > 24.0.0.100 tcp 81 > 42922 PA 54f78677:6174c829(231)

The show waf command gives the count of the detected violations:
JSON Format Check
- Parse Success 0
- Parse Failure 0
- too many array values 0
- nested too deep 3
- too many object members 0
- string too long 3

All the detected violations are also logged in the WAF reports.

NOTE: ACOS 5.1.0 onwards, WAF reporting is done using the Harmony
Controller.
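The following Python example, added here and not part of the guide or of ACOS, models the aggregation described above: violations raised while one HTTP event is processed are collected up to the 6-violation cap, and the single most severe action wins. The JSON depth and string-length limits and the violation IDs 210 and 214 are taken from the debug log above; the action ranking (deny over redirect over sanitize over allow), the assignment of sanitize to string-length violations, and the way nesting depth is counted are assumptions made for illustration.

```python
import json

# Added example, not ACOS code: a toy model of how the WAF aggregates the
# violations raised while one HTTP event (here "request body done") is
# processed, stops at the 6-violation cap, and then applies the single most
# severe action. Violation IDs 210/214 and the limits follow the guide's
# JSON-check example; the action ranking, the choice of sanitize for
# string-length violations and the depth counting are assumptions.

MAX_VIOLATIONS = 6               # guide: WAF detects at most 6 violations per event
JSON_LIMIT_DEPTH_ID = 210        # "JSON Limit Depth violation" in the debug log
JSON_LIMIT_STRING_ID = 214       # "JSON Limit String violation" in the debug log

# Assumed severity order, most severe first. Mask is omitted because the guide
# treats it separately from the other responsive actions.
ACTION_RANK = {"deny": 3, "redirect": 2, "sanitize": 1, "allow": 0}


class ViolationAggregator:
    """Collects the violations of one HTTP event and reports the final action."""

    def __init__(self, cap=MAX_VIOLATIONS):
        self.cap = cap
        self.violations = []     # (violation_id, action, detail) in detection order

    def full(self):
        return len(self.violations) >= self.cap

    def add(self, violation_id, action, detail):
        """Record a violation; returns False if the cap was already reached."""
        if self.full():
            return False
        self.violations.append((violation_id, action, detail))
        return True

    def final_action(self):
        """Most severe action among the aggregated violations ('allow' if none)."""
        if not self.violations:
            return "allow"
        return max((action for _, action, _ in self.violations),
                   key=ACTION_RANK.__getitem__)


def check_json_body(body, max_depth, max_string_length,
                    depth_action="deny", string_action="sanitize"):
    """Apply JSON depth and string-length limits to a request body.

    Depth counts nested containers, the top-level value being depth 1 (an
    assumption; ACOS may count differently). The walk stops as soon as the
    aggregator is full, mirroring "after the 6th violation WAF acts immediately".
    """
    agg = ViolationAggregator()
    try:
        doc = json.loads(body)
    except ValueError:
        # Placeholder ID 0: the guide does not show the format-check violation ID.
        agg.add(0, "deny", "JSON parse failure")
        return agg

    def walk(node, depth):
        if agg.full():
            return
        if isinstance(node, (dict, list)):
            if depth > max_depth and not agg.add(
                    JSON_LIMIT_DEPTH_ID, depth_action,
                    f"max-depth {depth} over limit ({max_depth})"):
                return
            for child in (node.values() if isinstance(node, dict) else node):
                walk(child, depth + 1)
        elif isinstance(node, str) and len(node) > max_string_length:
            agg.add(JSON_LIMIT_STRING_ID, string_action,
                    f"max-string {len(node)} over limit ({max_string_length})")

    walk(doc, 1)
    return agg


if __name__ == "__main__":
    # Constructed body that would raise seven violations; only six are kept.
    sample = '{"a":{"b":"hello","c":{"d":"world","e":{"f":"again"}},"g":"seventh"}}'
    result = check_json_body(sample, max_depth=1, max_string_length=1)
    for vid, action, detail in result.violations:
        print(f"violation_id={vid} action={action} ({detail})")
    print(f"{len(result.violations)} violations, final action: {result.final_action()}")
```

Run with the constructed body and the limits max-depth 1, max-string-length 1, the walk records six alternating depth and string violations and never sees the seventh, and because one of them carries deny the aggregated action is deny, which is the same outcome the debug log above shows.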

Masking Sensitive Data in Logs


To mask sensitive information, you can configure logging in the WAF template and
mask the query parameter value. The following features are available:
• The symbol 'x' is used to mask the sensitive data.
• The mask length is generated randomly to prevent guessing the content length.
• The mask is applied only while generating the logs; the real servers continue to receive the original unmasked values.

Consider the following HTTP request URL:
http://1.2.3.4/index.html?username=aaa&password=bbb
In this case, the sensitive query parameters username and password are displayed in the log as aaa and bbb respectively. You can mask these parameters by replacing them with 'xxxx' so that the URL in the violation logs will look like:
http://1.2.3.4/index.html?username=xxxxxxxxxxxx&password=xxxxxxxxxxxxx

NOTE: The Harmony Controller log and the Syslog support this feature.
However, the debug logs display unmasked values.

CLI Configuration:
The following commands mask the query parameters username and password during logging:
ACOS(config)# waf template waf1
ACOS(config-waf)# violation-log-mask
ACOS(config-waf-violation-log-mask)# query-param-name equals "username password"

For more information on violation-log-mask, see waf template.
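As an added illustration (not ACOS code), the following Python function applies the same masking policy to a request URL before it is written to a log: the named query parameters get a random-length run of 'x', other parameters are left alone, and the original request is untouched for the server. The length range of 8 to 16 characters and the exact-name matching (mirroring the query-param-name equals form above) are assumptions.

```python
import secrets

# Added example, not ACOS code: mask sensitive query parameter values the way
# the guide describes for violation logs. The random length range and exact
# parameter-name matching are assumptions.

MASK_CHAR = "x"


def mask_query_params(url, sensitive_names, min_len=8, max_len=16,
                      rng=secrets.randbelow):
    """Return a copy of url with the values of the named query parameters
    replaced by a run of 'x' whose length is random (min_len..max_len), so
    the log does not reveal the original value or its length.

    The query is split without percent-decoding so that parameters which are
    not masked reach the log exactly as they were received.
    """
    base, sep, query = url.partition("?")
    if not sep:
        return url
    out = []
    for pair in query.split("&"):
        name, eq, value = pair.partition("=")
        if eq and name in sensitive_names:
            value = MASK_CHAR * (min_len + rng(max_len - min_len + 1))
        out.append(name + eq + value)
    return base + "?" + "&".join(out)


def query_value(url, name):
    """Return the raw value of query parameter name, or None if absent."""
    _, sep, query = url.partition("?")
    if not sep:
        return None
    for pair in query.split("&"):
        key, eq, value = pair.partition("=")
        if eq and key == name:
            return value
    return None


def violation_log_line(url, sensitive_names=("username", "password")):
    """Constructed log record: the masked URL goes to the log, while the
    unmodified URL is what the real server receives."""
    return {"log_request": mask_query_params(url, sensitive_names),
            "server_request": url}


if __name__ == "__main__":
    # Constructed request matching the guide's example.
    url = "http://1.2.3.4/index.html?username=aaa&password=bbb"
    print(violation_log_line(url)["log_request"])
```

Because the mask length is drawn from a secure random source, two log lines for the same request differ in length, which is the property the second bullet above asks for; the debug log path is not covered by this function, matching the NOTE that debug output stays unmasked.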

Log Format
For optimal interoperability, WAF uses the Common Event Format (CEF), an open
standard used by other security appliances and network devices.
WAF log messages can contain the following fields:
Timestamp CEF:version|device-vendor|device-product|device-version|module|event-type|severity|CEF-extension

Table 2 describes the data fields that can appear in WAF logs.


Table 2 : WAF log data fields

Field            Description
Timestamp        Date and time that the log was generated, in the following format: Mon Day hh:mm:ss
CEF version      CEF version.
device-vendor    Vendor name, “A10”.
device-product   A10 Thunder or AX model number.
device-version   Advanced Core Operating System (ACOS) version.
module           System module that generated the log message. For WAF messages, the module is “WAF”.
event-type       WAF feature or policy on which the traffic matched. Examples: bot-check, ccn-mask, cookie-encrypt, csrf-check, deny-action, filter-resp-hdrs, form-consistency-check, hide-resp-codes, http-check, pcre-mask, referer-check, sqlia-check, ssn-mask, uri-blist-check, uri-wlist-check, url-check, xss-check.
severity         Severity of the event: 1 – Debug, 2 – Info, 3 – Notice, 4 – Warning, 5 – Error, 6 – Critical, 7 – Alert, 8 – Emergency.
CEF-extension    Set of any number of key/value pairs, in any order, that further describe the event that generated the log. The CEF extension for WAF uses the following elements:
                 • rt – Device receipt time.
                 • src – Source IP of the request or response.
                 • spt – Source protocol port of the request or response.
                 • dst – Destination IP of the request or response.
                 • dpt – Destination protocol port of the request or response.
                 • dhost – Destination host name.
                 • requestMethod – Protocol request method used (if applicable).
                 • request – URL in the request. (The request only contains the URL and is not enclosed in “” marks.)
                 • app – Application protocol.
                 • cs1 – device customString1, which is used for customer-specific options.
                 • cs2 – device customString2, which is used for customer-specific options.
                 • act – Action the WAF took in response to the event: deny, allow, sanitize, or learn.

WAF Log Examples


The following sections show some examples of WAF log messages.

The following topics are covered:


Basic Log Message 127
Bot Check 128
Learning Mode 129

Basic Log Message


Here is a sample log message:
May 30 12:20:29 CEF: 0|A10|AX3030|2.7.2-P8|WAF|session-id|2|rt=May 30 2016 11:30:10 src=172.17.21.4 spt=57253 dst=172.17.21.2 dpt=80 dhost=172.17.21.2 cs1=waf-csrf-check1 cs2=e133c0360150667e act=learn cs3=active app=HTTP requestMethod=GET request=/foooo/2.html?B92A9743=B6A273450A38B6C7A4667E829B3DCB65&name=abc&age=10 msg=New session created: Id=e133c0360150667e

Table 3 labels each field in the message.


Table 3 : WAF log example

Field            Value
Timestamp        May 30 12:20:29
CEF version      0
device-vendor    A10
device-product   AX3030
device-version   2.7.2-P8
module           WAF
event-type       session-id
severity         2
CEF-extension    src=172.17.21.4
                 spt=57253
                 dst=172.17.21.2
                 dpt=80
                 dhost=172.17.21.2
                 req=”/foooo/2.html?B92A9743=B6A273450A38B6C7A4667E829B3DCB65&name=abc&age=10”
                 msg=New session created: Id=e133c0360150667e
                 cs1=waf-csrf-check1 cs2=e133c0360150667e
                 act=learn
                 app=HTTP
                 requestMethod=GET
                 md=learn

NOTE: For more log examples, see Deployment and Logging Examples.
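The following Python parser, added here and not ACOS code, turns WAF CEF lines like the one above into a record with the seven header fields from Table 2 and a dictionary of extension keys. It splits the extension only at the key names the guide lists (so a value such as "New session created: Id=..." survives intact) and finishes with a small triage rule; that rule, and the handling of lines that are not CEF, are assumptions.

```python
import re

# Added example, not ACOS code: a parser for the WAF CEF log line shown above.
# The header layout and the extension key names come from Table 2 and the log
# examples in this guide; the triage rule at the end is an assumption.

HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "module", "event_type", "severity")

# Extension keys the WAF emits. Longer names come first so that
# "requestMethod=GET" is not read as "request" followed by "Method=GET".
EXTENSION_KEYS = ("requestMethod", "request", "dhost", "rt", "src", "spt",
                  "dst", "dpt", "app", "cs1", "cs2", "cs3", "act", "msg", "md")

# A key only counts at the start of the extension or after whitespace, so the
# "Id=" inside "msg=New session created: Id=..." stays part of the msg value.
_KEY_RE = re.compile(r"(?:^|\s)(" + "|".join(EXTENSION_KEYS) + r")=")

# Sample lines from this guide (constructed copies, one message per string).
SAMPLE_SESSION = (
    "May 30 12:20:29 CEF: 0|A10|AX3030|2.7.2-P8|WAF|session-id|2|"
    "rt=May 30 2016 11:30:10 src=172.17.21.4 spt=57253 dst=172.17.21.2 "
    "dpt=80 dhost=172.17.21.2 cs1=waf-csrf-check1 cs2=e133c0360150667e "
    "act=learn cs3=active app=HTTP requestMethod=GET "
    "request=/foooo/2.html?B92A9743=B6A273450A38B6C7A4667E829B3DCB65&name=abc&age=10 "
    "msg=New session created: Id=e133c0360150667e"
)
SAMPLE_BOT = (
    'Oct 20 18:16:13 CEF:0|A10|AX3200|2.7.1|WAF|bot-check|6|src=20.20.25.10 '
    'spt=30842 dst=20.20.25.130 dpt=80 request="GET /tours/index.html HTTP/1.1" '
    '0 msg="Bad bot detected! User-Agent drip" cs1=w2 act=deny md=nrm'
)


def parse_waf_cef(line):
    """Parse one WAF CEF message into a dict; raise ValueError if malformed."""
    timestamp, marker, rest = line.partition(" CEF:")
    if not marker:
        raise ValueError("not a CEF message: " + line)
    # Seven header fields, then the extension; maxsplit keeps any '|' that
    # appears inside a request URL within the extension text.
    parts = rest.lstrip().split("|", 7)
    if len(parts) != 8:
        raise ValueError("short CEF header: " + line)
    record = {"timestamp": timestamp}
    record.update(zip(HEADER_FIELDS, parts[:7]))
    record["severity"] = int(record["severity"])
    ext_text = parts[7]
    matches = list(_KEY_RE.finditer(ext_text))
    extension = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext_text)
        extension[m.group(1)] = ext_text[m.end():end].strip()
    record["extension"] = extension
    return record


def parse_many(lines):
    """Parse a batch of lines, returning (records, lines that were not CEF)."""
    records, skipped = [], []
    for line in lines:
        try:
            records.append(parse_waf_cef(line))
        except ValueError:
            skipped.append(line)
    return records, skipped


def needs_attention(record, min_severity=5):
    """Triage rule (assumed): a denied request, or severity Error (5) or higher."""
    return (record["extension"].get("act") == "deny"
            or record["severity"] >= min_severity)


if __name__ == "__main__":
    for rec in parse_many([SAMPLE_SESSION, SAMPLE_BOT])[0]:
        flag = "ALERT" if needs_attention(rec) else "info"
        print(flag, rec["timestamp"], rec["event_type"], rec["extension"].get("act"))
```

The header is split on "|" with a maximum of seven splits so that a pipe inside the request URL cannot shift the extension, and the whitespace-anchored key regex is what keeps "=" characters inside URL query strings and free-text msg values from being mistaken for new keys.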

Bot Check
Here is an example of a WAF log that indicates the detection of a bad bot:


Oct 20 18:16:13 CEF:0|A10|AX3200|2.7.1|WAF|bot-check|6|src=20.20.25.10 spt=30842 dst=20.20.25.130 dpt=80 request="GET /tours/index.html HTTP/1.1" 0 msg="Bad bot detected! User-Agent " cs1=w2 act=deny md=nrm

Here is the same message, formatted to more clearly show each field:
Oct 20 18:16:13
CEF:0
A10
AX3200
2.7.1
WAF
bot-check
6
src=20.20.25.10
spt=30842
dst=20.20.25.130
dpt=80
request=”GET /tours/index.html HTTP/1.1” 0
msg=”Bad bot detected! User-Agent drip”
cs1=w2
act=deny
md=nrm

This message indicates that an HTTP GET request from 20.20.25.10:30842 to VIP
20.20.25.130:80 contained a bot whose name matches a name in the bots WAF policy
file. The WAF template name is “w2”. Based on the WAF configuration, the request
was denied. The WAF is running in normal mode.

Learning Mode
Below are example log messages for when the WAF is deployed in learning mode:
Oct 19 16:24:43 CEF:0|A10|AX3200|2.7.1|WAF|http-limit-check|2|src=20.20.25.10 spt=1892 dst=20.20.25.130 dpt=80 request="GET /tours/index.html HTTP/1.1" 0 msg="Learning Mode: Increasing headers length limit from 0 to 172" cs1=w2 act=learn md=lrn

Oct 19 16:25:03 CEF:0|A10|AX3200|2.7.1|WAF|http-check|2|src=20.20.25.10 spt=1892 dst=20.20.25.130 dpt=80 request="GET /tours/index.html HTTP/1.1" 0 msg="Learning Mode: Increasing max_hdrs from 0 to 3" cs1=w2 act=learn md=lrn

The first message indicates that WAF updated the header-length limit based on
traffic observed during Learning Mode. Likewise, the second message indicates that
WAF updated the maximum-headers limit. The act=learn field indicates that the value
was learned. The md=lrn field indicates that Learning Mode was enabled.

WAF Policy Files

WAF Policy Files (also referred to as WAF Definitions) give you the ability to define a
set of rules for customized security checks. WAF policy files enable you to specify
security checks for enhanced response- and request-side protection to protect
against security risks, such as SQL injection attacks or forceful browsing.

CAUTION: Misconfigured PCRE expressions can negatively impact system performance. Do not apply a PCRE expression to a WAF policy file unless you are certain that the PCRE expression will achieve the desired result.

The following topics are covered:


Pre-Loaded WAF Policies 132
Customize WAF Policy Files 137


Pre-Loaded WAF Policies


Default WAF policy files are pre-loaded onto ACOS to allow immediate protection
against common threats. Default WAF policies apply to the following checks:
• XSS Check
• Bot Check
• SQLIA Check
• URI White List
• URI Black List
• Hide Response Codes

If one of these checks is enabled and a WAF policy file is not specified, the default
WAF policy file is applied. These policy files are described in more detail below.

NOTE: You cannot rename, edit, or delete default files. However, you can copy
a default WAF policy file and customize it to fit your specific demands.

Table 4 lists the pre-loaded WAF policy files.

Table 4 : Pre-Loaded WAF Policy Files

Check                 Policy File           Description
Hide Response Codes   allowed_resp_codes    Defines a list of permitted HTTP response codes.
Bot Check             bot_defs              Defines a list of known bots.
XSS Check             jscript_defs          Defines a set of commonly used JavaScript commands.
SQLIA Check           sqlia_defs            Defines common search terms for SQL injection attacks.
URI Black List        uri_blist_defs        Lists exclusion criteria for the URI Black List. See URI Black List.
URI White List        uri_wlist_defs        Lists inclusion criteria for the URI White List. See URI White List.

Request Protection
The following checks point to WAF policy files for enhanced protection against
incoming requests. By default, these checks refer to the default WAF policy files, as
described below. Optionally, you can configure these checks to use customized policy
files.

Bot Check
The WAF bot check option uses the “bot_defs” policy file for search definitions of
known bot agents. If bot checking is enabled in the WAF template and a match is
found with the “bot_defs” policy file, the request is denied automatically. You can
add or modify the “bot_defs” policy file to include or remove bot search terms.

XSS Check
The “jscript_defs” WAF policy file defines a list of common JavaScript commands. The XSS check uses this policy file to examine the URL, cookies, and POST bodies of client requests. This type of policy file is useful for websites that use JavaScript-based web content.

NOTE: If your website contains embedded JavaScript, A10 Networks recommends enabling the XSS check in the WAF template.

SQL Injection Attack Check


The WAF policy file “sqlia_defs” provides a basic collection of SQL special
characters and keywords that are common to SQL injection attacks. The terms in this
policy file can trigger commands in the back-end SQL database and allow
unauthorized users to obtain sensitive information. If a request contains a term that
matches a search definition in the “sqlia_defs” policy file, you can configure the
WAF to deny the request.


URI Black List


A URI Black List specifies exclusion criteria for incoming requests. If the URI of an
incoming request matches a rule in the URI Black List, the request is automatically
blocked.
The URI Black List takes priority over a URI White List. That is, even if a URI matches
acceptance criteria within the URI White List, a connection is blocked automatically if
it meets a rule in the separate URI Black List.
Table 5 lists URI Black List criteria in the default “uri_blist_defs” file.

Table 5 : URI Black List – Default

Description
    Attack Pattern
Access attacks
    access,^[^?]*(?:htaccess|access_log)(?:[.][^/?]*)?(?:[~])?(?:[?].*)?$
Apache possible directory index disclosure vulnerability
    apache_dir,^[^?]*/[?][SM]=[AD]
Command injection attack
    cmd_inj,(?:[ /=]|\t|\n)(?:ls|rm|cat)(?:[ ;'\"&].*)?$
CodeRed
    code_red,^[^?]*/default[.]ida[?]N+
Debug attacks
    debug,debug[.][^/?]*(?:|[?].*)$
Front Page server extensions buffer overflow-1
    fp_srvr_ext_bo1,^[^?]*dvwssr[.]dll
Front Page server extensions buffer overflow-2
    fp_srvr_ext_bo2,^[^?]*fp30reg[.]dll
Front Page server extensions path disclosure vulnerability
    fp_srvr_ext_pb,^[^?]*/_vti_bin/shtml[.]
HTR source disclosure
    htr_sd,^[^?]*[+][.]htr
Index server buffer overflow
    idx_srvr_bo,^[^?]*[.]id[aq]
IIS executable file parsing vulnerability-1
    iis_exe_fp1,^[^?]*[+]dir
IIS executable file parsing vulnerability-2
    iis_exe_fp2,^[^?]*/georgi[.]asp
IIS executable file parsing vulnerability-3
    iis_exe_fp3,^[^?]*[.](?:bat|ini|exe)(?:|[?].*)$
Microsoft IIS UNC mapped virtual host vulnerability
    iis_unc_mvh,^[^?]*[.]asp/.*
Microsoft IIS UNC path disclosure vulnerability
    iis_unc_pd,^[^?]*[.]htx
Nimda-3
    nimda3,^[^?]*Admin[.]dll
Nimda-4
    nimda4,^[^?]*/winnt/
Netscape enterprise server directory indexing vulnerability
    nses_dir_idx,^[^?]*/[?]wp-
Netscape enterprise server web publishing vulnerability
    nses_web_pub,^[^?]*/publisher
Printer buffer overflow
    print_bo,^[^?]*/NULL[.]printer
Password file attacks
    pwd_file,^[^?]*(?:passwd|passwords?)(?:[.][^/?]*)?(?:[?].*)?$
Script exploit
    script,^[^?]*[.](?:cgi|pl|php|bat)(?:[/?].*)?[|]
System command attacks
    sys_cmd,system(?: |\t|\n)*[(?:]
Unix core file attacks
    unix_core,/core(?:/.*)?$
Unix file attacks
    unix_file,[\\/]etc[\\/](?:passwd|group|hosts)
Webhits source disclosure
    webhits_sd,^[^?]*null[.]htw

URI White List


You can configure the WAF to check the URIs of incoming requests and only accept connection attempts that meet specified criteria. A URI White List check compares the URI of an incoming request with the expressions contained in the URI White List policy file. Connection requests are accepted only if the request matches a criterion in the URI White List.
Table 6 lists URI White List criteria in the default “uri_wlist_defs” file.

Table 6 : URI White List – Default

Description
    Expression
URL Path Component
    root,^/$
Common file types
    static,^[^?]+[.](?:html?|shtml|js|gif|jpg|jpeg|png|swf|pif|pdf|css|csv)
Common website scripts
    dynamic,^[^?]+[.](?:cgi|aspx?|jsp|php|pl)(?:[?].*)?$
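As an added illustration (not ACOS code), the following Python example loads a constructed subset of the default uri_blist_defs and uri_wlist_defs patterns from Tables 5 and 6 in the name,expression file format and applies the precedence rule described above: a Black List hit denies the request, otherwise a White List hit allows it, and a URI matching neither list is denied. Python's re module stands in for the PCRE subset that ACOS supports, which is an assumption to confirm on the device before relying on a pattern.

```python
import re

# Added example, not ACOS code: evaluate request URIs against URI Black List
# and URI White List policy files. The patterns are a constructed subset of
# the defaults shown in Tables 5 and 6; Python's re module stands in for the
# ACOS PCRE subset (an assumption).

URI_BLIST = r"""
# constructed subset of uri_blist_defs
access,^[^?]*(?:htaccess|access_log)(?:[.][^/?]*)?(?:[~])?(?:[?].*)?$
cmd_inj,(?:[ /=]|\t|\n)(?:ls|rm|cat)(?:[ ;'\"&].*)?$
code_red,^[^?]*/default[.]ida[?]N+
pwd_file,^[^?]*(?:passwd|passwords?)(?:[.][^/?]*)?(?:[?].*)?$
script,^[^?]*[.](?:cgi|pl|php|bat)(?:[/?].*)?[|]
unix_file,[\\/]etc[\\/](?:passwd|group|hosts)
"""

URI_WLIST = r"""
# constructed subset of uri_wlist_defs
root,^/$
static,^[^?]+[.](?:html?|shtml|js|gif|jpg|jpeg|png|swf|pif|pdf|css|csv)
dynamic,^[^?]+[.](?:cgi|aspx?|jsp|php|pl)(?:[?].*)?$
"""


def load_policy(text):
    """Parse 'name,expression' lines into [(name, compiled regex)].

    '#' lines are comments. Everything after the first comma is the
    expression, whitespace included, as the guide's NOTE requires, so the
    line is not stripped. File order is kept because the first match wins.
    """
    rules = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        name, sep, expr = raw.partition(",")
        if not sep:
            raise ValueError("policy line has no name,expression separator: " + raw)
        rules.append((name, re.compile(expr)))
    return rules


def first_match(rules, uri):
    """Name of the first rule whose expression matches uri, or None."""
    for name, regex in rules:
        if regex.search(uri):
            return name
    return None


def classify_uri(uri, blist, wlist):
    """Return (action, rule_name). The Black List takes priority over the
    White List; a URI that matches neither is denied, because a White List
    check only admits listed patterns."""
    hit = first_match(blist, uri)
    if hit:
        return "deny", hit
    hit = first_match(wlist, uri)
    if hit:
        return "allow", hit
    return "deny", None


BLIST = load_policy(URI_BLIST)
WLIST = load_policy(URI_WLIST)


if __name__ == "__main__":
    # Constructed request URIs, one per line of output.
    for uri in ("/", "/index.html", "/cgi-bin/search.cgi?q=1",
                "/etc/passwd", "/default.ida?NNNN", "/admin/panel"):
        print(f"{uri!r:32} -> {classify_uri(uri, BLIST, WLIST)}")
```

Note that /etc/passwd would also satisfy the White List static pattern's absence only by accident; it is the Black List lookup running first that denies it, and the name returned (pwd_file rather than unix_file) shows that rule order inside a policy file decides which entry is reported.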

Response Protection
This section describes policy-based security checks for outbound responses from the
web server.

Allowed HTTP Response Codes


The WAF policy file “allowed_resp_codes” lists acceptable HTTP response codes in
outbound replies from the web server. If the Hide Response Codes option is enabled
within the WAF template, then response codes that do not match a value contained
in the “allowed_resp_codes” file are cloaked in replies.


Customize WAF Policy Files


CAUTION: Misconfigured PCRE expressions can negatively impact system
performance. Do not apply a PCRE expression to a WAF policy file
unless you are certain that the PCRE expression will achieve the
desired result.

You cannot remove or edit a pre-loaded WAF policy file. However, you can quickly
duplicate an existing file to an unused name and modify the contents.
The following sections describe writing PCRE patterns for customized WAF policies.
ACOS incorporates aspects of PCRE expressions for writing WAF policies, but does
not support full PCRE functionality.

Syntax Check
After the file is created or modified, a syntax check is automatically performed on the
file. If you modify a WAF policy file that is currently bound to a WAF template and
the file does not pass the syntax check, it is automatically restored to the previous
version.
Files which do not pass the syntax check cannot be bound to a WAF template. A
policy can fail a syntax check for various reasons, including the following:
• Invalid PCRE syntax
• Duplicate policies (more than one policy file containing the same PCRE expressions)
• Pair of brackets missing the escape character sequence; for example:
  (a|b) – Incorrect
  instead of
  (?:a|b) – Correct


Using the CLI


This section describes procedures to create, edit, or manage WAF policy files in the
CLI.

Configure Policy Files


To configure a WAF policy file using the CLI:
1. Enter the following command at the global configuration level:
waf policy edit file-name

For the file-name option, enter the name of an existing WAF policy file to edit the file, or an unused name to create a new WAF policy. Do not include the “.waf” extension in the file name; it is applied automatically during creation.
The CLI enters the input mode for the policy file.

NOTE: You cannot modify default files. If you enter the name of a pre-
loaded WAF policy for file-name, the following message will be
displayed: Editing of default WAF policy file not allowed.

2. Type or copy-and-paste a collection of PCRE expressions for the file. If you type
the script, press the Enter key at the end of each line. For information about
writing PCRE expressions, see Writing PCRE Expressions.
3. To save the file and complete the input process, press the Escape key, type “:wq”
or “ZZ” and press Enter. Alternatively, use “:q!” to exit without saving the file.

Syntax Checks
After entering policy text, the CLI performs a syntax check and displays one of the
following messages:
• WAF file-name edited; syntax check passed. – Indicates the syntax is valid for file-name.
• WAF policy syntax error. Line n: – Indicates a failed syntax check and reports the line (n) with invalid syntax.


Manage Files
The following commands allow you to manage WAF policy files.

Copy Files
Use the following command to copy a WAF policy to a new file name:
waf copy source-name destination-name

For the source-name option, use the name of an existing WAF policy.
For the destination-name option, enter an unused name for the copied file.

Rename Files
Use the following command to rename a WAF policy file:
waf policy rename old-name new-name

Delete Files
Enter the following command to delete a WAF policy file:
waf policy delete file-name

You cannot rename, edit, or delete default files. However, you can copy a default
WAF policy file and customize it to fit your specific demands.

Writing PCRE Expressions


The following section provides guidelines for writing WAF policy files which the WAF
can use to search for attack patterns or define policy rules.

General Guidelines
This section summarizes common characters used in PCRE expressions and provides a
quick reference to basic PCRE syntax. To learn more about writing detailed PCRE
expressions, consult outside reference material.
Misconfigured PCRE expressions can negatively impact system performance. Do not
apply a PCRE expression to a WAF policy file unless you are certain the expression
will achieve the desired result.


PCRE Characters
Table 7 describes frequently used characters in PCRE expressions.

Table 7 : PCRE Characters


Character Purpose
\ Escape character.
^ Start of a subject or line.
$ End of a subject or line.
. Matches with any type of character.
- Character range. Use this symbol within square brackets.
For example, [a-f] will indicate the range a, b, c, d, e, f.
[ Start of a character class definition.
] End of a character class definition.
| Logical “or” operator.
For example, (yellow | red | orange) will return true if either
yellow, red, or orange is found.
( Start of a sub-pattern.
) End of a sub-pattern.
* Quantifier for a value of 0 or more.
+ Quantifier for a value of 1 or more.
{ Start of a minimum or maximum quantifier.
} End of a minimum or maximum quantifier.

Enclose Patterns
You can enclose patterns with any non-alphanumeric character that is not a
backslash \ or whitespace. You can also use special symbols that may otherwise
carry an alternative function as long as the same symbol is used in the beginning
and end of the string.
Table 8 displays a few valid examples of enclosed expressions:


Table 8 : PCRE Syntax – Enclose Patterns

Character   Example
+           +positive+
/           /ahoy/
#           #numeric#
%           %percentages%
!           !eep!

Basic Syntax
WAF policy files consist of PCRE expressions and comment lines. Lines with PCRE expressions are structured as follows:
name,PCRE expression

The name is a string that labels the line. Follow the name with a comma “,” and then write the PCRE expression, as shown below:
FromDefaultBlackList,^[^?]*[.]htx

NOTE: Everything following the comma is included in the PCRE expression. Do not include whitespace unless it is intended as part of the expression.

Comments
To insert a comment into the policy file enter a pound character ‘#’ before the
comment line.
example_expression,^[^?]*/[?]wp-
# comment
...

Alternatively, you can enter a comment in-line as follows:
(# comment)

The comment text is ignored during pattern matching.

Example Applications
Outlined below are various examples of PCRE expressions.


Attack Patterns
You can create customized WAF policies with search criteria for attack patterns.
• Use the " | " symbol as a separator in lists of elements. Traffic matches a policy rule if the traffic matches any of the elements delimited by " | ". For example, "(apples | oranges)" is read as a single object that can be triggered when either "apples" or "oranges" is found in traffic.
• Use parentheses to enclose each separate element. For example, the set of elements "(apples) (oranges)" is read by WAF as two individual objects: an "apples" object and an "oranges" object.

The following example uses a segment of the “bot_defs” file:
(builtbottough|bunnyslippers|capture|cegbfeieh|cherrypicker|cheesebot|chinaclaw|cicc|civa|clipping|collage|collector|copyrightcheck|cosmos|crescent|custo|cyberalert|deweb|diagem|digger|digimarc|diibot|directupdate|disco|dittospyder|download accelerator|download demon|download wonder)

To add three additional known bots under the names “brewster”, “nook” and “peanut”, you would modify the policy file similar to the following (brewster, nook, and peanut are the added elements):
(builtbottough|bunnyslippers|capture|cegbfeieh|cherrypicker|cheesebot|chinaclaw|cicc|civa|clipping|collage|collector|brewster|nook|copyrightcheck|cosmos|crescent|custo|cyberalert|deweb|diagem|digger|digimarc|diibot|directupdate|disco|dittospyder|download accelerator|download demon|download wonder|peanut)

Policy Rules
You can write WAF policy files to list more complicated policy rules. The following
examples illustrate the various rules that you can create as a PCRE expression.
The following example defines a rule for the URI Black List. The rule denies user
requests to access the image server at img.example.com directly:
^http://img[.]example[.]com$


The following example defines a rule for the URI Black List. The rule denies user
requests to access CGI (.cgi) or PERL (.pl) scripts directly:
^http://www[.]example[.]com/(?:[0-9A-Za-z][0-9A-Za-z_-]*/)*[0-9A-Za-z][0-9A-Za-z_.-]*[.](?:cgi|pl)

The following PCRE expression looks for strings that resemble a California driver’s
license ID number. This policy rule can be used in conjunction with the PCRE mask
option to mask strings that match the expression:
[A-Za-z][0-9]{7,7}
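As an added example (not part of the A10 guide), the following Python parses a constructed policy file in the name,expression format described above and applies this chapter's example rules as a URI Black List and as a PCRE mask. Python's re module stands in for the PCRE engine; these expressions use only syntax common to both.

```python
import re
from dataclasses import dataclass

# Constructed sample policy file in the name,PCRE-expression format described above.
# It is not one of the ACOS default files; the expressions are the ones shown in this chapter.
SAMPLE_POLICY = """\
# URI Black List rules (constructed sample file)
FromDefaultBlackList,^[^?]*[.]htx
ImageServerDirect,^http://img[.]example[.]com$
ScriptDirect,^http://www[.]example[.]com/(?:[0-9A-Za-z][0-9A-Za-z_-]*/)*[0-9A-Za-z][0-9A-Za-z_.-]*[.](?:cgi|pl)
# Pattern used with the PCRE mask option
CaliforniaDL,[A-Za-z][0-9]{7,7}
"""


@dataclass
class PolicyRule:
    name: str
    pattern: re.Pattern


def parse_policy(text):
    """Parse name,expression lines; '#' lines are comments and everything
    after the first comma (whitespace included) is the expression."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if "," not in raw:
            raise ValueError(f"line {lineno}: expected name,expression")
        name, expr = raw.split(",", 1)
        try:
            rules.append(PolicyRule(name, re.compile(expr)))
        except re.error as exc:
            raise ValueError(f"line {lineno} ({name}): invalid expression: {exc}") from exc
    return rules


RULES = parse_policy(SAMPLE_POLICY)


def first_match(rules, subject):
    """Return the name of the first rule whose expression is found in subject, or None."""
    for rule in rules:
        if rule.pattern.search(subject):
            return rule.name
    return None


def mask_matches(rules, text, mask_char="X"):
    """Replace every substring matched by any rule with mask characters of equal length."""
    for rule in rules:
        text = rule.pattern.sub(lambda m: mask_char * len(m.group(0)), text)
    return text
```

Note that ^[^?]*[.]htx only matches when ".htx" appears before any query string, so "/search?q=page.htx" is not caught by that rule.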

Overriding a WAF Template

The following topics are covered:


Configure an HTTP Policy Template 145
Bind the HTTP Policy Template to the Virtual Port 148

You can configure ACOS to override the WAF settings applied to the HTTP/HTTPS
virtual port with another set of WAF settings, using an HTTP policy template. You
can configure rules in the HTTP policy template to match on URLs, hostnames, or
cookie names in traffic.
To configure WAF override:
1. Configure a second WAF template with the alternative settings to use. See either of the following:
   • Using the GUI – Add/Edit a WAF Template
   • Using the CLI – Creating a WAF Template
2. Configure an HTTP policy template. Within the template:
   • Configure match rules. You can match on one or more of the following:
     ◦ Requested URL
     ◦ Requested hostname
     ◦ Cookie name within request
   • Add (bind) the second WAF template to the HTTP policy template.
3. Bind the HTTP policy template to the virtual port.

NOTE: For the WAF to operate, a WAF template must still be bound directly to the virtual port as the virtual port’s primary WAF template. HTTP policy templates can only override the primary WAF template with a secondary WAF template, based on the match rules in the HTTP policy template.


Configure an HTTP Policy Template


You can configure rules that match URLs, hostnames, query names, query values, header names, header values, or cookie names within an HTTP policy template. Requests that match a rule in the HTTP policy template are handled using the alternative WAF template bound to the HTTP policy template. The WAF template associated with the first matching rule is used.

Match Rules:
A template can have:
• single-match-rule: Specifies a single match rule.
• multi-match-rule: Specifies a rule with multiple match conditions. These rules are evaluated in order of their sequence numbers. For example, if the incoming HTTP request satisfies two rules, the rule with the smaller sequence number is selected.

The service group or WAF template selection for these rules is based on the following priority order:
1. host
2. url
3. query-param-name
4. query-param-value
5. header-name
6. header-value
7. cookie-name
8. cookie-value
9. geo-location

NOTE: The geo-location condition type is not supported for the multi-match-rule.


Match Options:
The following match options are applied regardless of the order in which the rules appear in the configuration.
• equals string – matches only if the URL, hostname, query name, query value, header name, header value, or cookie name completely matches the specified string.
• starts-with string – matches only if the URL, hostname, query name, query value, header name, header value, or cookie name starts with the specified string.
• contains string – matches if the specified string appears anywhere within the URL, hostname, query name, query value, header name, header value, or cookie name.
• ends-with string – matches only if the URL, hostname, query name, query value, header name, header value, or cookie name ends with the specified string.

If a template has more than one rule with the same match option (equals, starts-with, contains, or ends-with) and a URL matches on more than one of them, the most-specific match is always used.
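The selection logic described above, as an added Python model that is not A10's code: condition types are tried in the priority order listed, the most specific (longest) matching string wins among single-match rules of the same type, and a multi-match rule requires all of its conditions and is ordered by sequence number. Evaluating single-match rules before multi-match rules, case-sensitive comparison, and the name waf1 for the primary template are assumptions; geo-location is omitted because it needs source-IP geo data.

```python
from dataclasses import dataclass

# Condition types in the priority order the page lists for template selection
# (geo-location, last in that order, is not modelled here).
PRIORITY = ["host", "url", "query-param-name", "query-param-value",
            "header-name", "header-value", "cookie-name", "cookie-value"]


@dataclass
class Request:
    host: str
    url: str
    query: dict      # query parameter name -> value
    headers: dict    # header name -> value
    cookies: dict    # cookie name -> value


@dataclass
class SingleRule:
    cond: str        # condition type, e.g. "url"
    op: str          # equals | starts-with | contains | ends-with
    value: str
    template: str    # secondary WAF template selected when the rule matches


@dataclass
class MultiRule:
    name: str
    seq: int         # sequence number; the smaller number wins when several rules match
    conds: list      # [(cond, op, value), ...]; every condition must match
    template: str


def match_op(op, candidate, value):
    """The four match options; comparison is case-sensitive (assumption)."""
    if op == "equals":
        return candidate == value
    if op == "starts-with":
        return candidate.startswith(value)
    if op == "contains":
        return value in candidate
    if op == "ends-with":
        return candidate.endswith(value)
    raise ValueError(f"unknown match option {op!r}")


def candidates(req, cond):
    """Request values that a condition type is compared against."""
    return {
        "host": [req.host],
        "url": [req.url],
        "query-param-name": list(req.query),
        "query-param-value": list(req.query.values()),
        "header-name": list(req.headers),
        "header-value": list(req.headers.values()),
        "cookie-name": list(req.cookies),
        "cookie-value": list(req.cookies.values()),
    }[cond]


def cond_matches(req, cond, op, value):
    return any(match_op(op, c, value) for c in candidates(req, cond))


def select_waf_template(single_rules, multi_rules, req, primary):
    """Return the WAF template that handles req; primary is the template bound to the port."""
    # Single-match rules: walk the condition types in priority order; among hits of
    # the same type the most specific (longest) string wins, as the page describes.
    for cond in PRIORITY:
        hits = [r for r in single_rules
                if r.cond == cond and cond_matches(req, cond, r.op, r.value)]
        if hits:
            return max(hits, key=lambda r: len(r.value)).template
    # Multi-match rules (assumed to be evaluated after single-match rules):
    # all conditions must match, and the lowest sequence number wins.
    for rule in sorted(multi_rules, key=lambda r: r.seq):
        if all(cond_matches(req, c, o, v) for c, o, v in rule.conds):
            return rule.template
    return primary


# Rules taken from the CLI examples in this section, plus one constructed, more
# specific url rule to show the most-specific-match behaviour.
SINGLE_RULES = [
    SingleRule("url", "contains", "exampledomain", "waf-temp1"),
    SingleRule("url", "contains", "exampledomain/admin", "waf-admin"),   # constructed
    SingleRule("header-name", "contains", "A", "http-policy-waf-A"),
]
MULTI_RULES = [
    MultiRule("A", 1024, [("host", "contains", "A1"), ("url", "contains", "exdomain"),
                          ("cookie-name", "contains", "_Sec")], "http-policy-waf-A"),
]
```

The header-name rule from the page matches any request carrying a header whose name contains a capital A (for example Accept), which shows how broad a short contains string can be.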

Configuration Examples:
The following example demonstrates single-match-rule usage:
ACOS(config)# slb template http-policy http-policy4.2.6
ACOS(config-http-policy)# header-name contains A template waf http-policy-waf-A

The following example demonstrates multi-match-rule usage:
ACOS(config)# slb template http-policy http-policy4.2.6
ACOS(config-http-policy)# multi-match-rule A 1024
ACOS(config-http-policy-multi-match-rule)# host contains A1
ACOS(config-http-policy-multi-match-rule)# url contains exdomain
ACOS(config-http-policy-multi-match-rule)# cookie-name contains _Sec
ACOS(config-http-policy-multi-match-rule)# template-waf http-policy-waf-A

The following example demonstrates the use of a geo-location match with waf-template-1 (configured previously).


ACOS(config)# gslb geo-location America.USA.LSG.LSG
ACOS(config-geo-location:America.USA.LSG.)# ip 100.100.100.1 mask 255.255.255.255
ACOS(config-geo-location:America.USA.LSG.)# exit
ACOS(config)# slb template http-policy waf-http-policy
ACOS(config-http-policy)# geo-location America.USA.LSG.LSG template waf waf-template-1
ACOS(config-http-policy)# exit
ACOS(config)# slb virtual-server vs-geo_location 100.17.3.70
ACOS(config-slb vserver)# port 80 http
ACOS(config-slb vserver-vport)# template http-policy waf-http-policy

GUI Configuration
To configure a WAF HTTP policy template using the GUI:
1. Hover over Security on the menu bar, then select WAF > WAF Templates.
2. Click + Add WAF Template. The Add / Edit WAF Template page appears.
3. Enter a name for the template in the Template Name field. Configure the required
settings in the HTTP Protocol Checks and HTTP Limit Checks fields.
4. Configure match rules and other fields as desired; refer to the GUI online help for detailed information about each field.
5. Click Save.

CLI Configuration
To configure an HTTP policy template, use the slb template http-policy command
at the global configuration level of the CLI. For more information about this
command, refer to the Command Line Interface Reference.
Below is an example of this command and HTTP policy template configuration:
ACOS(config)# slb template http-policy http-pol-temp1
ACOS(config-http-policy)# url contains exampledomain template waf waf-temp1


Bind the HTTP Policy Template to the Virtual Port


The HTTP policy does not take effect until you bind it to the HTTP/HTTPS virtual port.

GUI Configuration
To bind the HTTP policy to an existing virtual port:
1. Hover over Security on the menu bar, then select WAF.
2. Select the WAF Bindings tab.
3. Click + Bind WAF Template.
4. Select the virtual server name, IP address, and port and protocol to which you
will bind the template.
5. In the HTTP Policy field, select the HTTP policy template you want to bind to the
specified virtual port.
6. Click Save.

CLI Configuration
To bind an HTTP policy template to a virtual service port, create the VIP and the port, as well as the service group, and then enter the template http-policy command at the configuration level for the port. For example:
ACOS(config)# slb virtual-server vs1 8.8.8.8
ACOS(config-slb vserver)# port 80 http
ACOS(config-slb vserver-vport)# template http-policy http-pol-temp1

For a complete CLI example, see HTTP Virtual Port Configuration.

WAF Statistics

This section describes GUI and CLI procedures to display WAF statistics.

The following topics are covered:


Displaying WAF Statistics 150
Clearing WAF Statistics 150

NOTE: Statistics counters increment from 0 after the most recent reboot or
from when the statistics were most recently cleared.


Displaying WAF Statistics

GUI Configuration
You can use the GUI to view global WAF statistics by:
1. Hover over Security in the menu bar, then select WAF.
2. Select the Global Stats tab.

CLI Configuration
From the CLI, use the show waf stats command to view statistics for a specific virtual
server and virtual port.
See show waf stats for sample output.

Clearing WAF Statistics

GUI Configuration
You can use the GUI to clear global WAF statistics by:
1. Hover over Security in the menu bar, then select WAF.
2. Select the Global Stats tab.
3. Click Clear.

CLI Configuration
You can use the CLI to clear global WAF statistics by:


• Use the clear waf command to clear all “show waf” counters.
• Use the clear waf stats command to clear statistics for a specific virtual server and virtual port.
See clear waf stats for more information about this CLI command.

Deployment and Logging Examples

This section provides some examples of WAF deployment. Since logging is a crucial part of configuring and managing the WAF, the examples include the applicable log messages.

The following topics are covered:


Initial Configuration 153
Learning 155
Response Header Filtering 160
SQLIA Check 162
Cross-site Scripting Check 162
Cookie Encryption 164


Initial Configuration
The commands in this example configure the following resources:
• Logging configuration
• WAF template
• HTTP virtual port

Logging Configuration
The commands in this section configure the resources required for external logging of
WAF events.
To begin, the following commands configure external logging for the WAF. A single
log server is used. Log messages are sent over TCP.
A TCP-proxy template is used to periodically send keepalive probes to the syslog port
on the server. The keepalive probes prevent the TCP session from aging out during
periods of inactivity.
The following commands create the server configuration and add it to a TCP service
group:
ACOS(config)# slb server waf-log2 10.10.10.22
ACOS(config-real server)# port 514 tcp
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit
ACOS(config)# slb service-group waf-log tcp
ACOS(config-slb svc group)# member waf-log2 514

The following commands configure the TCP-proxy template to enable keepalive messages:
ACOS(config)# slb template tcp-proxy logtcp
ACOS(config-tcp proxy)# keepalive-probes 4

The following commands configure the logging template. This includes binding the
TCP-proxy template to the logging template.


ACOS(config)# slb template logging waf-log
ACOS(config-logging)# service-group waf-log tcp
ACOS(config-logging)# template tcp-proxy logtcp

WAF Template Configuration

The following commands create a WAF template and bind the logging template to the WAF template:
ACOS(config)# waf template waf1
ACOS(config-waf)# template logging waf-log

HTTP Virtual Port Configuration

The following commands configure an HTTP virtual port and bind the WAF template to the port.
To begin, the following commands create server configurations for the web servers to be load balanced and protected by the WAF:
ACOS(config)# slb server http1 20.20.25.11
ACOS(config-real server)# port 80 tcp
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit
ACOS(config)# slb server http2 20.20.25.12
ACOS(config-real server)# port 80 tcp
ACOS(config-real server-node port)# exit
ACOS(config-real server)# exit

The following commands add the server configurations to a service group:


ACOS(config)# slb service-group http tcp
ACOS(config-slb svc group)# member http1 80
ACOS(config-slb svc group)# member http2 80

The following commands configure the virtual server and bind it to the service group and WAF template:
ACOS(config)# slb virtual-server http-vip 20.20.25.130
ACOS(config-slb vserver)# port 80 http


ACOS(config-slb vserver-vport)# service-group http
ACOS(config-slb vserver-vport)# template waf waf1

At this point, the WAF is active.

Log Example
When done configuring, you can use the show log command to display log
messages. These log messages indicate whenever a WAF template is updated,
created, or deleted. Hypothetical log messages are shown below for illustration
purposes.
ACOS(config:8)#show log
Log Buffer: 30000
Mar 24 2016 15:37:12 Info [WAF]:CEF:1|A10|AX3030|4.1.0|WAF|Mar 24 2016 15:37:11|config|2| msg="Template waf-check-doc: bot-check ON (policy-file=bot_defs)"
Mar 24 2016 15:37:04 Info [VCS]:dcs config seq number increase (45,0,651)
Mar 24 2016 15:37:02 Info [WAF]:CEF:1|A10|AX3030|4.1.0|WAF|Mar 24 2016 15:37:01|config|2| msg="Template waf-check-doc created"
Mar 24 2016 15:37:02 Info [VCS]:dcs config seq number increase (45,0,650)
Mar 24 2016 15:36:42 Info [WAF]:CEF:1|A10|AX3030|4.1.0|WAF|Mar 24 2016 15:36:41|config|2| msg="Template waf-check-doc deleted"

NOTE: If external logging has not been configured for the WAF, then the log
messages will appear in the local log buffer of the ACOS device.

Learning
The commands in this section use Learning Mode to dynamically set some WAF
options based on traffic.

NOTE: This example assumes that the VIP using the WAF template is not yet
receiving live traffic but is instead receiving known, valid traffic sent in
order to preset WAF parameters. The following caution explains why.


CAUTION: While Learning or Passive Mode is in operation, the WAF does not
block any traffic. Only Active Mode blocks traffic.

The following topics are covered:


Enable Learning Mode 156
Generate Allowed URL Paths for the URL Check 157
Save Template Settings 160

Enable Learning Mode


The following commands access the configuration level for the WAF template, and
change the mode to Learning Mode:
ACOS(config)# waf template waf1
ACOS(config-waf)# deploy-mode learning
Switching to learning mode will reset all WAF template parameters and may
expose you to attacks if done in a production environment.
Are you sure you wish to proceed? (N/Y): y

Generate Traffic
On a client device, the following requests are generated and sent to the HTTP virtual
port:
curl -v http://20.20.25.130/tours/index.html
curl -v http://20.20.25.130/batblue.html
curl -v http://20.20.25.130/file_set/dir00000/about.html

View External Log


On the external log server, messages such as the following one indicate that the WAF
is setting some of its parameters based on the traffic:
Dec 22 17:13:03 CEF:0|A10|AX3200|2.7.1|WAF| http-check|2|src=20.20.25.10 spt=32462 dst=20.20.25.130 dpt=80 req=" GET /tours/index.html HTTP/1.1" 0 msg="Learning: Updating allowed HTTP methods" cs1=waf1 act=n md=learn


This message indicates that the GET method was observed in the first request sent to
the HTTP virtual port, and that the Allowed HTTP Methods list was updated with the
method.

Generate Allowed URL Paths for the URL Check


An additional WAF parameter you can set during Learning Mode is the URL Check.
The URL Check prevents users from navigating directly to any URL paths other than
the ones explicitly defined by the URL Check policy file.
To configure the URL Check:
1. Set the WAF to Learning Mode.
2. Enable the URL Check within a WAF template.
3. Send known, valid traffic to the website. This step generates a WAF policy file containing the acceptable URL paths.
4. After the URL Check policy file has been generated, change the WAF operational mode to Active to enforce the URL Check on client requests.

Configuration Example
The following example outlines steps for customizing the URL Check in learning mode
and enforcing the check for your website.

Create the URL Check Policy File


1. The following commands set the WAF to learning mode and enable the URL Check
option in the WAF template:
ACOS(config)# waf template w1
ACOS(config-waf)# deploy-mode learning
Switching to learning mode will reset all WAF template parameters and may expose you to attacks if done in a production environment.
Are you sure you wish to proceed? (N/Y): Y

NOTE: In this example, the WAF template “w1” is bound to a virtual server
with the IP address 192.168.25.130.


2. Send known, valid traffic from a client. In this example, the client requests the following URLs:
http://192.168.25.130/tours/index.html
http://192.168.25.130/batblue.html
http://192.168.25.130/file_set/dir00000/about.html

3. Check the logs on the external log server. The log should contain a message such
as the following, for each URL path requested:
Mar 24 16:34:40 CEF: 1|A10|AX3030|4.1.0|WAF|Mar 24 2016 15:46:12|session-id|2|src=172.17.3.100 spt=55150 dst=172.17.3.61 dpt=8080 hst="172.17.3.61:8080" cs1=waf-url-check cs2=90f0c225f82e4cb8 act=learn md=passive svc=http req="GET /foooo/rest/upload/aaa.txt HTTP/1.1" 0 msg="New session created: Id=90f0c225f82e4cb8"

4. The log will contain similar messages for each URL path clients are allowed to
access. The following commands verify that the URL Check policy file is created
and display the contents of the file:
ACOS(config-waf)# show waf policy
Total WAF policy number: 14
Max WAF policy file size: 32K
Name                 Syntax   Template
------------------------------------------------------------------------
_w1_url_check_       Check    Bind
allowed_resp_codes   Check    Bind
bot_defs             Check    Bind
jscript_defs         Check    Bind
...
ACOS(config-waf)# show waf policy _w1_url_check_
Name: _w1_url_check_
Syntax: Check
In WAF Template:
  w1 (for url-check)

Content:
Matches   Value
--------------------------------------------------------------------------
1         /tours/
1         /batblue.html
1         /file_set/dir00000/

Apply the URL Check


5. Change the WAF deployment mode. (See Save Template Settings.) When you
change the deployment mode from Learning Mode, ACOS writes the observed
URL paths into a policy file. The URL Check will start operating.
ACOS(config)# waf template w1
ACOS(config-waf)# deploy-mode active

NOTE: In Passive Mode, requests for other URL paths still are allowed, but
they are logged. The URL path list is enforced only while the URL
Check is enabled and the WAF template is in Active Mode.

6. Optionally, edit the contents of the URL Check policy file to explicitly define
acceptable URI paths.

NOTE: The contents of the URL Check policy file are first generated in Learning Mode. After that, you can remove URL paths from the policy file or define additional ones. You cannot create the URL Check policy file without first deploying a WAF template in Learning Mode with the URL Check enabled.

Check Form Method on Response


7. Add configuration to check the FORM method from the response, and rename the current "NON-POST" check to "REQUEST-NON-POST", using the following CLI commands:
ACOS(config)# waf template waf1
ACOS(config-waf)# form-protection
ACOS(config-waf-form-protection)# form-check request-non-post


Save Template Settings


To “lock down” WAF template settings configured by Learning Mode, change the
mode. The following command changes to Passive Mode:
ACOS(config-waf)# deploy-mode passive

In Passive Mode, WAF checks are performed but the filter actions are not applied.
Requests to the HTTP virtual port are logged but are sent to the server without being
altered. (For more information, see WAF Operational Modes.)
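The Learning, Passive and Active behaviour of the URL Check, as an added Python model that is not ACOS code: it derives policy entries from the requests used in the example above, then logs or denies requests outside the policy depending on the deploy mode. The rule for collapsing a path to a directory entry is an assumption inferred from the show waf policy output, and the log lines it records are constructed rather than the CEF format ACOS emits.

```python
from enum import Enum
from urllib.parse import urlsplit


class DeployMode(Enum):
    LEARNING = "learning"
    PASSIVE = "passive"
    ACTIVE = "active"


def learned_entry(path):
    """Policy entry recorded for a request path during Learning Mode.

    Assumption drawn from the show waf policy output above: a file inside a
    directory is recorded as that directory prefix ('/tours/index.html' -> '/tours/'),
    while a file at the site root is recorded by name ('/batblue.html').
    """
    head, _, _ = path.rpartition("/")
    return head + "/" if head else path


class UrlCheck:
    """Model of the URL Check: learns allowed paths, then logs or denies others."""

    def __init__(self, mode=DeployMode.LEARNING):
        self.mode = mode
        self.policy = {}   # entry -> number of matches (the Matches / Value columns)
        self.log = []      # constructed log lines, not ACOS's CEF format

    def set_mode(self, mode):
        self.mode = mode

    def _lookup(self, path):
        """Policy entry that covers path: a directory entry covers everything below it."""
        for entry in self.policy:
            if entry.endswith("/") and path.startswith(entry):
                return entry
            if entry == path:
                return entry
        return None

    def handle(self, request_line):
        """Return 'allow' or 'deny' for a request line such as 'GET /tours/index.html HTTP/1.1'."""
        target = request_line.split()[1]
        path = urlsplit(target).path          # the query string is not part of the URL path
        entry = self._lookup(path)
        if self.mode is DeployMode.LEARNING:
            # Learning never blocks: record the path (or count it against an existing entry).
            entry = entry or learned_entry(path)
            self.policy[entry] = self.policy.get(entry, 0) + 1
            self.log.append(f'act=learn md=learning req="{request_line}" '
                            f'msg="Learning: URL path {entry} allowed"')
            return "allow"
        if entry:
            self.policy[entry] += 1
            return "allow"
        if self.mode is DeployMode.PASSIVE:
            # Passive: the check runs and the miss is logged, but the request is forwarded.
            self.log.append(f'act=log md=passive req="{request_line}" '
                            f'msg="URL path {path} not in policy"')
            return "allow"
        # Active: the filter action is applied.
        self.log.append(f'act=deny md=active req="{request_line}" '
                        f'msg="URL path {path} not in policy"')
        return "deny"
```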

Response Header Filtering


Header Response Filtering removes the web server’s identifying headers in outgoing
responses. This information can be exploited by hackers to send an attack targeted
specifically to your server’s operating system (OS).

Header That Includes OS-identifying Fields


Here is an example of header fields in the HTTP response from a server. The Server, X-Powered-By, X-AspNet-Version, and X-AspNetMvc-Version fields provide information about the server software and OS.
< HTTP/1.1 200 OK
< Transfer-Encoding: chunked
< Content-Type: text/html
< Server: hpd
< X-Powered-By: Cavisson
< X-AspNet-Version: 1.0
< X-AspNetMvc-Version: 2.0
< Cache-Control: public, max-age=100
< Age: 52
< Via: AX-CACHE-2.7:130
<
...

Header Without OS-identifying Fields


Here is the same excerpt from the server response, with the OS-identifying headers
removed:


< HTTP/1.1 200 OK
< Transfer-Encoding: chunked
< Content-Type: text/html
< Cache-Control: public, max-age=100
< Age: 0
< Via: AX-CACHE-2.7:130
...

The response received by the client does not contain the OS-identifying headers.

Enable Header Response Filtering


The following commands access the configuration level for the WAF template and
enable Header Response Filtering:
ACOS(config)# waf template waf1
ACOS(config-waf)# filter-resp-hdrs

View External Log


Messages in the external WAF log indicate when header fields are removed by Header
Response Filtering:
Mar 24 16:39:12 CEF: 1|A10|AX3030|4.1.0|WAF|Mar 24 2016 15:50:44|session-id|2|src=172.17.3.100 spt=50621 dst=172.17.3.73 dpt=8080 hst="172.17.3.73:8080" cs1=waf-filter-resp-hdrs cs2=8c59ef7fc665dbb act=learn md=active svc=http req="GET /hello.php HTTP/1.1" 0 msg="New session created: Id=8c59ef7fc665dbb"
Mar 24 16:39:12 CEF: 1|A10|AX3030|4.1.0|WAF|Mar 24 2016 15:50:44| filter-resp-hdrs|6|src=172.17.3.100 spt=50621 dst=172.17.3.73 dpt=8080 hst="" cs1=waf-filter-resp-hdrs cs2=8c59ef7fc665dbb act=sanitize md=active svc=http req="GET /hello.php HTTP/1.1" 135 msg="Header Server filtered"
Mar 24 16:39:12 CEF: 1|A10|AX3030|4.1.0|WAF|Mar 24 2016 15:50:44| filter-resp-hdrs|6|src=172.17.3.100 spt=50621 dst=172.17.3.73 dpt=8080 hst="" cs1=waf-filter-resp-hdrs cs2=8c59ef7fc665dbb act=sanitize md=active svc=http req="GET /hello.php HTTP/1.1" 135 msg="Header X-Powered-By filtered"
Mar 24 16:39:12 173.17.3.14 A10
Mar 24 16:39:12 200.0.0.14 A10


SQLIA Check
The SQLIA Check protects against SQL commands hidden in requests sent to database
servers. The check looks for SQL code in form arguments, URLs, and cookies. In
general, these places are not supposed to contain SQL code.

Enable the SQLIA Check


The following commands access the configuration level for the WAF template and
enable the SQLIA Check.
ACOS(config)# waf template waf1
ACOS(config-waf)# request-check
ACOS(config-waf-request-check)# sqlia-check reject waf_policy_file

View External Log


The following log messages indicate that SQL was detected and the request denied:
Mar 24 17:13:21 CEF: 1|A10|AX3030|4.1.0|WAF|Mar 24 2016 16:24:52|session-id|2|src=172.17.3.100 spt=44427 dst=172.17.3.57 dpt=8080 hst="172.17.3.57:8080" cs1=waf-sql-check cs2=61b6f0af51703b87 act=learn md=active svc=http req="GET /hello.php?aa=bb-- HTTP/1.1" 0 msg="New session created: Id=61b6f0af51703b87"
Mar 24 17:13:21 CEF: 1|A10|AX3030|4.1.0|WAF|Mar 24 2016 16:24:52| sqlia-check|6|src=172.17.3.100 spt=44427 dst=172.17.3.57 dpt=8080 hst="172.17.3.57:8080" cs1=waf-sql-check cs2=61b6f0af51703b87 act=deny md=active svc=http req="GET /hello.php?aa=bb-- HTTP/1.1" 0 msg="SQLIA pattern detected! bb-- matches #1 in rule1"
Mar 24 17:13:22 1730::14 A10

Cross-site Scripting Check


The Cross-site Scripting Check (XSS Check) protects against cross-site scripting
attacks.


Enable the XSS Check


The following commands access the configuration level for the WAF template and
enable the XSS Check. In this example, the reject option is used. This option logs the
XSS attempt and then drops the request.
ACOS(config)# waf template waf1
ACOS(config-waf)# request-check
ACOS(config-waf-request-check)# xss-check reject waf_policy_file

View External Log


The following log messages indicate that an XSS attempt was detected and the request denied:
Mar 24 17:17:03 CEF: 1|A10|AX3030|4.1.0|WAF|Mar 24 2016 16:28:35|session-id|2|src=172.17.3.100 spt=58140 dst=172.17.3.54 dpt=81 hst="172.17.3.54:81" cs1=waf-xss-check cs2=ffde33f6ff0dfa70 act=learn md=active svc=http req="POST /digest.html HTTP/1.1" 9 msg="New session created: Id=ffde33f6ff0dfa70"
Mar 24 17:17:03 CEF: 1|A10|AX3030|4.1.0|WAF|Mar 24 2016 16:28:35| xss-check|6|src=172.17.3.100 spt=58140 dst=172.17.3.54 dpt=81 hst="172.17.3.54:81" cs1=waf-xss-check cs2=ffde33f6ff0dfa70 act=deny md=active svc=http req="POST /digest.html HTTP/1.1" 9 msg="Javascript pattern detected! applet matches #1 in a1"
Mar 24 17:17:04 173.17.3.221 A10

Since the reject option is used in the configuration, a Deny page such as the one shown in Figure 32 is sent to the client.
Figure 32 : Deny page
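An added Python parser (not A10 code) for the CEF records shown in the SQLIA and XSS examples above: it splits the header fields, collects the key=value extension including quoted values such as req and msg, and reports the requests the WAF denied. The sample records are this section's own log lines rejoined onto single lines.

```python
import re
from collections import Counter

# ACOS WAF CEF layout seen in this chapter: after the syslog timestamp,
# "CEF:1|A10|<product>|<ACOS version>|WAF|<event time>|<event>|<severity>|<extension>".
HEADER_FIELDS = ("cef_version", "vendor", "product", "device_version",
                 "module", "event_time", "event", "severity")
# Extension key=value pairs: the value is either a "quoted string" (may contain spaces)
# or a bare token; the bare counters between req and msg carry no key and are skipped.
EXT_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Sample records taken from this section's log excerpts, rejoined onto one line each.
SAMPLE_LOG = [
    'Mar 24 17:13:21 CEF: 1|A10|AX3030|4.1.0|WAF|Mar 24 2016 16:24:52|session-id|2|src=172.17.3.100 spt=44427 dst=172.17.3.57 dpt=8080 hst="172.17.3.57:8080" cs1=waf-sql-check cs2=61b6f0af51703b87 act=learn md=active svc=http req="GET /hello.php?aa=bb-- HTTP/1.1" 0 msg="New session created: Id=61b6f0af51703b87"',
    'Mar 24 17:13:21 CEF: 1|A10|AX3030|4.1.0|WAF|Mar 24 2016 16:24:52| sqlia-check|6|src=172.17.3.100 spt=44427 dst=172.17.3.57 dpt=8080 hst="172.17.3.57:8080" cs1=waf-sql-check cs2=61b6f0af51703b87 act=deny md=active svc=http req="GET /hello.php?aa=bb-- HTTP/1.1" 0 msg="SQLIA pattern detected! bb-- matches #1 in rule1"',
    'Mar 24 17:17:03 CEF: 1|A10|AX3030|4.1.0|WAF|Mar 24 2016 16:28:35| xss-check|6|src=172.17.3.100 spt=58140 dst=172.17.3.54 dpt=81 hst="172.17.3.54:81" cs1=waf-xss-check cs2=ffde33f6ff0dfa70 act=deny md=active svc=http req="POST /digest.html HTTP/1.1" 9 msg="Javascript pattern detected! applet matches #1 in a1"',
    'Mar 24 16:39:12 CEF: 1|A10|AX3030|4.1.0|WAF|Mar 24 2016 15:50:44| filter-resp-hdrs|6|src=172.17.3.100 spt=50621 dst=172.17.3.73 dpt=8080 hst="" cs1=waf-filter-resp-hdrs cs2=8c59ef7fc665dbb act=sanitize md=active svc=http req="GET /hello.php HTTP/1.1" 135 msg="Header Server filtered"',
]


def parse_cef(line):
    """Split one WAF CEF record into its header fields plus an 'ext' dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    parts = line[start + 4:].split("|", len(HEADER_FIELDS))
    if len(parts) != len(HEADER_FIELDS) + 1:
        raise ValueError("malformed CEF header")
    record = {name: value.strip() for name, value in zip(HEADER_FIELDS, parts)}
    record["severity"] = int(record["severity"])
    ext = {}
    for key, value in EXT_RE.findall(parts[-1]):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        ext[key] = value
    record["ext"] = ext
    return record


def denied_requests(lines):
    """(source IP, check, request line, reason) for every record where the WAF denied the request."""
    out = []
    for line in lines:
        rec = parse_cef(line)
        ext = rec["ext"]
        if ext.get("act") == "deny":
            out.append((ext.get("src"), rec["event"], ext.get("req"), ext.get("msg")))
    return out


def action_counts(lines):
    """Count records per (check, action), e.g. to watch deny and sanitize rates per WAF check."""
    counts = Counter()
    for line in lines:
        rec = parse_cef(line)
        counts[(rec["event"], rec["ext"].get("act"))] += 1
    return counts
```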


Cookie Encryption
Cookie Encryption protects against cookie tampering by encrypting cookies before
sending server replies to clients.

You can enable encryption based on specific cookie names or for all cookies whose names match a PCRE expression. The encryption uses a secret string to encrypt and decrypt cookies that are transferred between the web server and client.
The following commands access the configuration level for WAF template “resetti” and configure encryption for all cookies containing “hiddencookie” in the name:
ACOS(config)# waf template resetti
ACOS(config-waf)# cookie-encrypt ".*hiddencookie" r0cc0

The secret value “r0cc0” is used for encryption. To view the encrypted form of the secret that the WAF stores in the configuration, display the configuration:
ACOS(config-waf)# show default-running-config | section waf
waf template resetti
...
cookie-encrypt ".*hiddencookie" secret-encrypted m3nvbYs/EBg8EIy41dsA5zwQjLjV2wDnPBCMuNXbAOc8EIy41dsA5zwQjLjV2wDn
...


NOTE: Do not enter the secret-encrypted option when configuring this check.
This option is placed into the configuration by the WAF to indicate that
the string is the encrypted form.

WAF Template Reference

WAF templates allow you to easily enforce the following security filters. Table 9 lists the parameters you can configure.

NOTE: This table is a reference. For configuration procedures, see either of the following:
• Configuring WAF Using GUI
• Configuring WAF Using CLI

Table 9 : WAF Template Options


Parameter Description and Syntax Supported Values
General Fields
Template Name of the WAF template in the ACOS String
Name configuration.
Default: Not set
[no] waf template template-name

GUI:

Security > WAF > WAF Templates > +


WAF Template > Add / Edit WAF
Template
Deploy Sets the operational mode for the WAF You can select one of
Mode template. the following:
[no] deploy-mode l Active – Standard
{active | passive | learning} operational mode. You
GUI: must use Active Mode
Security > WAF > WAF Templates > + if you want the WAF to
WAF Template > + Add / Edit WAF sanitize or drop traffic
Template, and then select the Deploy based on the
Mode drop-down. configured WAF

166
ACOS 5.2.1-P7 Web Application Firewall Configuration Guide Feedback
WAF Template Reference

Table 9 : WAF Template Options


Parameter Description and Syntax Supported Values
(For more information, see WAF policies.
Operational Modes .) l Passive – Provides
passive WAF
operation. All enabled
WAF checks are
applied, but no WAF
action is performed
upon matching traffic.
This mode is useful in
staging environments
to identify false
positives for filtering.
l Learning – Provides a
way to initially set the
thresholds for certain
WAF checks based on
known, valid traffic.

Default: Active Mode


Logging Applies a configured logging template Name of a logging
to the WAF template. See WAF Event template
Logging.
Default: None selected
[no] template logging template-name

GUI:

Security > WAF > WAF Templates > +


WAF Template > + Add / Edit WAF
Template, and then select the Logging
Template drop-down.
Request Checks

Parameter: URL White List
Description and Syntax:
  Enforces the rules contained within a WAF policy file for the URL White List. For more information about URL White Lists, see URI White List.
  Syntax: [no] uri-wlist-check file-name
  GUI: Security > WAF > WAF Templates > + WAF Template > +Add/Edit WAF Template, select the Request Checks menu, and select the checkbox for URL White List Check.
Supported Values:
  Name of a WAF policy file
  Default: uri_wlist_defs

Parameter: URL Black List
Description and Syntax:
  Enforces the rules contained within a WAF policy file for the URL Black List. For more information about URL Black Lists, see URI Black List.
  Syntax: [no] uri-blist-check file-name
  GUI: Security > WAF > WAF Templates > + WAF Template > +Add/Edit WAF Template, select the Request Checks menu, and select the checkbox for URL Black List Check.
Supported Values:
  Name of a WAF policy file
  Default: uri_blist_defs

Parameter: Deny Action
Description and Syntax:
  WAF response sent to the client if traffic is denied by the WAF template.
  Syntax: [no] deny-action options resp-string
  GUI: Security > WAF > WAF Templates > + WAF Template > +Add/Edit WAF Template, and then select the Deny Action dropdown.
Supported Values:
  One of the following:
  - http-resp-403 – Sends a 403 Forbidden response to the client. The default string returns a generic “Request Denied!” page to the client.
  - http-resp-200 – Sends a 200 OK response to the client with the specified resp-string. The default string returns a generic “Request Denied!” page to the client.
  - http-redirect – Redirects the client to the specified URL.
  - reset-conn – Sends a TCP RST to the client to end the connection.
  Default: http-resp-403

Parameter: Allowed HTTP Methods
Description and Syntax:
  Checks requests to ensure they contain only the HTTP methods that are allowed by this option.
  Syntax: [no] allowed-http-methods method-name
  GUI: Security > WAF > WAF Templates > + WAF Template > +Add/Edit WAF Template, select the HTTP Protocol Checks menu, and select the checkbox for Allowed HTTP Methods.
  NOTE: The configuration of the specific HTTP method name can only be done from the CLI. It cannot be configured from the GUI. From the GUI, you can only turn a feature on or off.
Supported Values:
  Valid HTTP method names:
  - GET
  - POST
  - HEAD
  - PUT
  - OPTIONS
  - DELETE
  - TRACE
  - CONNECT
  - PURGE
  Default: GET, POST
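The Allowed HTTP Methods check and the Deny Action option work together: a request whose method is outside the allowed set receives whichever deny response the template configures. The following Python model is an added example, not ACOS or A10 code; it uses the method names, the GET/POST default and the four deny-action options from Table 9. The 302 status used for http-redirect and the way the method is read from the request line are this example's own assumptions.

```python
"""Allowed HTTP Methods check combined with the Deny Action response.

Added example in Python, not ACOS code: it models the allowed-http-methods
list (default GET, POST) and the four deny-action options from Table 9.
Assumptions: http-redirect is rendered as a 302 with a Location header, and
the request is identified only by its request line.
"""
from dataclasses import dataclass, field

# Method names Table 9 lists as valid for allowed-http-methods.
VALID_METHODS = {"GET", "POST", "HEAD", "PUT", "OPTIONS", "DELETE",
                 "TRACE", "CONNECT", "PURGE"}
DEFAULT_DENY_PAGE = "Request Denied!"  # generic page named in Table 9


@dataclass
class DenyAction:
    """deny-action option plus its resp-string (the URL for http-redirect)."""
    option: str = "http-resp-403"          # Table 9 default
    resp_string: str = DEFAULT_DENY_PAGE

    def response(self):
        """Return (status_line, headers, body). A body of None stands for a
        TCP RST (reset-conn): nothing is written back before the close."""
        if self.option == "http-resp-403":
            return ("HTTP/1.1 403 Forbidden", {}, self.resp_string)
        if self.option == "http-resp-200":
            return ("HTTP/1.1 200 OK", {}, self.resp_string)
        if self.option == "http-redirect":
            # Status code is an assumption; Table 9 only says the client is redirected.
            return ("HTTP/1.1 302 Found", {"Location": self.resp_string}, "")
        if self.option == "reset-conn":
            return ("RST", {}, None)
        raise ValueError(f"unknown deny-action option {self.option!r}")


@dataclass
class MethodPolicy:
    """allowed-http-methods with its default set and the template's deny action."""
    allowed: set = field(default_factory=lambda: {"GET", "POST"})
    deny: DenyAction = field(default_factory=DenyAction)

    def allow_method(self, name):
        """CLI-style addition of one method name; only Table 9's names are valid."""
        name = name.upper()
        if name not in VALID_METHODS:
            raise ValueError(f"{name} is not a valid HTTP method name")
        self.allowed.add(name)

    def check(self, request_line):
        """Return ('pass', None) or ('deny', response) for one request line."""
        method = request_line.split(" ", 1)[0].upper()
        if method in self.allowed:
            return ("pass", None)
        return ("deny", self.deny.response())
```

With the defaults, a DELETE request is answered with the 403 page; switching the deny action to reset-conn produces no response body at all, which is the behaviour to expect when troubleshooting "connection reset" reports from clients.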
Parameter: Bot Check
Description and Syntax:
  Checks the user-agent of incoming requests for known bots. This check uses the list of defined bots in the specified WAF policy file. See Bot Check.
  Syntax: [no] bot-check file-name
  Default: Disabled
  GUI: Security > WAF > WAF Templates > + WAF Template > +Add/Edit WAF Template, select the Request Checks menu. Enable the Bot Check menu, and from the File drop-down, select the bot_defs file.
Supported Values:
  Name of a WAF policy file
  Default: bot_defs
Parameter: Disable Buffer Overflow Protection
Description and Syntax:
  Checks for attempts to cause a buffer overflow on the web server.
  - Max Cookie Length – Sets the maximum length for cookies, cookie names, and/or cookie values allowed in a request.
  - Max Headers Length – Sets the maximum header length for headers, header names, and/or header values allowed in requests.
  - Max Line Length – Sets the maximum length for lines.
  - Max Parameters Length – Sets the maximum parameter length allowed for the total parameters, the parameter names, and/or the parameter values.
  - Max Post Size – Sets the maximum content length allowed in HTTP POST requests.
  - Max Query Length – Sets the maximum length for queries.
  - Max URL Length – Sets the maximum URL length allowed in requests.
  Syntax:
    [no] http-limit-check {disable | max-content-length | max-cookie-header-length | max-cookie-name-length | max-cookie-value-length | max-cookies | max-cookies-length | max-entities | max-header-length | max-header-name-length | max-header-value-length | max-headers | max-headers-length | max-param-name-length | max-param-value-length | max-params | max-params-length | max-post-length | max-query-length | max-request-length | max-request-line-length | max-url-length} [bytes]
    [no] max-parameters
  GUI: Security > WAF > WAF Templates > + WAF Template > +Add/Edit WAF Template, and select the HTTP Limit Checks menu.
Supported Values:
  Enabled or Disabled
  The maximum accepted URL length can be set between 0 to 16127. The maximum accepted length for all other limits can be set between 0 to 65535.
  Default: Enabled
  If enabled, the following default values apply:
  - Max Request Length: default 20480, range 0-2147483647
  - Max Request Line Length: default 4096, range 0-65535
  - Max URL Length: default 4096, range 0-65535
  - Max Query Length: default 4096, range 0-65535
  - Max Content Length: default 4096, range 0-2147483647
  - Max Headers Length: default 4096, range 0-65535
  - Max Header Length: default 4096, range 0-65535
  - Max Header Name Length: default 64, range 0-65535
  - Max Header Value Length: default 4096, range 0-65535
  - Max Headers: default 64, range 0-255
  - Max Cookies Length: default 4096, range 0-65535
  - Max Cookie Header Length: default 4096, range 0-65535
  - Max Cookie Name Length: default 64, range 0-65535
  - Max Cookie Value Length: default 4096, range 0-65535
  - Max Cookies: default 256, range 0-1023
  - Max Entities: default 10, range 0-512
  - Max Parameters Length: default 4096, range 0-65535
  - Max Parameter Name Length: default 256, range 0-65535
  - Max Parameter Value Length: default 4096, range 0-65535
  - Max Parameters: default 64, range 0-1024
  - Max POST Length: default 20480, range 0-2147483647
Parameter: Cross-Site Forgery (CSRF) Check
Description and Syntax:
  Tags fields of a web form to protect against cross-site request forgery (CSRF).
  Syntax: [no] csrf-check
  GUI: Security > WAF > WAF Templates > + Add WAF Template > +Add/Edit WAF Template, and select the Form Protection menu. Then turn on the CSRF Check toggle key.
Supported Values:
  Enabled or Disabled
  Default: Disabled

Parameter: Form Consistency Check
Description and Syntax:
  Checks that user input to form fields is consistent with the intended format.
  Syntax: [no] form-consistency-check
  GUI: Security > WAF > WAF Templates > + Add WAF Template > +Add/Edit WAF Template, and select the Form Protection menu. Then select the checkbox for Form Consistency Check.
Supported Values:
  Enabled or Disabled
  Default: Disabled

Parameter: HTTP Protocols Check
Description and Syntax:
  Checks that user requests are compliant with HTTP protocols.
  Syntax: [no] http-check
  GUI: Security > WAF > WAF Templates > + Add WAF Template > +Add/Edit WAF Template, and then select the HTTP Protocol Checks menu.
Supported Values:
  Enabled or Disabled
  Default: Disabled
Parameter: Session Check
Description and Syntax:
  Checks that user requests match a unique session ID created for them.
  Syntax: [no] session-check [secs]
  GUI: Security > WAF > WAF Templates > + Add WAF Template > +Add/Edit WAF Template, and then select the Request Checks menu. In the Session Checks menu, enable Session Check and in the Limit field, enter the session lifetime in minutes.
Supported Values:
  1-1440
  Default: 10

Parameter: Max Cookies
Description and Syntax:
  Specifies the maximum number of cookies a request can contain.
  Syntax: [no] max-cookies num
  GUI: Security > WAF > WAF Templates > + Add WAF Template > +Add/Edit WAF Template, and then select the HTTP Limit Checks menu. Then enter the number in the Max Cookies field.
Supported Values:
  0-1023
  Default: 256

Parameter: Max Headers
Description and Syntax:
  Specifies the maximum number of headers a request can contain.
  Syntax: [no] max-hdrs num
  GUI: Security > WAF > WAF Templates > + Add WAF Template > +Add/Edit WAF Template, and then select the HTTP Limit Checks menu. Then enter the number in the Max Headers field.
Supported Values:
  0-255
  Default: 64

Parameter: Max HTML Parameters
Description and Syntax:
  Specifies the maximum number of parameters a request can contain.
  Syntax: [no] max-parameters num
  GUI: Security > WAF > WAF Templates > + Add WAF Template > +Add/Edit WAF Template, and then select the HTTP Limit Checks menu. Then enter the number in the Max Parameters field.
Supported Values:
  0-1024
  Default: 64
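The HTTP limit checks (the Disable Buffer Overflow Protection row's http-limit-check keywords, together with the Max Cookies, Max Headers and Max HTML Parameters rows) all reduce to measuring one quantity of a request and comparing it with a configured ceiling. The Python below is an added example, not ACOS or A10 code: it takes the limit names and default values from Table 9 and evaluates a raw request against them, reporting every limit the request exceeds rather than stopping at the first. How each quantity is measured here (path and query counted separately, cookies split on ';', form parameters taken only from an application/x-www-form-urlencoded body) is this example's own assumption, and the sample request is constructed, not captured.

```python
"""HTTP limit checks (http-limit-check / max-parameters) run over a raw request.

Added example in Python, not ACOS code. The limit names and default values are
the ones Table 9 lists; how each quantity is measured is this example's own
assumption.
"""
from urllib.parse import urlsplit, parse_qsl

# Table 9 defaults. Lengths are byte counts; max-headers, max-cookies and
# max-params are counts.
DEFAULT_LIMITS = {
    "max-request-line-length": 4096,
    "max-url-length": 4096,
    "max-query-length": 4096,
    "max-headers": 64,
    "max-header-name-length": 64,
    "max-header-value-length": 4096,
    "max-cookies": 256,
    "max-cookie-name-length": 64,
    "max-cookie-value-length": 4096,
    "max-params": 64,
    "max-param-name-length": 256,
    "max-param-value-length": 4096,
    "max-post-length": 20480,
}


def check_request(raw, overrides=None):
    """Return [(limit, observed, configured), ...] for every limit the request
    exceeds; an empty list means the request passes. `overrides` plays the
    role of per-template http-limit-check <name> <bytes> settings."""
    limits = {**DEFAULT_LIMITS, **(overrides or {})}
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line, header_lines = lines[0], lines[1:]
    violations = []

    def hit(name, observed):
        if observed > limits[name]:
            violations.append((name, observed, limits[name]))

    # Request line, URL path and query string.
    hit("max-request-line-length", len(request_line))
    parts = request_line.split(b" ")
    target = urlsplit(parts[1].decode("latin-1")) if len(parts) > 1 else urlsplit("")
    hit("max-url-length", len(target.path))
    hit("max-query-length", len(target.query))

    # Headers: one (name, value) pair per line.
    headers = []
    for line in header_lines:
        name, _, value = line.partition(b":")
        name, value = name.strip().lower(), value.strip()
        headers.append((name, value))
        hit("max-header-name-length", len(name))
        hit("max-header-value-length", len(value))
    hit("max-headers", len(headers))

    # Cookies: every 'name=value' pair carried in Cookie headers.
    cookies = [c.strip() for n, v in headers if n == b"cookie"
               for c in v.split(b";") if c.strip()]
    hit("max-cookies", len(cookies))
    for cookie in cookies:
        cname, _, cval = cookie.partition(b"=")
        hit("max-cookie-name-length", len(cname))
        hit("max-cookie-value-length", len(cval))

    # Parameters: query string plus a URL-encoded form body.
    params = parse_qsl(target.query, keep_blank_values=True)
    content_type = dict(headers).get(b"content-type", b"")
    if content_type.startswith(b"application/x-www-form-urlencoded"):
        params += parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    hit("max-params", len(params))
    for pname, pvalue in params:
        hit("max-param-name-length", len(pname))
        hit("max-param-value-length", len(pvalue))

    # Body size for POST-style requests.
    hit("max-post-length", len(body))
    return violations


# Constructed sample request used for the checks below; not captured traffic.
SAMPLE_REQUEST = (b"GET /search?q=firewall HTTP/1.1\r\n"
                  b"Host: app.example\r\n"
                  b"Cookie: sid=abc123; theme=dark\r\n\r\n")
```

Running the sample with the defaults yields no violations; lowering max-cookies to 1 reports the two cookies, and a 5000-byte path trips both max-url-length and max-request-line-length, which is the pattern to expect in logs when one oversized element triggers several limits at once.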
Parameter: Referer Check
Description and Syntax:
  Validates that the referrer header in a request contains web form data from the specified web server, rather than from an outside website. This check protects against CSRF attacks.
  - Enabled – Always validates the referrer header. If selected, the request fails the check if there is no referrer header or if the referrer header is invalid.
  - Disabled – Configures WAF to not validate requests based on the referrer header.
  - Only-If-Present – Validates the referer header only if a referrer header exists. If the check finds an invalid referrer header, the request fails the check. However, the request does not fail the check if there is no referrer header in the request.
  Syntax: [no] referer-check {enable | only-if-present}
  GUI: Security > WAF > WAF Templates > + Add WAF Template > +Add/Edit WAF Template, and then select the Request Checks menu. Then select the checkbox for Referer Check.
Supported Values:
  One of the following:
  - Enabled
  - Disabled
  - Only-If-Present
  If this check is activated, you can set the following additional options:
  - Allowed Referer Domains – String
  - Safe URL – String
  Default: Disabled
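The three Referer Check modes differ only in what happens when the header is absent; the validity test itself is the same. The Python below is an added example, not ACOS or A10 code, and models the modes as Table 9 describes them plus the Allowed Referer Domains option. It assumes a Referer is valid when its host is the protected site's own host or is equal to, or a subdomain of, an allowed domain; the Safe URL option is not modelled. The comparison is done on the parsed host rather than on a string prefix, so a referrer such as app.example.evil.example is not accepted for app.example.

```python
"""Referer Check in its three modes with Allowed Referer Domains.

Added example in Python, not ACOS code. Assumption: a Referer is valid when
its host is the protected site's own host, or equals / is a subdomain of one
of the Allowed Referer Domains; the Safe URL option is not modelled.
"""
from urllib.parse import urlsplit


def referer_valid(referer, protected_host, allowed_domains=()):
    """True when the Referer URL names the protected host or an allowed domain.
    Comparison is on the parsed host, so 'app.example.evil.example' does not
    pass as 'app.example' (a plain prefix match would accept it)."""
    try:
        host = urlsplit(referer).hostname
    except ValueError:          # e.g. malformed IPv6 brackets
        return False
    if not host:                # bare path or garbage: no site identified
        return False
    host = host.lower()
    if host == protected_host.lower():
        return True
    for domain in (d.lower() for d in allowed_domains):
        if host == domain or host.endswith("." + domain):
            return True
    return False


def referer_check(mode, headers, protected_host, allowed_domains=()):
    """Apply Table 9's modes to a list of (name, value) header pairs and
    return 'pass' or 'fail'."""
    if mode == "disabled":
        return "pass"
    if mode not in ("enable", "only-if-present"):
        raise ValueError(f"unknown referer-check mode {mode!r}")
    referer = next((v for k, v in headers if k.lower() == "referer"), None)
    if referer is None:
        # enable: a missing header fails; only-if-present: it is ignored.
        return "pass" if mode == "only-if-present" else "fail"
    return "pass" if referer_valid(referer, protected_host, allowed_domains) else "fail"
```

Because browsers and privacy extensions routinely strip the Referer header, the enable mode will fail legitimate form posts from such clients; only-if-present keeps the protection for requests that do carry the header, which is why it is the usual starting point when rolling the check out.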
Parameter: SQL Injection Attack (SQLIA) Check
Description and Syntax:
  Checks for SQL strings to protect against SQL injection attacks. This check uses the list of defined SQL commands in the “sqlia_defs” WAF policy file. See SQL Injection Attack Check.
  Syntax: [no] sqlia-check {reject}
  GUI: Security > WAF > WAF Templates > + Add WAF Template > +Add/Edit WAF Template, and select the Request Checks menu. From the Injection Checks menu, for the SQL Injection Attack Check, select Reject from the Action dropdown.
Supported Values:
  One of the following:
  - Reject
  - Disabled
  Definition – Name of a configured WAF policy file
  Default: Disabled

Parameter: Cross-site Scripting (XSS) Check
Description and Syntax:
  Checks for potential HTML XSS scripts to protect against cross-site scripting attacks. This check uses the list of defined Javascript commands in the “jscript_defs” WAF policy file. See XSS Check.
  Syntax: [no] xss-check {reject}
  GUI: Security > WAF > WAF Templates > + Add WAF Template > +Add/Edit WAF Template, and select the Request Checks menu. From the XSS Check menu, select Reject from the Action dropdown.
Supported Values:
  One of the following:
  - Reject
  - Disabled
  Default: Disabled

Parameter: URL Check
Description and Syntax:
  Select this option to prevent users from accessing the URLs of your website directly. The URL Check allows users to only access web pages by clicking a hyperlink on your protected website.
  Note: In the current release, the approved URL path list for the URL Check can be configured only using Learning Mode. For a deployment example that includes configuration of the URL Check, see Generate Allowed URL Paths for the URL Check.
  Syntax: [no] url-check
  GUI: Security > WAF > WAF Templates > + Add WAF Template > +Add/Edit WAF Template, and then select the Request Checks menu. Then select the checkbox for URL Learned List Check.
Supported Values:
  Enabled or Disabled
  Default: Disabled

Parameter: URL Options
Description and Syntax:
  Use this command to normalize request URLs. This helps shorten the URLs and helps protect web servers from attacks that hide in the non-normalized, recursive encoding of the data. One example of such an attack is the so-called directory traversal attack, which exploits non-sanitized file names in order to gain access to sensitive directories or unauthorized files. See Normalization Enhancements for URL Options.
  URL Normalization Options include:
  - Decode Entities
  - Decode Escaped Characters
  - Decode HEX Characters
  - Comment Removal
  - Remove Self-References
  - Remove Spaces
  Syntax: [no] url-options
  GUI: Security > WAF > WAF Templates > Add WAF Template > +Add/Edit WAF Template, and then select the Request Checks menu.
Supported Values:
  Enabled or Disabled
  Default: Disabled
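The value of URL normalization is that every later check (URL white/black lists, the URL Check, injection checks) sees one canonical form of the path instead of the many encodings a client can send. The Python below is an added example, not ACOS or A10 code; it takes only the six option names from the URL Options row, and what each option does here is this example's own reading: Decode HEX Characters handles \xNN sequences, Comment Removal strips /* ... */ blocks, and Decode Escaped Characters repeats percent-decoding until the path stops changing, which is what resolves the recursive encoding the row warns about. A final helper flags a ".." segment after normalization, the traversal form the row names, to show why the check has to run on the normalized path and not on the raw one.

```python
"""URL Normalization Options applied before other request checks.

Added example in Python, not ACOS code. The six option names come from the
URL Options row; what each one does here is this example's own assumption.
"""
import html
import re
from urllib.parse import unquote


def decode_entities(path):
    return html.unescape(path)                       # &amp; -> &, &#46; -> .


def decode_escaped_characters(path):
    """Percent-decode until stable so %252e (-> %2e -> .) reaches its final form."""
    while True:
        decoded = unquote(path)
        if decoded == path:
            return decoded
        path = decoded


def decode_hex_characters(path):
    # Assumed form: backslash-x followed by two hex digits.
    return re.sub(r"\\x([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), path)


def comment_removal(path):
    # Assumed form: C-style block comments embedded in the path.
    return re.sub(r"/\*.*?\*/", "", path, flags=re.S)


def remove_self_references(path):
    """Drop '/.' segments ('/a/./b' -> '/a/b') until none remain."""
    previous = None
    while previous != path:
        previous, path = path, re.sub(r"/\.(?=/|$)", "", path)
    return path


def remove_spaces(path):
    return re.sub(r"\s+", "", path)


# Order in which the options are applied (an assumption of this example).
URL_OPTIONS = {
    "decode-entities": decode_entities,
    "decode-escaped-characters": decode_escaped_characters,
    "decode-hex-characters": decode_hex_characters,
    "comment-removal": comment_removal,
    "remove-self-references": remove_self_references,
    "remove-spaces": remove_spaces,
}


def normalize_url(path, enabled=None):
    """Run the enabled options (all of them by default) over a request path."""
    names = URL_OPTIONS if enabled is None else enabled
    for name in names:
        path = URL_OPTIONS[name](path)
    return path


def has_parent_reference(path):
    """Post-normalization check for a '..' segment, the directory traversal
    form the URL Options row describes; run it on the normalized path only."""
    return any(segment == ".." for segment in path.split("/"))
```

The doubly encoded path in the checks below is the case the row is about: a single pass of percent-decoding leaves %2e%2e in place and a naive check sees no ".." segment, while the normalized form exposes it.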
Response Checks

Parameter: CCN Mask
Description and Syntax:
  Replaces all but the last four digits of credit card numbers with an “x” character.
  Syntax: [no] ccn-mask
  GUI: Security > WAF > WAF Templates > + Add WAF Template > +Add/Edit WAF Template, and then select the Data Leak Prevention menu, and select the CCN Mask checkbox.
Supported Values:
  Enabled or Disabled
  Default: Disabled

Parameter: SSN Mask
Description and Syntax:
  Replaces all but the last four digits of US Social Security numbers with an “x” character.
  Syntax: [no] ssn-mask
  GUI: Security > WAF > WAF Templates > + Add WAF Template > +Add/Edit WAF Template, and then select the Data Leak Prevention menu, and select the SSN Mask checkbox.
Supported Values:
  Enabled or Disabled
  Default: Disabled

Parameter: Filter Response Headers
Description and Syntax:
  Removes the web server’s identifying headers in responses. By default, this check uses the “allowed_resp_codes” WAF policy file for a list of acceptable HTTP response codes.
  Syntax: [no] filter-resp-hdrs
  GUI: Security > WAF > WAF Templates > + Add WAF Template > +Add/Edit WAF Template, and then select the Data Leak Prevention menu, and select the Filter Response Headers checkbox.
Supported Values:
  Enabled or Disabled
  Default: Disabled

Parameter: Hide Response Codes
Description and Syntax:
  “Cloaks” your web servers by hiding response codes from them instead of forwarding them to the client.
  Syntax: [no] hide-resp-codes waf-policy-file-name
  GUI: Security > WAF > WAF Templates > + Add WAF Template > +Add/Edit WAF Template, and then select the Data Leak Prevention menu, and turn on the Hide Response Codes toggle key.
Supported Values:
  Enabled or Disabled
  Default: Disabled
  Definition – Name of a configured WAF policy file
  If disabled, the default policy file is “allowed_resp_codes”
Parameter: PCRE Mask
Description and Syntax:
  Cloaks patterns in a response that match the specified PCRE pattern.
  - PCRE Pattern – Specifies the pattern to search for in responses.
  - Mask – Selects a character to mask the matched pattern of a string.
  - Keep Start – Sets the number of unmasked characters at the beginning of the string.
  - Keep End – Specifies the number of unmasked characters at the end of the string.
  Syntax: [no] pcre-mask pcre-pattern [keep-end num-length | keep-start num-length | mask character]
  GUI: Security > WAF > WAF Templates > + Add WAF Template > +Add/Edit WAF Template, and then select the Data Leak Prevention menu.
Supported Values:
  You can specify the following options:
  - PCRE Pattern – Valid string
  - Mask – Single character
  - Keep Start – 0-65535
  - Keep End – 0-65535
  Default:
  - PCRE Pattern – Not set
  - Mask – x
  - Keep Start – 0
  - Keep End – 0

Parameter: Cookie Encryption Secret
Description and Syntax:
  Uses the specified Secret string to encrypt and decrypt cookies in server to client communication. For Cookie Name, you can enter the name of a specific cookie as a string, or a PCRE expression to encrypt all cookies which match the expression.
  Syntax: [no] cookie-encrypt {cookie-name | pcre-pattern}
  GUI: Security > WAF > WAF Templates > + Add WAF Template > +Add/Edit WAF Template, and then select the Cookie Security menu.
Supported Values:
  Cookie Name – String or PCRE expression
  Cookie Encryption Secret – String
  Default: Not set
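The CCN Mask, SSN Mask and PCRE Mask rows above are three views of one response-rewriting mechanism: find a pattern in the body and replace part of the match with a mask character while keeping a prefix or suffix visible. The Python below is an added example, not ACOS or A10 code, covering all three rows. Python's re module stands in for PCRE; the card-number and SSN patterns, and the Luhn checksum applied before a 13-19 digit run is treated as a card number (which keeps order numbers and similar digit runs out of the mask), are this example's own assumptions. Table 9 itself only says that all but the last four digits are replaced with "x".

```python
"""Response masking: PCRE Mask, CCN Mask and SSN Mask from Table 9.

Added example in Python, not ACOS code. Python's re module stands in for
PCRE. The card-number and SSN patterns and the Luhn filter are this
example's own assumptions.
"""
import re


def mask_string(s, mask="x", keep_start=0, keep_end=0):
    """Mask one matched string, keeping keep_start leading and keep_end
    trailing characters (Table 9 defaults: mask x, keep-start 0, keep-end 0)."""
    if len(mask) != 1:
        raise ValueError("mask must be a single character")
    n = len(s)
    head = min(keep_start, n)
    tail = min(keep_end, n - head)     # never overlap the kept prefix
    return s[:head] + mask * (n - head - tail) + s[n - tail:]


def pcre_mask(body, pattern, mask="x", keep_start=0, keep_end=0):
    """pcre-mask pcre-pattern [keep-start N] [keep-end N] [mask C] over a body."""
    return re.sub(pattern,
                  lambda m: mask_string(m.group(0), mask, keep_start, keep_end),
                  body)


def mask_all_but_last4_digits(s, mask="x"):
    """Replace every digit except the last four; separators are left in place."""
    out, digits_seen = [], 0
    for ch in reversed(s):
        if ch.isdigit():
            digits_seen += 1
            out.append(ch if digits_seen <= 4 else mask)
        else:
            out.append(ch)
    return "".join(reversed(out))


def luhn_ok(digits):
    """Luhn checksum, used so that digit runs which are not card numbers
    (order ids, tracking numbers) are left readable."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# Constructed patterns (assumptions): 13-19 digits with optional single
# space/dash separators, and the dashed 3-2-4 SSN form.
CCN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def ccn_mask(body):
    """ccn-mask: keep the last four digits of Luhn-valid card numbers."""
    def repl(m):
        s = m.group(0)
        return mask_all_but_last4_digits(s) if luhn_ok(re.sub(r"\D", "", s)) else s
    return CCN_PATTERN.sub(repl, body)


def ssn_mask(body):
    """ssn-mask: keep the last four digits of a dashed US SSN."""
    return SSN_PATTERN.sub(lambda m: mask_all_but_last4_digits(m.group(0)), body)
```

Note the difference between the generic and the specific masks: pcre_mask counts kept characters from either end of the whole match (so a separator can be among the kept characters), while the CCN and SSN masks count digits, which is what "all but the last four digits" requires when the number is written with spaces or dashes.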
Glossary

A

ACL
Access Control List. A list in a computer file system that contains the permissions associated with an object and specifies the users or system processes that are allowed to access that object. It also grants permission for performing operations on given objects.

aFleX
A scripting tool that is built into the Thunder Series Server Load Balancers. aFleX is based on a standard scripting language, TCL, enabling the load balancer to perform Layer 7 deep-packet inspection (DPI).

B

bot
A type of script or software application performing automated tasks according to the user command.

buffer overflow
An anomaly occurring when a program attempts to store an excess of data in a temporary storage beyond its capacity. The extra data gets spilled and corrupted, and the program stops working.

C

CCN
Credit Card Number. A primary account number that serves as an identifier for the credit card being used in a transaction.

cloak
An action that presents information on the application different from that on the user-end. It stops hackers from retrieving any data that helps them successfully launch a subsequent attack.

cookie
A message that web servers pass to web browsers when Internet sites are visited. It is stored by browsers in a small .txt file and sent back to the server when a request for another web page is made from the browser.

D

DSS
Data Security Standard. An InfoSec standard for organizations managing high-value transaction data.

F

Form Field
An insertion which defines each element of a Web page and configures its appearance and behaviour.

H

HTML
Hypertext Markup Language. The standard markup language developed for displaying documents in a web browser.

HTTP
HyperText Transfer Protocol. An underlying web protocol that defines the way messages can be formatted and sent, and the actions to be taken by web servers and browsers for responding to multiple commands.

J

JSON
JavaScript Object Notation is an open standard file format, and data interchange format, that uses human-readable text to store and transmit data objects consisting of attribute–value pairs and array data types.

P

PCI
Payment Card Industry. A sector of the financial industry governing the usage of electronic payments.

PCRE
Perl Compatible Regular Expressions. A programming library developed in C and used for implementing a regular expression engine with the Perl programming capabilities.

R

redirect
The purposeful action of sending a signal or data, or other information to an alternate location instead of the intended destination.

S

schema
The physical, logical, and graphical design of a database.

SOAP
Simple Object Access Protocol. A binding process that allows either rpc style or document with encoding of a data value in an XML format.

SQL
Structured Query Language. A domain-based language for programming, designing and managing data developed by relational database management system. It also streams the processing of a relational data stream management system.

SQLIA
Structured Query Language Injection Attack. An information security threat where an attacker adds SQL code to the input box of a Web form and gains unauthorized access to resources for modifying sensitive data.

SSN
Social Security Number. A 9-digit number issued by the U.S. government to its citizens and permanent residents, as well as working (temporary) residents. It allows the Social Security Administration to monitor the social security process of individuals.

Syntax
The rules and disciplines that define the structuring of data, particularly the order of information being packaged by a sender for a receiver.

U

URI
Uniform Resource Identifier. A string of characters which unambiguously specify the particular resource and use to specific protocols to enable interaction with its representations over the World Wide Web.

URL
Uniform Resource Locator. A web address that works as a reference to specify the location of a web resource on a computer network and also runs a mechanism for its retrieval.

X

XSS
Cross-site Scripting. An information security breach leveraging the dynamically-developed Web pages.
©2023 A10 Networks, Inc. All rights reserved. A10 Networks, the A10 Networks logo, ACOS, A10 Thunder, Thunder TPS, A10 Harmony, SSLi and SSL Insight are trademarks or registered trademarks of A10 Networks, Inc. in the United States and other countries. All other trademarks are property of their respective owners. A10 Networks assumes no responsibility for any inaccuracies in this document. A10 Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. For the full list of trademarks, visit: www.a10networks.com/company/legal/trademarks/.