
Web Application Firewall profile settings

Following are the profile settings that you must configure on the appliance.

At the command prompt, type:

add appfw profile <name> [-invalidPercentHandling <invalidPercentHandling>] [-checkRequestHeaders ( ON | OFF )] [-URLDecodeRequestCookies ( ON | OFF )] [-optimizePartialReqs ( ON | OFF )] [-errorURL <expression>] [-logEveryPolicyHit ( ON | OFF )] [-stripHtmlComments <stripHtmlComments>] [-stripXmlComments ( none | all )] [-postBodyLimitSignature <positive_integer>] [-fileUploadMaxNum <positive_integer>] [-canonicalizeHTMLResponse ( ON | OFF )] [-percentDecodeRecursively ( ON | OFF )] [-multipleHeaderAction <multipleHeaderAction> ...] [-inspectContentTypes <inspectContentTypes> ...] [-semicolonFieldSeparator ( ON | OFF )] [-fieldScan ( ON | OFF )] [-fieldScanLimit <positive_integer>] [-JSONFieldScan ( ON | OFF )] [-JSONFieldScanLimit <positive_integer>] [-messageScan ( ON | OFF )] [-messageScanLimit <positive_integer>] [-JSONMessageScan ( ON | OFF )] [-JSONMessageScanLimit <positive_integer>] [-messageScanLimitContentTypes <messageScanLimitContentTypes>]
<!--NeedCopy-->

invalidPercentHandling - Configure how the Web App Firewall handles invalid percent-encoded sequences in names and values.

asp_mode - Strips the invalid percent-encoded sequence, then parses and inspects the rest of the content.

Example: curl -v "http://<vip>/forms/login.html?field=sel%zzect" -> The invalid percent-encoded sequence (%zz) is stripped off, the remaining content (select) is inspected, and the SQL injection check takes its configured action.

secure_mode - Detects the invalid percent-encoded value and leaves it as it is.

Example: curl -v "http://<vip>/forms/login.html?field=sel%zzect" -> The invalid percent-encoded sequence (%zz) is detected, the counters are incremented, and the content is passed as is to the server.

apache_mode - Works the same way as secure_mode.

Note:

Starting from release 13.1 build 45.x, the apache_mode function is deprecated.

Possible values: apache_mode, asp_mode, secure_mode

Default value: secure_mode

Example:

add appfw profile profile1 -invalidPercentHandling secure_mode -checkRequestHeaders ON -URLDecodeRequestCookies OFF -optimizePartialReqs OFF
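The following Python script is an added illustration for this page, not NetScaler code: it decodes a query-string value the way each invalidPercentHandling mode does and then runs a small stand-in for the SQL keyword check, so you can see why the curl example above is flagged under asp_mode but not under a plain keyword match in secure_mode. The keyword list, the function names and the treatment of a trailing "%" are this example's assumptions.

```python
"""Added example: what asp_mode and secure_mode do to an invalid %xx
sequence before the security checks run. Not NetScaler's implementation."""

import re
from typing import List, Tuple

# Constructed stand-in for the SQL injection keyword table; the appliance
# uses its own keyword and special-character tables and signatures.
SQL_KEYWORDS = {"select", "union", "insert", "update", "delete", "drop"}

HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")


def decode_percent(value: str, mode: str) -> Tuple[str, int]:
    """Decode %xx sequences in value and return (decoded, invalid_count).

    asp_mode    - an invalid sequence ('%' not followed by two hex digits,
                  for example %zz) is stripped and the rest is decoded.
    secure_mode - the invalid sequence is counted and kept verbatim.
    apache_mode - same behaviour as secure_mode (deprecated from 13.1 45.x).
    """
    if mode not in ("asp_mode", "secure_mode", "apache_mode"):
        raise ValueError(f"unknown invalidPercentHandling mode: {mode!r}")
    out: List[str] = []
    invalid = 0
    i = 0
    while i < len(value):
        if value[i] != "%":
            out.append(value[i])
            i += 1
            continue
        pair = value[i + 1:i + 3]
        if HEX_PAIR.match(pair):
            out.append(chr(int(pair, 16)))
            i += 3
            continue
        invalid += 1
        if mode == "asp_mode":
            # Assumption: drop '%' and the characters that should have been hex.
            i += 1 + len(pair)
        else:
            out.append("%")  # keep the raw '%'; the server decides what it means
            i += 1
    return "".join(out), invalid


def inspect_query_field(raw_value: str, mode: str) -> dict:
    """Decode one query-string value according to mode, then run the toy
    keyword check on what the appliance would actually inspect."""
    decoded, invalid = decode_percent(raw_value, mode)
    words = set(re.findall(r"[A-Za-z]+", decoded.lower()))
    return {
        "mode": mode,
        "inspected": decoded,
        "invalid_percent_count": invalid,
        "sql_keyword_hit": bool(words & SQL_KEYWORDS),
    }


if __name__ == "__main__":
    # The curl example from this page: field=sel%zzect
    for mode in ("asp_mode", "secure_mode"):
        print(inspect_query_field("sel%zzect", mode))
```

Running it shows asp_mode inspecting "select" (keyword hit, one invalid sequence counted) and secure_mode inspecting "sel%zzect" verbatim (no keyword hit, one invalid sequence counted). Choose the mode that matches what the back end does with such input: asp_mode for servers that strip invalid sequences before use, which is the behaviour the mode is named after, and secure_mode for servers that reject them or pass them through unchanged.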

optimizePartialReqs - Controls how the appliance handles partial requests from clients. Without a Safe Object check configured, the setting makes no difference: whether ON or OFF, the appliance forwards the partial request to the back-end server and returns the partial response to the client. The setting matters only when a Safe Object check is configured, because that check inspects response bodies: when OFF, the appliance requests the full response from the server; when ON, it requests only the partial response.

ON - Partial requests by the client result in partial requests to the back-end server. OFF - Partial requests by the client are changed to full requests to the back-end server.

Possible values: ON, OFF. Default value: ON.

URLDecodeRequestCookies - When checkRequestHeaders is ON, cookies are inspected by the security checks (SQL injection, cross-site scripting, command injection). When URLDecodeRequestCookies is ON, the cookies are URL decoded before they are inspected, so a percent-encoded payload in a cookie cannot slip past those checks.

Possible values: ON, OFF. Default value: OFF.

Signature Post Body Limit (Bytes). Limits the request payload (in bytes) inspected for signatures with the location specified as ‘HTTP_POST_BODY’.

Default value: 8096. Minimum value: 0. Maximum value: 4294967295.

Post Body Limit (Bytes). Limits the request payload (in bytes) inspected by Web Application Firewall.

Default value: 20000000. Minimum value: 0. Maximum value: 10 GB.

For more information about the security settings and the GUI procedure, see the Configure Web App Firewall Profile topic.

postBodyLimitAction - The action that the Web App Firewall takes when the HTTP body of a request exceeds the configured post body limit. Configure one or more actions so that the limit is enforced with the profile's error settings rather than silently. The actions also apply to requests whose body is sent with Transfer-Encoding: chunked, where the body size is not known in advance from a Content-Length header.

set appfw profile <profile_name> -PostBodyLimitAction block log stats

Where:

Block - Blocks the connection when the request body exceeds the configured post body limit. Always enable this action.

Log - Logs violations of this security check.

Stats - Generates statistics for this security check.

Note:

The log format for the post body limit action now follows the standard audit logging format, for example:

ns.log.4.gz:Jun 25 1.1.1.1. <local0.info> 10.101.10.100 06/25/2020:10:10:28 GMT 0-PPE-0 : default APPFW APPFW_POSTBODYLIMIT 1506 0 : <Netscaler IP> 4234-PPE0 - testprof <URL> Request post body length(<Post Body Length>) exceeds post body limit.
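Here is an added Python example, written for this page and not a NetScaler tool, that parses lines in this audit format so that post body limit violations can be counted per profile or fed to a SIEM rule. The three sample lines are constructed from the template above with RFC 5737 test addresses and made-up sizes and URLs; the regex group names are this example's own, and the trailing <action> tag is treated as optional because the template does not show one.

```python
"""Added example: parse APPFW audit log lines and pull out the
APPFW_POSTBODYLIMIT records. Not NetScaler code; see the lead-in."""

import re
from typing import Dict, Iterable, List, Optional

# Constructed sample lines following the template on this page (placeholders
# replaced with RFC 5737 test addresses and made-up sizes and URLs).
SAMPLE_LINES: List[str] = [
    "Jun 25 10:10:28 <local0.info> 10.101.10.100 06/25/2020:10:10:28 GMT 0-PPE-0 : "
    "default APPFW APPFW_POSTBODYLIMIT 1506 0 : 192.0.2.10 4234-PPE0 - testprof "
    "https://www.example.com/upload Request post body length(25000000) exceeds post body limit.",
    "Jun 25 10:11:02 <local0.info> 10.101.10.100 06/25/2020:10:11:02 GMT 0-PPE-0 : "
    "default APPFW APPFW_POSTBODYLIMIT 1507 0 : 198.51.100.7 4235-PPE0 - testprof "
    "https://www.example.com/api/import Request post body length(31000000) exceeds post body limit. <blocked>",
    "Jun 25 10:11:30 <local0.info> 10.101.10.100 06/25/2020:10:11:30 GMT 0-PPE-0 : "
    "default APPFW APPFW_STARTURL 136 0 : 203.0.113.5 4236-PPE0 - testprof "
    "https://www.example.com/admin Disallow Illegal URL. <blocked>",
]

# Field layout taken from the template on this page; the group names are ours.
# The trailing "<action>" tag is optional here because the template omits it.
APPFW_RE = re.compile(
    r"(?P<ns_ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<timestamp>\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2}) GMT "
    r"(?P<ppe>\S+) : (?P<partition>\S+) APPFW (?P<msg_type>APPFW_\w+) "
    r"(?P<msg_id>\d+) \d+ : (?P<addr>\S+) (?P<session>\S+) - "
    r"(?P<profile>\S+) (?P<url>\S+) (?P<message>.*?)"
    r"(?: <(?P<action>[^>]*)>)?\s*$"
)
LENGTH_RE = re.compile(r"post body length\((\d+)\) exceeds post body limit")


def parse_appfw_line(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one APPFW audit line, or None if it is not one."""
    m = APPFW_RE.search(line)
    if not m:
        return None
    rec: Dict[str, object] = dict(m.groupdict())
    if rec["msg_type"] == "APPFW_POSTBODYLIMIT":
        lm = LENGTH_RE.search(str(rec["message"]))
        rec["post_body_length"] = int(lm.group(1)) if lm else None
    return rec


def post_body_limit_hits(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Keep only APPFW_POSTBODYLIMIT records, for example for a detection rule
    that fires when one source repeatedly sends over-limit bodies."""
    return [r for r in (parse_appfw_line(ln) for ln in lines)
            if r and r["msg_type"] == "APPFW_POSTBODYLIMIT"]


def largest_body_per_profile(lines: Iterable[str]) -> Dict[str, int]:
    """Largest rejected body per profile; compare it with the profile's
    postBodyLimit to tell a legitimate upload path that needs a higher
    limit from traffic that is simply abusive."""
    worst: Dict[str, int] = {}
    for r in post_body_limit_hits(lines):
        n = r["post_body_length"]
        if isinstance(n, int):
            prof = str(r["profile"])
            worst[prof] = max(worst.get(prof, 0), n)
    return worst


if __name__ == "__main__":
    for hit in post_body_limit_hits(SAMPLE_LINES):
        print(hit["addr"], hit["profile"], hit["url"], hit["post_body_length"])
    print(largest_body_per_profile(SAMPLE_LINES))
```

The parser deliberately anchors on the fields the template fixes (the GMT timestamp, the "APPFW" marker and the message type) rather than on the syslog prefix, which varies with the forwarding setup, so the same regex works on lines pulled from ns.log and from a remote syslog collector.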

inspectQueryContentTypes Inspect request query and web forms for injected SQL and cross-site scripts for the following content types.

set appfw profile p1 -inspectQueryContentTypes HTML XML JSON OTHER

Possible values: HTML, XML, JSON, OTHER

By default, this parameter is set as “InspectQueryContentTypes: HTML JSON OTHER” for both basic and advanced appfw profiles.

The following examples set the profile type. The warning that each prints shows that inspectQueryContentTypes (and Infer Content-Type XML Payload Action) still apply whatever the profile type, while the other HTML, XML and JSON checks apply only to a profile of the matching type.

Example for profile type XML:

> set appfw profile p1 -type XML
Warning: HTML, JSON checks except "InspectQueryContentTypes" & "Infer Content-Type XML Payload Action" will not be applicable when profile type is not HTML or JSON respectively.
Done
<!--NeedCopy-->

Example for profile type HTML:

> set appfw profile p1 -type HTML
Warning: XML, JSON checks except "InspectQueryContentTypes" & "Infer Content-Type XML Payload Action" will not be applicable when profile type is not XML or JSON respectively.
Done
<!--NeedCopy-->

Example for profile type JSON:

> set appfw profile p1 -type JSON
Warning: HTML, XML checks except "InspectQueryContentTypes" & "Infer Content-Type XML Payload Action" will not be applicable when profile type is not HTML or XML respectively.
Done
<!--NeedCopy-->

errorURL expression. The URL that the NetScaler Web App Firewall uses as an error URL. Maximum Length: 2047.

Note:

If the error URL is itself the URL that triggers the blocking violation (for example, it matches the signature's URL), the appliance resets the connection instead of redirecting, because the redirect to the error URL would itself be blocked.

logEveryPolicyHit - Log every profile match, regardless of security checks results. Possible values: ON, OFF. Default value: OFF.

stripHtmlComments - Strip HTML comments before forwarding a webpage sent by a protected website in response to a user request. Possible values: none, all, exclude_script_tag. Default value: none.

stripXmlComments - Strip XML comments before forwarding a webpage sent by a protected website in response to a user request. Possible values: none, all. Default value: none.

postBodyLimitSignature - Maximum allowed HTTP post body size, in bytes, for signature inspection at the HTTP_POST_BODY location in the signatures. Changing the value can affect CPU usage and latency. Default value: 2048. Minimum value: 0. Maximum value: 4294967295. This is the CLI name of the Signature Post Body Limit setting listed above; because the two defaults shown on this page differ, check the effective value on your build with show appfw profile <name> before relying on it.

fileUploadMaxNum - Maximum allowed number of file uploads per form-submission request. The maximum setting (65535) allows an unlimited number of uploads. Default value: 65535 Minimum value: 0 Maximum value: 65535

fieldScan - Limit the number of bytes inspected in each field value of HTML (form) requests to the value of fieldScanLimit.

fieldScanLimit - The number of bytes that the Web App Firewall inspects for each field value in HTML requests. Content beyond the limit is not inspected.

Default value: 2 KB
Maximum value: 8 KB

JSONFieldScan - Limit the number of bytes inspected in each field value of JSON requests to the value of JSONFieldScanLimit.

JSONFieldScanLimit - The number of bytes that the Web App Firewall inspects for each field value in JSON requests.

Default value: 2 KB
Maximum value: 8 KB

messageScan - Limit the number of bytes inspected in each HTML request payload to the value of messageScanLimit.

messageScanLimit - The number of bytes that the Web App Firewall inspects in each HTML request payload.

Default value: 1 MB
Maximum value: 8 MB

JSONMessageScan - Limit the number of bytes inspected in each JSON request payload to the value of JSONMessageScanLimit.

JSONMessageScanLimit - The number of bytes that the Web App Firewall inspects in each JSON request payload.

Default value: 1 MB
Maximum value: 8 MB

messageScanLimitContentTypes - The content types to which the message scan limit applies:

-  Form-Data - Apply the limit to the payload of HTML requests.

-  Json - Apply the limit to the payload of JSON requests.

canonicalizeHTMLResponse - Perform HTML entity encoding for any special characters in responses sent by your protected websites. Possible values: ON, OFF Default value: ON

percentDecodeRecursively - Decode percent-encoded sequences recursively, so that a double-encoded value such as %2527 is decoded to %27 and then to an apostrophe before the security checks inspect it. Possible values: ON, OFF. Default value: ON.
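The following Python snippet, added here as an illustration and not taken from NetScaler, shows the difference the setting makes: a single decoding pass leaves a double-encoded quote as %27, where a special-character check does not see it, while recursive decoding reduces it to the quote itself. The pass limit and the toy special-character check are this example's assumptions.

```python
"""Added example: single-pass versus recursive percent decoding of a
double-encoded SQL injection payload. Not NetScaler code; see the lead-in."""

from urllib.parse import unquote

# Assumption: bound the number of passes so crafted input cannot keep the
# decoder looping; the appliance's own bound, if any, is not documented here.
MAX_PASSES = 8


def percent_decode(value: str, recursive: bool, max_passes: int = MAX_PASSES) -> str:
    """Decode %xx sequences once (recursive=False) or repeatedly until a pass
    changes nothing (recursive=True). urllib's unquote leaves malformed
    sequences such as %zz untouched, which matches secure_mode above."""
    decoded = unquote(value)
    if not recursive:
        return decoded
    for _ in range(max_passes - 1):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def sql_special_char_hit(value: str) -> bool:
    """Toy stand-in for the SQL special-character check: flags a quote or a
    comment or statement separator in the text that would be inspected."""
    return any(tok in value for tok in ("'", "--", "/*", ";"))


if __name__ == "__main__":
    # Constructed double-encoded payload: each '%' was itself encoded as %25.
    payload = "1%2527%2520OR%25201%253D1"
    for recursive in (False, True):
        seen = percent_decode(payload, recursive=recursive)
        print(f"recursive={recursive}: inspects {seen!r}, hit={sql_special_char_hit(seen)}")
```

With recursion off the check inspects "1%27%20OR%201%3D1" and sees nothing; with recursion on it inspects "1' OR 1=1" and flags it. Leave the setting ON unless the back end is known to decode only once, in which case a recursively decoded value would be inspected in a form the server never sees.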

multipleHeaderAction - One or more multiple header actions. Available settings function as follows:

  • Block. Block connections that have multiple headers.
  • Log. Log connections that have multiple headers.
  • KeepLast. Keep only the last header when multiple headers are present.

inspectContentTypes - One or more request content types whose bodies the Web App Firewall inspects:

  • application/x-www-form-urlencoded
  • multipart/form-data
  • text/x-gwt-rpc

Possible values: none, application/x-www-form-urlencoded, multipart/form-data, text/x-gwt-rpc

semicolonFieldSeparator - Allow ‘;’ as a form field separator in URL queries and POST form bodies. Possible values: ON, OFF Default value: OFF
