WAF counter measures

The Counter measures section of the WAF Profile provides a collection of custom counter measures that can quickly and easily be applied to your policy.

Each counter measure has a quick access bar that allows you to select from three options to determine how your policy must implement the selected counter measure.

  • None - The default setting for any new policy, which indicates the specified counter measure is not being implemented.
  • Log - If a violation is detected, the action (traffic) is allowed, but the incident is logged and saved for review.
  • Block and Log - If a violation is detected, the action (traffic) is denied, and the details of the incident are saved for review.

Advanced counter measures

The advanced counter measures require more knowledge of your traffic patterns and configuration methods.

  • Cookie Consistency - The Cookie Consistency counter measure is designed to examine cookies that are returned, and then verify that they match the cookies that your website has configured. An attacker would normally modify a cookie to gain access to sensitive private information by posing as a previously authenticated user, or to cause a buffer overflow.
  • Field Consistency - The Field Consistency counter measure is designed to prevent unauthorized changes to web forms and fields on a website. It can also be used to determine that the data a user provides adheres to any HTML restrictions set for length and type, and it protects any data that might be contained in hidden fields from being altered.
  • Field Format - The Field Format counter measure is designed to examine the length and type of data being provided in a form field to ensure it adheres to accepted formats. If invalid values are submitted, the counter measure blocks the request.
  • Content Type - The Content Type counter measure is designed to inspect the Content-Type header of a webserver. Common filtering rules apply to only one type of content (such as HTML), and are often ineffective when filtering different types of content. This counter measure allows you to customize the various Content Types to be filtered.
  • HTTP RFC Profile - The HTTP RFC Profile counter measure inspects incoming traffic for HTTP RFC compliance violations (commonly a “Parsing Error”).
  • Deny URL - The Deny URL counter measure inspects requests against a list of common URLs used by hackers and malicious code that rarely appear in legitimate requests.
  • POST Body Limit - The POST Body Limit counter measure checks the size of a POST request body. The default value is 4 GB.
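As an added example, not code from this page or from the WAF product it documents, the following Python sketch shows how the Field Consistency and Field Format checks above combine with the None / Log / Block and Log modes: the form schema (field names, type patterns, maxlengths and the hidden field's server-rendered value) and the submitted requests are constructed for illustration.

```python
import re

# Action modes from the counter measure quick access bar.
NONE, LOG, BLOCK_AND_LOG = "none", "log", "block_and_log"

# Constructed per-form schema describing what the site's HTML form declares:
# name -> (type pattern, maxlength, hidden value rendered by the server or None)
FORM_SCHEMA = {
    "username": (r"[A-Za-z0-9_]+", 32, None),
    "amount":   (r"\d{1,6}", 6, None),
    "acct_id":  (r"\d+", 10, "1001"),   # hidden field: must come back unchanged
}

def find_violations(schema, submitted):
    """Return the Field Consistency / Field Format violations for one submission."""
    violations = []
    for name in submitted:                      # fields the form never declared
        if name not in schema:
            violations.append(f"field-consistency: unexpected field '{name}'")
    for name, (pattern, maxlen, hidden_value) in schema.items():
        if name not in submitted:               # declared field removed by client
            violations.append(f"field-consistency: missing field '{name}'")
            continue
        value = submitted[name]
        if hidden_value is not None and value != hidden_value:
            violations.append(f"field-consistency: hidden field '{name}' altered")
        if len(value) > maxlen:                 # HTML maxlength restriction
            violations.append(f"field-format: '{name}' exceeds maxlength {maxlen}")
        elif not re.fullmatch(pattern, value):  # accepted type/format
            violations.append(f"field-format: '{name}' has invalid type/format")
    return violations

def apply_counter_measure(schema, submitted, mode, log):
    """Apply the selected mode; return True if the request is allowed through."""
    violations = find_violations(schema, submitted)
    if not violations or mode == NONE:          # None: check is not implemented
        return True
    log.extend(violations)                      # Log and Block and Log both record
    return mode == LOG                          # Log allows; Block and Log denies

if __name__ == "__main__":
    log = []
    tampered = {"username": "alice", "amount": "50", "acct_id": "1002", "extra": "x"}
    print(apply_counter_measure(FORM_SCHEMA, tampered, BLOCK_AND_LOG, log), log)
```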

XML counter measures

The XML counter measures require more knowledge of your XML traffic patterns and configuration methods.

  • XML SQL Injection - An XML SQL injection attack injects source code into a web application, often causing it to be interpreted and run as a valid SQL query, which can then perform a database operation with malicious intent. The XML SQL Injection counter measure reviews XML payloads for inappropriate or injected SQL content.
  • XML XSS - The XML cross-site scripting (XSS) counter measure is designed to prevent cross-site scripting. In essence, this counter measure prevents scripts from accessing or modifying content on a server in which they are not natively located.
  • XML Format - The XML Format counter measure checks the XML format of incoming requests and blocks those requests that are not well-formed, or that do not meet specific pre-configured criteria for what a well-formed XML request must be.
  • XML SOAP Fault - The XML SOAP Fault counter measure is designed to check the responses from your protected web services and filter out XML SOAP faults. This counter measure can prevent the leak of sensitive information.
  • Web Service Interoperability - The Web Service Interoperability counter measure is designed to examine requests and responses against the WS-I standard, and then block those requests and responses that do not adhere to the standard.