Web Application Firewall profile settings

Following are the general application firewall profile settings that you must configure on the appliance.

At the command prompt, type:

add appfw profile <name> [-invalidPercentHandling <invalidPercentHandling>] [-checkRequestHeaders ( ON | OFF )] [-URLDecodeRequestCookies ( ON | OFF )] [-optimizePartialReqs ( ON | OFF )]

Example:

add appfw profile profile1 -invalidPercentHandling secure_mode -checkRequestHeaders ON -URLDecodeRequestCookies OFF -optimizePartialReqs OFF

Where,

invalidPercentHandling. Configure the method that the application firewall uses to handle percent-encoded names and values.

Available settings function as follows:

asp_mode - Strips invalid percent-encoded sequences before parsing. Example: curl -v "http://<vip>/forms/login.html?field=sel%zzect" -> the invalid percent-encoded sequence (%zz) is stripped off, the remaining content is inspected, and the SQL injection check acts on the result.

secure_mode - Detects the invalid percent-encoded value and ignores it. Example: curl -v "http://<vip>/forms/login.html?field=sel%zzect" -> the invalid percent-encoded sequence (%zz) is detected, counters are incremented, and the content is passed as is to the server.

apache_mode - Works the same as secure_mode.

Possible values: apache_mode, asp_mode, secure_mode

Default value: secure_mode

optimizePartialReqs. Optimize the handling of HTTP partial requests that carry Range headers.

Available settings are as follows:

ON - Partial requests by the client result in partial requests to the back-end server.

OFF - Partial requests by the client are changed to full requests to the back-end server.

Possible values: ON, OFF

Default value: ON

URLDecodeRequestCookies. URL Decode request cookies before subjecting them to SQL and cross-site scripting checks.

Possible values: ON, OFF

Default value: OFF
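The following is an added illustration, not code from the original page or from the appliance vendor, that models what the invalidPercentHandling modes described above and the URLDecodeRequestCookies setting mean for an inspection engine. The decoder, the tiny SQL injection pattern list and the sample values (sel%zzect from the page's own example, and a constructed cookie value) are simplifications for teaching; the real product's parser and signature set are not reproduced here.

```python
import re

# Deliberately small pattern list standing in for the SQL injection check.
# Real signature sets are far larger; this is only enough to show the effect
# of decoding before inspection.
SQL_PATTERN = re.compile(r"\b(select|union|insert|drop)\b|'\s*or\s+1\s*=\s*1", re.I)

VALID_MODES = ("asp_mode", "secure_mode", "apache_mode")


def decode_percent(value: str, mode: str):
    """Percent-decode `value` the way the page describes each mode.

    Returns (decoded_value, invalid_sequence_count).
      asp_mode    - an invalid %XX sequence is stripped and the rest is decoded
      secure_mode - an invalid %XX sequence is counted and left in place
      apache_mode - behaves like secure_mode
    """
    if mode not in VALID_MODES:
        raise ValueError(f"unknown invalidPercentHandling mode: {mode}")
    out = []
    invalid = 0
    i = 0
    while i < len(value):
        ch = value[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        hexpart = value[i + 1:i + 3]
        if len(hexpart) == 2 and all(c in "0123456789abcdefABCDEF" for c in hexpart):
            out.append(chr(int(hexpart, 16)))
        else:
            invalid += 1  # counter incremented in every mode
            if mode != "asp_mode":
                out.append(value[i:i + 3])  # passed through as is
            # asp_mode: the invalid sequence is dropped
        i += 3
    return "".join(out), invalid


def inspect_query(value: str, mode: str) -> dict:
    """Decode a query value under `mode`, then run the SQL injection check on the result."""
    decoded, invalid = decode_percent(value, mode)
    return {
        "decoded": decoded,
        "invalid_percent": invalid,
        "sqli_flagged": bool(SQL_PATTERN.search(decoded)),
    }


def inspect_cookie(raw_value: str, url_decode_request_cookies: bool) -> bool:
    """Model URLDecodeRequestCookies: decode the cookie only when the setting is ON."""
    value = decode_percent(raw_value, "secure_mode")[0] if url_decode_request_cookies else raw_value
    return bool(SQL_PATTERN.search(value))


if __name__ == "__main__":
    # Page's own example value for invalidPercentHandling
    for mode in VALID_MODES:
        print(mode, inspect_query("sel%zzect", mode))
    # Constructed cookie value: %27%20OR%201%3D1 decodes to ' OR 1=1
    for setting in (True, False):
        print("URLDecodeRequestCookies", "ON" if setting else "OFF",
              inspect_cookie("%27%20OR%201%3D1", setting))
```

Running it shows the trade-off the page describes: in asp_mode the stripped value becomes "select" and the SQL injection check fires, while in secure_mode and apache_mode the invalid sequence is only counted and the string reaches the check unchanged, so the keyword is not matched. Likewise, the cookie check only sees the quote and the OR clause when URLDecodeRequestCookies is ON.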

Signature Post Body Limit (Bytes). Limits the request payload (in bytes) inspected for signatures with location specified as 'HTTP_POST_BODY'.

Default value: 8096

Minimum value: 0

Maximum value: 4294967295
