firewall advanced protections (security checks) are a set of filters designed to catch
complex or unknown attacks on your protected web sites and web services. The
security checks use heuristics, positive security, and other techniques to
detect attacks that may not be detected by signatures alone. You configure the
security checks by creating and configuring an application firewall
which is a collection of user-defined settings that tell the application
firewall which security checks to use and how to handle a request or response
that fails a security check. A profile is associated with a
object and with a
to create a security configuration.
firewall provides twenty security checks, which differ widely in the types of
attacks that they target and how complex they are to configure. The security
checks are organized into the following categories:
The security checks
protect against a wide range of types of attack, including attacks on operation
system and web server software vulnerabilities, SQL database vulnerabilities,
errors in the design and coding of web sites and web services, and failures to
secure sites that host or can access sensitive information.
All security checks
have a set of configuration options, the check actions, which control how the
application firewall handles a connection that matches a check. Three check
actions are available for all security checks. They are:
A fourth check
available for more than half of the check actions. It observes traffic to a
protected Web site or web service and uses connections that repeatedly violate
the security check to generate recommended exceptions (relaxations) to the
check, or new rules for the check. In addition to the check actions, certain
security checks have parameters that control the rules that the check uses to
determine which connections violate that check, or that configure the
application firewall's response to connections that violate the check. These
parameters are different for each check, and they are described in the
documentation for each check.
To configure security checks, you can use the application firewall wizard, as described in "The Application Firewall Wizard," or you can configure the security checks manually, as described in "Manual Configuration By Using the Configuration Utility." Some tasks, such as manually entering relaxations or rules or reviewing learned data, can be done only by using the configuration utility, not the command line. Using the wizard is usually best configuration method, but in some cases manual configuration might be easier if you are thoroughly familiar with it and simply want to adjust the configuration for a single security check.
Regardless of which
method you use to configure the security checks, each security check requires
that certain tasks be performed. Many checks require that you specify
exceptions (relaxations) to prevent blocking of legitimate traffic
before you enable blocking for that security check. You can do this manually,
by observing the log entries after a certain amount of traffic has been
filtered and then creating the necessary exceptions. However, it is usually
much easier to enable the learning feature and let it observe the traffic and
recommend the necessary exceptions.
Application Firewall uses packet engines (PE) during processing the transactions. Each packet engine has a limit of 100K sessions which is sufficient for most deployment scenarios. However, when Application Firewall is processing heavy traffic and the session timeout is configured at a higher value, the sessions might get accumulated. If the number of alive Application Firewall sessions exceed the 100K per PE limit, the Application Firewall security check violations might not be sent to the Security Insight appliance. Lowering the session timeout to a smaller value, or using sessionless mode for the security checks with sessionless URL closure or sessionless field consistency might help in preventing the sessions getting accumulated. If this is not a viable option in scenarios where transactions might require longer sessions, upgrading to a higher-end platform with more packet engine is recommended.