Configuring App Firewall profiles

To configure a user-defined App Firewall profile, first configure the security checks, which are called deep protections or advanced protections in the App Firewall wizard. Certain checks require configuration if you are to use them at all. Others have default configurations that are safe but limited in scope; your web sites might need or benefit from a different configuration that takes advantage of additional features of certain security checks.

After you have configured the security checks, you can also configure a number of other settings that control the behavior, not of a single security check, but the App Firewall feature. The default configuration is sufficient to protect most web sites, but you should review them to make sure that they are right for your protected web sites.

For more information about the App Firewall security checks, see “Advanced Protections.”

To configure an App Firewall profile by using the command line

At the command prompt, type the following commands:

  • set appfw profile <name> <arg1> [<arg2> ...]

    where:

    • <arg1> = a parameter and any associated options.
    • <arg2> = a second parameter and any associated options.
    • … = additional parameters and options.

    For descriptions of the parameters to use when configuring specific security checks, see “Advanced Protections.”

  • save ns config

Example

The following example shows how to enable blocking for the HTML SQL Injection and HTML Cross-Site Scripting checks in a profile named pr-basic. This command enables blocking for those actions while making no other changes to the profile.

set appfw profile pr-basic -crossSiteScriptingAction block -SQLInjectionAction block

To configure an App Firewall profile by using the GUI

  1. Navigate to Security > Application Firewall > Profiles.
  2. In the details pane, select the profile that you want to configure, and then click Edit.
  3. In the Configure App Firewall Profile dialog box, on the Security Checks tab, configure the security checks.
    • To enable or disable an action for a check, in the list, select or clear the check box for that action.

    • To configure other parameters for those checks that have them, in the list, click the blue chevron to the far right of that check. In the dialog box that appears, configure the parameters. These vary from check to check.

      You can also select a check and, at the bottom of the dialog box, click Open to display the Configure Relaxation dialog box or Configure Rule dialog box for that check. These dialog boxes also vary from check to check. Most of them include a Checks tab and a General tab. If the check supports relaxations or user-defined rules, the Checks tab includes an Add button, which opens yet another dialog box, in which you can specify a relaxation or rule for the check. (A relaxation is a rule for exempting specified traffic from the check.) If relaxations have already been configured, you can select one and click Open to modify it.

    • To review learned exceptions or rules for a check, select the check, and then click Learned Violations. In the Manage Learned Rules dialog box, select each learned exception or rule in turn.

      • To edit the exception or rule, and then add it to the list, click Edit & Deploy.
      • To accept the exception or rule without modification, click Deploy.
      • To remove the exception or rule from the list, click Skip.
    • To refresh the list of exceptions or rules to be reviewed, click Refresh.

    • open the Learning Visualizer and use it to review learned rules, click Visualizer.

    • review the log entries for connections that matched a check, select the check, and then click Logs. You can use this information to determine which checks are matching attacks, so that you can enable blocking for those checks. You can also use this information to determine which checks are matching legitimate traffic, so that you can configure an appropriate exemption to allow those legitimate connections. For more information about the logs, see “Logs, Statistics, and Reports.”

    • To completely disable a check, in the list, clear all of the check boxes to the right of that check.

  4. On the Settings tab, configure the profile settings.
    • To associate the profile with the set of signatures that you previously created and configured, under Common Settings, choose that set of signatures in the Signatures drop-down list.

      Note: You may need to use the scroll bar on the right of the dialog box to scroll down to display the Common Settings section.

    • To configure an HTML or XML Error Object, select the object from the appropriate drop-down list.

      Note: You must first upload the error object that you want to use in the Imports pane. For more information about importing error objects, see Imports

    • To configure the default XML Content Type, type the content type string directly into the Default Request and Default Response text boxes, or click Manage Allowed Content Types to manage the list of allowed content types. “»More….”
  5. If you want to use the learning feature, click Learning, and configure the learning settings for the profile, as described in “Configuring and Using the Learning Feature”.
  6. Click OK to save your changes and return to the Profiles pane.