H3C Firewall Products Comware 7 Web Configuration Guide-6W402
04-Objects
18-WAF

WAF


This help contains the following topics:

·     Introduction

¡     WAF profiles

¡     WAF actions

¡     WAF mechanism

·     Restrictions and guidelines

·     Configure WAF

¡     Configure a WAF profile

Introduction

The web application firewall (WAF) feature enables devices to monitor HTTP and HTTPS traffic to and from web applications for malicious activity and to proactively take prevention actions.

WAF profiles

WAF is implemented based on WAF profiles. A WAF profile contains a set of WAF signatures to match packets and the actions for the matching packets.

WAF signatures

The device compares packets with WAF signatures to detect, classify, and prevent network attacks.

Each WAF signature contains multiple attributes, including attack category, action, protected target, severity level, and direction. You can set criteria to filter WAF signatures that a WAF profile uses based on the signature attributes.

Signature exceptions

WAF signatures have default signature actions and enabling status.

To change the enabling status or action for a WAF signature in a WAF profile, set the WAF signature as a signature exception in the WAF profile. The action specified for the signature exception takes precedence over the global signature action.

WAF actions

When the device detects a packet matching a WAF signature, it takes the global action for the signature on the packet.

The device supports the following WAF actions:

·     Blacklist—Drops matching packets and adds the sources of the packets to the IP blacklist. If the IP blacklist feature is enabled, packets from the blacklisted sources will be blocked for the blacklist period. If the IP blacklist feature is not enabled, packets from the blacklisted sources are not blocked.

For more information about the IP blacklist feature, see attack defense online help.

To configure the blacklist period for the blacklist action, go to Objects > APPSecurity > Security Actions > Block.

·     Drop—Drops matching packets.

·     Permit—Permits matching packets to pass.

·     Reset—Closes the TCP or UDP connections for matching packets by sending TCP reset messages or ICMP port unreachable messages.

·     Redirect—Redirects matching packets to a webpage.

·     Default—Uses the default signature action.

·     Capture—Captures matching packets.

·     Logging—Logs matching packets.

WAF mechanism

As shown in Figure 1, upon receiving a packet, the device performs the following operations:

1.     The device compares the packet with the IP blacklist rules.

¡     If a matching rule is found, the device drops the packet.

¡     If no matching rule is found, the device goes to step 2.

2.     The device compares the packet with the security policies.

If the packet matches a security policy that is associated with a WAF profile, the device identifies the packet application layer protocol and extracts the packet signatures.

3.     The device determines the actions for the packet by comparing the extracted packet signatures with the WAF signatures in the WAF profile:

¡     If the packet does not match any WAF signatures, the device permits the packet to pass.

¡     If the packet matches only one WAF signature, the device takes the signature actions.

¡     If the packet matches multiple WAF signatures, the device uses the following rules to select the actions:

-     If the matching WAF signatures carry two or more of the actions redirect, drop, permit, and reset, the device takes the action with the highest priority. In descending order of priority, the actions are reset, redirect, drop, and permit.

-     The device also executes the blacklist, capture, and logging actions whenever any of the matching WAF signatures carries them.

Figure 1 WAF mechanism


Restrictions and guidelines

·     The WAF module requires a license to run on the device. If the license expires, you can still use the WAF functions but you can no longer upgrade the WAF signature library on the device. For more information about licenses, see license online help.

·     Changes to WAF profiles and WAF signatures must be activated to take effect. By default, the system automatically activates the changes 40 seconds after the changes are made. You can also click Submit to activate the changes immediately.

Configure WAF

Configure WAF as shown in Figure 2.

Figure 2 WAF configuration procedure


Configure a WAF profile

The device provides a predefined WAF profile named default. The default WAF profile uses all enabled WAF signatures on the device and cannot be modified or deleted.

You can also create WAF profiles on the device as needed.

You can configure global action for a WAF profile or change the action for individual WAF signatures in the profile.

The system selects the actions for packets matching a WAF signature in the following order:

1.     Actions configured for the WAF signature as a signature exception in the WAF profile.

2.     Global action configured for the WAF profile.

3.     Default action of the WAF signature.
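The following is an added example, not H3C code, that models the two selection rules this help describes: the per-signature order above (exception, then global action, then signature default) and the multi-match rule from the WAF mechanism section (highest-priority verdict wins; blacklist, capture, and logging always run). The signature IDs, attributes, and profile are constructed; the dictionary layout is an assumption, not the device's data model.

```python
# Added example (not H3C code): a model of the WAF action-selection rules
# described on this page. Signature IDs, attributes and the profile are
# constructed; the dictionary layout is an assumption.

VERDICT_PRIORITY = ("reset", "redirect", "drop", "permit")  # highest first
ADDITIVE = {"blacklist", "capture", "logging"}              # always executed

def expand(action):
    """Action name -> set of effects. Per the page, Blacklist drops the packet
    and blacklists its source, so it yields a drop verdict plus blacklist."""
    return {"drop", "blacklist"} if action == "blacklist" else {action}

def signature_actions(sig, profile):
    """Effects of one matched signature: exception > global action > default.
    Returns None when the signature is disabled in this profile."""
    exc = profile.get("exceptions", {}).get(sig["id"])
    enabled = exc.get("enabled", True) if exc else sig.get("enabled", True)
    if not enabled:
        return None
    if exc and exc.get("action", "default") != "default":
        effects = expand(exc["action"])
    elif profile.get("global_action", "default") != "default":
        effects = expand(profile["global_action"])
    else:
        effects = expand(sig["default_action"])
    src = exc if exc else profile   # capture/logging follow the exception if set
    effects |= {x for x in ("capture", "logging") if src.get(x, False)}
    return effects

def resolve(matched, profile):
    """Combine all matched signatures: highest-priority verdict wins; blacklist,
    capture and logging run whenever any matched signature carries them."""
    effects = set()
    for sig in matched:
        effects |= signature_actions(sig, profile) or set()
    if not effects:
        return ("permit", set())    # no enabled signature matched
    verdict = next(v for v in VERDICT_PRIORITY if v in effects)
    return (verdict, effects & ADDITIVE)

# Constructed sample data: three signatures and one profile with exceptions.
SIGNATURES = {
    1001: {"id": 1001, "default_action": "drop"},
    1002: {"id": 1002, "default_action": "permit"},
    1003: {"id": 1003, "default_action": "blacklist", "enabled": False},
}
PROFILE = {
    "global_action": "default", "logging": True, "capture": False,
    "exceptions": {
        1002: {"action": "reset", "enabled": True, "logging": False},
        1003: {"action": "default", "enabled": True, "capture": True},
    },
}

if __name__ == "__main__":
    print(resolve(list(SIGNATURES.values()), PROFILE))
```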

Procedure

1.     Click the Objects tab.

2.     In the navigation pane, select APPSecurity > WAF > Profiles.

The WAF Profiles page opens.

3.     Click Create.

The Create WAF Profile page opens.

4.     Create a WAF profile.

Table 1 WAF profile configuration items

Item

Description

Signature filtering criteria

In the Signature filtering criteria area, set the criteria to filter the WAF signatures used in the WAF profile based on signature attributes, including the protected target, attack category, direction, default signature action, and severity level.

By default, no signature filtering criteria are set and a WAF profile uses all enabled WAF signatures on the device.

A WAF profile uses a WAF signature only if the signature matches all the configured criteria.

For each attribute-based criterion, you can specify multiple attribute values. A WAF signature matches the criterion if it matches any of the specified attribute values.

To view the signatures selected by the criteria, click View matching signatures.

Protected target

Select the protected targets for the protected target criterion.

Attack category

Select the attack categories for the attack category criterion.

Direction

Select the traffic directions for the direction criterion. Options are:

·     To-server—Client to server direction.

·     To-client—Server to client direction.

Default action

Select the actions for the default signature action criterion.

Options are Drop, Permit, Reset, and Blacklist.

Severity level

Select the severity levels for the severity level criterion.

Options are Critical, High, Medium, and Low.

Global profile action

Apply the selected action to all traffic matching the signatures used by the profile. To apply the default signature-specific action to matching traffic, select Default.

Action

Select the global action for the WAF profile.

Options are Default, Blacklist, Drop, Permit, Reset, and Redirect.

The global action applies to all packets matching the signatures in the WAF profile.

By default, the Default option is used. For packets matching a signature in the profile, the default signature action will be applied.

Logging

Select whether to enable logging for matching packets. Options are Enable and Disable.

Capture

Select whether to enable packet capture for matching packets. Options are Enable and Disable.

The capture action enables the device to capture packets and export the captured packets to the specified URL at the scheduled export time. For more information about configuring the capture action, see security actions online help.

Add signature exceptions

To set WAF signatures as signature exceptions in a WAF profile, use either of the following methods:

·     In the Signature exceptions area of the Create WAF Profile page, enter the ID of the WAF signature and click Add.

·     On the Create WAF Profile page, click View matching signatures. On the View Signatures page that opens, select the signatures you want to set as signature exceptions, and then click Add to signature exception list. The Edit Exception Rule window opens. Configure the following settings as needed, and then click OK.

¡     Select the action for the signatures.

¡     Enable or disable the signatures.

¡     Select whether to enable packet capture and logging for packets matching the signatures.

Edit Exception Rule

On the signature exception list, click the Edit icon for a signature exception. On the Edit Signature Exception window that opens, configure the following settings, and then click OK.

·     Select the action for the signature.

·     Enable or disable the signature.

·     Select whether to enable packet capture and logging for packets matching the signature.


5.     Click OK.

The WAF profile is displayed on the WAF Profiles page.

6.     Use the WAF profile in a security policy. For more information about security policies, see security policy online help.

7.     To have the WAF profile configuration take effect immediately, click Submit.

A newly added WAF profile must be activated to take effect. By default, the system automatically activates a WAF profile 40 seconds after the profile is created.
