diff --git a/content/includes/nap-waf/policy.html b/content/includes/nap-waf/policy.html
index 016b5004b..9c9bc348f 100644
--- a/content/includes/nap-waf/policy.html
+++ b/content/includes/nap-waf/policy.html
@@ -93,27 +93,34 @@
policy
|
+brute-force-attack-preventions |
+Yes |
+array of objects |
+Defines configuration for Brute Force Protection feature. There is default configuration (one with bruteForceProtectionForAllLoginPages flag and without url) that applies to all configured login URLs unless there exists another brute force configuration for a specific login page. |
+ |
+
+
caseInsensitive |
No |
boolean |
Specifies whether the security policy treats microservice URLs, file types, URLs, and parameters as case sensitive or not. When this setting is enabled, the system stores these security policy elements in lowercase in the security policy configuration. |
|
-
+
character-sets |
Yes |
array of objects |
|
|
-
+
cookie-settings |
Yes |
object |
The maximum length of a cookie header name and value that the system processes. The system calculates and enforces a cookie header length based on the sum of the length of the cookie header name and value. |
|
-
+
cookies |
Yes |
array of objects |
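Review bot: the `brute-force-attack-preventions` description drops articles and reads awkwardly: `There is default configuration (one with bruteForceProtectionForAllLoginPages flag and without url)`. Suggest `There is a default configuration (the one with the bruteForceProtectionForAllLoginPages flag and no url) that applies to all configured login URLs unless a brute force configuration exists for a specific login page.` The same sentence appears in the schema `description` for this section later in the patch, so both copies should be fixed together.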
@@ -126,42 +133,42 @@ policy
|
-
+
csrf-protection |
Yes |
object |
|
|
-
+
csrf-urls |
Yes |
array of objects |
|
|
-
+
data-guard |
Yes |
object |
Data Guard feature can prevent responses from exposing sensitive information by masking the data. |
|
-
+
description |
No |
string |
Specifies the description of the policy. |
|
-
+
disallowed-geolocations |
Yes |
array of objects |
Specifies a list of countries that may not access the web application. |
|
-
+
enforcementMode |
No |
string |
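Review bot: every change in this hunk is a `-`/`+` pair of lines that differ only in trailing whitespace (the blank line before each of the `csrf-protection`, `csrf-urls`, `data-guard`, `description`, `disallowed-geolocations` and `enforcementMode` rows). These whitespace-only rewrites recur throughout the file and bury the real additions; strip trailing whitespace in a separate commit, or at least review this patch with `git diff -w` so the content changes stand out.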
@@ -178,14 +185,14 @@ policy
transparent
-
+
enforcer-settings |
Yes |
object |
This section contains all enforcer settings. |
|
-
+
filetypes |
Yes |
array of objects |
@@ -199,62 +206,69 @@ policy
|
-
+
fullPath |
No |
string |
The full name of the policy including partition. |
|
-
+
general |
Yes |
object |
This section includes several advanced policy configuration settings. |
|
-
+
graphql-profiles |
Yes |
array of objects |
|
|
-
+
grpc-profiles |
Yes |
array of objects |
|
|
-
+
header-settings |
Yes |
object |
The maximum length of an HTTP header name and value that the system processes. The system calculates and enforces the HTTP header length based on the sum of the length of the HTTP header name and value. |
|
-
+
headers |
Yes |
array of objects |
This section defines Header entities for your policy. |
|
-
+
host-names |
Yes |
array of objects |
|
|
-
+
idl-files |
Yes |
array of objects |
|
|
+
+ip-address-lists |
+Yes |
+array of objects |
+An IP address list is a list of IP addresses that you want the system to treat in a specific way for a security policy. |
+ |
+
json-profiles |
Yes |
@@ -270,131 +284,131 @@ policy
|
+login-pages |
+Yes |
+array of objects |
+A login page is a URL in a web application that requests must pass through to get to the authenticated URLs. Use login pages, for example, to prevent forceful browsing of restricted parts of the web application, by defining access permissions for users. Login pages also allow session tracking of user sessions. |
+ |
+
+
methods |
Yes |
array of objects |
|
|
-
+
name |
No |
string |
The unique user-given name of the policy. Policy names cannot contain spaces or special characters. Allowed characters are a-z, A-Z, 0-9, dot, dash (-), colon (:) and underscore (_). |
|
-
+
open-api-files |
Yes |
array of objects |
|
|
-
+
override-rules |
Yes |
array of objects |
This section defines policy override rules. |
|
-
+
parameters |
Yes |
array of objects |
This section defines parameters that the security policy permits in requests. |
|
-
+
performStaging |
No |
boolean |
Determines staging handling for all applicable entities in the policy, such as signatures, URLs, parameters, and cookies. If disabled, all entities will be enforced and any violations triggered will be considered illegal. |
|
-
+
response-pages |
Yes |
array of objects |
The Security Policy has a default blocking response page that it returns to the client when the client request, or the web server response, is blocked by the security policy. You can change the way the system responds to blocked requests. All default response pages contain a variable, <%TS.request.ID()%>, that the system replaces with a support ID number when it issues the page. |
|
-
+
sensitive-parameters |
Yes |
array of objects |
This section defines sensitive parameters. The contents of these parameters are not visible in logs nor in the user interfaces. Instead of actual values a string of asterisks is shown for these parameters. Use these parameters to protect sensitive user input, such as a password or a credit card number, in a validated request. A parameter name of "password" is always defined as sensitive by default. |
|
-
+
server-technologies |
Yes |
array of objects |
The server technology is a server-side application, framework, web server or operating system type that is configured in the policy in order to adapt the policy to the checks needed for the respective technology. |
|
-
+
signature-requirements |
Yes |
array of objects |
|
|
-
+
signature-sets |
Yes |
array of objects |
Defines behavior when signatures found within a signature-set are detected in a request. Settings are culmulative, so if a signature is found in any set with block enabled, that signature will have block enabled. |
|
-
+
signature-settings |
Yes |
object |
|
|
-
+
signatures |
Yes |
array of objects |
This section defines the properties of a signature on the policy. |
|
-
+
template |
Yes |
object |
Specifies the template to populate the default attributes of a new policy. |
|
-
+
threat-campaigns |
Yes |
array of objects |
This section defines the enforcement state for the threat campaigns in the security policy. |
|
-
+
urls |
Yes |
array of objects |
In a security policy, you can manually specify the HTTP URLs that are allowed (or disallowed) in traffic to the web application being protected. When you create a security policy, wildcard URLs of * (representing all HTTP URLs) are added to the Allowed HTTP URLs lists. |
|
-
+
wafEngineVersion |
No |
string |
|
|
-
-whitelist-ips |
-Yes |
-array of objects |
-An IP address exception is an IP address that you want the system to treat in a specific way for a security policy. You can use the IP address exception feature to create exceptions for IP addresses of internal tools that your company uses, such as penetration tools, manual or automatic scanners, or web scraping tools. You can add an IP address exception and instruct the system how to handle traffic coming from that address. |
- |
-
xml-profiles |
Yes |
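Review bot: the `whitelist-ips` row is removed outright (`-whitelist-ips`, `-An IP address exception is an IP address that you want the system to treat in a specific way`) while `ip-address-lists`, added in the previous hunk with near-identical field text, appears to be its replacement; readers maintaining older policies get no pointer from one to the other. Add a sentence to the `ip-address-lists` row, or a short deprecation note here, saying that `whitelist-ips` has been superseded, and carry over the use-case guidance from the removed text (exceptions for internal scanners and tools), which the new description lacks. The `culmulative` typo in the unchanged `signature-sets` context line could be fixed in passing.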
@@ -567,14 +581,400 @@ keyFiles
|
-fileName |
-string |
+fileName |
+string |
+ |
+ |
+
+
+
+location
+
+
+
+
+
+
+
+
+
+
+
+
+in |
+string |
+ |
+ |
+
+
+name |
+string |
+ |
+ |
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+claimPropertyName |
+string |
+ |
+ |
+
+
+enabled |
+boolean |
+ |
+ |
+
+
+isMandatory |
+boolean |
+ |
+ |
+
+
+
+blocking-settings
+
+
+
+
+
+
+
+
+
+
+
+
+
+evasions |
+Yes |
+array of objects |
+This section defines behavior of 'Evasion technique detected' (VIOL_EVASION) violation sub-violations. User can control which sub-violations are enabled (alarmed/blocked). Behavior of sub-violations depends on the block/alarm settings of 'Evasion technique detected' violation, defined in /policy/blocking-settings/violations section: - If both alarm and block are disabled - enable flag becomes irrelevant, since there will be no block/alarm for all sub-violations |
+ |
+
+
+http-protocols |
+Yes |
+array of objects |
+This section defines behavior of 'HTTP protocol compliance failed' (VIOL_HTTP_PROTOCOL) violation sub-violations. User can control which sub-violations are enabled (alarmed/blocked). Behavior of sub-violations depends on the block/alarm settings of 'HTTP protocol compliance failed' violation, - If both alarm and block are disabled - enable flag becomes irrelevant, since there will be no block/alarm for all sub-violations |
+ |
+
+
+violations |
+Yes |
+array of objects |
+ |
+ |
+
+
+
+bot-defense
+
+
+
+
+
+
+
+
+
+
+
+
+
+mitigations |
+Yes |
+object |
+This section defines the mitigation to each class or signature. |
+ |
+
+
+settings |
+Yes |
+object |
+This section contains all bot defense settings. |
+ |
+
+
+
+browser-definitions
+
+
+
+
+
+
+
+
+
+
+
+
+isUserDefined |
+boolean |
+ |
+ |
+
+
+matchRegex |
+string |
+ |
+ |
+
+
+matchString |
+string |
+ |
+ |
+
+
+name |
+string |
+ |
+ |
+
+
+
+brute-force-attack-preventions
+
+
+
+
+
+
+
+
+
+
+
+
+bruteForceProtectionForAllLoginPages |
+boolean |
+When enabled, enables Brute Force Protection for all configured login URLs. When disabled, only brute force configurations for specific login pages are applied in case they exist. |
+ |
+
+
+captchaBypassCriteria |
+object |
+Specifies configuration for CAPTCHA Bypass Mitigation. |
+ |
+
+
+clientSideIntegrityBypassCriteria |
+object |
+Specifies configuration for Client Side Integrity Bypass Mitigation. |
+ |
+
+
+detectionCriteria |
+object |
+Specifies configuration for detecting distributed brute force attacks. |
+ |
+
+
+leakedCredentialsCriteria |
+object |
+Specifies configuration for Leaked Credentials Detection. |
+ |
+
+
+loginAttemptsFromTheSameDeviceId |
+object |
+Specifies configuration for detecting brute force attacks for Device ID. |
+ |
+
+
+loginAttemptsFromTheSameIp |
+object |
+Specifies configuration for detecting brute force attacks from IP Address. |
+ |
+
+
+loginAttemptsFromTheSameUser |
+object |
+Specifies configuration for detecting brute force attacks for Username. |
+ |
+
+
+measurementPeriod |
+integer minimum: 60 maximum: 90000 |
+Defines detection period (measured in seconds) for distributed brute force attacks. |
+ |
+
+
+preventionDuration |
+
+- integer minimum: 60 maximum: 90000
+- string
+ |
+Defines prevention period (measured in seconds) for distributed brute force attacks. |
+
+- Integer values
+- "unlimited"
+ |
+
+
+reEnableLoginAfter |
+integer minimum: 60 maximum: 90000 |
+Defines prevention period (measured in seconds) for source-based brute force attacks. |
+ |
+
+
+sourceBasedProtectionDetectionPeriod |
+integer minimum: 60 maximum: 90000 |
+Defines detection period (measured in seconds) for source-based brute force attacks. |
+ |
+
+
+url |
+object |
+Reference to the URL used in login URL configuration (policy/login-pages). This login URL is protected by Brute Force Protection feature. |
+ |
+
+
+
+captchaBypassCriteria
+
+
+
+
+
+
+
+
+
+
+
+
+action
|
+string |
+Specifies action that is applied when defined threshold is reached.
+
+
+- alarm-and-blocking-page: The system will log the login attempt, block the request and send the Blocking page.
+- alarm-and-drop: The system will log the login attempt and reset the TCP connection.
+- alarm-and-honeypot-page: The system will log the login attempt, block the request and send the Honeypot page. The Honeypot page is used for attacker deception. The page should look like an application failed login page. Unlike with the Blocking page, when the Honeypot page is sent an attacker is not able to distinguish a failed login response from a mitigation. As a result, the attacker will not change identity (Source IP or Device ID) and the brute force attack will be rendered ineffective. The Honeypot page is recommended when mitigation is request blocking.
+
+ |
+
+- alarm-and-blocking-page
+- alarm-and-drop
+- alarm-and-honeypot-page
+ |
+
+
+enabled |
+boolean |
+When enabled, the system counts successful CAPTCHA challenges with failed logins from IP Address / Device ID. |
+ |
+
+
+threshold |
+integer minimum: 1 maximum: 100 |
+After configured threshold (number of successful CAPTCHA challenges with failed logins from IP Address / Device ID) defined action will be applied for the next login attempt |
+ |
+
+
+
+clientSideIntegrityBypassCriteria
+
+
+
+
+
+
+
+
+
+
+
+
+action
|
+string |
+Specifies action that is applied when defined threshold is reached.
+
+
+- alarm-and-captcha: The system determines whether the client is a legal browser operated by a human user by sending a CAPTCHA challenge. A login attempt is logged if the client successfully passes the CAPTCHA challenge.
+
+ |
+ |
+
+
+enabled |
+boolean |
+When enabled, the system counts successful challenges with failed logins from IP Address / Device ID / Username. Legitimate users who have disabled JavaScripting on their browsers for security reasons will fail a client side integrity challenge. |
|
+
+
+threshold |
+integer minimum: 1 maximum: 100 |
+After configured threshold (number of successful challenges with failed logins from IP Address / Device ID / Username) defined action will be applied for the next login attempt |
|
-location
+detectionCriteria
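Review bot: the re-added `http-protocols` description is missing the clause that the `evasions` row has, leaving a dangling comma: `violation, - If both alarm and block are disabled` versus `violation, defined in /policy/blocking-settings/violations section: - If both alarm and block are disabled`. Since both rows are moved rather than new, either carry the `defined in` clause over or fix the punctuation. Two smaller points in the same hunk: the `threshold` descriptions under `captchaBypassCriteria` and `clientSideIntegrityBypassCriteria` lack the closing period that the equivalent `threshold` rows later in the patch have, and `JavaScripting` in the `clientSideIntegrityBypassCriteria.enabled` text should be `JavaScript`. Finally, most of this hunk re-adds rows (`keyFiles` fields, `blocking-settings`, `bot-defense`, `browser-definitions`) that later hunks then delete, because git aligned the inserted sections against the old ones; regenerating the diff with `--diff-algorithm=patience`, or landing the insertion as its own commit, would make the actual additions reviewable.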
@@ -592,23 +992,51 @@ location
-in |
-string |
- |
+action
|
+string |
+Specifies action that is applied when one of the defined thresholds (credentialsStuffingMatchesReached, failedLoginAttemptsRateReached) is reached.
+
+
+- alarm: The system will log the login attempt.
+- alarm-and-captcha: The system determines whether the client is a legal browser operated by a human user by sending a CAPTCHA challenge. A login attempt is logged if the client successfully passes the CAPTCHA challenge.
+- alarm-and-client-side-integrity: The system determines whether the client is a legal browser or a bot by sending a page containing JavaScript code and waiting for a response. Legal browsers are able to execute JavaScript and produce a valid response, whereas bots cannot. A login attempt is logged if the client successfully passes the Client Side Integrity challenge.
+- alarm-and-client-side-integrity-captcha: The system sends a Client Side Integrity challenge upon the first failed login attempt from a source and a CAPTCHA challenge upon second and all subsequent failed login attempts. A login attempt is logged if client successfully passes the challenge. This enforcement action should be chosen if CAPTCHA is considered intrusive. Benign users who mistype their password will likely get only the Client Side Integrity challenge, while an attacker will eventually get the CAPTCHA challenge.
+
+ |
-- header
-- query
+- alarm
+- alarm-and-captcha
+- alarm-and-client-side-integrity
+- alarm-and-client-side-integrity-captcha
|
-name |
-string |
+credentialsStuffingMatchesReached |
+integer minimum: 1 maximum: 10000 |
+After configured threshold (number of detected login attempts that match known leaked credentials library) defined action will be applied for the next login attempt. |
|
+
+
+detectCredentialsStuffingAttack |
+boolean |
+When enabled, the system detects login attempts that match known leaked credentials library. |
+ |
+
+
+detectDistributedBruteForceAttack |
+boolean |
+When enabled, the system detects distributed brute force attacks. |
+ |
+
+
+failedLoginAttemptsRateReached |
+integer minimum: 1 maximum: 10000 |
+After configured threshold (number of failed login attempts within measurementPeriod) defined action will be applied for the next login attempt. |
|
-
+leakedCredentialsCriteria
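Review bot: `match known leaked credentials library` in both the `credentialsStuffingMatchesReached` and `detectCredentialsStuffingAttack` descriptions needs `the` before `known`. It would also help to say which `action` applies when `credentialsStuffingMatchesReached` and `failedLoginAttemptsRateReached` are both reached within the same `measurementPeriod`, since `Specifies action that is applied when one of the defined thresholds ... is reached` leaves that open.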
@@ -626,30 +1054,36 @@
-claimPropertyName |
-string |
- |
- |
+action
|
+string |
+Specifies action when leaked credentials detected.
+
+
+- alarm: The system will log the login attempt.
+- alarm-and-blocking-page: The system will log the login attempt, block the request and send the Blocking page.
+- alarm-and-honeypot-page: The system will log the login attempt, block the request and send the Honeypot page. The Honeypot page is used for attacker deception. The page should look like an application failed login page. Unlike with the Blocking page, when the Honeypot page is sent an attacker is not able to distinguish a failed login response from a mitigation. As a result, the attacker will not change identity (Source IP or Device ID) and the brute force attack will be rendered ineffective. The Honeypot page is recommended when mitigation is request blocking.
+- alarm-and-leaked-credentials-response-page: The default response page warns the user that the username and password have been leaked and the password should be changed.
+
+ |
+
+- alarm
+- alarm-and-blocking-page
+- alarm-and-honeypot-page
+- alarm-and-leaked-credentials-response-page
+ |
enabled |
boolean |
- |
- |
-
-
-isMandatory |
-boolean |
- |
+When enabled, the system can match presented credentials to those in the credentials dictionary to detect leaked credentials. |
|
-blocking-settings
+loginAttemptsFromTheSameDeviceId
-
-
+
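Review bot: `Specifies action when leaked credentials detected.` is missing a verb; suggest `Specifies the action applied when leaked credentials are detected.` The `enabled` row refers to `the credentials dictionary` while `detectionCriteria` refers to the `known leaked credentials library`; use one term for the data set so readers know these are the same source.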
@@ -657,7 +1091,6 @@ blocking-settings
-evasions |
-Yes |
-array of objects |
-This section defines behavior of 'Evasion technique detected' (VIOL_EVASION) violation sub-violations. User can control which sub-violations are enabled (alarmed/blocked). Behavior of sub-violations depends on the block/alarm settings of 'Evasion technique detected' violation, defined in /policy/blocking-settings/violations section: - If both alarm and block are disabled - enable flag becomes irrelevant, since there will be no block/alarm for all sub-violations |
- |
+action
|
+string |
+Specifies action that is applied when defined threshold is reached.
+
+
+- alarm: The system will log the login attempt.
+- alarm-and-blocking-page: The system will log the login attempt, block the request and send the Blocking page.
+- alarm-and-captcha: The system determines whether the client is a legal browser operated by a human user by sending a CAPTCHA challenge. A login attempt is logged if the client successfully passes the CAPTCHA challenge.
+- alarm-and-client-side-integrity: The system determines whether the client is a legal browser or a bot by sending a page containing JavaScript code and waiting for a response. Legal browsers are able to execute JavaScript and produce a valid response, whereas bots cannot. A login attempt is logged if the client successfully passes the Client Side Integrity challenge.
+- alarm-and-drop: The system will log the login attempt and reset the TCP connection.
+- alarm-and-honeypot-page: The system will log the login attempt, block the request and send the Honeypot page. The Honeypot page is used for attacker deception. The page should look like an application failed login page. Unlike with the Blocking page, when the Honeypot page is sent an attacker is not able to distinguish a failed login response from a mitigation. As a result, the attacker will not change identity (Source IP or Device ID) and the brute force attack will be rendered ineffective. The Honeypot page is recommended when mitigation is request blocking.
+
+ |
+
+- alarm
+- alarm-and-blocking-page
+- alarm-and-captcha
+- alarm-and-client-side-integrity
+- alarm-and-drop
+- alarm-and-honeypot-page
+ |
-http-protocols |
-Yes |
-array of objects |
-This section defines behavior of 'HTTP protocol compliance failed' (VIOL_HTTP_PROTOCOL) violation sub-violations. User can control which sub-violations are enabled (alarmed/blocked). Behavior of sub-violations depends on the block/alarm settings of 'HTTP protocol compliance failed' violation, - If both alarm and block are disabled - enable flag becomes irrelevant, since there will be no block/alarm for all sub-violations |
+enabled |
+boolean |
+When enabled, the system counts failed login attempts for Device ID. |
|
-violations |
-Yes |
-array of objects |
- |
+threshold |
+integer minimum: 1 maximum: 100 |
+After configured threshold (number of failed login attempts for Device ID) defined action will be applied for the next login attempt. |
|
-bot-defense
+loginAttemptsFromTheSameIp
-
-
+
@@ -699,7 +1145,6 @@ bot-defense
-mitigations |
-Yes |
-object |
-This section defines the mitigation to each class or signature. |
- |
+action
|
+string |
+Specifies action that is applied when defined threshold is reached.
+
+
+- alarm: The system will log the login attempt.
+- alarm-and-blocking-page: The system will log the login attempt, block the request and send the Blocking page.
+- alarm-and-captcha: The system determines whether the client is a legal browser operated by a human user by sending a CAPTCHA challenge. A login attempt is logged if the client successfully passes the CAPTCHA challenge.
+- alarm-and-client-side-integrity: The system determines whether the client is a legal browser or a bot by sending a page containing JavaScript code and waiting for a response. Legal browsers are able to execute JavaScript and produce a valid response, whereas bots cannot. A login attempt is logged if the client successfully passes the Client Side Integrity challenge.
+- alarm-and-drop: The system will log the login attempt and reset the TCP connection.
+- alarm-and-honeypot-page: The system will log the login attempt, block the request and send the Honeypot page. The Honeypot page is used for attacker deception. The page should look like an application failed login page. Unlike with the Blocking page, when the Honeypot page is sent an attacker is not able to distinguish a failed login response from a mitigation. As a result, the attacker will not change identity (Source IP or Device ID) and the brute force attack will be rendered ineffective. The Honeypot page is recommended when mitigation is request blocking.
+
+ |
+
+- alarm
+- alarm-and-blocking-page
+- alarm-and-captcha
+- alarm-and-client-side-integrity
+- alarm-and-drop
+- alarm-and-honeypot-page
+ |
-settings |
-Yes |
-object |
-This section contains all bot defense settings. |
+enabled |
+boolean |
+When enabled, the system counts failed login attempts from IP Address. |
+ |
+
+
+threshold |
+integer minimum: 1 maximum: 1000 |
+After configured threshold (number of failed login attempts from IP Address) defined action will be applied for the next login attempt. |
|
-browser-definitions
+loginAttemptsFromTheSameUser
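Review bot: `loginAttemptsFromTheSameIp.threshold` is documented as `integer minimum: 1 maximum: 1000`, whereas the Device ID and Username thresholds in the adjacent hunks are `minimum: 1 maximum: 100`. If the wider range for source IP is deliberate (one address can front many users behind NAT), say so in the description; if it is a typo, align it. Either way it should be checked against the schema, whose brute-force section is only partially included in this patch.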
@@ -740,27 +1206,32 @@ browser-definitions
-isUserDefined |
-boolean |
- |
- |
+action
|
+string |
+Specifies action that is applied when defined threshold is reached.
+
+
+- alarm: The system will log the login attempt.
+- alarm-and-captcha: The system determines whether the client is a legal browser operated by a human user by sending a CAPTCHA challenge. A login attempt is logged if the client successfully passes the CAPTCHA challenge.
+- alarm-and-client-side-integrity: The system determines whether the client is a legal browser or a bot by sending a page containing JavaScript code and waiting for a response. Legal browsers are able to execute JavaScript and produce a valid response, whereas bots cannot. A login attempt is logged if the client successfully passes the Client Side Integrity challenge.
+
+ |
+
+- alarm
+- alarm-and-captcha
+- alarm-and-client-side-integrity
+ |
-matchRegex |
-string |
- |
+enabled |
+boolean |
+When enabled, the system counts failed login attempts for each Username. |
|
-matchString |
-string |
- |
- |
-
-
-name |
-string |
- |
+threshold |
+integer minimum: 1 maximum: 100 |
+After configured threshold (number of failed login attempts for each Username) defined action will be applied for the next login attempt. |
|
@@ -2431,12 +2902,18 @@
|
-checkSignatures |
+autoDetectBinaryValue |
boolean |
|
|
+checkSignatures |
+boolean |
+ |
+ |
+
+
decodeValueAsBase64
|
string |
Specifies whether the the system should detect or require values to be Base64 encoded:
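Review bot: `autoDetectBinaryValue` has an empty description and no value list, so the reader cannot tell what the flag does or how it interacts with `decodeValueAsBase64` directly below it; add at least a one-line description. While here, the unchanged context line `Specifies whether the the system should detect` has a doubled `the`.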
@@ -2453,25 +2930,25 @@
required
|
-
+
htmlNormalization |
boolean |
|
|
-
+
mandatory |
boolean |
|
|
-
+
maskValueInLogs |
boolean |
Specifies, when true, that the headers's value will be masked in the request log. |
|
-
+
name
|
string |
Specifies the HTTP header name. The header name length is limited to 254 characters.
@@ -2496,25 +2973,25 @@
Note: Wildcards do not match regular expressions. Do not use a regular expression as a wildcard. |
|
-
+
normalizationViolations |
boolean |
|
|
-
+
percentDecoding |
boolean |
|
|
-
+
signatureOverrides |
array of objects |
Array of signature overrides. Specifies attack signatures whose security policy settings are overridden for this header, and which action the security policy takes when it discovers a request for this header that matches these attack signatures. |
|
-
+
type |
string |
Determines the type of the name attribute. Only when setting the type to wildcard will the special wildcard characters in the name be interpreted as such. |
@@ -2523,13 +3000,13 @@
wildcard
-
+
urlNormalization |
boolean |
|
|
-
+
wildcardOrder |
integer |
Specifies the order index for wildcard header matching. Wildcard headers with lower wildcard order will get checked for a match prior to headers with higher wildcard order. |
@@ -2611,7 +3088,118 @@ host-names
-idl-files
+idl-files
+
+
+
+
+
+
+
+
+
+
+
+
+contents |
+string |
+ |
+ |
+
+
+fileName |
+string |
+ |
+ |
+
+
+isBase64 |
+boolean |
+ |
+ |
+
+
+
+ip-address-lists
+
+
+
+
+
+
+
+
+
+
+
+
+blockRequests
|
+string |
+
+- Specifies how the system responds to blocking requests sent from this IP address list.
+
+- Policy Default: Specifies that the Policy Blocking Settings will be used for requests from this IP address list.
+- Never Block: Specifies that the system does not block requests sent from this IP address list, even if your security policy is configured to block all traffic.
+- Always Block: Specifies that the system blocks requests sent from this IP address list.
+
+
+
+Optional |
+
+- always
+- never
+- policy-default
+ |
+
+
+description |
+string |
+Specifies a brief description of the IP address list. Optional |
+ |
+
+
+ipAddresses |
+array of objects |
+Specifies the IP addresses. |
+ |
+
+
+matchOrder |
+integer |
+Specifies the order index for IP Address List matching. If unspecified, the order is implicitly as the lists appear in the policy. IP Address Groups with a lower matchOrder will be checked for a match prior to items with higher matchOrder. |
+ |
+
+
+name |
+string |
+Specifies the name of ip address list. |
+ |
+
+
+neverLogRequests |
+boolean |
+Specifies when enabled that the system does not log requests or responses sent from this IP address list, even if the traffic is illegal, and even if your security policy is configured to log all traffic. |
+ |
+
+
+setGeolocation |
+string |
+Specifies a geolocation to be associated for this IP address list. Optional |
+ |
+
+
+
+ipAddresses
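Review bot: in `blockRequests` the lead sentence `Specifies how the system responds to blocking requests sent from this IP address list.` is formatted as a list item alongside the three values, and `Optional` sits on its own line in the description column; this layout defect existed in the removed `whitelist-ips` row and has been copied over. Make the lead sentence plain text and move `Optional` to wherever the table marks optional fields (the `description` and `setGeolocation` rows also append `Optional` without punctuation). Also, the `Always Block` text dropped the condition the old row carried (`on condition that IP is denylisted is set to Block under Policy Building Settings`); confirm the new behaviour is unconditional before documenting it that way.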
@@ -2629,23 +3217,11 @@ idl-files
-contents |
-string |
- |
- |
-
-
-fileName |
+ipAddress |
string |
|
|
-
-isBase64 |
-boolean |
- |
- |
-
json-profiles
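Review bot: `ipAddress` in the `ipAddresses` sub-table is a bare `string` with no description, while the removed `whitelist-ips` rows had both `ipAddress` (`Specifies the IP address that you want the system to trust.`) and a separate `ipMask` (`Specifies the netmask of the exceptional IP address.`). State the accepted format here, in particular whether a netmask or CIDR suffix is accepted in `ipAddress` now that `ipMask` is gone.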
@@ -2967,6 +3543,170 @@ json-validation-files
+login-pages
+
+
+
+
+
+
+
+
+
+
+
+
+accessValidation |
+object |
+Access Validation define validation criteria for the login page response. If you define more than one validation criteria, the response must meet all the criteria before the system allows the user to access the application login URL. |
+ |
+
+
+authenticationType
|
+string |
+Authentication Type is method the web server uses to authenticate the login URL's credentials with a web user.
+
+
+- none: The web server does not authenticate users trying to access the web application through the login URL. This is the default setting.
+- form: The web application uses a form to collect and authenticate user credentials. If using this option, you also need to type the user name and password parameters written in the code of the HTML form.
+- http-basic: The user name and password are transmitted in Base64 and stored on the server in plain text.
+- http-digest: The web server performs the authentication; user names and passwords are not transmitted over the network, nor are they stored in plain text.
+- ntlm: Microsoft LAN Manager authentication (also called Integrated Windows Authentication) does not transmit credentials in plain text, but requires a continuous TCP connection between the server and client.
+- ajax-or-json-request: The web server uses JSON and AJAX requests to authenticate users trying to access the web application through the login URL. For this option, you also need to type the name of the JSON element containing the user name and password.
+
+ |
+
+- ajax-or-json-request
+- form
+- http-basic
+- http-digest
+- none
+- ntlm
+- request-body
+ |
+
+
+passwordParameterName |
+string |
+A name of parameter which will contain password string. |
+ |
+
+
+passwordRegex |
+string |
+ |
+ |
+
+
+url |
+object |
+URL string used for login page. |
+ |
+
+
+usernameParameterName |
+string |
+A name of parameter which will contain username string. |
+ |
+
+
+usernameRegex |
+string |
+ |
+ |
+
+
+
+accessValidation
+
+
+
+
+
+
+
+
+
+
+
+
+cookieContains |
+string |
+A defined domain cookie name that the response to the login URL must match to permit user access to the authenticated URL. |
+ |
+
+
+headerContains |
+string |
+A header name and value that the response to the login URL must match to permit user access to the authenticated URL. |
+ |
+
+
+headerContainsMatchCondition |
+string |
+ |
+ |
+
+
+headerOmits |
+string |
+A header name and value that indicates a failed login attempt and prohibits user access to the authenticated URL. |
+ |
+
+
+headerOmitsMatchCondition |
+string |
+ |
+ |
+
+
+parameterContains |
+string |
+A parameter that must exist in the login URL's HTML body to allow access to the authenticated URL. |
+ |
+
+
+responseContains |
+string |
+A string that must appear in the response for the system to allow the user to access the authenticated URL; for example, "Successful Login". |
+ |
+
+
+responseHttpStatus |
+string |
+An HTTP response code that the server must return to the user to allow access to the authenticated URL; for example, "200". |
+ |
+
+
+responseHttpStatusOmits |
+array of strings |
+An HTTP response code that indicates a failed login attempt and prohibits user access to the authenticated URL. |
+ |
+
+
+responseOmits |
+string |
+A string that indicates a failed login attempt and prohibits user access to the authenticated URL; for example, "Authentication failed". |
+ |
+
+
+
methods
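Review bot: the `authenticationType` value list includes `request-body` but the description explains only the other six values (`none`, `form`, `http-basic`, `http-digest`, `ntlm`, `ajax-or-json-request`); add a line for `request-body`. Smaller points in the same section: `Authentication Type is method the web server uses` is missing `the`; `A name of parameter which will contain password string.` reads better as `Name of the parameter that carries the password.` (likewise for `usernameParameterName`); `headerContainsMatchCondition` and `headerOmitsMatchCondition` have neither a description nor their allowed values; and `responseHttpStatus` is a `string` while `responseHttpStatusOmits` is an `array of strings`, which is worth confirming against the schema.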
@@ -5223,12 +5963,21 @@ urlContentProfiles
|
+decodeValueAsBase64 |
+string |
+ |
+ |
+
+
headerName |
string |
Specifies an explicit header name that must appear in requests for this URL. This field is not case-sensitive. |
|
-
+
headerOrder |
- integer
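Review bot: `decodeValueAsBase64` is added to `urlContentProfiles` with an empty description and no value list, but the same field on headers earlier in this patch already has `Specifies whether the the system should detect or require values to be Base64 encoded` and a value list ending in `required`; reuse that description (with the doubled `the` removed) and list the values here as well.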
@@ -5240,13 +5989,13 @@ urlContentProfiles
- "default"
|
-
+
headerValue |
string |
Specifies a simple pattern string (glob pattern matching) for the header value that must appear in legal requests for this URL; for example, json, xml_method?, or method[0-9]. If the header includes this pattern, the system assumes the request contains the type of data you select in the Request Body Handling setting. This field is case-sensitive. |
|
-
+
type |
string |
@@ -5328,7 +6077,7 @@ urls
|
-whitelist-ips
+xml-profiles
@@ -5346,97 +6095,54 @@ whitelist-ips
-blockRequests |
-string |
-
-- Specifies how the system responds to blocking requests sent from this IP address.
-
-- Policy Default: Specifies that the Policy Blocking Settings will be used for requests from this IP address.
-- Never Block: Specifies that the system does not block requests sent from this IP address, even if your security policy is configured to block all traffic.
-- Always Block: Specifies that the system blocks requests sent from this IP address on condition that IP is denylisted is set to Block under Policy Building Settings.
-
-
- |
-
-- always
-- never
-- policy-default
- |
+attackSignaturesCheck |
+boolean |
+ |
+ |
-description |
-string |
-Specifies a brief description of the IP address. |
+defenseAttributes |
+object |
+ |
|
-ipAddress |
+description |
string |
-Specifies the IP address that you want the system to trust. |
|
-
-
-ipMask |
-string |
-Specifies the netmask of the exceptional IP address. This is an optional field. |
|
-
-neverLogRequests |
+
+metacharAttributeCheck |
boolean |
-Specifies when enabled that the system does not log requests or responses sent from this IP address, even if the traffic is illegal, and even if your security policy is configured to log all traffic. |
+ |
|
-
-
-xml-profiles
-
-
-
-
-
-
-
-
-
-
-
-attackSignaturesCheck |
+metacharElementCheck |
boolean |
|
|
-defenseAttributes |
-object |
+metacharOverrides |
+array of objects |
|
|
-description |
-string |
- |
- |
-
-
name |
string |
|
|
-
+
signatureOverrides |
array of objects |
|
|
-
+
useXmlResponsePage |
boolean |
|
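Review bot: the three new xml-profiles rows (`metacharAttributeCheck`, `metacharElementCheck`, `metacharOverrides`) ship with empty description cells, and `attackSignaturesCheck`, `defenseAttributes` and `description` are left blank as well. The xml-profiles schema hunk in this patch gives `metacharAttributeCheck` a default of false and `metacharElementCheck` a default of true; that asymmetry is exactly what a policy author needs to know and should be stated here rather than inferred from the JSON.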
@@ -5613,6 +6319,37 @@ defenseAttributes
+
+
+
+
+
+
+
+
+
+
+
+
+
+isAllowed |
+boolean |
+ |
+ |
+
+
+metachar |
+string |
+ |
+ |
+
+
+
signatureOverrides
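Review bot: the new `metacharOverrides` sub-table lists `isAllowed` and `metachar` with no descriptions, does not record that `metachar` is required (the schema marks it `required`), and does not say what form the `metachar` value takes or what happens when `isAllowed` is omitted, which has no schema default. Please fill in all three.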
@@ -5832,6 +6569,8 @@ violations
VIOL_ACCESS_MISSING
VIOL_ASM_COOKIE_MODIFIED
VIOL_BLACKLISTED_IP
+VIOL_BOT_CLIENT
+VIOL_BRUTE_FORCE
VIOL_COOKIE_EXPIRED
VIOL_COOKIE_LENGTH
VIOL_COOKIE_MALFORMED
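Review bot: `VIOL_BOT_CLIENT` is added to the violations list, but no hunk in this patch adds the section that would raise it; `VIOL_BRUTE_FORCE` and `VIOL_LOGIN` map to the new `brute-force-attack-preventions` and `login-pages` schema sections, whereas nothing here documents a bot-client feature. Either add that section or note in the commit where it is documented.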
@@ -5858,6 +6597,7 @@ violations
VIOL_JSON_FORMAT
VIOL_JSON_MALFORMED
VIOL_JSON_SCHEMA
+VIOL_LOGIN
VIOL_MANDATORY_HEADER
VIOL_MANDATORY_PARAMETER
VIOL_MANDATORY_REQUEST_BODY
diff --git a/data/nap-waf/schema/policy.json b/data/nap-waf/schema/policy.json
index a27b4ad42..d833d8442 100644
--- a/data/nap-waf/schema/policy.json
+++ b/data/nap-waf/schema/policy.json
@@ -370,6 +370,8 @@
"VIOL_ACCESS_MISSING",
"VIOL_ASM_COOKIE_MODIFIED",
"VIOL_BLACKLISTED_IP",
+ "VIOL_BOT_CLIENT",
+ "VIOL_BRUTE_FORCE",
"VIOL_COOKIE_EXPIRED",
"VIOL_COOKIE_LENGTH",
"VIOL_COOKIE_MALFORMED",
@@ -396,6 +398,7 @@
"VIOL_JSON_FORMAT",
"VIOL_JSON_MALFORMED",
"VIOL_JSON_SCHEMA",
+ "VIOL_LOGIN",
"VIOL_MANDATORY_HEADER",
"VIOL_MANDATORY_PARAMETER",
"VIOL_MANDATORY_REQUEST_BODY",
@@ -707,6 +710,287 @@
}
]
},
+ "brute-force-attack-preventions" : {
+ "oneOf" : [
+ {
+ "items" : {
+ "description" : "Defines configuration for Brute Force Protection feature.\nThere is default configuration (one with bruteForceProtectionForAllLoginPages flag and without url) that applies to all configured login URLs unless there exists another brute force configuration for a specific login page.",
+ "properties" : {
+ "$action" : {
+ "enum" : [
+ "delete"
+ ],
+ "type" : "string"
+ },
+ "bruteForceProtectionForAllLoginPages" : {
+ "default" : false,
+ "description" : "When enabled, enables Brute Force Protection for all configured login URLs.\nWhen disabled, only brute force configurations for specific login pages are applied in case they exist.",
+ "type" : "boolean"
+ },
+ "captchaBypassCriteria" : {
+ "description" : "Specifies configuration for CAPTCHA Bypass Mitigation.",
+ "properties" : {
+ "action" : {
+ "default" : "alarm-and-drop",
+ "description" : "Specifies action that is applied when defined threshold is reached.\n\n- **alarm-and-blocking-page**: The system will log the login attempt, block the request and send the Blocking page.\n- **alarm-and-drop**: The system will log the login attempt and reset the TCP connection.\n- **alarm-and-honeypot-page**: The system will log the login attempt, block the request and send the Honeypot page. The Honeypot page is used for attacker deception. The page should look like an application failed login page. Unlike with the Blocking page, when the Honeypot page is sent an attacker is not able to distinguish a failed login response from a mitigation. As a result, the attacker will not change identity (Source IP or Device ID) and the brute force attack will be rendered ineffective. The Honeypot page is recommended when mitigation is request blocking.",
+ "enum" : [
+ "alarm-and-blocking-page",
+ "alarm-and-drop",
+ "alarm-and-honeypot-page"
+ ],
+ "type" : "string"
+ },
+ "enabled" : {
+ "default" : true,
+ "description" : "When enabled, the system counts successful CAPTCHA challenges with failed logins from IP Address / Device ID.",
+ "type" : "boolean"
+ },
+ "threshold" : {
+ "default" : 5,
+ "description" : "After configured threshold (number of successful CAPTCHA challenges with failed logins from IP Address / Device ID) defined action will be applied for the next login attempt",
+ "maximum" : 100,
+ "minimum" : 1,
+ "type" : "integer"
+ }
+ },
+ "type" : "object"
+ },
+ "clientSideIntegrityBypassCriteria" : {
+ "description" : "Specifies configuration for Client Side Integrity Bypass Mitigation.",
+ "properties" : {
+ "action" : {
+ "default" : "alarm-and-captcha",
+ "description" : "Specifies action that is applied when defined threshold is reached.\n\n- **alarm-and-captcha**: The system determines whether the client is a legal browser operated by a human user by sending a CAPTCHA challenge. A login attempt is logged if the client successfully passes the CAPTCHA challenge.",
+ "enum" : [
+ "alarm-and-captcha"
+ ],
+ "type" : "string"
+ },
+ "enabled" : {
+ "default" : false,
+ "description" : "When enabled, the system counts successful challenges with failed logins from IP Address / Device ID / Username.\nLegitimate users who have disabled JavaScripting on their browsers for security reasons will fail a client side integrity challenge.",
+ "type" : "boolean"
+ },
+ "threshold" : {
+ "default" : 3,
+ "description" : "After configured threshold (number of successful challenges with failed logins from IP Address / Device ID / Username) defined action will be applied for the next login attempt",
+ "maximum" : 100,
+ "minimum" : 1,
+ "type" : "integer"
+ }
+ },
+ "type" : "object"
+ },
+ "detectionCriteria" : {
+ "description" : "Specifies configuration for detecting distributed brute force attacks.",
+ "properties" : {
+ "action" : {
+ "default" : "alarm",
+ "description" : "Specifies action that is applied when one of the defined thresholds (credentialsStuffingMatchesReached, failedLoginAttemptsRateReached) is reached.\n\n- **alarm**: The system will log the login attempt.\n- **alarm-and-captcha**: The system determines whether the client is a legal browser operated by a human user by sending a CAPTCHA challenge. A login attempt is logged if the client successfully passes the CAPTCHA challenge.\n- **alarm-and-client-side-integrity**: The system determines whether the client is a legal browser or a bot by sending a page containing JavaScript code and waiting for a response. Legal browsers are able to execute JavaScript and produce a valid response, whereas bots cannot. A login attempt is logged if the client successfully passes the Client Side Integrity challenge.\n- **alarm-and-client-side-integrity-captcha**: The system sends a Client Side Integrity challenge upon the first failed login attempt from a source and a CAPTCHA challenge upon second and all subsequent failed login attempts. A login attempt is logged if client successfully passes the challenge. This enforcement action should be chosen if CAPTCHA is considered intrusive. Benign users who mistype their password will likely get only the Client Side Integrity challenge, while an attacker will eventually get the CAPTCHA challenge.",
+ "enum" : [
+ "alarm",
+ "alarm-and-captcha",
+ "alarm-and-client-side-integrity",
+ "alarm-and-client-side-integrity-captcha"
+ ],
+ "type" : "string"
+ },
+ "credentialsStuffingMatchesReached" : {
+ "default" : 100,
+ "description" : "After configured threshold (number of detected login attempts that match known leaked credentials library) defined action will be applied for the next login attempt.",
+ "maximum" : 10000,
+ "minimum" : 1,
+ "type" : "integer"
+ },
+ "detectCredentialsStuffingAttack" : {
+ "default" : true,
+ "description" : "When enabled, the system detects login attempts that match known leaked credentials library.",
+ "type" : "boolean"
+ },
+ "detectDistributedBruteForceAttack" : {
+ "default" : true,
+ "description" : "When enabled, the system detects distributed brute force attacks.",
+ "type" : "boolean"
+ },
+ "failedLoginAttemptsRateReached" : {
+ "default" : 100,
+ "description" : "After configured threshold (number of failed login attempts within measurementPeriod) defined action will be applied for the next login attempt. ",
+ "maximum" : 10000,
+ "minimum" : 1,
+ "type" : "integer"
+ }
+ },
+ "type" : "object"
+ },
+ "leakedCredentialsCriteria" : {
+ "description" : "Specifies configuration for Leaked Credentials Detection.",
+ "properties" : {
+ "action" : {
+ "default" : "alarm-and-blocking-page",
+ "description" : "Specifies action when leaked credentials detected.\n\n- **alarm**: The system will log the login attempt.\n- **alarm-and-blocking-page**: The system will log the login attempt, block the request and send the Blocking page.\n- **alarm-and-honeypot-page**: The system will log the login attempt, block the request and send the Honeypot page. The Honeypot page is used for attacker deception. The page should look like an application failed login page. Unlike with the Blocking page, when the Honeypot page is sent an attacker is not able to distinguish a failed login response from a mitigation. As a result, the attacker will not change identity (Source IP or Device ID) and the brute force attack will be rendered ineffective. The Honeypot page is recommended when mitigation is request blocking.\n- **alarm-and-leaked-credentials-response-page**: The default response page warns the user that the username and password have been leaked and the password should be changed.",
+ "enum" : [
+ "alarm",
+ "alarm-and-blocking-page",
+ "alarm-and-honeypot-page",
+ "alarm-and-leaked-credentials-response-page"
+ ],
+ "type" : "string"
+ },
+ "enabled" : {
+ "default" : false,
+ "description" : "When enabled, the system can match presented credentials to those in the credentials dictionary to detect leaked credentials.",
+ "type" : "boolean"
+ }
+ },
+ "type" : "object"
+ },
+ "loginAttemptsFromTheSameDeviceId" : {
+ "description" : "Specifies configuration for detecting brute force attacks for Device ID.",
+ "properties" : {
+ "action" : {
+ "default" : "alarm",
+ "description" : "Specifies action that is applied when defined threshold is reached.\n\n- **alarm**: The system will log the login attempt.\n- **alarm-and-blocking-page**: The system will log the login attempt, block the request and send the Blocking page.\n- **alarm-and-captcha**: The system determines whether the client is a legal browser operated by a human user by sending a CAPTCHA challenge. A login attempt is logged if the client successfully passes the CAPTCHA challenge.\n- **alarm-and-client-side-integrity**: The system determines whether the client is a legal browser or a bot by sending a page containing JavaScript code and waiting for a response. Legal browsers are able to execute JavaScript and produce a valid response, whereas bots cannot. A login attempt is logged if the client successfully passes the Client Side Integrity challenge.\n- **alarm-and-drop**: The system will log the login attempt and reset the TCP connection.\n- **alarm-and-honeypot-page**: The system will log the login attempt, block the request and send the Honeypot page. The Honeypot page is used for attacker deception. The page should look like an application failed login page. Unlike with the Blocking page, when the Honeypot page is sent an attacker is not able to distinguish a failed login response from a mitigation. As a result, the attacker will not change identity (Source IP or Device ID) and the brute force attack will be rendered ineffective. The Honeypot page is recommended when mitigation is request blocking.",
+ "enum" : [
+ "alarm",
+ "alarm-and-blocking-page",
+ "alarm-and-captcha",
+ "alarm-and-client-side-integrity",
+ "alarm-and-drop",
+ "alarm-and-honeypot-page"
+ ],
+ "type" : "string"
+ },
+ "enabled" : {
+ "default" : false,
+ "description" : "When enabled, the system counts failed login attempts for Device ID.",
+ "type" : "boolean"
+ },
+ "threshold" : {
+ "default" : 3,
+ "description" : "After configured threshold (number of failed login attempts for Device ID) defined action will be applied for the next login attempt.",
+ "maximum" : 100,
+ "minimum" : 1,
+ "type" : "integer"
+ }
+ },
+ "type" : "object"
+ },
+ "loginAttemptsFromTheSameIp" : {
+ "description" : "Specifies configuration for detecting brute force attacks from IP Address.",
+ "properties" : {
+ "action" : {
+ "default" : "alarm-and-blocking-page",
+ "description" : "Specifies action that is applied when defined threshold is reached.\n\n- **alarm**: The system will log the login attempt.\n- **alarm-and-blocking-page**: The system will log the login attempt, block the request and send the Blocking page.\n- **alarm-and-captcha**: The system determines whether the client is a legal browser operated by a human user by sending a CAPTCHA challenge. A login attempt is logged if the client successfully passes the CAPTCHA challenge.\n- **alarm-and-client-side-integrity**: The system determines whether the client is a legal browser or a bot by sending a page containing JavaScript code and waiting for a response. Legal browsers are able to execute JavaScript and produce a valid response, whereas bots cannot. A login attempt is logged if the client successfully passes the Client Side Integrity challenge.\n- **alarm-and-drop**: The system will log the login attempt and reset the TCP connection.\n- **alarm-and-honeypot-page**: The system will log the login attempt, block the request and send the Honeypot page. The Honeypot page is used for attacker deception. The page should look like an application failed login page. Unlike with the Blocking page, when the Honeypot page is sent an attacker is not able to distinguish a failed login response from a mitigation. As a result, the attacker will not change identity (Source IP or Device ID) and the brute force attack will be rendered ineffective. The Honeypot page is recommended when mitigation is request blocking.",
+ "enum" : [
+ "alarm",
+ "alarm-and-blocking-page",
+ "alarm-and-captcha",
+ "alarm-and-client-side-integrity",
+ "alarm-and-drop",
+ "alarm-and-honeypot-page"
+ ],
+ "type" : "string"
+ },
+ "enabled" : {
+ "default" : true,
+ "description" : "When enabled, the system counts failed login attempts from IP Address.",
+ "type" : "boolean"
+ },
+ "threshold" : {
+ "default" : 20,
+ "description" : "After configured threshold (number of failed login attempts from IP Address) defined action will be applied for the next login attempt.",
+ "maximum" : 1000,
+ "minimum" : 1,
+ "type" : "integer"
+ }
+ },
+ "type" : "object"
+ },
+ "loginAttemptsFromTheSameUser" : {
+ "description" : "Specifies configuration for detecting brute force attacks for Username.",
+ "properties" : {
+ "action" : {
+ "default" : "alarm",
+ "description" : "Specifies action that is applied when defined threshold is reached.\n\n- **alarm**: The system will log the login attempt.\n- **alarm-and-captcha**: The system determines whether the client is a legal browser operated by a human user by sending a CAPTCHA challenge. A login attempt is logged if the client successfully passes the CAPTCHA challenge.\n- **alarm-and-client-side-integrity**: The system determines whether the client is a legal browser or a bot by sending a page containing JavaScript code and waiting for a response. Legal browsers are able to execute JavaScript and produce a valid response, whereas bots cannot. A login attempt is logged if the client successfully passes the Client Side Integrity challenge.",
+ "enum" : [
+ "alarm",
+ "alarm-and-captcha",
+ "alarm-and-client-side-integrity"
+ ],
+ "type" : "string"
+ },
+ "enabled" : {
+ "default" : true,
+ "description" : "When enabled, the system counts failed login attempts for each Username.",
+ "type" : "boolean"
+ },
+ "threshold" : {
+ "default" : 5,
+ "description" : "After configured threshold (number of failed login attempts for each Username) defined action will be applied for the next login attempt.",
+ "maximum" : 100,
+ "minimum" : 1,
+ "type" : "integer"
+ }
+ },
+ "type" : "object"
+ },
+ "measurementPeriod" : {
+ "default" : 900,
+ "description" : "Defines detection period (measured in seconds) for distributed brute force attacks.",
+ "maximum" : 90000,
+ "minimum" : 60,
+ "type" : "integer"
+ },
+ "preventionDuration" : {
+ "default" : "3600",
+ "description" : "Defines prevention period (measured in seconds) for distributed brute force attacks.",
+ "oneOf" : [
+ {
+ "maximum" : 90000,
+ "minimum" : 60,
+ "type" : "integer"
+ },
+ {
+ "enum" : [
+ "unlimited"
+ ],
+ "type" : "string"
+ },
+ {
+ "pattern" : "\\d+$",
+ "type" : "string"
+ }
+ ]
+ },
+ "reEnableLoginAfter" : {
+ "default" : 3600,
+ "description" : "Defines prevention period (measured in seconds) for source-based brute force attacks.",
+ "maximum" : 90000,
+ "minimum" : 60,
+ "type" : "integer"
+ },
+ "sourceBasedProtectionDetectionPeriod" : {
+ "default" : 3600,
+ "description" : "Defines detection period (measured in seconds) for source-based brute force attacks.",
+ "maximum" : 90000,
+ "minimum" : 60,
+ "type" : "integer"
+ },
+ "url" : {
+ "$ref" : "#/properties/policy/properties/urls/oneOf/0/items",
+ "description" : "Reference to the URL used in login URL configuration (policy/login-pages). This login URL is protected by Brute Force Protection feature.",
+ "type" : "object"
+ }
+ },
+ "type" : "object"
+ },
+ "type" : "array"
+ },
+ {
+ "$ref" : "#/definitions/reference"
+ }
+ ]
+ },
"caseInsensitive" : {
"default" : false,
"description" : "Specifies whether the security policy treats microservice URLs, file types, URLs, and parameters as case sensitive or not. When this setting is enabled, the system stores these security policy elements in lowercase in the security policy configuration.",
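Review bot: `preventionDuration` accepts three shapes and the third bypasses the limits the first enforces: the integer branch is bounded 60..90000, but the string branch with `"pattern" : "\\d+$"` is unanchored at the start (it matches `abc123`) and has no range check, so `"preventionDuration" : "5"` or `"99999999"` validates. Anchor the pattern (`^\\d+$`) or drop the numeric-string branch and keep only the integer and `unlimited` forms; the default is also the string `"3600"` while `reEnableLoginAfter` defaults to the integer 3600, so pick one representation. Separately, nothing in the schema requires an entry to carry either `url` or `bruteForceProtectionForAllLoginPages: true`, although the description says the default entry is the one without `url`; a `oneOf` with `"required" : ["url"]` on one side would make that explicit and reject an entry that is neither.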
@@ -2050,6 +2334,10 @@
"default" : true,
"type" : "boolean"
},
+ "autoDetectBinaryValue" : {
+ "default" : false,
+ "type" : "boolean"
+ },
"checkSignatures" : {
"default" : true,
"type" : "boolean"
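Review bot: `autoDetectBinaryValue` is added with a default but no description. The neighbouring booleans in this object are undocumented too, but a new setting whose name suggests values get classified as binary needs a sentence on what that classification means and which checks it affects, since a reader will otherwise assume it relaxes enforcement.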
@@ -2245,6 +2533,77 @@
}
]
},
+ "ip-address-lists" : {
+ "oneOf" : [
+ {
+ "items" : {
+ "description" : "An IP address list is a list of IP addresses that you want the system to treat in a specific way for a security policy.",
+ "properties" : {
+ "$action" : {
+ "enum" : [
+ "delete"
+ ],
+ "type" : "string"
+ },
+ "blockRequests" : {
+ "default" : "policy-default",
+ "description" : "Specifies how the system responds to blocking requests sent from this IP address list.\n- **Policy Default:** Specifies that the Policy Blocking Settings will be used for requests from this IP address list.\n- **Never Block:** Specifies that the system does not block requests sent from this IP address list, even if your security policy is configured to block all traffic.\n- **Always Block:** Specifies that the system blocks requests sent from this IP address list.\nOptional",
+ "enum" : [
+ "always",
+ "never",
+ "policy-default"
+ ],
+ "type" : "string"
+ },
+ "description" : {
+ "description" : "Specifies a brief description of the IP address list. Optional",
+ "type" : "string"
+ },
+ "ipAddresses" : {
+ "description" : "Specifies the IP addresses.",
+ "items" : {
+ "properties" : {
+ "ipAddress" : {
+ "type" : "string"
+ }
+ },
+ "required" : [
+ "ipAddress"
+ ],
+ "type" : "object"
+ },
+ "type" : "array"
+ },
+ "matchOrder" : {
+ "description" : "Specifies the order index for IP Address List matching. If unspecified, the order is implicitly as the lists appear in the policy.\nIP Address Groups with a lower matchOrder will be checked for a match prior to items with higher matchOrder.",
+ "type" : "integer"
+ },
+ "name" : {
+ "description" : "Specifies the name of ip address list.",
+ "type" : "string"
+ },
+ "neverLogRequests" : {
+ "default" : false,
+ "description" : "Specifies when enabled that the system does not log requests or responses sent from this IP address list, even if the traffic is illegal, and even if your security policy is configured to log all traffic.",
+ "type" : "boolean"
+ },
+ "setGeolocation" : {
+ "description" : "Specifies a geolocation to be associated for this IP address list. Optional",
+ "type" : "string"
+ }
+ },
+ "required" : [
+ "name"
+ ],
+ "type" : "object"
+ },
+ "type" : "array"
+ },
+ {
+ "$ref" : "#/definitions/reference"
+ }
+ ]
+ },
"json-profiles" : {
"oneOf" : [
{
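Review bot: `ipAddresses[].ipAddress` is a bare string described only as "Specifies the IP addresses.", with no pattern, and the `ipMask` field from the removed whitelist-ips object has no counterpart, so it is unclear whether CIDR notation or a separate mask is accepted; document the accepted forms and add a pattern or `format` so a typo fails validation instead of silently matching nothing. Two smaller points: `matchOrder` says "IP Address Groups" while everything else says "IP address list", and the `blockRequests` description for `Always Block` drops the "on condition that IP is denylisted is set to Block" qualifier the old text carried, so confirm that is an intentional behaviour change rather than a copy-edit.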
@@ -2538,6 +2897,121 @@
}
]
},
+ "login-pages" : {
+ "oneOf" : [
+ {
+ "items" : {
+ "description" : "A login page is a URL in a web application that requests must pass through to get to the authenticated URLs. Use login pages, for example, to prevent forceful browsing of restricted parts of the web application, by defining access permissions for users. Login pages also allow session tracking of user sessions.",
+ "properties" : {
+ "$action" : {
+ "enum" : [
+ "delete"
+ ],
+ "type" : "string"
+ },
+ "accessValidation" : {
+ "description" : "Access Validation define validation criteria for the login page response. If you define more than one validation criteria, the response must meet all the criteria before the system allows the user to access the application login URL.",
+ "properties" : {
+ "cookieContains" : {
+ "description" : "A defined domain cookie name that the response to the login URL must match to permit user access to the authenticated URL.",
+ "type" : "string"
+ },
+ "headerContains" : {
+ "description" : "A header name and value that the response to the login URL must match to permit user access to the authenticated URL.",
+ "type" : "string"
+ },
+ "headerContainsMatchCondition" : {
+ "default" : "exact",
+ "enum" : [
+ "exact",
+ "regex"
+ ],
+ "type" : "string"
+ },
+ "headerOmits" : {
+ "description" : "A header name and value that indicates a failed login attempt and prohibits user access to the authenticated URL.",
+ "type" : "string"
+ },
+ "headerOmitsMatchCondition" : {
+ "default" : "exact",
+ "enum" : [
+ "exact",
+ "regex"
+ ],
+ "type" : "string"
+ },
+ "parameterContains" : {
+ "description" : "A parameter that must exist in the login URL's HTML body to allow access to the authenticated URL.",
+ "type" : "string"
+ },
+ "responseContains" : {
+ "description" : "A string that must appear in the response for the system to allow the user to access the authenticated URL; for example, \"Successful Login\".",
+ "type" : "string"
+ },
+ "responseHttpStatus" : {
+ "description" : "An HTTP response code that the server must return to the user to allow access to the authenticated URL; for example, \"200\".",
+ "type" : "string"
+ },
+ "responseHttpStatusOmits" : {
+ "description" : "An HTTP response code that indicates a failed login attempt and prohibits user access to the authenticated URL.",
+ "items" : {
+ "type" : "string"
+ },
+ "type" : "array"
+ },
+ "responseOmits" : {
+ "description" : "A string that indicates a failed login attempt and prohibits user access to the authenticated URL; for example, \"Authentication failed\".",
+ "type" : "string"
+ }
+ },
+ "type" : "object"
+ },
+ "authenticationType" : {
+ "default" : "none",
+ "description" : "Authentication Type is method the web server uses to authenticate the login URL's credentials with a web user.\n\n- **none**: The web server does not authenticate users trying to access the web application through the login URL. This is the default setting.\n- **form**: The web application uses a form to collect and authenticate user credentials. If using this option, you also need to type the user name and password parameters written in the code of the HTML form.\n- **http-basic**: The user name and password are transmitted in Base64 and stored on the server in plain text.\n- **http-digest**: The web server performs the authentication; user names and passwords are not transmitted over the network, nor are they stored in plain text.\n- **ntlm**: Microsoft LAN Manager authentication (also called Integrated Windows Authentication) does not transmit credentials in plain text, but requires a continuous TCP connection between the server and client.\n- **ajax-or-json-request**: The web server uses JSON and AJAX requests to authenticate users trying to access the web application through the login URL. For this option, you also need to type the name of the JSON element containing the user name and password.",
+ "enum" : [
+ "ajax-or-json-request",
+ "form",
+ "http-basic",
+ "http-digest",
+ "none",
+ "ntlm",
+ "request-body"
+ ],
+ "type" : "string"
+ },
+ "passwordParameterName" : {
+ "description" : "A name of parameter which will contain password string.",
+ "type" : "string"
+ },
+ "passwordRegex" : {
+ "type" : "string"
+ },
+ "url" : {
+ "$ref" : "#/properties/policy/properties/urls/oneOf/0/items",
+ "description" : "URL string used for login page.",
+ "type" : "object"
+ },
+ "usernameParameterName" : {
+ "description" : "A name of parameter which will contain username string.",
+ "type" : "string"
+ },
+ "usernameRegex" : {
+ "type" : "string"
+ }
+ },
+ "required" : [
+ "url"
+ ],
+ "type" : "object"
+ },
+ "type" : "array"
+ },
+ {
+ "$ref" : "#/definitions/reference"
+ }
+ ]
+ },
"methods" : {
"oneOf" : [
{
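Review bot: the `authenticationType` enum includes `request-body` but the description documents only six values; add a bullet for `request-body` and say which parameter fields apply to it. `usernameRegex` and `passwordRegex` have no description at all. Nothing requires `usernameParameterName` and `passwordParameterName` when `authenticationType` is `form` or `ajax-or-json-request`, even though the description says they are needed for those modes, so a conditional `required` (if/then on `authenticationType`) would catch an incomplete login-page entry at validation time rather than at enforcement.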
@@ -4002,6 +4476,14 @@
},
"type" : "object"
},
+ "decodeValueAsBase64" : {
+ "default" : "disabled",
+ "enum" : [
+ "disabled",
+ "required"
+ ],
+ "type" : "string"
+ },
"headerName" : {
"default" : "*",
"description" : "Specifies an explicit header name that must appear in requests for this URL. This field is not case-sensitive.",
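Review bot: `decodeValueAsBase64` has no description, and with only `disabled` and `required` as values a reader cannot tell what `required` does when the header value is not valid base64 (reject the request, or pass it through undecoded), nor whether the signature and metachar checks for this content profile run on the decoded bytes. Add a description covering both, as the neighbouring `headerName` entry does.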
@@ -4076,60 +4558,6 @@
"wafEngineVersion" : {
"type" : "string"
},
- "whitelist-ips" : {
- "oneOf" : [
- {
- "items" : {
- "description" : "An IP address exception is an IP address that you want the system to treat in a specific way for a security policy.\nYou can use the IP address exception feature to create exceptions for IP addresses of internal tools that your company uses, such as penetration tools, manual or automatic scanners, or web scraping tools.\nYou can add an IP address exception and instruct the system how to handle traffic coming from that address.",
- "properties" : {
- "$action" : {
- "enum" : [
- "delete"
- ],
- "type" : "string"
- },
- "blockRequests" : {
- "default" : "policy-default",
- "description" : "Specifies how the system responds to blocking requests sent from this IP address.\n- **Policy Default:** Specifies that the Policy Blocking Settings will be used for requests from this IP address.\n- **Never Block:** Specifies that the system does not block requests sent from this IP address, even if your security policy is configured to block all traffic.\n- **Always Block:** Specifies that the system blocks requests sent from this IP address on condition that IP is denylisted is set to Block under Policy Building Settings.",
- "enum" : [
- "always",
- "never",
- "policy-default"
- ],
- "type" : "string"
- },
- "description" : {
- "description" : "Specifies a brief description of the IP address.",
- "type" : "string"
- },
- "ipAddress" : {
- "description" : "Specifies the IP address that you want the system to trust.",
- "type" : "string"
- },
- "ipMask" : {
- "default" : "255.255.255.255",
- "description" : "Specifies the netmask of the exceptional IP address. This is an optional field.",
- "type" : "string"
- },
- "neverLogRequests" : {
- "default" : false,
- "description" : "Specifies when enabled that the system does not log requests or responses sent from this IP address, even if the traffic is illegal, and even if your security policy is configured to log all traffic.",
- "type" : "boolean"
- }
- },
- "required" : [
- "ipAddress",
- "ipMask"
- ],
- "type" : "object"
- },
- "type" : "array"
- },
- {
- "$ref" : "#/definitions/reference"
- }
- ]
- },
"xml-profiles" : {
"oneOf" : [
{
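Review bot: removing `whitelist-ips` outright is a breaking change for any existing policy that carries the section, which this schema no longer describes. Since `ip-address-lists` is the replacement, either keep `whitelist-ips` as deprecated for one release or add a migration note, and say how an `ipAddress` plus `ipMask` pair maps onto the new object, which has only `ipAddress`.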
@@ -4361,6 +4789,31 @@
"description" : {
"type" : "string"
},
+ "metacharAttributeCheck" : {
+ "default" : false,
+ "type" : "boolean"
+ },
+ "metacharElementCheck" : {
+ "default" : true,
+ "type" : "boolean"
+ },
+ "metacharOverrides" : {
+ "items" : {
+ "properties" : {
+ "isAllowed" : {
+ "type" : "boolean"
+ },
+ "metachar" : {
+ "type" : "string"
+ }
+ },
+ "required" : [
+ "metachar"
+ ],
+ "type" : "object"
+ },
+ "type" : "array"
+ },
"name" : {
"type" : "string"
},
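Review bot: `metacharAttributeCheck` defaults to false while `metacharElementCheck` defaults to true, with no description for either, so the reason attributes are unchecked by default is not recorded; add descriptions for both. In `metacharOverrides`, `isAllowed` has no default and is not required, so an override with only `metachar` is valid but its effect is undefined by the schema; give `isAllowed` a default or add it to `required`.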