From f55899dfd73791f9c034fbd1916034641218040f Mon Sep 17 00:00:00 2001 From: ohad-perets Date: Mon, 27 Jan 2025 16:59:07 +0000 Subject: [PATCH] doc: Update policy schema Compiler 11.246.0-nap-release-4-13-0-13336475 (7fab3dc1) --- content/includes/nap-waf/policy.html | 1138 +++++++++++++++++++++----- data/nap-waf/schema/policy.json | 561 +++++++++++-- 2 files changed, 1446 insertions(+), 253 deletions(-) diff --git a/content/includes/nap-waf/policy.html b/content/includes/nap-waf/policy.html index 016b5004b..9c9bc348f 100644 --- a/content/includes/nap-waf/policy.html +++ b/content/includes/nap-waf/policy.html @@ -93,27 +93,34 @@

policy

+brute-force-attack-preventions +Yes +array of objects +Defines configuration for Brute Force Protection feature. There is default configuration (one with bruteForceProtectionForAllLoginPages flag and without url) that applies to all configured login URLs unless there exists another brute force configuration for a specific login page. + + + caseInsensitive No boolean Specifies whether the security policy treats microservice URLs, file types, URLs, and parameters as case sensitive or not. When this setting is enabled, the system stores these security policy elements in lowercase in the security policy configuration. - + character-sets Yes array of objects - + cookie-settings Yes object The maximum length of a cookie header name and value that the system processes. The system calculates and enforces a cookie header length based on the sum of the length of the cookie header name and value. - +

cookies

Yes

array of objects

@@ -126,42 +133,42 @@

policy

- + csrf-protection Yes object - + csrf-urls Yes array of objects - + data-guard Yes object Data Guard feature can prevent responses from exposing sensitive information by masking the data. - + description No string Specifies the description of the policy. - + disallowed-geolocations Yes array of objects Specifies a list of countries that may not access the web application. - + enforcementMode No string @@ -178,14 +185,14 @@

policy

  • transparent
    • - + enforcer-settings Yes object This section contains all enforcer settings. - +

    filetypes

    Yes

    array of objects

    @@ -199,62 +206,69 @@

    policy

    - + fullPath No string The full name of the policy including partition. - + general Yes object This section includes several advanced policy configuration settings. - + graphql-profiles Yes array of objects - + grpc-profiles Yes array of objects - + header-settings Yes object The maximum length of an HTTP header name and value that the system processes. The system calculates and enforces the HTTP header length based on the sum of the length of the HTTP header name and value. - + headers Yes array of objects This section defines Header entities for your policy. - + host-names Yes array of objects - + idl-files Yes array of objects + +ip-address-lists +Yes +array of objects +An IP address list is a list of IP addresses that you want the system to treat in a specific way for a security policy. + + json-profiles Yes @@ -270,131 +284,131 @@

    policy

    +login-pages +Yes +array of objects +A login page is a URL in a web application that requests must pass through to get to the authenticated URLs. Use login pages, for example, to prevent forceful browsing of restricted parts of the web application, by defining access permissions for users. Login pages also allow session tracking of user sessions. + + + methods Yes array of objects - + name No string The unique user-given name of the policy. Policy names cannot contain spaces or special characters. Allowed characters are a-z, A-Z, 0-9, dot, dash (-), colon (:) and underscore (_). - + open-api-files Yes array of objects - + override-rules Yes array of objects This section defines policy override rules. - + parameters Yes array of objects This section defines parameters that the security policy permits in requests. - + performStaging No boolean Determines staging handling for all applicable entities in the policy, such as signatures, URLs, parameters, and cookies. If disabled, all entities will be enforced and any violations triggered will be considered illegal. - + response-pages Yes array of objects The Security Policy has a default blocking response page that it returns to the client when the client request, or the web server response, is blocked by the security policy. You can change the way the system responds to blocked requests. All default response pages contain a variable, <%TS.request.ID()%>, that the system replaces with a support ID number when it issues the page. - + sensitive-parameters Yes array of objects This section defines sensitive parameters. The contents of these parameters are not visible in logs nor in the user interfaces. Instead of actual values a string of asterisks is shown for these parameters. Use these parameters to protect sensitive user input, such as a password or a credit card number, in a validated request. A parameter name of "password" is always defined as sensitive by default. - + server-technologies Yes array of objects The server technology is a server-side application, framework, web server or operating system type that is configured in the policy in order to adapt the policy to the checks needed for the respective technology. - + signature-requirements Yes array of objects - + signature-sets Yes array of objects Defines behavior when signatures found within a signature-set are detected in a request. Settings are culmulative, so if a signature is found in any set with block enabled, that signature will have block enabled. - + signature-settings Yes object - + signatures Yes array of objects This section defines the properties of a signature on the policy. - + template Yes object Specifies the template to populate the default attributes of a new policy. - + threat-campaigns Yes array of objects This section defines the enforcement state for the threat campaigns in the security policy. - + urls Yes array of objects In a security policy, you can manually specify the HTTP URLs that are allowed (or disallowed) in traffic to the web application being protected. When you create a security policy, wildcard URLs of * (representing all HTTP URLs) are added to the Allowed HTTP URLs lists. - + wafEngineVersion No string - -whitelist-ips -Yes -array of objects -An IP address exception is an IP address that you want the system to treat in a specific way for a security policy. You can use the IP address exception feature to create exceptions for IP addresses of internal tools that your company uses, such as penetration tools, manual or automatic scanners, or web scraping tools. You can add an IP address exception and instruct the system how to handle traffic coming from that address. - - xml-profiles Yes @@ -567,14 +581,400 @@

    keyFiles

    -fileName -string +fileName +string + + + + + +

    location

    + ++++++ + + + + + + + + + + + + + + + + + + + + + + +
    Field NameTypeDescriptionAllowed Values
    instring
      +
    • header
      • +
    • query
      • +
    namestring
    +

    usernameExtraction

    + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Field NameTypeDescriptionAllowed Values
    claimPropertyNamestring
    enabledboolean
    isMandatoryboolean
    +

    blocking-settings

    + +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Field NameReferenceTypeDescriptionAllowed Values
    evasionsYesarray of objectsThis section defines behavior of 'Evasion technique detected' (VIOL_EVASION) violation sub-violations. User can control which sub-violations are enabled (alarmed/blocked). Behavior of sub-violations depends on the block/alarm settings of 'Evasion technique detected' violation, defined in /policy/blocking-settings/violations section: - If both alarm and block are disabled - enable flag becomes irrelevant, since there will be no block/alarm for all sub-violations
    http-protocolsYesarray of objectsThis section defines behavior of 'HTTP protocol compliance failed' (VIOL_HTTP_PROTOCOL) violation sub-violations. User can control which sub-violations are enabled (alarmed/blocked). Behavior of sub-violations depends on the block/alarm settings of 'HTTP protocol compliance failed' violation, - If both alarm and block are disabled - enable flag becomes irrelevant, since there will be no block/alarm for all sub-violations
    violationsYesarray of objects
    +

    bot-defense

    + +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + +
    Field NameReferenceTypeDescriptionAllowed Values
    mitigationsYesobjectThis section defines the mitigation to each class or signature.
    settingsYesobjectThis section contains all bot defense settings.
    +

    browser-definitions

    + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Field NameTypeDescriptionAllowed Values
    isUserDefinedboolean
    matchRegexstring
    matchStringstring
    namestring
    +

    brute-force-attack-preventions

    + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Field NameTypeDescriptionAllowed Values
    bruteForceProtectionForAllLoginPagesbooleanWhen enabled, enables Brute Force Protection for all configured login URLs. When disabled, only brute force configurations for specific login pages are applied in case they exist.
    captchaBypassCriteriaobjectSpecifies configuration for CAPTCHA Bypass Mitigation.
    clientSideIntegrityBypassCriteriaobjectSpecifies configuration for Client Side Integrity Bypass Mitigation.
    detectionCriteriaobjectSpecifies configuration for detecting distributed brute force attacks.
    leakedCredentialsCriteriaobjectSpecifies configuration for Leaked Credentials Detection.
    loginAttemptsFromTheSameDeviceIdobjectSpecifies configuration for detecting brute force attacks for Device ID.
    loginAttemptsFromTheSameIpobjectSpecifies configuration for detecting brute force attacks from IP Address.
    loginAttemptsFromTheSameUserobjectSpecifies configuration for detecting brute force attacks for Username.
    measurementPeriodinteger minimum: 60 maximum: 90000Defines detection period (measured in seconds) for distributed brute force attacks.
    preventionDuration
      +
    • integer minimum: 60 maximum: 90000
      • +
    • string
      • +
    		Defines prevention period (measured in seconds) for distributed brute force attacks.
      +
    • Integer values
      • +
    • "unlimited"
      • +
    reEnableLoginAfterinteger minimum: 60 maximum: 90000Defines prevention period (measured in seconds) for source-based brute force attacks.
    sourceBasedProtectionDetectionPeriodinteger minimum: 60 maximum: 90000Defines detection period (measured in seconds) for source-based brute force attacks.
    urlobjectReference to the URL used in login URL configuration (policy/login-pages). This login URL is protected by Brute Force Protection feature.
    +

    captchaBypassCriteria

    + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Field NameTypeDescriptionAllowed Values

    action

    string

    Specifies action that is applied when defined threshold is reached.

    +
    +
      +
    • alarm-and-blocking-page: The system will log the login attempt, block the request and send the Blocking page.
      • +
    • alarm-and-drop: The system will log the login attempt and reset the TCP connection.
      • +
    • alarm-and-honeypot-page: The system will log the login attempt, block the request and send the Honeypot page. The Honeypot page is used for attacker deception. The page should look like an application failed login page. Unlike with the Blocking page, when the Honeypot page is sent an attacker is not able to distinguish a failed login response from a mitigation. As a result, the attacker will not change identity (Source IP or Device ID) and the brute force attack will be rendered ineffective. The Honeypot page is recommended when mitigation is request blocking.
      • +
    +
      +
    • alarm-and-blocking-page
      • +
    • alarm-and-drop
      • +
    • alarm-and-honeypot-page
      • +
    enabledbooleanWhen enabled, the system counts successful CAPTCHA challenges with failed logins from IP Address / Device ID.
    thresholdinteger minimum: 1 maximum: 100After configured threshold (number of successful CAPTCHA challenges with failed logins from IP Address / Device ID) defined action will be applied for the next login attempt
    +

    clientSideIntegrityBypassCriteria

    + ++++++ + + + + + + + + + + + + + + + + + + + + + + + +
    Field NameTypeDescriptionAllowed Values

    action

    string

    Specifies action that is applied when defined threshold is reached.

    +
    +
      +
    • alarm-and-captcha: The system determines whether the client is a legal browser operated by a human user by sending a CAPTCHA challenge. A login attempt is logged if the client successfully passes the CAPTCHA challenge.
      • +
    +
      +
    • alarm-and-captcha
      • +
    enabledbooleanWhen enabled, the system counts successful challenges with failed logins from IP Address / Device ID / Username. Legitimate users who have disabled JavaScripting on their browsers for security reasons will fail a client side integrity challenge.
    thresholdinteger minimum: 1 maximum: 100After configured threshold (number of successful challenges with failed logins from IP Address / Device ID / Username) defined action will be applied for the next login attempt
    -

    location

    +

    detectionCriteria

    @@ -592,23 +992,51 @@

    location

    - - - + + + - - + + + + + + + + + + + + + + + + + + + +
    instring

    action

    string

    Specifies action that is applied when one of the defined thresholds (credentialsStuffingMatchesReached, failedLoginAttemptsRateReached) is reached.

    +
    +
      +
    • alarm: The system will log the login attempt.
      • +
    • alarm-and-captcha: The system determines whether the client is a legal browser operated by a human user by sending a CAPTCHA challenge. A login attempt is logged if the client successfully passes the CAPTCHA challenge.
      • +
    • alarm-and-client-side-integrity: The system determines whether the client is a legal browser or a bot by sending a page containing JavaScript code and waiting for a response. Legal browsers are able to execute JavaScript and produce a valid response, whereas bots cannot. A login attempt is logged if the client successfully passes the Client Side Integrity challenge.
      • +
    • alarm-and-client-side-integrity-captcha: The system sends a Client Side Integrity challenge upon the first failed login attempt from a source and a CAPTCHA challenge upon second and all subsequent failed login attempts. A login attempt is logged if client successfully passes the challenge. This enforcement action should be chosen if CAPTCHA is considered intrusive. Benign users who mistype their password will likely get only the Client Side Integrity challenge, while an attacker will eventually get the CAPTCHA challenge.
      • +
    +
      -
    • header
      • -
    • query
      • +
    • alarm
      • +
    • alarm-and-captcha
      • +
    • alarm-and-client-side-integrity
      • +
    • alarm-and-client-side-integrity-captcha
    namestringcredentialsStuffingMatchesReachedinteger minimum: 1 maximum: 10000After configured threshold (number of detected login attempts that match known leaked credentials library) defined action will be applied for the next login attempt.
    detectCredentialsStuffingAttackbooleanWhen enabled, the system detects login attempts that match known leaked credentials library.
    detectDistributedBruteForceAttackbooleanWhen enabled, the system detects distributed brute force attacks.
    failedLoginAttemptsRateReachedinteger minimum: 1 maximum: 10000After configured threshold (number of failed login attempts within measurementPeriod) defined action will be applied for the next login attempt.
    -

    usernameExtraction

    +

    leakedCredentialsCriteria

    @@ -626,30 +1054,36 @@

    usernameExtraction

    - - - - + + + + - - - - - - - +
    claimPropertyNamestring

    action

    string

    Specifies action when leaked credentials detected.

    +
    +
      +
    • alarm: The system will log the login attempt.
      • +
    • alarm-and-blocking-page: The system will log the login attempt, block the request and send the Blocking page.
      • +
    • alarm-and-honeypot-page: The system will log the login attempt, block the request and send the Honeypot page. The Honeypot page is used for attacker deception. The page should look like an application failed login page. Unlike with the Blocking page, when the Honeypot page is sent an attacker is not able to distinguish a failed login response from a mitigation. As a result, the attacker will not change identity (Source IP or Device ID) and the brute force attack will be rendered ineffective. The Honeypot page is recommended when mitigation is request blocking.
      • +
    • alarm-and-leaked-credentials-response-page: The default response page warns the user that the username and password have been leaked and the password should be changed.
      • +
    +
      +
    • alarm
      • +
    • alarm-and-blocking-page
      • +
    • alarm-and-honeypot-page
      • +
    • alarm-and-leaked-credentials-response-page
      • +
    enabled boolean
    isMandatorybooleanWhen enabled, the system can match presented credentials to those in the credentials dictionary to detect leaked credentials.
    -

    blocking-settings

    +

    loginAttemptsFromTheSameDeviceId

    --+@@ -657,7 +1091,6 @@

    blocking-settings

    - @@ -665,33 +1098,46 @@

    blocking-settings

    - - - - - + + + + - - - - + + + - - - - + + +
    Field NameReference Type Description Allowed Values
    evasionsYesarray of objectsThis section defines behavior of 'Evasion technique detected' (VIOL_EVASION) violation sub-violations. User can control which sub-violations are enabled (alarmed/blocked). Behavior of sub-violations depends on the block/alarm settings of 'Evasion technique detected' violation, defined in /policy/blocking-settings/violations section: - If both alarm and block are disabled - enable flag becomes irrelevant, since there will be no block/alarm for all sub-violations

    action

    string

    Specifies action that is applied when defined threshold is reached.

    +
    +
      +
    • alarm: The system will log the login attempt.
      • +
    • alarm-and-blocking-page: The system will log the login attempt, block the request and send the Blocking page.
      • +
    • alarm-and-captcha: The system determines whether the client is a legal browser operated by a human user by sending a CAPTCHA challenge. A login attempt is logged if the client successfully passes the CAPTCHA challenge.
      • +
    • alarm-and-client-side-integrity: The system determines whether the client is a legal browser or a bot by sending a page containing JavaScript code and waiting for a response. Legal browsers are able to execute JavaScript and produce a valid response, whereas bots cannot. A login attempt is logged if the client successfully passes the Client Side Integrity challenge.
      • +
    • alarm-and-drop: The system will log the login attempt and reset the TCP connection.
      • +
    • alarm-and-honeypot-page: The system will log the login attempt, block the request and send the Honeypot page. The Honeypot page is used for attacker deception. The page should look like an application failed login page. Unlike with the Blocking page, when the Honeypot page is sent an attacker is not able to distinguish a failed login response from a mitigation. As a result, the attacker will not change identity (Source IP or Device ID) and the brute force attack will be rendered ineffective. The Honeypot page is recommended when mitigation is request blocking.
      • +
    +
      +
    • alarm
      • +
    • alarm-and-blocking-page
      • +
    • alarm-and-captcha
      • +
    • alarm-and-client-side-integrity
      • +
    • alarm-and-drop
      • +
    • alarm-and-honeypot-page
      • +
    http-protocolsYesarray of objectsThis section defines behavior of 'HTTP protocol compliance failed' (VIOL_HTTP_PROTOCOL) violation sub-violations. User can control which sub-violations are enabled (alarmed/blocked). Behavior of sub-violations depends on the block/alarm settings of 'HTTP protocol compliance failed' violation, - If both alarm and block are disabled - enable flag becomes irrelevant, since there will be no block/alarm for all sub-violationsenabledbooleanWhen enabled, the system counts failed login attempts for Device ID.
    violationsYesarray of objectsthresholdinteger minimum: 1 maximum: 100After configured threshold (number of failed login attempts for Device ID) defined action will be applied for the next login attempt.
    -

    bot-defense

    +

    loginAttemptsFromTheSameIp

    --+@@ -699,7 +1145,6 @@

    bot-defense

    - @@ -707,22 +1152,43 @@

    bot-defense

    - - - - - + + + + - - - - + + + + + + + + +
    Field NameReference Type Description Allowed Values
    mitigationsYesobjectThis section defines the mitigation to each class or signature.

    action

    string

    Specifies action that is applied when defined threshold is reached.

    +
    +
      +
    • alarm: The system will log the login attempt.
      • +
    • alarm-and-blocking-page: The system will log the login attempt, block the request and send the Blocking page.
      • +
    • alarm-and-captcha: The system determines whether the client is a legal browser operated by a human user by sending a CAPTCHA challenge. A login attempt is logged if the client successfully passes the CAPTCHA challenge.
      • +
    • alarm-and-client-side-integrity: The system determines whether the client is a legal browser or a bot by sending a page containing JavaScript code and waiting for a response. Legal browsers are able to execute JavaScript and produce a valid response, whereas bots cannot. A login attempt is logged if the client successfully passes the Client Side Integrity challenge.
      • +
    • alarm-and-drop: The system will log the login attempt and reset the TCP connection.
      • +
    • alarm-and-honeypot-page: The system will log the login attempt, block the request and send the Honeypot page. The Honeypot page is used for attacker deception. The page should look like an application failed login page. Unlike with the Blocking page, when the Honeypot page is sent an attacker is not able to distinguish a failed login response from a mitigation. As a result, the attacker will not change identity (Source IP or Device ID) and the brute force attack will be rendered ineffective. The Honeypot page is recommended when mitigation is request blocking.
      • +
    +
      +
    • alarm
      • +
    • alarm-and-blocking-page
      • +
    • alarm-and-captcha
      • +
    • alarm-and-client-side-integrity
      • +
    • alarm-and-drop
      • +
    • alarm-and-honeypot-page
      • +
    settingsYesobjectThis section contains all bot defense settings.enabledbooleanWhen enabled, the system counts failed login attempts from IP Address.
    thresholdinteger minimum: 1 maximum: 1000After configured threshold (number of failed login attempts from IP Address) defined action will be applied for the next login attempt.
    -

    browser-definitions

    +

    loginAttemptsFromTheSameUser

    @@ -740,27 +1206,32 @@

    browser-definitions

    - - - - + + + + - - - + + + - - - - - - - - - + + + @@ -2431,12 +2902,18 @@

    headers

    - + + + + + + + - + - + - + - + - + - + - + - + @@ -2523,13 +3000,13 @@

    headers

  • wildcard
    • - + - + @@ -2611,7 +3088,118 @@

    host-names

    isUserDefinedboolean

    action

    string

    Specifies action that is applied when defined threshold is reached.

    +
    +
      +
    • alarm: The system will log the login attempt.
      • +
    • alarm-and-captcha: The system determines whether the client is a legal browser operated by a human user by sending a CAPTCHA challenge. A login attempt is logged if the client successfully passes the CAPTCHA challenge.
      • +
    • alarm-and-client-side-integrity: The system determines whether the client is a legal browser or a bot by sending a page containing JavaScript code and waiting for a response. Legal browsers are able to execute JavaScript and produce a valid response, whereas bots cannot. A login attempt is logged if the client successfully passes the Client Side Integrity challenge.
      • +
    +
      +
    • alarm
      • +
    • alarm-and-captcha
      • +
    • alarm-and-client-side-integrity
      • +
    matchRegexstringenabledbooleanWhen enabled, the system counts failed login attempts for each Username.
    matchStringstring
    namestringthresholdinteger minimum: 1 maximum: 100After configured threshold (number of failed login attempts for each Username) defined action will be applied for the next login attempt.
    checkSignaturesautoDetectBinaryValue boolean
    checkSignaturesboolean

    decodeValueAsBase64

    string

    Specifies whether the the system should detect or require values to be Base64 encoded:

    @@ -2453,25 +2930,25 @@

    headers

  • required
    		•
    htmlNormalization boolean
    mandatory boolean
    maskValueInLogs boolean Specifies, when true, that the headers's value will be masked in the request log.

    name

    string

    Specifies the HTTP header name. The header name length is limited to 254 characters.

    @@ -2496,25 +2973,25 @@

    headers

    Note: Wildcards do not match regular expressions. Do not use a regular expression as a wildcard.
    normalizationViolations boolean
    percentDecoding boolean
    signatureOverrides array of objects Array of signature overrides. Specifies attack signatures whose security policy settings are overridden for this header, and which action the security policy takes when it discovers a request for this header that matches these attack signatures.
    type string Determines the type of the name attribute. Only when setting the type to wildcard will the special wildcard characters in the name be interpreted as such.
    urlNormalization boolean
    wildcardOrder integer Specifies the order index for wildcard header matching. Wildcard headers with lower wildcard order will get checked for a match prior to headers with higher wildcard order.
    -

    idl-files

    +

    idl-files

    + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Field NameTypeDescriptionAllowed Values
    contentsstring
    fileNamestring
    isBase64boolean
    +

    ip-address-lists

    + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Field NameTypeDescriptionAllowed Values

    blockRequests

    string

    +
    Specifies how the system responds to blocking requests sent from this IP address list.
    +
      +
    • Policy Default: Specifies that the Policy Blocking Settings will be used for requests from this IP address list.
      • +
    • Never Block: Specifies that the system does not block requests sent from this IP address list, even if your security policy is configured to block all traffic.
      • +
    • Always Block: Specifies that the system blocks requests sent from this IP address list.
      • +
    +
    +
    +

    Optional

      +
    • always
      • +
    • never
      • +
    • policy-default
      • +
    descriptionstringSpecifies a brief description of the IP address list. Optional
    ipAddressesarray of objectsSpecifies the IP addresses.
    matchOrderintegerSpecifies the order index for IP Address List matching. If unspecified, the order is implicitly as the lists appear in the policy. IP Address Groups with a lower matchOrder will be checked for a match prior to items with higher matchOrder.
    namestringSpecifies the name of ip address list.
    neverLogRequestsbooleanSpecifies when enabled that the system does not log requests or responses sent from this IP address list, even if the traffic is illegal, and even if your security policy is configured to log all traffic.
    setGeolocationstringSpecifies a geolocation to be associated for this IP address list. Optional
    +

    ipAddresses

    @@ -2629,23 +3217,11 @@

    idl-files

    - - - - - - - + - - - - - -
    contentsstring
    fileNameipAddress string
    isBase64boolean

    json-profiles

    @@ -2967,6 +3543,170 @@

    json-validation-files

    +

    login-pages

    + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Field NameTypeDescriptionAllowed Values
    accessValidationobjectAccess Validation define validation criteria for the login page response. If you define more than one validation criteria, the response must meet all the criteria before the system allows the user to access the application login URL.

    authenticationType

    string

    Authentication Type is method the web server uses to authenticate the login URL's credentials with a web user.

    +
    +
      +
    • none: The web server does not authenticate users trying to access the web application through the login URL. This is the default setting.
      • +
    • form: The web application uses a form to collect and authenticate user credentials. If using this option, you also need to type the user name and password parameters written in the code of the HTML form.
      • +
    • http-basic: The user name and password are transmitted in Base64 and stored on the server in plain text.
      • +
    • http-digest: The web server performs the authentication; user names and passwords are not transmitted over the network, nor are they stored in plain text.
      • +
    • ntlm: Microsoft LAN Manager authentication (also called Integrated Windows Authentication) does not transmit credentials in plain text, but requires a continuous TCP connection between the server and client.
      • +
    • ajax-or-json-request: The web server uses JSON and AJAX requests to authenticate users trying to access the web application through the login URL. For this option, you also need to type the name of the JSON element containing the user name and password.
      • +
    +
      +
    • ajax-or-json-request
      • +
    • form
      • +
    • http-basic
      • +
    • http-digest
      • +
    • none
      • +
    • ntlm
      • +
    • request-body
      • +
    passwordParameterNamestringA name of parameter which will contain password string.
    passwordRegexstring
    urlobjectURL string used for login page.
    usernameParameterNamestringA name of parameter which will contain username string.
    usernameRegexstring
    +

    accessValidation

    + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Field NameTypeDescriptionAllowed Values
    cookieContainsstringA defined domain cookie name that the response to the login URL must match to permit user access to the authenticated URL.
    headerContainsstringA header name and value that the response to the login URL must match to permit user access to the authenticated URL.
    headerContainsMatchConditionstring
      +
    • exact
      • +
    • regex
      • +
    headerOmitsstringA header name and value that indicates a failed login attempt and prohibits user access to the authenticated URL.
    headerOmitsMatchConditionstring
      +
    • exact
      • +
    • regex
      • +
    parameterContainsstringA parameter that must exist in the login URL's HTML body to allow access to the authenticated URL.
    responseContainsstringA string that must appear in the response for the system to allow the user to access the authenticated URL; for example, "Successful Login".
    responseHttpStatusstringAn HTTP response code that the server must return to the user to allow access to the authenticated URL; for example, "200".
    responseHttpStatusOmitsarray of stringsAn HTTP response code that indicates a failed login attempt and prohibits user access to the authenticated URL.
    responseOmitsstringA string that indicates a failed login attempt and prohibits user access to the authenticated URL; for example, "Authentication failed".

    methods

    @@ -5223,12 +5963,21 @@

    urlContentProfiles

    + + + + + + - + - + - +
    decodeValueAsBase64string
      +
    • disabled
      • +
    • required
      • +
    headerName string Specifies an explicit header name that must appear in requests for this URL. This field is not case-sensitive.
    headerOrder
    • integer
      • @@ -5240,13 +5989,13 @@

      urlContentProfiles

    • "default"
    headerValue string Specifies a simple pattern string (glob pattern matching) for the header value that must appear in legal requests for this URL; for example, json, xml_method?, or method[0-9]. If the header includes this pattern, the system assumes the request contains the type of data you select in the Request Body Handling setting. This field is case-sensitive.
    type string
      @@ -5328,7 +6077,7 @@

      urls
    -

    whitelist-ips

    +

    xml-profiles

    @@ -5346,97 +6095,54 @@

    whitelist-ips

    - - - - + + + + - - - + + + - + - - - - - - - - + + - + - -
    blockRequestsstring
    -
    Specifies how the system responds to blocking requests sent from this IP address.
    -
      -
    • Policy Default: Specifies that the Policy Blocking Settings will be used for requests from this IP address.
      • -
    • Never Block: Specifies that the system does not block requests sent from this IP address, even if your security policy is configured to block all traffic.
      • -
    • Always Block: Specifies that the system blocks requests sent from this IP address on condition that IP is denylisted is set to Block under Policy Building Settings.
      • -
    -
    -
      -
    • always
      • -
    • never
      • -
    • policy-default
      • -
    		attackSignaturesCheckboolean
    descriptionstringSpecifies a brief description of the IP address.defenseAttributesobject
    ipAddressdescription stringSpecifies the IP address that you want the system to trust.
    ipMaskstringSpecifies the netmask of the exceptional IP address. This is an optional field.
    neverLogRequests
    metacharAttributeCheck booleanSpecifies when enabled that the system does not log requests or responses sent from this IP address, even if the traffic is illegal, and even if your security policy is configured to log all traffic.
    -

    xml-profiles

    - ------ - - - - - - - - - - + - - + + - - - - - - - + - + @@ -5613,6 +6319,37 @@

    defenseAttributes

    Field NameTypeDescriptionAllowed Values
    attackSignaturesCheckmetacharElementCheck boolean
    defenseAttributesobjectmetacharOverridesarray of objects
    descriptionstring
    name string
    signatureOverrides array of objects
    useXmlResponsePage boolean
    +

    metacharOverrides

    + ++++++ + + + + + + + + + + + + + + + + + + + + + + +
    Field NameTypeDescriptionAllowed Values
    isAllowedboolean
    metacharstring

    signatureOverrides

    @@ -5832,6 +6569,8 @@

    violations

  • VIOL_ACCESS_MISSING
  • VIOL_ASM_COOKIE_MODIFIED
  • VIOL_BLACKLISTED_IP
    • +
  • VIOL_BOT_CLIENT
    • +
  • VIOL_BRUTE_FORCE
  • VIOL_COOKIE_EXPIRED
  • VIOL_COOKIE_LENGTH
  • VIOL_COOKIE_MALFORMED
    • @@ -5858,6 +6597,7 @@

    violations

  • VIOL_JSON_FORMAT
  • VIOL_JSON_MALFORMED
  • VIOL_JSON_SCHEMA
    • +
  • VIOL_LOGIN
  • VIOL_MANDATORY_HEADER
  • VIOL_MANDATORY_PARAMETER
  • VIOL_MANDATORY_REQUEST_BODY
    • diff --git a/data/nap-waf/schema/policy.json b/data/nap-waf/schema/policy.json index a27b4ad42..d833d8442 100644 --- a/data/nap-waf/schema/policy.json +++ b/data/nap-waf/schema/policy.json @@ -370,6 +370,8 @@ "VIOL_ACCESS_MISSING", "VIOL_ASM_COOKIE_MODIFIED", "VIOL_BLACKLISTED_IP", + "VIOL_BOT_CLIENT", + "VIOL_BRUTE_FORCE", "VIOL_COOKIE_EXPIRED", "VIOL_COOKIE_LENGTH", "VIOL_COOKIE_MALFORMED", @@ -396,6 +398,7 @@ "VIOL_JSON_FORMAT", "VIOL_JSON_MALFORMED", "VIOL_JSON_SCHEMA", + "VIOL_LOGIN", "VIOL_MANDATORY_HEADER", "VIOL_MANDATORY_PARAMETER", "VIOL_MANDATORY_REQUEST_BODY", @@ -707,6 +710,287 @@ } ] }, + "brute-force-attack-preventions" : { + "oneOf" : [ + { + "items" : { + "description" : "Defines configuration for Brute Force Protection feature.\nThere is default configuration (one with bruteForceProtectionForAllLoginPages flag and without url) that applies to all configured login URLs unless there exists another brute force configuration for a specific login page.", + "properties" : { + "$action" : { + "enum" : [ + "delete" + ], + "type" : "string" + }, + "bruteForceProtectionForAllLoginPages" : { + "default" : false, + "description" : "When enabled, enables Brute Force Protection for all configured login URLs.\nWhen disabled, only brute force configurations for specific login pages are applied in case they exist.", + "type" : "boolean" + }, + "captchaBypassCriteria" : { + "description" : "Specifies configuration for CAPTCHA Bypass Mitigation.", + "properties" : { + "action" : { + "default" : "alarm-and-drop", + "description" : "Specifies action that is applied when defined threshold is reached.\n\n- **alarm-and-blocking-page**: The system will log the login attempt, block the request and send the Blocking page.\n- **alarm-and-drop**: The system will log the login attempt and reset the TCP connection.\n- **alarm-and-honeypot-page**: The system will log the login attempt, block the request and send the Honeypot page. The Honeypot page is used for attacker deception. The page should look like an application failed login page. Unlike with the Blocking page, when the Honeypot page is sent an attacker is not able to distinguish a failed login response from a mitigation. As a result, the attacker will not change identity (Source IP or Device ID) and the brute force attack will be rendered ineffective. The Honeypot page is recommended when mitigation is request blocking.", + "enum" : [ + "alarm-and-blocking-page", + "alarm-and-drop", + "alarm-and-honeypot-page" + ], + "type" : "string" + }, + "enabled" : { + "default" : true, + "description" : "When enabled, the system counts successful CAPTCHA challenges with failed logins from IP Address / Device ID.", + "type" : "boolean" + }, + "threshold" : { + "default" : 5, + "description" : "After configured threshold (number of successful CAPTCHA challenges with failed logins from IP Address / Device ID) defined action will be applied for the next login attempt", + "maximum" : 100, + "minimum" : 1, + "type" : "integer" + } + }, + "type" : "object" + }, + "clientSideIntegrityBypassCriteria" : { + "description" : "Specifies configuration for Client Side Integrity Bypass Mitigation.", + "properties" : { + "action" : { + "default" : "alarm-and-captcha", + "description" : "Specifies action that is applied when defined threshold is reached.\n\n- **alarm-and-captcha**: The system determines whether the client is a legal browser operated by a human user by sending a CAPTCHA challenge. A login attempt is logged if the client successfully passes the CAPTCHA challenge.", + "enum" : [ + "alarm-and-captcha" + ], + "type" : "string" + }, + "enabled" : { + "default" : false, + "description" : "When enabled, the system counts successful challenges with failed logins from IP Address / Device ID / Username.\nLegitimate users who have disabled JavaScripting on their browsers for security reasons will fail a client side integrity challenge.", + "type" : "boolean" + }, + "threshold" : { + "default" : 3, + "description" : "After configured threshold (number of successful challenges with failed logins from IP Address / Device ID / Username) defined action will be applied for the next login attempt", + "maximum" : 100, + "minimum" : 1, + "type" : "integer" + } + }, + "type" : "object" + }, + "detectionCriteria" : { + "description" : "Specifies configuration for detecting distributed brute force attacks.", + "properties" : { + "action" : { + "default" : "alarm", + "description" : "Specifies action that is applied when one of the defined thresholds (credentialsStuffingMatchesReached, failedLoginAttemptsRateReached) is reached.\n\n- **alarm**: The system will log the login attempt.\n- **alarm-and-captcha**: The system determines whether the client is a legal browser operated by a human user by sending a CAPTCHA challenge. A login attempt is logged if the client successfully passes the CAPTCHA challenge.\n- **alarm-and-client-side-integrity**: The system determines whether the client is a legal browser or a bot by sending a page containing JavaScript code and waiting for a response. Legal browsers are able to execute JavaScript and produce a valid response, whereas bots cannot. A login attempt is logged if the client successfully passes the Client Side Integrity challenge.\n- **alarm-and-client-side-integrity-captcha**: The system sends a Client Side Integrity challenge upon the first failed login attempt from a source and a CAPTCHA challenge upon second and all subsequent failed login attempts. A login attempt is logged if client successfully passes the challenge. This enforcement action should be chosen if CAPTCHA is considered intrusive. Benign users who mistype their password will likely get only the Client Side Integrity challenge, while an attacker will eventually get the CAPTCHA challenge.", + "enum" : [ + "alarm", + "alarm-and-captcha", + "alarm-and-client-side-integrity", + "alarm-and-client-side-integrity-captcha" + ], + "type" : "string" + }, + "credentialsStuffingMatchesReached" : { + "default" : 100, + "description" : "After configured threshold (number of detected login attempts that match known leaked credentials library) defined action will be applied for the next login attempt.", + "maximum" : 10000, + "minimum" : 1, + "type" : "integer" + }, + "detectCredentialsStuffingAttack" : { + "default" : true, + "description" : "When enabled, the system detects login attempts that match known leaked credentials library.", + "type" : "boolean" + }, + "detectDistributedBruteForceAttack" : { + "default" : true, + "description" : "When enabled, the system detects distributed brute force attacks.", + "type" : "boolean" + }, + "failedLoginAttemptsRateReached" : { + "default" : 100, + "description" : "After configured threshold (number of failed login attempts within measurementPeriod) defined action will be applied for the next login attempt. ", + "maximum" : 10000, + "minimum" : 1, + "type" : "integer" + } + }, + "type" : "object" + }, + "leakedCredentialsCriteria" : { + "description" : "Specifies configuration for Leaked Credentials Detection.", + "properties" : { + "action" : { + "default" : "alarm-and-blocking-page", + "description" : "Specifies action when leaked credentials detected.\n\n- **alarm**: The system will log the login attempt.\n- **alarm-and-blocking-page**: The system will log the login attempt, block the request and send the Blocking page.\n- **alarm-and-honeypot-page**: The system will log the login attempt, block the request and send the Honeypot page. The Honeypot page is used for attacker deception. The page should look like an application failed login page. Unlike with the Blocking page, when the Honeypot page is sent an attacker is not able to distinguish a failed login response from a mitigation. As a result, the attacker will not change identity (Source IP or Device ID) and the brute force attack will be rendered ineffective. The Honeypot page is recommended when mitigation is request blocking.\n- **alarm-and-leaked-credentials-response-page**: The default response page warns the user that the username and password have been leaked and the password should be changed.", + "enum" : [ + "alarm", + "alarm-and-blocking-page", + "alarm-and-honeypot-page", + "alarm-and-leaked-credentials-response-page" + ], + "type" : "string" + }, + "enabled" : { + "default" : false, + "description" : "When enabled, the system can match presented credentials to those in the credentials dictionary to detect leaked credentials.", + "type" : "boolean" + } + }, + "type" : "object" + }, + "loginAttemptsFromTheSameDeviceId" : { + "description" : "Specifies configuration for detecting brute force attacks for Device ID.", + "properties" : { + "action" : { + "default" : "alarm", + "description" : "Specifies action that is applied when defined threshold is reached.\n\n- **alarm**: The system will log the login attempt.\n- **alarm-and-blocking-page**: The system will log the login attempt, block the request and send the Blocking page.\n- **alarm-and-captcha**: The system determines whether the client is a legal browser operated by a human user by sending a CAPTCHA challenge. A login attempt is logged if the client successfully passes the CAPTCHA challenge.\n- **alarm-and-client-side-integrity**: The system determines whether the client is a legal browser or a bot by sending a page containing JavaScript code and waiting for a response. Legal browsers are able to execute JavaScript and produce a valid response, whereas bots cannot. A login attempt is logged if the client successfully passes the Client Side Integrity challenge.\n- **alarm-and-drop**: The system will log the login attempt and reset the TCP connection.\n- **alarm-and-honeypot-page**: The system will log the login attempt, block the request and send the Honeypot page. The Honeypot page is used for attacker deception. The page should look like an application failed login page. Unlike with the Blocking page, when the Honeypot page is sent an attacker is not able to distinguish a failed login response from a mitigation. As a result, the attacker will not change identity (Source IP or Device ID) and the brute force attack will be rendered ineffective. The Honeypot page is recommended when mitigation is request blocking.", + "enum" : [ + "alarm", + "alarm-and-blocking-page", + "alarm-and-captcha", + "alarm-and-client-side-integrity", + "alarm-and-drop", + "alarm-and-honeypot-page" + ], + "type" : "string" + }, + "enabled" : { + "default" : false, + "description" : "When enabled, the system counts failed login attempts for Device ID.", + "type" : "boolean" + }, + "threshold" : { + "default" : 3, + "description" : "After configured threshold (number of failed login attempts for Device ID) defined action will be applied for the next login attempt.", + "maximum" : 100, + "minimum" : 1, + "type" : "integer" + } + }, + "type" : "object" + }, + "loginAttemptsFromTheSameIp" : { + "description" : "Specifies configuration for detecting brute force attacks from IP Address.", + "properties" : { + "action" : { + "default" : "alarm-and-blocking-page", + "description" : "Specifies action that is applied when defined threshold is reached.\n\n- **alarm**: The system will log the login attempt.\n- **alarm-and-blocking-page**: The system will log the login attempt, block the request and send the Blocking page.\n- **alarm-and-captcha**: The system determines whether the client is a legal browser operated by a human user by sending a CAPTCHA challenge. A login attempt is logged if the client successfully passes the CAPTCHA challenge.\n- **alarm-and-client-side-integrity**: The system determines whether the client is a legal browser or a bot by sending a page containing JavaScript code and waiting for a response. Legal browsers are able to execute JavaScript and produce a valid response, whereas bots cannot. A login attempt is logged if the client successfully passes the Client Side Integrity challenge.\n- **alarm-and-drop**: The system will log the login attempt and reset the TCP connection.\n- **alarm-and-honeypot-page**: The system will log the login attempt, block the request and send the Honeypot page. The Honeypot page is used for attacker deception. The page should look like an application failed login page. Unlike with the Blocking page, when the Honeypot page is sent an attacker is not able to distinguish a failed login response from a mitigation. As a result, the attacker will not change identity (Source IP or Device ID) and the brute force attack will be rendered ineffective. The Honeypot page is recommended when mitigation is request blocking.", + "enum" : [ + "alarm", + "alarm-and-blocking-page", + "alarm-and-captcha", + "alarm-and-client-side-integrity", + "alarm-and-drop", + "alarm-and-honeypot-page" + ], + "type" : "string" + }, + "enabled" : { + "default" : true, + "description" : "When enabled, the system counts failed login attempts from IP Address.", + "type" : "boolean" + }, + "threshold" : { + "default" : 20, + "description" : "After configured threshold (number of failed login attempts from IP Address) defined action will be applied for the next login attempt.", + "maximum" : 1000, + "minimum" : 1, + "type" : "integer" + } + }, + "type" : "object" + }, + "loginAttemptsFromTheSameUser" : { + "description" : "Specifies configuration for detecting brute force attacks for Username.", + "properties" : { + "action" : { + "default" : "alarm", + "description" : "Specifies action that is applied when defined threshold is reached.\n\n- **alarm**: The system will log the login attempt.\n- **alarm-and-captcha**: The system determines whether the client is a legal browser operated by a human user by sending a CAPTCHA challenge. A login attempt is logged if the client successfully passes the CAPTCHA challenge.\n- **alarm-and-client-side-integrity**: The system determines whether the client is a legal browser or a bot by sending a page containing JavaScript code and waiting for a response. Legal browsers are able to execute JavaScript and produce a valid response, whereas bots cannot. A login attempt is logged if the client successfully passes the Client Side Integrity challenge.", + "enum" : [ + "alarm", + "alarm-and-captcha", + "alarm-and-client-side-integrity" + ], + "type" : "string" + }, + "enabled" : { + "default" : true, + "description" : "When enabled, the system counts failed login attempts for each Username.", + "type" : "boolean" + }, + "threshold" : { + "default" : 5, + "description" : "After configured threshold (number of failed login attempts for each Username) defined action will be applied for the next login attempt.", + "maximum" : 100, + "minimum" : 1, + "type" : "integer" + } + }, + "type" : "object" + }, + "measurementPeriod" : { + "default" : 900, + "description" : "Defines detection period (measured in seconds) for distributed brute force attacks.", + "maximum" : 90000, + "minimum" : 60, + "type" : "integer" + }, + "preventionDuration" : { + "default" : "3600", + "description" : "Defines prevention period (measured in seconds) for distributed brute force attacks.", + "oneOf" : [ + { + "maximum" : 90000, + "minimum" : 60, + "type" : "integer" + }, + { + "enum" : [ + "unlimited" + ], + "type" : "string" + }, + { + "pattern" : "\\d+$", + "type" : "string" + } + ] + }, + "reEnableLoginAfter" : { + "default" : 3600, + "description" : "Defines prevention period (measured in seconds) for source-based brute force attacks.", + "maximum" : 90000, + "minimum" : 60, + "type" : "integer" + }, + "sourceBasedProtectionDetectionPeriod" : { + "default" : 3600, + "description" : "Defines detection period (measured in seconds) for source-based brute force attacks.", + "maximum" : 90000, + "minimum" : 60, + "type" : "integer" + }, + "url" : { + "$ref" : "#/properties/policy/properties/urls/oneOf/0/items", + "description" : "Reference to the URL used in login URL configuration (policy/login-pages). This login URL is protected by Brute Force Protection feature.", + "type" : "object" + } + }, + "type" : "object" + }, + "type" : "array" + }, + { + "$ref" : "#/definitions/reference" + } + ] + }, "caseInsensitive" : { "default" : false, "description" : "Specifies whether the security policy treats microservice URLs, file types, URLs, and parameters as case sensitive or not. When this setting is enabled, the system stores these security policy elements in lowercase in the security policy configuration.", @@ -2050,6 +2334,10 @@ "default" : true, "type" : "boolean" }, + "autoDetectBinaryValue" : { + "default" : false, + "type" : "boolean" + }, "checkSignatures" : { "default" : true, "type" : "boolean" @@ -2245,6 +2533,77 @@ } ] }, + "ip-address-lists" : { + "oneOf" : [ + { + "items" : { + "description" : "An IP address list is a list of IP addresses that you want the system to treat in a specific way for a security policy.", + "properties" : { + "$action" : { + "enum" : [ + "delete" + ], + "type" : "string" + }, + "blockRequests" : { + "default" : "policy-default", + "description" : "Specifies how the system responds to blocking requests sent from this IP address list.\n- **Policy Default:** Specifies that the Policy Blocking Settings will be used for requests from this IP address list.\n- **Never Block:** Specifies that the system does not block requests sent from this IP address list, even if your security policy is configured to block all traffic.\n- **Always Block:** Specifies that the system blocks requests sent from this IP address list.\nOptional", + "enum" : [ + "always", + "never", + "policy-default" + ], + "type" : "string" + }, + "description" : { + "description" : "Specifies a brief description of the IP address list. Optional", + "type" : "string" + }, + "ipAddresses" : { + "description" : "Specifies the IP addresses.", + "items" : { + "properties" : { + "ipAddress" : { + "type" : "string" + } + }, + "required" : [ + "ipAddress" + ], + "type" : "object" + }, + "type" : "array" + }, + "matchOrder" : { + "description" : "Specifies the order index for IP Address List matching. If unspecified, the order is implicitly as the lists appear in the policy.\nIP Address Groups with a lower matchOrder will be checked for a match prior to items with higher matchOrder.", + "type" : "integer" + }, + "name" : { + "description" : "Specifies the name of ip address list.", + "type" : "string" + }, + "neverLogRequests" : { + "default" : false, + "description" : "Specifies when enabled that the system does not log requests or responses sent from this IP address list, even if the traffic is illegal, and even if your security policy is configured to log all traffic.", + "type" : "boolean" + }, + "setGeolocation" : { + "description" : "Specifies a geolocation to be associated for this IP address list. Optional", + "type" : "string" + } + }, + "required" : [ + "name" + ], + "type" : "object" + }, + "type" : "array" + }, + { + "$ref" : "#/definitions/reference" + } + ] + }, "json-profiles" : { "oneOf" : [ { @@ -2538,6 +2897,121 @@ } ] }, + "login-pages" : { + "oneOf" : [ + { + "items" : { + "description" : "A login page is a URL in a web application that requests must pass through to get to the authenticated URLs. Use login pages, for example, to prevent forceful browsing of restricted parts of the web application, by defining access permissions for users. Login pages also allow session tracking of user sessions.", + "properties" : { + "$action" : { + "enum" : [ + "delete" + ], + "type" : "string" + }, + "accessValidation" : { + "description" : "Access Validation define validation criteria for the login page response. If you define more than one validation criteria, the response must meet all the criteria before the system allows the user to access the application login URL.", + "properties" : { + "cookieContains" : { + "description" : "A defined domain cookie name that the response to the login URL must match to permit user access to the authenticated URL.", + "type" : "string" + }, + "headerContains" : { + "description" : "A header name and value that the response to the login URL must match to permit user access to the authenticated URL.", + "type" : "string" + }, + "headerContainsMatchCondition" : { + "default" : "exact", + "enum" : [ + "exact", + "regex" + ], + "type" : "string" + }, + "headerOmits" : { + "description" : "A header name and value that indicates a failed login attempt and prohibits user access to the authenticated URL.", + "type" : "string" + }, + "headerOmitsMatchCondition" : { + "default" : "exact", + "enum" : [ + "exact", + "regex" + ], + "type" : "string" + }, + "parameterContains" : { + "description" : "A parameter that must exist in the login URL's HTML body to allow access to the authenticated URL.", + "type" : "string" + }, + "responseContains" : { + "description" : "A string that must appear in the response for the system to allow the user to access the authenticated URL; for example, \"Successful Login\".", + "type" : "string" + }, + "responseHttpStatus" : { + "description" : "An HTTP response code that the server must return to the user to allow access to the authenticated URL; for example, \"200\".", + "type" : "string" + }, + "responseHttpStatusOmits" : { + "description" : "An HTTP response code that indicates a failed login attempt and prohibits user access to the authenticated URL.", + "items" : { + "type" : "string" + }, + "type" : "array" + }, + "responseOmits" : { + "description" : "A string that indicates a failed login attempt and prohibits user access to the authenticated URL; for example, \"Authentication failed\".", + "type" : "string" + } + }, + "type" : "object" + }, + "authenticationType" : { + "default" : "none", + "description" : "Authentication Type is method the web server uses to authenticate the login URL's credentials with a web user.\n\n- **none**: The web server does not authenticate users trying to access the web application through the login URL. This is the default setting.\n- **form**: The web application uses a form to collect and authenticate user credentials. If using this option, you also need to type the user name and password parameters written in the code of the HTML form.\n- **http-basic**: The user name and password are transmitted in Base64 and stored on the server in plain text.\n- **http-digest**: The web server performs the authentication; user names and passwords are not transmitted over the network, nor are they stored in plain text.\n- **ntlm**: Microsoft LAN Manager authentication (also called Integrated Windows Authentication) does not transmit credentials in plain text, but requires a continuous TCP connection between the server and client.\n- **ajax-or-json-request**: The web server uses JSON and AJAX requests to authenticate users trying to access the web application through the login URL. For this option, you also need to type the name of the JSON element containing the user name and password.", + "enum" : [ + "ajax-or-json-request", + "form", + "http-basic", + "http-digest", + "none", + "ntlm", + "request-body" + ], + "type" : "string" + }, + "passwordParameterName" : { + "description" : "A name of parameter which will contain password string.", + "type" : "string" + }, + "passwordRegex" : { + "type" : "string" + }, + "url" : { + "$ref" : "#/properties/policy/properties/urls/oneOf/0/items", + "description" : "URL string used for login page.", + "type" : "object" + }, + "usernameParameterName" : { + "description" : "A name of parameter which will contain username string.", + "type" : "string" + }, + "usernameRegex" : { + "type" : "string" + } + }, + "required" : [ + "url" + ], + "type" : "object" + }, + "type" : "array" + }, + { + "$ref" : "#/definitions/reference" + } + ] + }, "methods" : { "oneOf" : [ { @@ -4002,6 +4476,14 @@ }, "type" : "object" }, + "decodeValueAsBase64" : { + "default" : "disabled", + "enum" : [ + "disabled", + "required" + ], + "type" : "string" + }, "headerName" : { "default" : "*", "description" : "Specifies an explicit header name that must appear in requests for this URL. This field is not case-sensitive.", @@ -4076,60 +4558,6 @@ "wafEngineVersion" : { "type" : "string" }, - "whitelist-ips" : { - "oneOf" : [ - { - "items" : { - "description" : "An IP address exception is an IP address that you want the system to treat in a specific way for a security policy.\nYou can use the IP address exception feature to create exceptions for IP addresses of internal tools that your company uses, such as penetration tools, manual or automatic scanners, or web scraping tools.\nYou can add an IP address exception and instruct the system how to handle traffic coming from that address.", - "properties" : { - "$action" : { - "enum" : [ - "delete" - ], - "type" : "string" - }, - "blockRequests" : { - "default" : "policy-default", - "description" : "Specifies how the system responds to blocking requests sent from this IP address.\n- **Policy Default:** Specifies that the Policy Blocking Settings will be used for requests from this IP address.\n- **Never Block:** Specifies that the system does not block requests sent from this IP address, even if your security policy is configured to block all traffic.\n- **Always Block:** Specifies that the system blocks requests sent from this IP address on condition that IP is denylisted is set to Block under Policy Building Settings.", - "enum" : [ - "always", - "never", - "policy-default" - ], - "type" : "string" - }, - "description" : { - "description" : "Specifies a brief description of the IP address.", - "type" : "string" - }, - "ipAddress" : { - "description" : "Specifies the IP address that you want the system to trust.", - "type" : "string" - }, - "ipMask" : { - "default" : "255.255.255.255", - "description" : "Specifies the netmask of the exceptional IP address. This is an optional field.", - "type" : "string" - }, - "neverLogRequests" : { - "default" : false, - "description" : "Specifies when enabled that the system does not log requests or responses sent from this IP address, even if the traffic is illegal, and even if your security policy is configured to log all traffic.", - "type" : "boolean" - } - }, - "required" : [ - "ipAddress", - "ipMask" - ], - "type" : "object" - }, - "type" : "array" - }, - { - "$ref" : "#/definitions/reference" - } - ] - }, "xml-profiles" : { "oneOf" : [ { @@ -4361,6 +4789,31 @@ "description" : { "type" : "string" }, + "metacharAttributeCheck" : { + "default" : false, + "type" : "boolean" + }, + "metacharElementCheck" : { + "default" : true, + "type" : "boolean" + }, + "metacharOverrides" : { + "items" : { + "properties" : { + "isAllowed" : { + "type" : "boolean" + }, + "metachar" : { + "type" : "string" + } + }, + "required" : [ + "metachar" + ], + "type" : "object" + }, + "type" : "array" + }, "name" : { "type" : "string" },