diff --git a/content/includes/nap-waf/policy.html b/content/includes/nap-waf/policy.html index de530f555..b76ab5fb3 100644 --- a/content/includes/nap-waf/policy.html +++ b/content/includes/nap-waf/policy.html @@ -270,153 +270,160 @@

policy

+ip-intelligence +Yes +object + + + + json-profiles Yes array of objects - + json-validation-files Yes array of objects - + login-enforcement Yes object - + login-pages Yes array of objects A login page is a URL in a web application that requests must pass through to get to the authenticated URLs. Use login pages, for example, to prevent forceful browsing of restricted parts of the web application, by defining access permissions for users. Login pages also allow session tracking of user sessions. - + methods Yes array of objects - + name No string The unique user-given name of the policy. Policy names cannot contain spaces or special characters. Allowed characters are a-z, A-Z, 0-9, dot, dash (-), colon (:) and underscore (_). - + open-api-files Yes array of objects - + override-rules Yes array of objects This section defines policy override rules. - + parameters Yes array of objects This section defines parameters that the security policy permits in requests. - + performStaging No boolean Determines staging handling for all applicable entities in the policy, such as signatures, URLs, parameters, and cookies. If disabled, all entities will be enforced and any violations triggered will be considered illegal. - + response-pages Yes array of objects The Security Policy has a default blocking response page that it returns to the client when the client request, or the web server response, is blocked by the security policy. You can change the way the system responds to blocked requests. All default response pages contain a variable, <%TS.request.ID()%>, that the system replaces with a support ID number when it issues the page. - + sensitive-parameters Yes array of objects This section defines sensitive parameters. The contents of these parameters are not visible in logs nor in the user interfaces. Instead of actual values a string of asterisks is shown for these parameters. 
Use these parameters to protect sensitive user input, such as a password or a credit card number, in a validated request. A parameter name of "password" is always defined as sensitive by default. - + server-technologies Yes array of objects The server technology is a server-side application, framework, web server or operating system type that is configured in the policy in order to adapt the policy to the checks needed for the respective technology. - + signature-requirements Yes array of objects - + signature-sets Yes array of objects Defines behavior when signatures found within a signature-set are detected in a request. Settings are culmulative, so if a signature is found in any set with block enabled, that signature will have block enabled. - + signature-settings Yes object - + signatures Yes array of objects This section defines the properties of a signature on the policy. - + template Yes object Specifies the template to populate the default attributes of a new policy. - + threat-campaigns Yes array of objects This section defines the enforcement state for the threat campaigns in the security policy. - + urls Yes array of objects In a security policy, you can manually specify the HTTP URLs that are allowed (or disallowed) in traffic to the web application being protected. When you create a security policy, wildcard URLs of * (representing all HTTP URLs) are added to the Allowed HTTP URLs lists. - + wafEngineVersion No string - + xml-profiles Yes array of objects @@ -2925,6 +2932,87 @@

ipAddresses

+

ip-intelligence

+ ++++++ + + + + + + + + + + + + + + + + + + + + + + +
Field NameTypeDescriptionAllowed Values
enabledboolean
ipIntelligenceCategoriesarray of objects
+

ipIntelligenceCategories

+ ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Field NameTypeDescriptionAllowed Values
alarmboolean
blockboolean
categorystring
    +
  • Anonymous Proxy
  • +
  • BotNets
  • +
  • Cloud-based Services
  • +
  • Denial of Service
  • +
  • Infected Sources
  • +
  • Mobile Threats
  • +
  • Phishing Proxies
  • +
  • Scanners
  • +
  • Spam Sources
  • +
  • Tor Proxies
  • +
  • Web Attacks
  • +
  • Windows Exploits
  • +

json-profiles

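Review bot: the new `ip-intelligence` and `ipIntelligenceCategories` tables leave every Description cell empty (`enabled`, `ipIntelligenceCategories`, `alarm`, `block`, `category`), and the `ip-intelligence` row added to the top-level policy table in the first hunk has no description either, while the neighbouring `login-pages`, `parameters` and `urls` rows explain what the section does. The schema part of this same change gives `enabled`, `alarm` and `block` a `"default" : false` and marks `category` as `required`, so the tables should at least say that: for example "Enables IP intelligence checks for the policy. Default: false." on `enabled`, and "The IP intelligence category the entry applies to (required)." on `category`. The twelve Allowed Values listed for `category` do match the twelve values of the schema enum, which is good. One pre-existing context line in the first hunk, the `signature-sets` description, spells "culmulative"; worth correcting to "cumulative" while the table is being touched.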
@@ -3359,6 +3447,7 @@

login-pages

  • http-digest: The web server performs the authentication; user names and passwords are not transmitted over the network, nor are they stored in plain text.
  • ntlm: Microsoft LAN Manager authentication (also called Integrated Windows Authentication) does not transmit credentials in plain text, but requires a continuous TCP connection between the server and client.
  • ajax-or-json-request: The web server uses JSON and AJAX requests to authenticate users trying to access the web application through the login URL. For this option, you also need to type the name of the JSON element containing the user name and password.
  • +
  • request-body: The web server uses the request body to authenticate users trying to access the web application through the login URL. This allows brute force login detection using, for example, SAML authentication used on Microsoft Federation Services for SSO which uses SOAP API to login.
  • - + @@ -3398,7 +3487,7 @@

    login-pages

    - + @@ -6414,6 +6503,7 @@

    violations

  • VIOL_XML_MALFORMED
  • VIOL_GEOLOCATION
  • VIOL_WEBSOCKET_BAD_REQUEST
  • +
  • VIOL_MALICIOUS_IP
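Review bot: `VIOL_MALICIOUS_IP` is appended to the violations list but nothing in the docs says what raises it. Since it lands in the same change as the `ip-intelligence` section, add a sentence tying the two together, for example "Raised when the client IP matches an IP intelligence category whose `block` or `alarm` setting is enabled; requires `ip-intelligence.enabled` to be true", so operators know which knob produces the violation in logs and can decide whether to alarm only before enabling blocking.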
  • diff --git a/data/nap-waf/schema/policy.json b/data/nap-waf/schema/policy.json index 66234108d..c4c5e6798 100644 --- a/data/nap-waf/schema/policy.json +++ b/data/nap-waf/schema/policy.json @@ -433,7 +433,8 @@ "VIOL_XML_FORMAT", "VIOL_XML_MALFORMED", "VIOL_GEOLOCATION", - "VIOL_WEBSOCKET_BAD_REQUEST" + "VIOL_WEBSOCKET_BAD_REQUEST", + "VIOL_MALICIOUS_IP" ], "type" : "string" } @@ -2424,6 +2425,58 @@ } ] }, + "ip-intelligence" : { + "oneOf" : [ + { + "properties" : { + "enabled" : { + "default" : false, + "type" : "boolean" + }, + "ipIntelligenceCategories" : { + "items" : { + "properties" : { + "alarm" : { + "default" : false, + "type" : "boolean" + }, + "block" : { + "default" : false, + "type" : "boolean" + }, + "category" : { + "enum" : [ + "Anonymous Proxy", + "BotNets", + "Cloud-based Services", + "Denial of Service", + "Infected Sources", + "Mobile Threats", + "Phishing Proxies", + "Scanners", + "Spam Sources", + "Tor Proxies", + "Web Attacks", + "Windows Exploits" + ], + "type" : "string" + } + }, + "required" : [ + "category" + ], + "type" : "object" + }, + "type" : "array" + } + }, + "type" : "object" + }, + { + "$ref" : "#/definitions/reference" + } + ] + }, "json-profiles" : { "oneOf" : [ { 
@@ -2848,7 +2901,7 @@ }, "authenticationType" : { "default" : "none", - "description" : "Authentication Type is method the web server uses to authenticate the login URL's credentials with a web user.\n\n- **none**: The web server does not authenticate users trying to access the web application through the login URL. This is the default setting.\n- **form**: The web application uses a form to collect and authenticate user credentials. If using this option, you also need to type the user name and password parameters written in the code of the HTML form.\n- **http-basic**: The user name and password are transmitted in Base64 and stored on the server in plain text.\n- **http-digest**: The web server performs the authentication; user names and passwords are not transmitted over the network, nor are they stored in plain text.\n- **ntlm**: Microsoft LAN Manager authentication (also called Integrated Windows Authentication) does not transmit credentials in plain text, but requires a continuous TCP connection between the server and client.\n- **ajax-or-json-request**: The web server uses JSON and AJAX requests to authenticate users trying to access the web application through the login URL. For this option, you also need to type the name of the JSON element containing the user name and password.", + "description" : "Authentication Type is method the web server uses to authenticate the login URL's credentials with a web user.\n\n- **none**: The web server does not authenticate users trying to access the web application through the login URL. This is the default setting.\n- **form**: The web application uses a form to collect and authenticate user credentials. 
If using this option, you also need to type the user name and password parameters written in the code of the HTML form.\n- **http-basic**: The user name and password are transmitted in Base64 and stored on the server in plain text.\n- **http-digest**: The web server performs the authentication; user names and passwords are not transmitted over the network, nor are they stored in plain text.\n- **ntlm**: Microsoft LAN Manager authentication (also called Integrated Windows Authentication) does not transmit credentials in plain text, but requires a continuous TCP connection between the server and client.\n- **ajax-or-json-request**: The web server uses JSON and AJAX requests to authenticate users trying to access the web application through the login URL. For this option, you also need to type the name of the JSON element containing the user name and password.\n- **request-body**: The web server uses the request body to authenticate users trying to access the web application through the login URL. This allows brute force login detection using, for example, SAML authentication used on Microsoft Federation Services for SSO which uses SOAP API to login.", "enum" : [ "ajax-or-json-request", "form", @@ -2865,6 +2918,7 @@ "type" : "string" }, "passwordRegex" : { + "description" : "PCRE regular expression for capturing the password. The regular expression must include exactly one capturing group (in rounded parentheses) for the value of the password. For example: \"pwd=(\\w+)\". The entered expression is validated and any invalid code is noted and must be corrected. Note: This setting is only relevant if authenticationType is request-body.", "type" : "string" }, "url" : { 
@@ -2877,6 +2931,7 @@ "type" : "string" }, "usernameRegex" : { + "description" : "PCRE regular expression for capturing the username. The regular expression must include exactly one capturing group (in rounded parentheses) for the value of the username. For example: \"user_id=(\\w+)\". The entered expression is validated and any invalid code is noted and must be corrected. Note: This setting is only relevant if authenticationType is request-body.", "type" : "string" } },
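Review bot: the `authenticationType` hunk (`@@ -2848,7 +2901,7 @@`) is a 7-line-to-7-line change that only rewrites the `description` to document a `request-body` value; the `enum` that follows is not touched in any visible hunk (the shown fragment stops at `"ajax-or-json-request", "form",`). Please confirm the enum already contains `"request-body"`, otherwise the schema will reject the value the description now advertises. In the new `ip-intelligence` definition, `enabled` and `ipIntelligenceCategories` carry no `description` at all, unlike `passwordRegex` and `usernameRegex` which get one in this same patch; a one-line description on each, mirroring the defaults (`false`) and the `required` `category`, keeps the schema usable as the source for the generated HTML tables.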
      @@ -3380,7 +3469,7 @@

      login-pages

    passwordRegex stringPCRE regular expression for capturing the password. The regular expression must include exactly one capturing group (in rounded parentheses) for the value of the password. For example: "pwd=(w+)". The entered expression is validated and any invalid code is noted and must be corrected. Note: This setting is only relevant if authenticationType is request-body.
    usernameRegex stringPCRE regular expression for capturing the username. The regular expression must include exactly one capturing group (in rounded parentheses) for the value of the username. For example: "user_id=(w+)". The entered expression is validated and any invalid code is noted and must be corrected. Note: This setting is only relevant if authenticationType is request-body.
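Review bot: the rendered table above shows the regex examples as `"pwd=(w+)"` and `"user_id=(w+)"`, whereas the JSON descriptions in this patch read `pwd=(\\w+)` and `user_id=(\\w+)`; the backslash is being lost between the schema and the HTML, so `\w+` must be escaped in the HTML source (or the table generator fixed), because `(w+)` as printed only matches a run of the letter w. Two smaller points on the same text: `\w+` stops at the first non-word character, so with that example a password containing punctuation is captured only partially, which affects what brute force login detection sees; saying the example is illustrative, or using a broader class, would avoid surprises. And the `request-body` bullet added to the login-pages list says brute force detection is possible but does not mention that `usernameRegex` and `passwordRegex` are what extract the credentials for that type (their descriptions say they are only relevant for `request-body`); cross-referencing them, and tightening "SAML authentication used on Microsoft Federation Services for SSO which uses SOAP API to login" to something like "SAML-based SSO on Microsoft Federation Services, which logs in through a SOAP API", would make the option easier to configure correctly.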