Web Application Firewall (WAF) RESTful API Updates
This section contains details about the Web Application Firewall API commands and parameters. You can retrieve or configure each of these parameters using the get or set RESTful API commands.
Here are a few examples of a set command that sets the WAF parameters on a virtual service:
Enable legacy WAF
access/modvs?vs=1&InterceptMode=1
Enable OWASP WAF
access/modvs?vs=1&InterceptMode=2
The following WAF parameters can be retrieved or configured using the get or set commands:
Name | Type | Default | Range | Description |
---|---|---|---|---|
Intercept | B | 0 | 0 – Disabled 1 – Enabled | Enable/disable the Web Application Firewall (WAF) for this Virtual Service. |
InterceptMode | B | 0 | 0 – Disabled 1 – Legacy 2 – OWASP | Enable/disable the Web Application Firewall (WAF) for this Virtual Service and select which engine (Legacy or OWASP) is used. |
InterceptOpts | S | <unset> | | Most of the fields in the WAF Options (Legacy) section of the Virtual Service modify screen in the LoadMaster WUI can be set using this parameter. |
OwaspOpts | S | <unset> | | Most of the fields in the WAF section of the Virtual Service modify screen in the LoadMaster WUI can be set using this parameter. |
BlockingParanoia | I | 1 | 1 - 4 | The paranoia level at which the OWASP engine blocks the request coming from the server. |
ExecutingParanoia | I | 1 | 1 - 4 | The paranoia level at which the OWASP engine logs requests that are coming from the server. This value should not be lower than the BlockingParanoia level. |
AnomalyScoringThreshold | I | 100 | 1 - 10000 | Set the Anomaly Scoring Threshold value. Every detection rule in the CRS raises the anomaly score. If the cumulative anomaly score per request reaches the configured limit, the request is blocked. |
pcrelimit | I | 3000 | 1000 - 99999 | The maximum number of iterations that the internal PCRE engine uses to resolve a regular expression before failing the match. |
AlertThreshold | I | 0 (disabled) | 0 - 100000 | The threshold of incidents per hour before an alert is sent. Setting this to 0 disables alerting. |
InterceptPOSTOtherContentTypes | S | <unset> | | When the otherctypesenable parameter is enabled, use the InterceptPOSTOtherContentTypes parameter to enter a comma-separated list of POST content types allowed for WAF analysis, for example text/plain,text/css. By default, all types (other than XML/JSON) are enabled. To allow any other content type, set the value to any. |
PostOtherContentTypes | S | | | When the otherctypesenable parameter is enabled, use the POSTOtherContentTypes parameter to enter a comma-separated list of POST content types allowed for WAF analysis, for example text/plain,text/css. By default, all types (other than XML/JSON) are enabled. To allow any other content type, set the value to any. |
IPReputationBlocking | B | 0 | 0 – Disabled 1 – Enabled | Enables the checking of client addresses against the IP reputation database. |
RuleSets | S | | | In the OWASP CRS, rulesets are identified by three-digit numbers. Specify the three-digit numbers of the rulesets you wish to enable. For example: RuleSets=911, 913, 920…. |
ExcludedWorkLoads | S | | | Specify a list of workloads that the customer is running. Some workloads cause a lot of false positives by default; if you are running one of these workloads (drupal, wordpress, nextcloud, dokuwiki, cpanel, xenforo), adding its name to the list stops certain checks that are known to cause problems. |
BlockedCountries | S | | | Enter the two-letter country codes that are to be blocked. |
AuditParts | S | ABEFHKZ | | Enter a valid string containing the sections that are to be written to the wafaudit log for each request. Currently, only four values (B, E, F, H) are enabled. |
CustomRules | | | | Specify a list of custom rules that are to be configured for the Virtual Service. |
DisabledRules | | | | Specify a list of disabled rules. |
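The set command is a plain query string, so a typo or out-of-range value is only caught (if at all) by the appliance. The following added example, which is not part of the LoadMaster documentation or product, builds the modvs URL for a Virtual Service and validates the integer parameters against the ranges in the table above before anything is sent, including the rule that ExecutingParanoia must not be lower than BlockingParanoia. The base URL, the placeholder host, the function names and the use of urllib are assumptions; only the parameter names, defaults and ranges come from the table.

```python
"""Build and pre-validate LoadMaster WAF 'set' (modvs) URLs offline.

Added example, not code from the LoadMaster documentation. Base URL,
placeholder host and function names are assumptions; parameter names
and ranges are taken from the WAF parameter table.
"""
from urllib.parse import urlencode

# Inclusive integer ranges from the table (B = boolean 0/1, I = integer).
WAF_INT_RANGES = {
    "Intercept": (0, 1),
    "InterceptMode": (0, 2),
    "BlockingParanoia": (1, 4),
    "ExecutingParanoia": (1, 4),
    "AnomalyScoringThreshold": (1, 10000),
    "pcrelimit": (1000, 99999),
    "AlertThreshold": (0, 100000),
    "IPReputationBlocking": (0, 1),
}

# String-valued (S) parameters from the table; passed through as given.
WAF_STRING_PARAMS = {
    "InterceptOpts", "OwaspOpts", "InterceptPOSTOtherContentTypes",
    "PostOtherContentTypes", "RuleSets", "ExcludedWorkLoads",
    "BlockedCountries", "AuditParts", "CustomRules", "DisabledRules",
}


def validate_waf_params(params):
    """Return a list of problems found in `params`; an empty list means OK.

    Each integer parameter is checked against its documented range, unknown
    names are rejected, and the table's note that ExecutingParanoia should
    not be lower than BlockingParanoia is enforced.
    """
    problems = []
    for name, value in params.items():
        if name in WAF_INT_RANGES:
            lo, hi = WAF_INT_RANGES[name]
            if not isinstance(value, int) or not lo <= value <= hi:
                problems.append(f"{name}={value!r} outside {lo}-{hi}")
        elif name not in WAF_STRING_PARAMS:
            problems.append(f"unknown WAF parameter {name!r}")
    bp = params.get("BlockingParanoia")
    ep = params.get("ExecutingParanoia")
    if isinstance(bp, int) and isinstance(ep, int) and ep < bp:
        problems.append(
            f"ExecutingParanoia={ep} is lower than BlockingParanoia={bp}")
    return problems


def build_modvs_url(base, vs, params):
    """Build the modvs 'set' URL for Virtual Service `vs`.

    Raises ValueError instead of producing a request the appliance would
    reject or silently misinterpret. `base` is the API prefix, assumed to
    look like 'https://loadmaster.example/access' (placeholder host).
    """
    problems = validate_waf_params(params)
    if problems:
        raise ValueError("; ".join(problems))
    query = urlencode({"vs": vs, **params})  # vs first, then the WAF fields
    return f"{base.rstrip('/')}/modvs?{query}"


if __name__ == "__main__":
    base = "https://loadmaster.example/access"  # placeholder host
    # Enable the OWASP engine and tighten paranoia on Virtual Service 1.
    print(build_modvs_url(base, 1, {
        "InterceptMode": 2,
        "BlockingParanoia": 2,
        "ExecutingParanoia": 3,
        "RuleSets": "911,913,920",
    }))
    # A misconfiguration the table warns about is caught before sending.
    print(validate_waf_params({"BlockingParanoia": 3, "ExecutingParanoia": 2}))
```

The URL is only built, never sent, so the example runs offline; wiring it to an HTTP client and the appliance's credentials is left to the caller. Commas in list values such as RuleSets are percent-encoded by urlencode, which the server decodes back to the form shown in the table.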
OWASP Custom Rulesets
To add a new custom rule, run the addowaspcustomrule command. For example:
/access/addowaspcustomrule?filename=owasp-cus.conf
To delete an existing rule, run the delowaspcustomrule command. For example:
/access/delowaspcustomrule?filename=owasp-cus
To download a custom rule, run the downloadowaspcustomrule command. For example:
/access/downloadowaspcustomrule?filename=owasp-cus
OWASP Custom Data
To add custom data, run the addowaspcustomdata command. For example:
/access/addowaspcustomdata?filename=owasp-cust.data
To delete existing custom data, run the delowaspcustomdata command. For example:
/access/delowaspcustomdata?filename=owasp-cust
To download custom data, run the downloadowaspcustomdata command. For example:
/access/downloadowaspcustomdata?filename=owasp-cust