Web Applications

The Alert Logic Managed Web Application Firewall (WAF) Web Applications page includes the following sections. Click on the link to go to the corresponding section to learn more:

To go to the previous section, see Client Protection. To go to the next section, see Virtual Patches.

To access the Web application section in the WAF management interface:

  1. On the left panel, under Services, click Websites.
  2. On the Websites page, click the website you want to manage.
  3. Under WAF, click Policy, and then scroll down to the Web application section.

If you want to see all the settings on the Policy page, on the upper-right corner, change the Display preset to Advance.

To save configuration changes or edits you make to any features and options, you must click Save on the lower-right of the section or page where you are making changes. Click apply changes on the upper-left corner of the page, and then click OK. Your changes will not be stored if you do not properly save your changes.

The Web applications section allows for defining scope for specific web application and API endpoint URL paths with different policy rules for select policy components.

Web applications and API endpoints are either added manually or they are automatically created by tuning automation, API management automation (based on the API definition), or by the learning engine.

Web application and API endpoint policy rules define a set of (predominantly positive) validation criteria for requests targeting the specific web applications or API endpoints the policy rule covers.

Proxy mode

Requests with data in the request body (also known as “POST requests”) can either be buffered or streamed to the protected backend.

  • Buffer mode: Buffers and inspects the entire HTTP request body up to the configured limit before passing it to the backend server. This is the default and recommended mode as it provides the most comprehensive inspection and protection capabilities, including against slow DoS attacks. HTTP requests with content length exceeding the configured limit will be denied.
  • Streaming mode: Allows for an UNLIMITED HTTP request body size as it streams and inspects data in chunks. When the request body is parsed, individual parameter names and values are still subject to their own limits. When using this mode, some controls are not supported or behave differently:
    • Request body size is unrestricted
    • Allowed HTTP methods, protocol versions, and web services are configured in the web application scope
    • The POST section of Policy > Protocol Restrictions > Request parameters, restrict size and number is replaced by web application scope limits (when content type is parsed, otherwise they are not enforced)
    • CSRF protection is not enforced on streaming requests
    • When the content type is not parsed, the request body inspection is limited to the raw data stream, and controls that are parameter-specific, such as named parameter rules, cannot be enforced
    • Virtual patching is ineffective as rules are not applied to request body content

    The Streaming mode is recommended when the request body size is expected to be large or unlimited, resulting from factors such as file uploads or large JSON/XML payloads.

Scope

Web application and API endpoint rules are defined by a pattern that matches the incoming request URL path to select the specific web application policy definition. The pattern defines the scope of the policy rule.

A regular expression or OpenAPI syntax defines the scope pattern. A full match is implied (^regular expression$); the caret (^) and dollar ($) characters do not have to be included in the regular expression.

Scope overlap

Web application and API endpoint rules are listed in the validation order. Since the patterns that define the application rule scopes are regex-based, it is possible that they overlap as in the case of “.+\.aspx” vs “/morespecific/.+\.aspx”.

If scopes are overlapping, change the validation order so that more specific rules are evaluated first. In the case above, “/morespecific/.+\.aspx” should be evaluated before “.+\.aspx”.

The validation order can be changed in the "Web application validation order" section, located above the "web applications" group in the policy.

URL-based parameters

For API endpoints, Fortra WAF supports the OpenAPI parameter definition syntax where named input parameters extracted from the URL path are in curly quotes, such as /users/{id}.

When creating a web application of type OpenAPI Path, a definition such as /users/{id} is translated to a regular expression that matches the path ^\/users\/([^\/]+)$ (“/users/” followed by “non-/” until end-of-string).

When an incoming request URL path matches the resulting API endpoint scope regex, data is extracted from the part of the URL path following “/users/” assigned to the parameter “id”. The data is then validated using the policy rules within the web application scope that apply to the specific parameter “id”.

Non-API web applications that read parameters from the URL path can be created using the API path syntax as required.

Add web application or API endpoint rule

Web application or API endpoints can be created automatically in the policy section of Fortra Web Application Firewall (WAF) API Protection, based on the API definition.

To add and configure a web application or API endpoint rule manually, in Policy > Web applications:

  1. From the Add New drop-down list, select Path Regex or OpenAPI Path.
  2. Enter the path regex or OpenAPI path definition.
  3. Click Add.
  4. Click the web application or API endpoint rule to configure and then enable it.
Web application Scope Definition

Input field

Regular expression specifying the scope of the web application section.

Valid input

A regular expression

For performance reasons the regular expression must be re2 compliant so zero-length lookaround assertions are not allowed.

All meta characters except slash (/) must be escaped if used as literals.

Input example

/differentrules/.+\.php - All php applications in directory /differentrules/ and below

.+\.aspx - Any application with extension .aspx

/ecommerce/cart\.php - The specific application /ecommerce/cart.php

Default value

None

OpenAPI Endpoint Scope Definition

Like web application rules, API endpoint URL path definitions are regular expressions, with the exception that URL path-based parameters are specified using curly quotes, such as /pets/{petId}, and therefore cannot be used to define quantifiers (such as /[a-z]{5,25}.php).

While it is technically possible to define an API path using a regular expression, a path definition such as /pets/[a-z]+/{petid} would be an invalid OpenAPI path definition as it must follow a specific format like /pets/{type}/{petid}.

The correct definition above will result in the parameters “type” and “petid” being created as parameters in the endpoint rule, and extracted from the URL path when a request matches the path definition, such as /pets/dog/fido.

For web applications that use URL path-based parameters (also known as “friendly URL”, “pretty URL”, “semantic URL”), the OpenAPI type can be used to extract parameters from the URL path.

The following examples show the difference between traditional and friendly URLs:

  • Traditional: https://example.com/products?id=123&category=books
  • Friendly: https://example.com/products/books/123
    • The friendly URL definition will be: /products/{category}/{id}
Valid input

An URL path regex without curly quotes as quantifiers and URL path parameters in curly quotes

Input examples

/pets/{type}/{petid} – A valid OpenAPI path definition

/pets/[a-z]+/{petid} –An invalid OpenAPI path definition, but will function

In these examples, the valid OpenAPI definition will result in the {type} section of the URL path being assigned to the a parameter named “type” and {petid} to “petid." In the latter invalid example, only {petid} will be assigned.

Web application settings

Proxy Mode

Drop-down list

Select Proxy Mode. See Proxy mode for more information.

Buffering

Buffer and validate the entire HTTP request before sending it to the protected web server

Streaming

Inspect the HTTP request body while streaming it to the protected web server. Streaming allows for unlimited HTTP request body size, but there are trade-offs in terms of what controls are available.

Default value

Buffering

Requests

Drop-down list

Configure URL request status.

When set to deny, a request for the web application will be denied.

allow

Allow requests

deny

Deny requests

Default value

allow

Update

Drop-down list

Configure URL update setting.

manual

When update is set to manual the ACL entry will not be maintained and updated by the Learner.

auto

When set to auto, the entry will be maintained by the Learner.

Default value

auto when an application is added automatically, manual when added manually

Violation action

Drop-down list

Action to take when a request for the web application is denied.

When set to block or detect this setting will override the global setting for the violation at hand.

Use global

Global settings will be used.

Protect

Block settings (as defined in global violation action) will be used no matter if the website is running in Protect or Detect.

Detect

Detect settings (as defined in global violation action) will be used no matter if the website is running in Protect or Detect.

Pass

Bypass violations for this specific application. Violations will neither be blocked nor logged.

Default value

Use global

Case sensitivity

Drop-down list

Control case sensitivity within the scope of the application and endpoint.

Unless case sensitivity is enabled, the WAF sets all input prior to name lookup and validation to lowercase format.

Use global

Global settings will be used.

On

Case sensitivity is enabled

Off

Case sensitivity is disabled

Payload size override

When uploads are allowed in Policy > Protocol restrictions > File uploads allowed, the upload max size overrides the POST form payload limit set in Policy > Protocol restrictions > Request, restrict length and number.

In turn, the payload size override allows for overriding the max upload size defined in Policy > Protocol restrictions > File uploads allowed.

File uploads must be allowed for the setting to be active.

Session protection

Require a valid session to access this resource

Check box

Enable / disable authorization of access to this resource based on session validity.

If enabled, whenever this resource is requested, WAF will only allow the request if it originates from a valid user session.

Note that session protection and request authorization have to be enabled for resource request authorization to be effective. See Session and CSRF protection

Default: <disabled>

Enable request origin validation for this application

Check box

Enable / disable validation of requests resulting from forms with this application as action.

If enabled, whenever a request for this application contains a specific parameter (see below) it is verified that the request origins from a form on a web page/application belonging to the web system and that the form has been issued on a page belonging to the current users session.

Note that for the validation token to be generated Generate request form validation tokens (CSRF protection) has to be enabled. See Session and CSRF protection.

Default: <disabled>

Validate parameter name

Input field

String specifying the name of a specific parameter to be present for WAF to perform request origin validation.

Valid input

A string defining a parameter name.

Input example

amount

Default value

<none>

Global violation action override

Global violation action override allows for an even more fine grained violation action exception handling than simply specifying violation action for the web application. This override feature allows for specifying exceptions from the global violation action on a per violation type basis.

If, for instance, you have an application that generates "Malformed XML" because of some custom built client application sending XML requests that does not conform to standards it is possible to specify a policy exception for that specific violation for that specific application. This way you do not have to bypass XML validation globally or put the entire application in Pass or Detect mode.

To add a violation exception:

  1. Select the violation type from the drop-down list Global violation action override
  2. The selected violation type is listed above the drop-down list with two action types: One for global Protect mode and one for global Detect mode.
  3. For each mode select the desired action which can be either of Protect, Detect or Pass.

Methods allowed

Restrict which HTTP methods are allowed.

Corresponding violation: Method illegal

HEAD

Check box

Allow / disallow HTTP method HEAD.

Default: <allow>

GET

Check box

Allow / disallow HTTP method GET.

Default: <allow>

POST

Check box

Allow / disallow HTTP method POST.

Default: <allow>

OPTIONS

Check box

Allow / disallow HTTP method OPTIONS.

Default: <disallow>

PUT

Check box

Allow / disallow HTTP method PUT.

Default: <disallow>

DELETE

Check box

Allow / disallow HTTP method DELETE.

Default: <disallow>

MKCOL

Check box

Allow / disallow HTTP method MKCOL.

Default: <disallow>

COPY

Check box

Allow / disallow HTTP method COPY.

Default: <disallow>

MOVE

Check box

Allow / disallow HTTP method MOVE.

Default: <disallow>

PROPFIND

Check box

Allow / disallow HTTP method PROPFIND.

Default: <disallow>

PROPPATCH

Check box

Allow / disallow HTTP method PROPPATCH.

Default: <disallow>

LOCK

Check box

Allow / disallow HTTP method LOCK.

Default: <disallow>

UNLOCK

Check box

Allow / disallow HTTP method UNLOCK.

Default: <disallow>

PATCH

Check box

Allow / disallow HTTP method PATCH.

Default: <disallow>

Streaming name/value limits

When Proxy mode is set to Streaming, limitations on the parameter name (key) and value defined in Policy > Protocol restrictions > Request, restrict length and number do not apply within the scope of the application/endpoint rule since much larger values are possible due to the payload being parsed and validated while streamed to the protected web server.

Streaming name/value limits only apply to content types that are parsed (that is, the payload that is being processed by the WAF engine, extracting name=value pairs from it):

  • Name – bytes: maximum allowed name size. Maximum value allowed is 1024 bytes.
  • Value – bytes: maximum allowed value size. Maximum value allowed is 16777216 bytes (16 MiB).

If an unlimited name or value size is required, the content type in question can be set to unparsed and raw inspection. Not parsing a content type has the drawback that name-based policy rules do not apply and payload inspection becomes similar to an IDS/IPS.

Streaming HTTP body inspection signature exceptions

The dominant tuning methodology in Fortra WAF is to make exceptions for a specific named input, preferably within the particular scope of a web application/API endpoint rule. A key requirement for this methodology is that HTTP requests are parsed and the input is assigned to name=value pairs.

If a content type is not parsed (either because the content type is not supported or because of size requirements), the named input exception method is not possible, and the only options are to bypass the application (as defined by URL path) entirely, disable entire signature classes globally, or to exclude specific named signatures in the scope of the URL path.

This option allows for the latter, disabling named signatures specifically within the scope of the URL path.

To disable a signature: Copy the signature name from the deny log record and then insert it into the input area. Multiple signatures must be separated by a new line.

Streaming content types

Defines how different Content-Types in HTTP requests are handled when HTTP body streaming is enabled.

Content types can be set to either be parsed or not parsed. When a content type is parsed, individual parameter names and values are still subject to their own limits, per Streaming name/value limits.

When a content type is not parsed, request body inspection is limited to the raw data stream and controls that are parameter specific (for example, named parameter rules cannot be enforced).

The default rule (Content-Type: DEFAULT) should always be present and defines how all other content types not explicitly listed are handled.

Content types can also be disallowed by setting Allow content type to no.

Parse

Content types can either be parsed by assigning values to named inputs or processed as raw payloads.

When a content type is parsed, more granular policy rules and tuning exceptions are possible as rules can be specified for the named input.

The option to not parse a content type should only be chosen if the content type is not supported or requirements for very large input mandate it.

Validation method

The (advanced) WAF signatures are each flagged for what request elements they are suitable for. The Validation method determines how signatures are selected, and which signatures are used for validating a content type.

  • Advanced: The advanced signature model is used. Signatures are selected based on input type and connection trust.
  • Raw: Only signatures suitable for raw unparsed input will be used.
  • Upload: Only signatures intended for file uploads are used.
  • Bypass: Content type is bypassed and not validated.

Adding a content type

  1. Click Add new.
  2. Enter the content type in the Content-Type box.
  3. Select yes or no to allow or disallow the content type.
  4. In the Parse box, select yes or no to enable or disable parsing of the content type.
  5. In the Validation box, select the desired validation method.

DEFAULT content type

The DEFAULT rule defines how all content types not explicitly listed are handled.

If set to parse, supported content types will be parsed and individual parameter names and values are still subject to their own limits. Unsupported content types will be treated as "not parse" and validated using "raw" signatures.

It is recommended to set the DEFAULT rule to "not parse" when parameter names or values are expected to be larger than allowed.

When content type is not parsed, request body inspection is limited to the raw data stream and controls that are parameter specific (for example, named parameter rules cannot be enforced).

Attributes

Informational, read only.

Shows the type of policy rule: Web Application or API Path Definition. If built from an API definition, it shows the name of the API definition.

Parameters

This section contains a list of current defined parameters with corresponding input validation type and value and other settings.

To update a parameter simply change the values and click on the Save button.

Select parameter

Check box

Select or clear check box to mark for deletion.

Default: <not selected>

To mark an entry for deletion, check the box.

When the parameter list is saved the parameter will be deleted.

Name

Input field

String specifying the parameters name.

Valid input

A string defining a name. No regular expressions.

Input example

print - a parameter named "print"

Default value

The parameter name

Type

Drop-down list

Input validation type.

Class

A predeclared regular expression used by WAF for input request validation. Classes are defined on a proxy global basis. When a class is modified all parameters using that class are affected.

Static

Legitimate values for the parameter can only have fixed values defined. Values are separated by a newline.

Regex

Legitimate input values for the parameter are based on the regular expression defined. Only one regular expression is allowed.

Default value

Class

Value(s)

Depends on type

Value for input validation.

Valid input
When type Class is selected, a drop-down list is available in the values field

Input validation for the parameter is based on the regular expression corresponding to the selected class name.

When type Static is selected, a list of static values

Input values are validated against the static list of legitimate values for the parameter. If they match, the request is allowed by WAF. otherwise, the entire request is blocked.

When type Regex is selected, a regular expression

input values are validated against the defined regular expression. if they match, the request is allowed by WAF. otherwise, the entire request is blocked.

For examples of using regular expressions for input validation refer to Examples of regular expressions for input validation.

Full match is implied for each regular expression, meaning that each will match from the start to the end of the request (a caret ^ and dollar $ will be appended if not present)

Default value

Type Class Numeric

Negative Check

Drop-down options

Use negative checking if validation class is above configured threshold.

If set to Auto the policy configured in classes negative signatures policy will be applied when validating input.

Default value

Auto

Update

Drop-down options

Configure how the parameter should be handled by the Learner.

If set to Upgrade only the Learner will only change the parameter if the class needs to be set to a higher rank (relaxed).

When set to Auto the Learner will make all changes to the parameter, including removing it if it later is learned to be a global parameter.

Default value

Upgrade only

Null

Drop-down options

OpenAPI paths only.

When set to On, the literal string 'null' is allowed to designate and empty value.

Default value

Off