Forum Discussion
Icontrol REST upload and apply policy- section "http-protocols" ignored?
I have templates defined for REST API security policies. Basic set up is done in JSON and remaining policy is build based on the swagger file. When I want add to JSON template for examples file types, json profiles, urls, brute force protection, parameters, ... it works well and changes are visible in GUI. But when I put to template section "http-protocols" it seems that is ignored. Security policy is uploaded, imported and applied with no errors but changes are not visible. Snippet of JSON is visible below.
"http-protocols" : [ { "description" : "Multiple host headers", "enabled" : true, "learn" : true }, { "description" : "Check maximum number of parameters", "enabled" : true, "learn" : true, "maxParams" : 100 }, { "description" : "Bad host header value", "enabled" : true, "learn" : true }, { "description" : "Check maximum number of headers", "enabled" : false, "learn" : true, "maxHeaders" : 30 }, { "description" : "Content length should be a positive number", "enabled" : true, "learn" : true } ]
For some item I want to change configuration. For example I want enable "Maximum numbers of parameters" and change value for number of parameters. But section "HTTP Protocol Compliance failed" under "Learning and Blocking Settings" is not changed.
Is it supported to modify "http-protocols" with icontrol (upload ->import->apply)?
Your settings for http-protocols are ignored because the json path is invalid. It must be a sub-key of blocking-settings.
{ "policy" : { "blocking-settings" : { "http-protocols" : [ { "description" : "Multiple host headers", "enabled" : true, "learn" : false } } } }
Your settings for http-protocols are ignored because the json path is invalid. It must be a sub-key of blocking-settings.
{ "policy" : { "blocking-settings" : { "http-protocols" : [ { "description" : "Multiple host headers", "enabled" : true, "learn" : false } } } }
- JustJozefCirrus
Hi JRahm, sure I will.
Below is example of the JSON policy. It contains only basic configuration as all important is in swagger itself.
{ "policy" : { "applicationLanguage" : "utf-8", "caseInsensitive" : true, "description" : "API Security Policy for application", "enablePassiveMode" : false, "enforcementMode" : "transparent", "fullPath" : "/Common/sp_wafenv_api_application", "name" : "sp_wafenv_api_application", "protocolIndependent" : false, "signature-settings" : { "signatureStaging" : false }, "softwareVersion" : "f5version", "template" : { "name" : "POLICY_TEMPLATE_API_SECURITY" }, "open-api-files": [ { "filename": "file://swagger-file" } ], "type" : "security", "http-protocols" : [ { "description" : "Multiple host headers", "enabled" : true, "learn" : true }, .... .... .... { "description" : "Chunked request with Content-Length header", "enabled" : true, "learn" : true } ], "filetypes": [ { "allowed": true, "checkPostDataLength": true, "checkQueryStringLength": true, "checkRequestLength": true, "checkUrlLength": true, "name": "no_ext", "performStaging": false, "postDataLength": 10000, "queryStringLength": 1000, "requestLength": 10000, "responseCheck": false, "type": "explicit", "urlLength": 100 } ], "brute-force-attack-preventions": [ { "captchaBypassCriteria": { "action": "alarm-and-drop", "enabled": false, "threshold": 5 }, "clientSideIntegrityBypassCriteria": { "action": "alarm-and-captcha", "enabled": false, "threshold": 3 }, ...... ...... ...... "loginAttemptsFromTheSameUser": { "action": "alarm-and-captcha", "enabled": false, "threshold": 3 }, "measurementPeriod": 900, "preventionDuration": "3600", "reEnableLoginAfter": 900, "sourceBasedProtectionDetectionPeriod": 900, "url": { "method": "POST", "name": "/oauth/token", "protocol": "http", "type": "explicit" } } ], "json-profiles": [ { "defenseAttributes": { "maximumArrayLength": 1000, "maximumStructureDepth": 10, "maximumTotalLengthOfJSONData": 10000, "maximumValueLength": 100, "tolerateJSONParsingWarnings": false }, "description": "", "handleJsonValuesAsParameters": true, "hasValidationFiles": false, "name": "Default", "validationFiles": [] } ], "login-pages": [ { "accessValidation": { "cookieContains": "", "headerContains": "", "headerOmits": "", "parameterContains": "", "responseContains": "", "responseHttpStatus": "200", "responseOmits": "" }, "authenticationType": "form", "passwordParameterName": "xxxxxx", "url": { "method": "POST", "name": "/oauth/token", "protocol": "http", "type": "explicit" }, "usernameParameterName": "yyyyyy" } ] } }
So for example If I want add new file type then I modify section "filetypes". Sections like "whitelist-ips", "urls", "login-pages" works fine. But I wanted to modify configuration for "HTTP Protocol Compliance" (http-protocols in JSON) to enable some items but this was not changed after policy was imported and applied.
I checked logs for some errors but nothing was reported. Also just to be sure that I have no issue during processing of the policy I changed values in brute force section and those changes has been visible in GUI. But changes related to "HTTP Protocol Compliance" were not.
In JSON has one item of the http-protocols parameters like
{ "description" : "Bad host header value", "enabled" : true, "learn" : true },
Is decription sufficient identificator to define what property should be changed?
As workaround maybe will be to create custom API template and use it instead general "POLICY_TEMPLATE_API_SECURITY". But did not test it yet.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com