Forum Discussion
iControl REST upload and apply policy - section "http-protocols" ignored?
- May 05, 2023
Your settings for http-protocols are ignored because the json path is invalid. It must be a sub-key of blocking-settings.
{
  "policy" : {
    "blocking-settings" : {
      "http-protocols" : [
        {
          "description" : "Multiple host headers",
          "enabled" : true,
          "learn" : false
        }
      ]
    }
  }
}
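A small pre-flight check for the mistake described in this answer, added here as an example (not code from the thread or from F5): it finds `http-protocols` placed directly under `policy`, moves it under `policy.blocking-settings`, and merges entries by `description` so a nested entry already present is overridden by the top-level one. The sample policy fragment is constructed; only `http-protocols` is listed as a `blocking-settings` sub-key because that is the one the thread discusses.

```python
import copy
import json

# Constructed sample that reproduces the problem from the post:
# "http-protocols" sits directly under "policy" instead of under "blocking-settings".
MISPLACED_POLICY = {
    "policy": {
        "name": "sp_wafenv_api_application",
        "template": {"name": "POLICY_TEMPLATE_API_SECURITY"},
        "http-protocols": [
            {"description": "Multiple host headers", "enabled": True, "learn": True},
            {"description": "Bad host header value", "enabled": True, "learn": True},
        ],
    }
}

# Sub-keys the declarative policy nests under "blocking-settings".
# Only the key discussed in the thread is listed here (assumption: extend as needed).
BLOCKING_SETTINGS_KEYS = ("http-protocols",)


def find_misplaced_keys(policy_doc):
    """Return the blocking-settings sub-keys that were put directly under 'policy'."""
    policy = policy_doc.get("policy", {})
    return [k for k in BLOCKING_SETTINGS_KEYS if k in policy]


def relocate_blocking_settings(policy_doc):
    """Return a deep copy with misplaced sub-keys moved under policy.blocking-settings.

    Entries are merged by 'description'. When the same description exists in both
    places, the top-level entry wins, on the assumption that it is the operator's
    intended setting (the nested one is typically template output).
    """
    doc = copy.deepcopy(policy_doc)
    policy = doc["policy"]
    blocking = policy.setdefault("blocking-settings", {})
    for key in find_misplaced_keys(doc):
        merged = {e["description"]: e for e in blocking.get(key, [])}
        for entry in policy.pop(key):
            merged[entry["description"]] = entry
        blocking[key] = list(merged.values())
    return doc


if __name__ == "__main__":
    print("misplaced keys:", find_misplaced_keys(MISPLACED_POLICY))
    print(json.dumps(relocate_blocking_settings(MISPLACED_POLICY), indent=2))
```

Run it against the policy file before uploading; an empty `find_misplaced_keys` result on the relocated document means every `http-protocols` entry is now on the path the import actually reads.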
Hi JRahm, sure I will.
Below is an example of the JSON policy. It contains only basic configuration, as everything important is in the swagger file itself.
{
  "policy" : {
    "applicationLanguage" : "utf-8",
    "caseInsensitive" : true,
    "description" : "API Security Policy for application",
    "enablePassiveMode" : false,
    "enforcementMode" : "transparent",
    "fullPath" : "/Common/sp_wafenv_api_application",
    "name" : "sp_wafenv_api_application",
    "protocolIndependent" : false,
    "signature-settings" : {
      "signatureStaging" : false
    },
    "softwareVersion" : "f5version",
    "template" : {
      "name" : "POLICY_TEMPLATE_API_SECURITY"
    },
    "open-api-files": [
      {
        "filename": "file://swagger-file"
      }
    ],
    "type" : "security",
    "http-protocols" : [
      {
        "description" : "Multiple host headers",
        "enabled" : true,
        "learn" : true
      },
      ....
      ....
      ....
      {
        "description" : "Chunked request with Content-Length header",
        "enabled" : true,
        "learn" : true
      }
    ],
    "filetypes": [
      {
        "allowed": true,
        "checkPostDataLength": true,
        "checkQueryStringLength": true,
        "checkRequestLength": true,
        "checkUrlLength": true,
        "name": "no_ext",
        "performStaging": false,
        "postDataLength": 10000,
        "queryStringLength": 1000,
        "requestLength": 10000,
        "responseCheck": false,
        "type": "explicit",
        "urlLength": 100
      }
    ],
    "brute-force-attack-preventions": [
      {
        "captchaBypassCriteria": {
          "action": "alarm-and-drop",
          "enabled": false,
          "threshold": 5
        },
        "clientSideIntegrityBypassCriteria": {
          "action": "alarm-and-captcha",
          "enabled": false,
          "threshold": 3
        },
        ......
        ......
        ......
        "loginAttemptsFromTheSameUser": {
          "action": "alarm-and-captcha",
          "enabled": false,
          "threshold": 3
        },
        "measurementPeriod": 900,
        "preventionDuration": "3600",
        "reEnableLoginAfter": 900,
        "sourceBasedProtectionDetectionPeriod": 900,
        "url": {
          "method": "POST",
          "name": "/oauth/token",
          "protocol": "http",
          "type": "explicit"
        }
      }
    ],
    "json-profiles": [
      {
        "defenseAttributes": {
          "maximumArrayLength": 1000,
          "maximumStructureDepth": 10,
          "maximumTotalLengthOfJSONData": 10000,
          "maximumValueLength": 100,
          "tolerateJSONParsingWarnings": false
        },
        "description": "",
        "handleJsonValuesAsParameters": true,
        "hasValidationFiles": false,
        "name": "Default",
        "validationFiles": []
      }
    ],
    "login-pages": [
      {
        "accessValidation": {
          "cookieContains": "",
          "headerContains": "",
          "headerOmits": "",
          "parameterContains": "",
          "responseContains": "",
          "responseHttpStatus": "200",
          "responseOmits": ""
        },
        "authenticationType": "form",
        "passwordParameterName": "xxxxxx",
        "url": {
          "method": "POST",
          "name": "/oauth/token",
          "protocol": "http",
          "type": "explicit"
        },
        "usernameParameterName": "yyyyyy"
      }
    ]
  }
}
So for example, if I want to add a new file type, I modify the "filetypes" section. Sections like "whitelist-ips", "urls" and "login-pages" work fine. But I wanted to modify the configuration for "HTTP Protocol Compliance" (http-protocols in the JSON) to enable some items, and this was not changed after the policy was imported and applied.
I checked the logs for errors but nothing was reported. Also, just to be sure that I had no issue during processing of the policy, I changed values in the brute force section and those changes were visible in the GUI. But the changes related to "HTTP Protocol Compliance" were not.
In the JSON, one item of the http-protocols parameters looks like:
{
  "description" : "Bad host header value",
  "enabled" : true,
  "learn" : true
},
Is the description a sufficient identifier to define which property should be changed?
As a workaround, maybe it will be possible to create a custom API template and use it instead of the general "POLICY_TEMPLATE_API_SECURITY". But I did not test it yet.