Example OWASP Top 10-compliant declarative WAF policy
Problem this snippet solves: This is an example of a basic declarative BIG-IP WAF policy that is OWASP Top 10-compliant. This policy can be used as a starting point for a production-ready version. ...
Published Jan 18, 2021
Version 1.0
Valentin_Tobi
Valentin_Tobi
Jun 25, 2022 (Employee)
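forsan: here's an AS3 declaration that deploys the WAF policy and the application it protects into the Web-Prod partition. Note that the declaration pulls policy.json over plain HTTP, so nothing protects the policy's integrity in transit; for production, serve it over HTTPS from a source you control. With "ignoreChanges": true, AS3 creates the policy on the first deployment and leaves it untouched on later ones, so later edits to policy.json are not picked up just by redeploying.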
{
"class": "AS3",
"action": "deploy",
"persist": true,
"declaration": {
"class": "ADC",
"schemaVersion": "3.2.0",
"id": "Prod_Web_AS3",
"Web-Prod": {
"class": "Tenant",
"defaultRouteDomain": 0,
"arcadia": {
"class": "Application",
"template": "generic",
"VS_WebApp": {
"class": "Service_HTTPS",
"remark": "Accepts HTTPS/TLS connections on port 443",
"virtualAddresses": ["10.1.10.26"],
"redirect80": false,
"pool": "pool_NGINX_WebApp",
"policyWAF": {
"use": "Arcadia_WAF_policy"
},
"securityLogProfiles": [{
"bigip": "/Common/Log all requests"
}],
"profileTCP": {
"egress": "wan",
"ingress": { "use": "TCP_Profile" } },
"profileHTTP": { "use": "custom_http_profile" },
"serverTLS": { "bigip": "/Common/arcadia_client_ssl" }
},
"Arcadia_WAF_policy": {
"class": "WAF_Policy",
"url": "http://10.1.20.4/root/owasp_top10_awaf_policy/-/raw/master/WAF/ansible/bigip/policy.json",
"ignoreChanges": true
},
"pool_NGINX_WebApp": {
"class": "Pool",
"monitors": ["http"],
"members": [{
"servicePort": 8080,
"serverAddresses": ["10.1.20.10"]
}]
},
"custom_http_profile": {
"class": "HTTP_Profile",
"xForwardedFor": true
},
"TCP_Profile": {
"class": "TCP_Profile",
"idleTimeout": 60 }
}
}
}
}