Hi JRahm, sure I will.
Below is example of the JSON policy. It contains only basic configuration as all important is in swagger itself.
{
"policy" : {
"applicationLanguage" : "utf-8",
"caseInsensitive" : true,
"description" : "API Security Policy for application",
"enablePassiveMode" : false,
"enforcementMode" : "transparent",
"fullPath" : "/Common/sp_wafenv_api_application",
"name" : "sp_wafenv_api_application",
"protocolIndependent" : false,
"signature-settings" : {
"signatureStaging" : false
},
"softwareVersion" : "f5version",
"template" : {
"name" : "POLICY_TEMPLATE_API_SECURITY"
},
"open-api-files": [
{
"filename": "file://swagger-file"
}
],
"type" : "security",
"http-protocols" : [
{
"description" : "Multiple host headers",
"enabled" : true,
"learn" : true
},
....
....
....
{
"description" : "Chunked request with Content-Length header",
"enabled" : true,
"learn" : true
}
],
"filetypes": [
{
"allowed": true,
"checkPostDataLength": true,
"checkQueryStringLength": true,
"checkRequestLength": true,
"checkUrlLength": true,
"name": "no_ext",
"performStaging": false,
"postDataLength": 10000,
"queryStringLength": 1000,
"requestLength": 10000,
"responseCheck": false,
"type": "explicit",
"urlLength": 100
}
],
"brute-force-attack-preventions": [
{
"captchaBypassCriteria": {
"action": "alarm-and-drop",
"enabled": false,
"threshold": 5
},
"clientSideIntegrityBypassCriteria": {
"action": "alarm-and-captcha",
"enabled": false,
"threshold": 3
},
......
......
......
"loginAttemptsFromTheSameUser": {
"action": "alarm-and-captcha",
"enabled": false,
"threshold": 3
},
"measurementPeriod": 900,
"preventionDuration": "3600",
"reEnableLoginAfter": 900,
"sourceBasedProtectionDetectionPeriod": 900,
"url": {
"method": "POST",
"name": "/oauth/token",
"protocol": "http",
"type": "explicit"
}
}
],
"json-profiles": [
{
"defenseAttributes": {
"maximumArrayLength": 1000,
"maximumStructureDepth": 10,
"maximumTotalLengthOfJSONData": 10000,
"maximumValueLength": 100,
"tolerateJSONParsingWarnings": false
},
"description": "",
"handleJsonValuesAsParameters": true,
"hasValidationFiles": false,
"name": "Default",
"validationFiles": []
}
],
"login-pages": [
{
"accessValidation": {
"cookieContains": "",
"headerContains": "",
"headerOmits": "",
"parameterContains": "",
"responseContains": "",
"responseHttpStatus": "200",
"responseOmits": ""
},
"authenticationType": "form",
"passwordParameterName": "xxxxxx",
"url": {
"method": "POST",
"name": "/oauth/token",
"protocol": "http",
"type": "explicit"
},
"usernameParameterName": "yyyyyy"
}
]
}
}
So for example If I want add new file type then I modify section "filetypes". Sections like "whitelist-ips", "urls", "login-pages" works fine. But I wanted to modify configuration for "HTTP Protocol Compliance" (http-protocols in JSON) to enable some items but this was not changed after policy was imported and applied.
I checked logs for some errors but nothing was reported. Also just to be sure that I have no issue during processing of the policy I changed values in brute force section and those changes has been visible in GUI. But changes related to "HTTP Protocol Compliance" were not.
In JSON has one item of the http-protocols parameters like
{
"description" : "Bad host header value",
"enabled" : true,
"learn" : true
},
Is decription sufficient identificator to define what property should be changed?
As workaround maybe will be to create custom API template and use it instead general "POLICY_TEMPLATE_API_SECURITY". But did not test it yet.
Cirrus
