Chapter 7: Security Features > Using web application firewall policies

Using web application firewall policies

You use web application firewall policies to scan HTTP requests and responses against known attack signatures and methods and filter matching traffic. This section includes the following topics:

Web application firewall basics

A web application firewall (WAF) is a security policy enforcement point positioned between a client endpoint and a web application. The primary purpose is to prevent attacks against the web servers. A WAF is deployed separately from the web application so that the process overhead required to perform security scanning can be offloaded from the web server, and policies can be administered from one platform to many servers.

A WAF uses methods that complement perimeter security systems, such as the FortiGate next-generation firewall. The FortiADC WAF module applies a set of policies to HTTP scanpoints, which are parsed contexts of an HTTP transaction.

Figure 47 illustrates the scanpoints. In the WAF policy configurations, you have options to enable rules to detect attacks at the request line, query string, filename, URI, request headers, request body, response code, or response body.

In particular:

Policy rules are enforced (action taken) when scanning is completed at four checkpoints:

If the HTTP Request Header violates a rule, and the action is Deny, the attempted session is dropped and scanning for the transaction stops. If the action is Alert, the event is logged and rules processing continues.

Figure 47: HTTP scanpoints

Web application firewall configuration overview

Figure 48 shows the relationship between WAF configuration elements. A WAF profile comprises a Web Attack Signature policy, URL Protection policy, HTTP Protocol Constraint policy, SQL/XSS Injection Detection policy, and Bot Detection policy. The profile is applied to a load balancing virtual server, so all traffic routed to the virtual server is subject to the WAF rules. WAF profiles can be applied to HTTP and HTTPS virtual servers but not HTTP Turbo virtual servers.

Figure 48: WAF configuration overview

Predefined configuration elements

The FortiADC WAF includes many predefined configuration elements to help you get started. It includes predefined WAF profiles, predefined Web Attack Signature policies, predefined HTTP Protocol Constraint policies, and predefined SQL/XSS Injection Detection policies.

Severity

The severity ratings for predefined Web Attack Signatures and the default severity rating for feature options like SQL/XSS Injection Detection are based on the Open Web Application Security Project (OWASP) Risk Rating Methodology. In order to harmonize the significance of severity levels in logs, we recommend you use this methodology to assign severity for any custom elements you create.

Exceptions

You can create exceptions so that traffic to specific hosts or URL patterns is not subject to processing by WAF rules. Exception lists are processed before traffic is inspected. If an exception applies, the traffic bypasses the WAF module.

Basic Steps

  1. Create configuration objects that define the exception.
  2. Add the exception to a WAF profile configuration or WAF rule configuration.

Configuring a Web Attack Signature policy

The FortiGuard Web Attack Signature service provides a database of attack signatures that is updated periodically to protect against new kinds of attacks. Table 58 summarizes the categories of threats that are detected by the signatures. The categories are reported in logs.

In the Web Attack Signature policy configuration, you can enable/disable the class of scanpoints and the action when traffic matches signatures.

There are three classes of scanpoints: the HTTP header, the HTTP request body, and the HTTP response body.

Header scanning is always a good practice, so enabling a policy always enables header scanning. Body scanning impacts performance, so you have the option of disabling body scanning if system utilization or latency becomes an issue.

You can specify separate actions for three event severities: high, medium, and low.

Table 56 describes the predefined policies. You can select the predefined policies in your WAF profiles, or you can create policies that enable a different set of scan classes or a different action. In this release, you cannot exclude individual signatures or create custom signatures. You can enable or disable the scan classes.

 Table 56:   Web Attack Signature predefined policies

High-Level-Security
  • Status: Scan HTTP header—Enabled. Scan HTTP Request Body—Enabled. Scan HTTP Response Body—Disabled.
  • Action: High Severity Action—Deny. Medium Severity Action—Deny. Low Severity Action—Alert.

Medium-Level-Security
  • Status: Scan HTTP header—Enabled. Scan HTTP Request Body—Enabled. Scan HTTP Response Body—Disabled.
  • Action: High Severity Action—Deny. Medium Severity Action—Alert. Low Severity Action—Alert.

Alert-Only
  • Status: Scan HTTP header—Enabled. Scan HTTP Request Body—Disabled. Scan HTTP Response Body—Disabled.
  • Action: High Severity Action—Alert. Medium Severity Action—Alert. Low Severity Action—Alert.

Basic Steps

  1. Configure the connection to FortiGuard so the system can receive periodic WAF Signature Database updates. See Configuring FortiGuard service settings.
  2. Optionally, if you do not want to use the predefined policies, configure Web Attack Signature policies. See below.
  3. Select a policy when you configure the WAF profile that you associate with virtual servers. See Using web application firewall policies.

Before you begin:

To configure a Web Attack Signature policy:
  1. Go to Security > Web Application Firewall.
  2. Click the Web Attack Signature tab.
  3. Click Add to display the configuration editor.
  4. Complete the configuration as described in Table 57.
  5. Save the configuration.

 Table 57:   Web Attack Signature configuration

Settings Guidelines

Name

Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.

After you initially save the configuration, you cannot edit the name.

Status

Enable/disable scanning against the signature database. This includes HTTP header scanning but not HTTP body scanning.

Request Body Status

Enable/disable scanning of the HTTP request body.

Response Body Status

Enable/disable scanning of the HTTP response body.

High Severity Action

  • Alert—Allow the traffic and log the event.
  • Deny—Drop the traffic, send a 403 Forbidden to the client, and log the event.

The default is alert, but we recommend you deny traffic that matches high severity signatures.

Medium Severity Action

  • Alert—Allow the traffic and log the event.
  • Deny—Drop the traffic, send a 403 Forbidden to the client, and log the event.

The default is alert. For stricter security, you can deny traffic that matches medium severity signatures.

Low Severity Action

  • Alert—Allow the traffic and log the event.
  • Deny—Drop the traffic, send a 403 Forbidden to the client, and log the event.

The default is alert, which is the recommended action for low severity signatures.

Signature

Name

Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.

After you initially save the configuration, you cannot edit the name.

Status

Enable/disable the signature.

Exception Name

Select an exception configuration object. Exceptions identify specific hosts or URL patterns that are not subject to processing by this rule.

Description

A string to describe the purpose of the configuration, to help you and other administrators more easily identify its use.

Table 58 summarizes the categories of threats that are detected by the signatures.

 Table 58:   Web Attack Signature categories and subcategories

Category (ID), with subcategories (ID) where defined:

Cross Site Scripting (1)

SQL Injection (2)

Generic Attacks (3)
  • OS Command Injection (1)
  • Coldfusion Injection (2)
  • LDAP Injection (3)
  • Command Injection (4)
  • Session Fixation (5)
  • File Injection (6)
  • PHP Injection (7)
  • SSI Injection (8)
  • UPDF XSS (9)
  • Email Injection (10)
  • HTTP Response Splitting (11)
  • RFI Injection (12)

Trojans (4)

Information Disclosure (5)
  • Zope Information Leakage (13)
  • CF Information Leakage (14)
  • PHP Information Leakage (15)
  • ISA Server Existence Revealed (16)
  • Microsoft Office Document Properties Leakage (17)
  • CF Source Code Leakage (18)
  • IIS Information Leakage (19)
  • WebLogic Information Leakage (20)
  • Generic Filename and Directory Leakage (21)
  • ASP/JSP Source Code Leakage (22)
  • PHP Source Code Leakage (23)
  • SQL Error Leakage (24)
  • HTTP Header Leakage (25)
  • WordPress Leakage (26)

Known Exploits (6)
  • Oracle 9i (27)
  • Coppermine Photo Gallery (28)
  • Netscape Enterprise Server (29)
  • Cisco IOS HTTP Service (30)
  • Microsoft SQL Server (31)
  • HP OpenView Network Node Manager (32)
  • Best Software SalesLogix (33)
  • IBM Lotus Domino Web Server (34)
  • Microsoft IIS (35)
  • Microsoft Windows Media Services (36)
  • Dave Carrigan Auth_LDAP (37)
  • 427BB (38)
  • RaXnet Cacti Graph (39)
  • CHETCPASSWD (40)
  • SAP (41)

Credit Card Detection (7)

Bad Robot (8)

Configuring a URL Protection policy

URL protection policies can filter HTTP requests that match specific character strings and file extensions.

Before you begin:

After you have configured URL protection policies, you can select them in WAF profiles.

To configure a URL Protection policy:
  1. Go to Security > Web Application Firewall.
  2. Click the URL Protection tab.
  3. Click Add to display the configuration editor.
  4. Complete the configuration as described in Table 59.
  5. Save the configuration.

 Table 59:   URL Protection configuration

Settings Guidelines

Name

Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.

After you initially save the configuration, you cannot edit the name.

URL Access Rule

Full URL Pattern

Matching string. Regular expressions are supported.

Action

  • Alert—Allow the traffic and log the event.
  • Deny—Drop the traffic, send a 403 Forbidden to the client, and log the event.

The default is alert.

Severity

  • High—Log as high severity events.
  • Medium—Log as medium severity events.
  • Low—Log as low severity events.

The default is low.

Exception Name

Select an exception configuration object. Exceptions identify specific hosts or URL patterns that are not subject to processing by this rule.

File Extension Rule

File Extension Pattern

Matching string. Regular expressions are supported.

Action

  • Alert—Allow the traffic and log the event.
  • Deny—Drop the traffic, send a 403 Forbidden to the client, and log the event.

The default is alert.

Severity

  • High—Log as high severity events.
  • Medium—Log as medium severity events.
  • Low—Log as low severity events.

The default is low.

Exception Name

Select an exception configuration object. Exceptions identify specific hosts or URL patterns that are not subject to processing by this rule.

Configuring an HTTP Protocol Constraint policy

The HTTP Protocol Constraint policy includes the following rules: request parameter constraints (URI, header, cookie, parameter, and body limits, plus hostname and HTTP version checks), a request method rule, and a response code rule.

Table 60 describes the predefined policies.

 Table 60:   Predefined HTTP protocol constraint policies

Predefined Rules Description

High-Level-Security

Protocol constraints enabled with default values. Action is set to deny. Severity is set to high.

Medium-Level-Security

Protocol constraints enabled with default values. Action is set to alert. Severity is set to medium.

Alert-Only

Protocol constraints enabled with default values. Action is set to alert. Severity is set to low.

If desired, you can create user-defined rules to filter traffic with invalid HTTP request methods or drop packets with the specified server response codes.

Before you begin:

To configure an HTTP Protocol Constraint policy:
  1. Go to Security > Web Application Firewall.
  2. Click the HTTP Protocol Constraint tab.
  3. Click Add to display the configuration editor.
  4. Complete the configuration as described in Table 61.
  5. Save the configuration.

 Table 61:   HTTP Protocol Constraint configuration

Settings Guidelines

Name

Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.

After you initially save the configuration, you cannot edit the name.

Request Parameters

Maximum URI Length

Maximum characters in an HTTP request URI. The default is 2048. The valid range is 1-8192.

Illegal Host Name

Enable/disable hostname checks. A domain name must consist of only ASCII alphabetic and numeric characters, plus the hyphen. The hostname is checked against the set of characters allowed by RFC 2616. Disallowed characters, such as non-printable ASCII characters or other special characters (for example, '<', '>', and the like), are a symptom of an attack.

Illegal HTTP Version

Enable/disable the HTTP version check. Well-formed requests include the version of the protocol used by the client, in the form HTTP/v, where v is replaced by the actual version number (one of 0.9, 1.0, 1.1). Malformed requests are a sign of traffic that was not sent from a normal browser and are a symptom of an attack.

Maximum Cookie Number In Request

Maximum number of cookie headers in an HTTP request. The default is 16. The valid range is 1-32.

Maximum Header Number In Request

Maximum number of headers in an HTTP request. The default is 50. Requests with more headers are a symptom of a buffer overflow attack or an attempt to evade detection mechanisms. The valid range is 1-100.

Maximum Request Header Name Length

Maximum characters in an HTTP request header name. The default is 1024. The valid range is 1-8192.

Maximum Request Header Value Length

Maximum characters in an HTTP request header value. The default is 4096. Longer headers might be a symptom of a buffer overflow attack. The valid range is 1-8192.

Maximum URL Parameter Name Length

Maximum characters in a URL parameter name. The default is 1024. The valid range is 1-2048.

Maximum URL Parameter Value Length

Maximum characters in a URL parameter value. The default is 4096. The valid range is 1-8192.

Maximum Request Header Length

Maximum length of the HTTP request header. The default is 8192. The valid range is 1-16384.

Maximum Request Body Length

Maximum length of the HTTP request body. The default is 67108864. The valid range is 1-67108864.

Request Method Rule

Method

Select one or more methods to match in the HTTP request line:

  • CONNECT
  • DELETE
  • GET
  • HEAD
  • OPTIONS
  • POST
  • PUT
  • TRACE
  • Others

Note: The first 8 methods are described in RFC 2616. The Others group contains less commonly used HTTP methods, such as those defined by the Web Distributed Authoring and Versioning (WebDAV) extensions.

Action

  • Alert—Allow the traffic and log the event.
  • Deny—Drop the traffic, send a 403 Forbidden to the client, and log the event.

The default is alert.

Severity

  • High—Log as high severity events.
  • Medium—Log as medium severity events.
  • Low—Log as low severity events.

The default is low.

Exception

Select an exception configuration object. Exceptions identify specific hosts or URL patterns that are not subject to processing by this rule.

Response Code Rule

Minimum Status Code / Maximum Status Code

Start/end of a range of status codes to match. You can specify codes 400 to 599.

Action

  • Alert—Allow the traffic and log the event.
  • Deny—Drop the traffic, send a 403 Forbidden to the client, and log the event.

The default is alert.

Severity

  • High—Log as high severity events.
  • Medium—Log as medium severity events.
  • Low—Log as low severity events.

The default is low.

Exception

Select an exception configuration object. Exceptions identify specific hosts or URL patterns that are not subject to processing by this rule.
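The following is an added example, not FortiADC code: a small Python model of the request-side checks in an HTTP Protocol Constraint policy, using the default limits from Table 61, the Request Method Rule, and the Alert/Deny action semantics described above. The optional :port in the hostname check, the way the header block length is computed, and the Policy/Request names are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Default limits from the table; blocking "Others" means any method outside RFC 2616's eight.
DEFAULT_LIMITS = {
    "max_uri_length": 2048,
    "max_cookie_number": 16,
    "max_header_number": 50,
    "max_header_name_length": 1024,
    "max_header_value_length": 4096,
    "max_param_name_length": 1024,
    "max_param_value_length": 4096,
    "max_request_header_length": 8192,
    "max_body_length": 67108864,
}
ALLOWED_VERSIONS = {"0.9", "1.0", "1.1"}
RFC2616_METHODS = {"CONNECT", "DELETE", "GET", "HEAD", "OPTIONS", "POST", "PUT", "TRACE"}
# Letters, digits, hyphen and dots; allowing an optional :port here is an assumption.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]+(?::\d+)?$")

@dataclass
class Policy:
    limits: dict = field(default_factory=lambda: dict(DEFAULT_LIMITS))
    check_hostname: bool = True
    check_version: bool = True
    blocked_methods: frozenset = frozenset()  # Request Method Rule: methods to match
    action: str = "alert"                     # "alert" or "deny"

@dataclass
class Request:
    method: str
    uri: str
    version: str
    headers: list            # (name, value) pairs in wire order
    body: bytes = b""

def check_request(req, policy):
    """Return a list of (rule name, detail) violations; an empty list means the request passes."""
    lim, found = policy.limits, []
    if len(req.uri) > lim["max_uri_length"]:
        found.append(("Maximum URI Length", len(req.uri)))
    if policy.check_version and req.version not in ALLOWED_VERSIONS:
        found.append(("Illegal HTTP Version", req.version))
    hosts = [v for n, v in req.headers if n.lower() == "host"]
    if policy.check_hostname and hosts and not HOSTNAME_RE.match(hosts[0]):
        found.append(("Illegal Host Name", hosts[0]))
    cookies = sum(1 for n, _ in req.headers if n.lower() == "cookie")
    if cookies > lim["max_cookie_number"]:
        found.append(("Maximum Cookie Number In Request", cookies))
    if len(req.headers) > lim["max_header_number"]:
        found.append(("Maximum Header Number In Request", len(req.headers)))
    for n, v in req.headers:
        if len(n) > lim["max_header_name_length"]:
            found.append(("Maximum Request Header Name Length", len(n)))
        if len(v) > lim["max_header_value_length"]:
            found.append(("Maximum Request Header Value Length", n))
    wire = sum(len(n) + len(v) + 4 for n, v in req.headers)  # "name: value\r\n" per header
    if wire > lim["max_request_header_length"]:
        found.append(("Maximum Request Header Length", wire))
    if len(req.body) > lim["max_body_length"]:
        found.append(("Maximum Request Body Length", len(req.body)))
    for pair in filter(None, req.uri.partition("?")[2].split("&")):
        n, _, v = pair.partition("=")
        if len(n) > lim["max_param_name_length"]:
            found.append(("Maximum URL Parameter Name Length", len(n)))
        if len(v) > lim["max_param_value_length"]:
            found.append(("Maximum URL Parameter Value Length", n))
    if req.method in policy.blocked_methods or (
            req.method not in RFC2616_METHODS and "Others" in policy.blocked_methods):
        found.append(("Request Method Rule", req.method))
    return found

def enforce(req, policy):
    """Deny: drop the request and answer 403. Alert: log the violations but let it through."""
    found = check_request(req, policy)
    return (403 if found and policy.action == "deny" else None), found

# Constructed sample: a WebDAV method, a Host with angle brackets, and 17 Cookie headers.
SAMPLE = Request("PROPFIND", "/share/a?id=1", "1.1",
                 [("Host", "app<evil>.example")] + [("Cookie", "c=1")] * 17)
```

With the default policy (no blocked methods, action alert) the sample is logged and passed; with Others blocked and action deny it is answered with 403.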

Configuring an SQL/XSS Injection Detection policy

SQL/XSS Injection Detection policies detect SQL injection and cross-site scripting (XSS) attacks. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. In an SQL injection attack, attackers craft HTTP requests that cause SQL queries to be executed directly against the web application’s database. XSS injection attacks cause a web browser to execute a client-side script.

In contrast to signature-based detection, the WAF SQL/XSS injection detector module identifies SQL and XSS injection through lexical analysis of the request content. This complements signature matching and is faster.

The policy enables/disables scanpoints and sets the action and event severity for traffic that matches.

You can enable detection in the following scanpoints: the request URI, the Referer header, the Cookie header, and the HTTP body.

Header scanning is recommended. Body scanning impacts performance, so you have the option of disabling body scanning if system utilization or latency becomes an issue.

Table 62 describes the predefined policies.

 Table 62:   Predefined SQL injection and XSS detection policies

High-Level-Security
  • SQL Injection: detection in all scanpoints except body; Action: Deny; Severity: High.
  • XSS: detection in all scanpoints except body; Action: Deny; Severity: High.

Medium-Level-Security
  • SQL Injection: URI detection only; Action: Deny; Severity: High.
  • XSS: detection: None; Action: Alert; Severity: Low.

Alert-Only
  • SQL Injection: URI detection only; Action: Alert; Severity: High.
  • XSS: detection: None; Action: Alert; Severity: Low.

If desired, you can create user-defined policies.

Before you begin:

After you have created an SQL injection/XSS policy, you can specify it in a WAF profile configuration.

To configure an SQL/XSS Injection Detection policy:
  1. Go to Security > Web Application Firewall.
  2. Click the SQL/XSS Injection Detection tab.
  3. Click Add to display the configuration editor.
  4. Complete the configuration as described in Table 63.
  5. Save the configuration.

 Table 63:   SQL/XSS Injection Detection configuration

Settings Guidelines

Name

Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.

After you initially save the configuration, you cannot edit the name.

SQL

SQL Injection Detection

Enable/disable SQL injection detection.

URI Detection

Enable/disable detection in the request URI.

Referer Detection

Enable/disable detection in the Referer header.

Cookie Detection

Enable/disable detection in the Cookie header.

Body Detection

Enable/disable detection in the HTTP Body message.

Action

  • Alert—Allow the traffic and log the event.
  • Deny—Drop the traffic, send a 403 Forbidden to the client, and log the event.

The default is alert, but we recommend you deny SQL Injection.

Severity

  • High—Log as high severity events.
  • Medium—Log as medium severity events.
  • Low—Log as low severity events.

The default is low, but we recommend you rate this high or medium.

SQL Exception Name

Select an exception configuration object. Exceptions identify specific hosts or URL patterns that are not subject to processing by this rule.

XSS

XSS Injection Detection

Enable/disable XSS injection detection.

URI Detection

Enable/disable detection in the request URI.

Referer Detection

Enable/disable detection in the Referer header.

Cookie Detection

Enable/disable detection in the Cookie header.

Body Detection

Enable/disable detection in the HTTP Body message.

Action

  • Alert—Allow the traffic and log the event.
  • Deny—Drop the traffic, send a 403 Forbidden to the client, and log the event.

The default is alert, but we recommend you deny XSS Injection.

Severity

  • High—Log matches as high severity events.
  • Medium—Log matches as medium severity events.
  • Low—Log matches as low severity events.

The default is low, but we recommend you rate this high or medium.

XSS Exception Name

Select an exception configuration object. Exceptions identify specific hosts or URL patterns that are not subject to processing by this rule.

Configuring WAF Exception objects

Exceptions identify specific hosts or URL patterns that are not subject to processing by WAF rules.

Before you begin:

After you have created an exception object, you can specify it in WAF profiles and individual WAF feature rules.

To configure an exception object:
  1. Go to Security > Web Application Firewall.
  2. Click the Exceptions tab.
  3. Click Add to display the configuration editor.
  4. Complete the configuration as described in Table 64.
  5. Save the configuration.

 Table 64:   WAF Exception objects

Settings Guidelines

Name

Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.

After you initially save the configuration, you cannot edit the name.

Exception Host Status

Enable/disable setting exceptions by host pattern.

Exception Host

Matching string. Regular expressions are supported. For example, you can specify www.example.com, *.example.com, or www.example.* to match a literal host pattern or a wildcard host pattern.

Exception URL

Matching string. Must begin with a URL path separator (/). Regular expressions are supported. For example, you can specify pathnames and files with expressions like \/admin, .*\/data\/1.html, or \/data.*.
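As an added example (not FortiADC code), the following Python shows how an exception object built from the host and URL patterns quoted in Table 64 might be evaluated against a request. The rewrite of a leading wildcard to a regex, the AND semantics between host and URL criteria, the tolerance of a leading .* in URL patterns, and the names WafException and bypasses_waf are assumptions of this example.

```python
import re

def host_regex(pattern):
    """Host patterns may be a literal (www.example.com), a regex, or wildcard style
    (*.example.com). A bare leading '*' is read as '.*' (assumption); the pattern
    must cover the whole host, case-insensitively."""
    if pattern.startswith("*"):
        pattern = ".*" + pattern[1:]
    return re.compile(r"^(?:%s)$" % pattern, re.IGNORECASE)

def url_regex(pattern):
    """URL patterns must begin with '/' (written as '\\/' in regex form). The table's
    own examples also use a leading '.*', so that prefix is tolerated here. The
    pattern is matched from the start of the path only, so '\\/admin' also covers
    '/administrator'; append '$' to the pattern if an exact match is wanted."""
    if not re.match(r"^(?:\.\*)?\\?/", pattern):
        raise ValueError("Exception URL must begin with a URL path separator: %r" % pattern)
    return re.compile(r"^(?:%s)" % pattern)

class WafException:
    """One exception object. Bypass applies when every configured criterion matches
    (AND semantics, an assumption of this example); an object with neither host nor
    URL configured never matches, so it cannot silently exempt all traffic."""
    def __init__(self, name, host_status=False, host=None, url=None):
        self.name = name
        self.host = host_regex(host) if host_status and host else None
        self.url = url_regex(url) if url else None

    def matches(self, host, path):
        if self.host is None and self.url is None:
            return False
        if self.host is not None and not self.host.match(host):
            return False
        return self.url is None or self.url.match(path) is not None

def bypasses_waf(exceptions, host, path):
    """Return the name of the first exception that exempts the request, or None."""
    for exc in exceptions:
        if exc.matches(host, path):
            return exc.name
    return None

# Constructed exception objects built from the patterns quoted in the table.
EXCEPTIONS = [
    WafException("static-data", host_status=True, host="*.example.com", url=r"\/data.*"),
    WafException("legacy-admin", url=r"\/admin"),
    WafException("report", host_status=True, host="www.example.*", url=r".*\/data\/1.html"),
]
```

Because a bypass removes the request from all WAF inspection, keep exception patterns as narrow as the regex allows and anchor them where a prefix match is not intended.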

Configuring a Bot Detection policy

Bot detection policies use signatures and source behavior tracking to detect client traffic likely to be generated by robots instead of genuine clients. Some bots, such as search engine crawlers, are "good bots" that perform search indexing tasks that can result in more legitimate users being directed to your site. You enable a whitelist to permit those. "Bad bots" are known to send traffic that has a negative impact on site availability and integrity, such as DDoS attacks or content scraping. You want to block these.

To get started, you can use predefined whitelists (known good bots) and blacklists (known bad bots). You can also specify a rate limit threshold of HTTP requests/second for sources not matched to either whitelist or blacklist. The rate limit threshold can be useful in detecting "unknown bots".

In the event of false positives, you can use the user-specified whitelist table to fine-tune detection.

Before you begin:

After you have configured Bot Detection policies, you can select them in WAF profiles.

To configure a Bot Detection policy:
  1. Go to Security > Web Application Firewall.
  2. Click the Bot Detection tab.
  3. Click Add to display the configuration editor.
  4. Complete the configuration as described in Table 65.
  5. Save the configuration.

 Table 65:   Bot Detection configuration

Settings Guidelines

Name

Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.

After you initially save the configuration, you cannot edit the name.

Status

Enable/disable Bot detection.

Search Engine Status

Enable/disable the predefined search engine spider whitelist. The list is included in WAF signature updates from FortiGuard.

Bad Robot Status

Enable/disable the predefined bad robot blacklist. The list is included in WAF signature updates from FortiGuard.

HTTP Request Rate

Specify a threshold (HTTP requests/second/source) to trigger the action. Bots send HTTP request traffic at extraordinarily high rates. The source is tracked by source IP address and User-Agent.

The default is 0 (off). The valid range is 0-100,000,000 requests per second.

Action

  • Alert—Allow the traffic and log the event.
  • Deny—Drop the traffic, send a 403 Forbidden to the client, and log the event.

The default is alert.

Severity

  • High—Log as high severity events.
  • Medium—Log as medium severity events.
  • Low—Log as low severity events.

The default is low.

Block Period

The default is 3600 seconds. The valid range is 1-3600.

The maximum size of the block IP address table is 100,000 entries. If the table is full, the earliest entry will be deleted.

Whitelist

IPv4/Netmask

Matching subnet (CIDR format).

URL Pattern

Matching string. Regular expressions are supported.

URL Parameter Name

Matching string. Regular expressions are supported.

Cookie Name

Matching string. Regular expressions are supported.

User Agent

Matching string. Regular expressions are supported.
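Added example, not FortiADC code: a Python model of the HTTP Request Rate check from Table 65, with sources tracked per source IP and User-Agent, the block period, the 100,000-entry block table that evicts its earliest entry when full, and a CIDR and User-Agent whitelist. The predefined signature lists are not modelled; the one-second sliding window, the BotDetection class and its observe() interface are assumptions of this example.

```python
import ipaddress
import re
from collections import OrderedDict, deque

class BotDetection:
    """Rate-based part of a Bot Detection policy. Sources are tracked per
    (source IP, User-Agent); offenders go into a block table keyed by IP that
    holds at most max_block_entries, dropping the earliest entry when full."""

    def __init__(self, rate_threshold, block_period=3600, action="deny",
                 whitelist_cidrs=(), whitelist_user_agents=(), max_block_entries=100_000):
        assert 1 <= block_period <= 3600            # valid range from the table
        self.threshold = rate_threshold             # requests/second/source; 0 = off
        self.block_period = block_period
        self.action = action                        # "alert" or "deny"
        self.cidrs = [ipaddress.ip_network(c) for c in whitelist_cidrs]
        self.ua_patterns = [re.compile(p) for p in whitelist_user_agents]
        self.max_block_entries = max_block_entries
        self.windows = {}                           # (ip, ua) -> deque of timestamps
        self.blocked = OrderedDict()                # ip -> time the block was set

    def whitelisted(self, ip, ua):
        """User-specified whitelist: a matching CIDR or User-Agent regex skips detection."""
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.cidrs) or any(p.search(ua) for p in self.ua_patterns)

    def observe(self, ip, ua, now):
        """Process one request seen at time `now` (seconds). Returns "allow", "alert" or "deny"."""
        if self.whitelisted(ip, ua):
            return "allow"
        blocked_at = self.blocked.get(ip)
        if blocked_at is not None:
            if now - blocked_at < self.block_period:
                return "deny"
            del self.blocked[ip]                    # block period expired
        if self.threshold == 0:
            return "allow"
        window = self.windows.setdefault((ip, ua), deque())
        window.append(now)
        while window and now - window[0] >= 1.0:    # keep only the last second
            window.popleft()
        if len(window) <= self.threshold:
            return "allow"
        if self.action != "deny":
            return "alert"                          # log the event, let traffic through
        if len(self.blocked) >= self.max_block_entries:
            self.blocked.popitem(last=False)        # table full: delete the earliest entry
        self.blocked[ip] = now
        return "deny"
```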

Configuring a WAF Profile

A WAF profile references the WAF policies that are to be enforced.

Table 66 describes the predefined profiles. In many cases, you can use predefined profiles to get started.

 Table 66:   Predefined WAF profiles

Predefined Profiles Description

High-Level-Security

  • Web Attack Signature policy: High-Level-Security
  • HTTP Protocol Constraints policy: High-Level-Security
  • SQL/XSS Injection Detection policy: High-Level-Security

Medium-Level-Security

  • Web Attack Signature policy: Medium-Level-Security
  • HTTP Protocol Constraints policy: Medium-Level-Security
  • SQL/XSS Injection Detection policy: Medium-Level-Security

Alert-Only

  • Web Attack Signature policy: Alert-Only
  • HTTP Protocol Constraints policy: Alert-Only
  • SQL/XSS Injection Detection policy: Alert-Only

If desired, you can create user-defined profiles. The maximum number of profiles per VDOM is 255.

Before you begin:

After you have created a WAF profile, you can specify it in a virtual server configuration.

To configure a WAF Profile:
  1. Go to Security > Web Application Firewall.
  2. Click the WAF Profile tab.
  3. Click Add to display the configuration editor.
  4. Complete the configuration as described in Table 67.
  5. Save the configuration.


 Table 67:   WAF Profile configuration

Settings Guidelines

Name

Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.

After you initially save the configuration, you cannot edit the name.

Description

A string to describe the purpose of the configuration, to help you and other administrators more easily identify its use.

Web Attack Signature

Select a predefined or user-defined Web Attack Signature configuration object.

URL Protection

Select a user-defined URL Protection configuration object.

HTTP Protocol Constraint

Select a predefined or user-defined HTTP Protocol Constraint configuration object.

SQL/XSS Injection Detection

Select a predefined or user-defined SQL/XSS Injection Detection configuration object.

Exception Name

Select a user-defined exception configuration object. Exceptions identify specific hosts or URL patterns that are not subject to processing by the WAF rules in this profile.

Bot Detection

Select a user-defined Bot Detection configuration object.