
AppXcel

Web Application Firewall


January 2008

Table of Contents

Chapter 1 - Web Application Firewall Overview ... 1-1
    Protection Layers ... 1-2
        Web Application on AppXcel ... 1-2
        Signature-Based Intrusion Prevention ... 1-4
        Web Protocol Violations and Web Worms ... 1-6
        Profile Violations ... 1-7
    The Blocking Process ... 1-10
        Source Blocking versus Immediate Blocking ... 1-10
        IP Blocking versus Application Session Blocking ... 1-11
        The Process of Blocking Traffic ... 1-11
    AppXcel WAF Management ... 1-13
        AppXcel WAF Components ... 1-13

Chapter 2 - Getting Started ... 2-1
    Configuration Flow ... 2-2
        Introduction ... 2-2
        AppXcel WAF Add-on license ... 2-2
        Launching AppXcel WAF Management Interface from APSolute Insite ... 2-3
        AppXcel WAF Protection Flow ... 2-5
    Touring the AppXcel WAF User Interface ... 2-7
        Introduction ... 2-7
        On-Line Help ... 2-10
    Initial Configuration ... 2-11
        Introduction ... 2-11
        Defining Server Groups ... 2-12
        Defining Network Firewall Rules ... 2-18
        Services ... 2-22
        Special Server Configuration ... 2-25
        Active Profile Settings ... 2-30

DefensePro User Guide

Chapter 3 - Setting the Operation Mode ... 3-1
    Operation Modes ... 3-2
        Operation Modes - Introduction ... 3-2
    IP Restrictions ... 3-3
        Restrict Monitoring to only this Source IP Group ... 3-3
        Ignore this Source IP Group (except for firewall violations) ... 3-4
    URL Restrictions ... 3-5
        Restrict Learning and Protection to only these URLs/Directories ... 3-5
        Ignore the following URLs/Directories ... 3-7
        Ignore Static Files ... 3-8
        Ignore Parameters ... 3-9
        Ignore XML Elements ... 3-9
    Automatic Profile Updates ... 3-10
        Automatic Profile Updates - Introduction ... 3-10

Chapter 4 - Configuring Actions ... 4-1
    Action Interfaces ... 4-2
        Introduction ... 4-2
        Defining Action Interfaces ... 4-2
    Configuring Action Policies ... 4-4
        Configuring Action Policies - Introduction ... 4-4
    Configuring Server Groups Security Rules ... 4-7
        Security Rules - Introduction ... 4-7
        Firewall Rules ... 4-10
        Signature Rules ... 4-12
        Protocol Violation Rules ... 4-13
        Web Worms Defender Rules ... 4-19
        Profile Violation Rules ... 4-22
        Custom Policy Rules ... 4-26
        Correlation Rules ... 4-32
    Preventing Blocking of Specific IP Addresses ... 4-36

Chapter 5 - Monitoring ... 5-1
    Activity Console ... 5-2
        Introduction ... 5-2
    Alerts ... 5-3
        Reading Alerts ... 5-3
        Browsing Monitored Events ... 5-10
        Operations on Alerts ... 5-11
        Additional View options ... 5-12
        Browsing Alerts ... 5-13
        Sorting Alerts ... 5-13
        Filtering Alerts ... 5-15
        Clearing the Alerts List ... 5-16
        Clearing All Alerts that Match a Filter ... 5-16
        Alert Aggregation ... 5-17
    Gateways ... 5-21
        Gateways - Introduction ... 5-21
    Blocked Sources ... 5-24
        Blocked Sources - Introduction ... 5-24
    Reports ... 5-26
        Reports - Introduction ... 5-26
        Alert Analysis Reports ... 5-30
        Top 20/100 Reports ... 5-31
        Profile Reports ... 5-32
        Assessment Reports ... 5-33
    System Log ... 5-35
        System Log - Introduction ... 5-35
    Notifications ... 5-37
        Notifications - Introduction ... 5-37

Chapter 6 - Web Profiles ... 6-1
    Dynamic Profiling ... 6-2
        Dynamic Profiling - Introduction ... 6-2
        Web Server Group Profiles ... 6-2
        URLs Profile ... 6-3
        URL Patterns ... 6-32
        Cookie Profiles ... 6-38

Chapter 7 - Configuring Signatures ... 7-1
    Application Defense Center Window ... 7-2
        Configuring Signatures - Introduction ... 7-2
        Dictionary Types ... 7-4
        Viewing Dictionaries ... 7-5
        Viewing Signatures Window ... 7-6
        Updating the Signatures Database ... 7-13
        Creating Dictionaries ... 7-17
        Viewing and Modifying Signatures in a Dictionary ... 7-24
        Viewing and Modifying a Dictionary's Filters ... 7-28
        Deleting Dictionaries ... 7-29

Appendix A - Defining IP Groups ... A-1
    Configuring IP Groups ... A-1

Appendix B - Action Interfaces ... B-1
    Action Interfaces ... B-1

Appendix C - Back-end SSL Encryption ... C-1
    Configuring Back-end SSL Encryption ... C-1
    Uploading Keys ... C-3

Appendix D - AppXcel WAF CLI Commands ... D-1

Appendix E - Database Overflow Protection ... E-1
    The Overflow Mechanism ... E-1

Appendix F - HTTP Methods ... F-1
    Standard Methods ... F-1
    WebDAV Methods ... F-3
    Microsoft IIS WebDAV Extensions ... F-4

Appendix G - HTTP Response Codes ... G-1

Appendix H - Parameter Value Types ... H-1
    Main Types ... H-1
    Extended Value Types ... H-2

Appendix I - Writing Signatures ... I-1
    Single Part Signatures ... I-1
    Multi Part Signatures ... I-2
    Adding Absolute Modifiers ... I-2
    Regular Expression Parts ... I-3
    Regular Expression Syntax ... I-4


Table of Figures
Figure 2-1 AppXcel WAF Device Upgrades ... 2-3
Figure 2-2 APSolute Insite WAF Launch Window ... 2-4
Figure 2-3 Web Application Firewall Protection System Flow ... 2-5
Figure 2-4 Web Application Firewall Interface Window ... 2-8
Figure 2-5 Tree Menu ... 2-9
Figure 2-6 On-Line Help Window ... 2-10
Figure 2-7 Server Groups Overview Window ... 2-12
Figure 2-8 Default Group Server Definitions Window ... 2-13
Figure 2-9 Add IP to Default Server Group Window ... 2-13
Figure 2-10 Creating a New Server Group ... 2-14
Figure 2-11 Web Server Group Icon ... 2-15
Figure 2-12 New Web Server Group Window ... 2-16
Figure 2-13 New Web Server Group: Add IP ... 2-18
Figure 2-14 Firewall Rules Window ... 2-20
Figure 2-15 Add Firewall Rule Window ... 2-21
Figure 2-16 Edit Firewall Rule Window ... 2-22
Figure 2-17 Service to Port Mapping Window ... 2-23
Figure 2-18 Add Service Window ... 2-24
Figure 2-19 Error Page Window ... 2-26
Figure 2-20 Session Tracking Window ... 2-28
Figure 3-1 Restrict Learning and Protection ... 3-6
Figure 3-2 Ignored URLs / Directories Dialog ... 3-7
Figure 3-3 Static File Extensions Window ... 3-8
Figure 3-4 Automatic Profiles Updates Window ... 3-12
Figure 4-1 Action Policy ... 4-6
Figure 4-2 Firewall Rules Window ... 4-8
Figure 4-3 Copy Action Policy From Window ... 4-9
Figure 4-4 Restore Defaults Window ... 4-9
Figure 4-5 Firewall Actions Window ... 4-10
Figure 4-6 Signature Rules Window ... 4-12
Figure 4-7 Protocol Violation Rules Window ... 4-14
Figure 4-8 Web Worm Defender Rules Window ... 4-19
Figure 4-9 Worm Protected Directories ... 4-21
Figure 4-10 Profile Violation Rules Window ... 4-22
Figure 4-11 Custom Policy Rules ... 4-28
Figure 4-12 Correlation Rules Window ... 4-33
Figure 4-13 Non-Blockable IP Addresses ... 4-36
Figure 5-1 Alerts Window ... 5-4
Figure 5-2 Knowledge Base Window ... 5-9
Figure 5-3 Link to Monitored Events Window ... 5-10
Figure 5-4 Monitored Events Window ... 5-11
Figure 5-5 Advanced Sort Window Box ... 5-14
Figure 5-6 Filter Window ... 5-15
Figure 5-7 Gateways Window ... 5-21
Figure 5-8 Currently Blocked Sources Window ... 5-25
Figure 5-9 Reports Window ... 5-27
Figure 5-10 Top 20 Attacking IPs Report Window ... 5-29
Figure 5-11 System Log ... 5-35
Figure 5-12 Notifications ... 5-38
Figure 6-1 URLs Window (Tree View) ... 6-5
Figure 6-2 Learned URLs Window (List View) ... 6-8
Figure 6-3 Filter URLs Window Box ... 6-10
Figure 6-4 Advanced Sort Window Box ... 6-12
Figure 6-5 Add URL Window Box ... 6-13
Figure 6-6 Edit Methods Window ... 6-14
Figure 6-7 Delete URL Confirmation Window ... 6-15
Figure 6-8 Add Prefix Window ... 6-18
Figure 6-9 Configure Value Type Window ... 6-19
Figure 6-10 Delete URL Prefix Confirmation Window ... 6-20
Figure 6-11 URL Parameters Table ... 6-21
Figure 6-12 Add Parameter Window ... 6-22
Figure 6-13 Delete Parameter Confirmation Window ... 6-23
Figure 6-14 Copy Parameters ... 6-24
Figure 6-15 Save As Pattern Window ... 6-25
Figure 6-16 Host Mapping Window ... 6-27
Figure 6-17 Add Host Window ... 6-28
Figure 6-18 Edit Host Groups Window ... 6-29
Figure 6-19 SOAP URL - Tree View ... 6-30
Figure 6-20 SOAP URL - List View ... 6-32
Figure 6-21 URL Patterns Window ... 6-34
Figure 6-22 Add Pattern Window ... 6-35
Figure 6-23 Edit URL Pattern Window ... 6-36
Figure 6-24 Add Parameter Window ... 6-37
Figure 6-25 Delete Parameter Confirmation Window ... 6-38
Figure 6-26 Cookies Window ... 6-40
Figure 7-1 ADC Preferences Window ... 7-3
Figure 7-2 Dictionaries List ... 7-4
Figure 7-3 Manual Dictionary Window ... 7-5
Figure 7-4 View All Signatures Window ... 7-6
Figure 7-5 Filter Signatures Window ... 7-8
Figure 7-6 Signature Info Window ... 7-9
Figure 7-7 Attack Info Tab ... 7-10
Figure 7-8 Affected Systems Window ... 7-11
Figure 7-9 References Window ... 7-11
Figure 7-10 Accuracy Window ... 7-12
Figure 7-11 Scheduler Window ... 7-14
Figure 7-12 Edit Task Window ... 7-15
Figure 7-13 Upload AppXcel WAF Signatures File Window ... 7-16
Figure 7-14 Create a Dictionary Window ... 7-18
Figure 7-15 Create Manual Dictionary ... 7-18
Figure 7-16 Create Filter Dictionary - Step 1 ... 7-19
Figure 7-17 Create Filter Dictionary - Step 2 Window ... 7-20
Figure 7-18 Create Filter Dictionary Step 3 Window ... 7-22
Figure 7-19 Create "Dictionary Name" Step 4 Filter Parameters Window ... 7-23
Figure 7-20 Add New Signature ... 7-25
Figure 7-21 Edit Signature: General Window ... 7-27
Figure A-1 Create New IP Group Window ... A-2
Figure A-2 Define IP Addresses Window ... A-3
Figure B-1 Add Action Interface Window ... B-2
Figure B-2 New Syslog Action Interfaces Window ... B-3
Figure B-3 New SNMP Trap Action Interface Window ... B-5
Figure B-4 New Email Action Interface Window ... B-6
Figure E-1 Database Overflow Protection Window ... E-2

AppXcel Web Application Firewall User Guide

Important Notice
This guide is delivered subject to the following conditions and restrictions: Copyright Radware Ltd. 2007-8. All rights reserved. The copyright and all other intellectual property rights and trade secrets included in this guide are owned by Radware Ltd. The guide is provided to Radware customers for the sole purpose of obtaining information with respect to the installation and use of the AppXcel Web Application Firewall, known from here on as AppXcel WAF, and may not be used for any other purpose. The information contained in this guide is proprietary to Radware and must be kept in strict confidence. It is strictly forbidden to copy, duplicate, reproduce or disclose this guide or any part thereof without the prior written consent of Radware. Refer to the Specifications for information about the correct power rating for the device.

SPECIFICATION CHANGES
Specifications are subject to change without notice.

TRADEMARKS
AppXcel WAF is a trade name of Radware Ltd. This document contains trademarks registered by their respective companies. The following notice refers to content provided by Imperva, Inc. and incorporated in this guide:

AppXcel User Guide


This document contains proprietary and confidential material of Imperva, Inc. Any unauthorized reproduction, use, distribution or disclosure of this material, or any part thereof, is strictly prohibited. This document is solely for the use of Radware customers. The material furnished in this document is believed to be accurate and reliable. However, no responsibility is assumed by Radware Ltd. or Imperva Inc. for the use or inaccuracy of this material. Nothing in this material shall be construed as a warranty with respect to any products or services offered by Radware Ltd. or Imperva, Inc. All information in this document is provided as-is, and without warranty of any kind (whether expressed or implied). Radware Ltd. reserves the right to make changes to the material at any time and without notice. Copyright Imperva, Inc. 2006 Confidential and Proprietary. Imperva and SecureSphere are registered trademarks; dynamic profiling, transparent inspection, and application defense center are trademarks of Imperva, Inc.


About This Guide


Chapter 1 - Web Application Firewall Overview, explains how AppXcel WAF adds protection from attacks on Web applications to Radware's Application Front End (AFE). The solution is part of an AFE deployment.

Chapter 2 - Getting Started, explains how to access the AppXcel WAF user interface and perform the initial configuration. AppXcel WAF implements a Web-based user interface that gives security administrators convenient and easy access to the software functions.

Chapter 3 - Setting the Operation Mode, describes how to set the operation mode for the server groups.

Chapter 4 - Configuring Actions, describes how to configure AppXcel WAF to invoke actions upon security events.

Chapter 5 - Monitoring, describes how to monitor alerts, logs and Gateways in the AppXcel WAF Activity Console.

Chapter 6 - Web Profiles, describes how to configure Dynamic Profiling for AppXcel WAF.

Chapter 7 - Configuring Signatures, describes the Application Defense Center, and how to configure signatures and dictionaries.

Appendix A - Defining IP Groups, describes how to define IP Groups, which are used in various places in the AppXcel WAF GUI. Use this feature to define IP groups throughout the AFI, as often as required. Each IP group contains a collection of single IP addresses, IP ranges or IP subnets.

Appendix B - Action Interfaces, describes the configuration of action interfaces. AppXcel WAF uses various devices in its operation. Some settings in AppXcel WAF refer to these devices, so they must be defined in advance.

Appendix C - Back-end SSL Encryption, describes how to configure Back-end SSL Encryption, by first configuring AppXcel Tunnel and then AppXcel WAF.

Appendix D - AppXcel WAF CLI Commands, lists the CLI commands needed to launch AppXcel WAF management and update the Signatures Database.

Appendix E - Database Overflow Protection, explains how to configure the AppXcel WAF database overflow protection.

Appendix F - HTTP Methods, describes the different HTTP methods used by Web servers.

Appendix G - HTTP Response Codes, lists the various HTTP response codes returned by Web servers.

Appendix H - Parameter Value Types, describes the different parameter value types, which define the group of characters allowed in the value of a parameter.

Appendix I - Writing Signatures, describes the AppXcel WAF signature language.


Document Conventions
This guide uses the following documentation conventions:

Command paths in the GUI are presented as: File > Save As.

Windows systems use a two-button mouse. To drag and drop an object, click and hold the left mouse button on the object, drag the object to the target location, then release the button.

Screen displays can differ slightly from those included in this guide, depending on the system you use. For example, Microsoft Windows screens are different from X Windows screens.

Various icons are used throughout the document to indicate the following:

Note: Important information that requires additional attention.

Tip: A recommendation, or an optimum way to perform an action.

Configuration Guidelines: General description of the configuration process.

To Statement: Detailed operating instructions that explain the step-by-step configuration process.

Example: An example configuration of an actual scenario.


Chapter 1 - Web Application Firewall Overview

This chapter describes how AppXcel WAF provides comprehensive protection against attacks on Web applications. This chapter includes the following sections:

Protection Layers, page 1-2
The Blocking Process, page 1-10
AppXcel WAF Management, page 1-13


Section 1-1 Protection Layers

AppXcel WAF includes several protection layers that together provide comprehensive protection against attacks. This section contains the following topics:

Web Application on AppXcel, page 1-2
Signature-Based Intrusion Prevention, page 1-4
Web Protocol Violations and Web Worms, page 1-6
Profile Violations, page 1-7

Web Application on AppXcel


AppXcel Web Application Firewall (WAF) provides the best protection in the market for Web applications and Web servers. The WAF comes as an add-on service to Radware's Application Front End (AFE) solution and is integrated into AppXcel. Radware's open service architecture provides a set of add-ons that suit the customer's need for scalability, security and acceleration while accommodating any performance or capacity requirements. This is achieved by having a separate platform for AppXcel with add-on services and the possibility to scale the number of AppXcels in a single AFE solution. Integrated into AppXcel, the WAF add-on serves as a scalable, comprehensive solution that protects the customer's Web servers and Web applications by scanning all HTTP/S traffic going to and from them. The AppXcel integrated WAF is based on Imperva's award-winning SecureSphere Web Application Firewall, licensed to Radware under an OEM agreement. Its Dynamic Profiling technology builds a model of legitimate application behavior by automatically learning from users' normal traffic at the customer site. As the customer's Web applications change over time, it automatically updates its profiles. This keeps AppXcel WAF's application protection up to date and accurate without manual analysis of applications and with no changes to the data centre infrastructure. This ability makes it more accurate and easier to deploy and maintain than other solutions.


Platforms
To use the Web Application Firewall add-on, order AppXcel with a Web Application Firewall add-on, or upgrade your existing AppXcel by installing version 1.11.03 and adding a license for WAF. WAF can run only on platform XS2v2 (i.e., only AppXcel 4000 or 8000), with a minimum of 3 GB RAM. If your platform has less memory, order a memory extension for WAF from Radware.


Deployment
Being an Application Front End, Radware's solution enables the customer to benefit from virtualizing his applications: he can provide his applications' logic to users while ensuring service availability, scaling up performance and providing strong security by filtering traffic and hiding his application servers. In AFE, AppXcel operates as a Reverse Proxy and is used to accelerate and protect the applications behind it. A Reverse Proxy software design is the Web equivalent of a front end: it terminates HTTP connections from users and initiates new ones to back-end servers. The WAF is an AFE service and as such is designed to provide security only while running in AppXcel's Proxy mode. The WAF functionality is not supported in AppXcel's other modes of deployment, e.g. Bridge mode (in-line deployment), Passive (out-of-path deployment) and Sniffing.

Traffic Processing Flow

All traffic destined to a Tunnel's IP address is first handled by the AppXcel Tunnel, which is the Application Acceleration entity, and then processed by the WAF add-on before being sent to the backend server. Responses from the backend server are handled first by the WAF and then by the Tunnel before being sent to the client. All of AppXcel's Application Acceleration features are supported. They are performed on the traffic packets going to and from the client. In this way SSL traffic is decrypted by AppXcel before it is inspected by the WAF.

Signature-Based Intrusion Prevention


AppXcel WAF provides full Snort-based signature detection to protect applications from worms (and other attacks) that target known vulnerabilities in commercial infrastructure software (Apache, IIS etc.). The Snort database is enhanced by Imperva's Application Defense Center (ADC) with new signatures and content such as affected systems, risk, accuracy, frequency, and background information. Using this content and AppXcel WAF's ADC wizards, users can quickly isolate the most reliable signature dictionaries for their specific environment. Signatures are continuously and automatically updated via the Internet.

The AppXcel WAF signature updates are hosted on the Radware Web site and are updated on a daily basis. The administrator can use the console to update signatures, and can also use APSolute Insite to configure automatic daily updates of AppXcel WAF with the latest signatures from Radware's Web site or from the console. You can also perform this process manually by downloading the latest signature database from the Radware Web site and then uploading it to the AppXcel WAF.

To make the signature database easy to use, AppXcel WAF includes the concept of Signature Dictionaries. A dictionary is a collection of signatures generated by applying a filter to the AppXcel WAF signature database. For example, you can easily define a filter of all high-risk, highly accurate IIS 6 signatures. To do that, you follow a simple wizard and select high risk, high accuracy and IIS 6; AppXcel WAF instantly and automatically generates the dictionary for you. You can define as many dictionaries as you like. When a new signature is added to the AppXcel WAF signature database, it is automatically added to all relevant dictionaries. For example, if a new signature of a high-risk attack for IIS 6 is added and the signature's accuracy attribute is set to high, the signature is automatically added to the previously described dictionary.

AppXcel WAF comes with a predefined set of dictionaries. These dictionaries give most customers a quick start on the product without having to define dictionaries. You can select whether or not to use each dictionary with each one of the protected server groups. For example, you can select to use a specific dictionary only with specific server groups. When a certain dictionary is selected for a specific server group, AppXcel WAF detects the signatures in the dictionary if they appear in a communication to the protected server group.

Web Protocol Violations and Web Worms


Web Protocol Violations
AppXcel WAF protocol compliance checks ensure that HTTP traffic meets RFC and expected usage requirements. By ensuring that the HTTP protocol meets these guidelines, protocol compliance prevents attacks on both known and unknown vulnerabilities in commercial Web server implementations. AppXcel WAF includes the conclusions of comprehensive research that collected a group of protocol violations which usually indicate attack attempts. You can enable or disable each of these violations for each group of protected Web servers.

Web Worms
This type of protection is only provided for Web servers. A Web worm uses a Web server vulnerability to spread to a large number of Web servers in a short period of time. Some Web worms use well-known vulnerabilities. These worms can be easily stopped using the signatures layer, as a signature for that attack probably already exists. The real problem is with worms that use unknown vulnerabilities, i.e. vulnerabilities that were not published prior to the worm outbreak, so that no signature exists at the time of the outbreak. The AppXcel WAF Web Worms protection layer was implemented for this type of worm.

The Web Worms mechanism relies on AppXcel WAF's ability to build a profile of allowed URLs on each Web server. The assumption is that Web worms spread by sending a single URL, and the worm must be identifiable by that single URL only. For the worm to spread massively, the vulnerability it uses must exist on a large number of Web servers, for example on all IIS 6 servers. Thus the worm must use a URL which exists on many Web servers. Only default URLs (URLs which exist by default when you install a Web server or a common application on a Web server) meet that criterion. Using its learning and profiling capabilities, AppXcel WAF automatically learns the names of all default files which are actually being accessed by users on the protected Web server. A preconfigured list of directories (e.g. /, /scripts/, /cgi-bin/) instructs AppXcel WAF where default files are usually located. Once the profile is ready, AppXcel WAF blocks any attempt to access a non-profiled URL in a default directory. This way, if for example a new worm uses an unknown vulnerability by sending a URL to /scripts/page.aspx and this URL is not part of the learned profile, AppXcel WAF blocks the request, thus blocking the worm itself. The rate of false positives (i.e. blocking legitimate URLs which are part of the application) is very low, as this feature only works on default directories. Default directories are rarely used by Web applications to store files, and the chances are that AppXcel WAF quickly learns all files which are really used in default directories.

Profile Violations
AppXcel WAF's Web profiles represent a comprehensive model of all "allowed" interactions between users and Web applications. The Web Profile includes legitimate URLs, HTTP methods, parameters, cookies, SOAP actions, XML structures and more. The profiles are built automatically through a learning process and adapt to changes in the application environment over time by observing live traffic and applying AppXcel WAF's Persistent Learning technologies. The profiles, therefore, require no manual configuration or tuning. The Web profiles are the key to blocking sophisticated attack methodologies that target unknown vulnerabilities in custom or internally developed application code. By comparing these profiles of "allowed behavior" to actual traffic, AppXcel WAF is able to identify and block potentially malicious behavior of any kind. The following sections explain exactly what AppXcel WAF learns and which profile violations it generates for Web Applications.

Web Violations
Table 1-1 details the different characteristics included within a Web profile, and the violations AppXcel WAF detects in real-time based on each characteristic.
Table 1-1 Web Violations
Profile includes: All the URLs used by the application.
Violations detected: Attempts to access an unprofiled URL in a locked directory.

Profile includes: Access methods for each URL (GET, POST).
Violations detected: Attempts to access a URL using an unauthorized method.

Profile includes: URL parameter names.
Violations detected: The attacker tries to manually add or remove parameters or change the size or content of parameters.

Profile includes: The minimum and maximum size of each URL parameter.
Violations detected: The attacker tries to manually add or remove parameters or change the size or content of parameters.

Profile includes: The type (e.g. numbers only, Latin characters, foreign language characters) allowed in the value that each parameter accepts.
Violations detected: Attackers trying to exploit type mismatch vulnerabilities.

Profile includes: Hidden fields, embedded links and fields whose value was set by the Web application.
Violations detected: Attackers trying to manually alter parameter values.

Profile includes: Cookies sent to the client by the Web application.
Violations detected: Any unauthorized attempt to change the values inside cookies.

Profile includes: HTTP
Violations detected: The attacker, as a result of abnormal activity, receives too many abnormal response codes, such as HTTP 500 - Internal Server Error.
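A simulation of the learned Web profile and the Table 1-1 checks, covering the Web Worms rule from the previous section as well. This is an added example in Python, not code from this guide or from the AppXcel/SecureSphere product; the learning traffic, the locked default-directory list and the violation names are constructed for illustration.

```python
"""Toy model of the learned Web profile described in this chapter.

Constructed example, not Radware or Imperva code. It learns URLs, access
methods and parameter names/sizes/types from sample traffic, then reports
the Table 1-1 violations on new requests, including the Web Worms rule:
a request for an unprofiled URL in a locked (default) directory.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit

# Directories the text names as default directories; assumed locked from the
# start in this toy, so an unprofiled URL under them is always a violation.
DEFAULT_DIRS = {"/", "/scripts/", "/cgi-bin/"}


def value_type(value: str) -> str:
    """Coarse value class mirroring 'numbers only / Latin / foreign'."""
    if value.isdigit():
        return "numeric"
    if value.isascii() and all(c.isalnum() or c in "-_.@ " for c in value):
        return "latin"
    return "other"


def split_request(url: str):
    """Return (path, directory, [(name, value), ...]) for a request URL."""
    parts = urlsplit(url)
    path = parts.path or "/"
    directory = path.rsplit("/", 1)[0] + "/"
    return path, directory, parse_qsl(parts.query, keep_blank_values=True)


@dataclass
class ParamProfile:
    min_len: int
    max_len: int
    types: set


@dataclass
class UrlProfile:
    methods: set = field(default_factory=set)
    params: dict = field(default_factory=dict)


class WebProfile:
    def __init__(self, locked_dirs=DEFAULT_DIRS):
        self.urls = {}  # path -> UrlProfile
        self.locked_dirs = set(locked_dirs)

    def learn(self, method: str, url: str) -> None:
        """Update the profile from one request seen in learning mode."""
        path, _directory, params = split_request(url)
        url_profile = self.urls.setdefault(path, UrlProfile())
        url_profile.methods.add(method)
        for name, value in params:
            kind, size = value_type(value), len(value)
            pp = url_profile.params.get(name)
            if pp is None:
                url_profile.params[name] = ParamProfile(size, size, {kind})
            else:
                pp.min_len, pp.max_len = min(pp.min_len, size), max(pp.max_len, size)
                pp.types.add(kind)

    def check(self, method: str, url: str) -> list:
        """Return the violation messages (possibly several) for one request."""
        path, directory, params = split_request(url)
        url_profile = self.urls.get(path)
        if url_profile is None:
            # Web Worms rule: an unknown URL inside a locked/default directory.
            if directory in self.locked_dirs:
                return [f"UNPROFILED_URL: {path} in locked directory {directory}"]
            return []  # directory still learning; nothing to enforce yet
        found = []
        if method not in url_profile.methods:
            found.append(f"UNAUTHORIZED_METHOD: {method} on {path}")
        for name, value in params:
            pp = url_profile.params.get(name)
            if pp is None:
                found.append(f"UNKNOWN_PARAMETER: {name}")
                continue
            if not pp.min_len <= len(value) <= pp.max_len:
                found.append(f"PARAMETER_SIZE: {name} length {len(value)} "
                             f"outside [{pp.min_len}, {pp.max_len}]")
            if value_type(value) not in pp.types:
                found.append(f"PARAMETER_TYPE: {name} is {value_type(value)}, "
                             f"learned {sorted(pp.types)}")
        return found


# Constructed learning traffic standing in for users' normal traffic.
SAMPLE_TRAFFIC = [
    ("GET", "/index.html"),
    ("GET", "/scripts/login.aspx?user=alice"),
    ("POST", "/scripts/login.aspx?user=bob"),
    ("GET", "/app/orders.aspx?id=1042"),
    ("GET", "/app/orders.aspx?id=7"),
]


def build_sample_profile() -> WebProfile:
    profile = WebProfile()
    for method, url in SAMPLE_TRAFFIC:
        profile.learn(method, url)
    return profile


def codes(violations: list) -> list:
    # Strip details so callers can compare just the violation kinds.
    return [v.split(":", 1)[0] for v in violations]
```

Running `build_sample_profile().check("GET", "/scripts/page.aspx")` reproduces the chapter's worm case: the URL is not in the profile and /scripts/ is a default directory, so the request is reported as UNPROFILED_URL.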

XML and Web Services Violations


Table 1-2 details the different characteristics included within a Web profile, and the XML violations AppXcel WAF detects.
Table 1-2 XML and Web Services Violations
Profile includes: All the URLs used by Web services or URLs containing XML content.
Violations detected: Attempts to access an unprofiled URL in a locked directory.

Profile includes: Whether a URL is accessed as SOAP only or as a SOAP and regular URL.
Violations detected: Attempts to exploit SOAP-enabled URLs with various vulnerabilities.

Profile includes: All SOAP actions in a URL.
Violations detected: Attempts to access a URL using an unauthorized method.

Profile includes: XML elements and attributes.
Violations detected: The attacker tries to manually add or remove elements and attributes.

Profile includes: The minimum and maximum size of each XML element/attribute value.
Violations detected: The attacker tries to manually change the size or content of values.

Profile includes: The type (e.g. numbers only, Latin characters, foreign language characters) allowed in the value of each XML element/attribute.
Violations detected: The attacker tries to exploit type mismatch vulnerabilities.

Section 1-2 The Blocking Process


AppXcel WAF implements Source Blocking and Immediate Blocking with an option to block the IP address or the application session. This section contains the following topics:
Source Blocking versus Immediate Blocking, page 1-10
IP Blocking versus Application Session Blocking, page 1-11
The Process of Blocking Traffic, page 1-11

Source Blocking versus Immediate Blocking


AppXcel WAF implements two types of blocking scenarios. The first, source blocking, blocks the attacking source for a specified period of time. In this scenario the security event triggers a blocking action; from that moment, any communication coming from that source is blocked for the specified period. Note that with source blocking, the request or packet that triggers the block reaches the attacked server; only the communication from this source that follows is blocked. The second scenario, immediate blocking, blocks the specific connection that triggered the security event. In this scenario, when the security event occurs, AppXcel WAF drops the packet that triggered the security event. Note that with this scenario, the attacker can continue communicating with the protected server by establishing a new connection to it. The two scenarios can be used in parallel, i.e. immediately dropping the connection and also blocking the source for a specific period of time.

IP Blocking versus Application Session Blocking


When selecting to block a source for a certain period of time, you can choose between blocking the source IP address and blocking the application session identifier. Blocking the source IP address may be a problem when the attacked server is a Web server. Many users, especially attackers, use publicly available proxies to access Web applications. In such cases, all users who access through a particular proxy have the same IP address, the proxy's IP address. Blocking that particular IP address results in blocking all the users who access through that specific proxy. This is the reason that, for protected Web servers, AppXcel WAF implements an Application Session Tracking mechanism. AppXcel WAF can track user activity by tracking the session identifier that the Web application attaches to user sessions. Web applications automatically create session identifiers for each browser that accesses the application. Session identifiers are stored either within session cookies or in HTTP parameters. Configuring AppXcel WAF to identify the parameters and/or cookies that hold session identifiers enables AppXcel WAF to accurately track user activity over time. Session tracking provides accurate alerts for specific malicious users, enabling you to block specific users, and not IP addresses, from accessing the Web application.

The Process of Blocking Traffic


When blocking, AppXcel WAF consults the relevant action policy. If the policy includes source blocking, AppXcel WAF adds the IP address of the malicious source to the Blocked IPs and Sessions list. Traffic first enters the Blocked IPs and Sessions engine. This engine checks the source of the communication against a dynamic list of IP addresses and Session Identifiers that are blocked at that specific time. If the source matches an entry on that list, then communication is blocked. Web traffic that passed the Blocked IPs and Sessions engine enters the Signature engine. This engine looks for signatures in the traffic according to the list of signatures selected. If a match is found, and immediate connection blocking is enabled, the gateway drops the packet that triggered the signature.

AppXcel WAF also consults the relevant action policy. If the policy includes source blocking, AppXcel WAF adds the IP address and/or the Application Session Identifier of the malicious source to the Blocked IPs and Sessions list.

Web traffic is examined next by the Web Worms Defender engine. If a suspected worm is found, and immediate connection blocking is enabled, the gateway drops the packet that triggered the worm detection. AppXcel WAF also consults the relevant action policy. If the policy includes source blocking, AppXcel WAF adds the IP address of the malicious source to the Blocked IPs and Sessions list.

Web traffic is next examined by the Protocol Violations layer. If a violation is found, and immediate connection blocking is enabled, the gateway drops the packet that triggered the violation. AppXcel WAF also consults the relevant action policy. If the policy includes source blocking, AppXcel WAF adds the IP address of the malicious source to the Blocked IPs and Sessions list.

Web traffic is next examined by the Profile Violations engine. If a violation is found, and immediate connection blocking is enabled, the gateway drops the packet that triggered the violation. AppXcel WAF also consults the relevant action policy. If the policy includes source blocking, AppXcel WAF adds the IP address of the malicious source to the Blocked IPs and Sessions list.

Web traffic is next examined by the Correlated Attack Validation engine. When a correlation is found, AppXcel WAF consults the relevant action policy. If the policy includes source blocking, AppXcel WAF adds the IP address and/or the Application Session Identifier of the malicious source to the Blocked IPs and Sessions list.
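The blocking scenarios described in this section (source versus immediate blocking, IP versus application-session blocking, and the blocked-sources check that runs before the detection engines), as an added Python example that is not part of this guide or of the product. It assumes a cookie named SESSIONID carries the application session identifier and uses the chapter's /scripts/page.aspx worm URL as a constructed stand-in for the Web Worms engine.

```python
"""Toy model of the blocking process described in this section.

Constructed example, not Radware or Imperva code. An action policy can
select immediate blocking (drop the triggering request), source blocking
(block the source for a period) or both, and source blocking can key on
the client IP address or on the application session identifier cookie.
"""
from dataclasses import dataclass, field


@dataclass
class ActionPolicy:
    immediate_block: bool = False
    source_block_seconds: int = 0    # 0 disables source blocking
    block_by: str = "ip"             # "ip" or "session"


@dataclass
class Request:
    src_ip: str
    path: str
    cookies: dict = field(default_factory=dict)


class BlockedSourcesList:
    """The Blocked IPs and Sessions engine: entries expire after a period."""

    def __init__(self, session_cookie: str = "SESSIONID"):
        self.session_cookie = session_cookie  # assumed cookie name
        self.entries = {}  # ("ip" | "session", value) -> expiry time

    def keys_for(self, req: Request):
        yield ("ip", req.src_ip)
        sid = req.cookies.get(self.session_cookie)
        if sid:
            yield ("session", sid)

    def block(self, key, seconds: int, now: float) -> None:
        self.entries[key] = max(self.entries.get(key, 0), now + seconds)

    def is_blocked(self, req: Request, now: float) -> bool:
        for key in self.keys_for(req):
            expiry = self.entries.get(key)
            if expiry is not None and now < expiry:
                return True
        return False


class Gateway:
    """Checks the blocked-sources list, then runs each engine in order."""

    def __init__(self, engines, session_cookie: str = "SESSIONID"):
        self.engines = engines  # [(name, detector(req) -> bool, ActionPolicy)]
        self.blocked = BlockedSourcesList(session_cookie)

    def handle(self, req: Request, now: float) -> str:
        if self.blocked.is_blocked(req, now):
            return "blocked"  # source list hit; engines are not consulted
        for _name, detect, policy in self.engines:
            if not detect(req):
                continue
            if policy.source_block_seconds:
                key = ("ip", req.src_ip)
                if policy.block_by == "session":
                    sid = req.cookies.get(self.blocked.session_cookie)
                    key = ("session", sid) if sid else key  # no session: use IP
                self.blocked.block(key, policy.source_block_seconds, now)
            if policy.immediate_block:
                return "dropped"  # the triggering request itself is dropped
        # With source blocking alone, the triggering request still reaches the server.
        return "forwarded"


def suspected_worm(req: Request) -> bool:
    """Constructed stand-in for the Web Worms engine: flags the chapter's
    example of an unprofiled URL under the /scripts/ default directory."""
    return req.path == "/scripts/page.aspx"


def run(policy: ActionPolicy, timeline) -> list:
    """Feed (time, Request) pairs through a fresh gateway; return outcomes."""
    gateway = Gateway([("web-worms", suspected_worm, policy)])
    return [gateway.handle(req, t) for t, req in timeline]


if __name__ == "__main__":
    attacker = Request("203.0.113.5", "/scripts/page.aspx")
    follow_up = Request("203.0.113.5", "/index.html")
    both = ActionPolicy(immediate_block=True, source_block_seconds=300)
    print(run(both, [(0, attacker), (1, follow_up), (400, follow_up)]))
```

The session-keyed policy shows why the guide prefers Application Session Blocking for Web servers: an innocent user behind the same proxy IP keeps access, while the offending session stays blocked even from a new IP address.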

Section 1-3 AppXcel WAF Management


A Web GUI manages AppXcel WAF. Servers and server groups need to be defined in the AppXcel WAF configuration. AppXcel WAF also includes a three-tier action architecture. This section contains the following topics:
AppXcel WAF Components, page 1-13

AppXcel WAF Components


Server Groups
To protect a certain server, you must define it in AppXcel WAF configuration. Before defining the specific server, you define a server group to which you can add servers. A server group is a group of servers that share the same profiles and the same security policy. Each server group presents a list of security violations which are relevant to it. To each violation on the list you can attach an action policy which is executed in case the specific event occurs on one of the servers in the group.

Action Interfaces and Policies


AppXcel WAF includes a three-tier action architecture. You first define your action interfaces. For example, you can define an interface to a specific Syslog server or a specific SMTP server. AppXcel WAF supports the following action interfaces: Syslog, SNMP, SMTP and operating system commands. Once your interfaces are defined, you can start defining action policies. An action policy is a group of actions executed together following a security event. In each action policy you can use one or more action interfaces. For example, you can define an action policy that blocks the attacking IP address for 5 minutes and sends an email alert to a specific group of recipients. You can name this policy as you wish. You can then define another action policy that blocks the attacking IP for 2 hours, sends an email alert to two different groups of recipients, and sends SNMP traps as well as syslog alerts to various devices. You can name this policy differently.

When you are done defining action policies, you can use them with all server groups. For example, for a specific security violation in a specific server group you can attach one policy while for another security event you can attach a different policy.

Application Defense Center


The ADC part of the AppXcel WAF allows you to view signatures with their attributes and documentation. It also allows you to review pre-configured dictionaries as well as define new dictionaries. For information about signatures.

Alerts
Alerts are organized according to the type of violation (signature, profile, etc) and contain detailed forensic information ranging from IP address to session ID. Advanced sorting and filtering technologies accelerate forensic investigation efforts.

Reporting
AppXcel WAF has a graphical report engine that enables trend analysis of a wide range of security events. A wide range of preconfigured reports can be used to identify the most common vulnerabilities in application code, contribute to security audit initiatives, and support executive-level decision making.

Other Monitoring Interfaces


In addition to the Alerts view, AppXcel WAF provides some additional monitoring interfaces. The Blocked Sources monitor presents all IP addresses and Session Identifiers that are currently blocked or were blocked during the last 72 hours. You can manually unblock blocked sources.

Chapter 2 - Getting Started
This chapter describes how to access the AppXcel WAF user interface and perform the initial configuration. The AppXcel WAF implements a Web-based user interface that provides security administrators convenient and easy access to the software functions. This chapter includes the following sections:
Section 2-1: Configuration Flow, page 2-2
Section 2-2: Touring the AppXcel WAF User Interface, page 2-7
Section 2-3: Initial Configuration, page 2-11

Section 2-1 Configuration Flow


This section explains the AppXcel WAF configuration flow and outlines the required configuration steps.

Introduction
System Configuration Flow
To configure the AppXcel WAF, the following steps are required:
1. Set AppXcel mode to Active and Proxy (see AppXcel User Guide, AppXcel Operation Modes).
2. Configure the AppXcel WAF Add-on License (see page 2-2).
3. Configure a Basic Application Tunnel (see AppXcel User Guide, Tunnels, Chapter 5).
4. Launch the AppXcel WAF Management Interface (see page 2-3).
5. Configure AppXcel WAF Protection (see page 2-5).

AppXcel WAF Add-on license


To upgrade your device to a software version that includes the WAF add-on, you are required to enter a license to activate the WAF.
To configure an add-on license for AppXcel WAF:
1. From the main APSolute Insite window, right-click the AppXcel device icon and go to Set-Up > Device Upgrades button > License Upgrade.
2. Enter the license into the AppXcel WAF field. The license is obtained from Radware on request.
3. Click OK. Allow up to 20 minutes until the WAF starts: entering the license activates the WAF for the first time, and the initialization process is long.

Figure 2-1 AppXcel WAF Device Upgrades

Alternatively, configure an add-on license for AppXcel WAF by using the following CLI command:
system license web-application-firewall set <license string>
To view the license:
system license web-application-firewall get
Allow up to 20 minutes until the WAF starts, as entering the license activates the WAF for the first time and the initialization process is long.

Launching AppXcel WAF Management Interface from APSolute Insite


To launch AppXcel WAF management from APSolute Insite:
1. Right-click the AppXcel device icon you are connected to and go to Application Security > Web Application Firewall > Manage.

Figure 2-2 APSolute Insite WAF Launch Window

AppXcel WAF Protection Flow


Each block in Figure 2-3 below describes a major step in the flow. The flow takes you from the first step after installing the system to the point where you reach full Enterprise Application Sphere protection.

Figure 2-3 Web Application Firewall Protection System Flow

Table 2-1 AppXcel WAF System Flow


Step: Define Server Groups and Default Server Group
Description: Define the Web and Server Groups. These are the servers protected by AppXcel WAF. Define the Default Server Group, used when traffic doesn't match any of the defined server groups (see Defining Server Groups, page 2-12).

Step: Define Action Interfaces and Action Policies
Description: Define the required action interfaces such as email, syslog, and operating system commands. Define action policies, which are groups of actions executed together upon security events. This step is optional; the system can operate without action interfaces and policies (see Configuring Actions, page 4-1).

Step: Configure Security Rules for each Server Group
Description: Configure the actions, for each Server Group, that are taken on different security events. This step is optional; the system comes with default security rules (see Security Rules - Introduction, page 4-7).

Step: Configure the Operation Page
Description: Set the operation mode (active, simulation or disabled) and configure IP and URL exceptions (see Operation Modes - Introduction, page 3-2).

Step: Activate Settings
Description: Instruct the SecureSphere Management Server to send the new configuration to all gateways and start protection and learning (see Active Profile Settings, page 2-30).

Step: Monitor Alerts and Status
Description: Continuously monitor alerts to detect attacks and intrusions. Monitor SecureSphere to make sure it is operational (see Reading Alerts, page 5-3).

Step: Fine-tune Profiles
Description: Review and modify the dynamic profile, if necessary. This step is optional (see Dynamic Profiling - Introduction, page 6-2).

Step: Switch Between Simulation and Active Modes
Description: Switch server groups to active mode after you fine-tune the system and make sure there are no false positives and all attacks are being blocked (see Operation Modes - Introduction, page 3-2).

Section 2-2 Touring the AppXcel WAF User Interface


This section explains how to view and configure the AppXcel WAF Interface (AFI).

Introduction
Browsing through the AppXcel WAF Interface (AFI) is as simple as browsing through an Internet site, once you understand how the system works. AppXcel WAF is configured using a dedicated Internet Explorer 6 window that is launched from the AppXcel Web Based Management interface. See Chapter 1, Overview, for a full explanation of the AppXcel WAF system. The AFI user interface consists of three components:
- The Top Tab Bar includes four tabs that access the AppXcel WAF suite's main functions. The tab bar appears in every window in the AFI, and enables quick and easy navigation between the various options.
- The Left Tree Menu, located along the left edge of the browser window, is dependent on the selected tab. The left tree menu changes according to the tab selected in the tab bar, and displays all the items associated with that tab.
- The Data Window displays the actual data for the item that is selected in the left tree menu. Note that you can double-click items in a Data Window, such as parameter names and alerts, to open an edit window.

Figure 2-4 Web Application Firewall Interface Window

The Top Tab Bar


The tab bar, located at the top of the Web Application Firewall Interface window, includes four tabs:

Server Groups: Define and manage Web servers and generic servers protected by the AppXcel WAF. A group of servers that share the same profile and the same security policy is called a server group.

ADC (Application Defense Center): Configure dictionaries and manage signatures.

Global Settings: Configure various system objects: Action Interfaces, Action Policies, IP Groups, Non-blocked IPs, and Expert Window.

Activity Console: Displays Alerts, Reports and Gateways, and provides various status indicators.

Two additional buttons are located towards the top-right corner of the window, next to the Tab Bar:
? : Opens the AppXcel WAF on-line help.
X : Ends the session and logs the user out of the system.

The Left Tree Menu


Navigating the left tree menu is similar to navigating a tree menu in Windows Explorer. AppXcel WAF uses a simple tree topology that is up to three levels deep, as displayed in Figure 2-5.

Figure 2-5 Tree Menu

Each tree node can expand or collapse to display its sub-nodes. Click the plus sign (+) to the left of a menu item to expand it. When expanding a node, the plus sign becomes a minus sign and all the sub-nodes (branches) under the expanded node appear. Click the minus sign (-) to the left of an expanded menu item to collapse it. When collapsing a node, the minus sign becomes a plus sign and all the branches disappear. Node names without a plus or minus sign beside them do not have any sub-nodes and cannot be expanded.

The Bottom Toolbar


The Bottom Toolbar includes the Active Settings button.

On-Line Help
AppXcel WAF includes integrated on-line help. On-line help presents context-sensitive information relevant to the location in the WAF user interface. For example, if you click Help while creating a new Server Group, the on-line help displays information on how to define a new Server Group.
To use the On-line Help:
1. Click Help (?), located at the upper right corner of the Application Firewall Interface (AFI). The on-line help appears in a separate window, as displayed in Figure 2-6.

Figure 2-6 On-Line Help Window

2. Click the Windows Close button (X) that appears at the upper right corner of the window to close the on-line help.

Section 2-3 Initial Configuration


This section explains how to configure and use the AFI for the first time. This section contains the following topics:
Introduction, page 2-11
Defining Server Groups, page 2-12
Defining Network Firewall Rules, page 2-18
Services, page 2-22
Special Server Configuration, page 2-25
Active Profile Settings, page 2-30

Introduction
Upon installation, the AppXcel WAF system requires initial configuration and definition of the Server Groups - the servers that are to be protected by the AppXcel WAF. The AppXcel WAF is configured using the Firewall Configuration Tool.

Checking Firewall Status


AppXcel WAF includes a Firewall status monitor for verifying the following:
- The installed Gateway is in contact with the Management Server component.
- All Firewall processes are operational.

Defining Server Groups


Server Groups are the servers that AppXcel WAF protects. AppXcel WAF provides different levels of protection for different types of servers. All servers are protected by AppXcel WAF's firewall and signature detection mechanism. Web servers are further protected by AppXcel WAF's Dynamic Profiling mechanism. Dynamic Profiling protection is available for any type of Web server (including Web services and XML). Server Groups are defined in two categories:
- The default server group, which serves two purposes: it defines the entire IP range of the protected network, as IP groups; and it defines the default security policy for servers that are not included in any other server group.
- The Web server groups, which define security policies for a specific type of server and a specific list of IP addresses.

Note: An IP address that is not defined either in the default server group or in one of the other server groups is not protected.

Configuring and Enabling the Default Server Group


The default server group must be defined to include the entire protected network. To configure and enable the default Server Group:
1. Click Server Groups. The Overview Window appears as displayed in Figure 2-7.

Figure 2-7 Server Groups Overview Window

2. In the Overview Window expand the Default Server Group entry on the left tree menu.
3. Expand the Server Group Settings entry and click Definitions. The Default Server Group definitions window appears, as displayed in Figure 2-8.

Figure 2-8 Default Group Server Definitions Window

4. In the Default Server Group definitions Window click Add. The Add window appears, as displayed in Figure 2-9.

Figure 2-9 Add IP to Default Server Group Window

5. In the Add window select an IP group that defines part of or the entire protected network. (To define IP Groups, see Appendix A - Defining IP Groups.)
6. Click Save.
7. Repeat steps 4, 5, and 6 until the entire protected network is defined. When you add IP Groups to the Default Server Group, the Default Server Group is automatically enabled.
8. Click Save.

Creating a Web Server Group


Web Server Groups include Web servers that provide Web services and accept XML-based content. To create a server group:
1. Click Server Groups.
2. Click Create Server Group on the tree menu. The window shown in Figure 2-10 appears.

Figure 2-10 Creating a New Server Group

Continue to the following sections, which describe the rest of the process for creating a Server Group.
Note: Each unique IP address/AppXcel pair can be defined in one server group only. If your network includes two Web applications on the same IP address on different ports, use the HTTP port and SSL port text boxes to enter a list of ports (e.g. 80,81,82). This allows you to define a group of servers with a group of ports on them.

Web Server
This section describes how to define a Web Server Group (including Web servers that provide Web services and accept XML-based content).

To define a Web Server Group:
1. Click the Web Server icon (Figure 2-11) in the Select a Server Group to Create window.

Figure 2-11 Web Server Group Icon

The New Web Server Group Window appears, as displayed in Figure 2-12.

Figure 2-12 New Web Server Group Window

The New Web Server Group Window displays the following fields:

Name: Unique name for the Web server group.

Character Set: If your Web server is not using the English character set to parse incoming requests' parameters, select the character set used by your Web server from the drop-down list.

HTTP Support: Check this check box if your Web server listens to HTTP traffic.

HTTP Port: The port used by the Web server to accept HTTP communication. Port number 80 is set as the default port number. Change the port number only if the Web server connects through a different port.

SSL Support: Select this check box if the communication to the Web server being defined is encrypted using SSL.

SSL Port: The SSL port number of the back-end Web server. The default SSL port number is 443.

SSL Private Keys: Required for WAF to protect tunnels created with back-end SSL. The traffic between the Tunnel and the back-end server is encrypted; WAF therefore requires a private key for traffic decryption.

HSM: Implemented in this version.

IP Addresses: The IP address(es) of the Web server(s) belonging to the Server Group. Enter more than one IP address only if these are totally identical servers (i.e. mirrored or clustered).

Gateway: The AppXcel WAF monitors the backend server only.

2. Type the Server Group's name in the Name field.
3. Fill in the fields as described above.
4. Click Create.

5. To define the IP address(es) of the Web server(s) belonging to this Server Group, click Add. The Add window appears, as displayed in Figure 2-13.

Figure 2-13 New Web Server Group: Add IP

6. Type in the IP address of the Web server (i.e. the back-end server of the Tunnel). If the Web server has more than one NIC, enter the IP address of the card attached to the same network segment as the Firewall.
7. Select the Firewall that monitors this server from the Firewall drop-down list.
8. Click Save.
9. If this is a mirrored or clustered configuration, repeat steps 5 through 8 for the additional servers. Note that these servers must have the same ports, the same profile and share the same security policy.

Defining Network Firewall Rules


AppXcel WAF operates as a reverse proxy. Therefore only services configured in its Tunnel configuration (see AppXcel User Guide, Section 5-1) are handled and forwarded to the back-end servers. Configure Network Firewall Rules when back-end servers use AppXcel as their default gateway and you need to control their outbound connections. Network Firewall Rules are configured per Server Group.

The Server Group-specific rules can be one of the following:

White list: Blocks all services except the specified service/source(/destination) combinations.

Black list: Allows all services except the specified service/source(/destination) combinations.

The Firewall Rules window is divided into two sections: Inbound and Outbound. Use the Outbound section to configure policy for traffic originating from the server group.

Note: Inbound policy is redundant, as service control is configured in the Tunnel policy.

To define Firewall Rules:

1. Click Server Groups.
2. Expand the Server Group.
3. Expand the Security Rules folder.
4. Click Firewall Rules > Unauthorized Access to Service.

5. Click the click here link at the bottom of the window. The Firewall Rules window appears, as displayed in Figure 2-14.

Figure 2-14 Firewall Rules Window

The parameters in the Firewall Rules window include:

Permit the following services: Select this option to define an inbound/outbound white list. Only the listed service/source combinations are allowed; everything else is blocked.

Block the following services: Select this option to define an inbound/outbound black list. The listed service/source combinations are blocked; everything else is allowed.

Service: The service that is blocked or permitted.

Source / Destination: An IP group, or ANY (for any IP).

Services: A link to a table that maps services to port numbers. You can add, delete or modify services here.

Allow Ambiguous TCP Packets: Select this option to allow the Server Group to accept ambiguous TCP packets. Ambiguous packets are TCP segments (typically overlapping or inconsistent retransmissions) that make it virtually impossible for AppXcel WAF to determine whether the Server Group accepts them and, if it does, which portion of the segments it uses. Ambiguous packets are used in various IDS/IPS evasion techniques, so leave this option cleared unless a legitimate client is known to produce them.

6. To add a new Rule:
   a. Click Add in the Inbound or Outbound section. The Add Firewall Rule window appears, as displayed in Figure 2-15.
   b. Select a service name from the drop-down list of services.

Figure 2-15 Add Firewall Rule Window

   c. Select an IP group from the drop-down list of IP groups. Select ANY for any source/destination.
   d. Click Save. The rule is saved and the window closes.

7. To edit a Rule:
   a. Click the rule you want to edit.
   b. Click Edit. The Edit Firewall Rule window appears, as displayed in Figure 2-16.
   c. Select a different source from the drop-down list of IP groups.
   d. Click Save.

Figure 2-16 Edit Firewall Rule Window

8. To delete a rule(s):
   a. Select the rule(s) to delete.
   b. Click Delete.

Services
The Services window maps Service names such as FTP, SMTP and Telnet to actual port numbers such as 21, 25 and 23. When you select a specific Service name in a firewall rule, or when AppXcel WAF checks for signatures on a specific service, the service's port numbers are taken from the Service to Port Mapping window.

Each server group has its own mapping. For example, you can have a Telnet service running on port 23 (the default) on one server group and on port 2300 on another server group. If you choose to block Telnet on both server groups, AppXcel WAF blocks access to port 23 on the first server group and to port 2300 on the second. Similarly, if you have a dictionary that checks for Telnet signatures and you use this dictionary on both server groups, AppXcel WAF checks for these signatures on port 23 on the first server group and on port 2300 on the second.

For each server group that you create, AppXcel WAF automatically generates a default list of services. You cannot delete these services, but you can change their ports. For example, you can change the default port of the Telnet service from 23 to any number you choose. You can also add ports to these services: changing the Telnet port to 23,2300 means that Telnet is available on both port 23 and port 2300 in this server group. When you change a port of a default service, AppXcel WAF asks whether you want to apply the change to all server groups. If you select Yes, the same change is applied to all server groups; otherwise it is applied only to the specific server group.

In addition to editing default services, you can add your own. If you have a new service that is not listed in the default services list, you can add it manually. Services that were added manually can also be deleted.

Note: Use this feature in conjunction with the Tunnel configuration (see AppXcel User Guide, Section 5-1). To configure non-standard ports for protocols, first configure the Tunnel Service Type (HTTP, SMTP, FTP or Other), including the port, and then configure the corresponding changes in this section. UDP support is not implemented; always select TCP.

To configure the Service to Port Mapping:

1. Click Services in the Firewall Rules window. The Service to Port Mapping window appears, as displayed in Figure 2-17.

Figure 2-17 Service to Port Mapping Window

The parameters in the window include the following:

Name: The name of the service, for example FTP, SMTP or DNS. An icon next to the name indicates whether it is a default service or a manually added service.

Protocol: The transport protocol of the service: TCP, or UDP (not implemented in this version; always select TCP).

Ports: The port number(s) on which the server listens for incoming requests for this service. Multiple control ports can be defined, separated by commas.

2. To create a new Service:
   a. Click Add. The Add Service window appears, as displayed in Figure 2-18.

Figure 2-18 Add Service Window

   b. Type a name for the new service.
   c. Select the protocol from the drop-down menu.
   d. Type the port number or a list of port numbers separated by commas.
   e. Click Save.

3. To add/remove ports to/from a default service:
   a. Select the Service and click Edit, or double-click the Service row.
   b. Edit the port numbers: add ports separated by commas, or delete port numbers.
   c. Click Save.

4. To delete a service:
   a. Select the service.
   b. Click Delete. You cannot delete default services; only services that were added manually can be deleted.
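The following is an added example, not AppXcel code, that models the two sections above ("Defining Network Firewall Rules" and "Services") in working form: a per-server-group service-to-port mapping with the default-service rules (ports editable, deletion refused), and white list / black list evaluation of outbound connections against IP groups. The class, the IP group names and the sample connections are assumptions made for this illustration.

```python
# Added example (not AppXcel code): per-server-group service-to-port mapping
# and white list / black list evaluation for outbound firewall rules. The
# class, the IP groups and the sample connections are assumptions.
import ipaddress

# Assumed subset of the default service list generated for every server group.
DEFAULT_SERVICES = {"FTP": "21", "SMTP": "25", "Telnet": "23", "DNS": "53"}


class ServerGroupFirewall:
    def __init__(self, name, mode, ip_groups):
        # mode "permit": white list, only listed service/destination pairs pass.
        # mode "block":  black list, listed pairs are dropped, all else passes.
        if mode not in ("permit", "block"):
            raise ValueError("mode must be 'permit' or 'block'")
        self.name = name
        self.mode = mode
        self.services = {s: self._ports(p) for s, p in DEFAULT_SERVICES.items()}
        self.custom = set()   # names of manually added services
        self.ip_groups = {g: [ipaddress.ip_network(n) for n in nets]
                          for g, nets in ip_groups.items()}
        self.rules = []       # (service name, ip group or "ANY")

    @staticmethod
    def _ports(spec):
        """Parse the comma-separated port list used by the Services window."""
        return {int(p) for p in spec.split(",") if p.strip()}

    def set_ports(self, service, spec):
        """Change or extend the ports of an existing (default or custom) service."""
        if service not in self.services:
            raise KeyError(service)
        self.services[service] = self._ports(spec)

    def add_service(self, name, spec):
        if name in self.services:
            raise ValueError("service already exists: " + name)
        self.services[name] = self._ports(spec)
        self.custom.add(name)

    def delete_service(self, name):
        # Default services cannot be deleted, only their ports can change.
        if name not in self.custom:
            raise ValueError("only manually added services can be deleted")
        del self.services[name]
        self.custom.discard(name)

    def add_rule(self, service, ip_group="ANY"):
        if service not in self.services:
            raise KeyError(service)
        if ip_group != "ANY" and ip_group not in self.ip_groups:
            raise KeyError(ip_group)
        self.rules.append((service, ip_group))

    def _in_group(self, group, ip):
        if group == "ANY":
            return True
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ip_groups[group])

    def rule_matches(self, dst_ip, dst_port):
        """True if any rule covers this destination. Ports come from this
        group's own mapping, so "Telnet" may mean 23 here and 2300 elsewhere."""
        return any(dst_port in self.services[svc] and self._in_group(grp, dst_ip)
                   for svc, grp in self.rules)

    def outbound_allowed(self, dst_ip, dst_port):
        hit = self.rule_matches(dst_ip, dst_port)
        return hit if self.mode == "permit" else not hit
```

Because the mapping is per group, changing Telnet to 23,2300 on one group leaves a rule that says "Telnet" on another group matching port 23 only, exactly as the Services section describes.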

Special Server Configuration


AppXcel WAF is designed to accommodate specialized server configurations, such as mirroring and redundancy of Web servers.

Mirroring
When an Enterprise Application Sphere is heavily used or operates mission-critical applications, a single Web server is often not enough. In such cases, the servers operate in a mirrored, clustered, redundant, or load-sharing configuration. In mirrored and redundant configurations, a group of servers is configured to operate identically, performing exactly the same tasks. In such configurations, normal user behavior, data and URL access, and the security requirements are all identical among the servers, so the behavior learning process and the protection are identical as well.

AppXcel WAF supports mirroring by allowing multiple IP addresses per Server Group. A group of mirrored servers is defined as a single Server Group with multiple IP addresses. This way, AppXcel WAF applies exactly the same configuration and profile to all the mirrored servers of the Server Group.

Configuring Error Window for Web Server Groups


When AppXcel WAF blocks a request it can display an error page to the blocked user. AppXcel WAF can either redirect the blocked user's browser to an error page hosted on a Web server, or present a simple HTML page that was uploaded to the AppXcel WAF management component. If AppXcel WAF is blocking an IP address, no error page is displayed, because the connection is dropped before an HTTP response can be sent.

To configure an error page for a Web server group:

1. Click Server Groups.
2. Expand the Server Group.
3. Expand Server Group Settings.
4. Click Error Pages. The Error Pages window appears.
5. To redirect the blocked user's browser to an error page:
   a. Select the radio button next to "Error Page for Blocked Requests".

   b. In the Error Page for Blocked Requests field, type the URL of the error page (e.g. http://www.myweb.com/error.html).
   c. Click Test Link (optional) to test this link.
6. To present a simple HTML file:
   a. Select the radio button next to "Error text for blocked requests".
   b. Type the HTML text in the text area below (AppXcel WAF comes with a predefined HTML text). Keep the text generic; it should not reveal why the request was blocked.
7. Click Save.

Figure 2-19 Error Page Window

Note: If no error page is configured, AppXcel WAF blocks the request without presenting any error page. This is the default when you create a new Web Server Group.

Configuring AppXcel WAF to Work with Session Identifiers


What is a Session Identifier?
Web servers are stateless. When a user connects to a Web server and requests a page, the Web server or the user's browser may close the connection after the response is sent. The next time the same user connects to that Web server, a new network connection is opened and the Web server has no way of knowing whether the same user is connecting. This is a major problem for Web applications that must maintain state for the user. If the user is required to authenticate when accessing the Web application, for example, the Web application maintains the state of each authenticated user and must know to whom each request belongs. Session Identifiers were introduced to solve this.

The idea behind Session Identifiers is very simple. Whenever a user first accesses or authenticates with a Web application, the Web application or server generates a session identifier (usually a long random number or string). The Web application associates the session identifier with a specific user. The session identifier is then forwarded to the user's browser, as explained below, and the browser is requested to present it with each request it sends to the Web application. Because whoever presents the identifier is treated as that user, it must be unpredictable and kept confidential.

Session identifiers can be exchanged between browsers and Web applications using two primary methods:

HTTP Parameter: The Web application injects the session identifier as an HTTP parameter. Whenever the browser sends a request to the server, the request includes the appropriate parameter with the session identifier value. Identifiers carried in the URL are exposed in browser history, proxy logs and Referer headers, so this method is weaker than a cookie.

HTTP Cookie: The Web application sets a cookie that contains the session identifier value. Once the cookie is set, the browser automatically submits the cookie to the Web server with each request it sends.

The Web application is responsible for managing session identifiers, including generating and revoking them. Most Web applications and servers include a session expiration period: a session expires when it has existed, or been idle, for too long. The Web application and server do not accept an expired session identifier, and the user has to re-authenticate (if authentication is required) to receive a new one.

Why Configure AppXcel WAF to Support Session Identifiers?


AppXcel WAF can trace users' activity more accurately by tracking session identifiers. Without session identifiers, AppXcel WAF traces users by IP address. If two users share the same IP address (highly probable when users are routed through a proxy server or NAT), AppXcel WAF does not differentiate between them and regards them as a single user. Configuring AppXcel WAF to work with session identifiers allows each user to be traced separately, even when different users share the same IP address. Session tracking support is enabled by default.

To configure AppXcel WAF to work with Session Identifiers:

1. Click Server Groups.
2. Click the plus (+) sign next to the Web server's name.
3. Click Web Server Group Settings > Session Tracking. The Session Tracking window appears, as displayed in Figure 2-20.

Figure 2-20 Session Tracking Window

The Session Tracking window includes fields to enter the names of cookies and/or parameters that contain the session identifier for the specific Web server or Web application.

4. Enter the parameter, cookie or cookie prefix name in the Token Name field under Add New.
5. Select the type of token (Parameter, Cookie, or Cookie Prefix) from the Token Type drop-down list next to the token name:

   Parameter refers to a URL parameter that is included in every HTTP request sent by the user to the Web application or Web server.
   Cookie refers to a session cookie that is set by the Web application or Web server and stored by the user's browser, to be presented with every HTTP request.
   Cookie Prefix refers to any cookie whose name begins with the given prefix, for applications that append a variable suffix to the session cookie name.

Note: AppXcel WAF is preconfigured with the most common session identifiers, so usually no additional configuration is required. Consult your application developers about where the session information is kept.

AppXcel WAF Operation and Session Identifiers


To better understand how AppXcel WAF uses session identifiers, assume that AppXcel WAF is configured with two tokens, Token A and Token B. Token A is a parameter and Token B is a cookie. When AppXcel WAF encounters an HTTP request, it looks for Token A in the list of parameters associated with that request and for Token B in the list of cookies associated with that request.

Assume that Token A is found. AppXcel WAF examines the content of Token A. If the content is new to AppXcel WAF, it assumes that this is a new user and associates the specific token content with the new user. Every new request that contains Token A with that specific content is associated with the same user.

Now assume that a new HTTP request arrives containing Token A, but with a different value. AppXcel WAF then assumes that this is a new user, and adds the content of Token A to the list of monitored users. If a new HTTP request arrives that does not include Token A but includes Token B with a specific value, AppXcel WAF again assumes that this is a new user and adds the token's value to the list of monitored users.

Now assume another scenario: a new HTTP request arrives that includes both Token A and Token B. Assume that the value of Token A is Value A and the value of Token B is Value B. In this case AppXcel WAF assumes that Value A and Value B together indicate the same user. Any request that arrives with Token A and Value A, or Token B and Value B, is regarded as the same user. This process is called a merge.
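The following is an added example, not AppXcel code, that implements the tracking and merge behaviour described in this section and in "What is a Session Identifier?" above: tokens are extracted from the query string and the Cookie header, each new token value starts a new tracked user, a request carrying two known values merges them, and a request with no token falls back to IP-based tracking. The token names (sid, JSESSIONID, the ASPSESSIONID prefix), the prefix-matching semantics and the sample requests are assumptions made for this illustration.

```python
# Added example (not AppXcel code): session-token user tracking with merge.
# Token names, the cookie-prefix semantics and the sample requests are
# assumptions made for illustration.
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Assumed token configuration: (token name, token type).
TOKENS = [
    ("sid", "parameter"),              # "Token A" in the text: a URL parameter
    ("JSESSIONID", "cookie"),          # "Token B" in the text: a cookie
    ("ASPSESSIONID", "cookie_prefix"), # matches ASPSESSIONIDxxxx cookies
]


class SessionTracker:
    """Maps (token name, token value) pairs to user ids and merges users whose
    tokens co-occur in one request."""

    def __init__(self, tokens=TOKENS):
        self.tokens = tokens
        self.owner = {}       # (token name, token value) -> user id
        self.next_user = 1

    def extract(self, url, headers):
        """Return the (token name, value) pairs present in a request."""
        found = []
        query = parse_qs(urlsplit(url).query)
        cookies = SimpleCookie()
        if "Cookie" in headers:
            cookies.load(headers["Cookie"])
        for name, kind in self.tokens:
            if kind == "parameter" and name in query:
                found.append((name, query[name][0]))
            elif kind == "cookie" and name in cookies:
                found.append((name, cookies[name].value))
            elif kind == "cookie_prefix":
                for cookie_name in cookies:
                    if cookie_name.startswith(name):
                        found.append((cookie_name, cookies[cookie_name].value))
        return found

    def user_for(self, url, headers, client_ip):
        """Identify the user behind a request.

        Returns ("session", id) when a configured token is present, otherwise
        ("ip", client_ip): without tokens the WAF falls back to IP tracking."""
        pairs = self.extract(url, headers)
        if not pairs:
            return ("ip", client_ip)
        known = {self.owner[p] for p in pairs if p in self.owner}
        if not known:
            # Every token value is new: a new user.
            uid = self.next_user
            self.next_user += 1
        else:
            # Merge: all users referenced by this request collapse into one.
            uid = min(known)
            for pair, owner in list(self.owner.items()):
                if owner in known:
                    self.owner[pair] = uid
        for pair in pairs:
            self.owner[pair] = uid
        return ("session", uid)


if __name__ == "__main__":
    t = SessionTracker()
    print(t.user_for("/app?sid=AAA", {}, "10.0.0.1"))                            # new user
    print(t.user_for("/app", {"Cookie": "JSESSIONID=CCC"}, "10.0.0.1"))          # another new user
    print(t.user_for("/app?sid=AAA", {"Cookie": "JSESSIONID=CCC"}, "10.0.0.1"))  # merge into the first
```

After the merge, a later request carrying only JSESSIONID=CCC from a different IP address is still attributed to the first user, which is what lets the WAF follow one user across a shared proxy address.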

Active Profile Settings


The Activate Settings process activates the settings configured in the user interface. There is a difference between the configuration displayed in the user interface and the configuration that the system is actually using: a configuration change only takes effect after the Activate Settings button is clicked. You can change the alerts configuration, for example, close the user interface and open it the next day. The changes you made are displayed in the user interface but are not active yet. You can continue making as many changes as you want, closing and opening the user interface. Click Activate Settings when you are finished and satisfied with the settings; all the changes are then activated.

Two indicators in the AppXcel WAF interface show that the settings in the user interface differ from the settings the system uses:

A message at the bottom of your browser explains that the settings are different.

The Activate Settings button becomes enabled (it is disabled if the settings match).

Note: Profile changes (manual and automatic) take effect immediately and do not require the Activate Settings process.

The Next Step


After defining the AppXcel WAF and Server Groups, the AppXcel WAF can start working.

Chapter 3 - Setting the Operation Mode

This chapter describes how to set the operation mode for the server groups. It includes the following sections:

Section 3-1: Operation Modes, page 3-2
Section 3-2: IP Restrictions, page 3-3
Section 3-3: URL Restrictions, page 3-5
Section 3-4: Automatic Profile Updates, page 3-10

Section 3-1 Operation Modes


This section explains the various operation modes for AppXcel WAF. This section includes the following topics: Operation Modes - Introduction, page 3-2

Operation Modes - Introduction


Server groups have three operation modes: active, simulation, and disabled. By default, newly created server groups are placed in simulation mode. When the server group is in active or simulation mode, there are restrictions and exclusions you can enforce on the learning and protection processes. This chapter describes how to switch a server group from one operation mode to another and how to configure these restrictions and exclusions.

A server group can be in one of the following operation modes:

Active: The server group is fully active. Violations generate alerts and the configured block actions are enforced.

Simulation: The server group is fully active, but if you defined block actions of any type, AppXcel WAF does not block the traffic. This mode is called Simulation mode because AppXcel WAF behaves as if it had blocked the traffic: the alert view and the alert details indicate that the traffic was blocked. To distinguish an actual block from a simulated one, the alert includes an indication that this is a simulated block. This is the default mode when you create a new server group. Leave the server group in simulation mode until the learned profile has stabilized and the simulated blocks you review are real attacks rather than false positives; only then switch it to active mode. Server groups in simulation mode are marked with a distinct icon.

Disabled: The server group is totally disabled. It does not generate violations or alerts, does not block traffic and does not learn new behaviors. You can switch the server group back to simulation or active mode at any time. Disabled server groups are marked with a distinct icon.

To switch a server group from one mode to another, select the desired mode and click Save.

Section 3-2 IP Restrictions


This section explains how you can restrict monitoring to specific source IP groups. This section contains the following topics:

Restrict Monitoring to only this Source IP Group, page 3-3
Ignore this Source IP Group (except for firewall violations), page 3-4

Restrict Monitoring to only this Source IP Group


This feature instructs AppXcel WAF to inspect only certain IP addresses and not to inspect any others. Attacks originating from IP addresses that do not appear in this list are not detected, and behaviors such as new URLs requested from those addresses are not learned. Use this feature only if most of your traffic's sources are trusted and you need to monitor and protect selective channels into your server group.

An example of using this feature: if you have a reverse proxy in front of your Web application (e.g. Squid or NetCache) and all Internet traffic arrives from the reverse proxy's IP address, you may want to consider using this feature. This way, the activity of trusted internal users that does not pass through the reverse proxy is not monitored. Bear in mind that this also leaves the server group unprotected against those internal users.

To enable this feature:

1. Select the Restrict monitoring to only this source IP group check box.
2. Select a defined IP group from the drop-down list. See Appendix A for instructions on how to define a group of IP addresses.
3. Click Save.

Ignore this Source IP Group (except for firewall violations)


This feature allows defining a group of IP addresses that AppXcel WAF ignores, except for firewall violations. AppXcel WAF does not generate any violations or alerts for IP addresses from this group, except for firewall violations, and does not learn any behavior, such as new URLs or new queries, from IP addresses in this group.

Use this feature to allow administrators access to the server group. By definition, System Administrators have escalated privileges and even full control over applications and servers. Consider excluding the source IP addresses of the administrators from AppXcel WAF monitoring.

To enable this feature:

1. Select the option Ignore this source IP group (except for firewall violations).
2. Select a defined IP group from the drop-down list. See Appendix A for instructions on how to define a group of IP addresses.
3. Click Save.

Section 3-3 URL Restrictions


This section explains how to configure URL restrictions for Web server groups. This section contains the following topics:

Restrict Learning and Protection to only these URLs/Directories, page 3-5
Ignore the following URLs/Directories, page 3-7
Ignore Static Files, page 3-8
Ignore Parameters, page 3-9
Ignore XML Elements, page 3-9

Restrict Learning and Protection to only these URLs/Directories


AppXcel WAF only learns and protects URLs and directories that appear on this list and ignores all other URLs and directories in this server group. Use this feature if you have a sub-application that you wish to protect and you wish to ignore all other URLs in this server group.

To enable this feature:

1. Select the Restrict Learning and Protection to only these URLs/Directories check box.
2. Click the linked word these in that row. The Restrict Learning and Protection window appears, as displayed in Figure 3-1.

Figure 3-1 Restrict Learning and Protection

3. To add a URL or Directory:
   a. Enter a URL or Directory (for example /public/protectme.asp or /public/protectus/) under Add a new URL/Directory.
   b. Click Add.
   c. Repeat steps a and b to add more URLs and Directories to the list.
4. To remove a URL/Directory from the list, select it and click Delete.
5. Click Close.

Note: When you add a directory to this list, all its sub-directories and sub-URLs are learned and protected.

Ignore the following URLs/Directories


AppXcel WAF includes several mechanisms for ignoring URLs. The most important is the Ignore Static Files feature. In addition, the Ignore URLs/Directories feature is used if for some reason you want to completely ignore URLs/Directories, or if a certain URL cannot be learned properly for some technical reason. You can also use this feature if you want to avoid security alerts on these URLs/Directories. Remember that an ignored URL is also unprotected; do not ignore URLs that accept user input merely to silence alerts.

To add ignored URLs/Directories:

1. Select the Ignore the following URLs/Directories check box.
2. Click the linked word following. The Ignored URLs/Directories window appears, as displayed in Figure 3-2.

Figure 3-2 Ignored URLs / Directories Dialog

3. Type in a URL or a Directory (for example /private/ignoreme.asp or /private/ignoreus/).
4. Click Add.
5. Repeat steps 3 and 4 until all URLs/directories are added.
6. To delete URLs/Directories, select them and click Delete.
7. Click Close.

Note: When you add a directory to this list, all its sub-directories and sub-URLs are ignored.

Ignore Static Files


Static files, such as image files, Microsoft Office files and PDF files, cannot usually be used to attack a Web application. However, much of the traffic to Web applications consists of static files, so by not learning and protecting static files it is possible to increase the performance of AppXcel WAF by about 50%. Use this feature to select the types of static files you wish to ignore. Selected static file types are not learned and do not appear in the Server Group profile; they are not protected either, so add only extensions that your server really serves as static content.

To Ignore Static Files:

1. Select the Ignore Static Files check box. Click the linked word static in this row. The Static File Extensions window appears, as displayed in Figure 3-3. The list is pre-configured with common static file extensions.

Figure 3-3 Static File Extensions Window

2. To add a static file extension:
   a. Enter a static file extension, for example .pps, under Insert a new extension.
   b. Click Add.
   c. Repeat steps a and b to add more extensions to the list.
3. To remove a static file extension from the list, select it and click Delete.
4. Click Close.

Ignore Parameters
Use this feature to select parameter names that you wish to ignore. These parameters are not examined by the gateway and the following violations are not invoked for these parameters: Parameter Read-Only Violations, Parameter Type Violation, Parameter Unknown, Parameter Value Length Violation, Required Parameter Not Found.

Ignore XML Elements


Use this feature to select XML Elements and Attributes you wish to ignore. These elements and attributes are not examined by the gateway and the following violations are not invoked for these parameters: XML Value Type Violation, Unknown XML Element/Attribute, XML Value Length Violation, Required XML Element/Attribute Not Found.
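The following is an added example, not AppXcel code, that combines the scope decisions of Sections 3-2 and 3-3 into one filter: the ignored and restricted source IP groups, the restricted and ignored URL/directory lists (a directory entry covers all its sub-URLs), the static file extension list and the ignored parameter names. The class, the order in which the checks are applied and the sample addresses and paths are assumptions made for this illustration; the path is normalized before comparison so that a request such as /private/../public/x.asp is judged by the path the server will actually resolve.

```python
# Added example (not AppXcel code): inspection-scope filter for the IP and
# URL restrictions of Sections 3-2 and 3-3. The class, the check ordering
# and the sample data are assumptions made for illustration.
import ipaddress
import posixpath
from urllib.parse import urlsplit


class InspectionScope:
    def __init__(self, restrict_ips=None, ignore_ips=None, restrict_urls=None,
                 ignore_urls=None, static_exts=None, ignore_params=None):
        nets = lambda lst: [ipaddress.ip_network(n) for n in (lst or [])]
        self.restrict_ips = nets(restrict_ips)      # empty = feature not enabled
        self.ignore_ips = nets(ignore_ips)
        self.restrict_urls = list(restrict_urls or [])
        self.ignore_urls = list(ignore_urls or [])
        self.static_exts = {e.lower() for e in (static_exts or [])}
        self.ignore_params = set(ignore_params or [])

    @staticmethod
    def _ip_in(nets, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in nets)

    @staticmethod
    def normalize(url):
        """Path component only, with dot segments resolved, so that
        /private/../public/x.asp is judged as /public/x.asp."""
        path = urlsplit(url).path or "/"
        return posixpath.normpath(path)

    @staticmethod
    def _covered(entries, path):
        # An entry ending in "/" is a directory and covers all its sub-URLs.
        for entry in entries:
            if entry.endswith("/"):
                if path == entry.rstrip("/") or path.startswith(entry):
                    return True
            elif path == entry:
                return True
        return False

    def decision(self, src_ip, url):
        """Return (verdict, reason): "inspect", "firewall_only" or "ignore"."""
        if self.ignore_ips and self._ip_in(self.ignore_ips, src_ip):
            return ("firewall_only", "ignored source IP group")
        if self.restrict_ips and not self._ip_in(self.restrict_ips, src_ip):
            return ("ignore", "source not in monitored IP group")
        path = self.normalize(url)
        if self.restrict_urls and not self._covered(self.restrict_urls, path):
            return ("ignore", "URL outside restricted list")
        if self._covered(self.ignore_urls, path):
            return ("ignore", "ignored URL/directory")
        ext = posixpath.splitext(path)[1].lower()
        if ext and ext in self.static_exts:
            return ("ignore", "static file")
        return ("inspect", None)

    def params_to_examine(self, names):
        """Drop ignored parameter names before the profile checks run."""
        return [n for n in names if n not in self.ignore_params]
```

Everything that returns "ignore" is neither learned nor protected, which is why the lists should be as short as the application allows.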

Section 3-4 Automatic Profile Updates


This section explains how the automatic profile update feature ensures that the profile remains up-to-date even if some of the content and code on the Web site has changed. This section contains the following topics: Automatic Profile Updates - Introduction, page 3-10

Automatic Profile Updates - Introduction


Web sites are very dynamic and tend to change regularly as developers update source code and content. The automatic profile update feature ensures that the profile remains up to date even if some of the content and code on the Web site has changed. It defines rules for handling profile violations so that violations which occur at high frequency from a number of IP addresses are added automatically to the profile, saving the administrator valuable time. Without this feature the administrator would need to review profile violation alerts regularly, locate false positives and update the profiles manually.

The automatic profile update rules check whether a specific violation occurred many times, over a relatively long period of time, and originated from multiple sources. If so, AppXcel WAF automatically updates the profile with the anomalous information. Requiring several sources over a sustained period is what prevents a single attacker from teaching the profile to accept malicious input by repeating it. Changes to the profile take effect immediately (there is no need to activate this setting).

Note: Until the relevant Automatic Profile Update rule is triggered and the relevant part of the profile is updated, profile violations and alerts are still generated, and any defined action, immediate or delayed, is executed. You can control the thresholds that cause the different APU rules to execute by modifying the rule, as explained below.

Web Profile Violations


The Web profile violations covered by this feature are:

Cookie Tampering: This rule moves the cookie from the protected list to the ignored list.

Cookie Injection: This rule moves the cookie from the protected list to the ignored list.
Missing Parameter: This rule removes the Required attribute from the parameter.
Missing XML Element/Attribute: This rule removes the Required attribute from the XML Element/Attribute.
Parameter Length Exceeds Constraints: This rule changes the minimum or maximum length of a parameter.
XML Element/Attribute Length Exceeds Constraints: This rule changes the minimum or maximum length of an XML Element/Attribute.
Unknown Parameter: This rule adds the parameter to the URL.
Unknown XML Element/Attribute: This rule adds the XML Element/Attribute to the SOAP Action.
Parameter Read-Only: This rule removes the Read-Only attribute from the parameter.
Parameter Type: This rule changes the value type of a parameter.
XML Element/Attribute Type: This rule changes the value type of an XML Element/Attribute.
Unauthorized Method: This rule adds the HTTP method to the URL.
Unauthorized SOAP Action: This rule adds the SOAP action to the URL.

To configure, enable and modify the Automatic Profile Updates rules:

1. Select the option Automatic profile updates.
2. Click Updates. The Automatic Profile Updates window appears, as displayed in Figure 3-4.

Figure 3-4 Automatic Profile Updates Window

3. To enable a rule, select its Use check box. Only rules that are selected are used during an automatic profile update process.
4. To change a rule's properties, select the rule name. The rule's properties appear in the lower pane.
5. Modify the values in the rule and click Save.
6. Repeat for additional violations.
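The following is an added example, not AppXcel code, showing how an Automatic Profile Update rule of the kind described in this section can be evaluated: a violation is auto-learned only after it has been seen a minimum number of times, from a minimum number of distinct source addresses, spread over a minimum time span, and a disabled rule (Use check box cleared) never updates the profile. The rule fields and thresholds, the layout of the learned profile and the sample events are assumptions made for this illustration; the real product's thresholds are set in the window shown in Figure 3-4.

```python
# Added example (not AppXcel code): threshold evaluation for Automatic
# Profile Update rules and the resulting profile change. Rule fields,
# thresholds, profile layout and sample events are assumptions.
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class APURule:
    violation: str
    min_occurrences: int     # seen at least this many times ...
    min_sources: int         # ... from at least this many distinct IPs ...
    min_span_seconds: int    # ... spread over at least this long
    enabled: bool = True     # the "Use" check box


def fresh_profile():
    """A tiny learned profile (assumed layout): URL -> methods and parameters."""
    return {"/login.asp": {"methods": {"GET", "POST"},
                           "params": {"user": {"required": True, "max_len": 32},
                                      "pwd": {"required": True, "max_len": 64}}}}


class ProfileUpdater:
    def __init__(self, rules, profile):
        self.rules = {r.violation: r for r in rules}
        self.profile = profile
        self.history = defaultdict(list)   # (violation, url, name) -> [(ts, ip, observed)]

    def record(self, violation, url, name, observed, ts, src_ip):
        """Feed one profile violation. Returns True when the rule fires and the
        profile is updated; until then the violation still raises its alert."""
        rule = self.rules.get(violation)
        if rule is None or not rule.enabled:
            return False
        key = (violation, url, name)
        hist = self.history[key]
        hist.append((ts, src_ip, observed))
        if len(hist) < rule.min_occurrences:
            return False
        if len({ip for _, ip, _ in hist}) < rule.min_sources:
            return False        # one noisy or malicious source cannot teach the profile
        if hist[-1][0] - hist[0][0] < rule.min_span_seconds:
            return False        # a short burst is not a sustained change
        self._apply(violation, url, name, [o for _, _, o in hist])
        del self.history[key]
        return True

    def _apply(self, violation, url, name, observed):
        entry = self.profile.setdefault(url, {"methods": set(), "params": {}})
        params = entry["params"]
        if violation == "Unknown Parameter":
            params.setdefault(name, {"required": False,
                                     "max_len": max(len(o) for o in observed)})
        elif violation == "Missing Parameter":
            params[name]["required"] = False
        elif violation == "Parameter Length Exceeds Constraints":
            params[name]["max_len"] = max(params[name]["max_len"],
                                          max(len(o) for o in observed))
        elif violation == "Unauthorized Method":
            entry["methods"].update(observed)
```

The three thresholds work together: a single source repeating an unknown parameter thirty times, or three sources sending it within a few seconds, both keep generating alerts and never relax the profile.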

Chapter 4 - Configuring Actions

This chapter describes how to configure AppXcel WAF to invoke actions upon security events. This chapter contains the following sections:

Section 4-1: Action Interfaces, page 4-2
Section 4-2: Configuring Action Policies, page 4-4
Section 4-3: Configuring Server Groups Security Rules, page 4-7
Section 4-4: Preventing Blocking of Specific IP Addresses, page 4-36

Section 4-1 Action Interfaces


This section explains how to define Action Interfaces. This section contains the following topics:

Introduction, page 4-2
Defining Action Interfaces, page 4-2

Introduction
AppXcel WAF can take various types of actions when a security event occurs. The action configuration process includes three steps:

Defining Action Interfaces: An action interface allows AppXcel WAF to communicate with external devices. For example, you can define an action interface to a specific Syslog server, or an action interface to a specific SMTP server.

Defining Action Policies: An action policy is a list of actions executed upon a security event. You can define various action policies and then use a different action policy, or the same action policy, for each security event. Action policies use Action Interfaces.

Defining Security Rules per Server Group: For each server group, you can view the list of associated security events and select the action policy to be executed when each event occurs.

Defining Action Interfaces


The first step in the process of defining actions is to define action interfaces. The following types of interfaces are available for AppXcel WAF:

SNMP Traps: An interface that sends SNMP traps to an external SNMP manager.

Operating System Command: An interface to the operating system of the AppXcel WAF Management Server component. This interface allows execution of an operating system command or a specific file.

Note: Under the Global Settings tab, Actions > Action Interfaces > Create Action Interface, you can choose to execute an Operating System Command. Because the command runs with the privileges of the management component, restrict who is allowed to create such interfaces.

Email: An interface to a specific SMTP server. This interface allows sending an email alert to a specific group of email addresses. Syslog: An interface to a specific Syslog server. This interface allows sending an email alert through a specific syslog server.

You can define multiple interfaces of each type. For example, you can configure two different syslog servers and two groups of email recipients. See Appendix B for information on how to define the various action interfaces.


Section 4-2 Configuring Action Policies


This section explains how to define an action policy. This section includes the following topics:
Configuring Action Policies - Introduction, page 4-4

Configuring Action Policies - Introduction


An Action Policy defines a set of actions and operations that are executed immediately upon occurrence of a security event. The administrator can define different action policies and use them for different events. The action policy window includes the following fields:
Start Blocking Attacking IP: Blocks the attacking IP address for the block duration set below.
Block Duration (sec.): The time period, in seconds, for which the attacking IP is blocked.
Start Blocking Attacking Session: Blocks the attacking session by dropping the packet each time this source session tries to connect to the protected servers.
Block Duration (sec.): The time period, in seconds, for which the attacking session is blocked.
Start Monitoring Attacking IP: Records all requests/responses from the IP.
Monitor Duration (sec.): The time period, in seconds, for which the attacking IP is monitored.
Start Monitoring Session: Records all requests/responses from the Web application session.
Monitor Duration (sec.): The time period, in seconds, for which the session is monitored.
Execute an Operating System Command: A list of all action interfaces of type Operating System Command.

The Action Policy window includes the various available actions. You can select one or more actions. Any combination of actions is allowed.

To configure an Action Policy:
1. Click Global Settings.
2. Expand the Actions tree entry.
3. Expand the Action Policies tree entry.
4. Click Create Action Policy.
5. Type in the name of the policy in the Policy Name field. This name is used to identify the specific policy.
6. If you wish to block the attacker's IP address for a specific period of time, select the Start Blocking Attacking IP checkbox. Otherwise continue with step 8.
7. Enter the duration (in seconds) for which this IP is blocked.
8. If you wish to block the attacker's Session Identifier (for Web protected servers only) for a specific period of time, select the Start Blocking Attacking Session checkbox. Otherwise continue with step 10.
9. Enter the duration (in seconds) for which this Session is blocked.
10. Upon a security event, AppXcel WAF can start monitoring the attacking IP by recording all requests this IP sends to the protected servers and all responses it receives. The monitored events are available for viewing from the Alert viewer. Select the Start Monitoring IP checkbox to monitor the violating IP address.
11. If you selected Start Monitoring IP, type in the monitor duration in the Duration field.
12. Upon a security event, AppXcel WAF can start monitoring the attacking session (for protected Web servers only) by recording all requests this session sends to the protected servers and all responses it receives. The monitored events are available for viewing from the Alert viewer. Select the Start Monitoring Session checkbox to monitor the violating session.
13. If you selected Start Monitoring Session, type in the monitor duration in the Duration field.
14. All alerts are logged in the AppXcel WAF Alert viewer.
15. If you want to send the alert to external devices, select the Send Alert Using checkbox. Otherwise continue with step 19.
16. The list below Send Alert Using includes all Email and Syslog action interfaces you defined. If no such interfaces exist, the option does not appear. Select the Email and Syslog interfaces you want to use in order to dispatch this alert by selecting the checkbox near the interface names.
17. Select the Execute Operating System Commands checkbox if you want AppXcel WAF to execute specific operating system commands as part of this policy.
18. The list below Execute Operating System Commands includes all the operating system command interfaces you defined. If you did not define any interface, this option does not appear. Select the operating system commands you want to execute by checking the checkbox near the name of the interface.
19. Click Create.

Figure 4-1 Action Policy


Section 4-3 Configuring Server Groups Security Rules


This section explains how to configure the Server Groups Security Rules. This section contains the following topics:
Security Rules - Introduction, page 4-7
Firewall Rules, page 4-10
Signature Rules, page 4-12
Protocol Violation Rules, page 4-13
Web Worms Defender Rules, page 4-19
Profile Violation Rules, page 4-22
Custom Policy Rules, page 4-26
Correlation Rules, page 4-32

Security Rules - Introduction


Security Rules are defined per Server Group. There are six categories, defined by the type of security layer that generated the Alert:
Network Firewall Rules
Signature Rules
Protocol Violation Rules
Web Worm Defender Rules
Profile Violation Rules
Correlation Rules

AppXcel WAF defines default security rules (and default action policies) for each Server Group type. When a Server Group is defined, it automatically receives the default security rules definitions. You can modify these and restore the default rules. You can also copy the rules configured for another Server Group. Note that when you restore default rules, the Server Group-specific configuration is irreversibly erased. There are two types of actions that you can attach to each rule:
Immediate Actions: Actions taken as an immediate response to an attack (i.e. blocking the packet that generated the security event).
Followed Actions: Follow-up actions taken by the system to continue blocking the attacker's source and to further observe and analyze the violations.


To define actions for security rules:
1. Click Server Groups.
2. Expand the Server Group's submenu.
3. Expand Security Rules.
4. Click the required security rules category. The Security Rules window appears as displayed in Figure 4-2.

Figure 4-2 Firewall Rules Window

5. Configure the actions.
6. To copy the configuration from another Server Group:
   a. Click Copy From. The Copy From window appears, as displayed in Figure 4-3.

Figure 4-3 Copy Action Policy From Window

   b. Select the Server Group.
   c. Select either: Copy policy only for this action category; or Copy policy for all action categories.
   d. Click OK. The configuration is copied from the selected Server Group to the displayed Server Group.
7. To restore the default Server Group actions:
   Note: The Server Group-specific configuration is irreversibly erased when you restore the defaults.
   a. Click Restore Defaults. The window displayed in Figure 4-4 appears.

Figure 4-4 Restore Defaults Window

   b. Click OK. The default configuration is restored.
   c. Click Save.


Firewall Rules
Firewall Rules define the actions taken when AppXcel WAF detects unauthorized access to the service, fragmented packets, or non-compliant TCP/IP packets.

Figure 4-5 Firewall Actions Window

This window presents the following fields:
Firewall Rules: The Firewall Rule to be used.
Enable: Enables the action.
Alert: Choose the alert severity generated by the security event: Informative / Low / Medium / High.
Immediate Action: None: Access is not blocked. Use this option if you only want to log unauthorized access attempts. Block Access: The AppXcel WAF gateway drops the packet that violates the firewall rule.
Followed Actions: Drop-down list of Action Policies (see Section 4-2, Configuring Action Policies). If no action policies are defined, the list is empty.

The supported firewall violations are:
Fragmented Packet: This violation is invoked whenever the gateway encounters a fragmented packet.
Non Compliant Packet: The IP, TCP, or UDP packet is not protocol-compliant. This includes issues such as an incorrect checksum, an invalid IP address, invalid flags, unknown options, and incorrect SYN usage.
Unauthorized Access to Service: AppXcel WAF allows firewall access rules to be defined for each server group. These access rules include a list of services and sources allowed on the server group.


Signature Rules
Signature rules are activated when a signature is detected. Signature rules are defined for each dictionary defined in the system. The upper pane lists the dictionaries and their actions; the lower pane presents information on the selected dictionary: the description of the dictionary; the services on which it operates, and whether this is a filtered or manual dictionary.

Figure 4-6 Signature Rules Window


This window presents the following fields:
Signature Dictionary: A list of all dictionaries. The icon next to the name indicates the type of dictionary: a manually generated dictionary, or a dictionary generated using a filter. Each dictionary name is also a link to the dictionary. Click the dictionary name to display the dictionary.
Enable: Enables the action.
Alert: Choose the alert severity generated by the security event: Informative / Low / Medium / High.
Immediate Action: None: No immediate action is taken. Block: AppXcel WAF immediately drops the packet that contains the signature.
Followed Actions: Drop-down list of Action Policies (see Section 4-2, Configuring Action Policies). If no action policies are defined, the list is empty.

To update the signatures database refer to Updating the Signatures Database, page 7-13.

Protocol Violation Rules


Protocol Violation rules are activated when the attacker sends an HTTP request that doesn't fully comply with the HTTP specification. You can configure the actions to be taken for all protocol violations defined in the system. The upper pane presents a list of the violations and their actions; the lower pane presents a description of the selected violation.


Figure 4-7 Protocol Violation Rules Window

The Protocol Violations Action window presents the following fields:
Protocol Violation: List of protocol violations. See below for the complete list and a description of each violation.
Enable: Enables the action.
Alert: Choose the alert severity generated by the security event: Informative / Low / Medium / High.
Immediate Action: None: No immediate action is taken. Block: AppXcel WAF immediately drops the packet that contains the violating HTTP message.
Followed Actions: Drop-down list of Action Policies (see Section 4-2, Configuring Action Policies). If no action policies are defined, the list is empty.

The supported protocol violations are:


Abnormally long header line: The length of either the HTTP request Header name (e.g. Content-Type, Accept, etc.) or value exceeds the maximum threshold. Although the HTTP specification does not define a specific length limitation, when Header lines exceed this length it usually indicates a buffer overflow attempt. You can manually configure the thresholds.

Abnormally long request: The length of one of the following parts within an HTTP request exceeds the allowed threshold: HTTP Method, URL, Query String, HTTP Version. Although the HTTP specification does not define a specific length limitation, a URL that exceeds this length usually indicates a buffer overflow attempt. Violation of this length limitation may also indicate other types of attacks, such as partial validation by servers (the web server validates only the first part of a long string while the operating system or other backend service regards the entire string). You can manually configure the thresholds.

Double URL encoding: URL encoding is a standards-based format for embedding non-printable or special characters within HTTP request fields (such as the URL). The character is represented by a percent symbol ('%') followed by the hexadecimal representation of its value (e.g. the TAB character, whose ASCII value is 9, can be represented as '%09'). Double URL encoding is an evasion technique used by attackers to bypass access control, authorization and detection mechanisms by applying URL encoding multiple times to the attack URL. For example, a '/' character in a directory traversal attack is encoded as %252F, which is the result of applying URL encoding twice.

Extremely Long URL Parameter: The length of a URL parameter exceeds 4096 characters (the maximum allowed length of both the parameter's name and value is configurable). Although the HTTP specification does not define a specific length limitation, a parameter that exceeds this length usually indicates a buffer overflow attempt. Violation of this length limitation may also indicate other types of attacks, such as partial validation by servers (the web server validates only the first part of a long string while the operating system or other backend service regards the entire string). You can manually edit the threshold. Note that this violation only applies to HTTP requests that use the POST method. HTTP requests that use the GET method do not invoke this violation.

Illegal Byte Code Character in Request: A non-printable ASCII character (ASCII 1 - 31, 127) is embedded in an HTTP request Header field's name or value (e.g. Content-Type, Accept). This behavior is banned by the HTTP standard and is indicative of attacks involving injection of malicious code or attacks aimed at the request parsing mechanism.


Illegal Byte Code Character in Request Content: A non-printable ASCII character (ASCII 1 - 31, 127) is embedded in the content of an HTTP request containing HTML form data. This behavior is indicative of attacks involving injection of malicious code or attacks aimed at the request parsing mechanism.

Illegal Host Name: The name of the target host within an HTTP request contains non-printable (ASCII 1 - 31, 127) or extended (ASCII 128 - 255) ASCII characters. This behavior is banned by the HTTP standard and is indicative of attacks involving injection of malicious code or attacks aimed at the request parsing mechanism.

Illegal HTTP Version: Each HTTP request must contain the version of the protocol used by the client, in the form HTTP/v where v is replaced by the actual version number (one of 0.9, 1.0, 1.1). This anomaly indicates a malformed request not sent from a normal browser.

Illegal Response Code: An HTTP response does not include a legal HTTP response code. The HTTP standard specifies that the code is a 3-digit number. A non-compliant code indicates an ill-formed response, which is usually the consequence of a severe failure.

Illegal Parameter Encoding: URL encoding is a standards-based format for embedding non-printable or special characters within HTTP request fields (such as the values of parameters). The character is represented by a percent symbol ('%') followed by the hexadecimal representation of its value (e.g. the TAB character, whose ASCII value is 9, can be represented as '%09'). Illegal encoding within parameter values is a technique used by malicious individuals both for evasion and attack by embedding ill-crafted sequences preceded by the percent symbol. These sequences (e.g. %vv, %t0, etc.) are banned by the standard and are usually decoded in an unexpected manner by different web servers.

Illegal URL Path Encoding: URL encoding is a standards-based format for embedding non-printable or special characters within HTTP request fields (such as the URL). The character is represented by a percent symbol ('%') followed by the hexadecimal representation of its value (e.g. the TAB character, whose ASCII value is 9, can be represented as '%09'). Illegal encoding within the URL is a technique used by malicious individuals both for evasion and attack by embedding ill-crafted sequences preceded by the percent symbol. These sequences (e.g. %vv, %t0, etc.) are banned by the standard and are usually decoded in an unexpected manner by different web servers.

Malformed HTTP Header Line: An HTTP Header field is comprised of a name (e.g. Content-type, Content-length, etc.) and a value separated by a colon (':') character. A malformed header line does not include the colon character, making it impossible to correctly parse the content of the line. This is an indication of an attack on the server's parsing mechanism.


Malformed URL: The URL in a request must begin with a '/' character and may include a protocol and host prefix (e.g. http://myserver.com/default.asp). Omission of the '/' character or a protocol prefix other than http is usually an indication of a malicious attempt to tunnel other protocols (e.g. SMTP) using the web server.

Malformed XML/SOAP Message: If the HTTP request includes an XML message which cannot be parsed, AppXcel WAF invokes this violation.

NULL Character in Header Line: The use of a NULL (0 valued) character within the name or value of an HTTP request Header field is banned by the standard. An attacker embeds NULL characters within the Header field in order to evade detection mechanisms.

NULL Character in Request Content: The use of a NULL (0 valued) character within the content of an HTTP request containing form data is banned by the standard. An attacker embeds NULL characters within the request content in order to evade detection mechanisms.

Redundant HTTP Headers: An HTTP request contains protocol information and processing hints in header fields. Some of the fields have a crucial role in the interpretation of the message by the server and a significant effect on the processing of the request by the server. Those fields are required to appear only once in any request. The "Redundant HTTP Headers" anomaly is invoked if an HTTP request contains multiple instances of such headers. The default list of headers that are affected by this anomaly includes the "Content-length" header field (which affects the number of bytes from the network stream that are associated with the message), the "Content-type" header field (which affects the parsing of the message content), the "Host" header field and others.

Redundant UTF-8 Encoding: UTF-8 is a popular character encoding scheme for representing Unicode characters using variable-length byte sequences. Promiscuous interpretation of UTF-8 strings by web servers results in the translation of multiple sequences into the same ASCII character (e.g. '/' or '.'). This technique, known as "Redundant UTF-8 Encoding", is used by attackers to evade access control, authorization and detection mechanisms.

Too Many Cookies in a Request: AppXcel WAF invokes this violation if an HTTP request includes too many cookies. The number of allowed cookies appears in the bottom pane. Change the number, as required, and then click Save.

Too Many Headers per Request: An HTTP request contains more than 15 Header fields. This is an indication of a buffer overflow attack or an attempt to evade detection mechanisms. Change the number as required and then click Save.


Too Many Headers per Response: An HTTP reply contains more than 20 Header fields. This is an indication of information leakage (e.g. credit card numbers, user identifiers, etc.) through the Header fields rather than through the response body. Change the number as required and then click Save.

Too Many URL Parameters: The number of parameters in the URL exceeds the threshold. Change the number as required and then click Save. Note that this violation only applies to HTTP requests that use the POST method. HTTP requests that use the GET method do not invoke this violation.

Unauthorized Request Content Type: This anomaly occurs for a variety of HTTP requests in which the content-type cannot be correctly established according to the RFC, or in which the content-type is identified as an unauthorized type. Click the "click here" link to add and remove content types.

Unknown HTTP Request Method: Each HTTP request must start with a field called the HTTP method or HTTP verb (e.g. GET or POST). The list of methods is defined by various standards. Some of the methods have a potentially dangerous effect on the web server and hence only a partial list of the methods is allowed by most web servers. This anomaly detects a method that is not one of the following: GET, POST, HEAD, PUT, OPTIONS, TRACE, CONNECT, DELETE, LOCK, UNLOCK, PROPPATCH, PROPFIND, COPY, MOVE, MKCOL, SEARCH, RMDIR, INDEX, MKDIR, BCOPY, BDELETE, BMOVE, BPROPFIND, BPROPPATCH, NOTIFY, POLL, SEARCH, SUBSCRIBE, UNSUBSCRIBE, indicating an attempt to execute a dangerous and illegal operation on the web server. (See Appendix G.)

URL is Above Root Directory: The URL points to a file residing outside of the Web server's root directory. This usually indicates a directory traversal attack in which the attacker tries to access files outside of the root directory. In some poorly written applications some embedded links may point outside of the Web server's root directory.

Note: Protocol violations also participate in several correlation rules (Malformed HTTP attacks). If you want to avoid receiving alerts that involve certain protocol violations, you need to disable them from the relevant correlation rules as well.
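The following is an added example, written for this guide and not AppXcel WAF's own code, showing how several of the protocol violations listed above can be checked on a raw HTTP request head. The 15-header threshold and the three "appear only once" headers are the defaults the page states; the allowed-method set (a subset of the page's list), the handling of a malformed request line, and the choice to test the "above root" condition after full decoding are assumptions made here. The sample requests are constructed, not captured traffic.

```python
"""Illustrative checks for several of the protocol violations listed above.
Added example code, not AppXcel WAF code. Assumptions: ALLOWED_METHODS is a
subset of the page's list, a request line without three fields is reported under
one catch-all name, and traversal is evaluated on the fully decoded path."""
import re
from urllib.parse import unquote

MAX_HEADERS_PER_REQUEST = 15                                  # page default
UNIQUE_HEADERS = {"content-length", "content-type", "host"}   # page's default list
ALLOWED_METHODS = {"GET", "POST", "HEAD", "PUT", "OPTIONS", "TRACE", "CONNECT", "DELETE"}
ILLEGAL_ENCODING = re.compile(r"%(?![0-9A-Fa-f]{2})")        # '%' not followed by two hex digits
HTTP_VERSION = re.compile(r"^HTTP/(0\.9|1\.0|1\.1)$")


def _non_printable(s):
    """ASCII 1-31 and 127, the page's non-printable range (NUL is reported separately)."""
    return any(1 <= ord(c) <= 31 or ord(c) == 127 for c in s)


def _above_root(path):
    """True when '..' segments take the path above the document root."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def check_request(raw):
    """Return the names of the violations found in one raw HTTP request head."""
    found = []
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")   # latin-1 preserves every byte value
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return ["Malformed request line"]                    # assumption: one catch-all name
    method, url, version = parts
    if method not in ALLOWED_METHODS:
        found.append("Unknown HTTP Request Method")
    if not HTTP_VERSION.match(version):
        found.append("Illegal HTTP Version")
    # Malformed URL: must start with '/' or carry an http:// prefix
    if url.startswith("/"):
        path = url
    elif url.lower().startswith("http://"):
        rest = url[len("http://"):]
        path = "/" + rest.split("/", 1)[1] if "/" in rest else "/"
    else:
        path = None
        found.append("Malformed URL")
    if path is not None:
        path_only, _, query = path.partition("?")
        if ILLEGAL_ENCODING.search(path_only):
            found.append("Illegal URL Path Encoding")
        if ILLEGAL_ENCODING.search(query):
            found.append("Illegal Parameter Encoding")
        once = unquote(path_only)
        if unquote(once) != once:          # a second decoding pass still changes the string
            found.append("Double URL encoding")
        if _above_root(unquote(once)):     # decoded fully first, so encoding cannot hide '..'
            found.append("URL is Above Root Directory")
    headers = lines[1:]
    if len(headers) > MAX_HEADERS_PER_REQUEST:
        found.append("Too Many Headers per Request")
    seen = {}
    for line in headers:
        if "\x00" in line:
            found.append("NULL Character in Header Line")
        elif _non_printable(line):
            found.append("Illegal Byte Code Character in Request")
        if ":" not in line:
            found.append("Malformed HTTP Header Line")
            continue
        name, value = line.split(":", 1)
        name = name.strip().lower()
        seen[name] = seen.get(name, 0) + 1
        if name == "host" and (_non_printable(value) or any(ord(c) > 127 for c in value)):
            found.append("Illegal Host Name")
    if any(seen.get(h, 0) > 1 for h in UNIQUE_HEADERS):
        found.append("Redundant HTTP Headers")
    return list(dict.fromkeys(found))      # de-duplicate, keep first-seen order


# Constructed sample requests (not captured traffic)
CLEAN = b"GET /index.html?id=5 HTTP/1.1\r\nHost: www.example.com\r\nAccept: */*\r\n\r\n"
DOUBLE_ENCODED = b"GET /cgi-bin/..%252F..%252Fetc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
BAD_HEADERS = (b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 10\r\n"
               b"Content-Length: 99\r\nX-Broken no colon here\r\nX-Nul: a\x00b\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("clean", CLEAN), ("double", DOUBLE_ENCODED), ("headers", BAD_HEADERS)):
        print(label, check_request(req))
```

The double-encoded sample trips two checks at once: the second decoding pass still changes the path, and the fully decoded path walks above the root. That is why the Note above matters: a request like this would also feed the Malformed HTTP correlation rules, so disabling one protocol violation does not silence the correlated alert.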


Web Worms Defender Rules


This section is only available for Web Server Groups. To defend against Worm attacks, AppXcel WAF blocks Unknown HTTP Requests on specific directories which are usually targeted by worms. Before blocking, AppXcel WAF verifies that the request has no legitimate host value and no legitimate session ID. You can add and remove directories on which this feature operates. Note that worm-protected directories must go through a learning period before AppXcel WAF starts protecting them, as explained below.

Figure 4-8 Web Worm Defender Rules Window


This window presents the following fields:
Web Worm Defender Rules: The name of the violation that the Worm Defender engine generates.
Enable: Enables the violation.
Alert: Choose the alert severity generated by the violation: Informative / Low / Medium / High.
Immediate Action: None: The worm is not blocked. Use this option for a log-only policy. Block: AppXcel WAF immediately drops the packet that contains the suspected worm.
Followed Actions: Drop-down list of Action Policies (see Configuring Action Policies, page 4-4). If no action policies are defined, the list is empty.
Save: Saves the changes to the directories.

When you create a new Web server group, it is created with a list of preconfigured worm-protected directories. This list includes worm-susceptible directories such as default IIS and Apache directories. You can add and remove directories from this list as required. Note that the list mostly contains directories which are not part of your application. This is normal, as one of the main purposes of this feature is to block access to default directories that exist on the protected Web server and were created during the Web server's installation process or the installation process of add-on components. In order to protect worm-susceptible directories, AppXcel WAF must first learn whether the protected application uses any URLs in these directories, as URLs which are legitimately used by the Web application are not blocked by the worm defender. Thus, when you create a new Web server group, all the worm-protected directories enter a learning period. During this period AppXcel WAF learns which URLs belong to the directories that are used by the application. The learning period is different for each directory, and different directories can enter protect mode at different times, based on various factors such as how much traffic AppXcel WAF has recorded for a specific directory. When a directory enters protect mode, AppXcel WAF starts generating Worm violations for it. AppXcel WAF automatically transfers directories from learn to protect mode; however, you can also manually switch directories between learn and protect mode.


To manage the list of worm-protected directories:
1. Click the click here link on the bottom panel. The Worm Protected Directories window appears as presented in Figure 4-9.
2. To add a new directory:
   a. Enter the directory name in the Directory field.
   b. Click Add. The directory is added in learn mode.
3. To delete directories:
   a. Select the check boxes to the left of the directories you wish to delete.
   b. Click Delete.
4. To switch directories between learn and protect mode:
   a. Select directories in learn mode or select directories in protect mode.
   b. Click Switch to Learn/Protect.
   c. Click Close to close this window.

Figure 4-9 Worm Protected Directories
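The decision logic described above (learn period per directory, then block unknown requests that carry neither a legitimate Host value nor a legitimate session ID), as an added example; this is not the product's code. What "legitimate" means is an assumption made here: the Host header must name one of the protected site's host names, and a session ID counts only if the application previously issued it. The directory list and session cookie name in the sample are constructed.

```python
"""Worm Defender decision logic in the style described above.
Added illustration, not AppXcel WAF code. Assumptions: a legitimate Host value
is one of the configured site host names, and a legitimate session ID is a
session cookie value the application itself handed out earlier."""


class WormDefender:
    def __init__(self, directories, site_hosts, session_cookie="JSESSIONID"):
        # Every worm-protected directory starts in learn mode (page: learning period first)
        self.mode = {d: "learn" for d in directories}
        self.learned_urls = {d: set() for d in directories}
        self.site_hosts = set(site_hosts)
        self.session_cookie = session_cookie          # constructed cookie name
        self.issued_sessions = set()                  # session IDs seen in application responses

    def _directory(self, url):
        """Longest worm-protected directory that is a prefix of the URL, or None."""
        matches = [d for d in self.mode if url.startswith(d)]
        return max(matches, key=len) if matches else None

    def switch(self, directory, mode):
        """Manual learn/protect switch, as the Switch to Learn/Protect button does."""
        if mode not in ("learn", "protect"):
            raise ValueError(mode)
        self.mode[directory] = mode

    def note_issued_session(self, session_id):
        """Record a session ID the application assigned in a response."""
        self.issued_sessions.add(session_id)

    def inspect(self, url, host, cookies):
        """Return 'allow', 'learn' or 'block' for one request."""
        directory = self._directory(url)
        if directory is None:
            return "allow"                            # not a worm-protected directory
        if self.mode[directory] == "learn":
            self.learned_urls[directory].add(url)     # record URLs the application really uses
            return "learn"
        if url in self.learned_urls[directory]:
            return "allow"                            # legitimately used by the application
        if host in self.site_hosts:
            return "allow"                            # legitimate Host value: not blocked
        if cookies.get(self.session_cookie) in self.issued_sessions:
            return "allow"                            # legitimate session ID: not blocked
        return "block"                                # unknown URL, no Host, no session: worm probe


def build_sample_defender():
    """Constructed configuration: three default-style directories, one site host."""
    return WormDefender(["/scripts/", "/_vti_bin/", "/cgi-bin/"], ["www.example.com"])


if __name__ == "__main__":
    wd = build_sample_defender()
    print(wd.inspect("/cgi-bin/app.cgi", "www.example.com", {}))       # learn
    wd.switch("/cgi-bin/", "protect")
    print(wd.inspect("/cgi-bin/app.cgi", "10.0.0.7", {}))              # allow (learned)
    print(wd.inspect("/cgi-bin/formmail.pl", "10.0.0.7", {}))          # block
```

The first call shows why the learning period matters: while a directory is in learn mode, every URL under it is recorded as legitimate, so a directory should only be switched to protect once AppXcel WAF has seen representative application traffic for it.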


Profile Violation Rules


AppXcel WAF builds a Dynamic Profile of the Web traffic and compares incoming and outgoing HTTP traffic against the learned profile. Any deviation from the profile generates a Profile Violation. This section allows you to enable and take actions on profile violations. The upper pane presents a list of the violations and their actions; the lower pane presents a description of the violation and the configuration parameters for those violations that can be configured.

Figure 4-10 Profile Violation Rules Window

This window presents the following fields:
Profile Violation Rules: List of available violations. See below for a description of available violations.
Enable: Enables the action.
Alert: Choose the alert severity generated by the security event: Informative / Low / Medium / High.
Immediate Action: None: No immediate action is taken. Block: AppXcel WAF immediately drops the packet that contains the violating HTTP message.
Followed Actions: Drop-down list of Action Policies (see Configuring Action Policies, page 4-4). If no action policies are defined, the list is empty.

The following profile violations are supported for Web server groups:

Cookie Tampering: AppXcel WAF learns which cookies are protected and which are ignored (see the section on learning and profiling cookies for more information). A protected cookie is a cookie whose value, as assigned by the Web application, AppXcel WAF can always trace. The value of a protected cookie must remain fixed and not be altered by the user's browser. For protected cookies, AppXcel WAF traces and stores the values assigned to them by the Web application during the entire user session. If a browser sends a protected cookie to the Web application with a different value than what was assigned by the Web application, AppXcel WAF invokes the Cookie Tampering violation.

Cookie Injection: AppXcel WAF learns which cookies are protected and which are ignored. A protected cookie is a cookie whose value, as assigned by the Web application, AppXcel WAF can always trace. The value of a protected cookie must remain fixed and not be altered by the user's browser. AppXcel WAF traces and remembers all protected cookies assigned by the Web application to each session. If a browser sends to the Web application a protected cookie which was not assigned to it by the Web application, AppXcel WAF invokes the Cookie Injection violation.

Custom Policy Rules: Custom policy rules allow you to generate alerts and optionally block traffic based on specific attributes of the HTTP request.

Reuse of Expired Sessions Cookies: When the user sends an HTTP request with an expired session, the Web server forces the user's browser to accept a new session identifier. This is a rather common scenario: for example, when the user leaves the browser open on a specific site for a few hours and after returning continues to browse the same site, it is likely that the original session has expired and the Web application forces the browser to accept a new session identifier. This violation is invoked if, after receiving the new session identifier, the user's browser continues to send protected cookies and protected cookies' values that were assigned to the expired session. This is a security event, as neither AppXcel WAF nor the application can tell whether these protected cookies were actually assigned to the browser by the Web application or were maliciously injected by the user, because the session expired together with all the relevant information. Note that as some applications allow this type of behavior, enabling this violation may lead to false positives. These false positives indicate a bad coding practice and most likely a security breach which needs to be fixed.

Parameter Value Length Violation: For each parameter, AppXcel WAF learns, using statistical algorithms, the minimum and maximum length of the parameter. During Protect Mode, AppXcel WAF checks all parameter values against the learned profile. If the parameter length exceeds the learned lengths, AppXcel WAF invokes this violation.

Parameter Unknown: AppXcel WAF learns the names of all parameters used by each URL. During Protect Mode, AppXcel WAF checks that each URL includes only the learned parameter names. If a URL includes a parameter name which is not part of the profile, AppXcel WAF invokes this violation.

Required Parameter Not Found: AppXcel WAF learns the names of all parameters used by each URL. For each parameter, AppXcel WAF learns whether it is required or not (i.e. must be included, or optional). During Protect Mode, if a required parameter is missing, AppXcel WAF invokes this violation.

Parameter Type Violation: For each parameter, AppXcel WAF learns the type of the parameter. For example, AppXcel WAF can learn that a certain parameter's values consist only of numbers. During Protect Mode, if a certain parameter value does not match the learned types, AppXcel WAF invokes this violation.

Parameter Read Only Violation: AppXcel WAF learns which parameters are hidden parameters or embedded links whose values are set by the Web server and not changed manually by the user. During Protect Mode, AppXcel WAF traces the values that were set by the Web server and, if the user manually altered a value, AppXcel WAF invokes this violation. Note: The Parameter Read Only Violation must be enabled during learn mode in order for AppXcel WAF to learn which parameters are read-only. Currently this is the only violation that needs to be enabled during learn mode in order for AppXcel WAF to learn its behavior.


Unauthorized URL Access: It is possible for the AppXcel WAF administrator to lock directories in the Web profile (see the Web profile section on locking directories). AppXcel WAF invokes this violation when someone tries to access a URL which is not listed in the profile and is part of a locked directory. Note that when someone tries to access a URL which is not listed in the profile and is not part of a locked directory, AppXcel WAF either ignores this request (in case the URL does not really exist on the Web application) or starts learning it (in case this URL does exist on the Web application).

Unauthorized Method for Known URL: AppXcel WAF builds a profile of all allowed URLs. For each allowed URL, the profile includes the methods allowed with that URL (e.g. GET, POST, HEAD). AppXcel WAF invokes this violation if, during Protect Mode, a known URL is sent with an unknown method.

Too Many of the Same Response Code: During Protect Mode, AppXcel WAF counts the number of HTTP responses with the 200, 302, 304, 500, 400, 404, and 403 response codes. AppXcel WAF counts these responses for each session identifier and for each IP address that accesses the Web application. AppXcel WAF also counts these responses for all sources (i.e. all IP addresses) that access the Web application. If the number of responses for any of these sources exceeds the policy limit, AppXcel WAF generates this violation. You can control the policy limit by editing the table on the lower panel. The numbers in the table represent the maximum number of allowed responses of a specific code per five minutes. If, for example, you place 100 in the Session/500 cell, it means that AppXcel WAF generates this violation for each session identifier that generates more than 100 HTTP 500 response codes. Click Save after editing the table.
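To make the learn/protect split concrete, the following is an added example (not AppXcel WAF code) that builds a per-URL parameter profile from learning traffic and then raises the Parameter Value Length, Parameter Type, Parameter Unknown, Required Parameter Not Found, Unauthorized Method for Known URL and Unauthorized URL Access violations described above. The learning rule used here (observed min/max length, a three-level type ladder, "required" meaning present in every learned request, and locked directories as a set of path prefixes) is an assumption; the page does not publish the product's statistical algorithms. The learning traffic is constructed.

```python
"""Parameter profiling in the style of the profile violations described above.
Added illustration, not AppXcel WAF code. Assumptions: min/max length and the
type ladder are learned from observed values only, a parameter is 'required'
when every learned request of the URL carried it, and locked directories are
given as path prefixes."""
from collections import defaultdict

TYPE_RANK = {"numeric": 0, "alphanumeric": 1, "any": 2}


def value_type(value):
    """Narrowest type on the ladder that fits the value."""
    if value.isdigit():
        return "numeric"
    if value.isalnum():
        return "alphanumeric"
    return "any"


class ParameterProfile:
    def __init__(self, locked_dirs=()):
        self.params = defaultdict(dict)      # url -> name -> {"min", "max", "type", "seen"}
        self.methods = defaultdict(set)      # url -> methods seen during learning
        self.requests = defaultdict(int)     # url -> number of learned requests
        self.locked_dirs = tuple(locked_dirs)

    def learn(self, method, url, params):
        """Learn mode: widen the URL's profile with one observed request."""
        self.requests[url] += 1
        self.methods[url].add(method)
        for name, value in params.items():
            p = self.params[url].get(name)
            if p is None:
                self.params[url][name] = {"min": len(value), "max": len(value),
                                          "type": value_type(value), "seen": 1}
                continue
            p["min"] = min(p["min"], len(value))
            p["max"] = max(p["max"], len(value))
            if TYPE_RANK[value_type(value)] > TYPE_RANK[p["type"]]:
                p["type"] = value_type(value)       # widen the type, never narrow it
            p["seen"] += 1

    def is_required(self, url, name):
        """Required = present in every learned request of this URL."""
        return self.params[url][name]["seen"] == self.requests[url]

    def check(self, method, url, params):
        """Protect mode: return the profile violations raised by one request."""
        if url not in self.params:
            # Unknown URL: a violation only inside a locked directory, otherwise ignored or learned
            if any(url.startswith(d) for d in self.locked_dirs):
                return ["Unauthorized URL Access"]
            return []
        found = []
        if method not in self.methods[url]:
            found.append("Unauthorized Method for Known URL")
        learned = self.params[url]
        if any(name not in params and self.is_required(url, name) for name in learned):
            found.append("Required Parameter Not Found")
        for name, value in params.items():
            p = learned.get(name)
            if p is None:
                found.append("Parameter Unknown")
                continue
            if not p["min"] <= len(value) <= p["max"]:
                found.append("Parameter Value Length Violation")
            if TYPE_RANK[value_type(value)] > TYPE_RANK[p["type"]]:
                found.append("Parameter Type Violation")
        return list(dict.fromkeys(found))


def build_sample_profile():
    """Constructed learning traffic for one URL (not captured data): /search with q and page."""
    prof = ParameterProfile(locked_dirs=("/admin/",))
    for q, page in (("shoes", "1"), ("red boots", "12"), ("hat", None)):
        params = {"q": q} if page is None else {"q": q, "page": page}
        prof.learn("GET", "/search", params)
    return prof


if __name__ == "__main__":
    prof = build_sample_profile()
    print(prof.check("GET", "/search", {"q": "socks", "page": "abc"}))
    print(prof.check("GET", "/search", {"page": "2", "debug": "1"}))
```

After the three learning requests, q is required (seen in all three) with length 3 to 9 and type "any", while page is optional, numeric and 1 to 2 characters long; a page value of "abc" therefore raises both the length and the type violation, which is the behaviour the Parameter Value Length and Parameter Type descriptions above specify.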
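The Too Many of the Same Response Code violation above counts responses per session identifier, per IP address and for all sources within a five-minute window. The following added example (not AppXcel WAF code) implements that counting with a sliding window; the window length and the set of tracked codes are the page's, while the limits table and the event stream are constructed, and whether the product uses a sliding or a fixed five-minute window is not stated on the page.

```python
"""Sliding-window counting in the style of 'Too Many of the Same Response Code'.
Added illustration, not AppXcel WAF code. The five-minute window and tracked
codes come from the page; the limits table is constructed, and a sliding window
(rather than fixed five-minute buckets) is an assumption made here."""
from collections import defaultdict, deque

WINDOW_SECONDS = 300                                   # page: "per five minutes"
TRACKED_CODES = {200, 302, 304, 500, 400, 404, 403}    # page's list of counted codes


class ResponseCodeCounter:
    def __init__(self, limits):
        # limits[(scope, code)] -> max responses per window; scope is "session", "ip" or "all"
        self.limits = limits
        self.stamps = defaultdict(deque)               # (scope, key, code) -> timestamps in window

    def record(self, ts, ip, session_id, code):
        """Count one response; return the (scope, key) pairs that exceeded their limit."""
        if code not in TRACKED_CODES:
            return []
        exceeded = []
        for scope, key in (("session", session_id), ("ip", ip), ("all", "*")):
            if key is None:                            # e.g. a request without a session cookie
                continue
            q = self.stamps[(scope, key, code)]
            q.append(ts)
            while q[0] <= ts - WINDOW_SECONDS:         # drop stamps older than the window
                q.popleft()
            limit = self.limits.get((scope, code))
            if limit is not None and len(q) > limit:
                exceeded.append((scope, key))
        return exceeded


def simulate():
    """Constructed event stream: one session producing HTTP 500s, then a burst of 404s from its IP."""
    counter = ResponseCodeCounter({("session", 500): 3, ("ip", 404): 5, ("all", 500): 1000})
    hits = []
    for ts in (0, 10, 20, 30):                         # the 4th 500 inside the window trips Session/500
        hits.append(counter.record(ts, "10.0.0.5", "sess-abc", 500))
    hits.append(counter.record(400, "10.0.0.5", "sess-abc", 500))   # earlier stamps have aged out
    for ts in range(500, 560, 10):                     # six 404s in 60 s trips IP/404
        hits.append(counter.record(ts, "10.0.0.5", None, 404))
    return hits


if __name__ == "__main__":
    for i, hit in enumerate(simulate()):
        print(i, hit)
```

The limits dictionary plays the role of the table on the lower panel: the Session/500 cell from the page's own example corresponds to the key ("session", 500). Sources without a session cookie are only counted under the IP and all-sources scopes, which is why the 404 burst is attributed to the address rather than to a session.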

The following profile violations are available for Web servers that provide XML-based or SOAP services:

Unauthorized SOAP Action: AppXcel WAF learns and builds a profile of all allowed SOAP actions for each URL. AppXcel WAF invokes this violation if the URL is accessed with a SOAP action not listed in the profile.

XML Element/Attribute Value Length Violation: For each XML-based URL, AppXcel WAF learns and builds a profile of XML elements and XML attributes that have values in them. For each value AppXcel WAF learns, using statistical algorithms, the minimum and maximum length of the value. During Protect mode, AppXcel WAF checks all XML values against the learned profile. If the value length exceeds the learned lengths, AppXcel WAF invokes this violation.

XML Element/Attribute Value Type Violation: For each XML-based URL, AppXcel WAF learns and builds a profile of XML elements and XML attributes that have values in them. For each value AppXcel WAF learns the type of the value. For example, AppXcel WAF can learn that a certain XML value consists of numbers only. During Protect mode, if a certain XML value does not match the learned types, AppXcel WAF invokes this violation.

Required XML Element/Attribute Not Found: For each XML-based URL, AppXcel WAF learns and builds a profile of XML elements and XML attributes that have values in them. For each XML element or attribute, AppXcel WAF learns whether it is mandatory or optional. During Protect mode, if a mandatory XML element or attribute is missing, AppXcel WAF invokes this violation.

Unknown XML Element/Attribute: For each XML-based URL, AppXcel WAF learns and builds a profile of XML elements and XML attributes that have values in them. During Protect mode, AppXcel WAF checks that each URL includes only the learned XML value names. If a URL includes a value name which is not part of the profile, AppXcel WAF invokes this violation.

SOAP Access to a Non-SOAP URL: If an HTTP request includes a SOAP message but the URL was not profiled as a SOAP-enabled URL, AppXcel WAF invokes this violation.

Non-SOAP Access to a SOAP-Only URL: If an HTTP request does not include a SOAP message but the URL was profiled as only being accessed through SOAP, AppXcel WAF invokes this violation.
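As an added example (not AppXcel code), the learn-then-enforce model behind the four XML value violations above: learn mode records, per element or attribute that carries a value, its minimum and maximum length, whether every observed value was numeric, and whether it appeared in every sample; protect mode then names the violation. Plain min/max replaces the product's statistical learning, and the order documents are constructed.

```python
"""Learn-mode profile and Protect-mode checks for XML element/attribute values.

Added example, not AppXcel code. It simplifies the product's statistical
length learning to a plain min/max and uses constructed sample documents.
"""
import xml.etree.ElementTree as ET

LEARN_DOCS = [   # constructed learn-mode traffic for one XML-based URL
    '<Order id="1001"><Item>widget</Item><Qty>2</Qty><Note>gift</Note></Order>',
    '<Order id="1002"><Item>gadget</Item><Qty>10</Qty></Order>',
    '<Order id="1003"><Item>gizmo</Item><Qty>7</Qty><Note>rush</Note></Order>',
]
ATTACK_DOC = ('<Order id="1004"><Item>' + "A" * 600 + '</Item>'
              '<Qty>abc</Qty><Extra>x</Extra></Order>')
MISSING_DOC = '<Order id="1005"><Item>widget</Item></Order>'


def _values(doc):
    """Yield (name, value) for every element text and attribute that has a value."""
    root = ET.fromstring(doc)
    for el in root.iter():
        tag = el.tag.split("}")[-1]                 # strip any namespace
        if el.text and el.text.strip():
            yield tag, el.text.strip()
        for attr, val in el.attrib.items():
            yield f"{tag}@{attr.split('}')[-1]}", val


class XmlProfile:
    def __init__(self):
        self.fields = {}     # name -> {"min", "max", "numeric", "seen"}
        self.samples = 0

    def learn(self, doc):
        """Learn mode: fold one observed request body into the profile."""
        self.samples += 1
        present = set()
        for name, val in _values(doc):
            present.add(name)
            f = self.fields.setdefault(
                name, {"min": len(val), "max": len(val), "numeric": True, "seen": 0})
            f["min"] = min(f["min"], len(val))
            f["max"] = max(f["max"], len(val))
            f["numeric"] = f["numeric"] and val.isdigit()
        for name in present:
            self.fields[name]["seen"] += 1

    def mandatory(self, name):
        """A field present in every learned sample is treated as mandatory."""
        return self.fields[name]["seen"] == self.samples

    def check(self, doc):
        """Protect mode: return (violation name, field name) pairs for one request."""
        violations, seen = [], set()
        for name, val in _values(doc):
            seen.add(name)
            f = self.fields.get(name)
            if f is None:
                violations.append(("Unknown XML Element/Attribute", name))
                continue
            if not f["min"] <= len(val) <= f["max"]:
                violations.append(("XML Element/Attribute Value Length Violation", name))
            if f["numeric"] and not val.isdigit():
                violations.append(("XML Element/Attribute Value Type Violation", name))
        for name in self.fields:
            if self.mandatory(name) and name not in seen:
                violations.append(("Required XML Element/Attribute Not Found", name))
        return violations


def build_profile(docs=LEARN_DOCS):
    profile = XmlProfile()
    for doc in docs:
        profile.learn(doc)
    return profile


if __name__ == "__main__":
    p = build_profile()
    for v in p.check(ATTACK_DOC) + p.check(MISSING_DOC):
        print(*v)
```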

Custom Policy Rules


Custom policy rules allow you to generate alerts and optionally block traffic based on specific attributes of the HTTP request. Custom policy rules are manually configured and provide the power to perform operations that are not available through profile and protocol violation rules. For example, using custom policy rules you can limit access to specific URLs and directories based on the source IP address. You can also restrict the permitted HTTP headers, user agents (browsers), and more. You can define as many custom policy rules as you want. However, each rule you define influences performance. Thus it is recommended to perform most operations using profile and protocol violations and to use custom policy rules only for operations that are impossible to perform using the profile or protocol violations. When the HTTP request/response matches a certain custom policy rule, AppXcel WAF invokes the "Custom Policy Rule" violation. Note that the same violation is invoked for all custom policy rules. The Custom Policy Rule violation appears in the list of profile violations, although it is not really a profile violation.
You configure the Custom Policy Rules violation the way you configure any other profile violation, by setting the enable, alert level, immediate action, and followed action fields. Note that these fields are common to all custom violations that you define.

To define a new custom policy rule, or to edit or delete an existing rule:
1. Access the Custom Policy Rules violation in the Profile violations section.
2. Click the click here link in the bottom panel of the Custom Policy Rules violation. The custom policy rules popup appears as displayed in Figure 4-11.

Figure 4-11 Custom Policy Rules

3. To define a new custom policy rule:
   a. Click Add.
   b. Enter the rule's name (a description of the rule).
   c. Select or un-select the Do not block checkbox. This checkbox overrides the Immediate action field of the Custom Policy Rules violation. If the Immediate Action field is set to block, all custom policy rules invoke the immediate block action except for those with the Do not block checkbox selected.
   d. Click Save. The rule is now created and you can edit its attributes to define the checks to perform.
4. To delete an existing rule:
   a. Select the rule by checking the checkbox to the left of the rule's name.
   b. Click Delete.
5. To edit an existing rule's attributes:
   a. Enter values for the attributes you want to be included in this rule. For each required attribute, select one of the available operations: =, <>, = (All), = (Any), <> (All), <> (Any).
   b. Click Save.

Available attributes for Web server groups:

Source IP: The HTTP request source IP. Select one of the available IP groups (see Appendix A for information about IP groups). To invoke this rule on HTTP requests that originate from this IP group select the "=" operator. To invoke this rule on HTTP requests that do not originate from this IP group select the "<>" operator. To ignore this attribute select "None".

Host Name: The HTTP request host name. Enter a single host name or a list of host names separated by commas. To invoke this rule on HTTP requests that target one of the host names on the list select the "= (Any)" operator. To invoke this rule on HTTP requests that do not target any of the host names on this list select the "<> (Any)" operator. To ignore this attribute leave this field empty.

URL Prefix: The HTTP request's exact URL or prefix. Enter a single URL prefix or a list of prefixes separated by commas. To invoke this rule on HTTP requests that target any of the prefixes in the list select the "= (Any)" operator. To invoke this rule on HTTP requests that do not target any of the prefixes in this list select the "<> (Any)" operator. To ignore this attribute leave this field empty.

Methods: The HTTP methods (for example GET or POST). Enter a single method or a list of methods separated by commas. To invoke this rule on HTTP requests that include any of the methods in the list select the "= (Any)" operator. To invoke this rule on HTTP requests that do not include any of the methods in the list select the "<> (Any)" operator. To ignore this attribute leave this field empty.

Services: The service used for this connection. Select HTTP, HTTPS, or both. To invoke this rule on requests that include one of the selected services select the "= (Any)" operator. To invoke this rule on requests that do not include any of the selected services select the "<> (Any)" operator. To ignore this attribute leave this field empty.

Session: Whether AppXcel WAF identified a session identifier on this request, and whether this session was validated by AppXcel WAF or not. A validated session is a session where AppXcel WAF noted the application assigning it. Select one of the three options, or None to ignore this attribute. For HTTP requests that match your selection, select the "=" operator. For HTTP requests that do not match your selection, select the "<>" operator.

Request Headers: The HTTP header names on the request. Enter a single header name or a list of headers separated by commas. To invoke this rule on HTTP requests that include any of the headers on the list select the "= (Any)" operator. To invoke this rule on HTTP requests that do not include any of the headers in the list, select the "<> (Any)" operator. To ignore this attribute leave this field empty.

Response Headers: This is the same as "Request Headers" but applies to the HTTP response only.

Parameters: The URL parameter names in this request. Enter a single parameter name or a list of names separated by commas. To invoke this rule on HTTP requests that include any of the parameter names in the list select the "= (Any)" operator. To invoke this rule on HTTP requests that do not include any of the parameter names in the list select the "<> (Any)" operator. To ignore this attribute leave this field empty.

File Types: The URL file type (for example .asp). Enter a single file type or a list of file types separated by commas. To invoke this rule on HTTP requests that include any of the file types in the list select the "= (Any)" operator. To invoke this rule on HTTP requests that do not include any of the file types in the list select the "<> (Any)" operator. To ignore this attribute leave this field empty.

User-Agent: The value of the User-Agent HTTP header. The User-Agent header identifies the type of browser used. Enter a single agent name or a list of agents separated by commas. To invoke this rule on HTTP requests that include any of the agents in the list select the "= (Any)" operator. To invoke this rule on HTTP requests that do not include any of the agents in the list select the "<> (Any)" operator. To ignore this attribute leave this field empty.

Content Types: The value of the Content-Type HTTP header. Enter a single content type (for example "text/plain") or a list of types separated by commas. To invoke this rule on HTTP requests that include any of the types in the list select the "= (Any)" operator. To invoke this rule on HTTP requests that do not include any of the types in the list select the "<> (Any)" operator. To ignore this attribute leave this field empty.

Accept Language: The value of the Accept-Language HTTP header. Enter a single accepted language or a list of accepted languages separated by commas. To invoke this rule on HTTP requests that include any of the accepted languages in the list select the "= (Any)" operator. To invoke this rule on HTTP requests that do not include any of the accepted languages in the list select the "<> (Any)" operator. To ignore this attribute leave this field empty.

Referrer Hostname: The hostname in the value of the Referrer HTTP header (for example www.radware.com). Enter a single hostname or a list of host names separated by commas. To invoke this rule on HTTP requests that include any of the host names in the list select the "= (Any)" operator. To invoke this rule on HTTP requests that do not include any of the host names in the list select the "<> (Any)" operator. To ignore this attribute leave this field empty.

Referrer Hostname (profiled): The hostname in the value of the Referrer HTTP header (for example www.radware.com). Select "Profiled Hostnames" for all hostnames that are part of this server group's profile. To invoke this rule on HTTP requests that include any of the profiled host names select the "= (Any)" operator. To invoke this rule on HTTP requests that do not include any of the profiled host names select the "<> (Any)" operator. To ignore this attribute leave this field empty.

Referrer URL Prefix: The URL prefix value of the Referrer HTTP header (for example www.radware.com/home/dynamic). Enter a single prefix or a list of prefixes separated by commas. To invoke this rule on HTTP requests that include any of the prefixes in the list select the "= (Any)" operator. To invoke this rule on HTTP requests that do not include any of the prefixes in the list select the "<> (Any)" operator. To ignore this attribute leave this field empty.

Violations: Profile, protocol, firewall, and signature violations that were invoked on this HTTP request or response. Select one or more violations from the available list of violations. To invoke this rule on HTTP requests that include all of the violations you chose, select the "= (All)" operator. To invoke this rule on HTTP requests that include any of the violations you chose, select the "= (Any)" operator. To invoke this rule on HTTP requests that do not include any of the selected violations, select the "<> (Any)" operator. To ignore this attribute leave this field empty.

Note: When selecting multiple attributes in a single rule, the AND operator is used between the selected attributes. For example, if you enter a specific URL prefix and then a list of HTTP headers, the rule is invoked only if both the URL prefix and the headers match the values in the rule.
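To make the operator semantics and the AND between attributes concrete, here is an added example (not AppXcel code) that evaluates custom policy rules against a request: the =, <>, = (Any), = (All), <> (Any) and <> (All) operators, prefix matching for URL Prefix, and the Do not block checkbox overriding a violation-wide immediate block action. The rules, the IP group and the requests are constructed.

```python
"""Evaluator for custom policy rule attributes and operators.

Added example, not AppXcel code. Rules, the IP group and the requests are
constructed for illustration.
"""

PREFIX_ATTRS = {"URL Prefix", "Referrer URL Prefix"}    # matched as prefixes


def _as_set(value):
    """Normalise None, a comma-separated string or a sequence into a set."""
    if not value:
        return set()
    if isinstance(value, str):
        return {v.strip() for v in value.split(",") if v.strip()}
    return set(value)


def attribute_matches(attr, op, configured, observed):
    """Apply one operator; `configured` is the rule value, `observed` the request's."""
    cfg = _as_set(configured)
    if attr in PREFIX_ATTRS:
        # The request carries one URL; keep the configured prefixes it starts with.
        url = observed or ""
        obs = {p for p in cfg if url.startswith(p)}
    else:
        obs = _as_set(observed)
    if op == "=":            # e.g. Source IP belongs to the selected IP group
        return bool(obs) and obs <= cfg
    if op == "<>":
        return not (bool(obs) and obs <= cfg)
    if op == "= (Any)":
        return bool(cfg & obs)
    if op == "= (All)":
        return bool(cfg) and cfg <= obs
    if op == "<> (Any)":
        return not (cfg & obs)
    if op == "<> (All)":
        return not (cfg <= obs)
    raise ValueError(f"unknown operator {op!r}")


def rule_matches(rule, request):
    """All configured attributes are ANDed: one mismatch and the rule is out."""
    return all(attribute_matches(attr, op, value, request.get(attr))
               for attr, (op, value) in rule["attributes"].items())


def evaluate(rules, request, immediate_action="block"):
    """Return (names of matching rules, whether an immediate block applies)."""
    matched = [r for r in rules if rule_matches(r, request)]
    block = immediate_action == "block" and any(
        not r.get("do_not_block", False) for r in matched)
    return [r["name"] for r in matched], block


OFFICE_IP_GROUP = ("198.51.100.10", "198.51.100.11")    # constructed IP group
RULES = [
    {"name": "Admin area from outside the office", "do_not_block": False,
     "attributes": {"URL Prefix": ("= (Any)", "/admin,/manage"),
                    "Source IP": ("<>", OFFICE_IP_GROUP)}},
    {"name": "Upload with unexpected content type", "do_not_block": True,
     "attributes": {"Methods": ("= (Any)", "POST,PUT"),
                    "Content Types": ("<> (Any)",
                                      "application/x-www-form-urlencoded,multipart/form-data")}},
]
REQUESTS = [   # constructed requests, reduced to the attributes the rules use
    {"Source IP": "203.0.113.5", "URL Prefix": "/admin/users",
     "Methods": "POST", "Content Types": "text/plain"},
    {"Source IP": "198.51.100.10", "URL Prefix": "/admin/users",
     "Methods": "GET", "Content Types": ""},
    {"Source IP": "203.0.113.9", "URL Prefix": "/shop",
     "Methods": "PUT", "Content Types": "application/json"},
]


def demo():
    return [evaluate(RULES, req) for req in REQUESTS]


if __name__ == "__main__":
    for req, (names, block) in zip(REQUESTS, demo()):
        print(req["URL Prefix"], names, "block" if block else "alert only")
```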

Correlation Rules
AppXcel WAF includes a correlation engine that correlates different types of security events over time. Correlation rules come as part of the AppXcel WAF software. Each correlation rule correlates different types of events and variables to detect different types of attacks. Correlation rules allow accurate detection and a low false positive rate as they rely on a sequence of security events and not on a single event. You can enable and disable correlation rules and set the action policy that follows this event. The upper pane of the Correlation Rules Window presents a list of the rules and their actions; the lower pane presents a description of the rule and its configuration, as relevant.

Figure 4-12 Correlation Rules Window

This window presents the following fields:
Correlation Rule: List of correlation rules. See below for a description of the available rules.
Enable: Enables the action.
Alert: Choose the alert severity generated by this security event: Informative / Low / Medium / High.
Followed Actions: Drop-down list of Action Policies (see Configuring Action Policies, page 4-4). If no action policies are defined, the list is empty.

The following correlation rules are available:

Suspected Buffer Overflow Attack (Long Parameter Invokes Bad Reply): A correlation rule that detects buffer overflow attacks. This rule examines HTTP requests that invoked a Parameter Value Length profile violation. This rule is invoked if the length of the exceeding parameter value is longer than 512 bytes and the HTTP response either indicates an HTTP error code or generates a signature violation.

Suspected Parameter Tampering Attack (Repeated Required Parameter Not Found Violation): A correlation rule that detects parameter tampering attacks. This rule is invoked if a sequence of at least five Required Parameter Not Found protocol violations for the same URL were invoked during a five minute time period. Each event occurs within one minute of the preceding event. All violations are associated with the same source IP address.

Suspected Parameter Tampering Attack (Repeated Parameter Unknown): A correlation rule that detects parameter tampering attacks. This rule is invoked if a sequence of at least five Parameter Unknown protocol violations for the same URL were invoked during a five minute time period. Each event occurs within one minute of the preceding event. All violations are associated with the same source IP address.

Suspected Parameter Tampering Attack (Repeated Parameter Value Length Violations): A correlation rule that detects parameter tampering attacks. This rule is invoked if a sequence of at least five Parameter Value Length Violation protocol violations for the same URL were invoked during a five minute time period. Each event occurs within one minute of the preceding event. All violations are associated with the same source IP address.

Suspected Parameter Tampering Attack (Parameter Violation Generates Error Code): A correlation rule that detects parameter tampering attacks. This rule is invoked if an HTTP request generates a parameter profile violation (Required Parameter Not Found, Parameter Unknown, Parameter Type, or Parameter Length) and the corresponding HTTP response indicates an HTTP error code.

Suspected Source Code Leakage (Code in Response Follows a Request Violation): A correlation rule that detects source code leakage from the Web site. This rule is invoked if an HTTP request includes a Source Code Leakage signature or is not part of the profile, and the corresponding HTTP response includes a Source Code Leakage signature.

Suspected Scanning Attack (Unprofiled URLs and Signatures): This rule detects scanning attacks, mainly automatic scanning tools. These tools generate a large amount of unprofiled URLs and signature violations. This rule is invoked if more than five unprofiled URLs combined with more than two HTTP signatures arrive from a common source IP address within three minutes.

Suspected Scanning Attack (Signatures and Parameter Value Length Violations): This rule detects scanning attacks, mainly automatic scanning tools. This rule is invoked if more than two Parameter Value Length profile violations combined with more than two HTTP signature violations arrive from a common source IP address within three minutes.

Malformed HTTP Attack (Non compatible HTTP): This rule detects protocol compliance attacks. This rule is invoked if a sequence of more than four HTTP requests within three minutes generates an HTTP protocol violation. The requests must have the same source IP address. The time between each consecutive request must be no more than one minute. When you click on this rule the lower panel presents a list of the protocol violations that participate in this rule. You can enable and disable these protocol violations by checking or unchecking the checkbox and clicking Save.

Malformed HTTP Attack (Non compatible HTTP Results Error code): This rule detects protocol compliance attacks. This rule is invoked if an HTTP request generates a protocol violation and the matching HTTP response indicates an HTTP error code. When you click on this rule the lower panel presents a list of the protocol violations that participate in this rule. You can enable and disable these protocol violations by checking or unchecking the checkbox and clicking Save.

Malformed HTTP Attack (Non compatible HTTP With Signature): This rule detects protocol compliance attacks. This rule is invoked if a single HTTP request generates a protocol violation together with a signature violation. When you click on this rule the lower panel presents a list of protocol violations that participate in this rule. You can enable and disable these protocol violations by checking or unchecking the checkbox and clicking Save.

Suspected Cookie Poisoning (Consecutive Cookie Tampering/Cookie Injection): This rule detects cookie brute force attacks in which the attacker alters cookie values that were set by the Web application. This rule is invoked if a sequence of at least two Cookie Injection or Cookie Tampering violations (according to either IP address or session) are generated within three minutes, from the same IP address and associated with the same URL.
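The two shapes of correlation rule described above, as an added example that is not AppXcel code: a sequence rule (at least N events of one violation for the same source IP and URL inside a window, each within a maximum gap of the preceding one, as in the Repeated Parameter Unknown rule) and a combination rule (counts of several violations from one source IP exceeding per-violation thresholds inside a window, as in the Unprofiled URLs and Signatures scanning rule). The event stream, addresses and URLs are constructed.

```python
"""Two correlation rule shapes: a timed sequence and a windowed combination.

Added example, not AppXcel code. Thresholds follow the rule descriptions
on this page; the event stream below is constructed.
"""
from collections import defaultdict, deque


class SequenceRule:
    """Fires when `min_events` events of `violation` for one (source IP, URL)
    fall inside `window` seconds with at most `max_gap` seconds between
    consecutive events. A longer gap starts the chain over."""

    def __init__(self, name, violation, min_events=5, window=300, max_gap=60):
        self.name, self.violation = name, violation
        self.min_events, self.window, self.max_gap = min_events, window, max_gap
        self._chains = defaultdict(deque)      # (ip, url) -> timestamps in chain

    def feed(self, event):
        if event["violation"] != self.violation:
            return None
        chain, ts = self._chains[(event["ip"], event["url"])], event["ts"]
        if chain and ts - chain[-1] > self.max_gap:
            chain.clear()                      # gap too long: new chain
        chain.append(ts)
        while chain and ts - chain[0] > self.window:
            chain.popleft()                    # keep the five-minute window
        if len(chain) >= self.min_events:
            chain.clear()                      # report once, then restart
            return (self.name, event["ip"], event["url"])
        return None


class ComboRule:
    """Fires when, within `window` seconds from one source IP, every listed
    violation has been seen more than its threshold number of times."""

    def __init__(self, name, thresholds, window=180):
        self.name, self.thresholds, self.window = name, thresholds, window
        self._events = defaultdict(lambda: defaultdict(deque))   # ip -> viol -> ts

    def feed(self, event):
        viol, ts = event["violation"], event["ts"]
        if viol not in self.thresholds:
            return None
        per_ip = self._events[event["ip"]]
        per_ip[viol].append(ts)
        for q in per_ip.values():
            while q and ts - q[0] > self.window:
                q.popleft()
        if all(len(per_ip[v]) > n for v, n in self.thresholds.items()):
            self._events.pop(event["ip"])      # report once per burst
            return (self.name, event["ip"], None)
        return None


def run(rules, events):
    """Replay events in time order through every rule; return what fired."""
    fired = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        for rule in rules:
            hit = rule.feed(ev)
            if hit:
                fired.append(hit)
    return fired


def make_rules():
    return [
        SequenceRule("Suspected Parameter Tampering Attack (Repeated Parameter Unknown)",
                     "Parameter Unknown", min_events=5, window=300, max_gap=60),
        ComboRule("Suspected Scanning Attack (Unprofiled URLs and Signatures)",
                  {"Unknown URL": 5, "HTTP Signature": 2}, window=180),
    ]


def _ev(ts, ip, violation, url="/login"):
    return {"ts": ts, "ip": ip, "violation": violation, "url": url}


# Constructed stream: a five-event tampering chain, a scanner burst, and a
# chain from a third address that breaks because of a 170 s gap.
EVENTS = (
    [_ev(t, "203.0.113.5", "Parameter Unknown") for t in (0, 20, 45, 70, 100)]
    + [_ev(t, "203.0.113.9", "Unknown URL", f"/p{t}") for t in range(120, 150, 5)]
    + [_ev(t, "203.0.113.9", "HTTP Signature", "/p") for t in (150, 155, 160)]
    + [_ev(t, "198.51.100.20", "Parameter Unknown") for t in (0, 30, 200, 230, 260)]
)


def demo():
    return run(make_rules(), EVENTS)


if __name__ == "__main__":
    for name, ip, url in demo():
        print(f"{name}: source {ip}" + (f", URL {url}" if url else ""))
```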

Section 4-4 Preventing Blocking of Specific IP Addresses


This section explains how to prevent blocking of specific IP addresses. Some IP addresses should never be blocked, for example the IP address of your Firewall or the IP address of your proxy server. AppXcel WAF allows you to configure a list of IP addresses that are never blocked, even if these IP addresses generate violations and alerts. It is recommended to add the IP address of your Firewall and of any reverse proxy you have in front of your Web applications to this list. Another common scenario for using this feature is when large portions of the access to your Web application go through specific proxy servers. In this case consider adding the IP addresses of these proxy servers to the list to prevent AppXcel WAF from blocking the entire proxy communication when one of the users generates alerts. In order to configure this feature you first define a new IP group and add all required IP addresses to this group. For more information on configuring IP groups see Appendix A. Once the IP group is defined you instruct AppXcel WAF to use this IP group in this feature.

To prevent blocking of an IP group:
1. Click Global Settings.
2. Select Non-Blockable IP Addresses on the left tree menu. The Non-Blockable IP Addresses Window appears, as displayed in Figure 4-13.

Figure 4-13 Non-Blockable IP Addresses

3. In the Non-Blockable IP Addresses window, select the Do not block this IP group checkbox.
4. Select the IP group from the drop-down list.
5. Click Save.

To remove this option:
1. Click Global Settings.
2. Select Non-Blockable IP Addresses on the left tree menu. The Non-Blockable IP Addresses Window appears, as displayed in Figure 4-13 above.
3. Clear the Do not block this IP group check box.
4. Click Save.

To change the list of unblocked IP addresses, edit the appropriate IP group; see Defining IP Groups.

Chapter 5 - Monitoring

This chapter describes how to monitor alerts, logs and Gateways in the AppXcel WAF Activity Console. This chapter includes the following sections:
Section 5-1: Activity Console, page 5-2
Section 5-2: Alerts, page 5-3
Section 5-3: Gateways, page 5-21
Section 5-4: Blocked Sources, page 5-24
Section 5-5: Reports, page 5-26
Section 5-6: System Log, page 5-35
Section 5-7: Notifications, page 5-37

Section 5-1 Activity Console


This section explains how the AppXcel WAF Activity Console enables you to monitor intrusion attempts (in the form of Alerts) and system and progress status (to make sure the system is working as expected). The Activity Console has its own section in the AppXcel WAF Interface and is accessed by its tab in the top tab bar.

Introduction
The AppXcel WAF Activity Console collects and displays the system's recorded activity, including the following information:
Alerts: AppXcel WAF saves the content of every alert generated.
Gateways: Basic information on Firewall status and statistics.
Blocked Sources: A list of all IP addresses and session IDs that are currently blocked. You can manually release currently blocked IPs and session IDs. The Currently Blocked Users Window includes a link to the Blocked Log. The Blocked Log is a list of all IP addresses and session IDs that were blocked during the last 72 hours.
Reports: AppXcel WAF has extensive report capabilities covering alerts, violations, attacking IPs, etc.
System Log: The AppXcel WAF Management Server log consists of information on each change to the product configuration, and important system events.

Section 5-2 Alerts


AppXcel WAF generates Alerts using the six detection engines: firewall, signature, protocol violation, Web worm, profile violation, and correlations. This section includes the following topics:
Reading Alerts, page 5-3
Browsing Monitored Events, page 5-10
Operations on Alerts, page 5-11
Additional View options, page 5-12
Browsing Alerts, page 5-13
Sorting Alerts, page 5-13
Filtering Alerts, page 5-15
Clearing the Alerts List, page 5-16
Clearing All Alerts that Match a Filter, page 5-16
Alert Aggregation, page 5-17

Reading Alerts
This section describes how to read the various Alerts, including those that can assist you in acknowledging automated profile updates and system violations.

To read alerts:
1. Click Activity Console.
2. Click Alerts in the left tree menu. The Alerts Window appears, as displayed in Figure 5-1.

Figure 5-1 Alerts Window

Note: Alerts in red are those that generated a block command. Block commands can be immediate or the result of an action policy that includes an IP or session block.

The following information is presented for each alert:

Alert Severity: Shown as an icon: Information, Low Severity, Medium Severity, or High Severity.

Mark: This field is manually set and allows you to mark specific alerts according to the following:
! Important Alert: Use it to mark important alerts that require further inspection.
Acknowledged Alert: Acknowledging an alert is useful for automated profile updates. If a certain alert is acknowledged, the Automated Profile Updates feature does not use it to update the profile. For example, if a certain new URL appears in a large group of URLs, the Automated Profile Update feature may add it to the profile. To avoid that, mark one of the alerts as acknowledged and the feature does not update the URL.
X Dismissed Alert: A dismissed alert is an alert that was reviewed and identified as a false positive by the operator.

No: Alert number. A unique number automatically assigned to each Alert.

Time: Date and time the Alert was generated.

Type: Alert type. One of the following options: Firewall, Signature, HTTP Worm, Protocol Violation, Profile Violation, Correlation. In addition, next to each of these type icons one or more of the following icons can appear: an icon indicating that this security event generated an immediate block command, and an icon indicating that this is an aggregated alert.

Source IP: The source IP address that generated the alert.

Server Group: The name of the destination server group.

Description: Alert description. Includes different information for different types of alerts:
Firewall: Blocked service name or port number
Signature: Signature name
Protocol violation: Violation name
Profile Violations: Violation name
Worms: URL accessed
Correlation rules: Correlation rule name

Note: You can click the Hide informative alerts button to hide informative alerts. To show informative alerts, click the Show informative alerts button.

Select an Alert to display its details in the bottom panel. The details depend on the type of alert:

All types:
Immediate Action: Blocked/None. Provides information on whether an immediate action was taken to block the connection.
Information regarding alert aggregation: whether this alert aggregates several alerts, the time aggregation started, the time it ended and the aggregation rule.
Followed Action policy name. If the Action Policy includes a Monitor action then a link "View Monitored Events" appears near the Action Policy's name.

Firewall Events:
Service name
Source Port
Destination Port
Protocol (TCP/UDP/ICMP)

Signature Events:
Full dump of the packet (for Snort-based dictionaries)
Full request and response code for HTTP signatures in Radware Web dictionaries

Protocol Violations:
Full HTTP request and response code

Profile Violations:
Full HTTP request and response code for HTTP violations

Worms:
URL and Method (e.g. GET, POST)

Correlation Rules:
Rule and description
The violations and information associated with each violation
For HTTP: the full HTTP requests and the response codes (URL, headers, parameters, cookies)

Three buttons may appear near each violation:

Add to Profile button: This button appears near Unknown URL and Untreatable Cookie profile violations. By clicking this button you can add the URL or the cookie to the profile. Use this button in case of false positives to immediately add the URL or cookie to the profile.

Knowledge Base button: This button appears near each violation description. By clicking the button you invoke the knowledge base. The knowledge base provides detailed information about the violation, the attacks associated with it, and false positive scenarios. The knowledge base is a great tool for learning more about application security and the suspected attack.

Show Signature button: This link appears near each Signature violation. It opens the signature Window, displaying the signature that caused the violation. (This button represents both Show Signature and View Profile, depending on the violation.)

View Profile button: This button appears near each Profile violation. It opens the Server Group > Profiles > Learned URLs window for viewing details on the selected Alert's URL.

Figure 5-2 Knowledge Base Window

Browsing Monitored Events


An Action Policy may include a monitor command. In this case a "Click to view monitored events" link appears near the policy name in the bottom panel, as displayed in Figure 5-3.

Figure 5-3 Link to Monitored Events Window

Click the link to view monitored events, as displayed in Figure 5-4.

Figure 5-4 Monitored Events Window

The window presents the first monitored event. Use the buttons in the top-right corner to browse monitored events.

Operations on Alerts
The following operations may be performed on a single Alert or a group of Alerts. Select the check box to the left of each Alert row to select an Alert or a group of Alerts.
Mark selected alerts as Acknowledged.
Mark selected alerts as Dismissed.
Mark selected alerts as Important.
Clear the field for the selected alerts.
Delete all alerts. If a filter is applied the button reads "Clear Filtered Alerts" and deletes only the filtered alerts.
Delete the selected alerts.

Additional View options


The following options for modifying the view appear on the Alert View Window:
Open the Alert viewer in a separate window.
Refresh the display.
Show informative alerts.
Hide informative alerts.
Open the Filter window.
Remove the Filter.
Open the Sort window.

Browsing Alerts
AppXcel WAF displays up to 200 alerts per page. You can browse the pages using the following options:
Go to the first page.
Present a list of the previous 5 pages.
Present a list of the next 5 pages.
Go to a specific page out of the 5 presented: click the relevant page number.
Set the number of alerts displayed on each page: select the number from the drop-down list.

Sorting Alerts
The advanced sort enables you to sort by parameters that do not appear in the Alert View: Type, Number, Severity and IP Address.

To perform advanced sorting on the alert view:
1. Click the sort button. The Advanced Sort window appears, as displayed in Figure 5-5.

Figure 5-5 Advanced Sort Window Box

2. To add a sort parameter:
   a. Select the field name from the drop-down list.
   b. Select the field's sort order, ascending or descending, from the drop-down list.
   c. Click Add.
   d. Repeat steps a to c to add all the fields according to which you want to sort. Add fields according to the sort order priority.
3. To remove a field from the list, click on the field's name and then click Remove.
4. Click Save to close the Window and execute the sort.

Filtering Alerts
AppXcel WAF enables the alert viewer to filter alerts according to their characteristics.

To filter Alerts:
1. Click the filter button. The filter window appears, as displayed in Figure 5-6.

Figure 5-6 Filter Window

The Filter window displays all the fields according to which you can filter alerts. Fill in the values for the fields according to which alerts are filtered. The viewer uses the AND operator between the fields if more than one field is filled. For example, if the Source IP is set to 200.200.200.100 and Alert type to Signatures, the viewer displays all signature alerts that originated from 200.200.200.100.

Note that you can select either = or <> for most fields. The viewer filters all alerts that are equal to the value entered when = is selected. The viewer filters all alerts that are not equal to the value entered when <> is selected.
2. Enter a date either in the following format: MMM DD, YYYY (e.g. Jun. 11, 2003), or click the (calendar) button and pick a date from a calendar window.
3. Click OK to execute the filter or Cancel to cancel. A filter can be removed by clicking the Clear Filter button.

Clearing the Alerts List


The following steps describe how to clear the entire Alerts List.

Note: Clearing the Alerts list is irreversible.

To delete the entire Alerts List:

1. Ensure no alert filter is applied.
2. Click Clear All Alerts. The Clear All Alerts window appears requesting confirmation.
3. Click OK to clear all alerts.

Clearing All Alerts that Match a Filter


The following steps describe how to clear all the alerts that match a particular filter.

Note: Clearing the Alerts list is irreversible.


To delete all alerts that match a certain filter:

1. In the Filter window, apply a filter.
2. In the Filter window, click Clear All Filtered Alerts. The Clear All Filtered Alerts window appears requesting confirmation.
3. Click OK to clear all the filtered alerts.

Alert Aggregation
To avoid alert storms, AppXcel WAF aggregates similar alerts into a single alert. An alert storm can occur when your servers are constantly attacked by the same type of attack, or when there is a false positive. An example of a false positive is when the firewall feature has been used to block a service that users require and many computers are trying to access that service. The alert aggregation mechanism handles multiple alerts in order to prevent thousands of similar alerts from being generated. Alert aggregation is enabled for all layers. Aggregation occurs according to the following rules:

Network Firewall Aggregation Rules
a. All Firewall alerts with the same source IP, destination server group, destination port and protocol are aggregated into a single alert. As these alerts are all similar, only the content of the first alert is presented.
b. All Firewall alerts with the same source IP, protocol (i.e. TCP, UDP) and destination server group are aggregated into a single alert. This rule aggregates Firewall alerts with different destination ports (for example a port scan). The first 100 distinct accessed ports are presented in the aggregated alert.
c. All Firewall alerts with the same destination server group, protocol (i.e. TCP, UDP) and destination port are aggregated into a single alert. This rule aggregates Firewall alerts that are generated when the sources are different but the destination port is the same. The first 20 distinct source IP addresses are presented in the alert.

Signature Aggregation Rules
a. All Signature alerts with the same session or source IP, the same destination server group, protocol and attack type are aggregated into a single alert. As these alerts are all very similar, only the content of the first alert is presented.
b. All Signature alerts with the same session or source IP and the same destination server group and protocol are aggregated into a single alert. This rule aggregates Signature alerts when different signatures originate from the same source (e.g. a scanner). The first 100 distinct signatures are presented in the alert.
c. All Signature alerts with the same destination server group, protocol and attack type are aggregated into a single alert. This rule aggregates similar Signature alerts generated by different sources. This type of aggregation could indicate a false positive or a widespread worm. The first 20 distinct sources are presented in the alert.

Worm Aggregation Rules
a. All Web Worm alerts with the same source IP, destination server group, HTTP host name, URL and HTTP method are aggregated into a single alert. As these alerts are all similar, only the content of the first alert is presented.
b. All Web Worm alerts with the same source IP and destination server group are aggregated into a single alert. This rule aggregates Worm alerts with different URLs that all originate from the same source (e.g. a URL guessing attack). The first 100 distinct URLs are presented in the alert.
c. All Web Worm alerts with the same destination server group, destination host name, URL and method are aggregated into a single alert. This rule aggregates Worm alerts that are generated by different sources yet all target the same URL. This could indicate a false positive (i.e. the URL exists but is not part of the profile) or a widespread worm. The first 20 distinct sources are presented in the alert.

Protocol Violation Alert Aggregation Rules
a. All protocol violation alerts with the same source IP or source session, the same destination server group, and the same violation type are aggregated into a single alert. As these alerts are all similar, only the content of the first alert is presented.
b. All protocol violation alerts with the same destination server group and the same violation type are aggregated into a single alert. This rule aggregates protocol violation alerts generated by different sources. The first 20 distinct sources are presented in the alert.

Cookie-related Profile Violation Alert Aggregation Rules
a. All cookie-related profile violation alerts with the same source IP or source session, the same destination server group, and the same cookie name are aggregated into a single alert. As these alerts are all similar, only the content of the first alert is presented.
b. All cookie-related profile violation alerts with the same destination server group and the same cookie name are aggregated into a single alert. This rule aggregates profile violation alerts generated by different sources but on the same cookie name. This could indicate a false positive (i.e. the cookie is not traceable) or a widespread attack. The first 20 distinct sources are presented.

Parameter-related Profile Violation Aggregation Rules
a. All parameter-related profile violation alerts with the same source IP or source session, the same destination server group, and the same HTTP host name, URL, method and parameter name are aggregated into a single alert. As these are all similar alerts, only the content of the first alert is presented.
b. All parameter-related profile violation alerts with the same destination server group and the same HTTP host name, URL, method and parameter name are aggregated into a single alert. This rule aggregates profile violation alerts generated by different sources but on the same parameter name. This could indicate a false positive (i.e. the parameter's actual behavior differs from the profiled behavior) or a widespread attack. The first 20 distinct sources are presented.

Response Code Profile Violation Aggregation Rules
a. All response code profile violation alerts with the same source IP or source session, the same destination server group, and the same response code are aggregated into a single alert. As these are all similar alerts, only the content of the first alert is presented.
b. All response code profile violation alerts with the same destination server group and the same response code are aggregated into a single alert. This rule aggregates profile violation alerts generated by different sources but on the same response code. The first 20 distinct sources are presented.

URL-related Profile Violation Aggregation Rules
a. All URL-related profile violation alerts with the same source IP or source session, the same destination server group, and the same HTTP host name, URL and method are aggregated into a single alert. As these are all similar alerts, only the content of the first alert is presented.
b. All URL-related profile violation alerts with the same destination server group and the same HTTP host name, URL and method are aggregated into a single alert. This rule aggregates profile violation alerts generated by different sources but on the same URL. This could indicate a false positive (i.e. the URL exists but is not part of the profile) or a widespread attack. The first 20 distinct sources are presented.
c. All URL-related profile violation alerts with the same destination server group and the same source IP or source session are aggregated into a single alert. This rule aggregates profile violation alerts generated by the same source but on different URLs. This could indicate a false positive or a widespread attack. The first 100 distinct URLs are presented.

Correlation Rule Aggregation Rules
a. All Correlation alerts with the same source IP or source session and the same destination server group are aggregated into a single alert. As these are all similar alerts, only the content of the first alert is presented.

When aggregating alerts, AppXcel WAF presents only a single alert row in the alert viewer. A folder icon next to the alert type icon indicates that the alert is aggregated. If the rule aggregates different sources (i.e. IP addresses/sessions), another folder icon appears next to the IP address field to indicate that the IP address shown is the first of possibly many. If the rule aggregates different event properties (for example different signatures, services, URLs or cookies), another folder icon appears next to the Description field to indicate that the description shown belongs to the first aggregated alert.

When you select the alert and view the bottom panel, AppXcel WAF presents the time at which aggregation started and the time at which it ended. If the aggregation has not ended, the time of the last alert in the sequence is presented.

Aggregation of the same alert continues until an hour passes without the alert being generated; if the alert is generated again after that hour, it is aggregated into a new alert. A single aggregation also ends at most six hours after it started, and if the same alert is still being generated, a new aggregation starts. Thus during a sustained alert storm a new aggregated alert is opened for each aggregation key at least once every six hours, and a large number of aggregated alerts can accumulate over a day. Note also that an aggregated row shows only the first alert's content and at most the first 20 distinct sources or 100 distinct properties; when investigating a storm, use the List of Alerts report, which can open the detailed view of every alert that was aggregated.
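The following Python script is an added example, not AppXcel code, that simulates the three network firewall aggregation rules and the two time limits described above on a constructed stream of alerts. The field names, the rule table, the sample IP addresses and ports, and the choice to track each rule separately (the text does not say how overlapping rules are prioritised) are this example's own assumptions; the other layers' rules have the same shape and can be added to the rule table.

```python
# Added example (not AppXcel code): a simulation of the firewall-layer aggregation rules.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(hours=1)  # an aggregation ends after an hour with no new alert
MAX_LIFETIME = timedelta(hours=6)  # and in any case six hours after it started

# Network firewall rules a-c from the text: (rule name, key fields, collected field, cap).
# A rule with no collected field keeps only the content of the first alert.
FIREWALL_RULES = (
    ("fw-a", ("src_ip", "server_group", "dst_port", "protocol"), None, 0),
    ("fw-b", ("src_ip", "server_group", "protocol"), "dst_port", 100),  # e.g. a port scan
    ("fw-c", ("server_group", "protocol", "dst_port"), "src_ip", 20),   # many sources, one port
)


@dataclass
class Aggregate:
    rule: str
    first: dict               # only the first alert's content is presented
    start: datetime
    last: datetime
    count: int = 1
    distinct: list = field(default_factory=list)  # first N distinct values of the collected field
    closed: bool = False


class Aggregator:
    def __init__(self, rules=FIREWALL_RULES):
        self.rules = rules
        self.open = {}      # (rule name, key values...) -> currently open Aggregate
        self.history = []   # every aggregate ever opened, in order of creation

    def feed(self, alert):
        """Route one alert into an aggregate under every rule it matches.
        The text does not say how overlapping rules are prioritised, so this example
        (an assumption) tracks each rule separately to show which one would fire."""
        t = alert["time"]
        for name, key_fields, collect, cap in self.rules:
            key = (name,) + tuple(alert[f] for f in key_fields)
            agg = self.open.get(key)
            if agg is not None and (t - agg.last > IDLE_TIMEOUT or t - agg.start > MAX_LIFETIME):
                agg.closed = True  # idle for an hour, or older than six hours: close it
                agg = None
            if agg is None:
                agg = Aggregate(name, alert, t, t)
                if collect:
                    agg.distinct.append(alert[collect])
                self.open[key] = agg
                self.history.append(agg)
                continue
            agg.count += 1
            agg.last = t
            if collect and alert[collect] not in agg.distinct and len(agg.distinct) < cap:
                agg.distinct.append(alert[collect])

    def aggregates(self, rule):
        return [a for a in self.history if a.rule == rule]


def fw_alert(t, src_ip, dst_port, server_group="web", protocol="TCP"):
    """Build a minimal firewall alert (field names are this example's own)."""
    return {"time": t, "src_ip": src_ip, "server_group": server_group,
            "protocol": protocol, "dst_port": dst_port}


def demo():
    """Constructed alert stream: a port scan, a distributed hit on one port, and one
    alert repeating every 30 minutes for seven hours to exercise the time windows."""
    t0 = datetime(2008, 1, 15, 8, 0, 0)
    agg = Aggregator()
    for i in range(150):  # 10.0.0.5 probes 150 ports on the 'web' server group
        agg.feed(fw_alert(t0 + timedelta(seconds=i), "10.0.0.5", 1000 + i))
    for i in range(30):   # 30 different sources hit port 22 on 'web'
        agg.feed(fw_alert(t0 + timedelta(minutes=5, seconds=i), "192.0.2.%d" % (i + 1), 22))
    for i in range(15):   # same alert from 198.51.100.9 every 30 min for 7 hours
        agg.feed(fw_alert(t0 + timedelta(hours=1, minutes=30 * i), "198.51.100.9", 443))
    return agg


if __name__ == "__main__":
    a = demo()
    scan = [x for x in a.aggregates("fw-b") if x.first["src_ip"] == "10.0.0.5"][0]
    print("port scan: %d alerts, %d distinct ports shown" % (scan.count, len(scan.distinct)))
    many = [x for x in a.aggregates("fw-c") if x.first["dst_port"] == 22][0]
    print("port 22: %d alerts, %d distinct sources shown" % (many.count, len(many.distinct)))
    for x in a.aggregates("fw-a"):
        if x.first["src_ip"] == "198.51.100.9":
            print("repeat: %d alerts, %s to %s, closed=%s" % (x.count, x.start, x.last, x.closed))
```

Running the script shows the three effects the rules are designed for: the port scan collapses 150 alerts into one row that lists 100 ports, the distributed hit on port 22 collapses 30 alerts into one row that lists 20 sources, and the alert that keeps repeating produces two rows, the first closed exactly six hours after it started and the second still open.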


Section 5-3 Gateways


This section explains the functionality of the Gateways Window. This section contains the following topics: Gateways - Introduction, page 5-21

Gateways - Introduction
The status and load of the AppXcel WAF are monitored constantly.

To view the Gateways window:

1. Click Activity Console.
2. Select Gateways on the tree menu. The Gateways window appears. It displays the status, errors and load of the AppXcel WAF, as displayed in Figure 5-7.

Figure 5-7 Gateways Window


3. Click the Gateway name. The statistics of the selected Gateway are displayed:

Gateway Name: The name of the Gateway. Inline gateways are identified by the Status icon.

Status: One of the following:
- Running: The gateway is up and running.
- Loading: The gateway is loading a new configuration after Activate Settings has been selected.
- Down: The gateway is down.
- Disconnected: The management server cannot connect to the gateway.
- Gateway Failure: The gateway is down due to a failure.
- Internal Error: The gateway is up but one or more of its modules failed.
- Connection Stalled: The connection between the gateway and the management server has stalled due to memory problems on the management server. The gateway is running.
- Connecting: The management server is trying to establish a connection with the gateway.

Mbit / sec: The current throughput on the gateway in Mbit/sec.
Events / sec: The total number of HTTP requests currently passing through the gateway.
CPU Utilization: The current CPU utilization of the gateway's kernel.
Topology: The gateway topology.
IP Address: The gateway's management NIC IP address.
Fail Mode: See Warnings below.
Warnings: A list of warnings generated by the gateway.
Up Since: The last time the gateway rebooted.
Connections / sec: The number of new TCP connections per second passing through the gateway.
HTTP events / sec: The total number of HTTP requests currently passing through the gateway.
View Histogram: Opens a Microsoft Excel file (CSV format) with the gateway's statistics from the last 72 hours.
Blocked Ambiguous Packets/Min.: The total number of ambiguous packets blocked recently.
Overload Policy: The action taken by the gateway when it is overloaded with traffic:
- Pass: the gateway passes queued packets without inspection when it is overloaded.
- Block: the gateway postpones or blocks packets when it is overloaded.
To change the policy, click the Change Policy link and select the checkbox if you do not want the gateway to postpone or block packets when it is overloaded. Note that Pass is a fail-open setting: packets forwarded under overload are not inspected by any protection layer, so an attacker who can drive the gateway into overload can bypass it. Prefer Block unless availability of the protected application outweighs inspection.

List of Server Groups Protected by this Gateway: Lists the Server Groups being monitored by the gateway and their status:
- Name: The name of the Server Group.
- Status: Whether the gateway monitors this server group (running) or not.


Section 5-4 Blocked Sources


This section explains how to view and manually release blocked sources. This section contains the following topics: Blocked Sources - Introduction, page 5-24

Blocked Sources - Introduction


There are two blocked sources views: Currently Blocked Sources, and a log of the sources that were blocked in the last 72 hours. In the Currently Blocked Sources view, you can manually release blocked IP addresses and sessions.

To view all currently blocked IP addresses and sessions:

1. Click Activity Console.
2. Select Currently Blocked Sources in the left tree menu. The Currently Blocked Sources window appears, as displayed in Figure 5-8.

All columns can be sorted alphanumerically by clicking the sort button. The highlighted icon indicates the sorted column and the sort direction.


Figure 5-8 Currently Blocked Sources Window

This window displays blocked IPs and sessions as described below:

Blocked By: The context of blocking, either IP Address or Session. When you select a row to be released, the context determines what is released: if the context is IP Address, the blocked IP address is released; if the context is Session, the blocked session is released.
Session ID: The session ID associated with this block.
IP Address: The IP address associated with this block.
Time: The time at which the block duration began.
Release Time: The time at which the source is released.
Alert No: The alert number associated with this block. Click the number to view the alert.

To release blocked sessions / IPs:

1. Select the session(s)/IP(s).
2. Click Release.

To view a log of all sources blocked in the last 72 hours, click the View Log link. The log presents the same details as the Currently Blocked Sources window.


Section 5-5 Reports


This section explains how to view and produce reports. This section contains the following topics:
Reports - Introduction, page 5-26
Alert Analysis Reports, page 5-30
Top 20/100 Reports, page 5-31
Profile Reports, page 5-32
Assessment Reports, page 5-33

Reports - Introduction
AppXcel WAF provides a wide range of reports. To generate a report, the user assigns values to the report's input parameters. The following is a general description of creating reports; the sub-sections that follow describe each report in detail.

To generate a report:

1. Click Activity Console.
2. Expand the Reports folder.
3. Click a report category. The Reports window appears, as displayed in Figure 5-9.


Figure 5-9 Reports Window

4. Click a report name. The Selected Report Parameters window appears.
5. Enter or select values for the report parameters, as described below (most reports use a subset of these parameters):

Report Period: The time interval during which the alerts or violations were generated.
Source IP: The attacker's source IP. Leave blank to include all IPs.
Server Group: The list of targeted Server Groups. You can select multiple Server Groups by holding down the Ctrl key while clicking the Server Group names. You must select at least one Server Group.
Severity: The alert severities to be included in the report: Informative, High, Medium, Low. You can select multiple entries by holding down Ctrl while clicking the severity levels.
Type: The alert types to be included in the report: Firewall, Signature, Worm, Protocol Violations, Profile Violations, Correlated. You can select multiple entries by holding down Ctrl while clicking the types.
Time Frame: The time frame during which the alerts or violations were generated. Select a time frame from the combo box.
Date: A specific day during which the alerts were generated.

6. Click OK. The report appears; Figure 5-10 shows a typical Top 20 Attacking IPs report.


Figure 5-10 Top 20 Attacking IPs Report Window

You can browse the report by using the following buttons:
- Go to the first page
- Go to the previous page
- Go to the next page
- Go to the last page
- Search for text
- Go to a specific page

7. To export a report or open it in another format, click the Export button and select a format from the drop-down list: Crystal Reports (RPT), Acrobat Format (PDF), MS Word, MS Excel 97-2000, MS Excel 97-2000 (Data only), Rich Text Format.
8. To print a report, click the Print button.
9. To change the size of the report, select a zoom size from the drop-down list, ranging from 25% to 400%.

Alert Analysis Reports


This category includes reports that either print subsets of the alerts database or the results of an analysis of the alerts database. Available reports in this category are:

- Alerts by Severity Type Report: presents a pie graph of informative, high, medium and low severity alerts for one or more Server Groups. The input parameter window allows you to select a report period and server groups.
- List of Alerts Report: presents a list of all alerts and the alert details. Each alert is presented in one line, which includes: the alert number, arrival time, severity, alert type, source IP address, Server Group, and description. The alert details are presented below each summary line. If the alert is an aggregated alert, you can open a window that contains detailed information on all the alerts that were aggregated. The input parameter window allows you to select a report period, source IP (leave blank to include any IP), server groups, and alert severities.
- List of Alerts Summary Report: presents a list of all alerts. The summary of each alert is presented in one line, which includes: the alert number, arrival time, severity, alert type, IP address, session ID and Server Group. The input parameter window allows you to select a report period, source IP (leave blank to include any IP), server groups, and alert severities.
- Number of Alerts per Day Report: presents a graph with the number of alerts generated each day. Each column is divided into four color-coded sections: informative, high, medium and low severity. The input parameter window allows you to select a report period and server groups.
- Number of Alerts per IP - Daily: presents a graph with the number of alerts generated by the selected IP, distributed over the selected time period. The input parameter window allows you to select a time frame (either the last 5 or 10 days) and a source IP.
- Number of Alerts per IP - Hourly: presents a graph with the number of alerts generated per hour during the selected day by the selected IP. The input parameter window allows you to select a specific day and a specific source IP.
- Number of Alerts per Server Group Report: presents a graph with the number of alerts for each Server Group defined in the system. Each column is divided into four color-coded sections: informative, high, medium and low severity. The input parameter window allows you to select a report period.
- Distribution of HTTP Protocol Alerts Report: presents a graph with the number of instances of each HTTP Protocol violation type. The input parameter window allows you to select a report period and server groups.

Top 20/100 Reports


This category includes reports, in graphical and textual top 20/100 format, intended for management overview and fine-tuning.

- Top 20 Attacking IPs Report: presents a graph of the 20 IP addresses perpetrating the highest number of attacks on the system, followed by a list of all attacking IP addresses sorted by the number of alerts per IP address. The input parameter window allows you to select the report period.
- Top 20 Signatures Report: presents a graph of the 20 signatures that generated the most violations, followed by a list of all alerted signatures sorted by the number of alerts per signature. The input parameter window allows you to select a report period and server groups.
- Top 100 Unauthorized URLs Report: presents a list of the 100 URLs that produced the most Unauthorized URL violations for the selected Server Group(s). For each URL it lists: the server group, the occurrence, method, host, and URL. The input parameter window allows you to select a report period and server groups.
- Top 20 Suspected Worms Report: presents a graph of the 20 URLs that produced the most Worm violations for the selected Server Group(s), followed by a list of all the URLs that produced Worm violations, sorted by the number of alerts per URL. The input parameter window allows you to select a report period and server groups.
- Top 20 Alerted Firewall Services Report: presents a graph of the 20 services that were alerted most often by the firewall layer, followed by a list of all the alerted services sorted by the number of alerts per service. The input parameter window allows you to select a report period and server groups.
- Top 20 Alerted Signature Services Report: presents a graph of the 20 services that were alerted most often by the signatures layer, followed by a list of all alerted services sorted by the number of alerts per service. The input parameter window allows you to select a report period and server groups.

Note: Other reports listed in the management interface, including those for SQL, are not implemented.

Profile Reports
This category includes reports on the learning progress of the profile layer.

- In Learning vs. Protected URL Groups: presents a pie chart of URL groups in learning versus URL groups in protection.
- Distribution of HTTP Profile Violation Report: presents a graph with the number of instances of each HTTP Profile violation type. The input parameter window allows you to select a report period and server groups.
- Number of URLs that Entered Protection per Day: presents a graph with the number of unique URLs that were switched from learn to protect mode during each day. The input parameter window allows you to select a report period and server groups.
- Number of URLs Added to the Profile per Day: presents a graph with the number of unique URLs that entered the profile during each day. The input parameter window allows you to select a report period and server groups.

Assessment Reports
This category includes a set of assessment reports that analyze Web profiles.

- Top Accessed URLs Assessment: presents all URLs in the profile; pending URLs are not presented. For each URL it presents: the Host Group, URL, Method, and Occurrence (how many times this URL was observed during Learn mode). The URLs are ordered by occurrence (descending). For each URL it also presents a list of parameters, and for each parameter: the name, minimum size, maximum size, required, read only and prefix. The input parameter window allows you to select server groups.
- Least Accessed URLs Assessment: presents all pending URLs; URLs already in the profile are not presented. For each URL it presents: the Host Group, URL, Method, and Occurrence (how many times this URL was observed during Learn mode). The URLs are ordered by occurrence (ascending). For each URL the report also presents a list of parameters, and for each parameter: the name, minimum size, maximum size, required, read only and prefix. The input parameter window allows you to select server groups. Review this report before URLs are switched to protect mode: rarely observed URLs and parameters are the ones whose learned attributes rest on the fewest observations and are therefore the most likely sources of false positives.
- Broken Links Report: presents all broken links in the selected web server groups. For each link the report presents the referrer fields used to access the URL.
- Broken References Report: presents all broken references in the selected web server groups. A broken reference is a link to a URL that does not exist, where the link is located not on the protected web application but on a different web application (for example Google). For each link the report presents the referrer fields used to access the URL.

Note: The following reports are not implemented in this version: Database IP Sources Assessment, User Access Assessment, Database Default Packages And Stored Procedures Assessment, Database System Objects Access Assessment, Database Users Assessment, Large Queries Assessment, Least Accessed Queries Assessment, Top Accessed Queries Assessment and User Privilege Assessment.


Section 5-6 System Log


This section explains how to view and configure the system log. This section contains the following topics: System Log - Introduction, page 5-35

System Log - Introduction


The system log includes activities related to signature updates, changes to configuration, activation of settings, building profiles, automatic profile updates, rebuilding database indexes, server start/stop, etc.

To view the system log:

1. Click Activity Console.
2. Click System Log in the left tree menu. The System Log window appears, as displayed in Figure 5-11.

Figure 5-11 System Log


The fields listed in this window are:

Type: An icon indicating whether the event was generated by an ADC user, was generated by the AppXcel WAF system, or failed.
User: The username that generated this event. If the event was generated by the AppXcel WAF system, the username is System.
Time: The time of the event.
Message: A description of the event.


Section 5-7 Notifications


This section explains the Notifications Window, which allows you to get email notification on important system events This section includes the following topics: Notifications - Introduction, page 5-37

Notifications - Introduction
The Notifications window allows you to receive email notification of important system events. The events supported in this version are:

- When the Automated Profile Update engine changes the profile: each time the Automated Profile Update engine updates one of the profiles, an email notification is sent to the list of recipients. The notification includes details about the change.
- When a gateway goes up: when a gateway that was down comes up, an email notification is sent to the list of recipients. The notification includes details about the gateway.
- When a gateway goes down: when a gateway that was up goes down, an email notification is sent to the list of recipients. The notification includes details about the gateway.
- When the AppXcel WAF internal database approaches or passes its limit: see Appendix E, Database Overflow Protection.
- When the number of ambiguous packets blocked by a gateway passes a configured threshold.

To set email notification:

1. Click Activity Console.
2. Click Notification in the left tree menu. The Notifications window appears, as displayed in Figure 5-12.


Figure 5-12 Notifications

3. Check the Send email notification using the following email interface checkbox to enable this feature.
4. Select an Email Interface from the combo box.
5. Select the notifications you would like to receive.
6. Click Save.


Chapter 6 - Web Profiles

This chapter describes how to configure Dynamic Profiling for AppXcel WAF and includes the following sections:
Section 6-1: Dynamic Profiling, page 6-2


Section 6-1 Dynamic Profiling


This section describes how AppXcel WAF monitors all interactions between users and Web servers. This section contains the following topics:
Dynamic Profiling - Introduction, page 6-2
Web Server Group Profiles, page 6-2
URLs Profile, page 6-3
URL Patterns, page 6-32

Dynamic Profiling - Introduction


Immediately after you create a new Web server group, Dynamic Profiling begins monitoring all interactions between users and Web servers to automatically build a profile of the application's normal structure and dynamics. Then, by comparing the profile to actual traffic, AppXcel WAF can identify and block requests that deviate from it, including attacks for which no signature exists. The dynamic profiles can be changed manually, and information can be added and removed. This layer allows AppXcel WAF to detect and protect against threats which are specific to the custom code of the Web application, such as unauthorized values sent to a specific Web page. These types of attacks cannot be detected by signature or firewall mechanisms; they require a learning phase in which the product learns the structure of each protected URL. AppXcel WAF automatically builds these profiles and uses them to detect deviations (or violations) and block attacks on the custom code of the application.

Web Server Group Profiles


A Server Group of the Web Server type includes three configurable profiles:
- URLs
- URL Patterns
- Cookie Profiles


To view these profiles:

1. Expand the Server Group's submenu.
2. Expand Profiles under the Server Group's name.
3. Click the profile name to display the profile in the data page.

URLs Profile
The URLs profile is the baseline from which AppXcel WAF detects deviations and generates violations on URLs that users request from protected Web servers. The URLs profile includes the following information:
- A list of host names used by this server group.
- A list of URLs used by this server group.
- The HTTP methods used with each URL.
- A list of parameters included in each URL.
- A set of attributes for each parameter: value type, minimum length, maximum length, whether or not it is required, whether or not it is a read-only parameter, and whether or not it is a parameter prefix.

AppXcel WAF automatically builds the URLs profile based on actual traffic to the protected Web servers. The profile is built gradually: each URL starts in learn mode and is put into protect mode when enough information has been gathered.

When you create a new Web server group, AppXcel WAF monitors HTTP and HTTPS traffic to this server group. AppXcel WAF identifies all the host names (for example www.radware.com) used by this server group and lists them in the host groups page. AppXcel WAF automatically adds all host names to a single host group and treats them as if they belong to the same application. You can manually extract hosts from the default host group and instruct AppXcel WAF to learn these hosts separately, as if they were different applications.

For each host group AppXcel WAF learns its entire set of URLs. Each URL that AppXcel WAF sees for the first time is added to the profile in learn mode. After a period of time, when AppXcel WAF has gathered enough observations of this URL, it switches its mode from learn to protect and starts generating violations and actions whenever a deviation from its profile occurs.

Note that AppXcel WAF avoids learning URLs which do not actually exist on the protected Web servers. When AppXcel WAF sees a request for a URL which is not part of the profile, it first checks the response code before adding this URL to the profile. If the response indicates that this URL does not exist (for example an HTTP 404 Not Found response), AppXcel WAF ignores this URL and does not add it to the profile. Otherwise, AppXcel WAF adds this URL to the profile and starts learning it. Keep in mind that the profile is only as clean as the traffic observed: any request that reaches the server and succeeds during the learning period, including an attacker's, becomes part of the baseline, so review the learned profile before URLs are switched to protect mode.

The profile view presents all URLs and their mode (i.e. Learn, Protect). AppXcel WAF automatically switches URLs from learn mode to protect mode. The URL mode is changed when AppXcel WAF has gathered enough information on the specific URL, so at any given time the list of URLs can contain URLs in either mode. When a URL is in protect mode, AppXcel WAF starts generating violations and actions whenever a deviation from the profile occurs (see Profile Violations in Chapter 1 for the types of deviation).

For each URL AppXcel WAF learns the following information:
- HTTP Methods: a list of HTTP methods (for example GET, POST, OPTIONS, or HEAD) used with this URL.
- Parameters: a list of parameters used with this URL. For each parameter AppXcel WAF learns:
  a. Whether this parameter is required (i.e. must appear with each request for this URL) or not.
  b. Minimum and maximum parameter length.
  c. Allowed value types.
  d. Whether or not this parameter is Read-Only (i.e. either a hidden field or part of an embedded link).

The following actions can be performed on learned URLs:
- Add URLs manually
- Edit URL
- Delete URLs
- Manually switch URLs between learn mode and protect mode
- Lock and release URLs
- Lock and release Directories
- Define parameter prefixes
- Delete parameter prefixes
- Add Parameters to URLs
- Remove Parameters from URLs
- Determine the minimum and maximum number of characters in a parameter
- Determine if the parameter is required
- Define the parameter value type
- Release read-only parameters
- Define URL patterns
- Define host mapping
- Define host groups

6-4

AppXcel User Guide

AppXcel User Guide
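The learning and protection behaviour described above, as an added example that is not AppXcel code: a minimal URL profile in Python that records host names, URLs, methods and parameter names, skips URLs for which the server answered 404, promotes a URL to protect mode after a fixed number of observations, and reports deviations once the URL is in protect mode. It also models locked directories (see Locking and Unlocking Directories later in this chapter). The observation threshold, the class names and the violation strings are assumptions of this example, not the product's.

```python
"""Added illustration (not AppXcel code): a positive-security URL profile
learned from observed request/response pairs, then enforced per URL."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

LEARN_THRESHOLD = 3  # assumption: observations needed before a URL is promoted


@dataclass
class UrlEntry:
    mode: str = "learn"                       # "learn" or "protect"
    methods: Set[str] = field(default_factory=set)
    params: Set[str] = field(default_factory=set)
    occurrences: int = 0                      # the Occurrence column in the list view


@dataclass
class UrlProfile:
    hosts: Set[str] = field(default_factory=set)        # the default host group
    urls: Dict[str, UrlEntry] = field(default_factory=dict)
    locked_dirs: Set[str] = field(default_factory=set)  # directories locked by the admin

    def lock_directory(self, directory: str) -> None:
        """Unknown URLs under a locked directory are never learned."""
        self.locked_dirs.add(directory if directory.endswith("/") else directory + "/")

    def switch_mode(self, url: str, mode: str) -> None:
        """Manual switch between learn and protect mode."""
        self.urls[url].mode = mode

    def observe(self, host: str, method: str, url: str,
                params: Iterable[str], status: int) -> List[str]:
        """Feed one request together with the server's response status.
        Returns the list of violations (always empty while learning)."""
        self.hosts.add(host.lower())
        entry = self.urls.get(url)
        if entry is None:
            if any(url.startswith(d) for d in self.locked_dirs):
                return ["Unauthorized URL Access"]       # violation name from the guide
            if status == 404:
                return []          # the server says the URL does not exist: do not learn it
            entry = self.urls[url] = UrlEntry()
        if entry.mode == "learn":
            entry.methods.add(method)
            entry.params.update(params)
            entry.occurrences += 1
            if entry.occurrences >= LEARN_THRESHOLD:
                entry.mode = "protect"           # enough observations gathered
            return []
        violations: List[str] = []               # protect mode: report deviations
        if method not in entry.methods:
            violations.append(f"method not in profile: {method}")
        for p in params:
            if p not in entry.params:
                violations.append(f"parameter not in profile: {p}")
        return violations
```

The example deliberately learns nothing from a request under a locked directory and nothing from a 404, which is the two cases in which the guide says a new URL is not added.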

The URLs that the system learned are displayed in both tree and list views. The tree view is the default. It gives an overall system view of the URLs according to their paths. The list view is more convenient as a working mode. It also provides a sort function. To switch between tree and list view: Select the Tree / List option near Display.

Browsing the Tree View


The Tree View appears in the window's top panel. To view the URL path tree:
1. Follow the procedure in section Web Server Group Profiles, page 6-2 to display the Server Group's profiles.
2. Click URLs under URL Profiles. The URLs window appears, as displayed in Figure 6-1.

Figure 6-1 URLs Window (Tree View)

Only the root is visible when the window first appears.
3. Expand the root icon. The tree appears and displays directory and URL (file) icons.
4. Expand the directory icon. The tree displays another layer in the tree.
5. Continue opening the directories until the desired parts of the tree are visible.
6. Click on one of the URL icons. The URL's properties appear in a table below the Tree View, as displayed in Figure 6-1.
Each URL can have one of the following icons:
- Regular URL in Learn Mode
- Regular URL in Protect Mode
- Broken Link in Learn Mode
- Broken Link in Protect Mode
- Broken Reference in Learn Mode
- Broken Reference in Protect Mode

A broken link is a link on one of the site's pages that points to a non-existing URL. Users that click this link get a 404 Not Found reply. Broken links can occur for a variety of reasons. For example, the page could have been deliberately removed but some links to it have been left. Another reason could be an attacker that tries to delete pages from the site, or pages that were mistakenly deleted during maintenance jobs. AppXcel WAF automatically identifies broken links and presents them in the profile.

A broken reference is a web link to one of the pages on the protected Web site. Unlike broken links, broken references are presented on external web sites (for example directories and search engines) and not on the protected web site itself. Users that click on broken references generate a request for a non-existing URL on the protected Web site and get a 404 Not Found reply in response. AppXcel WAF automatically identifies broken references and presents them in the profile.

When selecting a broken link or a broken reference, it is possible to view its referrals (i.e. the URLs that point to this link) by clicking the Referrals button below the profile window.

A key on the URL icon indicates that this URL is locked. A locked URL is not updated by the automated profile update engine. A key on the directory icon indicates that this directory is locked. Access to URLs in this directory that are not specifically listed in the profile generates an Unauthorized URL Access violation.
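As an added example (not AppXcel code) of the distinction above: a small Python classifier that, given constructed 404 log records with their Referer headers, separates broken links (referring page on a host in the protected host group) from broken references (referring page on an external site) and collects the referrals for each missing URL, which is the information the Referrals button presents. The log records and host names are constructed; how AppXcel itself attributes referrals is not specified in the guide.

```python
"""Added example (not AppXcel code): classify 404s by their Referer header."""
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

HOST_GROUP: Set[str] = {"www.example.com", "example.com"}   # constructed host group

# constructed log records: (response status, requested path, Referer header or None)
SAMPLE_LOG: List[Tuple[int, str, Optional[str]]] = [
    (404, "/old/page.asp", "http://www.example.com/index.html"),
    (404, "/products/discontinued.asp", "http://search.example.net/results?q=mower"),
    (404, "/old/page.asp", "http://example.com/news.html"),
    (200, "/index.html", None),
    (404, "/typo.asp", None),
]


def classify_referer(referer: Optional[str], host_group: Set[str]) -> Optional[str]:
    """'broken link' when the referring page lives on the protected site,
    'broken reference' when it lives elsewhere, None when there is no Referer."""
    if not referer:
        return None
    host = (urlsplit(referer).hostname or "").lower()
    return "broken link" if host in host_group else "broken reference"


def build_broken_report(log: List[Tuple[int, str, Optional[str]]],
                        host_group: Set[str]) -> Dict[str, Dict[str, List[str]]]:
    """Missing URL -> the referring URLs, split by kind (the Referrals view)."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for status, path, referer in log:
        if status != 404:
            continue
        kind = classify_referer(referer, host_group)
        if kind is None:
            continue   # no Referer: the origin of the stale link cannot be attributed
        entry = report.setdefault(path, {"broken link": [], "broken reference": []})
        entry[kind].append(referer)
    return report
```

A 404 with no Referer (a typed URL or a client that strips the header) is left out of the report rather than guessed at; in a review, a sudden burst of internal broken links for pages that should exist is the signal worth chasing, since the guide notes that deleted pages are one of its causes.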

Browsing the List View


The following section describes how to browse the List View. To view the URL list:
1. Follow the procedure in Section Web Server Group Profiles, page 6-2 to display the Server Group's profiles.
2. Click URLs under URL Profiles. The URLs page appears, as displayed in Figure 6-1.
3. Click List near Display.
   a. The list view appears, as displayed in Figure 6-2.

Figure 6-2 Learned URLs Window (List View)

   b. The list view includes five columns:
      - Host Group: the host group name to which the URL belongs.
      - URL: the actual URL.
      - HTTP Methods: the methods by which this URL is called (e.g. GET, POST).
      - Average Response Time: the average response time during learning. During Learn mode AppXcel WAF learns the average response time of each URL (the time that elapses between sending the HTTP request to the web server and receiving a response from the web server).
      - Occurrence: the exact number of times this URL was seen during Learn Mode.
      - The number of parameters defined for the URL.

URLs are presented in pages. AppXcel WAF displays up to 200 URLs per page. You can browse the pages using the following options:
- Set the number of URLs displayed on each page. Select the number from the drop-down list.
- Go to the first page.
- Go to the last page.
- Go to the previous page.
- Go to the next page.
- Go to a specific page. Select the page number from the drop-down list.

To view a URL's parameters and statistics: Click on the URL. The URL's properties are presented below the list view.

Filtering URLs
AppXcel WAF enables the profile viewer to filter the URLs displayed according to their characteristics. To filter URLs:
1. Click the Filter button. The Filter Window appears, as displayed in Figure 6-3.

Figure 6-3 Filter URLs Window Box

   The Window displays all the fields by which queries can be filtered. Fill in the values of the fields to define the filter. The viewer uses the AND operator between the fields if more than one field is filled. For example, if the Host field is set to myhost and HTTP Method is GET, the viewer displays all the URLs that belong to myhost and use the GET method.
   Note that you can select either equal to (=) or not equal to (<>) for all fields. For the Occurrence field you can also use less than (<) and greater than (>). The viewer displays all the URLs that are equal to the value entered when = is selected. The viewer displays all URLs that are not equal to the value entered when <> is selected. The viewer displays all URLs whose occurrence is greater than the value entered when > is selected. The viewer displays all URLs whose occurrence is less than the value entered when < is selected.
   For the URL field you can also select the LIKE option. For example, home/ab returns all the URLs that include the text "home/ab".
2. Click OK to execute the filter or Cancel to cancel.

A filter can be removed by clicking the Remove button in the Learned URLs Window.

Note: The filter option is a presentation option, modifying the display to include the filtered URLs only. It does not filter any URLs from the profiling process.

Sorting URLs
URLs can be sorted according to a specific field.

Note: This feature is only available in List view.

URLs can be sorted by Host, URL, HTTP Method, Occurrence, and Average Response Time. Click the down arrow icon in the header to sort URLs according to the specific field. The icon turns yellow when clicked, indicating that URLs are sorted according to this field. The profile viewer also includes an advanced sorting option to sort URLs according to multiple fields and according to fields that do not appear in the URL line.

To perform advanced sorting:
1. Click the Sort button for advanced sorting. The Advanced Sort Window appears, as displayed in Figure 6-4. In this window you can define the fields and their order. Notice that the current sort order already appears in the window.

Figure 6-4 Advanced Sort Window Box

2. To add a field:
   a. Select the field name from the field name drop-down list.
   b. Select the field's sort order, ascending or descending, from the sort drop-down list.
   c. Click Add.
3. Repeat step 2 until all the fields according to which you want to sort are added to the list. Add fields according to the desired sort order.
4. To remove a field from the list, select the field name and click Remove.
5. Click Save to execute the sort, or Cancel to cancel.

Adding URLs to the URLs List


URLs may be manually added to the URLs list. To add a URL:
1. Follow the procedure in Section Browsing the Tree View, page 6-5 to display a tree view of the learned URLs.
2. Click Add URL. The Add URL Window appears, as displayed in Figure 6-5.

Figure 6-5 Add URL Window Box

3. Select the host group to which this URL belongs.
4. Enter the URL relative to the root.
5. Select the HTTP Methods from the checkboxes. See Appendix G for further explanation on HTTP methods.
6. Select the SOAP checkbox if this URL contains SOAP messages:
   a. Enter a SOAP action name and click Add.
   b. Repeat step a until all actions are added.
   c. Click Save.

Note: It is not recommended to manually add URLs, as AppXcel WAF automatically detects new URLs and adds them to learning.

Editing URLs
The URLs' attributes can be edited and changed.

To edit the URL attributes:
1. Follow the procedures in Sections Browsing the Tree View, page 6-5 and Browsing the List View, page 6-7 to display a tree or list view of the learned URLs.
2. Select one of the URLs in the tree/list view.
3. Click the Edit button below the tree/list view. The Edit URL Methods Window appears, as displayed in Figure 6-6.

Figure 6-6 Edit Methods Window

4. Make the required changes.
5. Click Save to save the changed settings or Cancel to cancel.

Deleting URLs from the URLs List


Deleting a URL deletes that URL completely from the Profiles.

To delete a URL from the URLs list:
1. Follow the procedures in Browsing the Tree View, page 6-5 and Browsing the List View, page 6-7 to display a tree or list view of the learned URLs.
2. Select a URL in the tree/list view.
3. Click Delete URL below the tree/list view. A delete confirmation Window appears, as displayed in Figure 6-7.

Figure 6-7 Delete URL Confirmation Window

4. Click OK to delete the URL or Cancel to cancel.

Note: Deleting a URL deletes that URL completely from the Profiles. The URL reappears if AppXcel WAF continues to see requests to this URL.

Switching between Learn and Protect Mode


You can manually switch a URL from learn mode to protect mode. There is no real need to do so, as AppXcel WAF automatically switches URLs from learn mode to protect mode when enough observations are gathered. However, the administrator can review the URL and decide that it is ready for protect mode before AppXcel WAF automatically reaches the same decision.

You cannot edit URLs and URL parameters while these URLs are in learn mode. You must first switch the URL to protect mode, or wait for it to be switched automatically, and then edit it. To switch a URL to protect mode, select the URL (in tree view) or check the URLs you want to switch (in list view) and click "Switch to Protect Mode".

You can also manually switch a URL from protect mode to learn mode. You do that if you know the URL has changed and you want AppXcel WAF to immediately start learning the changes, or if you have decided that AppXcel WAF has not properly learned certain URLs. To switch a URL to learn mode, select the URL (in tree view) or check the URLs you want to switch (in list view) and click "Switch to Learn Mode".

URLs which are switched to learn mode automatically return to protect mode after a grace period.

Locking and Unlocking URLs


URLs in protect mode can be updated by the automatic profile updates (APU) mechanism. The APU can update things such as allowed methods, the list of parameters, parameter lengths, allowed values for parameters and more. You can prevent the APU from updating specific URLs by locking them. By default all URLs are unlocked, so if you wish to prevent the APU from updating certain URLs, you must manually lock them. To lock a URL, click the URL (in tree view) or check the URLs you wish to lock (in list view) and click the Lock URL button. Locked URLs have a key on their icon. To unlock a URL, click the URL (in tree view) or check the URLs you wish to unlock (in list view) and click the Unlock URL button. Unlocked URLs are updated by the APU.

Locking and Unlocking Directories


When AppXcel WAF sees a request for a URL that is not listed in the profile, AppXcel WAF immediately starts learning this URL. For some directories you might want to prevent this behavior. Consider for example a directory that consists of administrative pages which you do not want to be part of the profile, because you do not want to allow users to access them although they exist. In this scenario, you can ensure the pages are not part of the profile, or delete them if they are, and lock the directories they belong to so they do not appear again. When AppXcel WAF sees a request for a URL that is not listed in the profile and belongs to a locked directory, AppXcel WAF does not learn this URL and instead generates the Unauthorized URL Access violation. You can only lock directories from the tree view. To lock a directory, click the directory and then click the Lock button. Locked directories have a key image on their icon.

To unlock a directory, click the directory and then click the Unlock button.


Setting Methods for All URLs Under a Specific Directory


You can manually set the HTTP methods of all URLs under a specific directory, including all of its sub-directories. To do so:
1. Select the directory and click the Edit button.
2. Select the methods you want to allow for all URLs under this directory and its sub-directories.
3. Click Save.

The configuration you chose is copied to all the existing URLs in this directory, whether they are in Learn or Protect mode. Note that this is a copy operation: AppXcel WAF copies the methods you selected to all existing URLs under this directory. A new URL that arrives in this directory does not receive these methods but learns the methods seen during the learning period. APU rules can change your setting unless the URLs are locked. You can also manually change the methods of each URL individually after you have used this copy operation.

Configuring Parameter Name Prefixes


Parameter names can be dynamic, for example param1, param2, param3, etc. AppXcel WAF learns all parameter names for each URL, therefore it never stops learning URLs with dynamic parameter names, since the number of combinations is extremely large or even unlimited. To overcome this problem AppXcel WAF introduces the concept of parameter name prefixes. You can mark a certain parameter name as a prefix. Each parameter name that matches the prefix is allowed. For example, if for the URL sample.asp you set the parameter name prefix to "param", then parameter names such as param1, param2, param5000 and paramabc are allowed.

AppXcel WAF automatically identifies and configures prefixes. However, in some cases manual intervention is needed because the automatic prefix mechanism did not identify the prefix. To easily find parameters which could be dynamic you can sort the URL profile according to the number of parameters per URL. This way you get the URLs with a large number of parameters first, and are able to easily and quickly review them, find dynamic parameters with a prefix and configure the prefix.

In order to keep the number of parameters manageable for a URL during Learn Mode, AppXcel WAF limits the number of parameters learned for each URL to 200. If you reach 200 parameters, look for prefixes and define them.

To identify and configure a parameter name prefix:
1. Follow the procedures in Sections Browsing the Tree View, page 6-5 and Browsing the List View, page 6-7 to display a tree or list view of the URLs profile.
2. Select a URL and then locate and check the check box near a dynamic parameter.
   Note: You can sort the profile according to the number of parameters per URL, to identify URLs with a large number of parameters. These URLs are more likely to include dynamic parameters.
3. Click Make Prefix. A message appears: "Creating a prefix deletes all regular parameters that begin with that prefix".
4. Click OK. The Add Prefix Window appears, as displayed in Figure 6-8.

Figure 6-8 Add Prefix Window

5. Edit the parameter prefix name, the minimum and maximum length of the parameter value, the main value type, and whether it is required or not.
6. Click Save. AppXcel WAF automatically removes all the parameters for this URL that match the new prefix. For example, if the URL included the parameters param1, param2, param3, param4, param5, and abparam, by adding the parameter prefix param AppXcel WAF automatically removes the parameter names param1, param2, param3, param4 and param5, leaving only one prefix and the parameter abparam, which does not match the parameter prefix "param".
7. Once the prefix is defined you can define extended value types. Click Save. The Configure Value Type window appears.
8. In the Configure Value Type window, select the primary value type from the drop-down list, then select the additional value types and click Save.

Figure 6-9 Configure Value Type Window
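The prefix mechanism described above, as an added Python example that is not AppXcel code: learned parameter names per URL are capped at 200, Make Prefix removes the regular parameters the prefix absorbs (leaving names such as abparam alone), and a request parameter is accepted when it matches a learned name or any prefix. The class name, the helper that ranks URLs by parameter count, and the parameter names are constructed for this example.

```python
"""Added example (not AppXcel code): parameter name prefixes for one URL."""
from typing import Dict, List, Set

MAX_LEARNED_PARAMS = 200   # limit stated in the guide


class UrlParameters:
    """Parameter names learned for a single URL, plus its configured prefixes."""

    def __init__(self) -> None:
        self.names: Set[str] = set()      # regular (exact) parameter names
        self.prefixes: Set[str] = set()   # parameter name prefixes

    def is_allowed(self, name: str) -> bool:
        """A name is allowed if it was learned exactly or matches a prefix."""
        return name in self.names or any(name.startswith(p) for p in self.prefixes)

    def learn(self, name: str) -> bool:
        """Record a name seen during Learn Mode.  Returns False once the
        200-parameter cap is reached, the signal to look for a prefix."""
        if self.is_allowed(name):
            return True
        if len(self.names) >= MAX_LEARNED_PARAMS:
            return False
        self.names.add(name)
        return True

    def make_prefix(self, prefix: str) -> List[str]:
        """Make Prefix: creating a prefix deletes all regular parameters that
        begin with it.  Returns the absorbed names, sorted."""
        absorbed = sorted(n for n in self.names if n.startswith(prefix))
        self.names.difference_update(absorbed)
        self.prefixes.add(prefix)
        return absorbed


def prefix_candidates(profile: Dict[str, UrlParameters]) -> List[str]:
    """URLs ordered by number of learned parameters, largest first: the sort
    the guide suggests for spotting dynamic parameter names."""
    return sorted(profile, key=lambda u: len(profile[u].names), reverse=True)
```

Note that a prefix is a plain string prefix, so "param" also covers "paramabc" as the guide states; choose the prefix long enough that it does not silently accept unrelated names.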

Deleting a URL Parameter Prefix Name


Parameter prefix names can be deleted; however, the parameter names that were absorbed into the prefix name cannot be automatically regenerated as individual names. The URL must be returned to Learn Mode, and the parameters relearned. In general, there is no reason to delete a prefix, unless it was defined incorrectly.

To delete a URL parameter prefix name:
1. Select the URL prefix name and click Delete. A delete confirmation Window appears, as displayed in Figure 6-10.

Figure 6-10 Delete URL Prefix Confirmation Window

2. Click OK to delete the prefix or Cancel to cancel.

Changing URL Parameters


Each parameter has the following settings:
- Name: The name of the parameter.
- Min: The minimum length (in characters) of the parameter.
- Max: The maximum length (in characters) of the parameter.
- Re: Whether the parameter is required or not (i.e. AppXcel WAF invokes a Profile Violation if the parameter is missing).
- Value Type: The main value type of the parameter. See Appendix I for more information on each value type.
- Additional value types icon: Opens a window with additional allowed types of this parameter. See Appendix I for more information on each value type.
- Read Only: A checkbox indicating whether this parameter is read-only or not. A read-only parameter is a parameter whose value is set by the Web application (hidden fields and embedded links) and the user is not allowed to manually alter it. The Web application receives from the browser the exact same value as it sent. The attacks associated with read-only parameters are parameter tampering and hidden field manipulation. AppXcel WAF automatically learns which parameters are read-only and enforces that in real time. It is not recommended to manually set a parameter to read-only; instead, allow AppXcel WAF to learn that this is a read-only parameter. By manually setting a parameter as read-only you might generate false positives. You can, however, release a read-only parameter in case of a false positive by clearing this checkbox.

To configure URL Parameters:
1. Follow the procedure in Sections Browsing the Tree View, page 6-5 and Browsing the List View, page 6-7 to display a tree or list view of the learned URLs.
2. Select one of the URLs from the tree/list view. The parameter settings for each URL are displayed in a table below the tree/list view, as displayed in Figure 6-11.

Figure 6-11 URL Parameters Table

Note: AppXcel WAF utilizes statistical algorithms to automatically determine the minimum and maximum length of parameters. For some parameters you might notice that the minimum length is 0 and the maximum is 1000. This means that AppXcel WAF has not collected enough statistical data on the specific parameter during Learn Mode to accurately determine its minimum and maximum lengths. Therefore AppXcel WAF uses a low minimum and a high maximum to avoid false positive scenarios.

3. To change a parameter's settings:
   a. To make a non-required parameter required, or a required parameter non-required, select the check box in the Re column.
   b. To change the main value type, select the value type from the drop-down list. (See Appendix I for more information on value types.)
   c. To add or remove additional value types, click the icon to open the Configure Value Type Window, select or clear the required types and click Save. (See Appendix I for more information on value types.)
4. To release a read-only parameter, clear the read-only checkbox.
   a. Click Save below the Parameters table.
5. To add a new parameter to the URL:
   a. Click Add below the Parameters table. The Add Parameter Window appears, as displayed in Figure 6-12.

Figure 6-12 Add Parameter Window

   b. Enter the new parameter's name in the Name field.
   c. Enter the parameter's minimum number of characters in the Min field.
   d. Enter the parameter's maximum number of characters in the Max field.
   e. Select the Req check box if the new parameter is required.
   f. Select the main value type from the drop-down list.
   g. Click Save to save the new parameter or Cancel to cancel.
6. To delete an existing parameter:
   a. Select the parameter name.
   b. Click Delete below the Parameters table. A delete confirmation window appears, as displayed in Figure 6-13.

Figure 6-13 Delete Parameter Confirmation Window

   c. Click OK to delete the parameter or Cancel to cancel.
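The parameter settings and the statistical length note above, as an added Python example that is not AppXcel code: a rule per parameter carrying Min, Max, Re, Value Type and Read Only, a check that reports which setting a request violates, and a length-bounds function that falls back to the wide 0..1000 range when too few samples have been collected. The value-type names, the sample threshold, the violation strings and the way the read-only check compares against the value the application sent are assumptions of this example; the product's value types are described in Appendix I, which is not reproduced here.

```python
"""Added example (not AppXcel code): enforce Min/Max/Re/Value Type/Read Only
per parameter, and derive length bounds from learned samples."""
import re
from dataclasses import dataclass, field
from typing import List, Mapping, Sequence, Tuple

# assumption: illustrative value types, each checked as a full-string match
VALUE_TYPES = {
    "numeric": re.compile(r"-?[0-9]+"),
    "alpha": re.compile(r"[A-Za-z]+"),
    "alphanumeric": re.compile(r"[A-Za-z0-9]+"),
    "any": re.compile(r".*", re.DOTALL),
}
MIN_SAMPLES = 20            # assumption: fewer samples than this -> wide bounds
DEFAULT_BOUNDS = (0, 1000)  # the "not enough data" minimum and maximum from the guide


@dataclass
class ParamRule:
    name: str
    min_len: int = 0
    max_len: int = 1000
    required: bool = False                                          # the Re column
    value_types: List[str] = field(default_factory=lambda: ["any"])  # main type first
    read_only: bool = False


def learned_length_bounds(samples: Sequence[str]) -> Tuple[int, int]:
    """Min/Max from observed values, or 0..1000 when the sample is too small."""
    if len(samples) < MIN_SAMPLES:
        return DEFAULT_BOUNDS
    lengths = [len(s) for s in samples]
    return min(lengths), max(lengths)


def check_request(rules: Mapping[str, ParamRule], request: Mapping[str, str],
                  app_sent: Mapping[str, str]) -> List[str]:
    """app_sent holds the values the application itself embedded for read-only
    parameters (hidden fields, links); the browser must return them unchanged."""
    violations: List[str] = []
    for name, rule in rules.items():
        if name not in request:
            if rule.required:
                violations.append(f"required parameter missing: {name}")
            continue
        value = request[name]
        if not rule.min_len <= len(value) <= rule.max_len:
            violations.append(f"parameter length: {name}")
        if not any(VALUE_TYPES[t].fullmatch(value) for t in rule.value_types):
            violations.append(f"parameter value type: {name}")
        if rule.read_only and value != app_sent.get(name):
            violations.append(f"read-only parameter modified: {name}")
    return violations
```

A request parameter that matches none of the rules is handled by the URL profile's parameter list rather than here; this check only covers parameters the profile already knows.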

Copying a Parameter
The Copy Parameter operation allows you to copy the settings of a specific parameter to other parameters in other URLs in the profile. You can copy the settings of a parameter to all parameters that have a specific name, or to those whose name starts with a specific prefix. You can also copy the parameter's settings to all parameters that are located under a specific directory. You can also combine the two options, i.e. copy the parameter's settings to all parameters located under a specific directory whose name starts with a specific prefix.

To copy parameter settings:
1. Click the parameter you want to copy.
2. Click the Copy button.
3. Enter the parameter prefix to which you want to copy the settings.
4. Enter the URL prefix to which you want to copy the settings.
5. Click Save.

Note: This is a copy operation. If you change the setting of one of the destination parameters or of the copied parameter, it does not affect the other settings.

Figure 6-14 Copy Parameters

Saving a URL as a Pattern


You can select a URL in the tree or list view and save it as a URL pattern. This makes it easier to track down possible URL patterns when reviewing the URL profile.

To save a URL as a pattern:
1. Follow the procedure in Sections Browsing the Tree View, page 6-5 and Browsing the List View, page 6-7 to display a tree or list view of the learned URLs.
2. Select the URL.
3. Click Save as Pattern. The Save as Pattern Window appears, as displayed in Figure 6-15.

Figure 6-15 Save As Pattern Window

4. Change the Host Group and the HTTP Methods if required.
5. Edit the URL to reflect the pattern.
6. Select the pattern type, either Prefix or Suffix.
7. Click Save to create the pattern or Cancel to cancel. Once created, the new pattern appears in the URL patterns section.

Note: All URLs that match the newly defined pattern are deleted from the profile. AppXcel WAF does not add to the profile URLs that match one of the existing patterns.

Host Mapping
Each HTTP request that a browser generates includes a special header called HOST. For example, if the user accesses http://www.Radware.com/contact.html, the browser sends a request for the page contact.html. The request contains a special HTTP header called HOST with the value www.Radware.com.

Requests to a single application can be seen with different host names. Consider for example users accessing the Radware web site. They can use the URL http://www.radware.com, which generates the host name www.radware.com. They can also use http://radware.com, which generates the host name radware.com. Alternatively they can access http://209.218.228.121, which is the Radware web site's IP address. This access generates the host name 209.218.228.121.

Because a single application may include different host names, AppXcel WAF introduces the concept of host groups. A host group can include one or more host names. AppXcel WAF considers all hosts in the group as the same application and creates a single profile for these hosts. When you define a new Web server group, AppXcel WAF automatically creates a default host group with the same name as the server group. All host names that AppXcel WAF sees on requests to this server group are added to the default host group. At any time you can view the list of hosts in the default host group and decide that one or more hosts should be separated into different host groups.

Why is it sometimes necessary to separate host groups from the default host group? Consider for example a scenario in which the same physical server hosts both the applications www.radware.com and support.radware.com. As these are two different applications, AppXcel WAF should present two different profiles, one for www.radware.com and the other for support.radware.com. However, since AppXcel WAF adds all host names to the default host group, both www.radware.com and support.radware.com are part of the default host group. You need to manually create a new host group for the support application and move the support.radware.com host from the default host group to the newly created support host group. When you create a new host group and move hosts to it from the default host group, AppXcel WAF restarts learning the hosts you moved.

Radware therefore recommends looking at the default host group's host list after creating this server group. If you identify host names that belong to a different host group, create new host groups and move the relevant hosts to these groups so that AppXcel WAF is able to properly learn the different applications.

To view Host Mapping:
1. Expand the Web Server Group submenu.
2. Expand the Profiles submenu.
3. Select URL Profile. The URL Profile window appears and displays the URLs the system learned from the activity of the Server Group.
4. Click the Host Mapping button located at the top of the Window. The Host Mapping window appears, as displayed in Figure 6-16.

Figure 6-16 Host Mapping Window

This Window displays the defined hosts and their associated groups. (By default all hosts are associated with the default host group that has the same name as the server group.)

To reassign a host to a different group:
1. From the main window select Host Mapping. The Host Mapping window appears.
2. In the Host Mapping window, click the down arrow next to the host's group name in the Group column. A drop-down list of defined Host Groups appears.
3. Select a Host Group name from the drop-down list.
4. Click Save.
Notice that only the default host group is listed the first time this Window is opened. Host groups must be configured manually.

Note: If the host name does not appear in the list, add it manually:
5. Click Add below the hosts list. The Add Host Window appears, as displayed in Figure 6-17.

Figure 6-17 Add Host Window

6. In the Add Host window, enter the new host name in the Host field.
7. Click Save to save the new host or Cancel to cancel.

Configuring Host Groups


This section describes how to configure the Host Groups from the Host Mapping window. To define a Host Group:
1. From the main window click Edit Groups. The Edit Host Groups Window appears, as displayed in Figure 6-18.

Figure 6-18 Edit Host Groups Window

2. To add a new Host Group:
   a. Enter the group name in the Group field under Add New.
   b. Click Add. The new Host Group is added to the list in the table above.
3. To delete an existing Host Group:
   a. Select the group.
   b. Click Delete. The defined host group is deleted from the list.
4. Click Close.

Note: Requests that arrive with an unlisted host name are mapped to the Default Web Application host group and the host name is added to that group.
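Host mapping and host groups as described in the two sections above, as an added Python example that is not AppXcel code: HOST header values are normalized, unlisted hosts land in the default group named after the server group, a host can be moved to a manually created group, and URLs learned after the move accrue to the new group's profile (the guide's "learning restarts"). Group names, host names and URLs are constructed.

```python
"""Added example (not AppXcel code): host groups keyed by the HOST header."""
from typing import Dict, Optional, Set


class HostMapping:
    def __init__(self, server_group: str) -> None:
        self.default_group = server_group                           # same name as the server group
        self.groups: Dict[str, Set[str]] = {server_group: set()}    # group -> host names
        self.host_to_group: Dict[str, str] = {}
        self.profiles: Dict[str, Set[str]] = {server_group: set()}  # group -> learned URLs

    @staticmethod
    def normalize(host_header: str) -> str:
        """Lower-case the HOST value and drop any :port suffix."""
        h = host_header.strip().lower()
        if h.startswith("["):                    # IPv6 literal such as [2001:db8::1]:8080
            return h[: h.index("]") + 1]
        return h.split(":", 1)[0]

    def group_for(self, host_header: str) -> str:
        """Map a request's HOST header to a host group; an unlisted host name
        is added to the default group, as the guide's note states."""
        host = self.normalize(host_header)
        if host not in self.host_to_group:
            self.host_to_group[host] = self.default_group
            self.groups[self.default_group].add(host)
        return self.host_to_group[host]

    def add_group(self, name: str) -> None:
        """Edit Groups -> Add: a new, empty host group with its own profile."""
        self.groups.setdefault(name, set())
        self.profiles.setdefault(name, set())

    def move_host(self, host: str, group: str) -> None:
        """Reassign a host (the Group column of the Host Mapping window).
        The host's URLs from now on accrue to the new group's profile."""
        host = self.normalize(host)
        if group not in self.groups:
            raise KeyError(f"host group {group!r} must be created first")
        old: Optional[str] = self.host_to_group.get(host)
        if old is not None:
            self.groups[old].discard(host)
        self.host_to_group[host] = group
        self.groups[group].add(host)

    def learn_url(self, host_header: str, url: str) -> str:
        """Record a learned URL under the profile of the host's group."""
        group = self.group_for(host_header)
        self.profiles[group].add(url)
        return group
```

Splitting hosts that serve different applications matters for accuracy: with both in the default group, the profile would accept support.radware.com's URLs on www.radware.com and vice versa.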

SOAP and XML Representation


AppXcel WAF automatically identifies URLs consisting of XML and SOAP content. These URLs have a special icon in the profile learning and for URLs in protection. for URLs in

For each SOAP/XML URL, AppXcel WAF presents all the SOAP actions that have been learned for this URL. If the URL doesn't include any SOAP actions but does contain XML., AppXcel WAF presents the "Default SOAP action". SOAP actions are presented differently in tree view and list view. In the tree view the actions are presented under the relevant URL. You can click on a specific action and see its attributes. In list view there are two links next to the URL: Parameters and Actions. The Parameters link presents the list of parameters associated with this URL and the Actions link presents a list of actions associated with this URL. The list of actions is presented in the bottomleft frame. You can select an action from the list and view its attributes in the bottom-right frame. When the URL is switched to protect mode AppXcel WAF invokes the "Unauthorized SOAP Action" violation whenever someone attempts to access the URL with an unauthorized SOAP action.

AppXcel User Guide

6-29

AppXcel User Guide

Figure 6-19 SOAP URL - Tree View

To manually add or remove SOAP actions for a URL, click the Edit URL button. In the popup window, select the actions to delete and click Delete, or enter the name of the action you wish to add and click Add.

AppXcel WAF breaks the XML document into structures. Each structure represents a value and is built from the full hierarchy of nested tags that contain that value. For example, an XML document based on the following schema:

    <schema>
      <complexType name="purchaseOrder">
        <element name="comment" type="string"/>
        <element name="item" minOccurs="0">
          <complexType>
            <element name="productName" type="string"/>
            <element name="quantity"/>
            <element name="Price" type="decimal"/>
            <attribute name="partNum" type="SKU"/>
          </complexType>
        </element>
      </complexType>
    </schema>

is represented by the following structures:

    XML/purchaseOrder/comment
    XML/purchaseOrder/item/productName
    XML/purchaseOrder/item/quantity
    XML/purchaseOrder/item/Price

These structures are learned automatically and added to the Parameters section of the SOAP action. For each structure, AppXcel WAF learns its minimal and maximal size, its value type and whether or not it is required, exactly as it learns regular URL parameters. When a request arrives that does not match the profile, AppXcel WAF invokes the XML Value Length, XML Value Type or Required XML Attribute/Element Not Found violation.

For each URL, AppXcel WAF also learns whether the URL can be accessed as a regular URL in addition to being accessed as a SOAP URL. This depends on whether the URL has HTTP methods associated with it, which you can edit in the Edit URL popup window. If the URL has no methods, it can only be accessed as a SOAP URL, and AppXcel WAF invokes the "Non-SOAP Access to a SOAP-Only URL" violation whenever someone tries to access it as a non-SOAP URL. URLs that are not learned or configured as SOAP invoke the "SOAP Access to a Non-SOAP URL" violation whenever someone tries to access them as SOAP. To configure this manually, open the Edit URL popup and select or clear the SOAP checkbox.
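The learning and enforcement described above, as an added example (not AppXcel code): the Python below flattens a SOAP body into AppXcel-style structures, learns minimal and maximal size, value type and the required flag per structure and per SOAP action, and then reports the violations named on this page. The profile layout, the violation strings, the SOAP-action keying and the sample purchase orders are assumptions constructed for illustration; an attribute is rendered as path/@name, which the page does not specify.

```python
import re
import xml.etree.ElementTree as ET

SOAP_ENV = "{http://schemas.xmlsoap.org/soap/envelope/}"
TYPE_RANK = {"Numeric": 0, "Latin": 1, "UTF-8": 2}  # each type includes those below it


def value_type(value):
    """Narrowest value type that fits, like the types the profile learns for parameters."""
    if re.fullmatch(r"-?\d+(\.\d+)?", value):
        return "Numeric"
    return "Latin" if all(32 <= ord(ch) < 127 for ch in value) else "UTF-8"


def flatten(xml_text):
    """{structure_path: value}, path = full hierarchy of nested tags, e.g.
    XML/purchaseOrder/item/productName. SOAP Envelope/Body wrappers are transparent."""
    out = {}

    def walk(el, prefix):
        if el.tag.startswith(SOAP_ENV):
            for child in el:
                walk(child, prefix)
            return
        path = f"{prefix}/{el.tag.rsplit('}', 1)[-1]}"
        for attr, val in el.attrib.items():  # attributes are structures too (assumed naming)
            out[f"{path}/@{attr.rsplit('}', 1)[-1]}"] = val
        if len(el):
            for child in el:
                walk(child, path)
        else:
            out[path] = (el.text or "").strip()

    walk(ET.fromstring(xml_text), "XML")
    return out


def learn(profile, action, xml_text):
    """Update the per-SOAP-action profile (min/max length, type, required) from one clean request."""
    structures = flatten(xml_text)
    params = profile.setdefault(action, {})
    first_sample = not params
    for path, value in structures.items():
        t, n = value_type(value), len(value)
        p = params.setdefault(path, {"min": n, "max": n, "type": t, "required": first_sample})
        p["min"], p["max"] = min(p["min"], n), max(p["max"], n)
        if TYPE_RANK[t] > TYPE_RANK[p["type"]]:
            p["type"] = t  # widen the learned type
    for path, p in params.items():
        if path not in structures:
            p["required"] = False  # a clean request arrived without it


def check(profile, action, xml_text):
    """Violations a request raises against the profile (empty = clean). Structures the
    profile does not know are left alone: the page names no violation for them."""
    if action not in profile:
        return ["Unauthorized SOAP Action"]
    structures, violations = flatten(xml_text), []
    for path, p in profile[action].items():
        if path not in structures:
            if p["required"]:
                violations.append(f"Required XML Attribute/Element Not Found: {path}")
            continue
        value = structures[path]
        if not p["min"] <= len(value) <= p["max"]:
            violations.append(f"XML Value Length: {path}")
        if TYPE_RANK[value_type(value)] > TYPE_RANK[p["type"]]:
            violations.append(f"XML Value Type: {path}")
    return violations


# Constructed sample traffic following the purchaseOrder schema above.
def envelope(payload):
    return ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            f'<soap:Body>{payload}</soap:Body></soap:Envelope>')


def order(comment, product, qty, price, part="872-AA"):
    return envelope(f'<purchaseOrder><comment>{comment}</comment>'
                    f'<item partNum="{part}"><productName>{product}</productName>'
                    f'<quantity>{qty}</quantity><Price>{price}</Price></item></purchaseOrder>')


PROFILE = {}
for doc in (order("Rush", "Lawnmower", "1", "148.95"),
            order("Leave at back door", "Hose", "12", "39.98")):
    learn(PROFILE, "purchaseOrder", doc)


def demo():
    return {
        "clean": check(PROFILE, "purchaseOrder", order("Gift", "Rake", "3", "19.99")),
        "injected": check(PROFILE, "purchaseOrder", order("Gift", "Rake", "1 OR 1=1", "19.99")),
        "missing": check(PROFILE, "purchaseOrder", envelope(
            '<purchaseOrder><item partNum="872-AA"><productName>Rake</productName>'
            '<quantity>3</quantity><Price>19.99</Price></item></purchaseOrder>')),
        "unknown_action": check(PROFILE, "getQuote", order("Gift", "Rake", "3", "19.99")),
    }
```

After two clean orders the quantity structure is learned as Numeric with length 1 to 2, so an injected "1 OR 1=1" trips both the length and the type check, a request without the comment element trips the required check, and an action the profile never saw is rejected before any structure is examined.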

Figure 6-20 SOAP URL - List View

URL Patterns
URL Patterns enable the administrator to define patterns within URL paths and thus avoid some of the problems often encountered with very large or dynamic sites. Consider, for example, a site that has a different folder for each user, where every folder contains the same files: the folders /mickey/ and /dave/ both include show.asp and order.asp. Every new user introduces two new URLs, so AppXcel WAF would never stop learning new URLs.

URL Patterns solve this problem. A URL pattern is a URL prefix or a URL suffix that AppXcel WAF treats as a group of learned URLs. Every new URL that matches the pattern is recognized as legitimate and does not invoke an Unknown URL Violation. In the example above, you can define both "show.asp" and "order.asp" as URL suffix patterns, which ensures these files are properly protected no matter where they are located.

Suffix patterns can be defined for file types (for example ".aspx"), for specific files (for example "order.asp"), or for a file name together with part of its path (for example "/public/print.asp" matches both "/scripts/public/print.asp" and "/home/public/print.asp").

Consider prefix patterns when you have folders that contain a large number of files of the same type. For example, if the folder "/public/calculators/" contains hundreds of files, all with the same parameters and the same behavior, you can define "/public/calculators/" as a URL prefix and every file that matches this pattern is protected by it.

Note: For static files (e.g. images, Office files), consider not learning or protecting these file types. See the section on avoiding learning and protecting static files for more information.

To use URL Patterns:
1. Expand the Server Group's submenu.
2. Expand the Profiles submenu.
3. Click URL Patterns. The URL Patterns window appears, as displayed in Figure 6-21.

Figure 6-21 URL Patterns Window

This window displays the list of URL patterns that AppXcel WAF recognizes when it encounters a matching URL.

Creating a New URL Pattern

AppXcel WAF allows the administrator to manually define new URL Patterns. This is useful when, for example, a group of legitimate URLs is stored within a particular directory.

Note: The recommended way to add a URL pattern is to save a profiled URL as a pattern rather than using the process below. When you save a profiled URL as a pattern, all of its methods and parameters are saved with it, so you do not need to add them manually as in the process below.

To manually create a new URL pattern:
1. From the main window select URL Patterns. The URL Patterns window appears.
2. In the URL Patterns window, click Add Pattern. The Add Pattern window appears, as displayed in Figure 6-22.

Figure 6-22 Add Pattern Window

3. Select the host group to which this pattern applies. If no host name is specified, the pattern matches any host.

4. Enter the pattern in the URL Pattern field.
   Note: The pattern is a simple text string. No escape characters are needed.
5. Select the pattern type, Suffix or Prefix, from the Pattern Type combo box.
6. Select the HTTP methods from the HTTP Method checkboxes list.
7. Click Save to save the new URL pattern or Cancel to cancel.

Note: All URLs that match the newly defined pattern are deleted from the profile. AppXcel WAF does not add URLs to the profile that match one of the existing patterns.
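How prefix and suffix patterns change what the profile accepts, as an added example that is not AppXcel code: the class below keeps learned URLs and patterns, refuses to learn URLs a pattern already covers, and deletes matching learned URLs when a pattern is added, as the note above describes. The class, its method names, the per-pattern method set (standing in for the HTTP Method checkboxes) and the sample paths are constructed for illustration.

```python
class UrlProfile:
    """Learned URLs plus prefix/suffix URL patterns; classify() says how a request URL is covered."""

    def __init__(self):
        self.urls = {}       # learned URL -> set of allowed HTTP methods
        self.patterns = []   # (kind, text, methods), kind is "prefix" or "suffix"

    @staticmethod
    def _hit(kind, text, url):
        return url.startswith(text) if kind == "prefix" else url.endswith(text)

    def match_pattern(self, url):
        for kind, text, methods in self.patterns:
            if self._hit(kind, text, url):
                return kind, text, methods
        return None

    def learn(self, url, method):
        """Add a URL seen during learning; URLs covered by a pattern are not added."""
        if self.match_pattern(url):
            return False
        self.urls.setdefault(url, set()).add(method)
        return True

    def add_pattern(self, kind, text, methods):
        """Add a pattern and drop the learned URLs it now covers; returns the dropped URLs."""
        self.patterns.append((kind, text, set(methods)))
        dropped = sorted(u for u in self.urls if self._hit(kind, text, u))
        for u in dropped:
            del self.urls[u]
        return dropped

    def classify(self, url, method):
        """("learned" | "pattern <kind> <text>" | "Unknown URL Violation", method allowed?)"""
        if url in self.urls:
            return "learned", method in self.urls[url]
        hit = self.match_pattern(url)
        if hit:
            kind, text, methods = hit
            return f"pattern {kind} {text}", method in methods
        return "Unknown URL Violation", False


def demo():
    prof = UrlProfile()
    for user in ("mickey", "dave"):          # one folder per user, the same two files in each
        prof.learn(f"/{user}/show.asp", "GET")
        prof.learn(f"/{user}/order.asp", "POST")
    before = prof.classify("/alice/order.asp", "POST")   # a third user: never learned
    dropped = prof.add_pattern("suffix", "order.asp", ["POST"])
    prof.add_pattern("suffix", "/public/print.asp", ["GET"])
    prof.add_pattern("prefix", "/public/calculators/", ["GET"])
    return {
        "before_pattern": before,
        "dropped_from_profile": dropped,
        "learn_while_covered": prof.learn("/bob/order.asp", "POST"),
        "alice_order": prof.classify("/alice/order.asp", "POST"),
        "alice_order_get": prof.classify("/alice/order.asp", "GET"),
        "nested_print": prof.classify("/scripts/public/print.asp", "GET"),
        "calculator": prof.classify("/public/calculators/mortgage.asp", "GET"),
        "still_learned": prof.classify("/dave/show.asp", "GET"),
        "unknown": prof.classify("/admin/backup.asp", "GET"),
    }
```

Before the suffix pattern exists, /alice/order.asp is an Unknown URL; after it is added the two learned order.asp URLs leave the profile, the pattern covers every user's copy, and a GET against it is still flagged because the pattern only carries POST.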

Editing an Existing URL Pattern

Existing URL patterns may be changed and edited.

To change an existing URL pattern:
1. From the main window select URL Patterns. The URL Patterns window appears.
2. In the URL Patterns window, click Edit Pattern. The Edit Pattern window appears, as displayed in Figure 6-23.

Figure 6-23 Edit URL Pattern Window

3. Change one or more of the pattern settings.
4. Click Save to save the changes or Cancel to cancel.

In addition to changing the pattern itself, the parameters of the URL pattern may also be changed.

To change the URL pattern's parameters:
1. From the main window select URL Patterns. The URL Patterns window appears.
2. In the URL Patterns window select Parameters. The Parameters table appears.
3. To change a parameter's settings in the Parameters table:
   a. Select the parameter.
   b. Change one or more of the parameter settings.
   c. To make a non-required parameter required, or a required parameter non-required, click the check box in the Req column.
   d. Click Save.
4. To add a new parameter to the URL pattern:
   a. Click Add below the Parameters table. The Add Parameter window appears, as displayed in Figure 6-24.

Figure 6-24 Add Parameter Window

   b. In the Add Parameter window, enter the new parameter's name in the Name field.
   c. Enter the parameter's minimum length (number of characters) in the Min field.
   d. Enter the parameter's maximum length in the Max field.
   e. Select the Req check box if the new parameter is required.
   f. Select the value type: None, Numeric, Latin characters, Foreign language characters (UTF-8).
   g. Click Save.
5. To delete an existing parameter:
   a. Select the parameter.
   b. Click Delete below the Parameters table. A delete confirmation window appears, as displayed in Figure 6-25.

Figure 6-25 Delete Parameter Confirmation Window

   c. Click OK. Your preferences are recorded.

Cookie Profiles
AppXcel WAF tracks cookies and verifies (1) that users do not alter the content of cookies set by the Web application and (2) that they do not inject cookies that the Web application never sent them.

When a new Web server group is created, AppXcel WAF starts learning which cookies belong to the server group. The learning period differs for each cookie. During the learning period the cookie appears in the Cookies in Learning window. At the end of the learning period AppXcel WAF either protects the cookie or ignores it, and the cookie appears in either the Protected Cookies window or the Ignored Cookies window. Protected and ignored cookies are explained below.

Ignored cookies are cookies whose value changes during the session in a way that AppXcel WAF cannot validate. For example, when a cookie can be changed by the browser using client-side code such as JavaScript, the cookie cannot be validated because the browser may change it to a completely different value. Another example is a Web server that is not monitored by AppXcel WAF changing cookie values during the session. In this scenario AppXcel WAF may see different values for the same cookie, but since it does not monitor that Web server's SET commands it cannot validate the cookie's value.

Protected cookies are cookies that do not change during the session, or whose changes AppXcel WAF can trace and validate. AppXcel WAF provides two levels of protection for protected cookies. The first level protects against cookie tampering. The second level protects against both cookie tampering and cookie injection. AppXcel WAF automatically decides the proper protection level for each cookie based on the cookie's behavior: some cookies can only be protected from tampering, while others can be protected from both tampering and injection.

Full protection (against both cookie injection and cookie tampering) is provided for cookies for which AppXcel WAF can always see the SET command issued by the Web application. The SET command is how a Web application sends the browser a new cookie or a new value for an existing cookie. When AppXcel WAF intercepts a cookie's SET command, it records the cookie's name and value and associates them with the specific user session. The next time that cookie arrives from the same user session, AppXcel WAF verifies that the name and value match what it recorded from the previous SET command. If the user altered the cookie's value so that it no longer matches, AppXcel WAF invokes a Cookie Tampering violation. If the cookie is not stored in AppXcel WAF at all (that is, AppXcel WAF has not seen a SET command for it), it invokes a Cookie Injection violation: the user is trying to send the Web server a cookie without first having received it from the Web server.

Partial protection (against cookie tampering only) is provided for cookies for which AppXcel WAF cannot always see the SET command. This usually happens with persistent cookies, where the Web application sends the cookie once and it can remain in the user's browser for months, while AppXcel WAF keeps cookie state for a much shorter time. If a user received a persistent cookie valid for three months and returns to the site a month later, the browser sends that cookie, but AppXcel WAF cannot trace the SET command since it happened a month ago. For these cookies AppXcel WAF does not generate the Cookie Injection violation. Instead, when AppXcel WAF first sees an HTTP request carrying a partially protected cookie, it records the cookie's name and value and associates them with the user session. The next time that cookie arrives from the same session, AppXcel WAF verifies that the value matches what it recorded; if the user altered the value during the session, AppXcel WAF invokes a Cookie Tampering violation.

The server group's cookie profile window presents three lists: cookies that are being learned, protected cookies and ignored cookies.

To view the cookie profile windows:
1. Expand the Server Group's name in the left tree menu. A submenu appears below the Server Group's name.
2. Expand the Profiles folder.
3. Expand the Cookies folder.
4. Click one of the cookie pages: Protected Cookies, Ignored Cookies or Cookies in Learning. The relevant Cookies window appears, as displayed in Figure 6-26.
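The two protection levels described above, as an added example (not AppXcel code): a per-session store records cookie values from the Set-Cookie responses the WAF sees; fully protected cookies raise Cookie Injection when they arrive without a recorded SET and Cookie Tampering when the value differs; partially protected cookies are recorded on first sight and checked for tampering only; ignored cookies are skipped. The policy format, the prefix entry for dynamically named cookies, the session key and the sample headers are constructed; how AppXcel keys a user session is not stated on this page.

```python
from http.cookies import SimpleCookie

FULL, PARTIAL, IGNORED = "full", "partial", "ignored"


class CookieGuard:
    """Per-session cookie validation. policy: list of (name, is_prefix, level)."""

    def __init__(self, policy):
        self.policy = policy
        self.sessions = {}   # session key -> {cookie name: last value recorded}

    def level(self, name):
        for pattern, is_prefix, level in self.policy:
            if name == pattern or (is_prefix and name.startswith(pattern)):
                return level
        return None          # in none of the three lists: AppXcel would put it in learning

    def on_response(self, session, set_cookie_headers):
        """Record every cookie the application SETs for this session."""
        store = self.sessions.setdefault(session, {})
        for header in set_cookie_headers:
            jar = SimpleCookie()
            jar.load(header)
            for name, morsel in jar.items():
                store[name] = morsel.value

    def on_request(self, session, cookie_header):
        """Validate the Cookie header against the session store; return the violations."""
        store = self.sessions.setdefault(session, {})
        jar = SimpleCookie()
        jar.load(cookie_header)
        violations = []
        for name, morsel in jar.items():
            level = self.level(name)
            if level in (IGNORED, None):
                continue
            if name not in store:
                if level == FULL:
                    violations.append(f"Cookie Injection: {name}")
                else:
                    store[name] = morsel.value   # partial: trust the first sighting
            elif store[name] != morsel.value:
                violations.append(f"Cookie Tampering: {name}")
        return violations


POLICY = [
    ("ASPSESSIONID", True, FULL),   # dynamic suffix, so a prefix entry (like the Prefix check box)
    ("role", False, FULL),
    ("lang", False, PARTIAL),       # persistent cookie whose SET the WAF may never see
    ("ui_theme", False, IGNORED),   # changed by client-side script, cannot be validated
]


def demo():
    guard = CookieGuard(POLICY)
    s = "10.0.0.7|sess-1"   # constructed session key
    guard.on_response(s, ["ASPSESSIONIDFFEDSSE=abc123; Path=/; HttpOnly", "role=user; Path=/"])
    return {
        "first_request": guard.on_request(
            s, "ASPSESSIONIDFFEDSSE=abc123; role=user; lang=en; ui_theme=dark"),
        "tampered": guard.on_request(
            s, "ASPSESSIONIDFFEDSSE=abc123; role=admin; lang=fr; ui_theme=light"),
        "injected_session": guard.on_request(
            s, "ASPSESSIONIDZZZZZZZZ=stolen; role=user; lang=en"),
        "new_cookie_goes_to_learning": guard.on_request(
            s, "ASPSESSIONIDFFEDSSE=abc123; role=user; lang=en; debug=1"),
    }
```

The first request is clean and records lang=en as the partially protected baseline; the second changes both role (full protection) and lang (partial protection) and both are reported as tampering; a session cookie with a never-seen name matches the prefix entry and is reported as injection; a cookie that appears in no list raises nothing here, because AppXcel would move it into learning rather than block it.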

Figure 6-26 Cookies Window

5. To add a new cookie to this list:
   a. In the Add New section at the bottom of the window, enter the cookie name in the Cookie Name field. Some cookies have dynamic names, for example the Microsoft IIS ASPSESSION cookie. These cookies usually have a fixed prefix followed by a dynamic suffix (for example ASPSESSIONIDFFEDSSE). For such cookies, select the Prefix check box and enter only the fixed prefix in the Cookie Name field. Note that AppXcel WAF deletes all cookies that match this prefix from the cookie list.
   b. Click Add. The cookie appears in the relevant cookie list.

Note: You cannot add cookies to the learning list directly, because AppXcel WAF automatically adds a cookie to the learning list as soon as it detects one that is not in any of the three lists. If you nevertheless wish to add a cookie to the learning list, add it to the protected list or the ignored list and then move it to the learning list.

6. To delete cookies from the list:
   a. Select the cookies.
   b. Click Delete.

7. To move cookies to the ignored list:
   a. Select the cookies.
   b. Click the relevant Move to Ignored button.
8. The Protected Cookies window includes an additional cookie attribute called Injection. If this checkbox is checked, the cookie is fully protected (from both cookie injection and cookie tampering). If it is unchecked, the cookie is protected only from cookie tampering, not from cookie injection. To manually change the cookie's status:
   a. Check or uncheck the Injection checkbox.
   b. Click Save.


Chapter 7 - Configuring Signatures

This chapter describes the Application Defense Center and how to configure signatures and dictionaries. It includes the following section:
Section 7-1: Application Defense Center Window, page 7-2

Section 7-1 Application Defense Center Window

This section contains the following topics:
Configuring Signatures - Introduction, page 7-2
Dictionary Types, page 7-4
Viewing Dictionaries, page 7-5
Viewing Signatures Window, page 7-6
Updating the Signatures Database, page 7-13
Creating Dictionaries, page 7-16
Viewing and Modifying Signatures in a Dictionary, page 7-23

Configuring Signatures - Introduction


Part of the protection provided by AppXcel WAF uses signatures. Signatures are text strings that match known server vulnerabilities and attack patterns. AppXcel WAF maintains a list of over 2500 signatures based on the Snort database and on Radware's Application Defense Center (ADC). The ADC tests each new Snort signature and makes sure it is valid. It then classifies the signature according to attributes such as the severity of the attack the signature describes, the accuracy of the signature (its sensitivity to false-positive scenarios), the systems affected by the attack (e.g. IIS Web server, Apache Web server), and more. In addition to classifying the signature, the ADC also documents it. Once the signature is verified, classified and documented, it is added to the Radware Signature Database on the Radware Web site, from which it can be downloaded either automatically (if your AppXcel WAF Management Server is connected to the Internet) or manually. The Radware signature database also contains signatures carefully crafted by the ADC to detect sophisticated application-level attacks.

To make signatures easier to use, they are collected into dictionaries. You can then use different dictionaries in different server groups, and each server group can use multiple dictionaries. A dictionary is actually a filter on the signature database. Dictionaries can be created, modified and deleted. When you create a dictionary you define the filter; for example, you can define a dictionary that includes all highly accurate, medium severity signatures for IIS 5 and 6. Once you define a filter dictionary, new signatures that are added to the signature database are automatically added to the relevant dictionaries according to their classified attributes.

AppXcel WAF includes a set of pre-defined dictionaries. These dictionaries are filters defined by Radware; they are adequate for most networking environments and let you avoid defining new dictionaries.

The following procedures describe how to create, enable and delete dictionaries; how to add, remove and edit the signatures in the dictionaries; and how to update the signature database.

Application Defense Center Preferences Window


The Check for Updates and Upload buttons open windows for managing the signature database. The figure below illustrates the Application Defense Center Preferences window:

Figure 7-1 ADC Preferences Window

Dictionary Types
Two attributes define each dictionary:

Filtered or Manual. A filtered dictionary is created by applying a filter to the signature database. Once the filter is defined, all signatures in the database that match the filter are part of the dictionary. You can change the filter at any time, thereby determining which signatures are included. When Radware adds a new signature to the signature database, AppXcel WAF automatically adds it to all relevant dictionaries based on their filters. You can manually delete a signature from a filtered dictionary, but you cannot add your own signatures to a filtered dictionary or edit its existing signatures. For that you need to define a manual dictionary. A manual dictionary is created empty and allows you to add your own signatures to it. A manual dictionary contains only your own signatures; you cannot add signatures from the Radware signature database to it.

Predefined or User-Defined. A predefined dictionary was created by Radware and comes as part of the AppXcel WAF installation. A user-defined dictionary is defined by the user. You cannot delete a predefined dictionary or edit its filter.

Dictionaries are listed in the tree menu of the ADC tab in two categories: Predefined Dictionaries and My Dictionaries (user-defined dictionaries), as displayed in Figure 7-2.

Figure 7-2 Dictionaries List

Dictionary types are indicated by icons: one icon marks a manually generated dictionary and another marks a filtered dictionary.

Viewing Dictionaries
The following steps describe how to access and view a dictionary.

To view a dictionary:
1. Expand the Application Defense Center item in the left tree menu.
2. Expand the Predefined Dictionaries or My Dictionaries item.
3. Click the dictionary name. The Dictionary window appears, as displayed in Figure 7-3.

Figure 7-3 Manual Dictionary Window

Viewing Signatures Window


The Signatures window presents a list of all signatures defined in the AppXcel WAF system. You can browse the signatures and their properties, disable them or restore them. Note that when you view a dictionary violation in the Alert view, you can click the violation to open a popup with the relevant signature; there you can view all the attributes associated with the signature and disable it.

To view and modify signatures: click View All Signatures in the ADC page. The Signatures window appears, as displayed in Figure 7-4.

Figure 7-4 View All Signatures Window

The Signatures window presents a list of all signatures in the database. Each signature entry includes the signature name, the signature itself, and its status. Click the sort arrows to sort the signatures or the signature names alphabetically. The signature status, shown as an icon, can be one of the following:
- Signature disabled in all dictionaries
- Signature disabled in the currently displayed dictionary
- Enabled (predefined) signature
- Enabled, user-created signature

AppXcel WAF displays up to 50 signatures per page. You can browse the pages using the following options:
- Set the number of signatures displayed on each page (select the number from the drop-down list)
- Go to the first page
- Go to the previous page
- Go to the next page
- Go to a specific page (click the page number)
- Go to the last page

Filtering Signatures
AppXcel WAF lets you filter the displayed signatures according to their characteristics.

Note: The filter is a presentation option that modifies only the display of signatures. It does not remove any signatures from the dictionaries.

To filter signatures:
1. Click the filter button. The Filter window appears, as displayed in Figure 7-5.

Figure 7-5 Filter Signatures Window

   The filter returns all signatures containing the search string in either the signature itself or the signature description field. If you check "Show only disabled signatures", only disabled signatures that match the text string are returned. To return all disabled signatures, leave the Search String empty.
2. Click OK to execute the filter.
3. A filter can be removed by clicking the remove button.

Viewing Signature Properties


The signature properties are displayed in the five tabs at the bottom of the window.

Signature Info
The Signature Info window is displayed in Figure 7-6.

Figure 7-6 Signature Info Window

The Signature Info window presents the following information:

Signature was created/updated after: Limits signatures to those created or updated after the specified date. Select the option and click the calendar to choose a date.

Services: The service(s) to which this signature applies.

Apply to: Server to Client: the signature is relevant for traffic that goes from the server to the client. Client to Server: the signature is relevant for traffic that goes from the client to the server. Both Directions: the signature is relevant for traffic in both directions.

URL Decoded Stream: For HTTP/S signatures that are searched in the TCP stream, AppXcel WAF can either URL-decode the stream before searching for the signature or leave the stream encoded. If this field is set to "True", AppXcel WAF decodes the stream before searching for the signature.

Search Signature in: URL: searches URLs only. HTTP Parameters: searches HTTP parameters. HTTP Headers: searches HTTP headers. Stream: searches the entire TCP stream.
Note: Query and Parsed Query are not implemented.

Summary: Attack summary.
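Why the search scope and the URL Decoded Stream setting matter, as an added example that is not AppXcel code: the Python below splits a raw request into the four scopes listed above and searches a signature string in one of them, optionally percent-decoding the URL or TCP stream first. The parser, the case-sensitive substring match and the two sample requests are constructed for illustration; the page does not say how AppXcel tokenizes a request or whether its matching is case-sensitive.

```python
from urllib.parse import parse_qsl, unquote


def parse_request(raw):
    """Split a raw HTTP/1.x request into the scopes the Signature Info tab lists."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    params = parse_qsl(query, keep_blank_values=True)   # parse_qsl already percent-decodes
    if method == "POST" and headers.get("content-type", "").startswith(
            "application/x-www-form-urlencoded"):
        params += parse_qsl(body, keep_blank_values=True)
    return {"URL": path, "HTTP Parameters": params, "HTTP Headers": headers, "Stream": raw}


def search(signature, request, scope, url_decoded=False):
    """True if the signature text occurs in the chosen scope. url_decoded mirrors the
    "URL Decoded Stream" field: it percent-decodes the URL or TCP stream before matching.
    Parameters are always compared decoded, because the parser decodes them.
    Matching is a case-sensitive substring test (an assumption of this example)."""
    if scope == "URL":
        haystacks = [request["URL"]]
    elif scope == "HTTP Parameters":
        haystacks = [value for _, value in request["HTTP Parameters"]]
    elif scope == "HTTP Headers":
        haystacks = [f"{name}: {value}" for name, value in request["HTTP Headers"].items()]
    elif scope == "Stream":
        haystacks = [request["Stream"]]
    else:
        raise ValueError(f"unknown scope {scope!r}")
    if url_decoded and scope in ("URL", "Stream"):
        haystacks = [unquote(h) for h in haystacks]
    return any(signature in h for h in haystacks)


# Constructed sample requests (not captured traffic).
TRAVERSAL = ("GET /cgi-bin/view.pl?file=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1\r\n"
             "Host: www.example.com\r\n"
             "User-Agent: Nikto/2.1.5\r\n"
             "\r\n")
SQLI = ("POST /login HTTP/1.1\r\n"
        "Host: www.example.com\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "Content-Length: 31\r\n"
        "\r\n"
        "user=admin%27+OR+1%3D1--&pass=x")


def demo():
    t, s = parse_request(TRAVERSAL), parse_request(SQLI)
    return {
        "traversal_stream_raw": search("../../../etc/passwd", t, "Stream"),
        "traversal_stream_decoded": search("../../../etc/passwd", t, "Stream", url_decoded=True),
        "traversal_params": search("../../../etc/passwd", t, "HTTP Parameters"),
        "traversal_url_only": search("etc/passwd", t, "URL",url_decoded=True),
        "scanner_header": search("Nikto", t, "HTTP Headers"),
        "sqli_stream_decoded": search("' OR 1=1", s, "Stream", url_decoded=True),
        "sqli_params": search("' OR 1=1", s, "HTTP Parameters"),
    }
```

The traversal signature is missed in the raw stream and found once the stream is decoded or the parameter scope is used; the URL scope misses it because the payload is in the query, not the path. The SQL injection signature is still missed in the decoded stream because form encoding writes spaces as '+', which percent-decoding alone leaves in place; the parameter scope, where the parser restores the spaces, catches it. That is the practical reason to attach signatures to the parsed scopes rather than the raw stream where the product allows it, and to expect evasions built on encodings the chosen scope does not normalize.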

Attack Info
The Attack Info window is displayed in Figure 7-7.

Figure 7-7 Attack Info Tab

The Attack Info window presents the following information:

Attack Class: Class (type of attack) as defined in the knowledge base.

Attack Complexity: Complexity of the attack type. Simple refers to attacks that are relatively easy to perpetrate; complex refers to attacks that are difficult to perpetrate.

Risk: The relative damage that an attack using this signature causes: Informative, Low, Medium, High.

Attack Frequency: Frequency of the attack. Values are Low, Medium, High. High refers to common attacks while Low refers to rare attacks.

Detail: Detailed overview of the attack.

Affected Systems
The affected systems window is displayed in Figure 7-8.

Figure 7-8 Affected Systems Window

The Affected Systems window lists the systems that are affected by this signature, in the format <system name> <optional Boolean value> <optional version>.

References
The References table is displayed in Figure 7-9.

Figure 7-9 References Window

The References tab presents the following information:

Cert: Vulnerability CERT ID as it appears on the cert.org Web site.

CVE: Vulnerability CVE ID as it appears on the CVE Web site.

Bug Traq: BugTraq is another archive of vulnerabilities. This field is the number of the specific vulnerability on the BugTraq Web site.

Snort ID: For signatures extracted from the Snort database, this field presents the ID as it appears in the Snort database.

Exploit Value: A free text field that links to a description of how the attack is perpetrated.

Notes: Free text field with signature-specific notes.

Accuracy
The Accuracy window is displayed in Figure 7-10.

Figure 7-10 Accuracy Window

This window presents information on the accuracy of the signature and its false-positive and false-negative scenarios:

Signature Accuracy: Probability that an occurrence of the signature indicates an attack and not a false positive. Values are Low, Medium, High. High refers to a very accurate signature that rarely generates false positives; Low refers to an inaccurate signature that probably generates false positives as well.

False Positives: Information about false-positive scenarios related to this signature.

False Negatives: Information about false-negative scenarios related to this signature.

Additional Info: Any other information regarding this signature.

Updating the Signatures Database


The signature update service requires a subscription, which is ordered from Radware when buying the AppXcel WAF add-on or when renewing the subscription. The signature database is updated by first selecting the relevant window from the Scheduler engine.

Defining a Frequency and Task using the Scheduler Engine


APSolute Insite's built-in scheduler engine allows you to perform tasks according to a predefined schedule.

To view the Scheduler and define a frequency and a task:


1. From the main window, select Tools > Scheduler. The Scheduler window appears.

Figure 7-11 Scheduler Window

2. In the Scheduler window select Add. The Edit Task window appears.

Figure 7-12 Edit Task Window

3. In the Edit Task window, from the Task Selection drop-down list, select AppXcel WAF Signatures.
4. Set the Frequency to daily and select an hour for the update in Start Hour. The End Hour is not applicable here and is grayed out.
5. Click Next. Your preferences are recorded.
6. Set the following additional parameters in the Edit Task table:

Select: Select the required action from the drop-down list. The possibilities are: Download and Install (download the Attacks DB file and install it on the device); Download (download the Attacks DB file only); Ignore (ignore the Attacks DB file and do nothing).

Behind the Proxy (checkbox): Check this box if you are connecting to the Radware Web site through a proxy to download attack updates.

IP: The IP address of the proxy server (enabled only when Behind the Proxy is selected).

Port: The TCP port of the proxy (enabled only when Behind the Proxy is selected).

Proxy Authentication (checkbox): Check this box if you are connecting to the Radware Web site through a proxy and the proxy requires user name and password authentication.

User Name: The user name for authentication on the proxy.

Password: The password for authentication on the proxy.

External TFTP Server IP Address (checkbox): If an external server is used to download the Attacks DB file to the device, enter the external server's IP address here.

To schedule the update of the Signatures Database:
1. From the APSolute OS menu, select Security Updates > Upload AppXcel WAF Signature Updates. The Upload AppXcel WAF Signature Updates window appears.

Figure 7-13 Upload AppXcel WAF Signatures File Window

2. In the Upload AppXcel WAF Signature Updates window, check the checkboxes for the AppXcel devices you intend to update.

3. If Insite has access to the Internet, click Check Now.
4. Otherwise, go to http://www.radware.com/content/security/web_application_firewall/default.asp, download the signatures file and copy it manually to the Insite server.
5. Click Browse and find the signature file.
6. Click Upload Signature File to Selected devices.
7. Click OK. Your preferences are recorded.

To upload the signature file database with the CLI:
1. Download the signatures file from Radware support and save it locally. The file name format is: time_in_second_AppXcel_MAC
2. Copy the signature file to a temporary directory on the AppXcel via scp:
   scp /tmp/signature_file radware@<device ip>:/tmp
3. Run the command:
   appxcel web-application-firewall signatures-import
   Wait for the message: Signature file import succeed
4. To verify that the signature file is updated, run:
   appxcel web-application-firewall signatures-get

Creating Dictionaries
The following procedures describe how to create the various kinds of dictionaries.

To create a dictionary:
1. Click ADC.
2. Expand the My Dictionaries submenu.
3. Click Create a Dictionary. The Create a Dictionary window appears, as displayed in Figure 7-14.

Figure 7-14 Create a Dictionary Window

4. In the Dictionary Creation options drop-down list, select whether this is a Filter or Manual dictionary.
5. Click Create. A wizard guides you through the rest of the process. A different wizard appears for Filter and Manual dictionaries.
6. To create a Manual Dictionary:
   a. The Create Manual Dictionary window appears, as displayed in Figure 7-15.

Figure 7-15 Create Manual Dictionary

   b. Type in a name and description for the dictionary.
   c. Click Save.
7. To create a Filter Dictionary:
   a. The Create Filter Dictionary Step 1 window appears, as displayed in Figure 7-16.

Figure 7-16 Create Filter Dictionary - Step 1

   b. Type in a name and description for the dictionary.
   c. If you want to filter signatures that are attached to specific services, select the Services check box and select the specific services from the list box. Otherwise, the dictionary may contain signatures of any service.
   d. Click Next. The Create Filter Dictionary - Step 2 window appears, as displayed in Figure 7-17.

Figure 7-17 Create Filter Dictionary - Step 2 Window

   e. Select as many options as required, as described in the following table. First select the category to enable it, then the option(s) within the category. To select more than one option in a category, hold down <Ctrl> while you select the options. The operator AND is used between the options in a category.

Include only signatures that were created/updated after: Limits signatures to those created or updated after the specified date. Select the option and click the calendar to choose a date.

Apply Direction: Server to Client: the filter includes signatures relevant for traffic that goes from the server to the client. Client to Server: the filter includes signatures relevant for traffic that goes from the client to the server. Both Directions: the filter includes signatures relevant for traffic in both directions.

Signature Accuracy: Probability that the occurrence of the signature indicates an attack and not a false positive. Values are Low, Medium, High. High refers to a very accurate signature that rarely generates false positives; Low refers to an inaccurate signature that probably generates false positives as well.

Note: Each category has an enable check box, located left of the category name. You must select this check box to enable the category's parameters. If you do not specify any parameters, the filter assumes the value "any" for the category.

   f. Click Next. The Create Filter Dictionary Step 3 window appears, as displayed in Figure 7-18.

Figure 7-18 Create Filter Dictionary Step 3 Window

   g. Select as many options as required, as described in the following table. First select the category, then the options within the category. To select more than one option in a category, hold down <Ctrl> while you select the options. The operator AND is used between the options in a category.

Attack Class: Class (type of attack) as defined in the knowledge base.

Attack Complexity: Complexity of the attack type. Simple refers to attacks that are relatively easy to perpetrate; complex refers to attacks that are difficult to perpetrate.

Risk: The relative damage that an attack using this signature causes: Informative, Low, Medium, High.

Attack Frequency: Frequency of the attack. Values are Low, Medium, High. High refers to common attacks while Low refers to rare attacks.

   h. Click Next. The Create Filter Dictionary Step 4 window appears, as displayed in Figure 7-19.

AppXcel User Guide

7-21

AppXcel User Guide

Figure 7-19 Create "Dictionary Name" Step 4 Filter Parameters Window i. Define the system types to be included in the filter by filling in the fields as described in the following table: Affected Systems System Name Select this to enable the Affected Systems option. Drop-down list of system types that the signature attacks, e.g. Apache, Windows 2000. This field, together with the next field, defines the Version (optional). Version of the system that is included in the filter. (If no version is defined, all versions are included in the filter.)

Boolean Value Version

j. k. l.

Click Add. Repeat steps I and J until all systems have been added. Click Finish.


Viewing and Modifying Signatures in a Dictionary


This section describes viewing, adding, editing and disabling signatures. Note that when you view a dictionary violation in the Alert viewer, you can click the violation to view a popup of the relevant signature. You can view all the attributes associated with this signature and can disable and edit the signature.

Viewing Signatures in a Filter Dictionary


Signatures in filter dictionaries are presented in the same format as View All Signatures in the Preferences window. You can disable and enable signatures.

To view signatures in a dictionary:
1. Click the dictionary name in the tree view. The Dictionary window appears.

Adding Signatures
Note: This procedure is relevant for Manual dictionaries only. A manually added signature only applies to the dictionary in which it is added.

To add a signature:
1. In the Dictionary page, click Add Signature. The Add New Signature - Step 1 General Details window appears, as displayed in Figure 7-20.

Figure 7-20 Add New Signature

2. Type in the signature name.
3. Enter the signature itself (see appendix F for more information on writing signatures).
4. Define the signature parameters, as described in the following table:

   Services: Select a service to which this signature applies.
   Apply to:
      Server to Client: The signature is relevant for traffic that goes from the server to the client.
      Client to Server: The signature is relevant for traffic that goes from the client to the server.
      Both Directions: The signature is relevant for both directions.
   Search Signature In:
      URL: Searches URLs only.
      HTTP Parameters: Searches HTTP parameters.
      HTTP Headers: Searches HTTP headers.
      Stream: Searches the entire TCP stream or the UDP packet.
   Search this Signature in URL Decoded Stream: For HTTP/S signatures which are searched in the TCP stream, AppXcel WAF can either URL decode the stream prior to searching the signature or leave the stream encoded. If this field is checked, AppXcel WAF decodes the stream before searching the signature.

5. Click Save. The signature is added to the dictionary.

Editing Signatures
The following procedure describes how to edit a signature.

Note: This procedure is relevant for Manual dictionaries only.

To edit a signature:
1. Select a signature in the Dictionary window.
2. Click Edit Signature. The Edit Signature window appears, as displayed in Figure 7-21.

Figure 7-21 Edit Signature: General Window

3. Edit the details as required. Refer to Viewing Signature Properties, page 7-8 for an explanation of the fields.
4. Click Save.

Disabling and Enabling Signatures


Signatures in a predefined or user-defined filtered dictionary can be disabled or enabled per dictionary, or for all dictionaries. A signature that is disabled in all dictionaries is also disabled in any new dictionary that is created. A signature that is disabled in all dictionaries still appears in the dictionary's list of signatures, but it is marked as disabled. Note that disabled signatures are updated when a signature update is provided by Radware, but they remain disabled.

Enabling a signature reverses the disable action that you performed previously. If you disabled a signature in one dictionary and then enable it, it is enabled in that dictionary only. If you disabled a signature in all dictionaries and then enable it, it is enabled in all dictionaries.

Note: For manual dictionaries, the Disable function is replaced with Delete. If you delete a manually added signature, the signature is removed from the dictionary.

To disable a signature:
1. Select the signature and click Disable. The system responds with the message "Click Yes to disable the signature/s? from all dictionaries; click No to disable the signature/s? from this dictionary only".
2. Click Yes or No, depending on the action you wish to perform, or Cancel to cancel the action.

To enable a signature:
1. Select the signature(s) and click Enable. The system responds "Are you sure you want to enable the signatures(s)?".
2. Click Yes.

Note: You cannot enable manually added signatures. Deleting signatures from a manual dictionary is irreversible.


Viewing and Modifying a Dictionary's Filters


The following procedure describes how to view and modify a dictionary's filters.

Note: This procedure is relevant for Filter Dictionaries only.

To view and modify a dictionary's filters:
1. Expand the ADC tree and click the dictionary name in the tree view. The Dictionary window appears.
2. Click Edit. The dictionary details are presented in four tabs.
3. In each tab, perform modifications as required and click Save.

Deleting Dictionaries
The following procedure describes how to delete a dictionary.

Note: You cannot delete predefined dictionaries. If you attempt to delete a dictionary that is currently in use, a warning message appears. You can then delete the dictionary.

To delete a dictionary:
1. Expand the ADC tree and click the dictionary name in the tree view. The Dictionary window appears, as displayed in Figure 60 above.
2. Click Delete This Dictionary. The message "Are you sure you want to delete the dictionary?" appears.
3. Click OK.


APPENDIX

Defining IP Groups
This appendix describes how to define IP Groups, which are used in various places in the AppXcel WAF GUI. Use this feature to define IP groups throughout the AFI, as often as required. Each IP group contains a collection of single IP addresses, IP ranges or IP subnets.

Configuring IP Groups
The following steps describe how to configure an IP Group from the Create an IP Group window.

To configure an IP Group:
1. Click the Global Settings tab on the tab bar.
2. Expand IP Groups in the tree menu and click Create an IP Group; or click IP Groups in the Overview page. The Create an IP Group window appears, as displayed in Figure A-1.

DefensePro User Guide


Figure A-1 Create New IP Group Window

3. In the Create an IP Group window, enter a unique name for the IP group in the Name field.
4. Click Create Group. The IP Group window appears and displays fields to enter the IP group's IP addresses and subnet mask, as displayed in Figure A-2. This window allows defining individual IP addresses and groups of IP addresses.

Figure A-2 Define IP Addresses Window


5. To enter a single IP address, leave the Type drop-down list set to Single, and enter the address under Start IP.
6. To enter a range of IP addresses:
   a. Select Range in the Type drop-down list.
   b. Enter the first address in the range under Start IP.
   c. Enter the last address in the range under End IP.
7. Alternately, the range of IP addresses can be set according to the subnet:
   a. Select Network in the Type drop-down list.
   b. Enter the first address in the range under Start IP.
   c. Enter the subnet mask under Subnet Mask.
8. Click Add to save the IP addresses and open a new row for entering more addresses.
9. To delete a range of IP addresses, select the check box to the left of the definition and then click Delete.
10. To edit a range, edit the relevant row and click Save.
11. To delete the entire IP group, click Delete this IP Group, located at the bottom of the window.


APPENDIX

Action Interfaces
This Appendix describes the configuration of action interfaces. AppXcel WAF uses various objects in its operation. Some settings in AppXcel WAF refer to these objects, thus requiring them to be defined in advance.

Action Interfaces
AppXcel WAF can execute certain actions upon detection of a security event, such as blocking attackers using various blocking mechanisms, and sending email alerts. Appropriate action interfaces must first be configured, as explained in this appendix, then implemented as part of an Action Policy. You can define multiple action interfaces of each type. Then you can choose which action interface to use with each action policy.

AppXcel WAF supports the following action interfaces:

   Syslog: AppXcel WAF can send alerts using the Syslog protocol to an external syslog host.
   Email: AppXcel WAF can send alerts using the Simple Mail Transfer Protocol (SMTP) to an external SMTP server.
   Operating System Command: AppXcel WAF calls an operating system command or any program that is installed on the AppXcel WAF Management Server.
   SNMP: AppXcel WAF can send alerts via SNMP traps to external SNMP management devices.

Configuring the AppXcel WAF Syslog Action Interface


The AppXcel WAF Syslog action interface allows you to send alerts to a central syslog server.

Note: This configuration change does not take effect until the setting changes are activated by clicking the Activate Settings button at the bottom-right corner of the AppXcel WAF Interface window.

To enable/modify the Syslog action driver:
1. Click the Global Settings tab on the tab bar.
2. Expand the Actions item in the left tree menu.
3. Expand the Action Interfaces item in the left tree menu.
4. Click Create New Action Interface. The Add Action Interface window appears, as displayed in Figure B-1.

Figure B-1 Add Action Interface Window

5. Click Syslog. The New Syslog Action Interfaces window appears, as displayed in Figure B-2.


Figure B-2 New Syslog Action Interfaces Window

6. Type a name for the interface in the Display Name field.
7. Type in the IP address of the syslog host in the Syslog host IP Address field.
8. Select the syslog level from the drop-down list.
9. Define the message. The message consists of text and placeholders that define the message written to the log. You can define the message with arguments containing values specific to the alert that occurred (e.g. the offending IP). For this purpose several placeholders are defined; these are replaced by the actual values when the action occurs. (The rest of the argument string is used as is.) The window opens with the default message. You can modify it with the placeholders listed below.

   Note: If you define a message longer than the log allows, it is truncated in the log display.

   The available placeholders are:
   {action.ip}                The attacker IP address
   {action.session}           The session value of the request
   {alert.severity}           informative, low, medium, high
   {alert.id}                 The ID of the alert
   {alert.type}               firewall, worm, signature, protocol, profile, correlation
   {alert.server_group_ip}    The destination IP address
   {alert.server_group}       The name of the server group
   {alert.time}               The last update time of the alert in the form: dow mon dd hh:mm:ss zzz yyyy (zzz is the time zone)
   {alert.description}        The description of the alert (as shown in the alert view)
   {alert.rule.name}          The name of the correlation rule (relevant only in the case of correlations)
   {alert.rule.description}   The correlation rule description (relevant only in the case of correlations)

10. Click Save.

Configuring the AppXcel WAF SNMP Action Interface


The AppXcel WAF SNMP action interface sends alerts via SNMP traps to external SNMP management devices.

Note: This configuration change does not take effect until the setting changes are activated by clicking the Activate Settings button at the bottom-right corner of the AppXcel WAF Interface window.

To enable/modify the SNMP action interface:
1. Click Global Settings on the tab bar.
2. Expand the Actions item in the left tree menu.
3. Expand the Action Interfaces item in the left tree menu.
4. Click Create New Action Interface. The Add Action Interface window appears, as displayed in Figure B-1.
5. Click SNMP Trap. The New SNMP Trap Action Interface window appears, as displayed in Figure B-3.

Figure B-3 New SNMP Trap Action Interface Window

6. Type a name for the action interface in the Display name field.
7. Type in the SNMP server IP address, the SNMP server port, and the SNMP community string.
8. Click Save.

Configuring the Email Alerts Action Interface


An email interface includes a remote SMTP server and a list of one or more email addresses.

To configure an email interface:
1. Click Global Settings on the tab bar.
2. Expand the Actions item in the left tree menu.
3. Expand the Action Interfaces item in the left tree menu.
4. Click Create New Action Interface. The Add Action Interface window appears, as displayed in Figure B-1.
5. Click Email. The New Email Action Interface window appears, as displayed in Figure B-4.

Figure B-4 New Email Action Interface Window

6. Enter the email address of the AppXcel WAF's email account in the Source Email field. This address identifies the message's sender.
7. Enter the destination email address to which to send alerts in the Destination Email field (you can use multiple email addresses separated with a comma).
8. Enter the DNS name or IP address of the SMTP email server into the SMTP Server field. The email server (SMTP Gateway) routes the emails. Check with your network administrator how emails are sent within the organization.
9. Select Text or HTML for the email type. Use Text only if your email servers block HTML email or your email client does not support HTML.
10. Enter the text of the email message in the Remarks text box.
11. Click Save.

Note: Ensure that the AppXcel WAF Management Server is authorized to connect to port 25 on the email server (SMTP Server).


APPENDIX

Back-end SSL Encryption


This appendix describes how to configure Back-end SSL Encryption, by first configuring AppXcel Tunnel and AppXcel WAF. Procedures are also included on how to upload SSL Keys.

Configuring Back-end SSL Encryption


AppXcel supports Back-end SSL Encryption. To configure this to work with the WAF, you need to configure AppXcel Tunnel to enable backend SSL first.

To configure AppXcel Tunnel:
1. First, configure a Tunnel (see the AppXcel User Guide, section 5-1, Tunnels).
2. In the Tunnel configuration page select Tunnel > Backend SSL.
3. Select the relevant Tunnel.
4. Change the status to on.
5. Select the Backend SSL Cipher strength: Low, Medium or High.


Note: WAF with backend-SSL is not supported when the backend cipher is DH.

Using the CLI to configure AppXcel Tunnel:

   AppXcel tunnel backendssl set <TunnelID/all> [-b <on/off>]

   <TunnelID/all>: the relevant Tunnel to perform Back-end SSL on, or all Tunnels.
   <on/off>: turns the encryption On or Off.
   <Low/Medium/High>: determines the cipher's strength.
   -p <TCP port>: sets the destination TCP port to be used to exchange L7 information with the WSD when backend encryption is enabled. This flag is available only for HTTP tunnels.

To configure AppXcel WAF:
1. In AppXcel WAF select Server Groups.
2. Create a web server group (or select an existing one from the server groups in the left navigation tree).
3. In the right pane select SSL Support.
4. Configure the ports that the backend server listens on for SSL in the SSL ports text box. If there is more than one port, use a comma-separated list.
5. Click the SSL Private Key button to upload the server private keys or delete old keys from AppXcel WAF.

Note: Although these are the same server private keys as configured in the Tunnel, it is necessary to upload them here as the second stage of this procedure.


Uploading Keys
Application Firewall protects Web servers that communicate using the SSL encrypted HTTP protocol (HTTPS). SSL (Secure Socket Layer) encryption decrypts encrypted messages with certificates containing strings of 128 digits. Application Firewall also supports Transport Layer Security (TLS), which is actually SSL version 3.1. An Application Firewall Gateway that monitors a Web server requires the same SSL Private Key in order to decrypt its communications. You can define multiple SSL Key files for one Server Group that uses multiple SSL keys. The group of SSL Key files is associated with the Server Group. Each Key must have a unique name.

Note: For non-IIS web servers you must load both the SSL private key and the SSL certificate that matches the key.

To upload an SSL Key:
1. In AppXcel WAF select Web Server Group > Entity Settings > Definitions > SSL Private Key. In this dialog box you can copy the SSL Private Key file(s) from the protected Web server(s) to the Application Firewall server.
2. Locate the SSL private key or export it from the Web server.
3. If you are using a Microsoft IIS web server, export the keys to a .pfx file. If you are using any other web server, export the keys to a .pem file.
4. Copy the file to the client machine which you use to access the Application Firewall Management Server.
5. If you have a .pem file, locate the SSL certificate or export it from the browser. To export the certificate from Internet Explorer:
   a. Browse to an SSL protected page on the site.
   b. Double-click the lock icon on the bottom panel of the browser.
   c. Switch to the Details tab.
   d. Click Copy to File.
   e. Click Next.
   f. Select Base-64 Encoded X.509 and save the file.
6. Open the Application Firewall interface and log on to the server.
7. Expand the Web Server Group submenu.
8. Expand the Server Group Settings submenu and click Definitions. The data page displays the Server Group's basic settings.
9. Select the SSL Support check box.
10. Enter the port number used for SSL communications in the text box next to SSL Port. The default port for SSL communications is 443. The default port for combined HTTP and HTTPS communications is 8433.
11. Click SSL Private Keys.
12. Select the file format you wish to upload.
13. Enter a name for the specific key.
14. If you are uploading a .pfx file, you should also provide the password for the file.
15. Browse to the location of each file.
16. Click Add.
17. To add another private key, repeat step 10.
18. Click Close. The Edit SSL Private Key dialog closes.


APPENDIX

AppXcel WAF CLI Commands


This appendix lists the range of CLI Commands that are necessary to launch AppXcel WAF management and update the Signatures Database.


A List of CLI Commands in the AppXcel WAF User Guide


system license web-application-firewall get
   Shows whether a Web Application Firewall license exists. Output:
      Web application firewall license exists

system license web-application-firewall set <license string/none>
   Sets the Web Application Firewall license. The pin code is generated by Radware.

system config web-application-firewall import
   Imports the Web Application Firewall configuration.
   Note: Once the Zmodem has been launched, the operation cannot be aborted.
   Import via SSH:
      1) Zmodem
      2) SSH
      3) Quit
      Please select import protocol [1-3]: 2
      Please send (via scp) the waf configuration and ENTER to continue
      09/04/2007 13:40:27 info User radware has logged in via SSH.
      Import Web Application Firewall configuration. It may take several minutes......OK
      Configuration Import completed.
   Import via Zmodem:
      1) Zmodem
      2) SSH
      3) Quit
      Please select import protocol [1-3]: 1
      Send the file. (file name is not important)
      Import Web Application Firewall configuration. It may take several minutes.
      Configuration Import completed.

system device dbg web-application-firewall internallogs export
   Used to extract the internal logs from the device via SCP.
      copy /tmp/waf_logs.rdwr via scp: scp radware@<device ip>:/tmp/waf_logs.rdwr
      WARNING: the file will be deleted after the command ends.

system config web-application-firewall erase
   Erases the Web Application Firewall configuration.
      The Web Application Firewall configuration is erased. Are you sure you want to continue? (Y/N) y


appxcel web-application-firewall enable
   Enables the WAF. When enabling the WAF, allow several minutes for the WAF to start.

appxcel web-application-firewall disable
   Disables the WAF. When the WAF is disabled, WAF protection is not available for any traffic going through AppXcel. Output:
      Stopping Web Application Firewall ......... OK.

appxcel web-application-firewall signatures get
   Shows the version of the Web Application Firewall signature file. The current signature file version is the date, in the form day-month-year. Typing "appxcel web-application-firewall signatures get?" displays the usage line:
      Usage: appxcel web-application-firewall signatures get
   To obtain a signature update, contact Radware support, then send the updated file to the device. Press Enter and wait for the prompt.

appxcel web-application-firewall signatures import
   Imports a signature file into the Web Application Firewall module.


APPENDIX

Database Overflow Protection


This appendix describes how to configure the AppXcel WAF database overflow protection. Alert information accumulates in the AppXcel WAF database. You can configure the action taken when the database approaches its capacity.

The Overflow Mechanism


There are two options for handling new alerts when the database is full:

   Delete old alerts (cyclic): Old alerts are deleted as required to free up storage space for new alerts.
   Stop storing alerts: New alerts are not stored, due to unavailable space.

AppXcel WAF sends an email alert when the database capacity reaches 80%. If configured for cyclic deletion of alerts, it also sends an email when old alerts are deleted.


Viewing and Modifying the Database Overflow Protection


The following procedures describe how to view and modify the Database Overflow Protection.

To view/modify the database overflow protection:
1. Click Global Settings.
2. Click Database Overflow Protection in the left tree menu. The Database Overflow Protection window appears, as displayed in Figure E-1.

Figure E-1 Database Overflow Protection Window

3. Modify the storage option as required.
4. Modify the email interface as required.
5. Click Save.


APPENDIX

HTTP Methods
This appendix describes the different HTTP methods used by Web servers. The HTTP method used with the URL is required every time a new URL is manually added to the AppXcel WAF profiles. The method is set by the Web server and the application. This appendix describes the HTTP methods that AppXcel WAF supports. This HTTP method information is also very useful when an Unknown URL violation occurs with an Unknown Method attribute: it means that the user or attacker tried to access that URL using the wrong method. This appendix enables you to better understand the meaning of each method and when it is used. HTTP methods can be added or removed by editing the bootstrap.xml file, located in the directory {Gateway_installation}\agentdata\. This file includes the entire set of HTTP methods that AppXcel WAF 4.2 supports.

Standard Methods
These methods are part of the HTTP 1.1 Standard (RFC 2616).

   GET: This method means retrieve whatever data is identified by the URI, so where the URI refers to a data-producing process, or a script which can be run by such a process, it is this data which is returned, and not the source text of the script or process.
   HEAD: This method is the same as GET but returns only HTTP headers and no document body.
   PUT: This method specifies that the data in the body is to be stored under the supplied URL. The URL must already exist. The new content of the document is the data part of the request.
   POST: This method is used to request that the origin server accept the entity enclosed in the request as a new subordinate of the resource identified by the Request-URI in the Request-Line.
   TRACE: This method is used to invoke a remote, application-layer loop-back of the request message.
   CONNECT: This method is for use with a proxy that can dynamically switch to being a tunnel.
   OPTIONS: The OPTIONS method represents a request for information about the communication options available on the request/response chain identified by the Request-URI.
   DELETE: This method deletes a resource at the specified Uniform Resource Identifier (URI).


WebDAV Methods
WebDAV stands for Web-based Distributed Authoring and Versioning. It is a set of extensions to the HTTP protocol that allows users to collaboratively edit and manage files on remote Web servers. See http://www.Webdav.org/ and RFC 2518 for more information on WebDAV.

   COPY: This method creates a duplicate of the source resource identified by the Request-Uniform Resource Identifier (URI), in the destination resource identified by the Destination header.
   LOCK: This method is used to take out a lock of any access type on a resource so that another principal does not modify the resource while it is being edited.
   MOVE: This method is used to move a resource to the location specified by a request Uniform Resource Identifier (URI).
   PROPPATCH: This method sets properties for the resource at the specified destination Uniform Resource Identifier (URI).
   PROPFIND: This method retrieves properties for a resource identified by the request Uniform Resource Identifier (URI).
   UNLOCK: This method is used to remove the lock on the resource at the request Uniform Resource Identifier (URI).
   MKCOL: This method creates a new collection at the location specified by the Request-Uniform Resource Identifier (URI).


Microsoft IIS WebDAV Extensions


   BCOPY: This method is similar to the COPY method but it is used to copy one or more target resources to a destination.
   BDELETE: The WebDAV BDELETE method is similar to the DELETE method but it is used to delete one or more target resources.
   BMOVE: The WebDAV BMOVE method is similar to the MOVE method but it is used to move one or more target resources to a destination.
   BPROPFIND: The WebDAV BPROPFIND method is similar to the PROPFIND method but it is used to retrieve the properties of one or more target resources.
   BPROPPATCH: The WebDAV BPROPPATCH method is similar to the PROPPATCH method but it is used to set properties on one or more target resources.
   NOTIFY: This method is called by the server whenever an event that the client has subscribed to fires. The NOTIFY method sends User Datagram Protocol (UDP) packets to the client until the subscription has timed out.
   POLL: This method is used to either acknowledge that the client has received and responded to a particular event, or to query the server for any events that may have fired.
   SEARCH: This method is used to search an Exchange store for resources.
   SUBSCRIBE: This method is used to create a subscription to a resource.
   UNSUBSCRIBE: This method is used to end a subscription to a resource.


APPENDIX

HTTP Response Codes


This appendix lists the various HTTP response codes returned by Web servers. This information is useful when analyzing alerts.

   Code   Meaning
   100    Continue
   101    Switching Protocols
   200    OK
   201    Created
   202    Accepted
   203    Non-Authoritative Information
   204    No Content
   205    Reset Content
   206    Partial Content
   300    Multiple Choices
   301    Moved Permanently
   302    Found
   303    See Other
   304    Not Modified
   305    Use Proxy
   307    Temporary Redirect
   400    Bad Request
   401    Unauthorized
   402    Payment Required
   403    Forbidden
   404    Not Found
   405    Method Not Allowed
   406    Not Acceptable
   407    Proxy Authentication Required
   408    Request Time-Out
   409    Conflict
   410    Gone
   411    Length Required
   412    Precondition Failed
   413    Request Entity Too Large
   414    Request-URI Too Large
   415    Unsupported Media Type
   416    Requested Range Not Satisfied
   417    Expectation Failed
   500    Internal Server Error
   501    Not Implemented
   502    Bad Gateway
   503    Service Unavailable
   504    Gateway Time-Out
   505    HTTP Version Not Supported


APPENDIX

Parameter Value Types


This appendix describes the different parameter value types, which define the group of characters allowed in the value of a parameter. AppXcel WAF automatically profiles the allowed value types for each learned parameter. If, during protect mode, the value of a certain parameter doesn't match the profiled value type, AppXcel WAF generates a Value Type Violation. Each parameter has a main value type and extended value types. The main value type together with the list of extended value types defines the group of characters allowed in the value of the parameter. Although AppXcel WAF automatically profiles value types, you can manually change them by accessing the profile.

Main Types
The main types of a parameter's value define the set of regular characters allowed in a value. You can only select a single main type for each parameter.


Foreign Language Characters (Extended ASCII)

   Dec       Hex      Characters
   48-57     30-39    0123456789
   65-90     41-5A    ABCDEFGHIJKLMNOPQRSTUVWXYZ
   97-122    61-7A    abcdefghijklmnopqrstuvwxyz
   193-223   C1-DF    UTF-8 two byte combinations, first byte
   225-239   E1-EF    UTF-8 three byte combinations, first byte
   241-247   F1-F7    UTF-8 four byte combinations, first byte
   249-251   F9-FB    UTF-8 five byte combinations, first byte
   253       FD       UTF-8 six byte combinations, first byte
   129-191   81-BF    UTF-8 non-first byte

   Also listed under this type, without a description: 128-192 (80-C0), 224 (E0), 240 (F0), 248 (F8), 252 (FC), 254-255 (FE-FF).

Extended Value Types


In addition to the main value type, AppXcel WAF defines extended value types. These are mutually exclusive groups of characters not included in either of the main character sets. For each parameter you can select a list of extended value types allowed for its value.

   Type                          Dec   Hex   Characters
   White Spaces                  9     09    TAB
                                 32    20    Space
   Line Breaks                   10    0A    LF
                                 13    0D    CR
   Slash                         47    2F    /
                                 92    5C    \
   Quote                         39    27    '
   Angled Brackets               60    3C    <
                                 62    3E    >
   ASCII Control Characters      1     01    SOH
                                 2     02    STX
                                 3     03    ETX
                                 4     04    EOT
                                 5     05    ENQ
                                 6     06    ACK
                                 7     07    BEL
                                 8     08    BS
                                 11    0B    VT
                                 12    0C    FF
                                 14    0E    SO
                                 15    0F    SI
                                 16    10    DLE
                                 17    11    DC1
                                 18    12    DC2
                                 19    13    DC3
                                 20    14    DC4
                                 21    15    NAK
                                 22    16    SYN
                                 23    17    ETB
                                 24    18    CAN
                                 25    19    EM
                                 26    1A    SUB
                                 27    1B    ESC
                                 28    1C    FS
                                 29    1D    GS
                                 30    1E    RS
                                 31    1F    US
                                 127   7F    DEL
   Percent Sign                  37    25    %
   HTTP Query String Separators  38    26    &
                                 61    3D    =
                                 63    3F    ?
   Parenthesis                   40    28    (
                                 41    29    )
   Brackets                      91    5B    [
                                 93    5D    ]
                                 123   7B    {
                                 125   7D    }
   OS Related Separators         33    21    !
                                 96    60    `
                                 126   7E    ~
   Double Quote                  34    22    "
   Asterisk                      42    2A    *
   Plus Sign                     43    2B    +
   Period                        46    2E    .
   Concatenation                 124   7C    |
   Null                          0     00    NUL
   Others                        35    23    #
                                 36    24    $
                                 58    3A    :
                                 64    40    @
                                 94    5E    ^
                                 95    5F    _

DefensePro User Guide

H-5

H-6

DefensePro User Guide
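The profiling and checking described in this appendix, as an added example in Python that is not Radware's code: it derives a profile (one main type plus a set of extended types) from sample values and then reports Value Type Violations for new values, using the DEC columns of the two tables above. The main-type names numeric, alphabetic and alphanumeric are this example's own assumption, since the appendix names only the Extended ASCII type; the URL-decoding step, the UTF-8 treatment of non-ASCII characters and the sample values are likewise constructed for the example.

```python
# Added example (not Radware's code): enforce a learned parameter value-type
# profile from Appendix H, and learn such a profile from sample values.
# The main-type names other than "foreign_extended_ascii" are this
# example's own assumption; the appendix does not name them.
from urllib.parse import unquote_plus

DIGITS = set(range(48, 58))                          # 0-9
LETTERS = set(range(65, 91)) | set(range(97, 123))   # A-Z a-z
EXTENDED_ASCII = set(range(128, 256))                # UTF-8 lead and continuation bytes

# Hypothetical main types, narrowest first; a parameter has exactly one.
MAIN_TYPES = [
    ("numeric", DIGITS),
    ("alphabetic", LETTERS),
    ("alphanumeric", DIGITS | LETTERS),
    ("foreign_extended_ascii", DIGITS | LETTERS | EXTENDED_ASCII),
]

# Extended value types, keyed by the names used in the Appendix H table.
EXTENDED_TYPES = {
    "white_spaces": {9, 32},
    "line_breaks": {10, 13},
    "slash": {47, 92},
    "quote": {39},
    "angled_brackets": {60, 62},
    "ascii_control": set(range(1, 9)) | {11, 12} | set(range(14, 32)) | {127},
    "percent_sign": {37},
    "http_query_string_separators": {38, 61, 63},
    "parenthesis": {40, 41},
    "brackets": {91, 93, 123, 125},
    "os_related_separators": {33, 96, 126},
    "double_quote": {34},
    "asterisk": {42},
    "plus_sign": {43},
    "period": {46},
    "concatenation": {124},
    "null": {0},
    "others": {35, 36, 58, 64, 94, 95},
}


def needed_type(byte: int) -> str:
    """Name the narrowest value type that admits this byte, or "unlisted" for
    bytes the appendix tables (as reproduced above) do not cover, e.g.
    44 ',', 45 '-' and 59 ';'. Unlisted bytes can never be allowed by a profile."""
    for name, chars in MAIN_TYPES:
        if byte in chars:
            return name
    for name, chars in EXTENDED_TYPES.items():
        if byte in chars:
            return name
    return "unlisted"


def decode(raw: str) -> bytes:
    """Inspect the decoded value (assumption: %27 and + must count as ' and
    space). Non-ASCII characters become their UTF-8 bytes, which is what the
    Extended ASCII rows of the main-type table describe."""
    return unquote_plus(raw).encode("utf-8")


def learn_profile(samples):
    """Learning phase: narrowest main type covering every main-set byte seen,
    plus every extended type seen in the samples."""
    seen = set()
    for raw in samples:
        seen |= set(decode(raw))
    main_bytes = seen & (DIGITS | LETTERS | EXTENDED_ASCII)
    main = next(name for name, chars in MAIN_TYPES if main_bytes <= chars)
    extended = {needed_type(b) for b in seen - main_bytes} - {"unlisted"}
    return main, extended


def check_value(raw: str, main: str, extended) -> list:
    """Protect phase: return the Value Type Violations for one value as a list
    of (character, type that would be needed), empty if the value conforms."""
    allowed = set(dict(MAIN_TYPES)[main])
    for name in extended:
        allowed |= EXTENDED_TYPES[name]
    violations = []
    for b in decode(raw):
        if b not in allowed:
            shown = chr(b) if 32 <= b < 127 else f"\\x{b:02x}"
            violations.append((shown, needed_type(b)))
    return violations


if __name__ == "__main__":
    # Constructed sample traffic: learn from clean values, then check an attack.
    main, ext = learn_profile(["1001", "42", "7"])
    print(main, sorted(ext))
    print(check_value("1001%27+OR+1%3D1--", main, ext))
```

Two things the run shows that the tables alone do not: the check must be done on the decoded value, otherwise `%27` would be judged as a percent sign and two digits rather than as a quote; and a profile learned from `john_doe` admits `john@doe` without any violation, because the underscore and `@` share the Others group.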

APPENDIX

Writing Signatures
This appendix describes the AppXcel WAF signature language. AppXcel WAF includes a signature detection and prevention layer. For more information on the AppXcel WAF signature detection and prevention engine. AppXcel WAF comes with a preconfigured database of more than 2500 signatures, which is updated automatically from the Radware web sites on a regular basis. In addition to these preconfigured and automatically downloaded signatures, you can write your own signatures to detect and block communication containing specific information. This appendix explains the language in which such signatures are written. The language resembles the Snort signature language, although there are some notable differences.

Single Part Signatures


The basic signature unit is a part, which contains the actual signature text. The following signature searches for the term "hello world":

    part="hello world"


Use \x<hex value> to add binary characters to the signature. In the following signature the white space is replaced with \x20, the hexadecimal representation of a space:

    part="hello\x20world"

To search for the backslash character, you must enter a double backslash. The following signature looks for the term "hello\world":

    part="hello\\world"

Multi Part Signatures


You can include as many parts as required in a signature to search for a sequence of terms. Different parts are separated by a comma; white space is allowed before and after the comma. Each part is searched for after the previous one, and any text may appear between them, so the following signature:

    part="Radware", part="Secure", part="Sphere"

matches any of the following strings:

    abcdRadwareSecureSphere
    abcdRadwareabcdSecureSphere
    abcdRadwareabcdSecure---Sphere

Adding Absolute Modifiers


Absolute modifiers limit the part to be matched to a specific area of the stream. The supported absolute modifiers are:

    amin: The absolute position in the stream at which to start matching this part.
    amax: The absolute position in the stream at which to stop matching this part.

For example, the following signature has one part with absolute modifiers. The string "cmd.exe" is searched for only from position 10 to position 20 in the stream:

    part="cmd.exe", amin="10", amax="20"

You can include absolute modifiers after any part, separated by commas. You can add either a single modifier or both modifiers for each part.


Appendix I - Writing Signatures

Adding Relative Modifiers

Relative modifiers limit the part to a specific area after the previous part. The supported relative modifiers are:

    rmin: The position, relative to the previous part, at which to start searching for this part.
    rmax: The position, relative to the previous part, at which to stop searching for this part.

For example, the following signature includes two parts. The second part is searched for within 10 characters of the first part:

    part="cmd", part=".exe", rmax="10"

The string cmd12345.exe matches this signature. However, the string cmd12345678.exe does not, because the ".exe" part ends 12 characters after the "cmd" part. You can include relative modifiers after any part, separated by commas. You can add either a single modifier or both modifiers for each part, and you can combine relative and absolute modifiers on the same part. Relative modifiers are ignored for the first part, because there is no previous part for them to be relative to.

Regular Expression Parts


A regular expression part is optional and applies only to non-stream signatures (URL, parameters, and headers). You can include only one regular expression part per signature, and it must be the last part. Any number of non-regular-expression parts can precede it. The regular expression is searched for only if all preceding parts were found, and it is searched on the entire object (for example, the whole URL), not on the text following the last part. For example, the following signature searches for the term "cmd" and then for the term ".exe". If both terms are found, the signature searches the entire URL for the regular expression "cmd\s*\.\s*exe", which ensures that only white space appears between "cmd" and ".exe":

    part="cmd", part=".exe", rmax="10", rgxp="cmd\s*\.\s*exe"

In practice the plain parts act as a cheap pre-filter and the regular expression as the precise test: a signature whose parts are too tight never reaches its regular expression, while one whose parts are too loose pays for a regular expression search on every object that passes them.


Regular Expression Syntax


AppXcel WAF supports a simplified form of standard regular expressions. The supported constructs are:

Character classes
    '\s' - Matches white space (tabs, spaces, and so on).
    '\d' - Matches decimal digits (0-9).
    '.' - Matches any character.
    '\w' - Matches alphanumeric characters and the underscore ('_').
    '\W' - Matches non-alphanumeric characters.

Sets
A set matches any single character that is a member of the set. Sets are delimited by "[" and "]" and can contain literals, character ranges, character classes, collating elements and equivalence classes. For example, '[abc]' matches any one of the three letters a, b and c.

The Negation Operator


The negation operator '^' is not supported.

Repeats
A repeat is an expression that is repeated an arbitrary number of times. An expression followed by "*" can be repeated any number of times, including zero. An expression followed by "+" can be repeated any number of times, but at least once. An expression followed by "?" may be repeated zero or one times only. When it is necessary to specify the minimum and maximum number of repeats explicitly, the bounds operator "{}" may be used: "a{2}" is the letter "a" repeated exactly twice, "a{2,4}" is the letter "a" repeated between 2 and 4 times, and "a{2,}" is the letter "a" repeated at least twice with no upper limit. There must be no white space inside the {}, and there is no upper limit on the values of the lower and upper bounds. All repeat expressions refer to the shortest possible previous sub-expression: a single character, a character set, or a sub-expression grouped with "()", for example. Examples:

    "ba*" matches all of "b", "ba", "baaa", and so on.
    "ba+" matches "ba" or "baaaa", for example, but not "b".
    "ba?" matches "b" or "ba".
    "ba{2,4}" matches "baa", "baaa" and "baaaa".

Parentheses
Parentheses serve two purposes: to group items together into a subexpression, and to mark what generated the match. For example the expression "(ab)*" matches all of the string "ababab".

Alternatives
Alternatives occur when the expression can match either one sub-expression or another; the alternatives are separated by "|" or "\|". Each alternative is the largest possible previous sub-expression; this is the opposite of the behavior of the repetition operators. Examples:

    "a(b|c)" matches "ab" or "ac".
    "abc|def" matches "abc" or "def".

Escaping
All "special characters" are matched literally by prefixing them with the escape character (\). Binary characters (\x<hex value>) are also supported, as they are in the basic signature text.

Line Anchors
An anchor is something that matches the null string at the start or end of a line: "^" matches the null string at the start of a line, "$" matches the null string at the end of a line.
