Académique Documents
Professionnel Documents
Culture Documents
USER GUIDE
Important Notices
The following important notices are presented in English, French, and German.
Important Notices
This guide is delivered subject to the following conditions and restrictions:
Copyright Radware Ltd. 2020. All rights reserved.
The copyright and all other intellectual property rights and trade secrets included in this guide are
owned by Radware Ltd.
The guide is provided to Radware customers for the sole purpose of obtaining information with
respect to the installation and use of the Radware products described in this document, and may not
be used for any other purpose.
The information contained in this guide is proprietary to Radware and must be kept in strict
confidence.
It is strictly forbidden to copy, duplicate, reproduce or disclose this guide or any part thereof without
the prior written consent of Radware.
Notice importante
Ce guide est sujet aux conditions et restrictions :
Copyright Radware Ltd. 2020. Tous droits réservés.
Le copyright ainsi que tout autre droit lié à la propriété intellectuelle et aux secrets industriels
contenus dans ce guide sont la propriété de Radware Ltd.
Ce guide d’informations est fourni à nos clients dans le cadre de l’installation et de l’usage des
produits de Radware décrits dans ce document et ne pourra être utilisé dans un but autre que celui
pour lequel il a été conçu.
Les informations répertoriées dans ce document restent la propriété de Radware et doivent être
conservées de manière confidentielle.
Il est strictement interdit de copier, reproduire ou divulguer des informations contenues dans ce
manuel sans avoir obtenu le consentement préalable écrit de Radware.
Wichtige Anmerkung
Dieses Handbuch wird vorbehaltlich folgender Bedingungen und Einschränkungen ausgeliefert:
Copyright Radware Ltd. 2020. Alle Rechte vorbehalten.
Das Urheberrecht und alle anderen in diesem Handbuch enthaltenen Eigentumsrechte und
Geschäftsgeheimnisse sind Eigentum von Radware Ltd.
Dieses Handbuch wird Kunden von Radware mit dem ausschließlichen Zweck ausgehändigt,
Informationen zu Montage und Benutzung der in diesem Dokument beschriebene Produkte von
Radware bereitzustellen. Es darf für keinen anderen Zweck verwendet werden.
Die in diesem Handbuch enthaltenen Informationen sind Eigentum von Radware und müssen streng
vertraulich behandelt werden.
Es ist streng verboten, dieses Handbuch oder Teile daraus ohne vorherige schriftliche Zustimmung
von Radware zu kopieren, vervielfältigen, reproduzieren oder offen zu legen.
Copyright Notices
The following copyright notices are presented in English, French, and German.
Copyright Notices
The programs included in this product are subject to a restricted use license and can only be used in
conjunction with this application.
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and
the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both
licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL,
please contact openssl-core@openssl.org.
OpenSSL License
Copyright (c) 1998-2011 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted
provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and
the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions
and the following disclaimer in the documentation and/or other materials provided with the
distribution.
3. All advertising materials mentioning features or use of this software must display the following
acknowledgement:
This product includes software developed by the OpenSSL Project for use in the OpenSSL
Toolkit. (http://www.openssl.org/)
4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote
products derived from this software without prior written permission. For written permission,
please contact openssl-core@openssl.org.
5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in
their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment:
“This product includes software developed by the OpenSSL Project for use in the OpenSSL
Toolkit (http://www.openssl.org/)”
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS'' AND ANY EXPRESSED OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This
product includes software written by Tim Hudson (tjh@cryptsoft.com).
Original SSLeay License
Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
All rights reserved.
This package is an SSL implementation written by Eric Young (eay@cryptsoft.com).
The implementation was written so as to conform with Netscapes SSL.
This library is free for commercial and non-commercial use as long as the following conditions are
aheared to. The following conditions apply to all code found in this distribution, be it the RC4, RSA,
lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution
is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).
Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be
removed.
If this package is used in a product, Eric Young should be given attribution as the author of the parts
of the library used.
This can be in the form of a textual message at program startup or in documentation (online or
textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification, are permitted
provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the
following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions
and the following disclaimer in the documentation and/or other materials provided with the
distribution.
3. All advertising materials mentioning features or use of this software must display the following
acknowledgement:
"This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)"
The word 'cryptographic' can be left out if the rouines from the library being used are not
cryptographic related :-).
4. If you include any Windows specific code (or a derivative thereof) from the apps directory
(application code) you must include an acknowledgment:
"This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS”' AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
The licence and distribution terms for any publically available version or derivative of this code
cannot be changed. i.e. this code cannot simply be copied and put under another distribution licence
[including the GNU Public Licence.]
This product contains the Rijndael cipher
The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers and Paulo Barreto is in the public
domain and distributed with the following license:
@version 3.0 (December 2000)
Optimized ANSI C code for the Rijndael cipher (now AES)
@author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
@author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
@author Paulo Barreto <paulo.barreto@terra.com.br>
The OnDemand Switch may use software components licensed under the GNU General Public
License Agreement Version 2 (GPL v.2) including LinuxBios and Filo open source projects. The
source code of the LinuxBios and Filo is available from Radware upon request. A copy of the license
can be viewed at: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html.
This code is hereby placed in the public domain.
Redistribution and use of this software and associated documentation (“Software”), with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions in source form must retain copyright statements and notices,
2. Redistributions in binary form must reproduce applicable copyright statements and notices, this
list of conditions, and the following disclaimer in the documentation and/or other materials
provided with the distribution, and
3. Redistributions must contain a verbatim copy of this document.
The OpenLDAP Foundation may revise this license from time to time. Each revision is distinguished
by a version number. You may use this Software under terms of this license revision or under the
terms of any subsequent revision of the license.
THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS “AS IS”
AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S) OR
OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The names of the authors and copyright holders must not be used in advertising or otherwise to
promote the sale, use or other dealing in this Software without specific, written prior permission.
Title to copyright in this Software shall at all times remain with copyright holders.
OpenLDAP is a registered trademark of the OpenLDAP Foundation. Copyright 1999-2003 The
OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved. Permission to copy and
distribute verbatim copies of this document is granted.
This product contains the ACE RADIUS library developed by Mr. Alex Agranov. Copyright ©2004-
2009, Alex Agranov <alexagr@users.sourceforge.net> All rights reserved.
The ACE RADIUS library is licensed under BSD License, which allows its use both in open-source and
commercial projects.
The license terms are as follows:
Redistribution and use in source and binary forms, with or without modification, are permitted
provided that the following conditions are met:
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
This software includes the SNMP++v3.2.25 library Copyright ©2001-2010 Jochen Katz, Frank Fock
The SNMP++v3.2.25 library is based on SNMP++2.6 from Hewlett Packard: Copyright ©1996
Hewlett-Packard Company
ATTENTION: USE OF THIS SOFTWARE IS SUBJECT TO THE FOLLOWING TERMS.
Permission to use, copy, modify, distribute and/or sell this software and/or its documentation is
hereby granted without fee. User agrees to display the above copyright notice and this license notice
in all copies of the software and any documentation of the software. User agrees to assume all
liability for the use of the software; Hewlett-Packard and Jochen Katz make no representations
about the suitability of this software for any purpose. It is provided “AS-IS” without warranty of any
kind, either express or implied. User hereby grants a royalty-free license to any and all derivatives
based upon this software code base.
Stuttgart, Germany, Thu Sep 2 00:07:47 CEST 2010
Copyrightvermerke
Die in diesem Produkt enthalten Programme unterliegen einer eingeschränkten Nutzungslizenz und
können nur in Verbindung mit dieser Anwendung benutzt werden.
Die Rijndael-Implementierung von Vincent Rijndael, Anton Bosselaers und Paulo Barreto ist
öffentlich zugänglich und wird unter folgender Lizenz vertrieben:
@version 3.0 (December 2000)
Optimierter ANSI C Code für den Rijndael cipher (jetzt AES)
@author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
@author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
@author Paulo Barreto <paulo.barreto@terra.com.br>
Der OnDemand Switch verwendet möglicherweise Software, die im Rahmen der DNU Allgemeine
Öffentliche Lizenzvereinbarung Version 2 (GPL v.2) lizensiert sind, einschließlich LinuxBios und Filo
Open Source-Projekte. Der Quellcode von LinuxBios und Filo ist bei Radware auf Anfrage erhältlich.
Eine Kopie dieser Lizenz kann eingesehen werden unter http://www.gnu.org/licenses/old-licenses/
gpl-2.0.html.
Dieser Code wird hiermit allgemein zugänglich gemacht.
Dieses Produkt enthält einen vom OpenBSD-Projekt entwickelten Code
Copyright ©1983, 1990, 1992, 1993, 1995
The Regents of the University of California. Alle Rechte vorbehalten.
Die Verbreitung und Verwendung in Quell- und binärem Format, mit oder ohne Veränderungen, sind
unter folgenden Bedingungen erlaubt:
1. Die Verbreitung von Quellcodes muss den voranstehenden Copyrightvermerk, diese Liste von
Bedingungen und den folgenden Haftungsausschluss beibehalten.
2. Die Verbreitung in binärem Format muss den voranstehenden Copyrightvermerk, diese Liste von
Bedingungen und den folgenden Haftungsausschluss in der Dokumentation und/oder andere
Materialien, die mit verteilt werden, reproduzieren.
3. Weder der Name der Universität noch die Namen der Beitragenden dürfen ohne ausdrückliche
vorherige schriftliche Genehmigung verwendet werden, um von dieser Software abgeleitete
Produkte zu empfehlen oder zu bewerben.
Standard Warranty
The following standard warranty is presented in English, French, and German.
Standard Warranty
Radware offers a limited warranty for all its products (“Products”). Radware hardware products are
warranted against defects in material and workmanship for a period of one year from date of
shipment. Radware software carries a standard warranty that provides bug fixes for up to 90 days
after date of purchase. Should a Product unit fail anytime during the said period(s), Radware will, at
its discretion, repair or replace the Product.
For hardware warranty service or repair, the product must be returned to a service facility
designated by Radware. Customer shall pay the shipping charges to Radware and Radware shall pay
the shipping charges in returning the product to the customer. Please see specific details outlined in
the Standard Warranty section of the customer’s purchase order.
Radware shall be released from all obligations under its Standard Warranty in the event that the
Product and/or the defective component has been subjected to misuse, neglect, accident or
improper installation, or if repairs or modifications were made by persons other than Radware
authorized service personnel, unless such repairs by others were made with the written consent of
Radware.
EXCEPT AS SET FORTH ABOVE, ALL RADWARE PRODUCTS (HARDWARE AND SOFTWARE) ARE
PROVIDED BY “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED.
Garantie standard
Radware octroie une garantie limitée pour l’ensemble de ses produits (“Produits”). Le matériel
informatique (hardware) Radware est garanti contre tout défaut matériel et de fabrication pendant
une durée d’un an à compter de la date d’expédition. Les logiciels (software) Radware sont fournis
avec une garantie standard consistant en la fourniture de correctifs des dysfonctionnements du
logiciels (bugs) pendant une durée maximum de 90 jours à compter de la date d’achat. Dans
l’hypothèse où un Produit présenterait un défaut pendant ladite (lesdites) période(s), Radware
procédera, à sa discrétion, à la réparation ou à l’échange du Produit.
S’agissant de la garantie d’échange ou de réparation du matériel informatique, le Produit doit être
retourné chez un réparateur désigné par Radware. Le Client aura à sa charge les frais d’envoi du
Produit à Radware et Radware supportera les frais de retour du Produit au client. Veuillez consulter
les conditions spécifiques décrites dans la partie “Garantie Standard” du bon de commande client.
Radware est libérée de toutes obligations liées à la Garantie Standard dans l’hypothèse où le Produit
et/ou le composant défectueux a fait l’objet d’un mauvais usage, d’une négligence, d’un accident ou
d’une installation non conforme, ou si les réparations ou les modifications qu’il a subi ont été
effectuées par d’autres personnes que le personnel de maintenance autorisé par Radware, sauf si
Radware a donné son consentement écrit à ce que de telles réparations soient effectuées par ces
personnes.
SAUF DANS LES CAS PREVUS CI-DESSUS, L’ENSEMBLE DES PRODUITS RADWARE (MATERIELS ET
LOGICIELS) SONT FOURNIS “TELS QUELS” ET TOUTES GARANTIES EXPRESSES OU IMPLICITES
SONT EXCLUES, EN CE COMPRIS, MAIS SANS S’Y RESTREINDRE, LES GARANTIES IMPLICITES DE
QUALITE MARCHANDE ET D’ADÉQUATION À UNE UTILISATION PARTICULIÈRE.
Standard Garantie
Radware bietet eine begrenzte Garantie für alle seine Produkte (“Produkte”) an. Hardware Produkte
von Radware haben eine Garantie gegen Material- und Verarbeitungsfehler für einen Zeitraum von
einem Jahr ab Lieferdatum. Radware Software verfügt über eine Standard Garantie zur
Fehlerbereinigung für einen Zeitraum von bis zu 90 Tagen nach Erwerbsdatum. Sollte ein Produkt
innerhalb des angegebenen Garantiezeitraumes einen Defekt aufweisen, wird Radware das Produkt
nach eigenem Ermessen entweder reparieren oder ersetzen.
Für den Hardware Garantieservice oder die Reparatur ist das Produkt an eine von Radware
bezeichnete Serviceeinrichtung zurückzugeben. Der Kunde hat die Versandkosten für den Transport
des Produktes zu Radware zu tragen, Radware übernimmt die Kosten der Rückversendung des
Produktes an den Kunden. Genauere Angaben entnehmen Sie bitte dem Abschnitt zur Standard
Garantie im Bestellformular für Kunden.
Radware ist von sämtlichen Verpflichtungen unter seiner Standard Garantie befreit, sofern das
Produkt oder der fehlerhafte Teil zweckentfremdet genutzt, in der Pflege vernachlässigt, einem
Unfall ausgesetzt oder unsachgemäß installiert wurde oder sofern Reparaturen oder Modifikationen
von anderen Personen als durch Radware autorisierten Kundendienstmitarbeitern vorgenommen
wurden, es sei denn, diese Reparatur durch besagte andere Personen wurden mit schriftlicher
Genehmigung seitens Radware durchgeführt.
MIT AUSNAHME DES OBEN DARGESTELLTEN, SIND ALLE RADWARE PRODUKTE (HARDWARE UND
SOFTWARE) GELIEFERT “WIE GESEHEN” UND JEGLICHE AUSDRÜCKLICHEN ODER
STILLSCHWEIGENDEN GARANTIEN, EINSCHLIESSLICH ABER NICHT BEGRENZT AUF
STILLSCHWEIGENDE GEWÄHRLEISTUNG DER MARKTFÄHIGKEIT UND EIGNUNG FÜR EINEN
BESTIMMTEN ZWECK AUSGESCHLOSSEN.
Safety Instructions
The following safety instructions are presented in English, French, and German.
Safety Instructions
CAUTION
A readily accessible disconnect device shall be incorporated in the building installation wiring.
Due to the risks of electrical shock, and energy, mechanical, and fire hazards, any procedures that
involve opening panels or changing components must be performed by qualified service personnel
only.
To reduce the risk of fire and electrical shock, disconnect the device from the power line before
removing cover or panels.
The following figure shows the caution label that is attached to Radware platforms with dual power
supplies.
GROUNDING
Before connecting this device to the power line, the protective earth terminal screws of this device
must be connected to the protective earth in the building installation.
LASER
This equipment is a Class 1 Laser Product in accordance with IEC60825 - 1: 1993 + A1:1997 +
A2:2001 Standard.
FUSES
Make sure that only fuses with the required rated current and of the specified type are used for
replacement. The use of repaired fuses and the short-circuiting of fuse holders must be avoided.
Whenever it is likely that the protection offered by fuses has been impaired, the instrument must be
made inoperative and be secured against any unintended operation.
LINE VOLTAGE
Before connecting this instrument to the power line, make sure the voltage of the power source
matches the requirements of the instrument. Refer to the Specifications for information about the
correct power rating for the device.
48V DC-powered platforms have an input tolerance of 36-72V DC.
SPECIFICATION CHANGES
Specifications are subject to change without notice.
Note: This equipment has been tested and found to comply with the limits for a Class A digital
device pursuant to Part 15B of the FCC Rules and EN55022 Class A, EN 55024; EN 61000-3-2; EN
61000-3-3; IEC 61000 4-2 to 4-6, IEC 61000 4-8 and IEC 61000-4-11For CE MARK Compliance.
These limits are designed to provide reasonable protection against harmful interference when the
equipment is operated in a commercial environment. This equipment generates, uses and can
radiate radio frequency energy and, if not installed and used in accordance with the instruction
manual, may cause harmful interference to radio communications. Operation of this equipment in a
residential area is likely to cause harmful interference in which case the user is required to correct
the interference at his own expense.
SPECIAL NOTICE FOR NORTH AMERICAN USERS
For North American power connection, select a power supply cord that is UL Listed and CSA Certified
3 - conductor, [18 AWG], terminated in a molded on plug cap rated 125 V, [10 A], with a minimum
length of 1.5m [six feet] but no longer than 4.5m...For European connection, select a power supply
cord that is internationally harmonized and marked “<HAR>”, 3 - conductor, 0,75 mm2 minimum
mm2 wire, rated 300 V, with a PVC insulated jacket. The cord must have a molded on plug cap rated
250 V, 3 A.
RESTRICT AREA ACCESS
The DC powered equipment should only be installed in a Restricted Access Area.
INSTALLATION CODES
This device must be installed according to country national electrical codes. For North America,
equipment must be installed in accordance with the US National Electrical Code, Articles 110 - 16,
110 -17, and 110 -18 and the Canadian Electrical Code, Section 12.
INTERCONNECTION OF UNITS
Cables for connecting to the unit RS232 and Ethernet Interfaces must be UL certified type DP-1 or
DP-2. (Note- when residing in non LPS circuit)
OVERCURRENT PROTECTION
A readily accessible listed branch-circuit over current protective device rated 15 A must be
incorporated in the building wiring for each power input.
REPLACEABLE BATTERIES
If equipment is provided with a replaceable battery, and is replaced by an incorrect battery type,
then an explosion may occur. This is the case for some Lithium batteries and the following is
applicable:
• If the battery is placed in an Operator Access Area, there is a marking close to the battery or
a statement in both the operating and service instructions.
• If the battery is placed elsewhere in the equipment, there is a marking close to the battery or a
statement in the service instructions.
Instructions de sécurité
AVERTISSEMENT
Un dispositif de déconnexion facilement accessible sera incorporé au câblage du bâtiment.
En raison des risques de chocs électriques et des dangers énergétiques, mécaniques et d’incendie,
chaque procédure impliquant l’ouverture des panneaux ou le remplacement de composants sera
exécutée par du personnel qualifié.
Pour réduire les risques d’incendie et de chocs électriques, déconnectez le dispositif du bloc
d’alimentation avant de retirer le couvercle ou les panneaux.
La figure suivante montre l’étiquette d’avertissement apposée sur les plateformes Radware dotées
de plus d’une source d’alimentation électrique.
Figure 4: Avertissement de sécurité pour les systèmes dotes de deux sources d’alimentation
électrique (en chinois)
Traduction de la Avertissement de sécurité pour les systèmes dotes de deux sources d’alimentation
électrique (en chinois):
Cette unité est dotée de plus d’une source d’alimentation électrique. Déconnectez toutes les sources
d’alimentation électrique avant d’entretenir l’appareil ceci pour éviter tout choc électrique.
ENTRETIEN
N’effectuez aucun entretien autre que ceux répertoriés dans le manuel d’instructions, à moins d’être
qualifié en la matière. Aucune pièce à l’intérieur de l’unité ne peut être remplacée ou réparée.
HAUTE TENSION
Tout réglage, opération d’entretien et réparation de l’instrument ouvert sous tension doit être évité.
Si cela s’avère indispensable, confiez cette opération à une personne qualifiée et consciente des
dangers impliqués.
Les condensateurs au sein de l’unité risquent d’être chargés même si l’unité a été déconnectée de la
source d’alimentation électrique.
MISE A LA TERRE
Avant de connecter ce dispositif à la ligne électrique, les vis de protection de la borne de terre de
cette unité doivent être reliées au système de mise à la terre du bâtiment.
LASER
Cet équipement est un produit laser de classe 1, conforme à la norme IEC60825 - 1: 1993 + A1:
1997 + A2: 2001.
FUSIBLES
Assurez-vous que, seuls les fusibles à courant nominal requis et de type spécifié sont utilisés en
remplacement. L’usage de fusibles réparés et le court-circuitage des porte-fusibles doivent être
évités. Lorsqu’il est pratiquement certain que la protection offerte par les fusibles a été détériorée,
l’instrument doit être désactivé et sécurisé contre toute opération involontaire.
TENSION DE LIGNE
Avant de connecter cet instrument à la ligne électrique, vérifiez que la tension de la source
d’alimentation correspond aux exigences de l’instrument. Consultez les spécifications propres à
l’alimentation nominale correcte du dispositif.
Les plateformes alimentées en 48 CC ont une tolérance d’entrée comprise entre 36 et 72 V CC.
MODIFICATIONS DES SPÉCIFICATIONS
Les spécifications sont sujettes à changement sans notice préalable.
Remarque: Cet équipement a été testé et déclaré conforme aux limites définies pour un appareil
numérique de classe A, conformément au paragraphe 15B de la réglementation FCC et EN55022
Classe A, EN 55024, EN 61000-3-2; EN 61000-3-3; IEC 61000 4-2 to 4-6, IEC 61000 4-8, et IEC
61000-4-11, pour la marque de conformité de la CE. Ces limites sont fixées pour fournir une
protection raisonnable contre les interférences nuisibles, lorsque l’équipement est utilisé dans un
environnement commercial. Cet équipement génère, utilise et peut émettre des fréquences radio et,
s’il n’est pas installé et utilisé conformément au manuel d’instructions, peut entraîner des
interférences nuisibles aux communications radio. Le fonctionnement de cet équipement dans une
zone résidentielle est susceptible de provoquer des interférences nuisibles, auquel cas l’utilisateur
devra corriger le problème à ses propres frais.
NOTICE SPÉCIALE POUR LES UTILISATEURS NORD-AMÉRICAINS
Pour un raccordement électrique en Amérique du Nord, sélectionnez un cordon d’alimentation
homologué UL et certifié CSA 3 - conducteur, [18 AWG], muni d’une prise moulée à son extrémité,
de 125 V, [10 A], d’une longueur minimale de 1,5 m [six pieds] et maximale de 4,5m...Pour la
connexion européenne, choisissez un cordon d’alimentation mondialement homologué et marqué
“<HAR>”, 3 - conducteur, câble de 0,75 mm2 minimum, de 300 V, avec une gaine en PVC isolée. La
prise à l’extrémité du cordon, sera dotée d’un sceau moulé indiquant: 250 V, 3 A.
ZONE A ACCÈS RESTREINT
L’équipement alimenté en CC ne pourra être installé que dans une zone à accès restreint.
CODES D’INSTALLATION
Ce dispositif doit être installé en conformité avec les codes électriques nationaux. En Amérique du
Nord, l’équipement sera installé en conformité avec le code électrique national américain, articles
110-16, 110 -17, et 110 -18 et le code électrique canadien, Section 12.
INTERCONNEXION DES UNÎTES
Les câbles de connexion à l’unité RS232 et aux interfaces Ethernet seront certifiés UL, type DP-1 ou
DP-2. (Remarque- s’ils ne résident pas dans un circuit LPS).
PROTECTION CONTRE LES SURCHARGES
Un circuit de dérivation, facilement accessible, sur le dispositif de protection du courant de 15 A doit
être intégré au câblage du bâtiment pour chaque puissance consommée.
BATTERIES REMPLAÇABLES
Si l’équipement est fourni avec une batterie, et qu’elle est remplacée par un type de batterie
incorrect, elle est susceptible d’exploser. C’est le cas pour certaines batteries au lithium, les
éléments suivants sont donc applicables:
• Si la batterie est placée dans une zone d’accès opérateur, une marque est indiquée sur la
batterie ou une remarque est insérée, aussi bien dans les instructions d’exploitation que
d’entretien.
• Si la batterie est placée ailleurs dans l’équipement, une marque est indiquée sur la batterie ou
une remarque est insérée dans les instructions d’entretien.
ATTENTION
Risque de choc et de danger électriques. Le débranchement d’une seule alimentation stabilisée ne
débranche qu’un module “Alimentation Stabilisée”. Pour Isoler complètement le module en cause, il
faut débrancher toutes les alimentations stabilisées.
Attention: Pour Réduire Les Risques d’Électrocution et d’Incendie
1. Toutes les opérations d’entretien seront effectuées UNIQUEMENT par du personnel d’entretien
qualifié. Aucun composant ne peut être entretenu ou remplacée par l’utilisateur.
2. NE PAS connecter, mettre sous tension ou essayer d’utiliser une unité visiblement défectueuse.
3. Assurez-vous que les ouvertures de ventilation du châssis NE SONT PAS OBSTRUÉES.
4. Remplacez un fusible qui a sauté SEULEMENT par un fusible du même type et de même
capacité, comme indiqué sur l’étiquette de sécurité proche de l’entrée de l’alimentation qui
contient le fusible.
5. NE PAS UTILISER l’équipement dans des locaux dont la température maximale dépasse 40
degrés Centigrades.
6. Assurez vous que le cordon d’alimentation a été déconnecté AVANT d’essayer de l’enlever et/ou
vérifier le fusible de l’alimentation générale.
Sicherheitsanweisungen
VORSICHT
Die Elektroinstallation des Gebäudes muss ein unverzüglich zugängliches Stromunterbrechungsgerät
integrieren.
Aufgrund des Stromschlagrisikos und der Energie-, mechanische und Feuergefahr dürfen Vorgänge,
in deren Verlauf Abdeckungen entfernt oder Elemente ausgetauscht werden, ausschließlich von
qualifiziertem Servicepersonal durchgeführt werden.
Zur Reduzierung der Feuer- und Stromschlaggefahr muss das Gerät vor der Entfernung der
Abdeckung oder der Paneele von der Stromversorgung getrennt werden.
Folgende Abbildung zeigt das VORSICHT-Etikett, das auf die Radware-Plattformen mit
Doppelspeisung angebracht ist.
Electromagnetic-Interference Statements
The following statements are presented in English, French, and German.
Electromagnetic-Interference Statements
SPECIFICATION CHANGES
Specifications are subject to change without notice.
Note: This equipment has been tested and found to comply with the limits for a Class A digital
device pursuant to Part 15B of the FCC Rules and EN55022 Class A, EN 55024; EN 61000-3-2; EN
61000-3-3; IEC 61000 4-2 to 4-6, IEC 61000 4-8 and IEC 61000-4-11For CE MARK Compliance.
These limits are designed to provide reasonable protection against harmful interference when the
equipment is operated in a commercial environment. This equipment generates, uses and can
radiate radio frequency energy and, if not installed and used in accordance with the instruction
manual, may cause harmful interference to radio communications. Operation of this equipment in a
residential area is likely to cause harmful interference in which case the user is required to correct
the interference at his own expense.
VCCI ELECTROMAGNETIC-INTERFERENCE STATEMENTS
KCC KOREA
Figure 12: KCC—Certificat de la commission des communications de Corée pour les equipements de
radiodiffusion et communication.
Figure 13: Déclaration pour l’équipement de classe A certifié KCC en langue coréenne
Hinweis: Dieses Gerät wurde geprüft und entspricht den Beschränkungen von digitalen Geräten der
Klasse 1 gemäß Teil 15B FCC-Vorschriften und EN55022 Klasse A, EN55024; EN 61000-3-2; EN; IEC
61000 4-2 to 4-6, IEC 61000 4-8 und IEC 61000-4- 11 für Konformität mit der CE-Bezeichnung.
Diese Beschränkungen dienen dem angemessenen Schutz vor schädlichen Interferenzen bei Betrieb
des Gerätes in kommerziellem Umfeld. Dieses Gerät erzeugt, verwendet und strahlt
elektromagnetische Hochfrequenzstrahlung aus. Wird es nicht entsprechend den Anweisungen im
Handbuch montiert und benutzt, könnte es mit dem Funkverkehr interferieren und ihn
beeinträchtigen. Der Betrieb dieses Gerätes in Wohnbereichen wird höchstwahrscheinlich zu
schädlichen Interferenzen führen. In einem solchen Fall wäre der Benutzer verpflichtet, diese
Interferenzen auf eigene Kosten zu korrigieren.
ERKLÄRUNG DER VCCI ZU ELEKTROMAGNETISCHER INTERFERENZ
关于在非热带气候地区使用的设备,必须在随时可见的位置处粘贴包含如下内容的警告标记:
附件 DD:有关新安全警告标记的说明。
DD.1 海拔警告标记
标记含义:设备的评估仅基于温带气候条件,因此设备只适用于该运行条件。如果在热带气候地区使用设备,可能
会存在某些安全隐患。
Document Conventions
The following describes the conventions and symbols that this guide uses:
Example
Possible damage to Endommagement Mögliche Schäden an
equipment, software, or possible de l’équipement, Gerät, Software oder
Caution: data des données ou du Daten
logiciel
Additional information Informations Zusätzliche
complémentaires Informationen
Note:
A statement and Références et Eine Erklärung und
instructions instructions Anweisungen
To
A suggestion or Une suggestion ou Ein Vorschlag oder eine
workaround solution Umgehung
Tip:
Possible physical harm to Blessure possible de Verletzungsgefahr des
the operator l’opérateur Bedieners
Warning:
TABLE OF CONTENTS
Important Notices .......................................................................................................... 3
Copyright Notices .......................................................................................................... 4
Standard Warranty ...................................................................................................... 10
Limitations on Warranty and Liability ........................................................................... 12
Safety Instructions ....................................................................................................... 13
Electromagnetic-Interference Statements ................................................................... 22
Altitude and Climate Warning ...................................................................................... 26
Document Conventions ............................................................................................... 27
Overview
Strong network-level protection against attacks, such as, firewalls and intrusion detection systems,
is mandatory in all enterprise Web application environments.
However, in many cases, hacking techniques can legitimately access your Web application and
attack the back-end system using transactions that appear to be normal. These “application level”
attack techniques cannot be detected by network firewalls and intrusion detection systems. They
pass through unchecked, enabling access to sensitive information and systems.
In addition, because this activity looks like perfectly legitimate Internet traffic, the network security
team is completely unaware of these attacks until their effects are noticed.
Web Application Security makes use of software and hardware to protect Web applications from
internal and external threats.
As the tools and technology approaches used to create Web Applications change rapidly, developers
tend to spend more time in implementing these tools and technologies, and less time implementing
security in the Application. An application that has been developed with security in mind minimizes
holes and backdoors to the application. Holes and back doors leave the Application vulnerable to
potential hackers.
Security is becoming an increasingly important concern during development as applications become
more frequently accessible over networks and are, as a result, vulnerable to a wide variety of
Application-Layer threats.
Hacking or attacking Web Applications is a field of security that has no limits as to the number of
methods and techniques that can be used to gain illegal access, manipulate information or cause
damage to an enterprise. As these methods and techniques develop it is our aim to develop methods
and techniques through advanced technology to prevent harm to an application.
The following sections provide in-depth information about HTTP, the main protocol used to deliver
files and data across the Internet, as well as information on the known threats, vulnerabilities and
attack types as they are classified today by Security authorities such as the FBI, SANS (SysAdmin,
Audit, Network, Security) Institute, WASC (Web Application Security Consortium) and OWASP (Open
Web Application Security Project).
Introduction to HTTP
HTTP (Hypertext Transfer Protocol) is perhaps the most significant protocol used on the Internet
today. Web services, network-enabled appliances and the growth of network computing continue to
expand the role of the HTTP protocol beyond user-driven web browsers, while increasing the number
of applications that require HTTP support.
HTTP is the network protocol used to deliver virtually all files and other data (collectively called
resources) on the World Wide Web, including HTML files, image files, query results, or anything else.
A browser, known as an HTTP client, sends requests to an HTTP server (Web server), which then
sends responses back to the client. HTTP usually takes place over TCP connections, usually to port
80, though this can be overridden and another port used.
After a successful connection, the client transmits a request message to the server, which sends a
reply message back. The simplest HTTP message is “GET URL”, to which the server replies by
sending the named document. If the document does not exist, the server will send an HTML-
encoded message stating this.
HTTP is used to transmit resources, not just files. A resource is a chunk of information that can be
identified by a URL. The most common kind of resource is a file, but a resource may also be a
dynamically-generated query result, the output of a CGI script, a document that is available in
several languages, or something else.
HTTP Methods
HTTP defines eight methods (sometimes referred to as “verbs”) indicating the desired action to be
performed on the identified resource.
• HEAD—Asks for the response identical to the one that would correspond to a GET request, but
without the response body. This is useful for retrieving meta-information written in response
headers, without having to transport the entire content.
• GET—Requests a representation of the specified resource. By far the most common method
used on the Web today. Should not be used for operations that cause side-effects (using it for
actions in web applications is a common misuse).
• POST—Submits data to be processed (for example, from an HTML form) to the identified
resource. The data is included in the body of the request. This may result in the creation of a
new resource or the updates of existing resources or both.
• PUT—Uploads a representation of the specified resource.
• DELETE—Deletes the specified resource.
• TRACE—Echoes back the received request, so that a client can see what intermediate servers
are adding or changing in the request.
• OPTIONS—Returns the HTTP methods that the server supports for specified URI. This can be
used to check the functionality of a web server by requesting '*' instead of a specific resource.
• CONNECT—Converts the request connection to a transparent TCP/IP tunnel, usually to facilitate
SSL-encrypted communication (HTTPS) through an unencrypted HTTP proxy.
Caution: Your application is not susceptible to attack if it is not vulnerable. Maintaining the
Application constantly and keeping up-to-date with vulnerability information and fixing potential
risks in the application must be considered a priority and not an unpleasant task.
The following table summarizes the Top Ten vulnerabilities in Web Application security as classified
by OWASP.
AppWall Overview
Web Application Security includes diverse methods and techniques that protect Web applications
from internal and external threats. Alteon Web Application Security capabilities include:
• AppWall—The Alteon integrated AppWall capability secures Web applications and enables PCI
compliance through mitigation of Web application security threats and vulnerabilities. It
prevents data theft, manipulation of sensitive corporate data, and protects customer
information. AppWall incorporates scalable intrusion detection and prevention systems that work
seamlessly to detect threats, generate events, and block both internal and external attacks
against critical corporate data without impacting day-to-day operations.
• Authentication—The integrated Authentication gateway capability reduces operational costs
by providing centralized and simplified identity and access management infrastructure, by
offloading the user authentication process, and by simplifying the identity and access
management infrastructure. The module can be used independently of, or together with, the
AppWall capability to create role-based policies.
Licensing
AppWall and Authentication Gateway capabilities can be used together or separately, thus each
capability requires its own license.
The AppWall license allows for AppWall capability on the entire device.
To view the AppWall license, on the Global Administrator Web UI navigate to Configuration >
System > Licensing and select the Feature Licenses tab.
The Authentication license allows for Authentication capability on the device and limits the number
of concurrent users that can be authenticated on the device.
To view the Authentication license, on the Global Administrator Web UI navigate to Configuration >
System > Licensing and select the Capacity Licenses tab.
Note: For more information regarding core affinity, refer to the Alteon Application Switch
Operating System Application Guide.
2. In the vADC tab, click the (Add) button to configure a new vADC, or select a vADC and click
With extensible and highly-granular security filters and policy management features, AppWall
Management Application enables users to define acceptable Web Application behavior. Any behavior
that deviates from explicit policy generates an event or triggers specific action to counter an attack.
AppWall supports RESTful API for configuration of specific settings and common flows.
To view the full RESTful API documentation, including a list of supported actions, go to:
https://<AppWall IP>/appwall-api-doc/v2/
AppWall Management Application provides centralized administration, management, reporting, and
forensics for the AppWall module. This information is presented through four views based on the
individual’s role in the organization:
• The Configuration view allows IT and/or security personnel to configure AppWall. They can also
establish and manage user privileges for viewing threat information and policies.
• The Security Policies view is where security rules and filters are defined using a flexible and
powerful interface.
• The Auto Discovery view provides linkage between the Security Policy and the physical view of
the application. This is performed by automatic detection of the entire Web Application structure
and displaying the tunnel, host, folders, files (pages), cookies and parameters related to the
application. The Auto Discovery view is available only in the Java based app.
• The Forensics view provides access to historical information, allowing users to perform detailed
analysis of event logs to identify trends and needed areas of improvement as well as generate
reports based upon the recorded events.
• The Dashboard view offers at-a-glance views of the entire Web Application’s security posture of
the enterprise. Authorized users can view real-time security events, respond to violation events,
and check on the status of servers, gateways, and monitors across the organization.
Note: When TACACS is configured in Alteon, authentication to the AppWall management console is
based on the TACACS configuration and the user role (in version 31.0.230.5.5, Admin only). Alteon
send the authentication information to AppWall to allows an open connection to the AppWall
Management Application.
Note: Many toolbar functions are available as right-click menus. Right-click a node to display its
menu.
Status Bar
The Status Bar provides updates on the AppWall .
Context–Sensitive Help
AppWall Management Application has context-sensitive help. Click ? on the top right corner of the
window to access help on any node, toolbar button, dialog box, or window.
The Help contains a Table of Contents, Index, and a full-text search function.
Property Description
Server IP The IP of the server.
Admin Port The admin port number.
Server Type Type of AppWall server: Gateway.
Server Version The software version of the AppWall server, including build number.
Service Last Date and time AppWall was last started.
Started
Last Changes Date and time the last Apply was performed.
Applied
Pending Reports whether changes await an Apply before updating AppWall.
Operating Operating system on which this AppWall server is running. Can be Windows, SUN
System or Linux.
Current Status Current status of AppWall: starting, running, or stopped.
Login Requires Reports whether this login user requires authorization.
Authorization
Logged-in User Login name of user running the AppWall Management Application Console and
the name of the Group to which the user belongs.
Deployed In Type of deployment (for example, Inline, Reverse Proxy).
Initialization Details if initialization ended successfully.
Status
Cluster Manager Member of a cluster: True or false
Member
Auto Discovery On or Off (whether auto-configuration is enabled or disabled).
Status
Initial Configuration
To activate AppWall and/or Authentication capabilities on a specific Web Application, the flowing
steps are required:
• Enable AppWall and Authentication on the Alteon vADC.
• Configure a Secure Web Application object and enable for it AppWall and/or Authentication.
• Attach the Secure Web Application to the virtual service that processes the required traffic.
• Edit Security Policy for the Secure Web Application.
Configuration Options
For common AppWall deployment scenarios, the full range of deployment, configuration, and
maintenance options offered may be superfluous, unnecessary, and time consuming. Some
advanced security policy tools may generate false positives and may require manual policy
management, which is prone to human error and requires knowledge of Web application security
and familiarity with secured Web application technologies and structures.
To address these challenges, a simplified mode of delivery is available that
• applies global policies, instead of page-based or application path-based settings. A single
application path "/" is created per application.
• removes the option of low-severity rules that have a high tendency for false positives (for
example, in the Database Security filter).
• provides out-of-the box settings, which reduce human interaction when not required (for
example, when a syslog sever is configured, there are default publishing rules).
This mode of delivery also reduces the complexity of the user interface to shorten the learning curve
and reduce the time required by administrators to review and maintain the security policy.
The two license options available are:
• AppWall for Alteon—Comprises the simplified mode of delivery.
• AppWall+ for Alteon—Offers the full range of all options and features for advanced users.
The differences between the AppWall for Alteon and AppWall+ for Alteon options are detailed for:
• Configuration View, page 59
• Security Policies View, page 60
• Forensics View, page 60
Configuration View
The AppWall for Alteon option includes the following differences from the full AppWall+ for
Alteon version in the Configuration view:
• The Web farm, hosts, filters and TCP tunnels are hidden.
• In the HTTP tunnel, General Properties tab:
— The following options are hidden: Include tunnel in default Web app, Auto tunnel
optimization, Tunnel Thread Count, Ignore Automatic Escalation, Propagation
— Escalation Default Mode change to Operational Mode
• In the HTTP Properties tab, all options are hidden with permissive settings, except the following:
— Only Use Code Page Encoding for URL and parameter
— Allow Message with Parameter value that failed text normalization
— URL Query string delimiter
— Parameter Delimiter
— Session Delimiter
— Code page
— Custom headers: XFF
— Protection Against Slowloris
— Masquerade Server Identity
— Replace http reply message (500)
• The HTTP Message Size options are hidden. The following are set, non-editable, values:
— Start line: 20 KB
— Body: 1024 MB
— Total Headers: 50 KB
— Single Header: 5 KB
— Cookie header:10 KB
— Referer header: 5 KB
• In HTTP Parsing, the following are the differences:
— Exceptions are set for All URIs.
— All properties are hidden with permissive settings, with the exception of JSON parsing
(enable) and parameter parsing (for CDN flood mitigation).
• In Forensics view, the Escalation Log folder is removed.
• In Services > Publishers > Recipients and SMTP are removed.
• Publisher options are Syslog and SNMP.
• In Events, if the syslog sever is configured, a single publishing rule is automatically created for
all events.
Forensics View
In the Forensics view, the AppWall for Alteon option includes the following differences from the
full AppWall+ for Alteon version:
• Only default Forensics views display, with the option for filters.
• No folders display.
Note: The AppWall and Authentication capabilities must be provisioned on the vADC, before they
are activated.
Note: The tunnel and Web Application objects are inactive as long as the Secure Web Application is
not enabled and attached to a virtual service.
Authentication Servers
When the Authentication Gateway capability is employed it is necessary to configure the external
authentication servers, LDAP or RADIUS.
Notes
• Two-factor authentication scheme is used for SSO capabilities.
• The first Factor is a domain controller/LDAP server or a RADIUS Server type Standard, RSA
SecurID or Azure.
• The second Factor is a RADIUS server of type RSA SecureID or SMS Passcode or Azure (only if
the first factor is Azure too).
IP Groups
In order to create an IP-based role, you can create a new IP address group in the Configuration
view, select Management > IP Groups and click on the + icon. The group can be set to included
and excluded IP address ranges or IP address and mask pairs. Additionally, you can include or
exclude countries, based on a geo-location database.
You can then create an IP Group-based role in the Web user Roles section.
You can also combine IP Group settings with Radius and LDAP settings:
LDAP Roles
For LDAP servers you can add additional roles by mapping AppWall policy role to a group in the LDAP
server. The mapping is performed with an LDAP browser, which will enable you to connect to the
configured LDAP server and select a group in the server.
Once the role is defined, you can select this role under the host in the Security Policy view.
Examples
A You can limit access to your administrative section of the secured Web application only to users
who are members of the LDAP “Admin” group and to those who access the application internally
(10.*.*.*). Users accessing over VPN will also have an internal address.
B On the other hand, you can create a more restricted policy for users who are members of the
LDAP “Admin” group who access from external addresses in your local geography (with no
privileges to stop the application).
C You can also configure a “monitor only” policy for administrators when accessing from trusted
remote geographies (for example, from the UK).
D You can prohibit access to your application for any user (including LDAP “Admin” users) who is
accessing from a non-trusted location (for example, from North Korea).
General Properties
The following table shows a list of the general Tunnel properties.
Parameter Description
External SSL Indicates that before the AppWall device there was performed SSL
Offloading offloading. This means that the client uses HTTPS even though AppWall
sees clear HTTP traffic.
AppWall uses this information to decide on if to add cookies with HTTPS
only attributes for the authentication features and for other purposes.
Auto Tunnel The tunnel object has different settings that require optimization and
Settings modification once AppWall is deployed. When Auto Tunnel Settings
Optimization Optimization is enabled for the tunnel, it instructs the Auto Policy
Generation engine to automatically optimize tunnel level settings,
including message size settings both for the request and the response,
the of adding of new headers with explicit size limitations, and HTTP
parsing properties exceptions. By default, this is enabled.
Note: Note: Auto Discovery must be enabled for the Auto Tunnel
Settings Optimization to function.
Tunnel Thread The number of threads allocated for the configured tunnel.
Count Three possible values can be assigned: High, Medium and Low.
The recommended and default value is Medium. with this value the
maximum number of tunnels which can be configure in the system is 50.
If more tunnels are reacquired on a the AppWall device, configure the
Thread Count to Low, enabling up to 100 tunnels to be configured.
Parameter Description
Escalation
Default Mode Use this field to set the desired default escalation mode of the tunnel.
Options are Active, Bypass, and Passive for the AppWall Gateway.
Passive Message Use this field to set the desired behavior for receipt of a Build Failure
Build Failure message when the tunnel is in passive mode.
Handling
Ignore Automatic By checking this field, the tunnel will remain in the default mode until the
Escalation user changes to a different tunnel mode. When this field is checked, the
tunnel is not affected by escalation rules.
Propagation
These setting determines how AppWall propagates connectivity problems with the Web server
to the load balancer or client, due to the Web server being too heavily loaded or in situations
where the Web server is down. Until now, AppWall continued attempts to connect to the Web
server and accept new connections from clients, even in cases where there is no response from
the Web server.
Automatically This property definition stops the tunnel from accepting new client
Suspend Tunnel connections when the Web server does not accept new connections from
Upon Web Server AppWall due to server failure.
Failure
After __ Connection This defines the number of consecutive attempts to connect to the Web
Attempts server that were refused, which will cause tunnel deactivation. After this
number of attempts, if the "Automatically Suspend Tunnel Upon Web
Server Failure" flag is on, the tunnel will stop accepting new connections
Connections
These settings define the maximum number of pending and active connections.
Maximum Pending Maximum number of incoming requests that the tunnel can queue for an
Connections available session.
Maximum Active Maximum number of active connections (network sessions) at one time.
Connections
X-FORWARDED-FOR Header
This allows the user to add the IP address of the client to the request header.
In order for AppWall to process the original client IP address and not to use the TCP connection
source IP address (in cases there are Reverse Proxies in front of AppWall), AppWall can be
configured to extract the IP address from the X-Forwarded-For header.
AppWall will use the excreted IP address for IP address presentation in security event logs, in
learning and Auto Policy Generation and for Session Security filter IP address enforcement.
X-FORWARDED-FOR Check the box to add the X-FORWARDED-FOR header and delimiter to
Header the requests sent to the server.
Host Name
The Host Name tab provides management of Host Names. These Host (Virtual Host) names are
name values used in the HTTP Header: Host=HostName.
A value of <Any Host> is used for any undefined Host Values or for requests that do not have hosts
specified in the HTTP header. If your Web server does not use virtual hosting, <Any Host> should be
the only value specified.
Wildcards ("*" ) are also supported in the host name, for example, *.micro*.*
HTTP Properties
The following table shows the HTTP properties available.
Parameter Description
Allow High ASCII When enabled, AppWall allows High-ASCII Characters (127-255) in any
Characters part of a request or reply. The Unicode representation of the identified
high-ASCII characters is based on the selected codepage for this tunnel.
When disabled, High-ASCII characters are not allowed.
Enable/Disable from the drop-down menu or double-click and check/
uncheck box.
Only Use Codepage When selected, AppWall performs text-normalization using the tunnel
Encoding for URL codepage instead of UTF-8. Enable this setting when an HTTP request
and Parameter includes codepage-encoded characters that may be mistaken for UTF-8.
Screening When disabled, UTF-8 translation is used for text-normalization to
Unicode. For details, see Codepage Encoding.
Enable/Disable from the drop-down menu or double-click and check/
uncheck box.
Disable Persistent When enabled, disables persistent HTTP connections by including a
HTTP Connections “Connection: close” header in the request messages sent to the Web
Application
Enable/Disable from the drop-down menu or double-click and check/
uncheck box.
Allow Messages with When enabled, AppWall allows messages containing parameter values
Parameter Values that cannot be fully-normalized to Unicode to pass unchanged in value
that Failed Text- and treats them as a stream of bytes when evaluated. This occurs if
Normalization there is a failure with UTF-8, Codepage, Unescaping %HH Characters, or
Folding.
The failure to translate may be due to improper codepage usage,
improperly escaped characters or incorrect tunnel settings for
unescaping. For more information, see Codepage Encoding.
Enable/Disable from the drop-down menu or double-click and check/
uncheck box.
Support Quick-Click When enabled, AppWall allows Quick-Click Refinements on events
Refinement for generated for requests that cannot be matched to an enabled Application
Adding New Path.
Application Paths Enable/Disable from the drop-down menu or double-click and check/
uncheck box.
Session Delimiter The Session Delimiter is the character that separates the request URL
from the Session Token. The character is inserted twice into the request.
The Session Token is attached to the URL by the Session Security Filter.
Enable/Disable from the drop-down menu or double-click and check/
uncheck box Enter the character to be used as a delimiter.
Note: The / character cannot be used.
Parameter Description
URL Query String Specifies the character used in query strings to delimit the beginning of
Delimiter query parameters.
Parameters Character that separates the parameters in the URL. This character is
Delimiter used as a delimiter for parsing the parameters in a multi-parameter
string.
Double-click the text field and enter the delimiter.
Codepage Encoding Specifies the type of special characters (languages) your Web Application
Scheme client uses in its requests. This setting should be changed for Web
Applications that use characters other than Microsoft Windows 1252
(ANSI). For more information on encoding, see Codepage Encoding.
Select the Codepage Encoding scheme from the drop-down menu or
double-click and select from menu.
Support parsing to By default, query parameters are expected to conform to the
NULL_PARAMETER conventional parameter_name=parameter_value. By default,
_NAME of values instances with a parameter_value and no parameter_name are failed.
when query
When enabled, this request allows the above type of request to pass by
parameter names
assigning NULL_PARAMETER_NAME to parameter_name in all such
are null
instances.
Enable/Disable from the drop-down menu or double-click and check/
uncheck box.
Allow Double-Slash Allows HTTP request message to include a double-slash (/ /) in the URL.
in URL Using this setting, AppWall converts the double-slash (//) into a single
slash (/) prior to analyzing the message.
When disabled, the double-slash URL would raise an event as an invalid
URL. If the request message includes the http://expression, the double
slash is not converted.
Enable/Disable from the drop-down menu or double-click and check/
uncheck box.
Purge Multiple When enabled, all multiple slashes will be changed to a single slash
Slashes Enable/Disable from the drop-down menu or double-click and check/
uncheck box.
Analyze Path Enables the tunnel to send path parameters to the parameter-related
Parameters security filters for analysis whenever possible. Path Parameters are
embedded parameters in the request message URL (for example, http://
www.site.com/ docs; PathParameterName=PathParameterValue/
register.jsp?id=3).
Enable/Disable from the drop-down menu or double-click and check/
uncheck box.
Analyze Cookies as When enabled, the tunnel can send cookies as parameters to parameter
Parameters related security filters. This feature allows security filters, such as the
“Parameters” security filter, to check the submitted values in each
cookie.
Enable/Disable from the drop-down menu or double-click and check/
uncheck box.
Parameter Description
Allow Non-RFC When enabled, AppWall does not enforce the RFC requirements as stated
Compliant HTTP in the latest HTTP RFC (rfc2616).
Methods When disabled, any message containing an RFC-compliant method raises
an event. RFC documents are available from the World Wide Web
Consortium (W3C http://www.w3c.org/).
Enable/Disable from the drop-down menu or double-click and check/
uncheck box.
Parse Multi-Part When selected, the process that unescapes parameter values using the
without Unescaping %HH convention will not be used for multipart-post request-body-
(%HH) Values parameters. Instead, the “%” character is treated as a language
character (ASCII 37) in text-normalization.
Note: If this setting is disabled and unescaping fails, the message will
be considered invalid and may be rejected. To prevent this, enable
Allow Messages with Parameter Values that Failed Text-
Normalization.
Enable/Disable from the drop-down menu or double-click and check/
uncheck box.
Allow Trailing “%” When enabled, “%” at the end of a parameter value will be treated as a
Character in language character (ASCII 37), and not an escape code.
Parameter Values
Note: If this setting is disabled and unescaping fails, the message will
be considered invalid and may be rejected.
Enable/Disable from the drop-down menu or double-click and check/
uncheck box.
Use IIS Extended When enabled, URLs containing extended Unicode characters in the path
Unicode Measures name raise an event. This property enables an extra level of processes to
secure extended Unicode code points (character representations) that
are converted by AppWall or target application.
For example, the code points U+0041, U+0100, U+0102, U+0104,
U+01CD, U+01DE, U+8721 are recognized as Unicode A. For more
information on encoding, see Using IIS Extended Unicode Measures.
Enable/Disable from the drop-down menu or double-click and check/
uncheck box.
Parameter Description
Custom Headers You can add any headers you wish to the incoming request using this
field.
After you have added headers, you can edit or remove a header by
selecting the header and clicking Edit or Remove.
To add a header:
1. Select Enable
Parameter Description
Signature When enabled, this feature allows you to select various parts of the
request message and include them in a Signature that will be sent in the
request. This allows the Web server to verify the message source and
authenticity.
To enable:
1. Select Enable
2. Select whether the signature should be added for each Session or
each Message.
3. Enter the Header Name for the signature.
4. Select a mode for the signature: Pass & Sign Incomplete, Pass
Incomplete Unsigned, Fail Incomplete (disconnect).
5. You can select a Private Key by clicking Select and selecting a
certificate.
6. You can also include: URL, Forwarding IP, Forwarding Port, Date Time
(and if so, a Time To Live, in seconds), and/or one or more selected
headers, either from the message or from the custom headers you
created in Custom Headers.
7. Click OK when you are finished.
Slowloris protection For a mitigation with TCP Timeout:
This setting enforces protection against slowloris attacks that consume
web server resources by opening a TCP connection without sending data
or sending data very slowly.
The protection has two settings:
• Time Gap Between Checks: The time span during which the AppWall
is counting the traffic rate on the inspected connection.
• The minimal traffic volume threshold to trigger the protection.
The inspection is enabled during the first 60 seconds (Idle Session
Timeout) and the protection is applied during the next coming 30
seconds (Time Gap Between Checks).
Allow Extra Space The HTTP request line specifies the type of document requested, the
Padding in the HTTP method that must be applied, and the version of the protocol used. The
Request Line line is made up of the three elements separated by a space.
This property allows up to four extra spaces before or up to three extra
spaces after the protocol version but not before the URI.
Enable/Disable from the drop-down menu or double-click and check/
uncheck box.
Fast upload Fast Upload is a mechanism, if activated, where AppWall will send data to
threshold (in KB) the web server before AppWall will receive all the HTTP request. This
parameter is a general threshold for the URI configured in the tunnel to
bypass the Fast Upload feature if the HTTP request size is more than the
threshold. By default this parameter is not activated. To configure it, you
must enable it from the "HTTP Properties" screen adding at least one URI
with the parameter "Fast Upload for large HTTP requests" checked.
Parameter Description
Compressed Replies The Compression configuration allows compressed content (gzip and
Settings deflate) to be sent as long as the request contains the “Accept-Encoding”
header. This setting determines how the HTTP header is to be handled.
When a reply contains a compressed content it must include the
“Content-Encoding:” header. Every security filter that is configured to
examine the reply body decompresses the message body in the event
the body is compressed; therefore, only inspected replies are
decompressed. If the reply body is modified by one security filter it can
than be examined by other security filters.
If Compression is disabled, the “Accept-Encoding” header is set to
"identity".
If "Force recompress" is selected, the modified reply body is then re-
compressed and sent to the client. If the reply was not modified, the
original buffer is sent to client.
Note: Encoded (compressed) content prohibits text-normalization and
greatly restricts security capabilities for analyzing outgoing reply
messages.
Enable/Disable from the drop-down menu or double-click and check/
uncheck box.
Terminate 100 When enabled, the appliance acts as a successful termination point for
Continue Replies HTTP 100 Continue requests, without forwarding these requests to the
Web servers.
Enable/Disable from the drop-down menu or double-click and check/
uncheck box.
Allow Client Cache When enabled, caching of POST data is permitted when Back is clicked
Control in the client’s browser.
Enable/Disable from the drop-down menu or double-click and check/
uncheck box.
Replace the HTTP Allows you to remove or replace the standard HTTP reply messages with
Reply Messages custom messages of your choice. You can change the replies according to
with Custom one or more ranges of status numbers. If replacing the message, place
Messages the new message into a file and include the file using the interface.
To enable:
Parsing Properties
The HTTP Parsing Properties Configuration tab under the tunnel configuration enables you to exclude
any of the 33 HTTP parsing settings which used to be enforced.
1. On the URL window, click New to add any URL or name a specific URL for parsing criteria to be
applied.
2. To update an existing list, click Edit or Delete as appropriate.
3. Once you open the URL Properties pane, mark in the value boxes which properties you wish to
apply to the URL.
Parameter Description
Property Allows parsing criteria.
Value Mark as appropriate for parsing.
4. Click to add values and then OK to exit. Your values are saved.
5. You can set the configuration for all the URLs in a tunnel or per specific URL.
6. When you have finished, the Parsing Properties pane should look like the following example.
7. By selecting the Parsing properties name, you can view more detail and edit if required.
8. Click Submit and Save to save your changes or Revert to discard them and revert to your
previous settings.
Parameter Description
Start Line Maximum length allowed for a request (URL) line. This accounts for path
and query parameters.
Body Maximum length of the entire body of a request message. Because Files
> Upload places the files in the Body you may need to increase this to
accommodate file sizes. This total should also include addition bytes for
the body HTTP protocol.
Total Headers Maximum length of the entire HTTP Header of a request. This value
should be larger than the total of the sizes of the expected Header values
included in any given request plus additional bytes for the header HTTP
protocol. This value cannot be less than the Single Header setting.
Parameter Description
Single Header Maximum length of a single Header entry. This entry must be greater
than or equal to the largest value in the Header table below.
The Header table lists all the headers by names and maximum size for each Header Name
added to the list.
Click the (Add) button to add a header name and maximum size (in Bytes) to the Header
table, or select an entry and click the (Edit) button to edit the header name and/or
maximum size of that header.
The maximum size should be less than or equal to the Single Header entry and should be the
total bytes for the Header Name and Header Value statement (that is, Header Name length +
Header Value length + 1). For example, the HTTP Header:Cookie=123456789 is 16 characters
total.
Security Bypass
The Security Bypass feature allows you to indicate file types and parameters that can be requested
without additional validation.
There are many file types and parameters that pose little or no threat in an HTTP or HTTPS
request, such as images and video. By not subjecting these requests to further processing, you can
reduce resource usage and increase speed.
For any of the listed file types, select the file extensions for which the Security Bypass feature should
be applied. Deselect the file extension to remove the Security Bypass feature from that file type.
Similarly, for any of the listed parameters, select the parameter for which the Security Bypass
feature should be applied and deselect it to remove the Security Bypass feature.
To add a file type or parameter to the list, click for either the file type or parameter, enter the
extension or parameter, respectively, and click OK.
Parameter Description
Enable Enables/Disables the Publisher.
Publisher Server IP The IP address of the server where the Publisher resides.
TCP Port The port number for the machine on which the Publisher resides.
Parameter Description
Accept Connections Use Add, Edit, or Remove to enable connections. You can enter an
from IPs unlimited number of IP addresses to the Publisher.
To specify multiple IPs, use two asterisks in an IP subnet mask. The
wildcard characters can hold one placeholder in the IP format and
represent a range of 0-255.
The following table shows correct and incorrect use of the asterisk
wildcard for specifying an IP subnet mask:
Correct Incorrect
255.*.*.1 10.*2.*.188
10.6.204.* 145.*.*.*
*.*.10.93* .1.*.*
Deny Connections Use Add, Edit, or Remove to deny connections. This list refines the Deny
from IPs Connections From list. By itself, the Deny Connections From field has no
affect because all IPs are automatically blocked unless listed in the
Accept Connections From field.
Maximum The maximum number of concurrent connections permissible.
Connections Limit
4. Click Submit and Save.
5. On the AppWall Management Application toolbar click Apply .
Notes
• Many of the settings in the Events node affect the Publisher’s functionality for the various levels
of events.
• The ability to use a centralized publisher for multiple AppWall servers allows you to specify which
Publisher handles certain AppWall servers. This raises certain sharing issues, which should be
understood.
• Adding the Deny Connections from IP settings effectively disconnects publishing for the specified
AppWall servers, including AppWall servers configured in other Consoles.
Parameter Description
Enable Clear to disable feature. Select to enable an event to send a syslog
notification and fill in remaining fields to specify where to send the trap.
Forwarding Address IP address sending the trap.
Destination/Port IP address and port number where the syslog notification is sent. Use
Add, Edit, or Remove to manage this setting.
4. Click Test Settings to check the settings.
5. Click Submit and Save. The Publisher automatically restarts when the configuration is saved.
Out-Of-Path Mode
AppWall for Alteon supports out-of-path deployment mode. In this mode, ingress and egress traffic
is duplicated for inspection by AppWall resulting in a risk-free WAF deployment. AppWall inspects the
incoming and outgoing traffic without any impact, delay, or risk on the inline traffic.
This mode is ideal for performance sizing, fine tuning the security policies, and easy turnover to
inline active mode once configuration is set.
Both HTTP and HTTPS traffic are supported.
Out-of-path mode enables simple deployment for the purpose of application traffic analysis and
security visibility. Policy can be automatically generated similarly to the inline gateway with no
impact of client traffic performance or risk.
Note: This deployment option is relevant for WAF functionality only. Authentication and SSO are not
supported in this mode.
Note: For DefensePro x420 devices, you must manually add the AppWall Profile (AppWallAttack)
to the network policy of the relevant destination network.
Escalation
AppWall Gateways are deployed in-line for intrusion prevention. They offer multiple modes of
operation:
• In Bypass Mode—AppWall Gateways allow traffic to pass through with zero performance
impact
• In Passive Mode—They examine inbound and outbound traffic to detect security violations
• In Active Mode—AppWall Gateways provide full intrusion prevention to immediately detect
threats, generate alerts, and block attacks
Radware’s Intelligent Escalation technology grants superior control over Web application security. It
allows policy establishment that trigger the escalation of AppWall Gateways across the enterprise.
For example, an organization could deploy AppWall Gateways in Bypass or Passive Modes to
optimize operational performance and capacity until there is reason to believe the enterprise is
under attack.
Upon detection of a suspected attack attempt, the tunnel automatically escalates the security
posture proportionally to the estimated level of risk, promoting the mode AppWall Gateways into
Bypass or Active Mode. Escalation of the tunnel is configured according to Escalation Rules.
For further details see the APSolute Vision Reporter User Guide.
6. Click Apply.
7. Click the Vision Reporter button located at the top of the AppWall Management Application
window. You are taken to the Security Certificate window for the APSolute Vision address that
you specified in setup.
8. Follow the on-screen instructions including user/password authentication where appropriate.
The Vision Reporter window now displays.
Threat Description
Parameters Tampering Sends false input to the application using contrived parameters and
parameter values that bypass simple security mechanisms.
Cookie Poisoning Changes the content of cookies from what was originally set by the
application and can forge a cookie with stolen information.
SQL Injection Uses the Web Application’s database access to execute unauthorized
commands using SQL commands.
Session Hijacking Attempts to take over TCP sessions to seize control of a legitimate
user’s Web application session while that session is still in progress.
Web Services Exploits vulnerabilities inherent in web services formats, structure, and
Manipulation operations as well as dictionary and encoding manipulations.
Stealth Commands Smuggles command statements in text fields that will be executed
within a given layer of the infrastructure.
Debug Options Exploits vulnerabilities left open in internally developed code by using
debug constructs.
Backdoor Uses privileged or hidden access that applications may expose
unintentionally.
Manipulation of IT Exploits vulnerabilities in an integrated Internet environment, such as
Infrastructure known patterns and common fields/folders.
Vulnerabilities
3rd Party Misconfiguration Exploits configuration errors in third party components, such as web
and database servers.
Buffer Overflow Attacks Sends large request messages to the application attacking either 3rd
party or internally developed code.
Data Encoding Sends requests using different data encoding standards (for example,
Unicode, UTF-8, or UTF-16). These requests include code points
(character representations) used in Extended Unicode. Targets
variations in data encoding to pass and execute commands within
specific layers of the operating environment.
Protocol Piggyback Modifies the application protocol structure to include nested
commands, targeting variations in protocols to pass and execute
commands within specific layers of the operating environment.
Cross-Site Scripting (XSS) An XSS attack is a hacking technique that leverages vulnerabilities in
the code of a web application to bypass access controls such as the
same origin policy and inject client-side script (malicious content) into
Web pages viewed by other users. It may also collect some type of
data from the victim.
Brute Force Attacks Attempts to guess the Username and/or Password of an authorized
user by employing various automated tools.
OS Command Injection OS command injection can allow attackers to execute unexpected,
dangerous commands directly on the operating system. This weakness
can lead to a vulnerability in environments in which the attacker does
not have direct access to the operating system, such as in web
applications.
Threat Description
Cross Site Request A CSRF attack forces a logged-on victim’s browser to send a forged
Forgery (CSRF) HTTP request, including the victim’s session cookie and any other
automatically included authentication information, to a vulnerable web
application. This allows the attacker to force the victim’s browser to
generate requests the vulnerable application thinks are legitimate
requests from the victim.
Hot Link Hot-linking is the act of one site embedding content (such as images,
audio files, and videos) hosted on another site. This uses up the
‘bandwidth’ (data transfer allowance) of the site hosting the file, which
can be very expensive for webmasters who pay for hosting by the
amount of data transferred. Usually, this type of attack is performed
using a GET method on static pages or resources (for example,
images).
Information Leakage Different types of sensitive information such as (CCN), social security
numbers (SSN) and other custom patterns that you define as sensitive
are often provided to web application and thus might potentially be
accessed in a backend database storing this information.
Path (directory) Traversal This type of an attack can enable the attacker to access the file system
of the operating system running the web server.
Predefined resource This is an attack technique used to uncover hidden web site content
location and functionality. By making educated guesses using brute force an
attacker can guess file and directory names not intended for public
viewing. Brute forcing filenames is easy because files/paths often have
common naming conventions and reside in standard locations. These
can include temporary files, backup files, logs, administrative site
sections, configuration files, demo applications, and sample files.
Malicious file upload Uploading a malicious file, a script or an application to the web
application can enable in a second phase, activation of the uploaded
file and result in a lethal attack.
Directory Listing This is a fingerprint attack that exposes the structure and content of
the application, enabling the attacker to properly target his attacks. To
prevent a Directory Listing attack use AppWall to identify suspicious
GET requests with “/” at the end of the URI. The replies for these
requests are inspected to validate that there is no Directory Listing
information contained.
Parameter Pollution (HPP) An HTTP Parameter Pollution attack is a scenario where two
parameters with the same name but with different values are sent to
the Web server.
You can run a full automatic configuration of your Security Filters by selecting the Full Auto option.
This ensures that the relevant Security Filters are automatically set with the required mode,
according to AppWall.
For further information, see Auto Policy Generation, page 166.
You can also work with Auto Refinements enabled (for the relevant Filters) to ensure that
refinements are still generated automatically, whatever the mode selected. See also Security Filters
in Detail, page 89 for information on working with Auto Policy Generation profiles, which provide a
pre-defined configuration.
• Refinements tab—Most Security Filters provide a Refinements tab to allow you to manually
control events issued by AppWall. See the procedure below.
• Auto Policy Generation—Define a Security Filter’s automation level which will gather traffic
and statistical data to determine whether to change the filter mode automatically or add
refinements. For further details, see Auto Policy Generation, page 166.
Notes
• In an event view, an event can be refined using Quick-Click Refinement if a quick-click icon
displays to the left of the event in the event list.
• Quick-Click Refinements are added to the Security Filter’s Refinements page.
Note: For refinements to function, when you create the Application Path you must enable the filter
on the Application Path level.
Default Status
The default status of the AllowList Security Filter is not enabled. Be sure to configure this Security
Filter before enabling it. If the Security Filter is enabled without configurations, all requests received
on the Application Path are automatically evaluated as invalid and will generate an event.
Example of Use
For this example, assume the AllowList Security Filter is enabled and configured with the following
list of paths (allowing path requests by remote users).
If a remote user requests the default.htm page, the HTTP message sent to the Web server is
equivalent to:
GET /default.htm HTTP/1.1
This request exactly matches record #1, therefore no event is generated. Note that this definition is
Global so that any GET request for a default.html, regardless of the Application Path under the host,
is evaluated as valid, as long as the Security Filter is enabled on each Application Path.
If a request is submitted for admin.asp in a directory named administrator, the HTTP message sent
to the Web server is equivalent to:
GET /administrator/admin.asp HTTP/1.1
In this case, there is no match for such a request and an event is generated.
Some examples of permitted requests:
GET /trashfire.mpeg HTTP/1.1
GET /images/image01.gif HTTP/1.1
GET /images/webhelp/15267.jpeg HTTP/1.1
PUT /PostDestination/MyFile.txt HTTP/1.1
GET /NewPages/specialoffers.htm HTTP/1.1
HEAD /BackUpPages/JANold/admin.htm HTTP/1.1
PUT PostDestination/banner.png HTTP/1.1
Some examples of prohibited requests:
PUT /images/innocent.exe HTTP/1.1
GET multimedia/news real/trashfire.mpeg HTTP/1.1
OPTIONS /NewPages/ HTTP/1.1
POST /Portfolio/Orders.asp HTTP/1.1
GET /DB/students.dbf HTTP/1.1
2. Click the (Add) button, or select an existing entry and click the (Edit) button to
modify.
3. Complete the fields using the table below, and click OK.
Note: All refinements added to the list are entered with the exact date and time it was last
matched by a request. This provides useful information when viewing the refinements by date.
Field Description
Application Path Level Select whether to apply only to a single Application Path or to all
Refinement/ Global Application Paths.
Refinement
Web Application Web Application containing the host.
Tunnel Tunnel containing the host.
Host Host containing the Application Paths where the Security Filter should be
used.
Application Path Application Path where the Security Filter should be used.
HTTP Method HTTP method to be screened by this definition.
Page Allowed relative path/page below the host. Allows entry of extensions
using the asterisk character followed by the period and extension, for
example: *.xxx The entry must end with either an extension or a forward
slash.
Use Regular Select to enable use of a regular expression in the Page definition. You
Expression must add a valid regular expression and escape all necessary characters.
Recurse to Sub Allows requests below the path specified. When disabled, only the pages
Directories and files in the immediate folder are allowed.
Pathname Auto-generated field.
Notes
• You should include all security pages, redirected pages, multimedia, and other supporting files
on the Application Path into the AllowList specifications list. This includes files that reside in the
Application Path that are called by pages inside and outside of the Application Path.
• Any unlisted Path and Method combination will be considered invalid.
• If you remove an AllowList specification without providing another entry to cover the page,
requests for that page are treated as invalid. If you remove all specifications, all requests are
invalid.
• Any broken links leading to a specified page should be corrected in order to avoid unnecessary
events.
• If the AllowList Security Filter is enabled, the Security page must be in the list.
Default Status
The default status of the BruteForce Security Filter is disabled. Applying this Security Filter requires
configuration. Note that the Auto Policy Generation Full Auto mode is not available for this Security
Filter.
Example of Use
Consider a potential hacker attempting to execute a Brute Force attack against your Web server,
using an automatic tool. The hacker has acquired the username of an authenticated user, however,
has not managed to acquire the user’s password to login to the system.
The hacker applies the use of an automatic tool to guess the password of the user. The hacker then
sends requests to the login page with the user name and passwords generated by the automatic
tool. The hacker sends these requests at a rate of 50 requests per minute.
The BruteForce Security Filter, which has been configured to allow 5 login attempts per IP over a
time frame of 120 seconds, detects that hacker’s IP as a potential attack and blocks the IP for as
long as you have defined. After the IP is released from the block, it is monitored for an additional 10
minutes (to rule out cases where a legal user has forgotten his user name or password). If more
login attempts have been made by the same IP, the BruteForce Security Filter blocks the IP again.
The Time Frame field in the Settings tab, as shown above, enables you to define the amount of time
(in seconds) for periodical monitoring of Brute Force attacks. You can also define the amount of Min
OK Replies to Declare Shared IP and whether or not to automatically detect Shared IP addresses. In
addition, you can define Profiles which allow the user to configure thresholds for determining
whether certain IPs present a risk of attempting to carry out a Brute Force attack. The Profiles are
also used to define the threshold to deal with Shared IPs. The Refinements tab allows the user to
define the rules and patterns to apply to a specific page in a Web Application, Tunnel, Host, or
Application Path.
Field Description
Time Frame The amount of time (in seconds) used to measure Brute Force attacks.
Min OK Replies The minimum number of OK replies in order to declare the IP as a Shared IP.
to declare
Shared IP
Shared IP Auto Check this box if you wish for the filter to automatically detect Shared IPs.
Detect
Show Auto Use this setting in order for IP addresses detected as Shared IPs to be displayed
Detected in the Shared IP list. This can be used if the user wishes to treat all IP addresses
Shared IPs as regular IPs.
Shared IPs Lists all IPs that have been detected, declared, and added as Shared IPs (a
Shared IP means that one server with one IP address holds multiple domain
names, therefore, all users connected through the same HTTP proxy server will
have the same IP address). IP addresses that have been detected as Shared IP
addresses (an icon displays in the Tips column of the list) require that the user
Accept them as such. Upon accepting the IP address, the icon is removed, and
the IP is set to the Shared IPs list.
Ignored IPs Lists all IPs that the user wishes the BruteForce Security Filter to bypass without
checking. All IP addresses in the Ignored IPs list will not be checked for
BruteForce attacks (entries in this list should be only those from trusted IPs,
such as administrators or scanners).
You can also add IP address ranges using the * wildcard.
Note: IP address ranges must match the following format:
-- Allowed: 1.2.3.* or 1.2.*.* (wildcard must be followed by another wildcard)
-- Prohibited: *.2.3.4 or 1.2.*.4 (initial wildcard or followed by a number)
Profiles Profiles are created to determine the rules and actions to be executed upon
detection of a Brute Force attack.
<> Use the arrow buttons to move IP addresses to and from the Shared IPs and
Ignored IPs lists. Recommended, for example, for moving an IP address of your
QA department declared as a Shared IP to the Ignored IPs list.
8. In the Shared IPs pane, click the (Add) button to manually add Shared IPs to the list (this
list will display the manually added IPs as well as the IPs detected by the Security Filter and
declared as Shared IPs).
9. In the Ignored IPs pane, you can add, edit or delete IP addresses that the Security Filter will not
check for Brute Force attacks (use this for known IPs, such as administrators or scanners).
10. Select the Profile to use to define thresholds for potential Brute Force attacks.
11. Click Submit and Save and Apply .
Field Description
IP Enter the address of the Shared IP.
Description Enter a description for the Shared IP.
Field Description
IP Enter the address of the Ignored IP.
Description Enter a description for the Ignored IP.
Field Description
Name Enter the unique name of the profile.
Description Enter a description for the profile.
Action Enter the action to perform upon profile activation and time frame for the action.
Options for the Profile Actions are:
• Log Once – The defined threshold has been met and logged once in the
Security Event Logs (in the event of an attack, this is useful to refrain from
multiple log entries).
• Log Event Only – The defined threshold has been met and logged in the
Security Event Logs (each request is logged as a separate event).
• Block and Log Event – the IP has been blocked and an event has been
logged.
Minimum The minimum number of hits before threshold is reached and events are logged.
Threshold Hits
per IP
Minimum Bad The minimum number of bad replies logged after threshold is reached.
Replies after
Threshold
Minimum Bad The minimum number of bad replies for Shared IPs as set within a configured
Replies for time frame.
Shared IPs
within
configured time
frame (%)
….for The amount of time (in seconds) for the action:
• Log Once – the event will be logged once. In the event that the IP has
reached the defined threshold after the set time period, it will be logged
again.
• Log Event Only – Events will be logged for the set time only.
• Block and Log Event – The IP will be blocked for the set time and each
request will be logged as a separate event during that time.
Field Description
Web Application Web application containing the tunnel.
Tunnel Tunnel containing the host.
Host Host containing the Application Paths where the security filter will be applied.
Application Path Application Path where the security filter will be applied.
Page Allowed relative path/page below the host.
Pathname Auto-generated field.
If no Pattern is In the event that a request from an IP does not match any Pattern (see below),
Detected, treat the user can decide whether or not to treat the reply as a Good Reply or Bad
Reply as: Reply.
• Good Reply—The request from the IP was not supposed to match any of the
patterns defined to intercept Brute Force attacks, therefore, this is a good
reply.
• Bad Reply—The request from the IP should have matched any of the
patterns defined to intercept Brute Force attacks, therefore, this is a bad
reply.
Use Profile Select the Profile to use from the drop-down menu. The selected Profile rules will
be applied to the defined page.
You can use the button to add a Profile from this location.
To add a pattern
Note: Patterns are checked according to the order they appear in the table. You can use the Up/
Down arrows to move patterns up or down in the list.
Default Status
By default, the Database Security Filter is enabled and does not require specifications to be applied.
If the Security Filter is used in conjunction with the WebServices, XML or Parameters Security
Filters, those Security Filters must be sequenced before the Database Security Filter.
At the filter level, you can define global Database Security refinements.
4. In the Settings tab, click the (Add) button to add a rule ID to the Unscreened Rules List at
the Global Level, or select an existing entry and click the (Edit) button to modify.
5. Select the Refinements tab.
6. Click the (Add) button, or select an existing entry and click the (Edit) button to
modify.
7. Select either Excluded Parameters or Excluded Rules.
8. Complete the fields as described in the table below.
9. Click Submit and Save and Apply .
Field Description
Web Application Web application containing the host.
Tunnel Tunnel containing the host.
Host Host containing the Application Paths where the Security Filter should be used.
Application Path Application Path where the Security Filter should be used.
Apply to Other When selected, the Security Filter will evaluate requests to undefined pages
Pages under the Application Path.
Page Allowed relative path/page below the host. Allows entry of extensions using the
asterisk character followed by the period and extension, for example: *.xxx The
entry must end with either an extension or a forward slash.
Pathname Auto-generated field.
Unscreened Use Add, Edit, Accept, and Delete to specify parameters that should not be
Parameters List screened. Clicking Add or Edit opens a dialog that allows adding or editing refined
parameters by Parameter Name. In the dialog, select the Regular Expression
checkbox if you are adding or editing a regular expression rather than a single
parameter.
For basic steps to use Quick-Click Refinements, see Refining Security Filters, page 88.
Notes
• When using the HTTPMethods Security Filter, be certain to allow the method (Put or Post) that
you are using.
• The specification in the HTTPMethods Security Filter should be made on the appropriate
Application Paths and not necessarily the Application Path where the PUT or POST is first
enabled.
• If you are using the POST method, the Target URL is automatically configured with FilesUpload
and is enabled to evaluate as valid all upload of files using the POST HTTP method.
• The FilesUpload Security Filter evaluates all configured requests irrespective of whether or not
the server is able to process the HTTP method used in the request.
Note:
For this example, assume the FilesUpload Security Filter is set to evaluate requests to upload picture
files (gif, jpg, jpeg, bmp) to a specific application. An event is generated and the request is blocked
when a user uploads a DOC file to the specified Application Path.
In addition, if the Security Filter’s Prevent File Retrieval From the Upload Destination property is
enabled, another event is generated if the user accesses the file once it is uploaded.
Note: The Full Auto Policy Generation mode is not available for this Security Filter.
4. In the Settings tab, click the (Add) button. Enter and extension and click Add or OK.
Table 28: FilesUpload Security Filter options - Enable POST Upload Type
Field Description
Post Acceptor
Reported on Web Application containing the directory where the file is uploaded.
Tunnel Tunnel used to monitor the script where the action is submitted.
Host Host that containing the directory where the action is submitted.
Role Select the role for the role-based security policy.
Application Path The path of the acceptor of the Post action, usually the CGI or script.
Post Destination
Reported on Web Application that contains the script where the action is submitted.
Tunnel Tunnel used to monitor the upload destination.
Host Host used to monitor the destination where the action is submitted.
Role Select the role for the role-based security policy.
Application Path Application Path used to monitor the upload destination.
Parameter Name POST parameter used in the file upload.
Prevent File When selected, generates events when requests access uploaded files.
Retrieval from the
Upload Destination
Prevent Addition When selected, generates events about configurations that may pose a
FilesUpload security risk when giving Post Acceptor permission on the same directory as a
Configuration on Post Destination. It is recommended that this setting be enabled.
Post Destination
Table 29: FilesUpload Security Filter options- Enable PUT Upload Typ
Field Description
Using PUT
Reported on Web Application containing the directory where the file is uploaded.
Tunnel Tunnel used to monitor the script where the action is submitted.
Host Host that containing the directory where the action is submitted.
Role Select the role for the role-based security policy.
Application Path The path of the acceptor of the Post action, usually the CGI or script.
Prevent File When selected, events are generated by requests to access uploaded files.
Retrieval from the
Upload Destination
Note the FilesUpload Security Filter is automatically enabled on the Post Destination directory. The
FilesUpload Security Filter will appear on two paths if the configuration spans two application paths,
Post Acceptor and Post Destination.
GlobalParameters validation is supported for URL, Path, XML, WebServices and Cookie Parameters
providing the proper settings are enabled on those Security Filters. When used in conjunction with
these Security Filters, the Security Filter sequence should be XMLSecurity, WebServices,
GlobalParameters, Parameters, Vulnerabilities, and then Database. Note that parameter checks
cannot be applied to overlap one another.
The GlobalParameters Security Filter provides a two part screening process in the following
sequence:
1. Default Expressions iterative screening for each listed expression.
2. Refinements applied to Application Path requests still deemed valid.
3. The GlobalParameters Security Filter supports use of the Bypass Flag. For information about the
Bypass Flag, see Setting the ByPass Flag and Operating Mode, page 123.
Default Status
Because the GlobalParameters Security Filter is not enabled by default, it must be enabled on the
Application Path using the Security Policies view.
Note:
For example, assume that corporate databases located on server-1 (10.0.0.155) process requests
from Web applications residing on remote servers. Requests may be for different databases in
separate directories. The databases contain an array of fields.
If characters that are not valid for database field values are detected, the requests that contain
them are stopped from reaching the server.
The Security Filter can be configured as follows:
• To restrict parameters to a length of 256 characters and to only allow alphanumeric characters,
periods (.), commas (,), characters (@), and white spaces.
• Refinements setting for the Application Path specify that percent (%) characters should generate
an event.
Note: The GlobalParameters Security Filter supports Validation Bypass for Parameters. A parameter
bypass is a filter-to-filter communication system of validation credentials. In turn, these credentials,
carried by a parameter, can be honored by future Security Filters as a free exemption from
validations.
Type Description
Long A value range where Max/Min values +/-2,147,483,648
Float Double precision float 15 decimal-digits for mantissa and range of:
+/-308 for exponent
Number range is +/-1.7976931348623157E 308
Smallest positive number is: 2.2250738585072014 E -308
Numeric Numeric range value (digits 0-9)
Alpha Alpha length. Values limited to characters a-z and A-Z.
AlphaNum Alpha-numeric length. Values limited to: a-z and A-Z.
Expression Valid regular expressions with limits dissected by the regular expression
which can be either value length or range.
String String length. Characters that may pass depend on the tunnel properties
(by default, only chars that pass text-normalization (codepage and UTF8
normalization).
To prevent buffer overflows without preventing sizable inputs in
parameters, enter the maximum size in kilobytes. For example, if a buffer
overflow error occurs at 10MB (10240 KB), specify a maximum that is
slightly less than this value (10235).
Null Parameter Only empty values permitted (no greater than zero length).
This setting should not be confused with the Allow a Null Value setting
that is supported with other parameter types and allows Null as an
alternate value.
7. Click the (Add) button, or select an existing entry and click the (Edit) button to
modify.
8. Complete the fields using the table below.
9. Click the Refinements tab to open the Configure Page Settings dialog box.
10. Complete the fields using the table below, and click OK.
11. Click Submit and Save and Apply .
Field Description
Value Type Select the expression type.
Minimum Length Enter the lower bound range value or minimum string length.
Not applicable for Expression type parameters.
Maximum Enter the upper bound range value or maximum string length.
Length Not applicable for Expression type parameters.
Allow a Null Select to allow parameters with Null values, for example, “SearchString=” where
Value the second part of the expression is empty.
When disabled, parameters with Null values are considered invalid.
Apply to Listed Select to validate only parameters in Parameters List. When selected, a
Parameters Parameter List area opens for you to build the parameter list.
Apply to All Select to validate every parameter passed through the Security Filter.
Parameters
Always Check Select to always check all parameters and ignore Bypass credentials.
All Parameters
and Ignore
Validation
Bypass
Note: The tunnel’s HTTP Message Size properties will set limits on valid HTTP request and reply
sizes. This includes the URL, HTTP headers, and HTTP body sizes. If the defined parameter values
are sizable, you may need to adjust the associated settings to accommodate special requirements.
Default Status
The HTTPMethods Security Filter is enabled by default for all Application Paths under AppWall.
Initially, only GET and POST methods are defined as valid. Any request containing another HTTP
method results in an event and blocks the request.
Note:
For this example, assume that the HTTPMethods Security Filter has been configured to generate
events for requests using methods other than GET or POST and the following request is received.
DELETE /Database/Accounts.dbf HTTP/1.1
If-Modified-Since: Mon, 22 May 1970 12:00:00 GMT
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: Southern
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
Because the request uses the DELETE method, an event is generated when the request is received.
Note: The HTTPMethods Security Filter has no relationship to the Web server’s support or lack of
support for HTTP methods. It generates events based on its configuration, not on whether the Web
server is capable of processing the request method.
3. To add a method, click the (Add) button, or click the (Edit) button to modify a
method.
4. On the Configure Page Settings dialog box complete the fields using the table below and click
OK.
5. Click Submit and Save.
6. On the AppWall Management Application toolbar, click Apply .
— Header—Description
— Web Application—Web Application containing the host.
— Tunnel—Tunnel containing the host.
— Host—Host containing the Application Paths where the Security Filter should be used.
— Application Path—Application Path where the Security Filter should be used.
— Role — Role for the role-based security policy
— Page—Allowed relative path/page below the host. Allows entry of extensions using the
asterisk character followed by the period and extension, for example: *.xxx
The entry must end with either an extension or a forward slash.
— Pathname—Auto-generated field.
— Apply Default Methods—Select to include the default HTTP methods.
— Additional Permitted Methods—Use Add, Edit, Accept, or Delete to build the list.
Notes
• Routing on specifications works in the same manner as the routing for Application Paths.
• Specifications with the greatest number of matching path segments will be given the request.
For example, assuming the following structure on the Web server:
Default Status
By default, the Logging Security Filter is disabled. To enable this Security Filter by Application Path,
in the Security Policies view, select the Application Path and select the Security Filter’s Enabled
option button. Note that the Full Auto Policy Generation mode is not available for this Security Filter.
When enabled, the Logging Security Filter’s default configuration uses the following properties.
Note:
The Logging Security Filter intercepts the two-way HTTP traffic routed to the Application Paths on
which it is enabled. It takes this information, breaks it down into the HTTP elements, and then
formats it according to the specification in the tunnel.
When files reach maximum size, they are backed-up to a file of the same name with the file
extension “bak”.
The header information begins with ##Tunnel_IP##Date## appended to the appropriate file. The
Body information begins with
Original request: GET /images/ logo.gif?egap=internal HTTP/1.1
##10.0.0.01##3-30-2003##
GET /demo/whatis.asp?id=17 HTTP/1.1
Accept: */*
Referer: http://10.0.0.19:81/demo/faq.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: 10.0.0.19:81
Connection: Keep-Alive
Cookie: counteKIKI=4
Accept-Encoding: identity
##10.0.0.01##3-30-2003##
GET /demo/whatis.asp?id=16 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/
msword, application/vnd.ms-powerpoint, application/vnd.ms-excel, */*
Referer: http://10.0.0.01:80/demo/faq.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: 10.0.0.01:80
Connection: Keep-Alive
Cookie: counteKIKI=4
Accept-Encoding: identity
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Mon, 31 Mar 2003 08:43:12 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Tue, 25 Jun 2002 10:00:15 GMT
ETag: "6012be1a2f1cc21:970"
Content-Length: 257
<html>
<head>
<title>Demo Query Analyzer</title>
</head>
<frameset rows="35%,65%" border=0>
<frame src="QueyField.asp" scrolling="no" name="up">
<frame src="query.asp?query=SELECT%20*%20FROM%20categories" name="down">
</frameset>
</html>
Field Description
Log File Name The full or relative path to the AppWall folder where the log files are stored.
Log File The maximum log file size. Once a file reaches maximum size, it is written to a
Maximum Size backup file of the same name (overwrites existing) with an added extension of
(KB) “bak” and a new blank log file is created.
Logging request bodies will potentially equal two files, each of the size specified.
“.log”
“.log.bak”
Log Request/ Select to log request/reply headers
Reply Header
Log Request/ Select to log request/reply bodies
Reply Body
Any response message containing numbers not conforming to the Security Filter configuration will
be blocked and an event will be generated.
Default Status
The SafeReply Security Filter is enabled by default with credit cards and Social Security number
screening.
For the purpose of intensive, global data leakage prevention policy enforcement, which also inspects
the content of downloaded files from the secured application, you can configure AppWall to forward
the downloaded content to the DLP server, which supports ICAP protocol, for data leakage
inspection. If policy violation is detected and the file can be modified (for example, MS Excel files),
the ICAP server will modify the file. In cases where the file cannot be modified (for example, pdf
files) the ICAP server will reply with a status code notifying AppWall not to forward the file to the
client and AppWall will redirect the client to a security page.
The system was tested with Symantec for virus inspection in replies, and with WebSense for DLP
policy enforcement.
To enable ICAP-based DLP inspection, configure the Security Policy > Filters > SafeReply >
ICAP server settings.
Additionally, you must verify that the SafeReply security filter is enabled in the relevant application
path.
In the scenario of user authentication, AppWall will also redirect, to the ICAP server, the user and
the role information, as retrieved from the Radius/LDAP authentication servers.
The preview field must be enabled. Make sure that the Safe Reply filter is enabled in the security
policy for the relevant application path.
9. In the Custom Pattern List area, click the (Add) button to add a custom pattern, or select
an existing pattern and click the (Edit) button to modify it. You may also delete a pattern or
use the check box in the Enabled and Expression columns to enable/disable it.
10. In the dialog box that displays, specify the pattern using the table below and click OK.
11. Click Submit and Save.
12. On the AppWall Management Application toolbar, click Apply.
Field Description
Pattern Enter the pattern for which to screen.
Use Regular Select if the pattern is a regular expression. Then use Check to validate the
Expression expression.
2. Click the (Add) button to add a new refinement, or select an existing refinement and click
Field Description
Reported on Web Application containing the host.
Tunnel Tunnel containing the host.
Host Host containing the Application Paths where the Security Filter should be used.
Application Path Application Path where the Security Filter should be used.
Check All Pages When selected, patterns in the Pattern List are exempted on all pages under the
Under the Application Path. This disables the Page and Pathname fields.
Defined
Application Path
Page Allowed relative path/page below the host. Allows entry of extensions using the
asterisk character followed by the period and extension, for example: *.xxx
The entry must end with either an extension or a forward slash.
Pathname Specify the relative URL to the page.
Pattern List Pattern to which the refinement applies the exemption.
Pattern Type Select the pattern type from the drop-down list. When Custom Pattern or Regular
Expression is selected, a dialog box requires you to select the specific pattern
and associated prefix or suffix.
Pattern Select the custom or regular expression pattern from the drop-down field. This
field is enabled when Custom Pattern or Regular Expression is selected in the
Pattern Type field.
Default Status
By default, the WebServices Security Filter is disabled. Before enabling the Security Filter, you must
define the WebService operations you want to consider valid. No events are generated if the Security
Filter is enabled without a configuration. Note that the Full Auto Policy Generation mode is not
available for this Security Filter.
Note:
• Operation Name—Validates XML and ensures that requests use allowed operations.
• Operation name & Structure—Validates the XML and Operation name, and that the
WebServices message complies with all WSDL requirements, such as enforcing parameter order
and operation sequence.
In addition, the WebServices Security Filter provides the following features that can be enabled or
disabled.
• Include WebServices Parameters in Subsequent Parameter-Related Filter Checks
It is very important to register the parameters and values for validations performed by
subsequent parameter related Security Filters, such as the Parameters Security Filter, for value
validation, and the Database Security Filter for database injection validation.
• Block HTTP requests that are using the GET or POST methods to access these
operations
When selected, allows only SOAP requests. Does not allow non-SOAP Requests that use GET and
POST methods. Non-SOAP requests are sometimes used either to debug or to hack the server.
• Check SOAP action
Validates that requests use the required SOAP action header according to the WSDL file.
The following table describes the features and settings in the WebServices Wizard.
Setting Description
Type WSDL file Full or relative path or browser for to the WSDL file.
location
WSDL file name The relevant file from the imported WSDL files.
Service name The service name from the available services in the WSDL file.
Port Name The name of the available ports in the WSDL file.
Service location The full URL listed in the WSDL file that remote users use to connect to the
selected service.
Denied Operations in the Accepted Operations list evaluate as invalid. These can be
Operation selected and moved to the Allowed Operation list.
Allowed Operations in the Accepted Operations list evaluate as valid. These can be
Operation selected and moved to the Denied Operation list.
Page Allowed relative path/page below the host. Allows entry of extensions using the
asterisk character followed by the period and extension, for example: *.xxx
The entry must begin with a forward slash (“/”) and end with either an extension
or a forward slash.
Web Application Web Application containing the host.
Tunnel Tunnel containing the host.
Host Host containing the Application Paths where the Security Filter should be used.
Application Path Application Path where the Security Filter should be used.
Validation Type Select the level of validation to apply:
• XML Only—Validates that the XML is well-formed. Performs no other
validation.
• Operation Name—Validates XML and that the request uses allowed
operations.
• Operation Name & Structure—Validates the XML and operation name, and
that the message complies with all WSDL requirements.
If you enable the WebServices Security Filter’s Forward the Parameters to other Filters property, it
must be sequenced before the other parameter-related Security Filters.
Notes
• This Security Filter only parses requests where the Content-Type header is set to one of the
following: Content-Type=text/xml Content-Type=text/*
• If the Security Filter’s Block Requests with Invalid XML Body is selected, requests containing an
invalid XML body will result in the generation of an event.
Default Status
The XMLSecurity Security Filter is disabled by default. Before enabling this Security Filter, you should
configure it with page names and set it to pass parameters to the sub-sequent Security Filters. No
events are generated unless this is done. Note that the Full Auto Policy Generation mode is not
available for this Security Filter.
Note:
Parameter names are created using the full hierarchy of nested tags and attributes containing each
value. The created parameters are passed for validation by subsequent parameter-related Security
Filters defined in the Application Path.
In this example, assume that the XMLSecurity Security Filter is configured for /imagine/ Secure/
InMessages.asp and that the Security Filter is enabled on the /imagine/ Application Path for the
post-acceptor page (Action URL).
Assume also that the following HTTP request message is received with an XML body:
POST /imagine/Secure/InMessages.asp HTTP/1.1
Content-Type should specify text/xml
POST /imagine/Secure/InMessages.asp HTTP/1.1
Accept: */*
Accept-Language: en
Referer: http://www.Radware.com/imagine/Secure/InMessages.asp
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows)
POST /imagine/Secure/InMessages.asp HTTP/1.1
Accept: */*
Accept-Language: en
Referer: http://www.Radware.com
<?xml .. ?>
<catalog>
<book>
<title>War and Peace</title>
<price currency="USD">20</price> <author>Tolstoy</author>
</book>
<book>
<title>Lord of the Rings</title>
<price currency="USD">23</price>
<author>J. R. R. Tolkien</author>
</book>
</catalog>
catalog.book.title = 'War and Peace'catalog.book.price = '20'
catalog.book.price.currency = 'USD'catalog.book.author = 'Tolstoy'
catalog.book = ''
catalog.book.title = 'Lord of the Rings'catalog.book.price = '23'
catalog.book.price.currency = 'USD'catalog.book.author = 'J. R. R.
Tolkien' catalog.book = ''
catalog = ''
The following table shows the parameter names and corresponding values generated when the
Security Filter’s Parse Attributes as Parameters is enabled.
Name Value
xml//catalog/book/title “War and Peace”
xml//catalog/book/price 20
xml//catalog/book/price/ USD
currency
xml//catalog/book/author “Tolstoy”
xml//catalog/book/title “Lord of the Rings”
xml//catalog/book/price 23
xml//catalog/book/price/ USD
currency
xml//catalog/book/author “J.R.R.Tolkien”
Notes
• The naming of values parsed from the XML tags is performed using the tag structure and a
prefix “xml/”.
• For Attributes: xml/+/ElementTag+//TagAttribute For Elements: xml/+/
ElementTag1+/ElementTag2+/ElementTagn where ElementTag1-n are nested XML tags
such as <catalog><book>0</book></catalog> or <catalog><book /></catalog> , the
TagAttribute is an attribute of an XML tag such as “currency=USD” in <price currency="USD">
Field Description
Parse Attributes Enables the creation of parameters from the attributes of an XML tag. The
as Parameters parameters created will contain the attribute value.
Block Requests Determines if the XML is well-formed. Requests that fail parsing are not
with Invalid XML evaluated by subsequent parameter-related Security Filters and are blocked by
Body the AppWall Gateway.
Pass Requests Determines if the XML is well-formed. Requests that fail parsing are evaluated by
with Invalid XML subsequent parameter-related Security Filters.
Body
Web Application Web Application containing the host.
Tunnel Tunnel containing the host.
Host Host containing the Application Paths where the Security Filter should be used.
Role Select the role for the role-based security policy.
Application Path Application Path where the Security Filter should be used. This Application Path is
expected in the HTTP POST request.
Page Allowed relative path/page below the host. Allows entry of extensions using the
asterisk character followed by the period and extension, for example: *.xxx
The entry must begin with a forward slash (“/”) and end with either an extension
or a forward slash.
Field Description
Recurse to Sub- Indicates that the page definition applies to all directories under the Application
Directories Path, provided the request URL does not better match another existing
Application Path.
Included for These are page definitions that will be included in the parsing and XML
XML Security normalization checking, provided there are no “Excluded from Defined Pages”
working against the definition.
Excluded from By default, all pages are excluded. These definitions are only intended to work
Defined Pages contra to page ranges defined in the definitions marked “Included for XML
Security”.
Note: If there are no “Included for XML Security” definitions that include this
definition, it should be deleted.
In order for the XML Security Filter to process a request into parameters, the following criteria must
be met:
• The request must not match a definition specified in the Security Filter’s Excluded from Defined
Pages property.
• The request must fall under one of the definitions specified in the Security Filter’s Included for
XML Security property.
• The request must be a HTTP POST containing XML body.
• The XML must be well-formed. If the XML fails parsing, no event is generated regard-less of
whether Block Requests with Invalid XML Body or Pass Requests with Invalid XML Body is
enabled.
4. Click the (Add) button, or select an existing entry and click the (Edit) button to modify
it.
5. On the Configure Page Settings dialog box, select from the drop-down lists: Web Application >
Tunnel > Host > Application Path.
6. In the Page box, enter a valid page or file extension (*.asp).
7. If you want the definition to apply to sub-directories, click Recurse to Sub-Directories.
8. Select either Included for XML Security or Excluded from Defined Pages and click OK.
9. Click Submit and Save and Apply for your settings to take effect.
Use this Security Filter to detect harmful inputs to an application (cgi, script) such as parameter
values and types, ranges, lengths, parameter orders, and omissions. It can screen for manipulations
to the business logic, such as changes in prices, account numbers, or mailing address.
The Parameters Security Filter should be used in conjunction with the Vulnerabilities Security Filter.
When using the Parameters Security Filter to evaluate Web Services, XML, or HTTP path parameters,
the Session, WebServices, and XMLSecurity Security Filters must be enabled and sequenced prior to
the Parameters Security Filters.
Enable the Auto Refinements option (as described in Auto Policy Generation, page 166) to enable
refinements to be automatically added to the Parameters Security Filter. Refer to Parameters Auto
Policy Generation Refinements, page 172 for information on how to add or remove (lock)
refinements to/from the filter.
The Parameters Security Filter supports RegEx for specifying parameter values and names. This
allows the Security Filter to evaluate ranges, alpha-only, and subsets for parameter values.
You can specify parameter names, types, and value ranges that the Parameters Security Filter will
use to evaluate parameters sent in requests. The following parameter types can be defined for
validating parameters.
Type Description
Long A value range where Max/Min values +/-2,147,483,648
Float Double precision float 15 decimal-digits for mantissa and range of:
+/-308 for exponent
Number range is +/-1.7976931348623157E 308
Smallest positive number is: 2.2250738585072014 E -308
Numeric Numeric range value (digits 0-9)
Alpha Alpha length. Values limited to characters a-z and A-Z.
AlphaNum Alpha-numeric length. Values limited to: a-z and A-Z.
Expression Valid regular expressions with limits dictated by the regular expression
which can be either value length or range.
Type Description
String String length. Characters that may pass depend on the tunnel properties
(by default, only chars that pass text-normalization (codepage and UTF8
normalization).
To prevent buffer overflows without preventing sizable inputs in
parameters, enter the maximum size in kilobytes. For example, if a buffer
overflow error occurs at 10MB (10240 KB), specify a maximum that is
slightly less than this value (10235).
Null Parameter Only empty values permitted (no greater than zero length).
This setting should not be confused with the Allow a Null Value setting
that is supported with other parameter types and allows Null as an
alternate value.
Operating Modes
The Parameters Security Filter provides two validation methods. The validation method you select
determines the Security Filter’s event generation behavior.
Targeted Validation: Checks only the parameters listed and generates an event when a parameter
does not conform to requirements. Allows all other parameters to pass without being checked.
Restricted Parameters with Validation: Allows and checks the parameters listed and generates
an event if it does not conform to requirements. Blocks requests with parameters not on the list.
The method you choose depends on other parameter-related Security Filters in use, the application’s
use of parameters, and the level of parameter monitoring that is required to detect vulnerabilities to
parameter-related threats.
Default Status
By default, the Parameters Security Filter is disabled, no parameters are specified, and the Security
Filter’s internal list of parameter rules is empty. Configure one or more parameters before enabling
the Security Filter. If it is enabled without doing so, events are generated by any request using
parameters.
Note:
For this example, assume an on-line bookstore allows orders of 1 to 5 books in an order. The
Parameter Security Filter is set to evaluate the Books_quantity parameter and generate an event if
the value is not between 1 and 5. The following request results in the generation of an event and
blocking of the request:
GET / myorder.asp?Books_quantity=25 HTTP/1.1
Security Filter Attach Bypass Always Check All Test parameters Bypass Flag
Sequence Parameter Flag Parameters and already validated Status
After Validation Ignore Validation
Bypass
Parameters ON OFF NO Added
GlobalParameters OFF OFF NO Received with flag
Security Filter Attach Bypass Always Check All Test parameters Bypass Flag
Parameter Flag Parameters and already validated Status
After Validation Ignore Validation
Bypass
Parameters ON OFF NO Added
GlobalParameters ON ON YES Received with flag
Note: The Parameters Security Filter checks all parameters that pass the GlobalParameters Security
Filter checks. It does not accept the bypass credentials.
Field Description
Force additional When selected, any parameter that evaluates as valid will not be evaluated by
security subsequent Security Filters unless the parameter specifically overrides the
validation by Bypass Flag.
Parameters When not selected, parameters will be evaluated, if required, by subsequent
Filter Security Filters.
Operating Mode Select one of the following:
Targeted Validation—Only specified parameters are evaluated. An event is
generated if the evaluated parameter is invalid.
Restricted Parameters With Validation—Only specified parameters are
evaluated. An event is generated when:
• An evaluated parameter is invalid.
• A request contains any parameter that is not defined.
4. Click the (Add) button to add a new parameter, or select an existing entry and click
6. In the Parameters List area, click the (Add) button to add a new parameter definition for
the page, or select an existing definition and click the (Edit) button to modify it.
7. To include the order of parameters in the evaluation, select parameters as required and use the
arrow buttons to arrange the required order. Then select the Enforce Parameter Order checkbox.
8. To prevent the page and all its parameters from being modified by Auto Policy Generation, click
the Lock checkbox. A padlock icon is inserted next to the parameters.
9. Click OK.
10. On the AppWall Management Application Console toolbar, click Apply .
Field Description
Web Application Web Application containing the host.
Tunnel Tunnel containing the host.
Host Host containing the Application Paths where the Security Filter should be used.
Application Path Application Path where the Security Filter should be used.
Apply to Other When selected, the Security Filter evaluates requests made to all pages in the
Pages Application Path that are not defined by another Page parameter. When not
selected, the Security Filter will be used only for requests made to the specified
page.
Page Allowed relative path/page below the host. Allows entry of extensions using the
asterisk character followed by the period and extension, for example: *.xxx The
entry must begin with a forward slash (“/”) and end with either an extension or a
forward slash.
Pathname Auto-generated field.
Parameters List See Setting Path and Cookie Parameters.
Enforce When selected, an event is generated if the order of parameters in the request
Parameter Order does not match the order of parameters in the Parameter List.
Lock Select to prevent Auto Policy Generation from modifying the selected
parameters.
4. To add a parameter, click the (Add) button, or select an existing parameter and click
6. In the Parameters List area, click the (Add) button, or select an existing parameter
Field Description
Name Enter the parameter name or use the browse button to select from a list of
regular expressions.
Use Regular Select this check box if the parameter uses regular expressions.
Expression To test the validity of a regular expression, click Check and supply the required
information.
Field Description
Enable Value When selected, the Security Filter evaluates both the parameter name and value.
Validation When not selected, it evaluates only the parameter name. Clearing this check
box grays out the remaining fields.
Value Type Select the parameter value type from the drop-down list.
Minimum Length For Long, Numeric, and Float types, enter the lower bound of the value range.
For String, Alpha, and AlphaNum types, enter the minimum string length.
Maximum For Long, Numeric, and Float types, enter the upper bound of the value range.
Length For String, Alpha, and AlphaNum types, enter the maximum string length.
Value (Appears when value type selected is Expression.) Specify the expression value.
Expression
Allow a Null Select to allow the value to be null.
Value
Always Check When selected, the parameter is evaluated even if assigned a Bypass Flag.
Required in the When selected, an event is generated if the parameter is not included in a
Request request.
Message
Default Status
By default, the PathBlocking Security Filter is disabled and no paths are specified. When enabled,
the Security Filter configuration must specify path information before generating any events.
Note:
Consider the PathBlocking Security Filter is enabled and configured with the following list of paths.
/mysite/orders/
/mysite/clients/special/Admin.htm
When a request accesses any file under the orders directory, the request generates an event
because the directory has been defined as blocked.
When a request accesses Admin.htm under the special directory, the request generates an event.
However, no event is generated by requests accessing any other file or folder under the /clients/
directory.
4. Click the (Add) button to add a path, or select an existing entry and click the (Edit)
button to modify it
5. Complete the fields using the table below.
Note: When specifying blocked paths for applications that use path parameters. Do not include
the path parameters in the specifications and verify that Analyze Path Parameters is enabled in
the tunnel configuration.
Field Description
Web Application Web Application containing the host.
Tunnel Tunnel containing the host.
Host Host containing the Application Paths where the Security Filter should be used.
Application Path Application Path where the Security Filter should be used.
Path Specify a path. Requests made to this path will generate events. To restrict
Security Filter evaluation to a specific file, append the file name to the path.
Example: /mypath/mypage.htm
Pathname Auto-generated field.
Note: To counter a vulnerability, the Automatic Configuration module has Application Paths where
the PathBlocking Security Filter is enabled. Thus the Auto Policy Generation module prevents
“Predictable Resource Location” Attacks on the protected application.
There are four basic conceptual methods for sending the Session State to the client:
• In a cookie
• Form parameters
• In path parameters
• In query parameters.
When using one of methods above for session management, the end-users are trusted to return the
Session State information, unchanged, to the Web Application in future requests. Therefore, it is
extremely important to make sure that such Session State information is not returned to the Web
Application if it has been manipulated, or hijacked by a malicious user.
Caution: By default, cookies are protected by the Session Security Filter; however, URLs and
Parameters are not and must be configured.
Note: As of Alteon version 31.0.1 a separate feature license is required for Parameter Manipulation
Protections in Forms and URLs.
The Session Security Filter prevents remote users from submitting modified parameter values stored
in HTML Forms by the application.
Imagine a malicious user views the source of an order form and starts changing hidden and read-
only values such as price and quantity. If successful, the malicious user receives a shipment of 100
books for the price of one.
The Session Security Filter provides a way to detect when this type of manipulation occurs. It safely
encrypts the original values so that simple editing of parameter values (hidden, read-only and
multiselect values) is detected before the request (form post) reaches its destination.
Encryption of the values that are received from the original reply is checked against the values
submitted in the action request. A request made by the user from the original page (form) is
protected from modification of the hidden and read-only parameter values as well as multiselect
elements (for example, drop-down lists, radio buttons). If the protected parameters have changed
the Session Security Filter will deny the Action-request and a security page will be returned instead.
Parameter Description
Deny Requests This setting blocks the HTTP Request and sends a security page if the cookie is
with Untrusted deemed invalid. When disabled and the cookie is deemed invalid, the Security
Cookies Filter removes the Cookie Header and passes the HTTP request.
Verify Cookie When enabled, the cookie is checked to assure that it is being used by the client
Ownership IP that it was issued to. If it is not, the cookie will be considered invalid.
(Client IP
Binding)
Default Mode: Selecting this mode automatically encrypts all cookies in undefined/disabled
Allow Cookies Application Paths.
Auto Protection
– All Cookies are
Encrypted
Parameter Description
Do not parse When the flag is set, the filter will encrypt protected links even if they appear in
HTTP Replies Application paths that do not have the session filter activated. For example, in
across Application path \Sale\ , all parameters to sale.aspx are requested to be
Application protected. Links to: /Sale/sale.aspx will be protected even if they exist in any
Paths other folder. When enabling this option, there will be performance impact as ALL
text/html responses need to be parsed.
Cookies Secured Values: Sign or Encrypt
Mode Sign: AppWall adds a signature of the original cookie value as sent by the web
server. Cookie value is not hidden, but the value cannot be modified on the client
end. When it is required to secure the cookie and the client side applications
process the cookie value as part of their legitimate functionality, “Sign” mode is
the only option.
Encrypt: AppWall encrypts the original cookie value as sent by the web server.
Cookie value is hidden, and the value cannot be modified on the client end.
If the client side applications does not read the cookie value as part of their
legitimate functionality, you can use this stronger protection mode.
Prefix The prefix of the parameters can be edited to avoid exposure of AppWall devices
in case of an external security page defined using FQDN.
Parameters Values: Sign or Encrypt
Secured Mode Sign: AppWall adds a signature of the original parameter value as sent by the
web server. Parameter value is not hidden, but the value cannot be modified on
the client end. When it is required to secure the parameter and the client side
applications process the parameter value as part of their legitimate functionality,
“Sign” mode is the only option.
Encrypt: AppWall encrypts the original parameter value as sent by the web
server. Parameter value is hidden, and the value cannot be modified on the client
end.
If the client side applications does not read the parameter value as part of their
legitimate functionality, you can use this stronger protection mode.
4. Click the (Add) button to add a new refinement, or select an existing entry and click
Cookies Tab
The list of Cookie refinements provides the user with the ability to add, edit, and delete Cookie
refinements at the Application Path level and at a Global level.
In the event of a refinement added by a user that contradicts an existing refinement a message will
be displayed providing the following information:
• When adding a Host refinement—The Validation and Encryption mode of the host is different
to that of at least one Application Path refinement. This will cause the host configuration to be
overridden by the Application Path configuration.
• When adding an Application Path refinement—The Validation and Encryption mode of the
Application Path is different to that of the host refinement. This will cause the host configuration
to be overridden by the Application Path configuration.
Furthermore, when the dialog above displays the Application Level refinement, any global cookies
defined for the host display (disabled). Host cookie definition will only be added to the Application
Path if the Validation and Encryption mode are the same.
Field Description
Activate Cookies Select the checkbox to activate Cookies Configuration according to the settings
Configuration below.
Work in Default Select this box to operate in the default mode (all Cookies are automatically
Mode encrypted).
Field Description
Application Path The Refinements apply to the cookies in the requests handled by the Application
Path specified.
Host The refinements apply to cookies for requests on any of the Application Paths
under the specified host that have the Session Security Filter enabled.
Field Description
All Listed By enabling the Session Security Filter in All Listed Cookies operational mode,
Cookies you secure only the cookies named in the Cookies list for the Application Path, or
all Application Paths at the host level.
All Except for By enabling the Session Security Filter in All Except for Listed Cookies
Listed Cookies operational mode, you secure all cookies that have not been named in the
Cookies list for the Application Path, or all Application Paths at the host level.
Reported on Web Application containing the host.
Tunnel Tunnel containing the host.
Field Description
Host Host containing the Application Paths where the Security Filter should be applied.
Role Select the role for the role-based security policy.
Application Path Application Path where the Security Filter should be applied.
Expression Icon indicates whether the Cookie Name is a regular expression. To test the
validity of a regular expression, click Check and supply the required information.
Name Displays the name of the Cookie.
Mode Displays the mode defined.
URLs Tab
The list of URL refinements provides the user with the ability to add, edit, and delete URL
refinements at the Application Path and Global level.
Field Description
Activate URLs Select this option to activate the URLs configuration according to the settings
Configuration below. Upon activation URLs in the list (or all but those in the list) will be
protected.
Work in Default Select this box to operate in the default mode (all URLs are unprotected).
Mode
Field Description
All Listed URLs By enabling the Session Security Filter in All Listed URLs operational mode, you
apply protection only to the URLs named in the list of URLs for the Application
Path, or all Application Paths at the host level.
All Except for By enabling the Session Security Filter in All Except for Listed URLs operational
Listed URLs mode, you apply protection to all URLs that have not been named in the URLs list
for the Application Path, or all Application Paths at the host level.
Web Application Web Application containing the host.
Tunnel Tunnel containing the host.
Host Host containing the Application Paths where the Security Filter should be applied.
Role Select the role for the role-based security policy.
Application Path Application Path where the Security Filter should be applied.
Expression Icon indicates whether the URL Name is a regular expression. To test the validity
of a regular expression, click Check and supply the required information.
Name Displays the name of the URL.
Parameters Tab
The list of Parameter refinements provides the user with the ability to add, edit, and delete
Parameter refinements at the Application Path level and at a Global level.
Field Description
Activate Select this option to activate the Parameters configuration according to the
Parameters settings below. Upon activation Parameters in the list (or all but those in the list)
Configuration will be protected.
Work in Default Select this option to operate in the default mode (all Parameters are protected).
Mode
Field Description
All Listed By enabling the Session Security Filter in All Listed Parameters operational mode,
Parameters you apply protection only to the Parameters named in the list of Parameters for
the Application Path, or all Application Paths at the Global level.
All Except for By enabling the Session Security Filter in Protect All Except for Listed Parameters
Listed operational mode, you apply protection to all Parameters that have not been
Parameters named in the Parameters list for the Application Path, or all Application Paths at
the Global level.
Web Application Web Application containing the host.
Tunnel Tunnel containing the host.
Host Host containing the Application Paths where the Security Filter should be applied.
Role Select the role for the role-based security policy.
Application Path Application Path where the Security Filter should be applied.
Expression Icon indicates whether the URL Name is a regular expression. To test the validity
of a regular expression, click Check and supply the required information.
Name Displays the name of the Parameter.
4. Click the (Add) button to add an Application Path refinement, or select an existing entry
and click the (Edit) button to add additional refinements to the Application Path.
5. Complete the fields and click OK.
6. Click Submit and Save and, on the AppWall Management Application Console toolbar, click
Apply .
Once sensitive cookies are identified, AppWall will remove the cookies which are modified on the
client side from the list, as these cookies cannot be secured for modification. The modified cookies
will be switched to disabled mode. The non-modified cookies will then be switched from passive to
active mode and will be actively secured.
Default Status
The Vulnerabilities Security Filter is enabled by default.
An HTTP Request is processed through a special algorithm that finds patterns and parameter
expressions in a Request. If an HTTP Request matches the listed parameter and parameter
definitions for that pattern, an event is generated. An event is not generated if the request matches
the pattern but not the parameter definitions.
• To screen requests for documents using temp files, such as a “~WRL0551.tmp” file, create a
custom pattern “~WRL” for the URL detection. Any URL request for a file-name containing this
pattern will generate an event.
• To screen for requests that post an executable prettypark.com file, use “prettypark” as a custom
pattern for Body detection. Any request containing that pattern will generate an event,
including, for example, prettypark.exe or prettypark.bat.
• To screen for a request to view the source code of a page using a Header “Translate: f”, no
pattern is necessary, because this pattern is already defined in the default patterns. The request
will generate an event.
• To screen for a request, such as GET /Accounts.asp?user=Temp&password=Temp&mode=2
HTTP/1.1,create a custom pattern “.asp” and “mode=2&User=Temp&password=Temp”. This
parameter combination with any ASP page request generates an event.
Note: All criteria must be met for the request to generate an event. Parameter order is not
important; patterns/values are not case sensitive.
4. Click the (Add) button to add a new pattern, or select an existing entry and click
Field Description
Scanning Zones The area of an HTTP request message to search. These areas are searched for
the specified pattern if the associated Scanning Zone is enabled in the Security
Filter’s Scanning Zone settings. If a zone is disabled, no patterns are searched
for in that scanning zone.
Active Patterns To add a pattern, right-click in the field and click Add, or select an existing
pattern and click Edit or Delete. Clicking Add or Edit opens a dialog box.
Expected Select the expected location of the pattern.
Location
Pattern Select or enter a pattern to look for or enter a new one.
Parameters Note: All requests are converted to UTF8 before reaching the Security Filters,
therefore the pattern should be the UTF8 equivalent represented in the
simplest ASCII characters. Specify the parameter/value for which to look.
Patterns can be defined by the combination of both Pattern and Parameters. If
parameters are defined, the pattern generates an event when those
parameters appear in the request and match the defined values.
Examples: Parameter Value only: %20& Multiple Parameter Value only: %20&
Parameter assignment syntax: a=1 Parameter Name: UserID
Description A description of the pattern.
Custom Patterns
Use this procedure to configure custom patterns for the vulnerabilities security filter.
3. Click the (Add) button to add a new pattern, or select an existing entry and click
6. In the Custom Patterns - Active patterns Panel click the (Add) button. An Add a Custom
Pattern dialog box opens.
7. Mark the expected location checkboxes as required.
8. Enter a pattern from the drop-down list that includes the following:
.bkup, .old, .bac, .backup, .~01, .~00, .000, /../, .orig, .temp
Note: The Patterns are not case sensitive and should be represented in the simplest ASCII
characters. For example, a specification of a custom pattern “image” would generate an
excessive number of events, as follows.
Description Example
Any request to or /Images/spot.gif (in the HTTP Body code and in the URIs)
containing a URL with
the pattern “image”
Any request with file “help_image.jpg” (in the HTTP Body code)
containing the word
“image”
Any file containing text “Refer to the following image…”(in the HTTP Body text)
with the pattern “image”
Any request with a Host: NewImage (in the HTTP Header)
header containing the
pattern “image”
Any request with a function ShowImage (in the HTTP Body code)
function containing the
pattern “image”
Any request with a <META NAME="keywords" CONTENT="Images, Photos, (in the HTTP
partial word containing Body code)
the pattern “image”
Notes
• By disabling patterns, you exclude the specific validation associated with the pattern for an
Application Path or for all Application Paths, Hosts, Tunnels, and Web Applications of the server
that have the Vulnerabilities Security Filter enabled.
• You can find the pattern ID number by viewing the description of the Security Log event
generated by the Security Filter.
• For security reasons, Vulnerabilities security codes are not listed in the documentation.
Therefore, it is recommended that you keep a description of the pattern for future reference.
• You can use the right-click > Copy commands in the Description text area of the Event Log
Properties dialog box to copy and paste this into a text document, which you can save for future
reference.
• When patterns are disabled, you lower the monitoring level of Application-layer attacks. Exercise
great care when disabling Pattern IDs.
Refinement List
This procedure allows you to refine vulnerability patterns with or without illegal parameter
expressions.
3. To add an ID, click the (Add) button. The Add an ID dialog box appears.
4. Mark the checkbox if you want this to apply to all application paths.
5. If you wish to specify an ID that you are adding, do not mark the checkbox. The Add an ID
dialog box appears.
6. Once you have finished, click Add to add this ID.
7. On the AppWall Management Application toolbar, click Apply .
Web Application
A Web Application is a logical container object that contains and links Tunnels, Hosts, and Application
Paths. This section describes how to work with Web Applications in AppWall Management
Application.
Logical Model
AppWall Management Application uses a logical model of the application environment to apply finely-
tuned security policies.
Object Description
Web Application A logical container object that contains and links Tunnels, Hosts, and
Application Paths.
Tunnel Specifies the Web server IP/port and contains one or more host
assignments, including <Any Host>.
Host Serves as a container for one or more Application Paths. When using
virtual hosting, create a host object for each virtual host on the Web
server. When not using virtual hosting, use the <Any Host> object.
Application Path Specifies path parameters and contains one or more Security Filters.
This object model allows for great flexibility when tailoring security policies to the particular needs of
the application environment. As the example below shows, the Web Application object can be
configured to include Application Paths from various tunnels.
Other sections of this User Guide provide instructions for defining your Web Application environment
settings in AppWall Management Application, managing the security policies used during monitoring
and protection, and maintaining other components and services needed to run the monitoring and
protection processes.
Logical Objects
A Web Application is a logical object, as shown in the previous section, used to link Tunnels, Hosts,
and Application Paths. Each Application Path can have its own set of Security Filters. The object
hierarchy is described below.
Object Description
Tunnel Specifies the Web server IP/port and contains one or more host
assignments, including <Any Host>.
Host Serves as a container for one or more Application Paths. When using
virtual hosting, create a host object for each virtual host on the Web
server. When not using virtual hosting, use the <Any Host> object.
Application Path Specifies path parameters and contains one or more Security Filters.
Note: Disabling a Web Application does not necessarily suspend monitoring and protection of its
Application Paths.
Parameter Description
Available Hosts Select an existing host from the drop-down list or click Add a New Host to
create one.
Security Page The relative path to the security page, which is the page returned to a client
for an invalid (blocked) request.
Application Path List Click Add to configure the Application Path
Application Path Specify the Application Path.
Force to Successive Check to pass requests through all enabled Security Filters so that each
Security Filter request is checked by the next Security Filter whether or not the preceding
Validations Security Filter resulted in the generation of an event
Use Regular Enable this setting if the entry in the Application Path field is a regular
Expression expression.
Notes
• To add a host to a specific tunnel, the host must be created using the Configuration view.
• If you use virtual hosts, you are not required to use <Any Host>.
Hosts
Each host added to the tunnel (in Configuration view, select Tunnel > Host Name) can have its
own properties and security policy. If no hosts are configured under the tunnel, you can use “Any
Host.”
The settings configured from the hosts include:
• Security Page (configured per host)
• SSO and Login Monitoring (set under the host)
• Adding Web roles and setting their properties
Note: Authentication Gateway and SSO settings are visible and functional only when an
Authentication Capacity license is available on the device.
Note: Redirection to the login page is enforced when a “public” (non-authenticated) user attempts
to access a resource prohibited for public users. The AllowList and Path Blocking security filters
enforce Web access policy for the public role. On the other hand, if the user who is attempting to
access the resource has already performed a successful login but is not allowed to access the page
according to his role policy, he is redirected to the security page.
If you enable User Tracking and Authentication under the host, when a user logs into the secured
application, the user session is tracked using an HTTP session cookie. As a result, any security event
generated for any of the user transactions on any of the TCP connections established from the user’s
browser to the application includes the username.
1. From the Internal SSO tab, click to add a new internal SSO server.
2. Select the tunnel and the host that AppWall will use for the SSO Server.
3. Select if a two-factor authentication scheme is to be used.
4. Select the authentication server to validate the credentials.
Selecting None results in credential caching only, without validation.
5. In the Login/logout section, click Uploaded Directories to manage the relevant login pages.
Notes
• The SSO server is a virtual host that AppWall is listening on in a specific tunnel. This host cannot
be used under the same tunnel for other purposes.
• The login page needs to contain a single HTML form with the action pointing to the same page
name, an input field Username, and an input field Password.
• The 2nd factor page needs to contain a single HTML form with the action pointing to the same
page name, and an input field Password.
• The 2nd factor page allows three attempts for entering the correct token. After each failed
attempt, AppWall returns the 2nd factor page with the Attempt Number parameter in the URL.
After the third failed attempt, AppWall redirects according to the Redirect After Failed Login
setting.
• When uploading a forlder, its name must not have spaces.
• See Radware's knowledgebase for more information and a sample login directory.
Parameter Description
URI Enter the URI of the page containing the login form.
Login Form Name The name of the HTML form used for the login.
Action URI The URI to send the login request.
Username Field The name of the HTML input field used for the username.
Password Field The name of the HTML input field used for the password.
5. Complete the configuration of the Successful Login Detection section as described in the
following table:
Parameter Description
Mode Choose the detection mode:
• Bad Reply mode assumes successful authentication unless the provided
patterns are matched.
• Good Reply assumes unsuccessful authentication unless the provided
patterns are matched.
Response Body Pattern A string pattern to match in the response body.
Response Status Code An HTTP status code to match in the response.
Parameter Description
Response Header Name An HTTP header to match in the response.
Response Header value The value inside the HTTP header.
Note: AppWall uses the username provided in the domain controller settings of the SSO server
as the impersonator user with the key distribution center (KDC) for performing Kerberos
Constrained Delegation (KCD). This user must have the required permission in the domain
controller to perform KCD.
Parameter Description
Logout URI Enter a URI used to identify logout from the Web application for SSO
community logout purposes.
This field is optional.
SAML
SAML (Security Assertion Markup Language) is is an XML-based data format used for Web single
sign-on (SSO). SAML is exchanging digitally signed authentication and authorization data between
the Identity Provider (IdP) and the Service Provider (SP). In the context of the discussed solution,
the IdP is functioning as the front-end user authentication authority while the SP is the authorization
(Web access management) and back-end authentication authority.
The authentication flow using SAML with Alteon Authentication Gateway is as follows:
1. The client tries to access a Service Provider (e.g. SharePoint) via the Alteon VIP address.
2. Alteon generates a SAML authentication request (authnrequest).
3. The user is redirected to the external Identity Provider’s (IdP) SSO URL (e.g. ADFS).
4. The client receives a login page from the IdP server.
5. The user authenticates to the IdP.
6. The IdP generates a SAML authentication response (authnresponse).
7. The IdP returns an encoded SAML response (containing JS postback script) to the client browser.
8. The client browser executes the postback and sends a POST request to the SP.
9. The SP validates the SAML response and grants access to the application (SharePoint).
Login Monitoring
If you enable Login Monitoring under the host, when a user logs into the secured application, the
user session is tracked using an HTTP session cookie. As a result, any security event generated for
any of the user transactions on any of the TCP connections established from the user's browser to
the application includes the username.
Parameter Description
URI Enter the URI of the page containing the login form.
Login Form Name The name of the HTML form used for the login.
Action URI The URI to send the login request.
Username Field The name of the HTML input field used for the username.
Password Field The name of the HTML input field used for the password.
2. Complete the configuration of the Successful Login Detection section as described in the
following table:
Parameter Description
Mode Choose detection mode:
• Bad Reply mode assumes successful authentication unless the provided
patterns are matched.
• Good Reply assumes unsuccessful authentication unless the provided
patterns are matched.
Response Body Pattern A string pattern to match in the response body.
Response Status Code An HTTP status code to match in the response.
Response Header Name An HTTP header to match in the response.
Response Header value The value inside the HTTP header.
3. Optionally, in the Failed Login and Logout Handling section, set the Logout URI.
If the logout URI is requested, AppWall removes the HTTP session cookie used to track the user.
4. Optionally, in the HTTP Session Tracking section, configure the relevant cookie name for
correct user tracking in case of an unsuccessful login.
5. Optionally, in the Client Authentication Headers section, configure headers sent to the Web
application containing the username or role.
6. Optionally, in the HTTP Header Modifications section, configure headers or cookies to be
added, removed, or modified on specific URIs
7. In the AppWall Session Management pane, you can configure the cookie name AppWall will use
for monitoring the authentication sessions.
8. Select whether AppWall uses a session cookie or a persistent cookie.
If a session cookie is selected, the session is kept until the user closes the browser or until an
idle session timeout expires. If a persistent session is used, the session is kept for a predefined
time.
If User Tracking is enabled under the host, and two or more Web roles are defined for the Web
application, User Tracking is implemented through LDAP or RADIUS authentication mode rather than
just extracting the username from the field.
After you configure an LDAP or RADIUS server, you can enable the authentication option for that
host.
Field Description
Name Name of the role
Type Set the authentication type.
Values:
• LDAP
• LDAP for Digest
• RADIUS
• Authenticated (Auto-Detection)
Authentication The authentication server configured for the authentication type you selected
Server displays.
Members Add members associated with this Web role.
Note: Two roles appear, a PUBLIC role and a role name AUTHENTICATED-
Radius_Server_Name. Make sure that the Allow List filter is present in the PUBLIC role.
Note: 2 Authentication Factor: In step 6 above, in the SSO configuration page, the checkbox
Use 2 Factor Authentication must be checked and select the 2FA server.
To configure the Authentication Gateway to authenticate web users from Azure MFA with
on-premise Active Directory
1. Create a Radius Server, in Alteon, select Configuration > Security > Authentication server
> Radius.
2. Create your Secure Web application, in Alteon, select Configuration > Security > Web
Security > Secure Web Applications.
3. In the AppWall Console, configure your tunne, select Configuration > Tunnel >
Tunnel_Name. Configure at least two hostnames: One for the authentication and one for the
web server access. The two domains must be the same. For example, the authentication server
could be auth.MyCompany.com and the web server can be MySite.MyCompany.com.
4. Change the Radius server type, in Alteon, select Configuration > Management >
Authentication Servers. In the Radius tab open your Radius Server and change the server
type to Azure.
5. Create a 2 Factor Authentication server, in AppWall, select Configuration > Management >
Authentication Servers. In the 2 Factor Authentication tab create your 2 Factor Authentication
server. Provide a name of your server and configure the First and the Second Factor with the
Radius server previously created.
6. Create an SSO server, in the AppWall console, select Configuration > Management > SSO
Server > Internal SSO.
Create a new SSO Server and provide the relevant information: Tunnel, Virtual Service, Host
(choose the authentication server name. In our example it is auth.MyCompany.com). Check Use
2 Factor Authentication and select your 2FA previously created, the login/logout parameters.
A role has automaticaly been assigned to the SSO Server
7. Create and configure your web application security policy, in AppWall, select Security Policies
> Web Applications > Tunnel_Name and Add a new host in your Tunnel with the name
define above MySite.MyCompany.com.
In the Host MySite.MyCompany.com, select the tab Authentication and provide the relevant
information. For Authentication Type select Internal SSO Server, for Backend Authentication
Type select None, for Authentication Server select auth.MyCompany.com, and the others
parameters can be configured as needed.
Note: Two roles appear; a PUBLIC role and a role name AUTHENTICATED-
Radius_Server_Name. Make sure that the Allow List filter is present in the PUBLIC role.
Security Page
When configuring the security page of a host within a Web application, you can define a locally-
hosted security page. This is in addition to the option of referring to a security page hosted on the
secured Web server.
The Security page can be configured as fully qualified domain name (FQDN) and not just as relative
path to the local web application. Additionally, there is a parameter (_event_transid) providing
information regarding the violating request which is added to the security page as query parameter.
The security page can process these parameters to present some of the information to the client (for
example, transaction ID) or to present different messages depending on the type of violation.
Security Page - User Defined Status Code
The configuration file WebApp.cfg contains information for the status code and the status message
that shows for a security page.
Some users want to give a different status code and message when the AppWall returns an internal
security page.
The user can change the status code and the status message if required.
The default value for the status code is 200 and the default for the status message is OK.
Valid values:200-599
If the transactions ID is embedded into the security page and presented to the client who performed
the security violation, the customer will be able to contact the support department at the protected
application site and provide a transaction ID for the security administrator to identify the exact
security violation event.
The prefix of the parameters detailed above can be edited to avoid exposure of AppWall device in
case of external security page defined using FQDN. Editing the parameter prefix performed in the
EventLog.cfg file in the <SecurityParamPrefix>.
<SecurityParamPrefix>_appwall_event</SecurityParamPrefix>
Additionally, the listed parameters can be added using javacript to the response page. By default
this setting is disabled but can be used for demonstration purposes. Enabling the javascript
performed in Comm.cfg file in the <InternalParams> section, in the InsertEventDataIntoPage
element.
Application Path
The Application Path specifies path parameters on the Web server and one or more Security Filters
that should be applied to a Web Application.
For information on how to add an Application Path to a Web Application, see Adding Hosts, and
Application Paths, page 139 in the previous section.
Each Security Filter provides unique security protection. Use the AllowList Security Filter to specify
which paths or file types can pass without detection. Use the FilesUpload Security Filter to specify
the location where files can be uploaded.
This topic describes the standard procedures for changing Security Filters. For specific details about
each Security Filter, see Working with the Dashboard.
You can run a full automatic configuration of your Security Filters by selecting the Auto Policy
Generation—Full Auto option. This ensures that the relevant security filters are automatically set
with the required mode, according to AppWall.
For further information, see Auto Policy Generation, page 166.
You can also work with Auto Policy Generation— Auto Refinements enabled (for the relevant Filters)
to ensure that refinements are still generated automatically, whatever the mode selected. See also
Working with Auto Policy Traffic Analysis Profiles for information on working with Auto Policy
Generation, which provide a pre-defined configuration.
There is also a predefined list of allowable user-agents. These are search engines bots that AppWall
will not block from accessing the protected application for the purpose of indexing its pages.
Requests with these user-agent header values are not inspected.
Hotlink Protection
Hotlinking or Bandwidth theft is the act of one site embedding content (such as images, audio files,
and videos) hosted on another site. This uses up the ‘bandwidth’ (data transfer allowance) of the
site hosting the file, which can be very expensive for webmasters who pay for hosting by the amount
of data transferred. Usually, this type of attack is performed using a GET method on static pages or
resources (for example, images).
By default, Hotlink protection is disabled.
A list of standard landing pages are provided out-of-the-box in the FactoryDefault.cfg file. An
additional excluded URI can be added and a list of search engine bots user-agents is also listed to be
ignored from inspection.
AppWall protects you from Hotlinking by inspecting the referring header.
It can be configured for any group of hosts (using wildcards) or for a specific host.
There is a pre-defined list of legitimate referrer header values (for example, search engines), and
additional ones can be configured.
Hotlinking protection can be configured on a different request but this usually will be defined on
media files.
Configuration options for protection on the following items can be added or removed:
• Media files
• Queries
• Any other Page
To access Hotlinking
1. In the Security Policies view, select Hosts > [A Host].
2. Select the Hotlink tab. The Hotlink configuration options window appears. (Default is disabled.)
You can add/remove Trusted Hosts or Exclude URIs as appropriate.
3. Mark checkboxes as you require to protect: Media files, queries, and any other page.
Directory Listing
Directory listing is a fingerprint attack that exposes the structure and content of an application,
enabling the attacker to properly target his attacks. Prevention of fingerprint attacks is supported as
of AppWall version 5.31. Click Add to add excluded folders (suspicious GET requests with “/” at the
end of their URI). The replies for these requests are inspected to validate that there is no Directory
Listing information contained.
URL Rewrite
To obfuscate the real application structure from a potential attacker, you can configure a URL
Rewrite for the application structure by mapping the externally exposed folder structure to the
actual structure.
URL Rewrite modes include Active, Passive, and Disabled. In addition, you can set a rewrite rule
to Block mode. If the rule is set to Block mode and the rewrite mode is set to Passive, an event is
generated. If the rule is set to Block mode and the rewrite mode is Active, the request to the
destination folder is blocked, which is not expected to be accessed directly but only through rewrite
rule.
The Location and Content-Location HTTP headers are reverse rewritten to enable the proper rewrite
process.
Activity Tracking
Bot activities and attacks targeting Web applications are a complex threat for many site operators.
While simple script-based bots are not much of a challenge to detect and block, advanced bots
dramatically complicate the mitigation process using the following techniques:
• Mimicking user behavior: Several tools use a browser plug-in and are therefore able to mimic
user behavior, including running JavaScript, downloading images and other referenced content,
and following graphic links.
• Dynamic IP: Changing their source IP address allows tools to maintain a low rate of activity per
IP and thus evade IP-based detection systems.
• Anonymity: Tools are operated from behind anonymous proxies, CDNs, or carrier-grade NATs,
in order to keep the identity of attackers unknown.
Application DDoS does not necessarily target specific resources (though it may sometimes be the
case). Configuring AppWall to the Anti-DDoS mode tracks the activity of the users at the domain
level. If applied at the <Any Host> level, activity will be globally tracked (domain agnostic).
Scraping, however, is data-focused and usually targets specific Web pages where relevant
information can be extracted. In the Anti-Scraping mode, tracking is narrowed to the configured
URI(s). The Activity Tracking module counts the HTTP transaction rate to the defined application
scope (domain/page) per user per second. Once reaching the threshold, a security page is returned
instead of the requested resource.
The Activity Tracking module can be set to one of two tracking modes:
• IP-based tracking (available both in Passive and Active modes) is not intrusive.
• Device Fingerprint-based tracking (available only in Active mode) is intrusive.
While IP-based tracking offers the value of non-intrusive activity tracking and detection capabilities,
device fingerprint-based tracking offers IP-agnostic source tracking. AppWall can detect bots
operating in a dynamic IP environment and activity behind an sNAT (source NAT), such as an
enterprise network or proxy. Even if the bot dynamically changes its source IP address, its device
fingerprint does not change. AppWall tracks the device activity and correlates the source security
violations across different sessions over time.
Device Fingerprint technology involves various tools and methodologies to gather IP agnostic
information about the source. It also involves running JavaScript on the client side. Once a
JavaScript is processed, an AJAX request is generated from the client side to AppWall with the
fingerprint information. For demo purposes only, you can configure AppWall to show the Device
Fingerprint with all the gathered information. By default this page is invisible.
When Activity Tracking is set to IP-based tracking, it can be correlated with the IP blocking module.
Once a source IP reaches a configured threshold, the source IP is blocked (either Layer 3 or Layer7).
To avoid scenarios where AppWall is mistakenly detecting search engine bots (e.g. Google, Yahoo)
as malicious bots, there is a mechanisms in AppWall which is detecting legitimate search engine
bots, runs a reverse-DNS lookup process to verify their source and excluded them from the list of
sources which are being tracked.
HSTS/Clickjacking
HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps to protect
websites against protocol downgrade attacks and click hijacking. It allows web servers to declare
that web browsers (or other complying user agents) should interact with it using only secure HTTPS
connections, and never via the insecure HTTP protocol.
Clickjacking is when an attacker uses multiple transparent or opaque layers to trick a user into
clicking on a button or link on another page when they were intending to click on the top-level page,
and routing them to another page, most likely owned by another application or domain.
AppWall's HSTS feature allows adding HTTP response headers to different hosts to improve security
in places where the application is lacking the required measures.
For more information, see https://www.owasp.org/index.php/List_of_useful_HTTP_headers
Redirect Validation
Remote File Inclusion (RFI) and Local File Inclusion (LFI) are file inclusion vulnerabilities that allow
an attacker to include a file or expose sensitive internal content, usually exploiting a “dynamic file
inclusion” mechanisms implemented in the application. The vulnerability occurs due to the use of
user-supplied input without proper validation.
You can run a full automatic configuration of your Security Filters to practically eliminate any
administrator-level input. In addition, you can automatically discover the full structure of your Web
Application and to automatically assign Security Filters to the relevant directories at the click of a
button. For further information, see the relevant section.
AppWall Protection
The initial step in defining your Security Policy is to determine what exactly AppWall is going to
protect. The defining of what actually needs protecting is of utmost importance, because it enables
you to pinpoint your Security Policy’s exact requirements. For example, if you need to secure and
protect Dynamic pages (that require some user interaction), or if you are protecting types of Static
pages (including pages that hold media files), your defined Security Policy should reflect the settings
you require.
The following table provides some of the possible files/data that may need protecting. Once you
have determined what exactly needs protecting, click on the relevant link to see the possible
Security Policy settings you can apply.
Table 69: What needs Protection?M:\AppWall\AW 7.6.5 (with new webUI)\filtered AW-Alt
32.6.0\Security_Tools.fm
Requiring Protection
Dynamic pages, including:
• Database records
• Pages with parameters
• Pages with cookies
• XML pages
• Login pages
Static pages, including:
• Media files
• Pages without parameters
• HTML files
Administrator related content, which includes:
• Access and login data
• Web application reports and statistics
In addition, the environment in which you can install AppWall is also a major factor in defining your
Security Policy, at least initially. If, for example, you have a Test environment available, you can
apply some of the Security Filters in Passive mode with the Auto Refinements option enabled
where relevant. Once AppWall appears to have learned your application you can move to a
Production environment and the filters to Active mode with Auto Refinements enabled. If you only
have a Production environment in which to work, you should initially enable relevant Filters in
Passive mode with Auto Refinements enabled where relevant before moving to Active mode. For
further information, see Setting the Security Filter Run Mode, page 88.
The following example of a Web Application is designed to provide some guidance as to the security
issues you should consider when defining your own Web Application’s Security Policy. The example
below is a web store, with the URL www.booksetc.com, which AppWall will be protecting. This
imaginary store includes three subfolders; books, shopping and admin.
The /books/ subfolder contains pictures of book covers, with additional HTML descriptions for each
book. These are static files and require minimal protection. Cookies may or may not be relevant for
a site like this.
The /shopping/ subfolder contains a shopping cart script, as well as a login page. These are dynamic
pages that require user input using parameters. There is also a backend database and cookies,
which both need protecting.
The /admin/ subfolder contains the web administrator’s login details and access to web statistics and
reports regarding the site. This is Administrator related content and should be restricted.
See the following section for details on how to actually apply the most effective Security Policy to
each of the above folders.
Refer to the appropriate section for an overview of the AppWall Security Filters. Alternatively, refer
to Working with Security Filters, page 85.
Recommended Filters
The following table provides a basic guideline on what Filters you can apply, according to what you
need to protect.
Dynamic Pages
Dynamic pages include pages that have some interaction with the user, where user input is required.
These pages also include pages that retrieve and send data to a database, pages with parameters,
pages with cookies, and XML pages. In the Example Web Application, dynamic pages are contained
within the /shopping/ folder.
The following steps provide a basic guideline in how to create your Security Policy for dynamic
pages, preferably within a Test environment. Two basic factors, performance and security, are the
main issues that will affect how you define your Security Policy and are therefore expanded upon
where necessary.
Note: When selecting this option, Security Filters are also automatically assigned to each
Application Path according to what AppWall sees as relevant for that particular Application Path.
3. In the Security Policies view select the required Security Filters to apply to the Application Path.
See the steps below for further information on the Security Filters required. By default, when
working in Manual mode rather than with Auto Policy Generation enabled, the Vulnerabilities,
HTTPMethods, Session, Database, and SafeReply Security Filters should be set to Active for the
Application Path.
4. Map out your site to display folders with relevant properties – media files, login pages,
administrator files/folders – in which you can select the Create Application Paths
Automatically option, or by using Auto Discovery (see Auto Discovery, page 174). This enables
you to uncover your Web Application’s complete folder structure as soon as traffic to your Web
Application commences. If you are not running in a Production environment, use an external
Web Crawler to generate traffic. Radware also recommends discussing the application’s structure
with the application’s developers.
5. For each of the key folders you can now apply a Security Policy. Note that this section assumes
that you are not running the Full Auto Configuration option (as described in Auto Policy
Generation, page 166) and that you are manually applying your Security Policy. The following
list is a general list of the options available for dynamic pages.
a. General—For each of the folders you are protecting the Vulnerabilities and HTTPMethods
Security Filters should be activated. These two Filters do not have a significant impact on
performance and are critical for basic security.
b. Scripts and constantly updating pages—If any folder contains scripts, such as shopping
cart scripts, or pages are constantly added and/or updated, it is recommended to activate
the AllowList Filter. This filter does not have a heavy impact on performance and will
enhance security.
c. User input via parameters—If you have user input pages, such as login pages or
feedback forms where users enter a variety of parameters, it is recommended to activate
the Parameters Filter. For login pages, it is recommended to activate the BruteForce Filter,
which prevents illegal attempts to gain passwords, and does not have a big impact on
performance. Activating this filter is not enough; you will also have to specify the login page
to be protected.
Notes
If you have path parameters and want them protected, set the HTTP properties for the tunnel by
selecting Analyze Path Parameters. Path parameters are embedded parameters in the
request message URL (for example, http://www.site.com/ docs;
PathParameterName=PathParameterValue/ register.jsp?id=3.)
If you have the AllowList and/or Parameters Filters activated, it is recommended to enable at
least the Auto Refinements option to simplify and automate the refinement process.
— Database—If you have a database or LDAP server, it is recommended to activate the
Database Filter, which does not have a significant impact on performance. This filter also has
Auto Policy Generation, which should also be activated.
Note that if database values are large (more than a few kilobytes) you can disable the
Database Filter for that particular parameter (manually) to enhance performance.
— Cookies—If you are working with cookies, activate the Session Filter. Note that the Session
Filter does have some impact on performance. As an alternative, if you do not need the
cookies encrypted but want some protection, you can activate the Parameters Filter, making
sure to set the relevant settings (select the ‘Analyze Cookies as Parameters’ checkbox) in
the HTTP Properties for the tunnel.
— XML—If you are working with XML pages, activate the XMLSecurity Filter, which has
minimal impact on performance.
— Enhanced security—If security considerations outweigh performance, it is recommended
to activate the SafeReply Filter, which protects Social Security and credit card numbers. This
filter offers enhanced security but can have some impact on performance.
— Additional protection—There are additional Security Filters that can be activated to
provide additional protection for dynamic pages, as listed below. Each of the filters listed has
minimal impact on performance when activated.
— FilesUpload Filter—If you want to monitor the upload activity of your Web Application
activate this filter. For example, you can set to evaluate requests to upload picture files (gif,
jpg, jpeg, bmp) to a specific application. An event is generated and the request is blocked
when a user uploads a DOC file to the specified Application Path.
— WebServices Filter—If you are working with Web Services, and want to verify and screen
them for invalid operations using a WSDL file, this filter should be activated.
— GlobalParameters Filter—Activate this filter to evaluate parameter values and to evaluate
parameters defined in other parameter-related Security Filters.
— Logging Filter—Activate this filter only in the event of serious problems (such as to debug)
to log request and reply messages, which can assist in troubleshooting and monitoring/
documenting invalid requests. This filter is not recommended for use in high traffic
production scenarios.
6. After determining the security filters required, you can apply the Filter mode using the
Automation Level tab according to your requirements and, more importantly, your environment.
If you are working with the following Filters, Radware recommends you use them in Active
mode.
— SafeReply
— Database
— Session
— Vulnerabilities
— HTTPMethods
If you are working with the following Filters and are in a test environment, you should use them
in Passive mode, together with Auto Policy Generation enabled.
— AllowList
— Parameters
If you are working in a Production environment with these same Filters, it is recommended to
work in Passive mode with Auto Policy Generation enabled. After using refinements and the
event log to ensure that events are being generated only for blocked files, you should move to
Active mode, with Auto Policy Generation still enabled.
7. As a general rule, leave the order of the Security Filters as is (you can move the filters by
selecting the filter and clicking the arrows in the top right corner).
Note: Some filters should be set before other Filters in specific situations. For example, the
XMLSecurity Filter has the option to parse XML attributes as parameters, which are then
analyzed by the Parameters Filter. In this scenario, the XMLSecurity Filter needs to run before
the Parameters Filter and should be set accordingly using the arrow buttons.
8. Once moving from a Test environment to a Production environment and your Security Policy has
been distributed successfully (as described in the section), it is highly recommended to monitor
any refinements generated, with adjustments to the filter settings perhaps being required if, for
example, events are being generated that should not be blocked.
Static Pages
Static pages refers to pages that are largely static, in so much that they are accessed for viewing/
audio purposes only, such as media files or HTML pages. These files may not be updated regularly,
though may come with accompanying text that can change. In the Web Application, page 137, static
pages are contained within the /books/ folder.
The following steps provide a basic guideline in how to create your Security Policy for static pages,
preferably within a Test environment. Two basic factors, performance and security, are the main
issues that will effect how you define your Security Policy.
Note: Any additional Filters activated for folders that contain only static pages may have an
impact on performance.
Note: The login URI should exist within the secured application. AppWall does not store the login
URI.
By default, all policy settings for the Public role do not require authentication, and are accessible to
all users. All non-public role settings are applied to relevant users only after authentication. For
example, if the Public role can access only the /public/ folder and access to all other folders is
prohibited, only authenticated users are able to access those other folders, pending approval by the
configured security policy.
After you have enabled authentication for the host object, every client authentication process is
enforced against the configured authentication server (LDAP), and a new cookie is set by AppWall to
maintain the HTTP session initiated by the authentication process. You can set authentication
information over HTTP headers to be sent to the Web server for processing (for example, add a
username header so that it is added to all future transactions of the current user).
Defenses Properties
This section contains the following topics:
• Landing Pages, page 164
• Bot List, page 165
• Search Engine Referer, page 166
Landing Pages
A landing page, or entry URL, is usually the first page that most users will be browsing to, when
accessing an application. AppWall’s list of landing page file extensions used for several purposes,
including CSRF and Hot–link attack mitigation modules. Both of these modules inspects the ‘referer’
HTTP header of the incoming HTTP request.
Landing pages are often linked to from social media, email campaigns or pay per click (PPC)
campaigns in order to enhance the effectiveness of the advertisements. The general goal of a
landing page is to convert site visitors into sales leads. By analyzing activity generated by the linked
URL, marketers can use click-through rates and Conversion rate to determine the success of an
advertisement.
When a user is performing search operation in a search engine, he will click on the link of found
results. By doing that the search engines redirects the user to a web page in our application. The
‘referer’ HTTP header value will be the search engine’s host and not an internal host.
AppWall ignores all HTTP requests to pages with landing page file extension when inspecting HTTP
requests for CSRF and Hot-Link attacks.
Naturally other external websites other than search engines might link to such pages.
Bot List
An Internet bot or web robot is a software running automated tasks over web applications. In many
cases bots are used as a tool to perform an attack campaign against applications, but also used for
productive means, such as search engines bots which crawl through the application and enumerate
the content for keyword search indexing purposes.
In most of the cases, these bots are welcome to access the application as we prefer our site to be
well indexed by search engine and to improve our search engine score.
The Bot List is a list of the different search engine bots' values user-agent header in HTTP
transactions, and a domain suffix of these bots. Once AppWall see a request with a user-agent from
the bot list, AppWall runs a reverse DNS lookup query on the source IP address. If host name
matches the defined suffix, AppWall treats this source as a search engine bot. Additional values can
be added to the list.
The Bot List is used to exclude these bots from the Activity Tracking analysis and as part of Hot-link
attack mitigation. In the Activity Tracking AppWall runs a reverse DNS lookup while in the Hot-link it
will only look at the user-agent header.
You can configure the Fingerprinting page timeout. It is configured, by default, to two seconds. After
that time, even if the end user browser did not reply with the AJAX call with the device fingerprint,
AppWall will forward that client to the application. This setting provides a control on the level of
impact on the end user in latency and risk of false positives.
Note: By design, in a cluster node configuration, when auto-discovery and auto-configuration are
enabled, if one of the nodes is disconnected, the configuration learned by the cluster auto-discovery
feature will not be synced to itself nor the available nodes which are still available. Only a manual
apply will sync the cluster itself.
Note: You can set only one the modes (Full Auto, Auto Enabled, Auto Refinements or Manual)
at any one time.
There are also other occasions where full Auto Policy Generation is not recommended and will not
function normally:
• When the AppWall IP Blocking Feature is in use.
• When a caching system is being utilized in front of the AppWall.
• When a Web site is static.
• When full control over security policies is required.
Therefore, Radware recommends that you use IP Blocking or Auto Policy Generation but not both.
Warning: IP Blocking should not be used when Auto Policy Generation is enabled!
Full Auto
This option automatically determines whether a specific Security Filter in a specific directory needs
to be Enabled or Disabled. It also enables you to discover an application’s structure and to
automatically activate the relevant Security Filters for each Application Path (if the Create
Application Paths Automatically checkbox is selected).
When this option is selected, no user interaction is required, except for recommended periodical
reviews of logs and events to ensure that the Auto policy generation feature is working correctly. In
fact, the administrator requires no knowledge of the protected Web Application and does not need to
be informed of modifications to the application.
Note: When running the Web Application wizard, Creating a Web Application you have the
option to create Application Paths automatically or manually, with Security Filters defined
accordingly. Once the Web Application is created, and with at least one Application Path defined,
continue to Step 2.
3. If you have yet to create a Web Application, create one in the Alteon main application window.
4. In the Security Policies view, select the specific Application Path to display in the right pane. If
you selected to automatically create Application Paths, Auto Policy Generation determines which
Security Filters are relevant for that path and displays them.
Note: If you manually selected Security Filters when creating the Web Application, these filters
display in the Active Protection Level tab under the Settings tab, with the relevant mode you
defined; Active/Disabled/Passive/Patch.
5. Under the Settings tab, in the displayed list of Filters, select the Full Auto option button where
relevant.
6. You can also select the current mode of the filter, which may require the temporary deactivation
of the Full Auto option. For example, if your Web Application has undergone many changes, it
may be advisable to select the Manual option and set the filter as Passive before verifying that
the changes have been learned by AppWall and then setting the filter to Active. In this scenario,
it may also be advisable to switch to Auto Enabled: for further information see Auto Enabled.
Note: In addition, the Full Auto option is not available for all Filters because some, such as
the BruteForce and XMLSecurity Filters, require manual interaction from the user.
Auto Enabled
The Auto Enabled option automatically determines which operational mode the Security Filter
needs to be in, either Passive or Active; Disabled is not available. This option works in tandem with
the Auto Refinements option, meaning that both these options are relevant only to specific
Security Filters (AllowList, Parameters, vulnerabilities, HTTPMethods, and Database Filters) and both
options operate interactively according to the amount of refinements taking place. Note that manual
refinements are not taken into consideration when determining the operational mode for a filter.
When there are a significant number of refinements taking place in a filter, the filter should
automatically be set to Passive mode. When the number of new refinements has considerably
dropped, the Auto Enabled option will switch the filter to Active mode automatically.
It is important to note that the Auto Enabled option works on the Application Path level, and will
only change the mode of a given Filter if there is considerable Web traffic in the Application Path/
directory. For example, if there are few refinements, but at the same time there is very little traffic
going through the particular Application Path, then the Auto Enabled option assumes the
Application Path is mostly inactive, and is unable to define the mode of operation. As soon as traffic
picks up again, checks are automatically made to determine if the operational mode should be
changed for the specific filter.
Auto Refinements
Auto Policy Generation, when working with the Auto Refinements option, automatically adds
refinements to the more complex, hard to configure Filters, specifically the AllowList, Parameters,
and Database Filters, therefore reducing the burden on the administrator while simultaneously
providing a high level of protection. It is not fully automatic as compared to the Full Auto option,
but it allows the user a high degree of control over the enterprise’s Security Policy using the more
vital security filters available in AppWall.
The Auto Refinements option has three types of refinement that it automatically configures the
system with:
• AllowList refinements—Files that Auto Policy Generation believes should be allowed access.
• Parameter refinements—Parameters (per URL) that Auto Policy Generation believes should be
permitted. Auto Policy Generation assumes that all parameters are of type string and
automatically learns to limit them to specific length ranges.
• Database refinements—Add refinements on a very granular level: it adds rules to disregard
on a URL+Parameter level.
• Vulnerabilities refinements—Add refinements on an Application Path level.
• HTTP Methods refinements—Add refinements on an Application Path level.
• Session Auto refinements—Add refinements on an Application Path level.
For information on how to work with Auto Refinements in the AllowList and Parameters Security
Filters (for the Database Security Filter refinements display only and cannot be managed), see
AllowList Auto Policy Generation Refinements, page 93 and Parameters Auto Policy Generation
Refinements, page 172.
2. To move a refinement to the Locked list (in the Auto Configuration Locked tab, see below), right-
click on the refinement and select Locked. The file is moved to the Locked list and can no longer
be accessed by users (after clicking Submit and Save and Apply). The refinement will not be
added again by Auto Policy Generation.
3. To move a locked refinement to the AllowList, click the Auto Configuration Locked tab. Then
right-click on the refinement and select Add As Refinement. The file is moved to the AllowList
tab and is now permitted for access by users (after clicking Submit and Save and Apply).
Notes
• At least one of the Security Filters must be set to Full Auto when selecting the Create
Application Paths Automatically checkbox for this feature to work.
• Application Paths are only created for the current folder. For example, when in the root folder,
selecting the Create Application Paths Automatically checkbox ensures that all Application
Paths can be discovered.
Note: You should review the “Event Log” to verify that there are very few, if any, events
generated for valid requests.
Note: Auto Discovery must be enabled for the Auto Tunnel settings Optimization to function.
Auto Discovery
The Auto Discovery view provides linkage between the Security Policy and Application view. The
Application view contains all URIs, parameters, cookies, path parameters, and query parameters
contained in user requests.
The Auto Discovery view assists in discovering the structure of Web Applications according to the
configured Security Policy and according to Web Application traffic. Upon configuration of the
Security Policy through the Management Application, traffic to the Web Application is registered in
the Auto Discovery tree. The Auto Discovery view receives the information about user traffic using
an HTTP-Message structure. Even requests made to non-existent pages are registered, as are
requests that were rejected, for example, Web server down.
The Auto Discovery tree displays an application view that contains the server, tunnels, hosts, folders
(URIs), files (pages), and parameters (Path and Query). The Auto Discovery tree structure is
combined of the tunnel as the root object, the host, taken from the HTTP Header, and the root URI,
which is the root folder of the application structure.
Auto Discovery detection can be disabled and resumed at the tunnel level, by right-clicking the
tunnel and selecting Suspend/Resume. Note that this only suspends the tunnel from Auto
Discovery and in no way does it compromise your security policy.
In addition, Auto Discovery must be enabled (by selecting Resume) in order for Auto Policy
Generation to work. See Auto Policy Generation, page 166 for further information.
Note: The Auto Discovery module creates a single XML document, where all of the discovered
information is held.
Note: The numbers in brackets represent the number of children (for example, files, folders, or
parameters) under the specific parent.
The table below provides an explanation of the icons displayed in the image above:
Icon Description
Represents the actual Application Path.
Represents the URIs that are inherited from the Application Path (folders mapped
to a specific Application Path).
Represents a URI with unknown mapping to Security Policy Application Paths
(usually due to temporary communication issues)
Represents a URI that is not routed to any available Application Path in the tunnel.
{P} Path Parameter
{C} Cookie
{Q} Query Parameter
5. Click the (Edit) button to edit the security properties of the Application Path, and click OK.
6. Click Next, and click Finish. In the Security Policies view, under the new Web Application, the
defined Application Path is now visible.
Note: For the Site-map Processing to be completed successfully AppWall prerequisite conditions are
required:
Note: To counter a vulnerability, the Automatic Configuration module has Application Paths
where the PathBlocking Security Filter is enabled. Thus the Auto Policy Generation module
prevents “Predictable Resource Location” Attacks on the protected application. See Setting
Security Filters.
The Forensics view generates and displays the logs and reports described in the following table. For
further information on these event logs and reports, see Reviewing the Event Log, page 181.
Events per Application Displays a graphical pie chart depicting event types in a specific Web
Report Application.
Note: AppWall stores events in a local SQL-Lite database. The following are the default files size
limits:
• Security: 250 MB
• System: 50 MB
• Escalation: 10 MB
• Administration: 10 MB
• Initialization Log: 10 MB
Note: If the AppWall Management Application contains more than one AppWall server, the Forensics
view contains a set of logs for each AppWall server.
To access a log
1. In the Forensics view, select the type of log node you want to view: Administration Log,
System Log, Initialization Log, Escalation Log, or Security Log. The expanded node
displays one log, the Default View.
2. Select the Default View to view the log. The log appears in the right pane.
3. Double-click a row to display the event’s properties and description.
Reading a Log
Logs enable you to easily monitor system activity throughout the AppWall server environment.
Even though each log reports different types of events, most logs provide information listed in the
following table
Column Description
Severity The severity level of the event: Lowest, Low, Medium, High, or Critical.
IP Address Security Log: the client IP that generated the event. Administration
Log: the Console machine IP that generated the event.
Available in Administration and Security Log only.
User Name Name of the particular user.
Available in Administration Log only.
Time Limit Maximum time allotted for the escalated security policy.
Available in Escalation Log only.
Is Manual The method of invoking the escalated security policy.
Values: Manual, Automatic.
Available in Escalation Log only.
Action Action taken on the escalated security policy. Possible values are:
Escalation, De-Escalation.
Available in Escalation Log only.
New State The state of the tunnel after the escalated security policy is applied.
Possible values are: Bypass, Passive, Active.
Available in Escalation Log only.
Column Description
Rule Name The name of the escalation rule.
Available in Escalation Log only.
Event Transaction ID This parameter is useful when the relative or the absolute path to the
security page is returned to a client for request which violates the
security policy and is actively blocked.
Therefore, when defining a relative path to the security page, a query
parameter is added to the request. This enables the page to add the
event transaction id to the response for the end client to have a ticket
number when accessing support, and enable easy filtering of the
security event log.
Forensics events can be easily filtered according to all the listed parameters below.
Note: After upgrading from versions 7.6.6 and earlier, filtering events by 'Refined' will include only
new events generated after the upgrade. Filtering events by 'Not Refined" will include all events
from before the upgrade, refined and not. For best results, it is advisable to use this filter together
with a time range filter.
Notes
• To view a security log for a particular Web Application, use the Security Policies view. The
Security Policies view reports security activity for the Tunnels, Hosts, and Application Paths
configured for the application.
• The Security Log tab in the Web Applications > Default Web Application node in the
Security Policies view presents the same information as the Security > Web Applications >
Default Web Application node in the Forensics view.
• The Security Log> Default View displays a composite of all events from all Web Applications
configured for the AppWall server. You can easily compare Security Logs by specific Web
Applications in the Forensics view as well.
For more information about the Security Log, see Reading a Log, page 182. The Forensics view
Reports are particularly helpful in analyzing security activity. For details on Reports, see the
Displaying Graphical Reports of Applications and Security Filters section.
Event Grouping
You can group security event into categories based on source IP address and/or Attack.
If you select to group by Attack, it groups the events by the attack threat (shown in the Events list).
To group events
1. Click Filter to open the Log Filter window.
2. In the Group by field, select IP and\or Attack.
3. Click OK.
The event log is now grouped according to the IP address and/or the attack, as you selected.
You can now click on a group to view all the events within the group and then click the Back button
to go back to the list of groups.
Note: To compare Security Logs visually, see Displaying Graphical Reports of Applications and
Security Filters, page 186.
Note: Only events that display the quick-click icon can be refined. Events without a quick-click
icon have already been refined or have no Quick-Click Refinement configuration.
2. In the right pane, double-click an Event to display its Event Log Properties dialog box.
3. Click Refine to display the Refinements page.
4. On the Refinements page, check the fields specifying the refinement and click OK.The filter is
automatically saved.
5. On the AppWall Management Application toolbar, click Apply .
Note: You can also perform policy refinements in a Cluster node using the Refine! button in
the Forensics view. This refinement is sent to the Cluster Manager server, and then shared
among all AppWall servers in the Cluster.
Groups Objects
Events by Applications Shows the distribution of security breaches occurring on each Web
Application, relative to other Web Applications. The information box
displays the name of the Web Application, the number of events and
the percentage rate of all events by Application.
Events by Filters Shows the distribution of security breaches arrested by each Security
Filter, relative to other Security Filters. The information box displays the
name of the filter, the number of events and the percentage rate of all
events by filter.
Events per Application Contrasts the Security Filters of an application you select, showing the
distribution of invalid requests received for each Security Filter. The
information box displays the name of the filter, the number of events
and the percentage rate of all events per Application.
The Events by Applications report shows the distribution of Invalid Requests grouped by Web
Application. This report enables you to see the proportional number of invalid requests for the entire
Web Application in a graphical pie chart. It can be used to identify which Web Application receives
the most invalid requests (multiple invalid requests may be an indication that the application has
been targeted by a hacker).
Transaction ID
Each http transaction, for which an event (of any type) was generated, will be assigned with an
unique ID. This UID will be added to the event log.
Transaction IDs are added to hidden parameters and are useful in tracing security events. When
violations are identified, the transaction ID is sent back in the response.
Events can be filtered by clicking the Filter button in the Forensics view by the Transaction ID to
identify the event generate for a specific HTTP transaction.
Selecting AppWall in the Dashboard view provides its network statistics in the Dashboard tree.
The following is a rundown of the five tabs of the Dashboard view. Each tab is explained in detail in
the following pages.
• Summary—The Summary tab provides a summary of all information related to AppWall . It
provides the Properties, Administrative Events, Activity, and Violations related to AppWall .
Note: Clicking on the View Details button in any of the different topics opens the relative tab
(only after the user is logged in).
• Properties—The Properties tab includes the Details, Group and Cluster, and Tunnels.
• AppWall Activity—This tab provides the Status Details, Current Activity, and Resource Usage of
AppWall.
• Tunnels—This tab provides the user with tunnel information and the current activity of the
tunnels.
Summary Tab
From the Dashboard view, you can view connection details, general information, security events and
violations for the AppWall as described below.
The Summary tab is divided into the following sections:
• Properties — Provides information such as the name and IP address of the AppWall, as well as
the number of tunnels defined for AppWall.
• Administrative Events—Provides information such as the time frame for administrative
system events, and the number of logged Security Violation, Escalation, and System events.
• Security Violations—Provides information such as the time frame for Security Violation events
that occurred in the system and the number of Security Violation events for each Web
Application configured in AppWall Management Application.
Properties Tab
The Dashboard view Properties tab provides details about the selected AppWall and details of any
associated tunnels.
Tunnels Tab
The Dashboard view Tunnels tab provides details about the tunnels configured for AppWall.
By default, the Graph displays only information about the AppWall active connections. Note that you
must initialize a tunnel before you can view its data in a graph. You can modify the settings to view
other types of data as well:
• Pending connections per tunnel
• Active connections per tunnel
• Connection rate per tunnel
• Transaction rate per tunnel.
— Communication Properties
— HTTP Properties
— Security Properties
— Import Global Configuration
— Create a Unique Web Application Name
7. In the Import to Tunnel dialog box, from the Available Tunnels drop-down list, select an existing
tunnel to be overwritten with the selected properties.
8. In the Backup Target Server dialog box, select if to backup the gateway configuration and enter
a backup directory name, and click >. This is a recommended precautionary backup that will be
available for restore operations.
9. The Policy Distribution Wizard has completed, click Close.
Service Description
Publisher Lets you configure the AppWall servers that are accepted by the
publisher server, including Allow and Deny lists.
CDN Support Lets you configure the CDN support.
IP Blocking Lets you configure the IP address allow/block service. See IP Blocking,
page 196 for further information.
IP Blocking
AppWall provides two basic types of IP Blocking:
• User defined IP addresses—IP addresses manually entered as always blocked or always
allowed.
• Automatic IP blocking—IP addresses blocked based on security history.
Configuring IP Blocking
Use this procedure to configure IP blocking.
To configure IP blocking
1. In the Configuration view, expand Services and select IP Blocking.
2. Complete the fields in the Configuration tab as described in the table below.
Parameter Description
Enable Click to enable or disable IP blocking.
Listening Port If you selected to integrate the IP blocking feature with CheckPoint’s FireWall-
1 application, the listening port for the firewall is pre-filled.
Change the listening port if necessary.
3. Complete the fields in the Penalty Score tab as described in the table below.
Parameter Description
Security Score / IP blocking gives suspect IP addresses security level from Level 1, a low
Penalty Time security threat, to Level 3, a high security threat.
You can edit the amount of time, in minutes, that the firewall blocks IP
addresses that belong to each security level.
4. Complete the fields in the Always Block/Never Block tab as described in the table below.
Parameter Description
Always Block These Note: Use Add, Edit, and Remove to edit the list of IP addresses that
IPs should always be blocked. Each IP address can also have a description of
why it has been blocked.
Never Block These Note: Use Add, Edit, and Remove to edit the list of IP addresses that
IPs should never be blocked. Each IP address can also have a description of
why it is always allowed.
5. Click Submit and Save, and on the AppWall Management Application toolbar click Apply .
Parameter Description
IP The blocked IP address.
Blocked Until The date and time until which the IP address has been blocked.
3. Right-click the IP address in the list if you want to:
— always block this IP address
— never block this IP address
— unblock this IP address.
Field Description
Severity Level The severity level assigned to the event. (read only)
Title A short description of the event. (read only)
Enable Log A check mark appears if logging is currently enabled for this event.
Enable A check mark appears if publishing is currently enabled for this event.
Publishing
You can also activate the event aggregation for the security logs. The "events aggregation"
will aggregate all the identical consecutive events. You can configure the number of events to
see before aggregation. An event is "identical" when the title and the description of the
consecutive events are identical.
Field Description
Name The name of the rule.
Generated By The required generating source and the associated source type of the security
violation to trigger this rule. If the Source Type is “Filters”, the Source is a
specific Security Filter, or all Security Filters.
If the Source Type is “Sub Systems”, the Source is a specific sub system, or all
sub systems. The sub systems are: Administration, Application Path, Application
Session, Certificate Manager, Escalation, Event Log, Filters, IP Blocking, License
Manager, Publisher, Resource Manager, SSL, System Manager, Tunnels, or Web
Applications.
If the Source Type is “System”, this field remains blank. If the Source Type is
“Tunnels”, the Source is a specific tunnel, or all tunnels.
If the Source Type is “Web Applications”, the Source is a specific Web Application,
or all Web Applications. Possible values for Source Type are: Filters, Sub System,
System, Tunnels, Web Applications.
Web Application The Web application to which the rule is associated.
Tunnel The tunnel to which the rule is associated.
Host The host to which the rule is associated.
Application Path The Application Path to which the rule is associated.
Severity Level The new Severity Level setting for events that match the rule.
3. Click Add to add a new rule, or double-click a rule to edit the rule. An Add/Edit Severity Rule
dialog box displays with two tabs, Rule Condition and Rule Actions.
4. In the Rule Condition tab, enter the name and required originating source of the event to trigger
this severity rule. Refer to Table 82 - Severity Rules Tab Fields for details.
5. In the Rule Actions tab, select the new severity level according to the options described in Table
83 - Rule Actions Fields, below.
Field Description
Set Fixed Specify the exact severity level to which you want to apply to the event.
Severity Level
Increase Select the number of steps by which to raise the severity level for this event.
Severity Level There are five severity levels, from “Lowest” to “Critical”.
by
Decrease Select the number of steps by which to decrease the severity level for this event.
Severity Level There are five severity levels, from “Lowest” to “Critical”.
by
Exit on Success Select this option if you want to prevent any further Severity Rules settings
processing of this event by AppWall.
6. When you are finished, click OK.
7. Click Submit and Save in the AppWall Security Management Application Content area.
Field Description
Name The name of the rule.
Severity Level The severity level, or the range of severity levels, that can trigger this rule.
Generated By The required generating source of the security violation to trigger this rule and
its associated source type. If the Source Type is “Filters”, the Source is a specific
Security Filter, or all Security Filters.
If the Source Type is “Sub Systems”, the Source is a specific sub system, or all
sub systems. The sub systems are: Administration, Application Path, Application
Session, Certificate Manager, Escalation, Event Log, Filters, IP Blocking, License
Manager, Publisher, Resource Manager, SSL, System Manager, Tunnels, or Web
Applications.
If the Source Type is “System”, this field remains blank. If the Source Type is
“Tunnels”, the Source is a specific tunnel, or all tunnels.
If the Source Type is “Web Applications”, the Source is a specific Web Application,
or all Web Applications. Possible source types are: Filters, Sub System, System,
Tunnels, Web Applications
Web Application The Web Application to which the target object is associated.
Tunnel The tunnel to which the target object is associated.
Host The host to which the target object is associated.
Application Path The Application Path to which the target object is associated.
3. Click Add to add a new rule, or double-click a rule to edit the rule. An Add/Edit Publishing Rule
dialog box displays with two tabs, Rule Condition and Rule Actions.
4. In the Rule Condition tab, enter the name of the rule, required severity levels, and required
source and target of the event to trigger this publishing rule, as required. Refer to Table 84 -
Managing Publishing Rules for details.
5. In the Rule Actions tab, enter the fields according to Table 85 - Rule Actions Tab Fields, below.
Field Description
Run this When enabled, enter the path to an application that you want to run when this
Program on event triggers.
AppWall
Send a Network Sends an instant message.
Message to
Note: This setting requires NetBEUI and Messenger installed on both the
server and the system that is the target of the message.
Send an SNMP Sends an SMTP trap. An icon appears with the object status. Possible values are:
trap Enable, Disable.
Enable and Disable values are relevant for all fields from “Send an SNMP trap” to
“Send an Email message To”.
Send a SysLog Sends a SysLog notification.
Notification
Send Using an Sends using an ODBC event.
ODBC
Send an Email Sends an email message to the specified recipient
Message To
6. When you are finished, click OK.
7. Click Submit and Save in the AppWall Management Application Console Content area.
Field Description
Enable Enables or disables logging.
File Location A relative path to the location of the log file (read only)
File Size Limit Indicates that the current log file should be archived after reaching this
size in Kb.
Current File Size A read-only field indicating the current size of the log file.
Maintain All Files Archive files are stored indefinitely.
Archive
Limit Archive to __ files Indicate the number of archive files to preserve. Older files will be
removed when a new archive file is created.
Request Data Settings - settings for request data files storage and archive control
Field Description
Request Dir Where requests are stored, for example ./Event/Requests
Request Log Limit Maximum number of requests that can be logged in Bytes
Request File Limit Maximum number of file requests in Kb
Request Folder Limit Maximum number of request folders in Mb
Events
AppWall includes an Events subsystem that allows you to change severity setting names, edit event
map properties, create publishing, escalation, and severity rules, and manage log file settings.
Severity Settings
AppWall assigns one of five severity settings to each event:
• Lowest—such as the system starting up.
• Low—such as system shutting down.
• Medium—such as inability to write data to a file.
• High—such as failure to upload a data file.
• Critical—such as failure to initialize the system or security events.
Notes
• Each of these event types has its own unique log file.
• Unlike for the other event types, for initialization events you cannot define severity rules or
publishing rules, and you cannot change the location or functionality of the initialization event
log.
General Issues
This section provides solutions to general AppWall issues.
Where else should I use the Brute Force Filter other than the login page?
You should use the Brute Force Filter on each page you want to prevent systematic attacks, such as
a credit card guesswork page, or where you want to prevent "Contact us" forms of attack.
Note: Expressions
Escaping RegEx
A number of components use RegEx. This adds a great deal of power in creating patterns.
In order for RegEx to offer this powerful feature, it uses several operators. If these operators, . ^ $*
+ ? { [ \ |, occur in a text string and you do not want them treated as RegEx operators, you must
escape them when RegEx functionality is enabled.
Note:
/2000Archive_(.*)\.5(.*)/
Permission to use, copy, modify, distribute and sell the Regex++ library software and its
documentation for any purpose is hereby granted without fee, provided that the above copyright
notice appear in all copies and that both that copyright notice and this permission notice appear in
supporting documentation. Dr. John Maddock makes no representations about the suit-ability of the
Regex++ library software for any purpose. It is provided “asis” without express or implied warranty.
Literals
All characters are literals except: “.”, “*”, “?”, “+”, “(“, “)”, “{“, “}”, “[“, “]”, “^”, “$” and “\”. These
characters are literals when preceded by a “\”. A literal is a character that matches itself.
Wildcard
The dot character “.” matches any single character.
Repeats
A repeat is an expression that is repeated an arbitrary number of times. An expression followed by
“*” can be repeated any number of times including zero. An expression followed by “+” can be
repeated any number of times. All repeat expressions refer to the shortest possible previous sub-
expression: a single character; a character set, or a sub-expression grouped with “()” for example.
• “ba*” will match “b”, “ba”, and “baaa”
• “ba+” will match “ba” and “baaaa” but not “b”
• “ba?” will match “b” or “ba”
• “ba{2,4}” will match “baa”, “baaa” and “baaaa”
Non-Greedy Repeats
Non-greedy repeats are possible by appending a '?' after the repeat; a non-greedy repeat is one
which will match the shortest possible string.
For example, to match HTML tag pairs one could use something like:
“<\s*tagname[^>]*>(.*?)<\s*/tagname\s*>”
In this case $1 will contain the text between the tag pairs, and will be the shortest possible matching
string.
Parenthesis
Parentheses serve two purposes, to group items together into a sub-expression, and to mark what
generated the match. For example the expression “(ab)*” would match all of the string “ababab.” It
is permissible for sub-expressions to match null strings. If a sub-expression takes no part in a match
- for example if it is part of an alternative that is not taken - then both of the iterators that are
returned for that sub-expression point to the end of the input string, and the matched parameter for
that sub-expression is false. Sub-expressions are indexed from left to right starting from 1, sub-
expression 0 is the whole expression.
Non-Marking Parenthesis
Sometimes you need to group sub-expressions with parenthesis, but don't want the parenthesis to
spit out another marked sub-expression, in this case a non-marking parenthesis (?:expression) can
be used. For example the following expression creates no sub-expressions:
“(?:abc)*”
Alternatives
Alternatives occur when the expression can match either one sub-expression or another, each
alternative is separated by a “|”. Each alternative is the largest possible previous sub-expression;
this is the opposite behavior from repetition operators.
Note:
Sets
A set is a set of characters that can match any single character that is a member of the set. Sets are
delimited by “[“and “]” and can contain literals, character ranges, character classes, collating
elements and equivalence classes. Set declarations that start with “^” contain the compliment of the
elements that follow.
Character literals
“[abc]” will match either of “a”, “b”, or “c.”“[^abc]” will match any character other than “a”, “b”, or
“c.”1.4.9.1Character ranges:“[a-z]” will match any character in the range “a” to “z.”“[^A-Z]” will
match any character other than those in the range “A” to “Z.”
Note: Character ranges are highly locale-dependent: they match any character that collates
between the endpoints of the range. Ranges will only behave according to ASCII rules.
Character classes are denoted using the syntax “[:classname:]” within a set declaration, for
example “[[:space:]]” is the set of all whitespace characters. The available character classes are as
follows:
Class Description
Alnum Any alpha numeric character.
Alpha Any alphabetical character a-z and A-Z. Other characters may also be
included depending upon the locale.
Blank Any blank character, either a space or a tab.
Class Description
Lower Any lower case character a-z. Other characters may also be included
depending upon the locale.
Print Any printable character.
Upper Any upper case character A-Z. Other characters may also be included
depending upon the locale.
Xdigit Any hexadecimal digit character, 0-9, a-f and A-F.
Word Any word character - all alphanumeric characters plus the underscore.
Unicode Any character whose code is greater than 255, this applies to the wide
character traits classes only.
Collating elements take the general form [.tagname.] inside a set declaration, where tagname is
either a single character, or a name of a collating element, for example [[.a.]] is equivalent to [a],
and [[.comma.]] is equivalent to [,]. The library supports all the standard POSIX collating element
names, and in addition the following digraphs: “ae”, “ch”, “ll”, “ss”, “nj”, "dz", “lj”, each in lower,
upper and title case variations. Multi-character collating elements can result in the set matching
more than one character, for example [[.ae.]] would match two characters, but note that [^[.ae.]]
would only match one character.
Equivalence classes take the general form [=tagname=] inside a set declaration, where tagname is
either a single character, or a name of a collating element, and matches any character that is a
member of the same primary equivalence class as the collating element [.tagname.]. An
equivalence class is a set of characters that collate the same, a primary equivalence class is a set of
characters whose primary sort key are all the same (for example strings are typically collated by
character, then by accent, and then by case; the primary sort key then relates to the character, the
secondary to the accentuation, and the tertiary to the case). If there is no equivalence class
corresponding to tagname, then [=tagname=] is exactly the same as [.tagname.].
To include a literal “-” in a set declaration then: make it the first character after the opening “[” or
“[^”, the endpoint of a range, or a collating element. To include a literal “[“or “]” or “^” in a set then
make them the endpoint of a range, a collating element, or precede with an escape character.
Line Anchors
An anchor is something that matches the null string at the start or end of a line: “^” matches the
null string at the start of a line, “$” matches the null string at the end of a line.
Back References
A back reference is a reference to a previous sub-expression that has already been matched, the
reference is to what the sub-expression matched, not to the expression itself. A back reference
consists of the escape character “\” followed by a digit “1” to “9”. For example, “\1” refers to the first
sub-expression and “\2” to the second. The expression “(.*)\1” matches any string that is repeated
about its mid-point, for example, “abcabc” or “xyzxyz”. A back reference to a sub-expression that
did not participate in any match, matches the null string: NB this is different to some other regular
expression matchers.
Characters by Code
These characters consist of the escape character followed by the digit “0” followed by the octal
character code. For example “\023” represents the character whose octal code is 23. Where
ambiguity could occur use parentheses to break the expression up: “\0103” represents the
character whose code is 103, “(\010)3” represents the character 10 followed by “3”. To match
characters by their hexadecimal code, use \x followed by a string of hexadecimal digits, optionally
enclosed inside {}, for example \xf0 or \x{aff}, notice the latter example is a Unicode character.
Word Operators
“\w” matches any single character that is a member of the “word” character class, this is identical to
the expression “[[:word:]].”“\W” matches any single character that is not a member of the “word”
character class, this is identical to the expression “[^[:word:]].”“\<“matches the null string at the
start of a word. “\>” matches the null string at the end of the word. “\b” matches the null string at
either the start or the end of a word. “\B” matches a null string within a word.
The start of the sequence passed to the matching algorithms is considered to be a potential start of
a word. The end of the sequence passed to the matching algorithms is considered to be a potential
end of a word.
Buffer Operators
“\`” matches the start of a buffer.“\A” matches the start of the buffer.“\'” matches the end of a
buffer.“\z” matches the end of a buffer. “\Z” matches the end of a buffer, or possibly one or more
new line characters followed by the end of the buffer.
Escape Operator
The escape character “\” has several meanings.
• Inside a set declaration the escape character is a normal character.
• The escape operator may introduce an operator for example: back references, or a word
operator.
• The escape operator may make the following character normal, for example “\*” represents a
literal “*” rather than the repeat operator.
Flag Description
Allow High ASCII Enabled. This enables language coding even in fields that should be only
characters English, for example, Header names, Parameter names, URIs, and so on.
Code Description
The following lists the code page options available in AppWall.
Code Description
cp037: EBCDIC Codepage 037
cp424: IBM Hebrew (cp424)
cp437: MS-DOS Codepage 437 (US)
cp500: EBCDIC Codepage 500
cp737: MS-DOS Codepage 737 (Greek IBM de facto standard)
cp775: MS-DOS Codepage 775 (BaltRim)
cp850: MS-DOS Codepage 850 (Multilingual Latin 1)
cp852: MS-DOS Codepage 852 (Multilingual Latin 2)
cp853: MS-DOS Codepage 853 (Multilingual Latin 3)
cp855: MS-DOS Codepage 855 (Russia) - obsolete
cp856: IBM Hebrew (cp856)
cp857: MS-DOS Codepage 857 (Multilingual Latin 5)
cp860: MS-DOS Codepage 860 (Portugal)
cp861: MS-DOS Codepage 861 (Iceland)
cp862: MS-DOS Codepage 862 (Israel)
cp863: MS-DOS Codepage 863 (Canada (French))
cp864: MS-DOS Codepage 864 (Arabic) without BOX DRAWINGS below 20
cp865: MS-DOS Codepage 865 (Norway)
cp866: MS-DOS Codepage 866 (Russia)
cp869: MS-DOS Codepage 869 (Greece)
cp874: MS-DOS Codepage 874 (Thai)
cp875: EBCDIC Codepage 875 (Greek)
cp932: MS-DOS Codepage 932 (Japanese)
cp932_Gaiji:: MS-DOS Codepage 932 (Japanese) with Gaiji support (rows 95 to 114)
0xF040 - 0xF9FC
cp936: Microsoft Windows Codepage 936 (EUC-Japanese)
cp949: Microsoft Windows Codepage 949 (Korean)
cp949_1: Modified Microsoft Windows Codepage 949_1 (Korean)
cp950:: Microsoft Codepage 950 Traditional Chinese (MS version of BIG5)
cp1026: EBCDIC Codepage 1026 (Turkish)
cp1047: EBCDIC Codepage 1047
cp1250: Microsoft Windows Codepage 1250 (EE)
cp1251: Microsoft Windows Codepage 1251 (Cyrl)
cp1252: Microsoft Windows Codepage 1252 (ANSI)
cp1253: Microsoft Windows Codepage 1253 (Greek)
cp1254: Microsoft Windows Codepage 1254 (Turk)
Code Description
cp1255: Microsoft Windows Codepage 1255 (Hebr)
cp1256: Microsoft Windows Codepage 1256 (Arab)
cp1257: Microsoft Windows Codepage 1257 (BaltRim)
cp1258: Microsoft Windows Codepage 1258 (Viet)
cp2022_jp ISO-2022-JP: Multi-Byte Japanese, RFC 1468 Codepage (jis, jis_encoding,
csjisencoding)
cp8859_1: ISOIEC 8859_1: 1998 Latin Alphabet No. 1
cp8859_2: ISOIEC 8859_2: 1999 Latin Alphabet No. 2
cp8859_3: ISOIEC 8859_3: 1999 Latin Alphabet No. 3
cp8859_4: ISOIEC 8859_4: 1998 Latin Alphabet No. 4
cp8859_5: ISOIEC 8859_5: 1999 Latin Cyrillic Alphabet
cp8859_6: ISOIEC 8859_6: 1999 Latin Arabic Alphabet
cp8859_7: ISOIEC 8859_7: 1987 Latin Greek Alphabet
cp8859_8: ISOIEC 8859_8: 1999 Latin Hebrew Alphabet
cp8859_9: ISOIEC 8859_9: 1999 Latin Alphabet No. 5
cp8859_10: ISOIEC 8859_10: 1998 Latin Alphabet No. 6
cp8859_13: ISOIEC 8859_13: 1998 Latin Alphabet No. 7 (Baltic Rim)
cp8859_14: ISOIEC 8859_14: 1998 Latin Alphabet No. 8 (Celtic)
cp8859_15: ISOIEC 8859_15: 1999 Latin Alphabet No. 9
cp8859_16: ISOIEC 8859_16: Latin alphabet No. 10
cp10000: Macintosh Roman
cp10006: Macintosh Greek
cp10007: Macintosh Cyrillic
cp10029: Macintosh Latin 2
cp10079: Macintosh Iceland
cp10081: Macintosh Turkish
cpkoi8_r: koi8-r (Russian U*IX encoding, also used by RELCOM)
cpbig5BIG5: Single/Dual-Byte Traditional Chinese
cpbig5_2003:: Extended (and modified) BIG5 Traditional Chinese
cpgb2312:: Single/Dual-Byte Chinese National Standard, Codepage (EUC-CN, EUCCN,
CSGB2312, CN-GB)
cpgbk: Single/Dual-Byte Simplified Chinese Codepage (CN-GBK)
distributed to you together with code samples in source code format (the “Code Samples”) that
are meant to illustrate and teach you how to configure, monitor and/or control the Software
and/or any other Radware Products, the Commercial License above further includes a limited,
nonexclusive, nontransferable license to copy and modify the Code Samples and create
derivative works based thereon solely for the SDK Purpose and solely on computers within your
organization. The SDK shall be considered part of the term “Software” for all purposes of this
License Agreement. You agree that you will not sell, assign, license, sublicense, transfer, pledge,
lease, rent or share your rights under this License Agreement nor will you distribute copies of
the Software or any parts thereof. Rights not specifically granted herein, are specifically
prohibited.
2. Evaluation Use. Notwithstanding anything to the contrary in this License Agreement, if the
Software is provided to you for evaluation purposes, as indicated in your purchase order or sales
receipt, on the website from which you download the Software, as inferred from any time-
limited evaluation license keys that you are provided with to activate the Software, or otherwise,
then You may use the Software only for internal evaluation purposes (“Evaluation Use”) for a
maximum of 30 days or such other duration as may specified by Radware in writing at its sole
discretion (the “Evaluation Period”). The evaluation copy of the Software contains a feature that
will automatically disable it after expiration of the Evaluation Period. You agree not to disable,
destroy, or remove this feature of the Software, and any attempt to do so will be a material
breach of this License Agreement. During or at the end of the evaluation period, you may
contact Radware sales team to purchase a Commercial License to continue using the Software
pursuant to the terms of this License Agreement. If you elect not to purchase a Commercial
License, you agree to stop using the Software and to delete the evaluation copy received
hereunder from all computers under your possession or control at the end of the Evaluation
Period. In any event, your continued use of the Software beyond the Evaluation Period (if
possible) shall be deemed your acceptance of a Commercial License to the Software pursuant to
the terms of this License Agreement, and you agree to pay Radware any amounts due for any
applicable license fees at Radware's then-current list prices.
3. Lab/Development License. Notwithstanding anything to the contrary in this License
Agreement, if the Software is provided to you for use in your lab or for development
purposes, as indicated in your purchase order, sales receipt, the part number description for the
Software, the Web page from which you download the Software, or otherwise, then You may use
the Software only in your lab and only in connection with Radware Products that you purchased
or will purchase (in case of a lab license) or for internal testing and development purposes (in
case of a development license) but not for any production use purposes.
4. Subscription Software. If you licensed the Software on a subscription basis, your rights to use
the Software are limited to the subscription period. You have the option to extend your
subscription. If you extend your subscription, you may continue using the Software until the end
of your extended subscription period. If you do not extend your subscription, after the expiration
of your subscription, you are legally obligated to discontinue your use of the Software and
completely remove the Software from your system.
5. Feedback. Any feedback concerning the Software including, without limitation, identifying
potential errors and improvements, recommended changes or suggestions (“Feedback”),
provided by you to Radware will be owned exclusively by Radware and considered Radware's
confidential information. By providing Feedback to Radware, you hereby assign to Radware all of
your right, title and interest in any such Feedback, including all intellectual property rights
therein. With regard to any rights in such Feedback that cannot, under applicable law, be
assigned to Radware, you hereby irrevocably waives such rights in favor of Radware and grants
Radware under such rights in the Feedback, a worldwide, perpetual royalty-free, irrevocable,
sub-licensable and non-exclusive license, to use, reproduce, disclose, sublicense, modify, make,
have made, distribute, sell, offer for sale, display, perform, create derivative works of and
otherwise exploit the Feedback without restriction. The provisions of this Section 5 will survive
the termination or expiration of this Agreement.
6. Limitations on Use. You agree that you will not: (a) copy, modify, translate, adapt or create
any derivative works based on the Software; or (b) sublicense or transfer the Software, or
include the Software or any portion thereof in any product; or (b) reverse assemble,
disassemble, decompile, reverse engineer or otherwise attempt to derive source code (or the
underlying ideas, algorithms, structure or organization) from the Software, in whole or in part,
except and only to the extent: (i) applicable law expressly permits any such action despite this
limitation, in which case you agree to provide Radware at least ninety (90) days advance written
notice of your belief that such action is warranted and permitted and to provide Radware with an
opportunity to evaluate if the law's requirements necessitate such action, or (ii) required to
debug changes to any third party LGPL-libraries linked to by the Software; or (c) create,
develop, license, install, use, or deploy any software or services to circumvent, enable, modify
or provide access, permissions or rights which violate the technical restrictions of the Software;
(d) in the event the Software is provided as an embedded or bundled component of another
Radware Product, you shall not use the Software other than as part of the combined Product and
for the purposes for which the combined Product is intended; (e) remove any copyright notices,
identification or any other proprietary notices from the Software (including any notices of Third
Party Software (as defined below); or (f) copy the Software onto any public or distributed
network or use the Software to operate in or as a time-sharing, outsourcing, service bureau,
application service provider, or managed service provider environment. Notwithstanding the
foregoing, if you provide hosting or cloud computing services to your customers, you are entitled
to use and include the Software in your IT infrastructure on which you provide your services. It
is hereby clarified that the prohibitions on modifying, or creating derivative works based on, any
Software provided by Radware, apply whether the Software is provided in a machine or in a
human readable form. Human readable Software to which this prohibition applies includes
(without limitation) “Radware AppShape++ Script Files” that contain “Special License Terms”. It
is acknowledged that examples provided in a human readable form may be modified by a user.
7. Intellectual Property Rights. You acknowledge and agree that this License Agreement does
not convey to you any interest in the Software except for the limited right to use the Software,
and that all right, title, and interest in and to the Software, including any and all associated
intellectual property rights, are and shall remain with Radware or its third party licensors. You
further acknowledge and agree that the Software is a proprietary product of Radware and/or its
licensors and is protected under applicable copyright law.
8. No Warranty. The Software, and any and all accompanying software, files, libraries, data and
materials, are distributed and provided “AS IS” by Radware or by its third party licensors (as
applicable) and with no warranty of any kind, whether express or implied, including, without
limitation, any non-infringement warranty or warranty of merchantability or fitness for a
particular purpose. Neither Radware nor any of its affiliates or licensors warrants, guarantees, or
makes any representation regarding the title in the Software, the use of, or the results of the
use of the Software. Neither Radware nor any of its affiliates or licensors warrants that the
operation of the Software will be uninterrupted or error-free, or that the use of any passwords,
license keys and/or encryption features will be effective in preventing the unintentional
disclosure of information contained in any file. You acknowledge that good data processing
procedure dictates that any program, including the Software, must be thoroughly tested with
non-critical data before there is any reliance on it, and you hereby assume the entire risk of all
use of the copies of the Software covered by this License. Radware does not make any
representation or warranty, nor does Radware assume any responsibility or liability or provide
any license or technical maintenance and support for any operating systems, databases,
migration tools or any other software component provided by a third party supplier and with
which the Software is meant to interoperate.
This disclaimer of warranty constitutes an essential and material part of this License.
In the event that, notwithstanding the disclaimer of warranty above, Radware is held liable
under any warranty provision, Radware shall be released from all such obligations in the event
that the Software shall have been subject to misuse, neglect, accident or improper installation,
or if repairs or modifications were made by persons other than by Radware's authorized service
personnel.
9. Limitation of Liability. Except to the extent expressly prohibited by applicable statutes, in no
event shall Radware, or its principals, shareholders, officers, employees, affiliates, licensors,
contractors, subsidiaries, or parent organizations (together, the “Radware Parties”), be liable for
any direct, indirect, incidental, consequential, special, or punitive damages whatsoever relating
to the use of, or the inability to use, the Software, or to your relationship with, Radware or any
of the Radware Parties (including, without limitation, loss or disclosure of data or information,
and/or loss of profit, revenue, business opportunity or business advantage, and/or business
interruption), whether based upon a claim or action of contract, warranty, negligence, strict
liability, contribution, indemnity, or any other legal theory or cause of action, even if advised of
the possibility of such damages. If any Radware Party is found to be liable to You or to any third-
party under any applicable law despite the explicit disclaimers and limitations under these
terms, then any liability of such Radware Party, will be limited exclusively to refund of any
license or registration or subscription fees paid by you to Radware.
10. Third Party Software. The Software includes software portions developed and owned by third
parties (the “Third Party Software”). Third Party Software shall be deemed part of the Software
for all intents and purposes of this License Agreement; provided, however, that in the event that
a Third Party Software is a software for which the source code is made available under an open
source software license agreement, then, to the extent there is any discrepancy or inconsistency
between the terms of this License Agreement and the terms of any such open source license
agreement (including, for example, license rights in the open source license agreement that are
broader than the license rights set forth in Section 1 above and/or no limitation in the open
source license agreement on the actions set forth in Section 6 above), the terms of any such
open source license agreement will govern and prevail. The terms of open source license
agreements and copyright notices under which Third Party Software is being licensed to
Radware or a link thereto, are included with the Software documentation or in the header or
readme files of the Software. Third Party licensors and suppliers retain all right, title and interest
in and to the Third Party Software and all copies thereof, including all copyright and other
intellectual property associated therewith. In addition to the use limitations applicable to Third
Party Software pursuant to Section 6 above, you agree and undertake not to use the Third Party
Software as a general SQL server, as a stand-alone application or with applications other than
the Software under this License Agreement.
11. Term and Termination. This License Agreement is effective upon the first to occur of your
opening the package of the Product, purchasing, downloading, installing, copying or using the
Software or any portion thereof, and shall continue until terminated. However, sections 5-15
shall survive any termination of this License Agreement. The Licenses granted under this License
Agreement are not transferable and will terminate upon: (i) termination of this License
Agreement, or (ii) transfer of the Software, or (iii) in the event the Software is provided as an
embedded or bundled component of another Radware Product, when the Software is unbundled
from such Product or otherwise used other than as part of such Product. If the Software is
licensed on subscription basis, this Agreement will automatically terminate upon the termination
of your subscription period if it is not extended.
12. Export. The Software or any part thereof may be subject to export or import controls under
applicable export/import control laws and regulations including such laws and regulations of the
United States and/or Israel. You agree to comply with such laws and regulations, and, agree not
to knowingly export, re-export, import or re-import, or transfer products without first obtaining
all required Government authorizations or licenses therefor. Furthermore, You hereby covenant
and agree to ensure that your use of the Software is in compliance with all other foreign,
federal, state, and local laws and regulations, including without limitation all laws and
regulations relating to privacy rights, and data protection. You shall have in place a privacy
policy and obtain all of the permissions, authorizations and consents required by applicable law
for use of cookies and processing of users' data (including without limitation pursuant to
Directives 95/46/EC, 2002/58/EC and 2009/136/EC of the EU if applicable) for the purpose of
provision of any services.
13. US Government. To the extent you are the U.S. government or any agency or instrumentality
thereof, you acknowledge and agree that the Software is a “commercial computer software” and
“commercial computer software documentation” pursuant to applicable regulations and your use
of the Software is subject to the terms of this License Agreement.
14. Federal Acquisition Regulation (FAR)/Data Rights Notice. Radware's commercial
computer software is created solely at private expense and is subject to Radware's commercial
license rights.
15. Governing Law. This License Agreement shall be construed and governed in accordance with
the laws of the State of Israel.
16. Miscellaneous. If a judicial determination is made that any of the provisions contained in this
License Agreement is unreasonable, illegal or otherwise unenforceable, such provision or
provisions shall be rendered void or invalid only to the extent that such judicial determination
finds such provisions to be unreasonable, illegal or otherwise unenforceable, and the remainder
of this License Agreement shall remain operative and in full force and effect. In any event a
party breaches or threatens to commit a breach of this License Agreement, the other party will,
in addition to any other remedies available to, be entitled to injunction relief. This License
Agreement constitutes the entire agreement between the parties hereto and supersedes all prior
agreements between the parties hereto with respect to the subject matter hereof. The failure of
any party hereto to require the performance of any provisions of this License Agreement shall in
no manner affect the right to enforce the same. No waiver by any party hereto of any provisions
or of any breach of any provisions of this License Agreement shall be deemed or construed
either as a further or continuing waiver of any such provisions or breach waiver or as a waiver of
any other provision or breach of any other provision of this License Agreement.
IF YOU DO NOT AGREE WITH THE TERMS OF THIS LICENSE YOU MUST REMOVE THE
SOFTWARE FROM ANY DEVICE OWNED BY YOU AND IMMEDIATELY CEASE USING THE
SOFTWARE.
COPYRIGHT © 2020, Radware Ltd. All Rights Reserved.