Web Application Firewall

A10 Thunder™ Series and AX Series


Document No.: D-030-01-00-0055
ACOS 2.7.2, 4/30/2014
© 4/30/2014 A10 Networks, Inc. - All Rights Reserved
Information in this document is subject to change without notice.

Trademarks
The A10 logo, A10 Lightning, A10 Networks, A10 Thunder, aCloud, ACOS, aFleX, aFlow, aGalaxy, aVCS, aXAPI, IDaccess, IDsentrie, IP to ID, Link Director, MultiLink Director, SoftAX, Thunder, the Thunder logo, VirtualN, and vThunder are trademarks or registered trademarks of A10 Networks, Inc. All other trademarks are property of their respective owners.

Patents Protection
A10’s products (including all AX Series products) are protected by one or more of the following U.S. patents: 8595819,
8595791, 8595383, 8584199, 8464333, 8423676, 8387128, 8332925, 8312507, 8291487, 8266235, 8151322, 8079077,
7979585, 7804956, 7716378, 7665138, 7647635, 7627672, 7596695, 7577833, 7552126, 7392241, 7236491, 7139267,
6748084, 6658114, 6535516, 6363075, 6324286, 5875185, RE44701, 8392563, 8103770, 7831712, 7606912, 7346695,
7287084, 6970933, 6473802, 6374300.

Confidentiality
This document contains confidential materials proprietary to A10 Networks, Inc. This document and information and ideas
herein may not be disclosed, copied, reproduced or distributed to anyone outside A10 Networks, Inc. without prior written
consent of A10 Networks, Inc.

A10 Networks Inc. Software License and End User Agreement


Software for all A10 Networks products contains trade secrets of A10 Networks and its subsidiaries and Customer agrees
to treat Software as confidential information.
Anyone who uses the Software does so only in compliance with the terms of the End User License Agreement (EULA),
provided later in this document or available separately. Customer shall not:
1) reverse engineer, reverse compile, reverse de-assemble or otherwise translate the Software by any means
2) sublicense, rent or lease the Software.

Disclaimer
This document does not create any express or implied warranty about A10 Networks or about its products or services, including but not limited to fitness for a particular use and non-infringement. A10 Networks has made reasonable efforts to verify that the information contained herein is accurate, but A10 Networks assumes no responsibility for its use. All information is provided "as-is." The product specifications and features described in this publication are based on the latest information available; however, specifications are subject to change without notice, and certain features may not be available upon initial product release. Contact A10 Networks for current information regarding its products or services. A10 Networks’ products and services are subject to A10 Networks’ standard terms and conditions.

Environmental Considerations
Some electronic components may possibly contain dangerous substances. For information on specific component types, please contact the manufacturer of that component. Always consult local authorities for regulations regarding proper disposal of electronic components in your area.

Further Information
For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest A10
Networks location, which can be found by visiting www.a10networks.com.
A10 Thunder Series and AX Series—Web Application Firewall

Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid A10 Networks Regular and Technical Support service contracts, the A10 Networks Technical Assistance Center provides support services online and over the phone.

Corporate Headquarters

A10 Networks, Inc.


3 West Plumeria Dr
San Jose, CA 95134 USA

Tel: +1-408-325-8668 (main)


Tel: +1-888-822-7210 (support – toll-free in USA)
Tel: +1-408-325-8676 (support – direct dial)
Fax: +1-408-325-8666

www.a10networks.com

Collecting System Information


Your A10 Networks device provides a simple method to collect configuration and status information for Technical Support to use when diagnosing system issues.

To collect system information, use either of the following methods.

USING THE GUI (RECOMMENDED)


1. Log into the GUI.
2. On the main page (Monitor Mode > Overview > Summary), click the technical-support download button. This option downloads a text log file.

3. Email the file as an attachment to A10 Networks Technical Support.

Customer Driven Innovation 3 of 136

USING THE CLI


1. Log into the CLI.
2. Enable logging in your terminal emulation application, to capture output generated by the CLI.
3. Enter the enable command to access the Privileged EXEC mode of the
CLI. Enter your enable password at the Password prompt.
4. Enter the show techsupport command.
5. After the command output finishes, save the output in a text file.
6. Email the file as an attachment to A10 Networks Technical Support.

Note: As an alternative to saving the output in a log file captured by your terminal emulation application, you can export the output from the CLI using the following command:
show techsupport export [use-mgmt-port] url
(For syntax information, see the CLI Reference for the software version
you are running.)

About This Book

This document describes features of the A10 Networks Advanced Core Operating System (ACOS). These features are supported on the following product lines:
• A10 Thunder™ Series Application Delivery Controller (example models shown below)
• AX Series Application Delivery Controller

FIGURE 1 Thunder 6630

FIGURE 2 Thunder 5430-11

User Documentation
Information is available for ACOS products in the following documents.
These documents are included on the documentation CD shipped with your
product, and also are available on the A10 Networks support site.

Basic Setup
• Installation Guides

• System Configuration and Administration Guide

Security Guides
• Management Access Security Guide

• Application Access Management and DDoS Mitigation Guide

• Web Application Firewall Guide

Application Delivery Guides
• Application Delivery and Server Load Balancing Guide

• Global Server Load Balancing Guide

References
• LOM Reference

• GUI Reference

• CLI Reference

• aFleX Reference

• MIB Reference

• aXAPI Reference

Make sure to use the basic deployment instructions in the Installation Guide
for your Thunder or AX model, and in the System Configuration and
Administration Guide. Also make sure to set up your device’s Lights Out
Management (LOM) interface, if applicable.

Note: Some guides may display GUI configuration examples. These examples
are subject to change and may not display all the available options.

Audience
This document is intended for use by network architects for determining
applicability and planning implementation, and for system administrators
for provision and maintenance of A10 Networks products.

Documentation Updates
Updates to these documents are published periodically to the A10 Networks
support site, on an updated documentation CD (posted as a zip archive). To
access the latest version, please log onto your A10 support account.

http://www.a10networks.com

A10 Virtual Application Delivery Community
You can use your A10 support login to access the A10 Virtual Application
Delivery Community (VirtualADC). The VirtualADC is an interactive
forum where you can find and share product and feature information. To
access the VirtualADC, navigate here:

http://www.a10networks.com/adc/

Contents
Obtaining Technical Assistance 3
Collecting System Information.............................................................................................................. 3

About This Book 5
User Documentation............................................................................................................................... 6
Audience.................................................................................................................................................. 7
Documentation Updates ........................................................................................................................ 7
A10 Virtual Application Delivery Community....................................................................................... 7

Overview 13
System Requirements for the WAF..................................................................................................... 14
External Logging ............................................................................................................................. 14
Common Web Attacks.......................................................................................................................... 14
WAF Security Model ............................................................................................................................. 16
Request Protection ......................................................................................................................... 16
Compare Request URI to White List and Black List .................................................................... 16
Scan Request for Threats ........................................................................................................... 18
Response Protection ...................................................................................................................... 22
Mask Sensitive Content ............................................................................................................... 23
Cloak Responses ........................................................................................................................ 24
Send Instrumented Responses ................................................................................................... 25

WAF Operational Modes 27
Overview................................................................................................................................................ 27
Learning Mode ................................................................................................................................ 29
Passive Mode ................................................................................................................................. 31
Active Mode .................................................................................................................................... 33
Setting the WAF Operational Mode..................................................................................................... 35

Configuring the WAF Using the GUI 37
Configuration Overview ....................................................................................................................... 37
Configure a WAF Template ............................................................................................................ 38
Configure General Settings ......................................................................................................... 38
Configure Request Protection ..................................................................................................... 39
Configure Response Protection .................................................................................................. 42
Confirm the Template Configuration ........................................................................................... 44
Bind the WAF Template to the Virtual Port......................................................................................... 44

Configure External Logging (recommended) .....................................................................................47
Create Server Configurations for the Log Servers ......................................................................... 48
Add Server Configurations to Service Group ................................................................................. 48
Configure the Logging Template .................................................................................................... 49
Apply the Log Template to the WAF Template .............................................................................. 49

Configuring the WAF Using the CLI 51
Required Configuration ........................................................................................................................51
Create a WAF Template ................................................................................................................. 51
Bind the WAF Template to the HTTP/HTTPS Virtual Port ............................................................. 52
External Logging Configuration ..........................................................................................................52
Optional Configuration .........................................................................................................................54
Set Deployment Mode .................................................................................................................... 54
Customize WAF Policy Files .......................................................................................................... 55
Configure Security Checks for Requests ....................................................................................... 55
Configure Security Checks for Responses ..................................................................................... 58

WAF Event Logging 61
WAF Event Types and Where They Are Logged.................................................................................61
Log Format.............................................................................................................................................63
WAF Log Examples ...............................................................................................................................65
Basic Log Message ........................................................................................................................ 65
Bot Check ....................................................................................................................................... 66
Learning Mode ............................................................................................................................... 67

WAF Policy Files 69
Pre-Loaded WAF Policies .....................................................................................................................69
Request Protection ......................................................................................................................... 70
Bot Check ................................................................................................................................... 70
XSS Check .................................................................................................................................. 70
SQL Injection Attack Check ........................................................................................................ 70
URI Black List .............................................................................................................................. 71
URI White List ............................................................................................................................. 72
Response Protection ...................................................................................................................... 72
Allowed HTTP Response Codes ................................................................................................. 72

Customize WAF Policy Files................................................................................................................ 73
Syntax Check .................................................................................................................................. 73
Using the GUI ................................................................................................................................. 74
Using the CLI .................................................................................................................................. 75
Configure Policy Files .................................................................................................................. 75
Syntax Checks ............................................................................................................................ 75
Manage Files ............................................................................................................................... 76
Writing PCRE Expressions ............................................................................................................. 77
General Guidelines ...................................................................................................................... 77
Example Applications .................................................................................................................. 79

Overriding a WAF Template 81
Configure an HTTP Policy Template ................................................................................................... 82
Bind the HTTP Policy Template to the Virtual Port............................................................................ 84

WAF Statistics 85
Displaying WAF Statistics.................................................................................................................... 85
Clearing WAF Statistics ....................................................................................................................... 87

WAF Deployment and Logging Examples 89
Initial Configuration.............................................................................................................................. 89
Logging Configuration ..................................................................................................................... 89
WAF Template Configuration ......................................................................................................... 90
HTTP Virtual Port Configuration ..................................................................................................... 90
Learning................................................................................................................................................. 92
Enable Learning Mode .................................................................................................................... 92
Generate Traffic .......................................................................................................................... 92
View External Log ....................................................................................................................... 92
View WAF Template Settings ...................................................................................................... 93
Generate Allowed URL Paths for the URL Check .......................................................................... 94
Configuration Example ................................................................................................................ 94
Save Template Settings .................................................................................................................. 96
Response Header Filtering .................................................................................................................. 97
Enable Header Response Filtering ................................................................................................. 98
View External Log ........................................................................................................................... 98
SQLIA Check......................................................................................................................................... 99
Enable the SQLIA Check ................................................................................................................ 99
View External Log ........................................................................................................................... 99

Cross-site Scripting Check ..................................................................................................................99
Enable the XSS Check ................................................................................................................... 99
View External Log ........................................................................................................................ 100
Cookie Encryption...............................................................................................................................101

WAF Template Reference 103

WAF CLI Command Reference 111
WAF Template Commands ................................................................................................................. 111
slb template waf ................................................................................................................................... 111
show slb waf ........................................................................................................................................ 118
clear slb waf ......................................................................................................................................... 125
WAF File Management Commands....................................................................................................125
waf check ............................................................................................................................................. 125
waf copy .............................................................................................................................................. 126
waf delete ............................................................................................................................................ 126
waf edit ................................................................................................................................................ 126
waf rename .......................................................................................................................................... 127
show waf-policy ................................................................................................................................... 127
External Logging Commands ............................................................................................................128
slb server ............................................................................................................................................. 128
slb service-group ................................................................................................................................. 130
slb template logging ............................................................................................................................. 132
show template logging ......................................................................................................................... 132
show slb server .................................................................................................................................... 133
show slb service-group ........................................................................................................................ 133


Overview

The A10 product line provides additional security for your Web servers with the Web Application Firewall (WAF) feature. The WAF filters communication between users and Web applications to protect Web servers and sites from unauthorized access and malicious programs. This new layer of security examines incoming user requests, output from Web servers, and access to Web site content to safeguard against Web attacks and protect sensitive information hosted on Web servers.

The WAF protects against the following main threats to Web servers:
• Unauthorized access and control of the Web server – Various attacks are designed to give an attacker access to and control of a Web server. If an attack succeeds, the attacker can deface existing Web pages, use the server to send spam, or use it as a source of distributed denial-of-service (DDoS) attacks against other targets.
In addition, the attacker can use the compromised server to host content directly, or as a proxy for content hosted on another server. This lets unauthorized users run illegal online activities on your Web server resources.
• Unauthorized retrieval of sensitive information – These attacks are intended to retrieve or leak sensitive information from your Web sites or back-end databases.

The WAF is configured via a WAF template, which includes built-in basic and policy-based security checks for convenient and quick deployment. Within the WAF template, you can enable security checks that immediately provide a foundational level of protection against common threats.

Web sites are further protected by checks that are defined in customizable WAF policy files. You can edit WAF policy files to add advanced counter-measures against common attacks such as SQL injection or bots.

System Requirements for the WAF
The WAF is included among the standard set of features, beginning in
ACOS 2.7.1. To use the WAF feature, your ACOS device must be running
2.7.1 or higher.

External Logging
The WAF can send data plane (traffic processing) events to external log servers, and control plane (management) events either to external log servers or to the local log. For interoperability, the WAF writes its log messages in Common Event Format (CEF), an open format understood by other security appliances and log collectors. WAF logging is supported over UDP and TCP; UDP does not guarantee delivery, so use TCP where a complete record of events matters. You configure external logging against a group of one or more log servers, and you can add capacity later simply by adding servers to the group.

(For more information, see “WAF Event Logging” on page 61.)
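The guide documents the WAF's own CEF output in the "WAF Event Logging" chapter. The following is an added example, not code from the guide: a small Python parser for CEF lines as a syslog collector would receive them. The header layout (CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension) and the backslash escapes are those of the public CEF specification; the sample lines, the vendor and product names, the signature IDs and the extension keys are constructed for this example and are not the ACOS WAF's actual log format.

```python
"""Parse Common Event Format (CEF) lines, the format the WAF uses for external logging.

Added example, not code from the A10 guide. SAMPLE_LINES are constructed to follow
the public CEF layout; the vendor, product, signature IDs and extension keys are
assumptions, not the ACOS WAF's real log format.
"""
import re
from dataclasses import dataclass, field


@dataclass
class CefEvent:
    version: str
    vendor: str
    product: str
    device_version: str
    signature_id: str
    name: str
    severity: str          # 0-10, or Low / Medium / High / Very-High
    extension: dict = field(default_factory=dict)


def _split_header(body: str, count: int):
    """Split `count` '|'-separated header fields, honouring backslash escapes.

    Returns the fields and the unparsed remainder (the extension)."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < count:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):     # escaped character: take it literally
            cur.append(body[i + 1])
            i += 2
        elif ch == "|":                          # field separator
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < count:
        raise ValueError("CEF header has too few fields")
    return fields, body[i:]


# A key is a run of word characters followed by '=' at the start or after whitespace.
# '=' inside a value must be escaped as '\=' per the CEF spec, so it never looks like a key.
_KEY_RE = re.compile(r"(?:^|(?<=\s))(\w+)=")


def _parse_extension(ext: str) -> dict:
    """Turn 'k1=v1 k2=v 2 ...' into a dict, undoing the extension escapes."""
    out = {}
    keys = list(_KEY_RE.finditer(ext))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()
        out[m.group(1)] = re.sub(
            r"\\(.)", lambda mm: {"n": "\n", "r": "\r"}.get(mm.group(1), mm.group(1)), raw)
    return out


def parse_cef(line: str) -> CefEvent:
    """Parse one syslog line carrying a CEF message (anything before 'CEF:' is the syslog prefix)."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF line")
    fields, ext = _split_header(line[start + len("CEF:"):], 7)
    return CefEvent(*fields, extension=_parse_extension(ext))


def is_high_severity(ev: CefEvent) -> bool:
    """Numeric severity 7 or above, or the textual High / Very-High."""
    return (ev.severity.isdigit() and int(ev.severity) >= 7) or ev.severity in ("High", "Very-High")


def denied_sources(events) -> list:
    """Source addresses of events whose action was deny, in order of first appearance."""
    seen = []
    for ev in events:
        src = ev.extension.get("src")
        if ev.extension.get("act") == "deny" and src and src not in seen:
            seen.append(src)
    return seen


# constructed sample lines: syslog priority, timestamp and host, then the CEF message
SAMPLE_LINES = [
    "<134>Apr 30 12:00:01 waf-1 CEF:0|ExampleVendor|ExampleWAF|1.0|100|SQL injection attempt|8|"
    "src=203.0.113.7 dst=192.0.2.10 spt=51432 dpt=80 act=deny "
    "request=/login.php?user\\=admin'-- msg=rule sqli\\|quote",
    "<134>Apr 30 12:00:02 waf-1 CEF:0|ExampleVendor|ExampleWAF|1.0|200|Request allowed|2|"
    "src=198.51.100.5 dst=192.0.2.10 act=allow request=/index.html",
]


def parse_samples() -> list:
    return [parse_cef(line) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for ev in parse_samples():
        print(ev.signature_id, ev.name, "high" if is_high_severity(ev) else "low", ev.extension.get("act"))
```

The header splitter must honour the escapes, because a request URI or rule name logged in the Name field or in an extension value can legitimately contain '|' and '='; splitting naively on those characters silently mis-attributes fields.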

Common Web Attacks

The WAF protects your Web servers from common threats which can compromise the security of Web sites or leak sensitive information. The following sections briefly describe common threats and the WAF security checks you can use to counter them. More detail is provided later in this guide.

Buffer Overflow Attacks

A buffer overflow attack sends the Web server excessively long request elements (for example, URLs, headers, or cookies) in the hope that the server copies them into a fixed-size buffer without checking their length.

If no filter blocks such requests, an overflow in the server process can slow down or crash the server and, in the worst case, let the attacker run code in the server process. Either way the Web server is compromised, and unauthorized users may gain access to sensitive information.

The WAF prevents buffer overflow attacks by enforcing a configurable maximum length for each element of an HTTP request and blocking requests that exceed the configured limit. The URL is normalized as part of this check, so that percent-encoding or redundant path segments do not disguise an over-long or malformed URL.
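The following added example (not the ACOS implementation, and not taken from the guide) shows the shape of such a check in Python: the request target is normalized before it is measured, and each element is compared with its own limit. The limit values, the element names and the sample requests are assumptions chosen for illustration, not ACOS defaults.

```python
"""Enforce maximum lengths on the elements of an HTTP request, after normalizing the URL.

Added example, not the ACOS implementation. LIMITS, the element names and the
sample requests are assumptions for illustration, not ACOS defaults.
"""
import posixpath
from urllib.parse import parse_qsl, unquote, urlsplit, urlunsplit

LIMITS = {
    "url": 2048,         # normalized request target
    "header": 4096,      # one header line, name plus value
    "cookie": 4096,      # whole Cookie header value
    "query_value": 512,  # any single query parameter value
}


def normalize_url(target: str) -> str:
    """Percent-decode the path (repeatedly, to undo double encoding) and collapse
    '.', '..' and empty segments, so the check sees the path the server will see."""
    parts = urlsplit(target)
    path = parts.path
    for _ in range(3):                 # bounded; stop as soon as decoding has converged
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = posixpath.normpath(path) if path else "/"
    if not path.startswith("/"):
        path = "/" + path
    return urlunsplit(("", "", path, parts.query, ""))


def parse_request(raw: bytes):
    """Minimal request-line and header parser for the example; the body is ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, headers


def check_request(raw: bytes, limits=LIMITS) -> list:
    """Return (element, actual_length, limit) for every limit the request breaks; empty means it passes."""
    _method, target, headers = parse_request(raw)
    violations = []
    url = normalize_url(target)
    if len(url) > limits["url"]:
        violations.append(("url", len(url), limits["url"]))
    for name, value in headers:
        line_len = len(name) + 2 + len(value)          # 'Name: value'
        if line_len > limits["header"]:
            violations.append((f"header:{name}", line_len, limits["header"]))
        if name.lower() == "cookie" and len(value) > limits["cookie"]:
            violations.append(("cookie", len(value), limits["cookie"]))
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if len(value) > limits["query_value"]:
            violations.append((f"query:{key}", len(value), limits["query_value"]))
    return violations


# constructed sample requests
GOOD_REQUEST = (b"GET /index.html?q=hello HTTP/1.1\r\nHost: www.example.com\r\n"
                b"Cookie: session=abc123\r\n\r\n")
LONG_QUERY_REQUEST = (b"GET /search?q=" + b"A" * 600 + b" HTTP/1.1\r\n"
                      b"Host: www.example.com\r\n\r\n")
BIG_COOKIE_REQUEST = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
                      b"Cookie: blob=" + b"x" * 5000 + b"\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("good", GOOD_REQUEST), ("long query", LONG_QUERY_REQUEST),
                       ("big cookie", BIG_COOKIE_REQUEST)):
        print(label, check_request(req) or "ok")
    print(normalize_url("/static/%252e%252e/%2e%2e/etc/passwd"))
```

Normalizing before measuring matters for two reasons: a double-encoded path such as /static/%252e%252e/%2e%2e/etc/passwd only reveals its real target (/etc/passwd) after decoding twice, and a server that decodes before copying may overflow on a value whose encoded form looked short enough.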

Cookie Tampering
Cookie tampering occurs when a user sends a modified cookie to a Web
server in an attempt to access unauthorized content. To protect against
cookie tampering, enable the Cookie Encryption check within the WAF
template.
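The guide does not describe how the Cookie Encryption check encodes cookies, so the following is an added illustration rather than the ACOS mechanism: a Python routine that seals a cookie value so the client can neither read it nor alter it undetected, built only from the standard library (HMAC-SHA256 in counter mode as the keystream, then an HMAC tag over nonce and ciphertext). The master key and cookie contents are constructed. A production deployment would use a vetted authenticated cipher such as AES-GCM instead; the point the example makes is that encryption alone does not stop tampering, because a stream cipher lets an attacker flip plaintext bits without the key, and only the authentication tag catches that.

```python
"""Seal a cookie so a client can neither read nor alter it, the property the guide's
Cookie Encryption check provides.

Added example, not the ACOS mechanism. Built only from the standard library: HMAC-SHA256
in counter mode as the keystream, then an HMAC tag over nonce and ciphertext
(encrypt-then-MAC). In production use a vetted AEAD such as AES-GCM instead.
The master key and cookie contents are constructed for the example.
"""
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN = 12
TAG_LEN = 16      # 128-bit truncated HMAC-SHA256 tag


def _subkeys(master: bytes):
    """Derive distinct encryption and MAC keys so one key is never used for both."""
    enc = hmac.new(master, b"cookie-enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"cookie-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256(key, nonce || counter) blocks; safe while (key, nonce) never repeats."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_cookie(master: bytes, value: str, nonce: Optional[bytes] = None) -> str:
    """Encrypt and authenticate `value`; returns a URL-safe base64 token: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(master)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    pt = value.encode()
    ct = _xor(pt, _keystream(enc_key, nonce, len(pt)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()


def open_cookie(master: bytes, token: str) -> Optional[str]:
    """Return the original value, or None when the token is malformed or fails authentication."""
    enc_key, mac_key = _subkeys(master)
    try:
        blob = base64.urlsafe_b64decode(token)
    except (ValueError, binascii.Error):
        return None
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):        # constant-time; reject before decrypting
        return None
    return _xor(ct, _keystream(enc_key, nonce, len(ct))).decode(errors="replace")


def decrypt_without_mac(master: bytes, token: str) -> str:
    """What a server that only encrypts (no tag check) would recover; shows why that is not enough."""
    enc_key, _ = _subkeys(master)
    blob = base64.urlsafe_b64decode(token)
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN]
    return _xor(ct, _keystream(enc_key, nonce, len(ct))).decode(errors="replace")


def tamper_demo(master: bytes = b"example-master-key-not-for-production") -> dict:
    """Seal 'uid=42;role=user', then flip the ciphertext bits that turn 'user' into 'root'."""
    plain = "uid=42;role=user"
    token = seal_cookie(master, plain)
    blob = bytearray(base64.urlsafe_b64decode(token))
    offset = NONCE_LEN + plain.index("user")
    for i, (old, new) in enumerate(zip(b"user", b"root")):
        blob[offset + i] ^= old ^ new          # stream-cipher malleability: no key needed
    forged = base64.urlsafe_b64encode(bytes(blob)).decode()
    return {
        "original": open_cookie(master, token),
        "forged": open_cookie(master, forged),                       # None: the tag no longer verifies
        "forged_if_unauthenticated": decrypt_without_mac(master, forged),
    }


if __name__ == "__main__":
    print(tamper_demo())
```

The tag is checked before anything is decrypted, with a constant-time comparison, and the encryption and MAC keys are derived separately from the master key; both are standard precautions that a home-grown cookie scheme often misses.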

Forceful Browsing
Forceful browsing occurs when a user bypasses the hyperlinks of a Web site
to access the URLs of a Web site directly. This method is normally used to
gain access to private pages, but can be used in conjunction with other
attacks to compromise a Web server. To protect against forceful browsing,
enable the URL check for your Web site. (See “URL Check” on page 18.)

Web Form Security Attacks

A Web form security attack uses the form of a Web page to issue commands to a Web site. The attacker submits modified form data (altered hidden fields, HTML, or injected code) to compromise the security of the Web server. A Web form security attack commonly occurs through the following methods:
• SQL Injection Attacks (SQLIA) – An SQL injection attack uses a Web form or other input to send SQL statements or SQL special characters (such as quotes and comment markers) to the Web site's SQL database. If the application builds its query from that input, the back-end database executes the attacker's SQL, allowing the attacker to retrieve sensitive information from the database. The WAF includes the SQL Injection Check template option and the default "sqlia_defs" policy file to provide immediate protection from SQL injection attacks.
• Cross-Site Scripting (XSS) Attacks – A cross-site scripting attack injects JavaScript into Web page content in order to modify it or to read data the page holds, such as session cookies. XSS can compromise the security of a Web server or allow an attacker to retrieve sensitive information. The WAF includes the XSS Check template option and the default "jscript_defs" policy file to provide immediate protection from XSS attacks.

WAF Security Model
The WAF combats common attacks against Web servers with an array of
security checks to filter inbound HTTP requests. In addition to managing
requests, you can apply WAF security checks to modify the responses sent
back to users.
The WAF operates based on both a positive security model and negative
security model to maximize protection.
• Positive security model – The WAF supports several operational modes,
one of which is Learning Mode. In Learning Mode, you send known,
“trusted” traffic (HTTP/HTTPS requests) to the WAF. The WAF auto-
matically sets the values for certain checks based on the traffic.
All operational modes support the White List Check. During the White
List Check, the WAF compares the URI of a user request against the
URI patterns in the White List policy file. If there is a match, the WAF
performs the additional checks; if there is no match, the request is blocked.
(For more information, see “WAF Operational Modes” on page 27.)
• Negative security model – One of the additional checks performed by
the WAF is comparison of the traffic to the patterns in the Black List
policy file. If there is a match, the WAF generates a data event log mes-
sage. If Active Mode is enabled, the WAF also drops the traffic.

Request Protection
The WAF scans request elements for possible threats or malicious content.
Based on the responsive action that is configured for each security check,
the WAF denies the client request completely or sanitizes the request of
malicious content and forwards the sanitized request to the Web server.

The WAF filters inbound traffic through the following security checks.

Compare Request URI to White List and Black List

The WAF examines incoming user requests against the URI White Lists and
Black Lists. These lists define rules to explicitly allow or deny traffic:

White List
The URI White List defines acceptable destination URIs allowed for incom-
ing requests. The White List Check compares the URI of an incoming
request against the rules contained in the URI White List policy file. Con-
nection requests are accepted only if the URI matches a rule in the URI
White List. For more information, see “URI White List” on page 72.

Black List
A URI Black List is a WAF policy file that lists exclusion criteria for incom-
ing requests. If the URI of an incoming request matches a rule in the URI
Black List, the request is automatically blocked.

The URI Black List works in combination with the URI White List to
restrict accessible URIs on a Web site. If a URI matches acceptance criteria
within the URI White List, a connection is blocked automatically if it meets
a rule in the separate URI Black List. For more information, see “URI Black
List” on page 71.
The following diagram displays the processing order for incoming requests:

FIGURE 1 Screen URI requests

In this illustration, the WAF filters 3 HTTP requests. Of these, request #3
does not meet any criteria in the WAF template’s URI White List and is
blocked.

The remaining requests are compared against the WAF template’s URI
Black List and blocked if they match at least one URI Black List rule. Of
these, request #2 is denied. Only request #1 is passed on to the subsequent
security checks.

URL Check
In addition to the URI White and Black Lists, you can enable the URL
Check to restrict the URLs that users can request on your Web site
directly. The URL Check allows clients to request only the URL paths on
an approved list. Use this check to prevent users from directly requesting
URLs on your Web site that you do not want to expose.

If the URL Check is enforced in the WAF template, users can reach Web
pages only through the paths on the approved list, which in practice means
the pages they can reach by clicking a hyperlink on your protected Web
site. This security option protects against forceful browsing to private
pages. In the example above, the URL Check would achieve the same degree
of security if a hyperlink is provided only to the page “/site_images.jpg”.
For more information, see “Forceful Browsing” on page 15.

Note: The list of approved URL paths is initially generated as a policy file
during Learning Mode, so the learning traffic must visit every page you
intend to expose. After that, you can customize the contents of the URL
Check policy file. For a deployment example that includes configuration
of the URL Check, see “Generate Allowed URL Paths for the URL Check”
on page 94.

Scan Request for Threats


If a client request passes the URI White and Black List Checks, the WAF
scans aspects of the HTTP request (method, version, URI, query string,
headers, cookies, and content) for threats. If the security check discovers
malicious content, the request is either denied or sanitized of the threat and
forwarded to the Web server. These security checks are described in more
detail below.

FIGURE 2 Scan requests

Bot Check
The Bot Check option uses the “bot_defs” WAF policy file for its search
definitions of known bot user agents. If the Bot Check is enabled in the WAF
template and the User-Agent of a request matches an entry in the “bot_defs”
file, the request is denied automatically.

You can copy the “bot_defs” file and modify the copy to include or
remove bot search terms. For more information about WAF policy files, see
“WAF Policy Files” on page 69.

Form Field Consistency Check


The Form Field Consistency Check verifies that all of the form fields and
their data types that are sent to the client as part of the form are returned
unmodified in subsequent requests from the client. This check helps protect
against hijacked forms to which malicious code may have been added.

Referer Check
The Referer Check validates that the Referer header of a request names
one of the domains you specify (that is, the request was made from a page
on your own Web site), rather than an outside Web site. This check helps to
protect against CSRF attacks, because a forged request launched from an
attacker’s page carries the attacker’s domain in the Referer. If a request
fails the Referer Check, the WAF redirects the request to a safe URL. The
safe URL is any URL that you specify during configuration.

When you configure the Referer Check, you specify the domain names from
which you want to allow traffic. When ACOS receives a request addressed
to the virtual port that is using the WAF, the WAF examines the Referer
field of the request.

You can select one of the following options for the Referer Check:
• Enable (full checking) – Select the Enable option to enable full
checking. To pass the full check, the request must contain a Referer
header field, and the field must contain at least one of the domain names
you specify during configuration. Browsers, proxies, and privacy
extensions sometimes strip the Referer header, so full checking can
reject legitimate requests; measure this in Passive Mode before enforcing.
• Only-if-present checking – Enable this option to check the Referer
header of a request only when a Referer header is present. Unlike the full
checking option, the only-if-present option ensures that a request does
not fail the Referer Check automatically because there is no Referer
header in the request. The trade-off is that a request whose Referer
header has been removed is not checked at all, so pair this option with
the CSRF Check rather than relying on it alone.
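The following Python function, added here as an illustration and not part of ACOS or the A10 documentation, implements the two Referer Check options described above and shows the difference between them on constructed requests. The allowed domain list, the safe URL, the function names, and the decision to compare the parsed host rather than to search the raw header for a substring are this example’s own assumptions.

```python
from urllib.parse import urlsplit

ALLOWED_REFERER_DOMAINS = ("www.example.com", "example.com")  # constructed
SAFE_URL = "https://www.example.com/"                          # constructed


def referer_check(headers: dict, only_if_present: bool = False,
                  allowed=ALLOWED_REFERER_DOMAINS) -> bool:
    """True if the request passes the check, False if it should be redirected."""
    referer = next((v for k, v in headers.items() if k.lower() == "referer"), None)
    if referer is None:
        # Full checking fails a request with no Referer; only-if-present lets it
        # through, which is exactly the case an attacker can create by suppressing
        # the header (for example with a referrer policy on the hostile page).
        return only_if_present
    host = (urlsplit(referer).hostname or "").lower()
    # Match on the parsed host, not on a substring of the whole header value:
    # https://evil.example.net/?next=www.example.com must not pass.
    return host in allowed


def referer_action(headers: dict, only_if_present: bool = False) -> str:
    """The WAF's response: forward the request, or redirect it to the safe URL."""
    if referer_check(headers, only_if_present):
        return "forward"
    return f"redirect {SAFE_URL}"
```

The exact-host comparison also rejects look-alike hosts such as www.example.com.evil.net, which a substring test on the raw header would accept.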

HTTP Protocol Compliance Check


Regardless of deployment mode, the WAF template automatically enforces
a basic, default set of HTTP protocol checks. Enable the HTTP Protocol
Compliance Check to perform the following suite of additional checks for
protocol compliance:
• POST request with Content-Length: 0

Note: The WAF sends a warning message to the logging servers if a
POST request (that is not chunked) has a content length of 0.
• Header name with no header value

• Several Content-Length headers

Note: A request containing more than one Content-Length header is a
classic HTTP request smuggling (desynchronization) probe: a front-end
and a back-end that honor different copies of the header disagree about
where the request ends.
• Chunked request with Content-Length header

Note: A request that carries both Transfer-Encoding: chunked and a
Content-Length header is ambiguous in the same way and is the basis of
the CL.TE and TE.CL smuggling variants.
• Body in GET or HEAD requests

• No Host header in HTTP/1.1 request

• Host header contains IP address

• Content length should be a positive number

• Bad HTTP version

• Maximum number of headers

• Bad host header value

• Maximum number of cookies

• Invalid character in Host header

• Header contains NULL character

• Header contains high-ASCII character

• POST with invalid Content-Length header
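A compact checker for the items in this list, added here as an illustration and not part of ACOS: it parses a raw HTTP/1.1 request and reports which of the checks above it violates, using the page’s default limits of 20 headers and 20 cookies. The sample requests are constructed; the finding names, the parser, and the choice to report a Content-Length that is not a non-negative integer as a single finding are this example’s own.

```python
import ipaddress
import re

MAX_HEADERS = 20  # page default for the Maximum Headers Check
MAX_COOKIES = 20  # page default for the Maximum Cookies Check
HOST_CHARS = re.compile(rb"[A-Za-z0-9.\-:\[\]]+")


def http_compliance_findings(raw: bytes) -> list:
    """Return the names of the protocol checks that a raw HTTP request violates."""
    findings = []
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3 or not re.fullmatch(rb"HTTP/\d\.\d", parts[2]):
        return ["bad-http-version"]
    method, version = parts[0].decode("ascii", "replace"), parts[2].decode()

    headers = []
    for line in header_lines:
        name, sep, value = line.partition(b":")
        if not sep or not value.strip():
            findings.append("header-without-value")
        if b"\x00" in line:
            findings.append("header-contains-null")
        if any(byte > 0x7F for byte in line):
            findings.append("header-contains-high-ascii")
        headers.append((name.strip().lower(), value.strip()))

    if len(headers) > MAX_HEADERS:
        findings.append("max-headers-exceeded")
    if sum(1 for n, _ in headers if n == b"cookie") > MAX_COOKIES:
        findings.append("max-cookies-exceeded")

    content_lengths = [v for n, v in headers if n == b"content-length"]
    chunked = any(b"chunked" in v.lower() for n, v in headers if n == b"transfer-encoding")
    if len(content_lengths) > 1:
        findings.append("several-content-length")      # CL.CL request smuggling
    if any(not re.fullmatch(rb"\d+", v) for v in content_lengths):
        findings.append("invalid-content-length")
    if chunked and content_lengths:
        findings.append("chunked-with-content-length")  # CL.TE / TE.CL desync
    if method == "POST" and not chunked and content_lengths == [b"0"]:
        findings.append("post-content-length-zero")     # logged as a warning on the page
    has_body = bool(body) or chunked or any(v != b"0" for v in content_lengths)
    if method in ("GET", "HEAD") and has_body:
        findings.append("body-in-get-or-head")

    hosts = [v for n, v in headers if n == b"host"]
    if version == "HTTP/1.1" and not hosts:
        findings.append("no-host-header")
    for host in hosts:
        if not HOST_CHARS.fullmatch(host):
            findings.append("invalid-char-in-host")
            continue
        # Strip the port; an IPv6 literal is bracketed, so take what is inside the brackets.
        name = host[1:host.index(b"]")] if host.startswith(b"[") and b"]" in host else host.split(b":")[0]
        try:
            ipaddress.ip_address(name.decode())
            findings.append("host-is-ip-address")
        except ValueError:
            pass
    return findings


# Constructed sample requests.
SMUGGLING = (b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
             b"Content-Length: 5\r\nContent-Length: 44\r\nTransfer-Encoding: chunked\r\n\r\n"
             b"0\r\n\r\nGET /admin HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
SLOPPY = b"GET /index.html HTTP/1.1\r\nX-Empty:\r\nAccept: */*\r\n\r\n"
IP_HOST = b"GET / HTTP/1.1\r\nHost: 203.0.113.10:8080\r\n\r\n"
CLEAN = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
```

The smuggling sample is the shape of request that these two Content-Length checks exist for: a front-end proxy that honors the first length and a back-end that honors the second (or the chunked encoding) would disagree about where the first request ends, and the trailing GET /admin would be interpreted as the start of a second request.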

HTML Cross-Site Scripting (XSS) Check


The HTML XSS Check defends against cross-site scripting (XSS) attacks.
The WAF searches the headers, cookies, and POST bodies of user requests
for possible Javascript commands. If the WAF discovers a potential cross-
site scripting attack, the request is either blocked or sanitized of malicious
content and forwarded for processing. For more information about XSS, see
“Web Form Security Attacks” on page 15.

Note: This check uses the “jscript_defs” WAF policy file for Javascript attack
patterns. If your Web site uses Javascript-based content that accesses or
modifies content on an outside server, A10 Networks recommends modifying
the “jscript_defs” file to generate the appropriate exceptions, so that
this check does not block legitimate activity.

Buffer Overflow Check


The WAF can check various elements in an HTTP request to prevent buffer
overflow. You can specify the check to examine one or more of the follow-
ing aspects of a request:
• Cookie length, name length, and/or value length

• Header length, name length, and/or value length

• Parameter length, name length, and/or value length

• Maximum parameters

• URL length

• POST content size

• Line length

• Query length

HTML SQL Injection Check


The HTML SQL Injection Check scans incoming requests for strings that
resemble SQL commands or SQL special characters. If the WAF discovers a
match, the request is either blocked or sanitized of SQL-code and forwarded
for processing.

Note: The HTML SQL Injection Check scans incoming requests for attack pat-
terns listed in the “sqlia_defs” WAF file. Copy this file and apply the cop-
ied file to the check to customize attack pattern search criteria for the
HTML SQL Injection Check. (See “SQL Injection Attack Check” on
page 70.)
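The following Python example, added here and not part of ACOS, shows how a policy-file-driven check of this kind works for both the HTML SQL Injection Check and the HTML XSS Check above, including the Reject and Sanitize responses the template offers. The “sqlia_defs” and “jscript_defs” contents here are constructed stand-ins, and the file syntax (one regular expression per line, “#” comments) is an assumption; the page does not show the real format. The function names are this example’s own.

```python
import re
from urllib.parse import parse_qsl

SQLIA_DEFS = r"""
# sqlia_defs (constructed stand-in)
(?i)\bunion\b[\s/*]+select\b
(?i)\b(?:or|and)\b\s+\d+\s*=\s*\d+
(?i);\s*(?:drop|delete|insert|update)\b
--
"""
JSCRIPT_DEFS = r"""
# jscript_defs (constructed stand-in)
(?is)<\s*script\b[^>]*>.*?<\s*/\s*script\s*>
(?i)\bon(?:load|error|click|mouseover)\s*=
(?i)javascript\s*:
"""


def load_defs(text: str) -> list:
    """One regular expression per line; blank lines and # comments are ignored."""
    return [re.compile(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def sanitize(value: str, patterns: list, repeat: bool = True) -> str:
    """Delete every match. Repeat until nothing changes: a single pass turns
    'javajavascript:script:' into 'javascript:' and would forward it."""
    while True:
        before = value
        for p in patterns:
            value = p.sub("", value)
        if value == before or not repeat:
            return value


def apply_check(value: str, patterns: list, action: str):
    """action is 'reject' or 'sanitize'. Returns (allowed, value, matched patterns)."""
    hits = [p.pattern for p in patterns if p.search(value)]
    if not hits:
        return True, value, hits
    if action == "reject":
        return False, value, hits
    return True, sanitize(value, patterns), hits


def screen_form(body: str, action: str = "reject"):
    """Run the SQL Injection and XSS checks over each field of a POST body."""
    sqlia, xss = load_defs(SQLIA_DEFS), load_defs(JSCRIPT_DEFS)
    allowed, fields = True, {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        for patterns in (sqlia, xss):
            ok, value, _ = apply_check(value, patterns, action)
            allowed = allowed and ok
        fields[name] = value
    return allowed, fields
```

Sanitizing by deletion is convenient but fragile: removing a match can splice the surrounding characters into a new match, which is why the loop runs to a fixed point, and why Reject is the safer choice for fields that should never contain such input at all.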

Allowed HTTP Methods Check


The Allowed HTTP Methods Check ensures that HTTP requests contain
only the HTTP methods that are allowed by the WAF template. By default,
only the following methods are allowed: GET, POST

You can allow one or more of the following HTTP methods:

• GET
• POST
• HEAD
• PUT
• OPTIONS
• DELETE
• TRACE
• CONNECT
• PURGE

Maximum Cookies Check


The Maximum Cookies Check ensures that a client request does not contain
more than the maximum allowed number of cookies. By default, the maxi-
mum number of cookies allowed in a request is 20.

Maximum Headers Check


The Maximum Headers Check ensures that a client request does not contain
more than the maximum allowed number of headers. By default, the maxi-
mum number of headers allowed in a request is 20.

Response Protection
The WAF inspects the content of outbound HTTP responses and hides
aspects that can equip an attacker with valuable information. The WAF tem-
plate can further protect Web servers with the following options for HTTP
responses:
• Mask Sensitive Content – Strings in a response are examined for pat-
terns of sensitive content, such as credit card numbers or US social secu-
rity numbers. If the WAF discovers a pattern of potentially sensitive
information, the string is masked with an alternative character.
• Cloak Response Headers – The WAF removes content from HTTP
response headers that can disclose vulnerabilities about the Web server.
• Return Instrumented Responses – If a Web form is included in outbound
responses, the WAF can tag form fields with a nonce value before send-
ing the reply to the outside user. The WAF then checks subsequent
requests for the nonce, to protect against CSRF.

The following sections describe these steps in more detail.


Mask Sensitive Content

To protect sensitive content, the WAF masks strings in the communication
between an end-user and Web server using the following options.

FIGURE 3 Mask sensitive content

CCN Mask
The Credit-card Number (CCN) Mask checks Web server responses for
end-user credit card numbers and keeps them from being exposed to
anyone who can read the response. The CCN mask replaces all but the
final group of digits in the card number with “x” characters. For example,
a credit card number of 1234-5678-9012-3456 would become
“xxxx-xxxx-xxxx-3456”.

To protect user credit card information, you should configure the CCN mask
for each accepted type of credit card.

Note: A10 Networks recommends enabling this check for URLs that access or
transfer credit card information. For example, shopping Web sites with a
check-out page or Web sites that access back-end databases which contain
customer credit card numbers. This check is unnecessary if the Web site
does not have access to or use credit card information.

SSN Mask
Similar to a CCN mask, a Social-security Number (SSN) Check masks Web
server replies for US social security numbers. If enabled, the SSN check
mask searches strings which appear to match the format of US social
security numbers and replaces all but the last 4 digits of the string with
“x” characters.

PCRE Mask
In addition to the preconfigured CCN and SSN checks described above, you
can configure custom masks using Perl Compatible Regular Expressions
(PCRE) syntax. For example, you can configure a mask that checks for
driver’s license numbers. (For more information, see “Writing PCRE
Expressions” on page 77.)

You can configure the portions of matching strings to keep, and which por-
tions to mask. You also can customize the mask character (“X” by default).

Note: You do not need to create a specialized PCRE mask to hide US social
security numbers or credit card information. Instead, simply enable the
SSN or CCN mask options that are provided in the WAF template.
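The following Python example, added here and not part of ACOS, implements the three masks described above (CCN, SSN, and a custom PCRE mask) with the behaviour the page gives them: every letter or digit of a match is masked except the last group, separators are kept in place, and the mask character is configurable. The driver’s-license format, the function names, and the optional Luhn validation (which the page does not mention) are this example’s own additions; the sample strings are constructed.

```python
import re

# Built-in masks from the page: keep the last four digits and use "x".
CCN_PATTERN = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Constructed format for the custom PCRE mask; the lookbehind keeps "DL-" out of the match.
DRIVERS_LICENSE = re.compile(r"(?<=\bDL-)[A-Z]\d{7}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test. My addition: the page does not say the CCN mask uses it,
    but it is the usual way to stop the mask from hitting order or phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_string(s: str, keep_last: int, char: str) -> str:
    """Mask every letter/digit in s except the last keep_last; separators stay as-is."""
    alnum = [i for i, c in enumerate(s) if c.isalnum()]
    masked = set(alnum[:max(0, len(alnum) - keep_last)])
    return "".join(char if i in masked else c for i, c in enumerate(s))


def mask(text: str, pattern, keep_last: int = 4, char: str = "x", validate=None) -> str:
    """Apply a mask to every match of pattern; validate(digits) may veto a match."""
    def repl(m):
        if validate is not None and not validate(re.sub(r"\D", "", m.group(0))):
            return m.group(0)
        return mask_string(m.group(0), keep_last, char)
    return pattern.sub(repl, text)


def ccn_mask(text: str, luhn: bool = False) -> str:
    return mask(text, CCN_PATTERN, 4, "x", luhn_ok if luhn else None)


def ssn_mask(text: str) -> str:
    return mask(text, SSN_PATTERN, 4, "x")


def pcre_mask(text: str, pattern, keep_last: int, char: str = "X") -> str:
    return mask(text, pattern, keep_last, char)
```

With luhn=True the page’s own example number 1234-5678-9012-3456 is left alone because it does not pass the check digit, which is the trade-off a response mask always faces: a looser pattern masks more legitimate data by accident, a stricter one lets some real numbers through.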

Cloak Responses

The WAF can strip HTTP response headers to “cloak” server information
that can equip a hacker to target an attack on your Web servers. For exam-
ple, the WAF can cloak an HTTP response header to hide what operating
system is running on your servers. Information such as this can enable a
hacker to more narrowly target your servers with attacks that are specific to
the servers’ operating systems. You can cloak server information with the
following WAF template options:
• Filter Response Headers – Checks responses coming from the Web
server and removes headers with server identifying information. For
example:
• Server
• X-Runtime
• X-Powered-By
• X-AspNet-Version
• X-AspNetMvc-Version

• Hide Response Codes – Conceals 4xx and 5xx response codes for out-
bound responses from a Web server and returns a generic error code
instead. This option hides error codes which can provide an attacker
with information to specifically target Web server vulnerabilities.
The WAF sends an error page in response. You can configure the
response error page in the Deny-Action security check section of the
WAF template.

Send Instrumented Responses

You can configure the WAF to return instrumented responses with form tags
for user-modifiable fields.

Cross Site Request Forgery Check


The Cross Site Request Forgery (CSRF) Check tags the fields of a Web
form sent by a Web site to end-users with a nonce (a unique, unpredictable
number for one-time use). The WAF examines the Web forms sent in user
requests to ensure that the supplied nonce is correct.

Note: You can use the Referer Check to further help prevent CSRF attacks.
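The following Python example, added here and not part of ACOS, shows the instrumented-response mechanism described above: each form in an outbound page is tagged with a hidden one-time nonce bound to the client’s session, and a submission is accepted only if it carries a nonce that was issued to that session, has not been used, and has not expired. The hidden field name, the nonce lifetime, the session identifier, and the class and function names are this example’s assumptions; the page only says the nonce is unique, unpredictable and for one-time use.

```python
import re
import secrets
import time

FORM_OPEN = re.compile(r"<form\b[^>]*>", re.I)
NONCE_FIELD = "_waf_form_id"   # assumed field name; the page calls the value a FormID


class CsrfInstrumenter:
    def __init__(self, lifetime: int = 600):
        self.lifetime = lifetime   # assumed; the page gives no lifetime for the nonce
        self.issued = {}           # nonce -> (session id it was issued to, expiry time)

    def instrument(self, html: str, session_id: str, now: float = None) -> str:
        """Tag every form in an outbound response with a fresh one-time nonce."""
        now = time.time() if now is None else now

        def tag(m):
            nonce = secrets.token_urlsafe(24)   # 192 bits from the OS CSPRNG
            self.issued[nonce] = (session_id, now + self.lifetime)
            return m.group(0) + f'<input type="hidden" name="{NONCE_FIELD}" value="{nonce}">'

        return FORM_OPEN.sub(tag, html)

    def validate(self, fields: dict, session_id: str, now: float = None) -> bool:
        """True only for a nonce issued to this session, unused so far, and not expired."""
        now = time.time() if now is None else now
        # pop() enforces one-time use: a replayed nonce is gone from the table.
        record = self.issued.pop(fields.get(NONCE_FIELD, ""), None)
        if record is None:
            return False
        issued_to, expiry = record
        return secrets.compare_digest(issued_to, session_id) and now <= expiry


def nonces_in(html: str) -> list:
    """Extract the nonces a client would submit back (used to drive the example)."""
    return re.findall(rf'name="{NONCE_FIELD}" value="([^"]+)"', html)
```

A page served from an attacker’s site cannot contain a valid nonce because the WAF only issues them inside responses it instruments for the victim’s own session, so a forged cross-site POST fails at the validate step regardless of whether the Referer header survived.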

FIGURE 4 Instrumented responses

Form Field Consistency Check


The Form Field Consistency Check applies to both requests from clients
and responses from servers. When this check is enabled, the WAF stores
information about the intended format of Web form input fields before
sending the form to clients. The WAF then checks that the client’s
submission supplies content for each form field that adheres to that
format: for example, that a drop-down menu is submitted with one of its
valid entries, or that a radio button is selected rather than a free-form
string being supplied for that field.

Cookie Encryption
This check protects against cookie tampering by encrypting cookies before
sending server replies to end-users. Clients are then unable to view the con-
tent of encrypted cookies, which clients could otherwise modify to gain ille-
gal access. If the encrypted cookie is modified, then decryption of the

Customer Driven Innovation 25 of 136


Document No.: D-030-01-00-0055 - ACOS 2.7.2 4/30/2014
A10 Thunder Series and AX Series—Web Application Firewall
WAF Security Model
tampered cookie will fail when it is sent back from the client and the request
will be rejected.

You can enable encryption based on specific cookie names or for all cookies
that match a PCRE expression. The encryption uses a secret string to
decrypt and encrypt cookies that are transferred between the Web server and
client. (For a configuration example, see “WAF Deployment and Logging
Examples” on page 89.)
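The following Python example, added here and not part of ACOS, shows the mechanism in working code: a Set-Cookie header whose name matches a PCRE expression has its value encrypted under a secret string, the matching cookie in a later request is decrypted, and any modification of the encrypted value is detected and reported as a rejection. The cipher is a standard-library stand-in (an HMAC-SHA256 keystream with an HMAC-SHA256 tag, encrypt-then-MAC) so that the example runs offline; it is not the cipher ACOS uses, and a production implementation should use an authenticated cipher such as AES-GCM. The header formats handled and the function names are this example’s own.

```python
import base64
import hashlib
import hmac
import os
import re


class CookieCipher:
    """Encrypt-then-MAC from the standard library only: a keystream derived with
    HMAC-SHA256 in counter mode, plus an HMAC-SHA256 tag over nonce and ciphertext.
    The tag is what makes a modified cookie fail to decrypt; without it a client
    could flip ciphertext bits and the result would still decrypt to something."""

    def __init__(self, secret: str):
        self.enc_key = hashlib.sha256(b"enc:" + secret.encode()).digest()
        self.mac_key = hashlib.sha256(b"mac:" + secret.encode()).digest()

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(self.enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def encrypt(self, value: str) -> str:
        nonce = os.urandom(16)                      # fresh per cookie: same value, different token
        plaintext = value.encode()
        ciphertext = bytes(a ^ b for a, b in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self.mac_key, nonce + ciphertext, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode()

    def decrypt(self, token: str):
        """Return the plaintext, or None if the token was modified in any way."""
        try:
            raw = base64.urlsafe_b64decode(token.encode())
        except ValueError:
            return None
        if len(raw) < 48:                           # 16-byte nonce + 32-byte tag minimum
            return None
        nonce, ciphertext, tag = raw[:16], raw[16:-32], raw[-32:]
        expected = hmac.new(self.mac_key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                             # tampered or forged: reject the request
        return bytes(a ^ b for a, b in zip(ciphertext, self._keystream(nonce, len(ciphertext)))).decode(errors="replace")


def rewrite_set_cookie(header: str, cipher: CookieCipher, name_pattern: str) -> str:
    """Encrypt the value of a Set-Cookie header whose cookie name matches name_pattern."""
    name, sep, rest = header.partition("=")
    if not sep or not re.fullmatch(name_pattern, name.strip()):
        return header
    value, semi, attrs = rest.partition(";")
    return f"{name}={cipher.encrypt(value)}{semi}{attrs}"


def read_cookie(header: str, cipher: CookieCipher, name_pattern: str) -> dict:
    """Decrypt matching cookies from a request Cookie header; None marks a tampered one."""
    out = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            out[name] = cipher.decrypt(value) if re.fullmatch(name_pattern, name) else value
    return out


def tamper(token: str) -> str:
    """Flip one bit of the ciphertext to simulate a client editing the cookie."""
    raw = bytearray(base64.urlsafe_b64decode(token.encode()))
    raw[16] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode()
```

Cookies that carry authorization state, such as a role or account identifier, are the ones worth matching with the PCRE expression; a cookie the client is expected to read (a display preference, for example) cannot be encrypted this way without breaking the page.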


WAF Operational Modes

This chapter describes the WAF operational modes and how to use them to
deploy the WAF.

Overview
The WAF supports the following operational modes:
• Learning – Learning Mode provides a way to initially set the thresholds
for certain WAF checks based on known, valid traffic.
• Passive – Passive Mode provides passive WAF operation. All enabled
WAF checks are applied, but no WAF action is performed upon match-
ing traffic. This mode is useful in staging environments to identify false
positives for filtering.
• Active – This is the standard operational mode. You must use Active
Mode if you want the WAF to sanitize or drop traffic based on the con-
figured WAF policies.

Figure 5 shows a typical work flow for WAF deployment, using these
modes.

Caution: While Learning or Passive Mode is in operation, the WAF does not
block any traffic. Only Active Mode blocks traffic.

Notes:
• Use of the Learning and Passive Modes is recommended during the
deployment process.
• To block traffic, you must deploy the WAF in Active Mode.

• To access WAF data event messages, logging to external servers is
required. See “WAF Event Logging” on page 61.
• When the WAF is deployed in either learning or passive mode, traffic is
not blocked. However, event log messages will list the response action
(deny, allow, or sanitize) that is configured in the WAF template. In
addition, WAF counters will continue to increment as if the WAF is
deployed in active mode.

FIGURE 5 Typical Deployment Scenario

The following sections provide more details about each mode.


Learning Mode
Learning Mode provides a way to dynamically set certain WAF options
based on traffic.

When you enable Learning Mode in a WAF template, ACOS clears the fol-
lowing options:
• Maximum Headers – set to 0

• Maximum Cookies – set to 0

• Buffer Overflow (max-url-len, max-hdrs-len, max-cookie-len, and max-post-size) – all set to 0
• Allowed HTTP Methods – set to null

• URL Check (closure list) – set to null

Figure 6 shows an example of the Learning Mode.

FIGURE 6 WAF Learning Mode

1. In Figure 6, a WAF template is configured and is bound to the
HTTP/HTTPS virtual port on the ACOS device. The domain name
mapped to the VIP address by DNS is “www.example.com”.

2. Known, valid traffic is then sent to the WAF. As traffic is received by the
virtual port to which the WAF template is bound, ACOS updates the set-
tings for the WAF parameters listed above.
In this example, the following HTTP request is sent:
GET / HTTP/1.1
Host: www.example.com
Connection: close
User-Agent: Mozilla/5.0
Accept-Encoding: gzip
Accept: text/html
Cache-Control: no-cache

3. When the WAF receives the request, Learning Mode updates the follow-
ing checks in the WAF template:
Buffer Overflow Check:
• Maximum headers = 7
• Max-url-len = 15
• Max-hdrs-len = 23
Allowed HTTP Methods Check = GET
URL Check (not shown in example)
At any time, you can view the current template settings.

4. To “lock in” the WAF template settings, change to a different mode (for
example, Active Mode). You can modify the template settings later, if
needed.

Notes
• Before enabling Learning Mode, make sure the WAF is not receiving
production traffic. Security checks in the WAF template are not enforced
during Learning Mode and the WAF will not deny any requests, even if
a request fails a security check.
• If the setting for a check reaches its maximum configurable value, the
check is set at that value. The setting value does not increase.
• The URL Check file is not created until the mode is changed from
Learning to Passive or Active. You cannot modify the URL check file
while Learning Mode is enabled.
• For an example of Learning Mode, see “WAF Deployment and Logging
Examples” on page 89.


Passive Mode
Passive Mode logs traffic that matches a WAF policy file or check, but does
not perform any action on matching traffic. While the WAF is operating in
Passive Mode, you can monitor the data event log messages sent to remote
logging servers, and fine-tune your template settings so that valid traffic is
not mistakenly blocked by the WAF.

Typically, Passive Mode is used in a production network to check for false
positives while real production traffic is running. A false positive occurs
when valid traffic matches a WAF check, and would be dropped during
Active Mode operation.

Figure 7 shows an example of Passive Mode.

FIGURE 7 WAF Passive Mode

This example shows a “false positive” match on the max-cookies check. In
this example, the WAF template allows a maximum of 3 cookie headers
within a given request.
1. Client sends request to server.

2. Server replies. The reply contains some cookies inserted by the server.

3. The client sends a new request and inserts the cookies sent by the server
in the request.

4. The WAF template allows a maximum of 3 cookies (3 separate cookie
headers) in a given client request. Because the client’s request contains
more than 3 cookies, the request fails the max-cookies check, and a data
event log message is sent to the external log server. However, because
the WAF is operating in Passive Mode, the traffic is allowed.

Notes:
• Because the WAF is operating in Passive Mode, the client request is sent
to the server instead of being dropped. In Active Mode, the request
would be dropped.
• To access WAF data event messages, logging to external servers is
required. See “WAF Event Logging” on page 61.
• During Passive Mode operation, data event logs for matching traffic will
state that the traffic was denied even though the traffic in fact is allowed.
However, all WAF data event messages include the operational mode.


Active Mode
Active Mode enforces the policies (definition files) and security checks that
are enabled in the WAF template bound to the virtual port. If the action con-
figured for a specific check is to drop traffic that matches the check, the traf-
fic is dropped.

Figure 8 shows an example of Active Mode.

FIGURE 8 WAF Active Mode

In this example, a client POST request contains SQL code.


1. The client sends a request. The request contains SQL code. The request
is an attempt to inject SQL code onto the server.

2. The WAF SQL Injection Check detects the SQL. Based on the configu-
ration, the WAF rejects (drops) the request.

3. The WAF sends a log message to the log server.

Figure 9 shows a walk-through of the WAF process as it examines the
client’s request.

FIGURE 9 WAF Active Mode - walk-through

1. First, the WAF checks the request URI against the entries in the White
List. In this case, the URI matches. The request passes to the next phase,
the Black List check.

2. The request URI does not match any of the Black List entries, so is
passed to the next phase, the request checks.

3. The request passes the Allowed-HTTP-methods Check. However, the
request fails the SQL Injection Check and is denied.
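The following Python example, added here and not part of ACOS or the A10 documentation, models two things this chapter describes together: the processing order of Figure 1 and the Figure 9 walk-through (URI White List, then URI Black List, then the request checks such as Allowed HTTP Methods and SQL Injection), and the operational mode semantics, in which every mode produces the data event log message and increments the counter with the configured action, but only Active Mode actually drops the request. The policy file syntax, the rule patterns, the log line format, the three sample requests of Figure 1, and the class and function names are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

LEARNING, PASSIVE, ACTIVE = "learning", "passive", "active"

# Constructed policy files. The real file syntax is not shown on the page; one
# regular expression per rule is assumed here.
URI_WHITE_LIST = [r"^/$", r"^/index\.html$", r"^/login$", r"^/site_images\.jpg$", r"^/admin/"]
URI_BLACK_LIST = [r"^/admin/"]
SQLIA_DEFS = [r"(?i)\bunion\b\s+select\b", r"(?i)\bor\b\s+\d+\s*=\s*\d+", r"--"]


@dataclass
class Request:
    method: str
    uri: str
    body: str = ""


@dataclass
class Verdict:
    allowed: bool
    log: list = field(default_factory=list)


@dataclass
class WafTemplate:
    mode: str = ACTIVE
    allowed_methods: tuple = ("GET", "POST")   # page default
    counters: dict = field(default_factory=dict)

    def _event(self, check: str, req: Request) -> str:
        # Counters increment and a log line is produced in every mode; the log line
        # states the configured action (deny) even when the mode only observes.
        self.counters[check] = self.counters.get(check, 0) + 1
        return f"waf mode={self.mode} check={check} action=deny {req.method} {req.uri}"

    def screen(self, req: Request) -> Verdict:
        log = []
        for check, failed in self._checks(req):
            if failed:
                log.append(self._event(check, req))
                # Only Active Mode enforces; Learning and Passive forward the request.
                return Verdict(allowed=self.mode != ACTIVE, log=log)
        return Verdict(allowed=True, log=log)

    def _checks(self, req: Request):
        # A generator, so each check is evaluated only if the previous ones passed,
        # in the order of Figure 1 and the Figure 9 walk-through.
        yield "uri-white-list", not any(re.search(p, req.uri) for p in URI_WHITE_LIST)
        yield "uri-black-list", any(re.search(p, req.uri) for p in URI_BLACK_LIST)
        yield "allowed-http-methods", req.method not in self.allowed_methods
        yield "sqlia", any(re.search(p, req.body) for p in SQLIA_DEFS)


def figure_1_demo(mode: str) -> list:
    """The three requests of Figure 1 (constructed): which of them is forwarded?"""
    waf = WafTemplate(mode=mode)
    requests = [Request("GET", "/site_images.jpg"),   # #1: passes both lists
                Request("GET", "/admin/config"),      # #2: white-listed, but black-listed
                Request("GET", "/etc/passwd")]        # #3: on neither list
    return [waf.screen(r).allowed for r in requests]
```

Note that a URI on the white list is still subject to the black list, and that a request on neither list is blocked by the white list alone; the black list only ever removes access, never grants it.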

Setting the WAF Operational Mode


The WAF operational mode is one of the options you can configure within
the WAF template. For configuration information, see either of the follow-
ing chapters:
• “Configuring the WAF Using the GUI” on page 37

• “Configuring the WAF Using the CLI” on page 51


Configuring the WAF Using the GUI

The WAF operates on traffic that is addressed to the virtual IP address (VIP)
and HTTP/HTTPS virtual port of your Web site. To apply WAF protection
to the virtual port, basic configuration is required. Additional, advanced
configuration is optional.

This chapter describes how to configure the WAF using the GUI.

Configuration Overview
This section summarizes the configuration tasks for the WAF. The follow-
ing sections provide detailed steps for each task.
To apply WAF security controls to a virtual port:
1. Configure a WAF template.

2. Bind the WAF template to the virtual port.

3. (Recommended) Configure external logging. ACOS supports logging of
WAF events only to external log servers. WAF events are not logged in
the ACOS device’s local log buffer. (See “Configure External Logging
(recommended)” on page 47.)

Notes:
• External logging is the only mechanism supported for accessing WAF
data plane log messages.
• The WAF comes with predefined WAF policy files. You can modify pol-
icy rules in the URI White and Black Lists, or add search definitions
used for the Bot Check, SQLIA check and so on. For more information,
see “WAF Policy Files” on page 69. A10 Networks highly recommends
modifying WAF policy files to meet your specific security demands.
• Optionally, you can pair the WAF template with an HTTP policy tem-
plate to enforce WAF security checks based on URL, host, or cookie.
(See “Overriding a WAF Template” on page 81.)
• For examples of advanced WAF configuration, see “WAF Deployment
and Logging Examples” on page 89.


Configure a WAF Template


Use the following steps to configure a WAF template.
1. Navigate to Config Mode > Security > WAF > Template > WAF.

2. Click Add. The WAF template configuration page appears.

Configure General Settings


3. Enter a name for the template.

4. In the Deployment Mode section, select the operational mode for the
WAF template.
• Active – The WAF enforces the checks configured on the template
and sends events to the external log server.
• Passive – The WAF sends events to the external log server only and
does not enforce any security checks.
• Learning – The WAF template “learns” acceptable check parame-
ters based on a stream of legitimate, secure traffic. In Learning
Mode, the WAF continues to send events to the external log server.
For more information, see “WAF Operational Modes” on page 27.

FIGURE 10 WAF Template – General

5. From the Logging Template drop-down list, select the name of a config-
ured logging template to direct WAF logging activity. See “WAF Event
Logging” on page 61.

Configure Request Protection

Enable one or more of the following security checks for client requests:

6. Allowed HTTP Methods – Specifies the HTTP methods (GET, POST,
and so on) that are allowed in requests.

7. SQLIA Check – Checks for SQL strings to protect against SQL injec-
tion attacks. This check uses the list of defined SQL commands in the
“sqlia_defs” WAF policy file. For more information, see “SQL Injection
Attack Check” on page 70.
Select Reject to deny the request, or Sanitize to remove the SQL script
and forward the request to the Web server.

8. Bot Check – Select this option to check the user-agent of incoming
requests for known bots. This check uses the list of defined bots in the
“bot_defs” WAF policy file. For more information, see “Bot Check” on
page 70.

9. CSRF Check – Select this option to tag the fields of a web form with a
nonce (a unique FormID). This check protects against cross-site request
forgery (CSRF).

10. URL Check – Select this option to prevent users from accessing the
URLs of your website directly. The URL Check allows users to only
access Web pages by clicking a hyperlink on your protected Web site.

Note: In the current release, the approved URL path list for the URL Check can
be configured only using Learning Mode. For a deployment example that
includes configuration of the URL Check, see “Generate Allowed URL
Paths for the URL Check” on page 94.

11. HTTP Check – Select this option to check that user requests are com-
pliant with HTTP protocols.

12. Form Consistency Check – Select this option to check that the user
input to a Web form field conforms to the intended format for that entry.
For example, it checks that a radio button is selected versus supplying a
string for that form field. WAF also parses HTTP bodies encoded as
multipart/form-data. Extracted form fields are verified against previ-
ously parsed HTML forms.

13. XSS Check – Checks for potential HTML XSS scripts to protect against
cross-site scripting attacks. This check uses the list of defined Javascript
commands in the “jscript_defs” WAF policy file. (See “XSS Check” on
page 70.)
Select Reject to deny the request, or Sanitize to remove the XSS script
and forward the request to the Web server.

14. Session Check - Select this option to create an ID for a client request
and insert it in a cookie in the response. Future requests from the same
client are validated against the session cookie. If the ID or IP do not
match, then the request will be rejected. The default session ID lifetime
is 600 seconds.

15. Max Cookies – Enter the maximum number of cookies allowed in requests. This can be 0 to 63. The default is 20.

16. Max Headers – Enter the maximum number of header fields allowed in
requests. This can be 0 to 63. The default is 20.

Configure Buffer Overflow Checks

17. Buffer Overflow – Set the maximum content length allowed in an HTTP request. This check protects against attempts to cause a buffer overflow on the Web server. You can set the maximum length to a value between 0 to 65535.
• Max Cookie Length – Sets the maximum length for cookies,
cookie names, and/or cookie values allowed in a request.
• Max Headers Length – Sets the maximum header length for head-
ers, header names, and/or header values allowed in requests.
• Max Line Length - Sets the maximum length for lines.
• Max Parameters Length - Sets the maximum parameter length
allowed for the total parameters, the parameter names, and/or the
parameter values.
• Max Post Size – Sets the maximum content length allowed in
HTTP POST requests.
• Max Query Length - Sets the maximum length for queries.
• Max URL Length – Sets the maximum URL length allowed in
requests.
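The limits in items 6, 15, 16 and 17 above (and the matching allowed-http-methods, buf-ovf, max-cookies and max-hdrs options in the CLI chapter of this guide) all bound the size and shape of a request before it reaches the Web server. The following added example, which is not part of this guide and not ACOS code, models those limits in Python over a constructed request so that the effect of each setting is visible. The names RequestLimits and check_request, the limit values other than the 0-63 and 0-65535 ranges stated above, and the two sample requests are assumptions.

```python
# Added example (not A10 code): a model of the WAF request-limit checks
# described above. The limit values below are constructed for illustration;
# only max_cookies/max_headers (0-63, default 20) and max_post_size
# (0-65535) mirror ranges stated in the guide.
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit, parse_qsl


@dataclass(frozen=True)
class RequestLimits:
    allowed_methods: frozenset = frozenset({"GET", "POST"})
    max_cookies: int = 20
    max_headers: int = 20
    max_url_len: int = 2048
    max_query_len: int = 1024
    max_line_len: int = 4096
    max_post_size: int = 65535
    max_cookie_len: int = 4096
    max_hdr_value_len: int = 4096
    max_parameter_value_len: int = 1024


def check_request(raw: bytes, limits: RequestLimits) -> List[str]:
    """Return the names of the checks a raw HTTP/1.1 request violates.

    An empty list means the request passes every limit. The parser is
    deliberately minimal (CRLF line endings, one request, optional body).
    """
    violations: List[str] = []
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")

    # Request line: method, target and version separated by single spaces.
    method, _, rest = lines[0].decode("latin-1").partition(" ")
    target = rest.split(" ")[0]
    if method.upper() not in limits.allowed_methods:
        violations.append("allowed-http-methods")
    if len(target) > limits.max_url_len:
        violations.append("max-url-len")
    query = urlsplit(target).query
    if len(query) > limits.max_query_len:
        violations.append("max-query-len")
    if any(len(v) > limits.max_parameter_value_len
           for _n, v in parse_qsl(query, keep_blank_values=True)):
        violations.append("max-parameter-value-len")

    # Header block: count the lines, then bound each line and each value.
    header_lines = lines[1:]
    if len(header_lines) > limits.max_headers:
        violations.append("max-hdrs")
    headers = {}
    for line in header_lines:
        if len(line) > limits.max_line_len:
            violations.append("max-line-len")
        name, _, value = line.decode("latin-1").partition(":")
        value = value.strip()
        if len(value) > limits.max_hdr_value_len:
            violations.append("max-hdr-value-len")
        headers[name.strip().lower()] = value

    # Cookies: one Cookie header carrying "name=value; name=value".
    cookies = [c.strip() for c in headers.get("cookie", "").split(";") if c.strip()]
    if len(cookies) > limits.max_cookies:
        violations.append("max-cookies")
    if any(len(c) > limits.max_cookie_len for c in cookies):
        violations.append("max-cookie-len")

    # Body size as declared by the client.
    if int(headers.get("content-length", "0") or 0) > limits.max_post_size:
        violations.append("max-post-size")

    # Report each violated check once, in the order it was found.
    return list(dict.fromkeys(violations))


# Constructed sample requests: one within limits, one tripping several checks.
GOOD_REQUEST = (
    b"GET /search?q=thunder HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Cookie: session=abc123; theme=dark\r\n"
    b"\r\n"
)
BAD_REQUEST = (
    b"TRACE /search?q=" + b"A" * 2000 + b" HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Cookie: " + b"; ".join(b"c%d=1" % i for i in range(30)) + b"\r\n"
    b"Content-Length: 70000\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(check_request(GOOD_REQUEST, RequestLimits()))
    print(check_request(BAD_REQUEST, RequestLimits()))
```

The second request fails five checks at once: an unlisted method, an over-long query string and parameter value, too many cookies, and a declared body larger than the POST limit. Running the model with one field changed at a time is a quick way to see which limit a legitimate request of your own would trip.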

Configure the Referer Check

The referer check validates that the referer header in a request contains Web
form data from the specified Web server, rather than from an outside Web
site. This check protects against CSRF attacks.

FIGURE 11 WAF Template – Referer Check

18. In the Referer Check section:
a. Select one of the following:
• Enabled – Always validates the referer header. If selected, the request fails the check if there is no referer header or if the referer header is invalid.
• Disabled – Configures the WAF to not validate requests based
on the referer header.
• Only-If-Present – Validates the referer header only if a referer
header exists. If the check finds an invalid referer header, the
request fails the check. However, the request does not fail the
check if there is no referer header in the request.
b. Allowed Referer Domains – Enter the fully-qualified domain
names (FQDNs) from which requests are allowed to originate.
c. Safe URL – Enter the URL for redirected requests that do not come
from any of the allowed referer domains you specify.

Customize an Action for Denied Requests


The Deny Action option allows you to specify an action for when the WAF
denies a client’s request. In the text box field, you can customize a response
string or redirection URL for denied requests.

19. Deny Action – Select the type of action to take when the WAF denies a
client’s request:
a. Select a radio button for one of the following options:
• http-resp-403 – Sends a 403 Forbidden response to the client. The
default string returns a generic “Request Denied!” page to the client.
• http-resp-200 – Sends a 200 OK response to the client with the
specified resp-string. The default string returns a generic “Request
Denied!” page to the client.
• http-redirect – Redirects the client to the specified URL.
• reset-conn – Sends a TCP RST to the client to end the connection.
b. In the text box, enter a response string or redirection URL for denied
requests.
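The three referer-check modes and the four deny-action types above describe two decisions: whether a request passes, and what the client sees when it does not. The following added example, which is not part of this guide and not ACOS code, models both in Python. The domain names, the safe URL, the placeholder returned for a forwarded request, and the function names referer_check, deny_response and handle_form_submission are assumptions.

```python
# Added example (not A10 code): a model of the referer-check modes and of
# the deny-action response types described above. The domain names, the
# safe URL and the forwarded-request placeholder are constructed.
from typing import Optional, Set, Tuple
from urllib.parse import urlsplit

ALLOWED_REFERER_DOMAINS: Set[str] = {"www.example.com", "shop.example.com"}
SAFE_URL = "https://www.example.com/"
DEFAULT_DENY_BODY = "Request Denied!"


def referer_check(mode: str, referer: Optional[str], allowed: Set[str]) -> bool:
    """Return True when the request passes the referer check.

    mode is 'enabled', 'disabled' or 'only-if-present', with the semantics
    from the guide: 'enabled' fails a request with no Referer header,
    'only-if-present' lets such a request through, and 'disabled' never fails.
    """
    if mode == "disabled":
        return True
    if referer is None:
        return mode == "only-if-present"
    host = urlsplit(referer).hostname
    # Exact host comparison; a malformed Referer with no host fails the check.
    return host is not None and host.lower() in allowed


def deny_response(action: str, resp_string: Optional[str] = None) -> Tuple[Optional[int], str]:
    """Build the client-facing result for a denied request.

    Returns (status, body_or_location). reset-conn has no HTTP status at
    all: the connection is closed with a TCP RST, modelled as (None, "RST").
    """
    if action in ("http-resp-403", "http-resp-200"):
        status = 403 if action == "http-resp-403" else 200
        return status, (resp_string or DEFAULT_DENY_BODY)
    if action == "http-redirect":
        if not resp_string:
            raise ValueError("http-redirect needs a redirect URL")
        return 302, resp_string
    if action == "reset-conn":
        return None, "RST"
    raise ValueError(f"unknown deny action: {action}")


def handle_form_submission(mode: str, referer: Optional[str]) -> Tuple[int, str]:
    """Apply the referer check to a form POST.

    A request that fails is redirected to the configured Safe URL, as the
    guide describes; one that passes is forwarded to the Web server
    (modelled here by a placeholder body).
    """
    if referer_check(mode, referer, ALLOWED_REFERER_DOMAINS):
        return 200, "forwarded to web server"
    return 302, SAFE_URL


if __name__ == "__main__":
    for mode in ("enabled", "only-if-present", "disabled"):
        for ref in (None, "https://www.example.com/checkout", "https://other.example.net/page"):
            print(mode, ref, handle_form_submission(mode, ref))
    print(deny_response("http-resp-403"))
```

The practical difference between Enabled and Only-If-Present shows up on the request with no Referer header at all: browsers and privacy extensions strip that header routinely, so Enabled will redirect some legitimate users while Only-If-Present only acts on a header that is present and wrong.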

Set the Black List

20. URI Black List – Select the name of a configured WAF policy file. This option enforces the rules contained within a WAF policy file for the URI blacklist. The default WAF policy file is “uri_blist_defs”. For more information about URI blacklists, see “URI Black List” on page 71.

Set the White List

21. URI White List – Select the name of a configured WAF policy file.
Enforces the rules contained within a WAF policy file for the URI
whitelist. The default WAF policy file is “uri_wlist_defs”. For more
information about URI whitelists, see “URI White List” on page 72.

Configure Response Protection


Enable one or more of the following security checks to protect outbound
responses from the Web server.

FIGURE 12 WAF Template – Response Protection

22. CCN Mask – The CCN mask examines strings of outbound replies from the Web server for patterns of numerical characters that resemble credit card numbers (CCN). If the WAF identifies a credit card number, the WAF replaces all but the last four digits of credit card numbers with “x” characters.

Note: From the CLI, you can view counters for the CCN check. These counters display the number of masked credit card numbers for various bank providers.

23. SSN Mask – This check scans HTTP responses for strings that resemble
US Social Security numbers and masks all but the last four digits of the
string with “x” characters in a response.

24. Filter Response Headers – Select this option to remove the Web
server’s identifying headers in outgoing responses.

25. Hide Response Codes – Enable this option to cloak 4xx and 5xx
response codes for outbound responses from the Web server. This check
uses the “allowed_resp_codes” WAF policy file for a list of
acceptable HTTP response codes. For more information, see “Allowed
HTTP Response Codes” on page 72.

Configure PCRE Mask


The PCRE Mask hides strings that match the specified PCRE pattern.
(See “Writing PCRE Expressions” on page 77.)

26. In the PCRE Mask section, enter the following values:
• PCRE Pattern – Masks patterns in a response that match the specified PCRE pattern.
• PCRE Mask – Selects a character to mask the matched pattern of a string. By default, strings are masked with an “X” character.
• Keep Start – Sets the number of unmasked characters at the beginning of the string. This can be 0-65535, the default is 0.
• Keep End – Sets the number of unmasked characters at the end of
the string. This can be 0-65535, the default is 0.

Note: You can configure PCRE patterns to match only on strings of fixed length. For this reason, wild-card characters that can mask excessively long strings (* and +) are not supported.
If either the asterisk (*) or plus symbol (+) is detected during the syntax
check, the syntax check will automatically fail. To use an expression that
matches an actual “*” or “+” character, use an escape character (\) before
the matched symbol. For example, to search for the actual asterisk (*) or
plus character (+), enter “\*” or “\+”.
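Items 22 through 26 above (and the ccn-mask, ssn-mask and pcre-mask commands in the CLI chapter of this guide) are all rewrites applied to the response body before it leaves for the client. The following added example, which is not part of this guide and not ACOS code, models the three masks in Python on a constructed response body so that the effect of Keep Start and Keep End, and of the rule that rejects unescaped * and +, can be seen on real text. The guide says only that CCN Mask looks for strings that resemble card numbers; the Luhn checksum used here to decide that, the regular expressions, the sample body and the function names are assumptions, not a description of how ACOS detects card numbers.

```python
# Added example (not A10 code): a model of the CCN Mask, SSN Mask and PCRE
# Mask response checks described above. The Luhn test used to decide what
# "resembles" a card number, the regular expressions and the sample response
# body are all constructed for illustration.
import re


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used here to reduce false positives on long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# 13-19 digits, optionally separated by single spaces or hyphens.
CCN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def ccn_mask(text: str) -> str:
    """Replace all but the last four digits of each card number with 'x'."""
    def repl(m):
        raw = m.group(0)
        if not luhn_ok(re.sub(r"[ -]", "", raw)):
            return raw  # a long number that does not checksum as a card
        out, seen = [], 0
        for ch in reversed(raw):
            if ch.isdigit():
                out.append(ch if seen < 4 else "x")
                seen += 1
            else:
                out.append(ch)  # keep separators so the layout survives
        return "".join(reversed(out))
    return CCN_RE.sub(repl, text)


def ssn_mask(text: str) -> str:
    """Mask all but the last four digits of a US SSN-shaped string."""
    return SSN_RE.sub(lambda m: "xxx-xx-" + m.group(0)[-4:], text)


def validate_pcre_pattern(pattern: str) -> None:
    """Reject unescaped '*' or '+' the way the template's syntax check does."""
    if re.search(r"(?<!\\)[*+]", pattern):
        raise ValueError("unbounded '*' or '+' not allowed; write \\* or \\+ for a literal")
    re.compile(pattern)


def pattern_accepted(pattern: str) -> bool:
    """True if the pattern passes the syntax check and compiles."""
    try:
        validate_pcre_pattern(pattern)
        return True
    except (ValueError, re.error):
        return False


def pcre_mask(text: str, pattern: str, mask: str = "X",
              keep_start: int = 0, keep_end: int = 0) -> str:
    """Mask each match of a fixed-length pattern, leaving keep_start leading
    and keep_end trailing characters unmasked."""
    validate_pcre_pattern(pattern)

    def repl(m):
        s = m.group(0)
        end = len(s) - keep_end
        if keep_start >= end:
            return s  # nothing left to mask
        return s[:keep_start] + mask * (end - keep_start) + s[end:]
    return re.sub(pattern, repl, text)


# Constructed response body; the card number is a well-known test number.
SAMPLE_RESPONSE_BODY = (
    "Card: 4111 1111 1111 1111, order 123456789012345, "
    "SSN 078-05-1120, API key AKIA1234567890AB"
)


def mask_response(body: str) -> str:
    """Apply the three response masks in sequence, as a template would."""
    body = ccn_mask(body)
    body = ssn_mask(body)
    # Keep the 4-character prefix and 2-character suffix of the key.
    return pcre_mask(body, r"AKIA[0-9A-Z]{12}", mask="X", keep_start=4, keep_end=2)


if __name__ == "__main__":
    print(mask_response(SAMPLE_RESPONSE_BODY))
```

The 15-digit order number in the sample is left alone because it fails the checksum, which is the kind of false positive a purely digit-count approach would mask; the fixed-width pattern for the key shows why the guide restricts PCRE masks to fixed-length matches, since Keep Start and Keep End are only meaningful when the match length is known.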

Customize Cookie Encryption


Configure the Cookie Encrypt option to protect against cookie tampering.
The encryption uses a secret passphrase to decrypt and encrypt cookies that
are transferred between the Web server and client.

27. Cookie Name – Enter the name of a cookie or PCRE expression. This
option encrypts cookies by a specific name or for all cookies that match
a PCRE expression.

28. Passphrase and Confirm Passphrase – Enter a string which will be used to encrypt and decrypt the cookies.

Note: The encrypted passphrase is stored in the config file.

Confirm the Template Configuration


29. When finished, click OK. The WAF Template appears in the WAF template list.

Bind the WAF Template to the Virtual Port


You can bind a WAF template through either of the following methods:
• Method 1 – Bind the WAF template from the configuration page for a
virtual server.
• Method 2 – Bind the WAF template to an HTTP or HTTPS virtual service port from the security sub-module.

Method 1:
1. Navigate to Config Mode > SLB > Service > Virtual Server. The Virtual
Server table appears.

2. To edit an existing virtual server, click the name of the virtual server. To configure a new virtual server, click Add. The virtual server configuration page appears.

3. In the Port section, click Add. The Virtual Server Port creation page
appears.

4. Set the port type to HTTP, or HTTPS.

5. In the WAF drop-down list, select the name of a WAF template.

6. Configure other options as needed. (For example, if you are configuring a new port, select the service group.)

7. Click OK. The port appears in the Port list of the Port section.

8. Click OK. The Virtual Server table appears.

Method 2:
1. Navigate to Config Mode > Security > WAF > Bind. A table of HTTP virtual services appears. (A virtual service is the combination of a virtual IP address, or “VIP”, and a virtual port with service type HTTP or HTTPS.)

FIGURE 13 Config Mode > Security > WAF > Bind

2. Click the Bind icon. The WAF binding page appears.
a. In the Name field, select the name of an HTTP or HTTPS virtual service port from the drop-down list.
b. Select the name of a configured WAF template from the drop-down list, or “create” to access the WAF template configuration page.
c. Select OK.


Configure External Logging (recommended)


Although optional, A10 Networks strongly recommends configuring external logging. It is the only mechanism supported for accessing WAF log messages.

Logging of WAF events to external logging servers is supported over TCP or UDP. You can configure logging to a single server or a group of servers. If you use a group of servers, ACOS balances the log traffic among the servers for optimal efficiency.

Configuration Overview
To configure web logging:
1. Create a server configuration for each log server. On each server, add a
TCP or UDP port with the port number on which the log server listens
for log messages.

2. Add the log servers to a service group. Make sure to use the round-robin
load-balancing method. (This is the default method.)

3. (Optional) If logging over TCP, configure a TCP-proxy template to customize TCP settings for connections between ACOS and log servers. For example, you can enable use of keepalive probes, to ensure that the TCP connections with the log servers remain established during idle periods between logs.

4. Configure a logging template. Add the service group containing the log
servers to the logging template. If you configure a custom TCP-proxy
template, also add that template to the logging template.

5. Apply the logging template to the WAF template.

External logging is activated once you bind the WAF template to a virtual
port.


Create Server Configurations for the Log Servers


1. Navigate to Config Mode > SLB > Service > Server.

2. Click Add.

3. Enter a name for the server in the Name field.

4. Enter the server IP address in the IP Address field.

5. Select the IP version, IPv4 or IPv6.

6. In the Port section, configure the protocol port information:
a. Enter the port number in the Port field.
b. Select TCP or UDP from the Protocol drop-down list.
c. Click Add.

7. Click OK. The server appears in the server table.

8. Repeat for each server.

Add Server Configurations to Service Group


9. Navigate to Config Mode > SLB > Service > Service Group.

10. Click Add.

11. Enter a name for the service group in the Name field.

12. Select TCP or UDP from the Type drop-down list.

13. In the Server section, configure the server information:
a. Select the IP version of the server’s IP address, IPv4 or IPv6.
b. Select the server from the Server drop-down list.
c. Enter the UDP port number in the Port field. This must be the same
number specified in the server configuration.
d. Click Add.
e. Repeat for each server.

14. Click OK. The service group appears in the service group table.


Configure the Logging Template


15. Select Config Mode > SLB > Template > Application > Logging.

16. Click Add.

17. Enter a name for the template.

18. Select the service group that contains the log servers.

19. If you configured a custom TCP-proxy template for logging over TCP,
select the template.

20. Click OK.

Apply the Log Template to the WAF Template


21. Navigate to Config Mode > Security > WAF > Template.

22. Click on the WAF template name.

23. Select the logging template from the Logging Template drop-down list.

24. Click OK.


Configuring the WAF Using the CLI

The WAF operates on traffic that is addressed to the virtual IP address (VIP)
and HTTP/HTTPS virtual port of your Web site. To apply WAF protection
to the virtual port, basic configuration is required. Additional, advanced
configuration is optional.

This chapter describes how to configure the WAF using the command-line
interface (CLI).

Note: For deployment examples, see “WAF Deployment and Logging Examples” on page 89.

Required Configuration
The minimum required configuration for the WAF consists of the following
tasks:
1. Create a WAF template.

2. Bind the WAF template to the HTTP/HTTPS virtual port on the VIP.

Note: Configuration of other SLB resources required by the virtual port, such as
real servers and service groups, are not covered here. However, the
deployment examples in the guide include the commands for configuring
these resources. (See “WAF Deployment and Logging Examples” on
page 89.)

Create a WAF Template


To create or modify a WAF template, use the following command at the
global configuration level of the CLI:

slb template waf template-name


For the template-name option, enter the name of an existing WAF template
to modify the template’s configuration, or an unused name to create a new
WAF template. This command enters the CLI configuration level for the
template.

If you plan to use all the default settings for the template (including Active
Mode operation) no further template configuration is required. To customize template settings, see “Optional Configuration” on page 54.


Bind the WAF Template to the HTTP/HTTPS Virtual Port


The WAF template goes into operation after you bind the template to an
HTTP/HTTPS port.

To bind a template to a virtual port, you must access the configuration level
for the port.
1. From the global configuration level of the CLI, use the following command to access the configuration level for the virtual server that will receive HTTP/HTTPS traffic to be secured using the WAF:
slb virtual-server name ipaddr

2. At the configuration level for the virtual server, use the following command to access the configuration level for the virtual port:
port port-number {http | https}

3. At the configuration level for the virtual port, use the following command to bind the WAF template to the port:
template waf template-name

External Logging Configuration


Although optional, A10 Networks strongly recommends external logging. It
is the only mechanism supported for accessing WAF data event messages.
To configure external logging for WAF:
1. Create a server configuration for each log server. Add a TCP or UDP
port to each server configuration, with the port number on which the
external log server listens for log messages.
a. Use the following command to add a server and access the configuration level for it:
slb server server-name ipaddr
b. Use the following command to add a TCP or UDP port to the server. Specify the port number on which the server will listen for log traffic.
port port-num {tcp | udp}

2. Add the log servers to a service group. Make sure to use the round-robin
load-balancing method. (This is the default method.)
a. Use the following command to add the service group and access the
configuration level for it:
slb service-group group-name {tcp | udp}
b. Use the following command to add each log server and its TCP or
UDP port to the group:
member server-name:portnum

3. (TCP only) If logging over TCP, configure a TCP-proxy template to customize TCP settings for connections to log servers. For example, you can enable use of keepalive probes, to ensure that the TCP connections with the log servers remain established during idle periods between logs.
a. Use the following command to create the TCP-proxy template and
access the configuration level for it:
slb template tcp-proxy template-name
b. Use the following command to set keep-alive probes:
keepalive-probes num

4. Configure a logging template:
a. Use the following command to create the logging template and access the configuration level for it:
slb template logging template-name
b. Use the following command to add the service group containing the
log servers to the logging template:
service-group group-name
c. If you configured a TCP-proxy template, use the following command to add that template to the logging template:
template tcp-proxy template-name

5. Bind the logging template to the WAF template:
a. Use the following command to access the configuration level for the WAF template:
slb template waf template-name
b. Use the following command to bind the logging template to the
WAF template:
template logging template-name

Note: External logging is activated once you bind the WAF template that uses
the logging template to an HTTP/HTTPS virtual port.

Optional Configuration
This section provides syntax for the following WAF configuration options:
• Deployment mode
• Custom policy files (definitions)
• Request checks
• Deny action (WAF response sent to client when a request is denied by the WAF)
• Response checks

Set Deployment Mode


The default operational mode for WAF is active. To change the operational
mode, use the following command at the configuration level for the WAF
template:

deploy-mode {active | learning | passive}

You can deploy WAF in one of the following operational modes:
• active – The WAF enforces the security checks configured on the template and sends events to the external log server.
• learning – The WAF template “learns” acceptable check parameters based on a stream of legitimate, secure traffic. In Learning Mode, the WAF continues to send events to the external log server.
• passive – The WAF sends events to the external log server only and does not enforce any security checks.

For more information, see “WAF Operational Modes” on page 27.


Customize WAF Policy Files


Caution: A mis-configured PCRE expression can negatively impact system
performance. Do not apply a PCRE expression to a WAF policy file
unless you are completely certain that the PCRE expression will
achieve the desired result.

The WAF is pre-loaded with a set of default policy files which are used for certain security checks. For example, if you enable bot checking with the WAF template, the default “bot_defs” WAF policy file is used for a list of known bot names. (See “Bot Check” on page 70.)

Optionally, you can customize WAF policy files and apply these files to security checks. For example, you can copy the default bots policy file, modify and import the copied file, then update the corresponding WAF template option to use the custom policy file.

For more information, see “WAF Policy Files” on page 69.

Configure Security Checks for Requests


To configure individual WAF security checks for requests, use the following
commands:
• allowed-http-methods “method-list” – Use this command to specify the HTTP methods (GET, POST, and so on) that are allowed in requests.
• bot-check – Use this command to check the user-agent of incoming
requests for known bots. This check uses the list of defined bots in the
“bot_defs” WAF policy file. See “Bot Check” on page 70.
• buf-ovf option – Use this command to configure checks for
attempts to cause a buffer overflow on the Web server.
• disable – Disables buffer overflow protection.
• max-cookie-len bytes – Sets the maximum length for cookies
allowed in requests.
• max-cookie-name-len bytes - Sets the maximum length for cookie
names in requests.
• max-cookie-value-len bytes - Sets the maximum length for cookie
values in requests.
• max-hdrs-len bytes – Sets the maximum header length for headers
allowed in requests.

• max-hdr-name-len bytes - Sets the maximum header name length
allowed in requests.
• max-hdr-value-len bytes - Sets the maximum header value length
allowed in requests.
• max-line-len bytes - Sets the maximum line length allowed in
requests.
• max-parameter-name-len bytes - Sets the maximum parameter
name length allowed in requests.
• max-parameter-total-len bytes - Sets the maximum total number
of parameters allowed in requests.
• max-parameter-value-len bytes - Sets the maximum parameter
value length allowed in requests.
• max-post-size bytes – Sets the maximum content length allowed in
HTTP POST requests.
• max-query-len bytes - Sets the maximum query length allowed in
requests.
• max-url-len bytes – Sets the maximum URL length allowed in
requests.
• csrf-check – Use this command to tag the fields of a web form with
a nonce. This check protects against cross-site request forgery (CSRF).
• deny-action response-type – Use this command to specify the type of response string sent to a client when WAF denies a request.
• http-resp-403 resp-string – Sends a 403 Forbidden response to the
client. The default string returns a generic “Request Denied!” page
to the client.
• http-resp-200 resp-string – Sends a 200 OK response to the client
with the specified resp-string. The default string returns a generic
“Request Denied!” page to the client.
• http-redirect url-string – Sends a 302 Found redirection address to
the client with the URL specified in the redirect-url.
• reset-conn – Terminates the client connection.

• http-check – Use this command to check that user requests are compliant with HTTP protocols.
• max-cookies num – Specifies the maximum number of cookies
allowed in a request. You can specify 0-63.
• max-hdrs num – Specifies the maximum number of headers allowed
in a request. You can specify 0-63.

• max-parameters num – Specifies the maximum number of param-
eters allowed in a request. You can specify 0-63.
• uri-blist-check file-name – Enforces the rules contained within a WAF policy file for the URI Black List. For more information, see “URI Black List” on page 71.
• uri-wlist-check file-name – Enforces the rules contained
within a WAF policy file for the URI White List. For more information,
see “URI White List” on page 72.
• form-consistency-check – Use this command to check that the
user input to a form field conforms to the form field tag. WAF also
parses HTTP bodies encoded as multipart/form-data. Extracted form
fields are verified against previously parsed HTML forms.
• referer-check [enable | only-if-present]
safe-referer-domain safe-redirect-url – Use this
command to validate that the referer header in a request contains Web
form data from the specified Web server, rather than from an outside
Web site. This check protects against CSRF attacks.
• enable – always validates the referer header. If selected, the request
fails the referer check if there is no referer header or if the referer
header is invalid.
• only-if-present – validates the referer header only if a referer
header exists. If the check finds an invalid referer header, the
request fails the check. However, the request does not fail the check
if there is no referer header in the request.
• session-check [secs] – This command creates an ID for a cli-
ent request and inserts it in a cookie in the response. Future requests
from the same client are validated against the session cookie. If the ID
or IP do not match, then the request will be rejected. The default lifetime
for the session ID is 600 seconds.
• sqlia-check {reject | sanitize} – Use this command to
check for SQL strings to protect against SQL injection attacks. This
check uses the list of defined SQL commands in the “sqlia_defs” WAF
policy file. See “SQL Injection Attack Check” on page 70.
• reject – denies requests that contain SQL injection attacks.
• sanitize – removes the SQL injection attack and forwards the
request to the Web server.
• url-check – The URL Check allows users to access Web pages only by clicking a hyperlink on your protected Web site. Select this option to prevent users from directly selecting any URLs on your website that you do not want accessible.

Note: The list of approved URL paths is initially generated as a policy file during Learning Mode. After which, you can customize the contents of the URL Check policy file. For a deployment example that includes configuration of the URL Check, see “Generate Allowed URL Paths for the URL Check” on page 94.
• url-options option – Use this command to normalize request URLs. This helps shorten the URLs and prevent buffer overflows from lengthy URLs.
• decode-entities - Decode entities, such as <, from the internal
URL.
• decode-escaped-chars - Decode escaped chars, such as \r or \n,
from the internal URL.
• decode-hex-chars - Decode hexadecimal characters, such as \%xx
and \%u00yy, from the internal URL.
• remove-comments - Remove comments from the internal URL.
• remove-selfref - Remove self-references, such as /./ and /path/../,
from the internal URL.
• remove-spaces - Remove spaces from the internal URL.

• xss-check {disable | reject | sanitize} – Use this command to check for potential HTML XSS scripts to protect against cross-site scripting attacks. This check uses the list of defined Javascript commands in the “jscript_defs” WAF policy file. See “XSS Check” on page 70.
• reject – denies requests that contain cross-site scripting.
• sanitize – removes the detected XSS script and forwards the request
to the Web server.
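The url-options above decide how a request URL is canonicalized before the URL check, the URI black and white lists and the length limits see it: a list entry such as /admin/ only helps if an encoded or self-referencing spelling of the same path is reduced to the same string first. The following added example, which is not part of this guide and not ACOS code, models the six options in Python and shows a black-list match that is found only after normalization. The order in which the options are applied, the sample URLs, the list entry, and the names normalize_url and is_blacklisted are assumptions.

```python
# Added example (not A10 code): a model of the url-options normalization
# steps described above, applied before a request URL is compared with a
# URI black list. Which steps run, and the order they run in, is an
# assumption of this model, as are the sample URLs and the list entry.
import html
import posixpath
import re
from typing import Callable, Iterable, List, Tuple
from urllib.parse import unquote


def decode_entities(url: str) -> str:
    """decode-entities: &#47; becomes '/', &amp; becomes '&', and so on."""
    return html.unescape(url)


def decode_escaped_chars(url: str) -> str:
    """decode-escaped-chars: literal \\r, \\n and \\t become control characters."""
    return url.replace("\\r", "\r").replace("\\n", "\n").replace("\\t", "\t")


def decode_hex_chars(url: str) -> str:
    """decode-hex-chars: %xx and the non-standard %u00yy form."""
    url = re.sub(r"%u00([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), url)
    return unquote(url)


def remove_comments(url: str) -> str:
    """remove-comments: strip /* ... */ sequences."""
    return re.sub(r"/\*.*?\*/", "", url, flags=re.S)


def remove_spaces(url: str) -> str:
    """remove-spaces: drop every space character."""
    return url.replace(" ", "")


def remove_selfref(url: str) -> str:
    """remove-selfref: collapse /./ and /path/../ in the path part only."""
    path, sep, query = url.partition("?")
    norm = posixpath.normpath(path)
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"  # normpath drops a trailing slash; keep it
    return norm + sep + query


# Order matters: decode first, then remove, and collapse self-references last
# so that sequences exposed by decoding are still caught.
NORMALIZERS: List[Tuple[str, Callable[[str], str]]] = [
    ("decode-entities", decode_entities),
    ("decode-escaped-chars", decode_escaped_chars),
    ("decode-hex-chars", decode_hex_chars),
    ("remove-comments", remove_comments),
    ("remove-spaces", remove_spaces),
    ("remove-selfref", remove_selfref),
]
ALL_OPTIONS = frozenset(name for name, _ in NORMALIZERS)


def normalize_url(url: str, options: Iterable[str]) -> str:
    """Apply the enabled url-options to a request URL, in the fixed order above."""
    enabled = set(options)
    for name, fn in NORMALIZERS:
        if name in enabled:
            url = fn(url)
    return url


def is_blacklisted(url: str, blacklist: Iterable[str], options: Iterable[str]) -> bool:
    """Substring match against the list entries after normalization."""
    normalized = normalize_url(url, options)
    return any(entry in normalized for entry in blacklist)


# Constructed list entry and a request URL that spells the same path with a
# hex-encoded character, an HTML entity and a self-reference.
URI_BLACKLIST = ["/admin/"]
OBSCURED_URL = "/app/./pages/../%61dmin/index&#46;php?id=1&amp;x=2"

if __name__ == "__main__":
    print(normalize_url(OBSCURED_URL, ALL_OPTIONS))
    print(is_blacklisted(OBSCURED_URL, URI_BLACKLIST, []),
          is_blacklisted(OBSCURED_URL, URI_BLACKLIST, ALL_OPTIONS))
```

With no options enabled the raw string never contains the list entry and the request would pass; with all six enabled the same request normalizes to /app/admin/index.php?id=1&x=2 and matches. The same normalized form is what the length limits should be measured against, which is the buffer-overflow point the guide makes for url-options.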

Configure Security Checks for Responses


To configure individual WAF security checks for responses, use the following commands:
• ccn-mask – Use this command to examine strings of outbound replies from the Web server for patterns of numerical characters that resemble credit card numbers (CCN). If the WAF identifies a credit card number, the WAF replaces all but the last four digits of credit card numbers with “x” characters.

• filter-resp-hdrs – Use this command to remove the Web server’s identifying headers in outgoing responses.
• ssn-mask – Use this command to examine server responses for
strings that resemble US Social Security numbers and masks all but the
last four digits of the string with “x” characters in a response.
• cookie-encrypt name secret-passphrase – Uses the specified secret-passphrase string to encrypt and decrypt cookies in server to client communication. For the cookie name, you can enter the name of a specific cookie as a string, or a PCRE expression to encrypt all cookies which match the expression.
• hide-resp-codes – Cloaks 4xx and 5xx response codes for outbound responses from the Web server.

Note: Do not enter the secret-encrypted option when configuring this check.
This option is placed into the configuration by the WAF to indicate that
the string is the encrypted form.
• pcre-mask options pcre-pattern – Use this command to mask patterns in a response that match the specified PCRE pattern.
• For options you can enter the following:
• keep-end num-length – Specifies the number of
unmasked characters at the end of the string. The default is 0.
• keep-start num-length – Sets the number of unmasked
characters at the beginning of the string. The default is 0.
• mask character – Selects a character to mask the matched
pattern of a string. The default is x.
• For pcre-pattern, enter a PCRE expression. (See “Writing PCRE
Expressions” on page 77.)

Note: You can configure PCRE patterns to match only on a fixed-length string.
For this reason, wildcard characters that can mask excessively long
strings (* and +) are not supported.
If either the asterisk (*) or plus symbol (+) is detected during the syntax
check, the syntax check will automatically fail. To use an expression that
matches an actual “*” or “+” character, use an escape character (\) before
the matched symbol. For example, to search for the actual asterisk (*) or plus character (+), enter “\*” or “\+”.


WAF Event Logging

This chapter describes where WAF events are logged and the format used
for WAF log messages.

Note: There is no external logging by default. To configure external logging, see either of the following sections:
• Using the GUI – “Configure External Logging (recommended)” on
page 47
• Using the CLI – “External Logging Configuration” on page 52

Notes
• After external logging is enabled, WAF messages for configuration events,
as well as data events, are sent only to the external logging servers.
• The deny action itself (the response returned to a denied client) is not
written to the log; the log records only that the request was denied
(act=deny). To view the configured response to denied client requests,
check the WAF template currently in use.

WAF Event Types and Where They Are Logged


WAF log messages consist of the following basic event types:
• Configuration events – Indicate that a configuration change has
occurred. Typically, this type of WAF event is generated when you con-
figure WAF settings.
• Data events – Indicate that traffic has matched a WAF template check.

By default, only configuration events are logged to the local logging buffer
on ACOS.

Data events are not logged by default. Due to the potentially high volume of
data event messages, they are accessible only by using remote logging serv-
ers. You can configure the WAF to use a single logging server or a group of
servers.

After you enable WAF logging to remote logging servers, WAF configura-
tion events also are sent to the remote servers. In this case, the WAF config-
uration events are no longer sent to the local logging buffer.

Figure 14 shows the WAF logging behavior without external logging. WAF
configuration events are logged locally. WAF data events are not logged.

FIGURE 14 Without external WAF logging

Figure 15 shows the WAF logging behavior after external logging is config-
ured for the WAF template. WAF configuration events and WAF data events
both are logged to the external log server.

FIGURE 15 With external WAF logging


Log Format
For optimal interoperability, WAF uses the Common Event Format (CEF),
an open standard used by other security appliances and network devices.

WAF log messages can contain the following fields:


Timestamp CEF:version|device-vendor|device-product|
device-version|module|event-type|severity|CEF-extension

Table 1 describes the data fields that can appear in WAF logs.

TABLE 1 WAF log data fields


Field Description
Timestamp Date and time that the log was generated, in the fol-
lowing format: Mon Day hh:mm:ss
CEF version CEF version.
device-vendor Vendor name, “A10”.
device-product A10 Thunder or AX model number.
device-version Advanced Core Operating System (ACOS) version.
module System module that generated the log message. For
WAF messages, the module is “WAF”.
event-type WAF feature or policy on which the traffic matched.
Examples:
• bot-check
• buf-ovf
• ccn-mask
• cookie-encrypt
• csrf-check
• deny-action
• filter-resp-hdrs
• form-consistency-check
• hide-resp-codes
• http-check
• pcre-mask
• referer-check
• sqlia-check
• ssn-mask
• uri-blist-check
• uri-wlist-check
• url-check
• xss-check

severity Severity of the event.
• 1 – Debug
• 2 – Info
• 3 – Notice
• 4 – Warning
• 5 – Error
• 6 – Critical
• 7 – Alert
• 8 – Emergency
CEF-extension Set of any number of key/value pairs, in any order,
that further describe the event that generated the log.
The CEF extension for WAF uses the following elements:
• src – Source IP of the request or response.
• spt – Source protocol port of the request or response.
• dst – Destination IP (the virtual server address).
• dpt – Destination protocol port (the virtual port).
• method – HTTP method used (if applicable).
• req – Request line (the URL in the request). The examples in
this chapter spell this key as either req or request.
• n – Number (n) of bytes of content in the request. In the
log examples this value appears as a bare number after the
req field rather than as n=value.
• msg – Message associated with the event type.
• cs1 – Name of the template that was in use when
the event was generated.
• act – Action the WAF took in response to the
event:
• deny
• allow
• sanitize
• learn
• md – Deployment mode (for example, nrm for normal mode or
lrn for learning mode).


WAF Log Examples


The following sections show some examples of WAF log messages.

Basic Log Message


Here is a sample log message:
Dec 22 17:13:03 CEF:0|A10|AX3200|2.7.1|WAF|http-check|2|src=20.20.25.10 spt=32462 dst=20.20.25.130 dpt=80 req="GET /tours/index.html HTTP/1.1" 0 msg="Learning: Updating allowed HTTP methods" cs1=waf1 act=learn md=learn

Table 2 labels each field in the message.

TABLE 2 WAF log example


Field Value
Timestamp Dec 22 17:13:03
CEF version 0
device-vendor A10
device-product AX3200
device-version 2.7.1
module WAF
event-type http-check
severity 2
CEF-extension src=20.20.25.10
spt=32462
dst=20.20.25.130
dpt=80
req="GET /tours/index.html HTTP/1.1"
0 = Bytes of content in the request
msg="Learning: Updating allowed HTTP methods"
cs1=waf1
act=learn
md=learn

Note: For more log examples, see “WAF Deployment and Logging Examples”
on page 89.


Bot Check
Here is an example of a WAF log that indicates the detection of a bad bot:
Oct 20 18:16:13 CEF:0|A10|AX3200|2.7.1|WAF|bot-check|6|src=20.20.25.10 spt=30842 dst=20.20.25.130 dpt=80 request="GET /tours/index.html HTTP/1.1" 0 msg="Bad bot detected! User-Agent drip" cs1=w2 act=deny md=nrm

Here is the same message, formatted to more clearly show each field:
Oct 20 18:16:13
CEF:0
A10
AX3200
2.7.1
WAF
bot-check
6
src=20.20.25.10
spt=30842
dst=20.20.25.130
dpt=80
request="GET /tours/index.html HTTP/1.1" 0
msg="Bad bot detected! User-Agent drip"
cs1=w2
act=deny
md=nrm

This message indicates that an HTTP GET request from 20.20.25.10:30842 to
VIP 20.20.25.130:80 carried a User-Agent (“drip”) that matches an entry in
the bot_defs WAF policy file. The WAF template name is “w2”. Based on the
WAF configuration, the request was denied (act=deny). The WAF is running in
normal mode (md=nrm).


Learning Mode
Below are example log messages for when the WAF is deployed in learning
mode:
Oct 19 16:24:43 CEF:0|A10|AX3200|2.7.1|WAF|buf-ovf|2|src=20.20.25.10 spt=1892 dst=20.20.25.130 dpt=80 request="GET /tours/index.html HTTP/1.1" 0 msg="Learning Mode: Increasing headers length limit from 0 to 172" cs1=w2 act=learn md=lrn

Oct 19 16:25:03 CEF:0|A10|AX3200|2.7.1|WAF|http-check|2|src=20.20.25.10 spt=1892 dst=20.20.25.130 dpt=80 request="GET /tours/index.html HTTP/1.1" 0 msg="Learning Mode: Increasing max_hdrs from 0 to 3" cs1=w2 act=learn md=lrn

The first message indicates that WAF updated the header-length limit based
on traffic observed during Learning Mode. Likewise, the second message
indicates that WAF updated the maximum-headers limit. The act=learn field
indicates that the value was learned. The md=lrn field indicates that Learn-
ing Mode was enabled.
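The following added example (not part of the guide and not A10 code) parses the sample messages from this chapter in Python and shows two things a practitioner typically does with the feed: list what the WAF denied, and tally the act= values per template to confirm when a template has stopped learning. The header is split on “|” as the Log Format section describes; the extension is split into key=value pairs, with the bare request-length number stored under n and the req/request spelling variants folded into req. SAMPLE_LOG is constructed from the examples above.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Header layout from the Log Format section:
# Timestamp CEF:version|device-vendor|device-product|device-version|module|event-type|severity|extension
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"CEF:(?P<cef>\d+)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|(?P<version>[^|]*)\|"
    r"(?P<module>[^|]*)\|(?P<event>[^|]*)\|(?P<sev>\d+)\|(?P<ext>.*)$"
)
# Extension tokens: key=value, key="quoted value", or the bare integer that the
# examples place after the request line (the "n" field of Table 1).
EXT_RE = re.compile(r'(?P<key>\w+)=(?:"(?P<quoted>[^"]*)"|(?P<plain>\S+))|(?P<bare>\d+)')

SEVERITY_NAMES = {1: "Debug", 2: "Info", 3: "Notice", 4: "Warning",
                  5: "Error", 6: "Critical", 7: "Alert", 8: "Emergency"}


@dataclass
class WafEvent:
    timestamp: str
    cef_version: int
    vendor: str
    product: str
    acos_version: str
    module: str
    event_type: str
    severity: int
    ext: dict

    @property
    def severity_name(self):
        return SEVERITY_NAMES.get(self.severity, "unknown")


def parse_waf_log(line):
    """Parse one ACOS WAF CEF line into a WafEvent; raise ValueError on anything else."""
    m = HEADER_RE.match(line.strip())
    if not m or m["module"] != "WAF":
        raise ValueError("not a WAF CEF line: %r" % line[:60])
    ext = {}
    for t in EXT_RE.finditer(m["ext"]):
        if t["bare"] is not None:
            ext["n"] = int(t["bare"])            # bytes of content in the request
            continue
        key = "req" if t["key"] == "request" else t["key"]   # both spellings occur
        ext[key] = t["quoted"] if t["quoted"] is not None else t["plain"]
    return WafEvent(m["ts"], int(m["cef"]), m["vendor"], m["product"], m["version"],
                    m["module"], m["event"], int(m["sev"]), ext)


def parse_waf_logs(text):
    return [parse_waf_log(line) for line in text.splitlines() if line.strip()]


def denied_requests(events):
    """(src:spt, event-type, msg) for every request the WAF blocked."""
    return [("%s:%s" % (e.ext.get("src"), e.ext.get("spt")), e.event_type, e.ext.get("msg"))
            for e in events if e.ext.get("act") == "deny"]


def actions_by_template(events):
    """Count act= values per WAF template (cs1), e.g. to see whether a template still learns."""
    counts = {}
    for e in events:
        counts.setdefault(e.ext.get("cs1"), Counter())[e.ext.get("act")] += 1
    return counts


# Constructed input: three sample messages from this chapter, one per line.
SAMPLE_LOG = """\
Dec 22 17:13:03 CEF:0|A10|AX3200|2.7.1|WAF|http-check|2|src=20.20.25.10 spt=32462 dst=20.20.25.130 dpt=80 req="GET /tours/index.html HTTP/1.1" 0 msg="Learning: Updating allowed HTTP methods" cs1=waf1 act=learn md=learn
Oct 20 18:16:13 CEF:0|A10|AX3200|2.7.1|WAF|bot-check|6|src=20.20.25.10 spt=30842 dst=20.20.25.130 dpt=80 request="GET /tours/index.html HTTP/1.1" 0 msg="Bad bot detected! User-Agent drip" cs1=w2 act=deny md=nrm
Oct 19 16:24:43 CEF:0|A10|AX3200|2.7.1|WAF|buf-ovf|2|src=20.20.25.10 spt=1892 dst=20.20.25.130 dpt=80 request="GET /tours/index.html HTTP/1.1" 0 msg="Learning Mode: Increasing headers length limit from 0 to 172" cs1=w2 act=learn md=lrn
"""

if __name__ == "__main__":
    events = parse_waf_logs(SAMPLE_LOG)
    for e in events:
        print(e.timestamp, e.event_type, e.severity_name, e.ext["act"], e.ext["md"], e.ext["req"])
    print(denied_requests(events))
    print(actions_by_template(events))
```

Because the data events only ever reach the remote log servers, a parser like this normally runs on the collector; the module check (module == "WAF") keeps other ACOS CEF lines out of the WAF tallies.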


WAF Policy Files

WAF Policy Files (also referred to as WAF Definitions) give you the ability
to define a set of rules for customized security checks. WAF policy files
enable you to specify security checks for enhanced response- and request-
side protection to protect against security risks, such as SQL injection
attacks or forceful browsing.

Caution: Misconfigured PCRE expressions can negatively impact system
performance. Do not apply a PCRE expression to a WAF policy file unless you
are completely certain that the PCRE expression will achieve the desired
result.

Pre-Loaded WAF Policies


Default WAF policy files are pre-loaded onto ACOS to allow immediate
protection against common threats. Default WAF policies apply to the fol-
lowing checks:
• XSS Check
• Bot Check
• SQLIA Check
• URI White List
• URI Black List
• Hide Response Codes

If one of these checks is enabled and a WAF policy file is not specified, the
default WAF policy file is applied. These policy files are described in more
detail below.

Note: You cannot rename, edit, or delete default files. However, you can copy a
default WAF policy file and customize its contents to fit your specific
demands.

Table 3 lists the pre-loaded WAF policy files.

TABLE 3 Pre-Loaded WAF Policy Files

Check                  Policy File          Description
Hide Response Codes    allowed_resp_codes   Defines a list of permitted HTTP response codes.
Bot Check              bot_defs             Defines a list of known bots.
XSS Check              jscript_defs         Defines a set of commonly used JavaScript commands.
SQLIA Check            sqlia_defs           Defines common search terms for SQL injection attacks.
URI Black List         uri_blist_defs       Lists exclusion criteria for the URI Black List. See Table 4 on page 71.
URI White List         uri_wlist_defs       Lists inclusion criteria for the URI White List. See Table 5 on page 72.

Request Protection
The following checks point to WAF policy files for enhanced protection
against incoming requests. By default, these checks refer to the default
WAF policy files, as described below. Optionally, you can configure these
checks to use customized policy files.

Bot Check
The WAF bot check option uses the “bot_defs” policy file for search
definitions of known bot agents. If bot checking is enabled in the WAF tem-
plate and a match is found with the “bot_defs” policy file, the request is
denied automatically. You can add or modify the “bot_defs” policy file to
include or remove bot search terms.

XSS Check

The “jscript_defs” WAF policy file defines a list of common JavaScript
commands. The XSS check uses this policy file to examine the URL, cookies,
headers, and POST bodies of client requests. This type of policy file is
useful for Web sites that serve JavaScript-based content.

Note: If your Web site contains embedded JavaScript, A10 Networks recommends
enabling the XSS check in the WAF template.

SQL Injection Attack Check

The WAF policy file “sqlia_defs” provides a basic collection of SQL special
characters and keywords that are common to SQL injection attacks. When such
terms reach the back-end SQL database unsanitized, they can execute
commands and allow unauthorized users to obtain sensitive information. If a
request contains a term that matches a search definition in the
“sqlia_defs” policy file, you can configure the WAF to sanitize the request
of the SQL command or deny the request entirely.

URI Black List

A URI Black List specifies exclusion criteria for incoming requests. If the
URI of an incoming request matches a rule in the URI Black List, the
request is automatically blocked.

The URI Black List takes priority over a URI White List. That is, even if a
URI matches acceptance criteria within the URI White List, a connection is
blocked automatically if it meets a rule in the separate URI Black List.

Table 4 lists the URI Black List criteria in the default “uri_blist_defs” file.
Each entry is written as name,PCRE-expression.

TABLE 4 URI Black List – Default

Description                                                     Attack Pattern
Access attacks                                                  access,^[^?]*(?:htaccess|access_log)(?:[.][^/?]*)?(?:[~])?(?:[?].*)?$
Apache possible directory index disclosure vulnerability        apache_dir,^[^?]*/[?][SM]=[AD]
Command injection attack                                        cmd_inj,(?:[ /=]|\t|\n)(?:ls|rm|cat)(?:[ ;'\"&].*)?$
CodeRed                                                         code_red,^[^?]*/default[.]ida[?]N+
Debug attacks                                                   debug,debug[.][^/?]*(?:|[?].*)$
Front Page server extensions buffer overflow-1                  fp_srvr_ext_bo1,^[^?]*dvwssr[.]dll
Front Page server extensions buffer overflow-2                  fp_srvr_ext_bo2,^[^?]*fp30reg[.]dll
Front Page server extensions path disclosure vulnerability      fp_srvr_ext_pb,^[^?]*/_vti_bin/shtml[.]
HTR source disclosure                                           htr_sd,^[^?]*[+][.]htr
Index server buffer overflow                                    idx_srvr_bo,^[^?]*[.]id[aq]
IIS executable file parsing vulnerability-1                     iis_exe_fp1,^[^?]*[+]dir
IIS executable file parsing vulnerability-2                     iis_exe_fp2,^[^?]*/georgi[.]asp
IIS executable file parsing vulnerability-3                     iis_exe_fp3,^[^?]*[.](?:bat|ini|exe)(?:|[?].*)$
Microsoft IIS UNC mapped virtual host vulnerability             iis_unc_mvh,^[^?]*[.]asp/.*
Microsoft IIS UNC path disclosure vulnerability                 iis_unc_pd,^[^?]*[.]htx
Nimda-3                                                         nimda3,^[^?]*Admin[.]dll
Nimda-4                                                         nimda4,^[^?]*/winnt/
Netscape enterprise server directory indexing vulnerability     nses_dir_idx,^[^?]*/[?]wp-
Netscape enterprise server web publishing vulnerability         nses_web_pub,^[^?]*/publisher
Printer buffer overflow                                         print_bo,^[^?]*/NULL[.]printer
Password file attacks                                           pwd_file,^[^?]*(?:passwd|passwords?)(?:[.][^/?]*)?(?:[?].*)?$
Script exploit                                                  script,^[^?]*[.](?:cgi|pl|php|bat)(?:[/?].*)?[|]
System command attacks                                          sys_cmd,system(?: |\t|\n)*[(?:]
Unix core file attacks                                          unix_core,/core(?:/.*)?$
Unix file attacks                                               unix_file,[\\/]etc[\\/](?:passwd|group|hosts)
Webhits source disclosure                                       webhits_sd,^[^?]*null[.]htw

URI White List

You can configure the WAF to check the URIs of incoming requests and
only accept connection attempts that meet specified criteria. A URI White
List check compares the URI of an incoming request with the expressions
contained in the URI Whitelist policy file. Connection requests are accepted
only if the request matches a criterion in the URI White List.

Table 5 lists the URI White List criteria in the default “uri_wlist_defs” file.

TABLE 5 URI White List – Default

Description                 Expression
URL path component (root)   root,^/$
Common file types           static,^[^?]+[.](?:html?|shtml|js|gif|jpg|jpeg|png|swf|pif|pdf|css|csv)
Common Web site scripts     dynamic,^[^?]+[.](?:cgi|aspx?|jsp|php|pl)(?:[?].*)?$
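The precedence described above, as an added worked example (not part of the guide and not ACOS code): a Python model of the URI Black List / URI White List decision using a subset of the default patterns from Table 4 and the three rules from Table 5. It assumes both checks are enabled, that the rules are applied to the raw request-URI string, and that matching is an unanchored search (the default patterns supply their own ^ where they need it). Python's re module stands in for the PCRE subset ACOS uses, and the request URIs in the demonstration are constructed.

```python
import re

# Subset of the default uri_blist_defs rules (Table 4), name -> PCRE pattern.
URI_BLACK_LIST = {
    "access":    r"^[^?]*(?:htaccess|access_log)(?:[.][^/?]*)?(?:[~])?(?:[?].*)?$",
    "pwd_file":  r"^[^?]*(?:passwd|passwords?)(?:[.][^/?]*)?(?:[?].*)?$",
    "script":    r"^[^?]*[.](?:cgi|pl|php|bat)(?:[/?].*)?[|]",
    "unix_file": r"[\\/]etc[\\/](?:passwd|group|hosts)",
    "unix_core": r"/core(?:/.*)?$",
}

# The default uri_wlist_defs rules (Table 5).
URI_WHITE_LIST = {
    "root":    r"^/$",
    "static":  r"^[^?]+[.](?:html?|shtml|js|gif|jpg|jpeg|png|swf|pif|pdf|css|csv)",
    "dynamic": r"^[^?]+[.](?:cgi|aspx?|jsp|php|pl)(?:[?].*)?$",
}


def compile_rules(rules):
    """Compile a name -> pattern mapping, keeping file order."""
    return [(name, re.compile(pattern)) for name, pattern in rules.items()]


BLACK = compile_rules(URI_BLACK_LIST)
WHITE = compile_rules(URI_WHITE_LIST)


def first_hit(compiled, uri):
    """Name of the first rule whose pattern is found in the URI, or None."""
    for name, rx in compiled:
        if rx.search(uri):
            return name
    return None


def evaluate_uri(uri, black=BLACK, white=WHITE, whitelist_enabled=True):
    """Return (decision, reason) for one request URI.

    Order follows the guide: a black-list hit denies regardless of the white
    list; otherwise, with the white-list check enabled, the URI must match a
    white-list rule or it is denied.
    """
    hit = first_hit(black, uri)
    if hit is not None:
        return ("deny", "uri_blist:" + hit)
    if not whitelist_enabled:
        return ("allow", "no-uri-wlist-check")
    hit = first_hit(white, uri)
    if hit is not None:
        return ("allow", "uri_wlist:" + hit)
    return ("deny", "uri_wlist:no-match")


if __name__ == "__main__":
    # Constructed request URIs exercising each branch of the decision.
    for uri in ("/", "/tours/index.html", "/cgi-bin/search.cgi?q=tours",
                "/cgi-bin/search.cgi?q=tours|cat", "/etc/passwd", "/images/.htaccess",
                "/tmp/core", "/admin/console", "/x.css.php"):
        print("%-36s %s" % (uri, evaluate_uri(uri)))
```

Two things the run makes visible: the pipe-terminated CGI request is denied by the black list even though the dynamic white-list rule would have accepted it, and /x.css.php is accepted by the static rule because that expression has no end anchor. When you clone uri_wlist_defs for your own site, consider ending such rules with (?:[?].*)?$ as the dynamic rule does.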

Response Protection
This section describes policy-based security checks for outbound responses
from the Web server.

Allowed HTTP Response Codes

The WAF policy file “allowed_resp_codes” lists acceptable HTTP response
codes in outbound replies from the Web server. If the Hide Response Codes
option is enabled within the WAF template, then response codes that do not
match a value contained in the “allowed_resp_codes” file are cloaked in
replies.


Customize WAF Policy Files


Caution: Misconfigured PCRE expressions can negatively impact system per-
formance. Do not apply a PCRE expression to a WAF policy file
unless you are completely certain that the PCRE expression will
achieve the desired result.
You cannot remove or edit a pre-loaded WAF policy file. However, you can
quickly duplicate an existing file to an unused name and modify the con-
tents.
The following sections describe how to write PCRE patterns for customized
WAF policies. ACOS incorporates aspects of PCRE expressions for writing
WAF policies, but does not support full PCRE functionality.

Syntax Check
After the file is created or modified, a syntax check is automatically
performed on the file. If you modify a WAF policy file that is currently
bound to a WAF template and the file does not pass the syntax check, the
file is automatically restored to the previous version.

Files that do not pass the syntax check cannot be bound to a WAF template.
A policy file can fail the syntax check for various reasons, including the
following:
• Invalid PCRE syntax
• Duplicate policies (the same PCRE expression appearing more than once)
• A parenthesized group that is not marked as non-capturing with “?:”;
for example:
(a|b) – Incorrect
instead of
(?:a|b) – Correct


Using the GUI


1. Navigate to Config Mode > Security > WAF > Definition.
A table of configured WAF policy files appears:

Note: You can click on the name of an existing file to edit it in the GUI. You can
delete an existing file by selecting the checkbox located on the left of its
name, then clicking the Delete button.

Note: You can copy the contents of an existing policy file by selecting the
checkbox located on the left of its name, then clicking the Clone button.

2. To create a new WAF policy file:
a. Click Add. The WAF Definition creation page appears.
b. Optionally, select the Copy Available WAF definition checkbox and select
the name of a default WAF policy file from the drop-down menu.
c. In the Name field, enter a name for the WAF policy file.
d. In the Definition field, enter the list of policy rules. Each entry of a
WAF policy file is written as name,PCRE-expression (see “Writing PCRE
Expressions” on page 77).
e. Click OK.

3. To edit an existing WAF policy file:
a. Click the name of a configured policy file.
b. In the Definition field, modify the policy file’s content.
c. Click OK.


Using the CLI


This section describes procedures to create, edit, or manage WAF policy
files in the CLI.

Configure Policy Files

To configure a WAF policy file using the CLI:


1. Enter the following command at the global configuration level:
waf edit file-name
For the file-name option, enter the name of an existing WAF policy file to
edit that file, or an unused name to create a new WAF policy file. Do not
include the “.waf” extension in the file name; it is added automatically
when the file is created.
The CLI enters the input mode for the policy file.

Note: You cannot modify default files. If you enter the name of a pre-loaded
WAF policy for file-name, the following message is displayed:
Editing of default WAF policy file not allowed.

2. Type or copy-and-paste the policy rules for the file, one
name,PCRE-expression per line. If you type the rules, press the Enter key
at the end of each line. For information about writing PCRE expressions,
see “Writing PCRE Expressions” on page 77.

3. To save the file and complete the input process, press the Escape key,
type “:wq” or “ZZ” and press Enter. Alternatively, type “:q!” to exit
without saving the file.

Syntax Checks

After you finish entering the policy text, the CLI performs a syntax check
and displays one of the following messages:
• WAF file-name edited; syntax check passed. –
Indicates the syntax is valid for file-name.
• WAF policy syntax error. Line n: –
Indicates a failed syntax check and reports the line (n) with invalid
syntax.


Manage Files

The following commands allow you to manage WAF policy files.

Copy Files

Use the following command to copy a WAF policy to a new file name:

waf copy source-name destination-name

For the source-name option, use the name of an existing WAF policy.

For the destination-name option, enter an unused name for the copied file.

Rename Files

Use the following command to rename a WAF policy file:

waf rename old-name new-name

Delete Files

Enter the following command to delete a WAF policy file:

waf delete file-name

Note: You cannot rename, edit, or delete default files. However, you can copy a
default WAF policy file and customize its contents to fit your specific
demands.


Writing PCRE Expressions


The following section provides guidelines for writing WAF policy files
which the WAF can use to search for attack patterns or define policy rules.

General Guidelines

This section summarizes common characters used in PCRE expressions and
provides a quick reference to basic PCRE syntax. To learn more about writing
detailed PCRE expressions, consult outside reference material.

Caution: Misconfigured PCRE expressions can negatively impact system
performance. Do not apply a PCRE expression to a WAF policy file unless you
are completely certain that the PCRE expression will achieve the desired
result.

PCRE Characters
Table 6 describes frequently used characters in PCRE expressions.

TABLE 6 PCRE Characters


Character Purpose
\ Escape character.
^ Start of a subject or line.
$ End of a subject or line.
. Matches with any type of character.
- Character range. Use this symbol within square brackets.
For example, [a-f] will indicate the range a, b, c, d, e, f.
[ Start of a character class definition.
] End of a character class definition.
| Logical “or” operator.
For example, (yellow | red | orange) will return true if either yel-
low, red, or orange is found.
( Start of a sub-pattern.
) End of a sub-pattern.
* Quantifier for a value of 0 or more.
+ Quantifier for a value of 1 or more.
{ Start of a minimum or maximum quantifier.
} End of a minimum or maximum quantifier.

Enclose Patterns
You can enclose patterns with any non-alphanumeric character that is not a
backslash \ or whitespace. You can also use special symbols that may other-
wise carry an alternative function as long as the same symbol is used in the
beginning and end of the string.

Table 7 displays a few valid examples of enclosed expressions:

TABLE 7 PCRE Syntax – Enclose Patterns


Character Example
+ +positive+
/ /ahoy/
# #numeric#
% %percentages%
! !eep!

Basic Syntax
WAF policy files consist of PCRE expressions and comment lines. Lines
with PCRE expressions are structured as follows:
name,PCRE expression

The name is a string that you can use to title the line. Follow the name
with a comma “,” and then write the PCRE expression, as shown below:
FromDefaultBlackList,^[^?]*[.]htx

Note: Everything following the comma is included in the PCRE expression.
Do not include whitespace after the comma unless it is intended as part of
the expression.

Comments
To insert a comment into the policy file, enter a pound character ‘#’ at
the beginning of the comment line:
example_expression,^[^?]*/[?]wp-
# comment
...

Alternatively, you can enter a comment in-line, inside an expression, using
the PCRE comment-group syntax:
(?# comment)

The comment string is ignored in pattern matching. Note the “?”: a group
written as (# comment) is a capturing group, which fails the syntax check.
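To make the file format and the rules listed under “Syntax Check” concrete, here is an added example (not ACOS code and not from the guide) of a Python checker that reads a policy file in the name,PCRE format, skips # comment lines, and rejects the three failure cases the guide lists: invalid expressions, duplicate expressions, and capturing groups written (a|b) instead of (?:a|b). Python's re module stands in for the PCRE subset ACOS supports, so an expression this checker accepts could still be rejected by ACOS. SAMPLE_POLICY is constructed for the example; its last line is a bot_defs-style alternation that includes the three bots added in the example later in this chapter.

```python
import re


class PolicySyntaxError(ValueError):
    """Mirrors the CLI's 'WAF policy syntax error. Line n:' report."""

    def __init__(self, lineno, reason):
        super().__init__("WAF policy syntax error. Line %d: %s" % (lineno, reason))
        self.lineno = lineno
        self.reason = reason


def _find_capturing_group(pattern):
    """0-based column of the first unescaped '(' not written as '(?...', else -1.

    Escaped characters and character classes such as [(] are skipped, so only a
    real capturing group trips the check.
    """
    i, in_class = 0, False
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            i += 2
            continue
        if in_class:
            in_class = c != "]"
        elif c == "[":
            in_class = True
        elif c == "(" and not pattern.startswith("(?", i):
            return i
        i += 1
    return -1


def parse_policy_file(text):
    """Return [(name, pattern, compiled_regex)] in file order, or raise PolicySyntaxError."""
    rules, seen = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip("\r\n")
        if not line.strip() or line.lstrip().startswith("#"):   # blank or comment line
            continue
        name, comma, pattern = line.partition(",")
        if not comma or not name or not pattern:
            raise PolicySyntaxError(lineno, "expected name,PCRE-expression")
        # Everything after the comma is the expression, whitespace included.
        col = _find_capturing_group(pattern)
        if col >= 0:
            raise PolicySyntaxError(lineno, "capturing group at column %d; use (?:...)" % (col + 1))
        if pattern in seen:
            raise PolicySyntaxError(lineno, "duplicate of line %d" % seen[pattern])
        try:
            compiled = re.compile(pattern)
        except re.error as err:
            raise PolicySyntaxError(lineno, "invalid PCRE: %s" % err)
        seen[pattern] = lineno
        rules.append((name, pattern, compiled))
    return rules


def check_policy(text):
    """None when the file passes the syntax check, else the error message."""
    try:
        parse_policy_file(text)
    except PolicySyntaxError as err:
        return str(err)
    return None


def first_match(rules, subject):
    """Name of the first rule found in the subject (a URI, a User-Agent, ...), or None."""
    for name, _pattern, rx in rules:
        if rx.search(subject):
            return name
    return None


# Constructed policy file: two rules in the style of uri_blist_defs plus a
# bot_defs-style alternation.
SAMPLE_POLICY = r"""
# custom rules (constructed for this example)
webhits_sd,^[^?]*null[.]htw
unix_file,[\\/]etc[\\/](?:passwd|group|hosts)
bots,(?:builtbottough|bunnyslippers|cherrypicker|brewster|nook|peanut)
"""

if __name__ == "__main__":
    rules = parse_policy_file(SAMPLE_POLICY)
    print([name for name, _, _ in rules])
    print(first_match(rules, "Mozilla/5.0 (compatible; brewster/1.0)"))
    for bad in ("cmd,(ls|rm|cat)", "a,^/$\nb,^/$", "x,[unterminated"):
        print(check_policy(bad))
```

Running a file through a checker like this before pasting it into waf edit avoids the round trip in which ACOS rejects the file and silently restores the previous version of a bound policy.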

Example Applications

Outlined below are various examples of PCRE expressions.

Attack Patterns
You can create customized WAF policies with search criteria for attack
patterns.
• Use the “|” symbol as a separator in lists of elements. Traffic matches a
policy rule if it matches any of the elements delimited by “|”. For example,
(?:apples|oranges) is read as a single object that is triggered when either
“apples” or “oranges” is found in traffic. Do not put spaces around “|”
unless the spaces are meant to be matched: (apples | oranges) matches
“apples ” and “ oranges”, including the surrounding spaces.
• Group alternatives with non-capturing parentheses, (?: ... ), as the syntax
check requires. Juxtaposed groups are matched in sequence, not as separate
objects: (?:apples) (?:oranges) matches only the string “apples oranges”.

Example: The following example uses a segment of the “bot_defs” file.

(builtbottough|bunnyslippers|capture|cegbfeieh|cherrypicker|cheesebot|chinaclaw|cicc|civa|clipping|collage|collector|copyrightcheck|cosmos|crescent|custo|cyberalert|deweb|diagem|digger|digimarc|diibot|directupdate|disco|dittospyder|download accelerator|download demon|download wonder)

To add three additional known bots under the names “brewster”, “nook” and
“peanut”, you would modify the policy file as follows. The additions are
brewster, nook and peanut; their position within the alternation does not
affect matching:
(builtbottough|bunnyslippers|capture|cegbfeieh|cherrypicker|cheesebot|chinaclaw|cicc|civa|clipping|collage|collector|brewster|nook|copyrightcheck|cosmos|crescent|custo|cyberalert|deweb|diagem|digger|digimarc|diibot|directupdate|disco|dittospyder|download accelerator|download demon|download wonder|peanut)

Policy Rules
You can write WAF policy files to list more complicated policy rules. The
following examples illustrate the various rules that you can create as a
PCRE expression.

Example: This example defines a rule for the URI Black List. The rule denies
user requests to access the image server at img.example.com directly:
^http://img[.]example[.]com$

Example: This example defines a rule for the URI Black List. The rule denies
user requests to access CGI (.cgi) or Perl (.pl) scripts directly:
^http://www[.]example[.]com/(?:[0-9A-Za-z][0-9A-Za-z_-]*/)*[0-9A-Za-z][0-9A-Za-z_.-]*[.](?:cgi|pl)

Example: The following PCRE expression looks for strings that resemble a Cal-
ifornia driver’s license ID number. This policy rule can be used in
conjunction with the PCRE mask option to mask strings that match
the expression:
[A-Za-z][0-9]{7,7}
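Here is an added example (not A10 code and not from the guide) that models the pcre-mask option from the WAF template section with the California driver's license pattern above: it rejects the unbounded quantifiers * and + unless escaped, as the pcre-mask syntax check does, and then rewrites each match honouring keep-start, keep-end and the mask character. It additionally refuses open-ended {n,} quantifiers, which the guide does not mention but which are equally unbounded; that extra check is this example's own. Python's re stands in for the PCRE subset on ACOS, and the response text is constructed.

```python
import re


class MaskPatternError(ValueError):
    """Pattern would be rejected by the pcre-mask sy ntax check.""".replace(" ", "") if False else None


class MaskPatternError(ValueError):
    """Pattern would be rejected by the pcre-mask syntax check."""


def check_mask_pattern(pattern):
    """Compile a pcre-mask pattern after rejecting unbounded quantifiers.

    Unescaped '*' and '+' fail, as in the guide; their escaped forms are
    literal characters. Open-ended '{n,}' is also refused here (this
    example's own rule, not one the guide states).
    """
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            i += 2                      # skip the escaped character
            continue
        if c in "*+":
            raise MaskPatternError("unbounded quantifier %r at column %d" % (c, i + 1))
        if c == "{" and re.match(r"\{\d+,\}", pattern[i:]):
            raise MaskPatternError("open-ended quantifier at column %d" % (i + 1))
        i += 1
    return re.compile(pattern)


def pcre_mask(body, pattern, keep_start=0, keep_end=0, mask="x"):
    """Replace every match of pattern in body with mask characters, leaving
    keep_start characters at the front and keep_end at the back unmasked."""
    rx = check_mask_pattern(pattern)

    def _mask(m):
        s = m.group(0)
        tail_start = max(len(s) - keep_end, 0)
        if keep_start >= tail_start:     # keep-start/keep-end cover the whole match
            return s
        return s[:keep_start] + mask * (tail_start - keep_start) + s[tail_start:]

    return rx.sub(_mask, body)


# Fixed-length California driver's license pattern from the guide.
CA_DL = r"[A-Za-z][0-9]{7,7}"

# Constructed response text for the example.
RESPONSE_BODY = "Licence on file: A1234567 (renewed). Previous: B7654321."

if __name__ == "__main__":
    print(pcre_mask(RESPONSE_BODY, CA_DL))
    print(pcre_mask(RESPONSE_BODY, CA_DL, keep_start=1, keep_end=2, mask="#"))
    for bad in (r"[0-9]+", r"[A-Z][0-9]*", r"[0-9]{7,}"):
        try:
            check_mask_pattern(bad)
        except MaskPatternError as err:
            print("rejected:", bad, "-", err)
```

The license pattern has no boundary assertions, so it also masks the first eight characters of a longer alphanumeric run such as X12345678; the guide does not say whether the ACOS PCRE subset accepts \b, so test any boundary-tightened version on the appliance before relying on it.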


Overriding a WAF Template

You can configure ACOS to override the WAF settings applied to the
HTTP/HTTPS virtual port with another set of WAF settings, using an HTTP
policy template. You can configure rules in the HTTP template to match on
URLs, hostnames, or cookie names in traffic.

To configure WAF override:

1. Configure a second WAF template with the alternative settings to use.
See either of the following:
• Using the GUI – “Configure a WAF Template” on page 38
• Using the CLI – “Create a WAF Template” on page 51

2. Configure an HTTP policy template. Within the template:
• Configure match rules. You can match on one or more of the following:
• Requested URL
• Requested hostname
• Cookie name within request
• Add (bind) the second WAF template to the HTTP policy template.

3. Bind the HTTP policy template to the virtual port.

Note: For the WAF to operate, it is still required to bind a WAF template
directly to the virtual port, to use as the virtual port’s primary WAF tem-
plate. HTTP policy templates can be used only to override the primary
WAF template with secondary WAF template, based on the match rules in
the HTTP policy template.


Configure an HTTP Policy Template


Within an HTTP policy template, you can configure rules that match on
URLs, hostnames, or cookie names. Requests that match a rule in the HTTP
policy template are handled using the alternative WAF template that you
bind to the HTTP policy template.

Match Options
• Equals string – matches only if the URL, hostname, or cookie
name completely matches the specified string.
• Starts-with string – matches only if the URL, hostname, or
cookie name starts with the specified string.
• Contains string – matches if the specified string appears any-
where within the URL, hostname, or cookie name.
• Ends-with string – matches only if the URL, hostname, or
cookie name ends with the specified string.

These match options are always applied in the order shown above, regard-
less of the order in which the rules appear in the configuration. The WAF
template associated with the rule that matches first is used.

If a template has more than one rule with the same match option (equals,
starts-with, contains, or ends-with) and a URL matches on more than one of
them, the most-specific match is always used.
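As an added illustration (not ACOS code and not from the guide) of the two precedence rules just stated, the following Python function picks the WAF template for a request from a list of HTTP policy rules. The fixed equals, starts-with, contains, ends-with order is taken from the text; “most-specific match” is interpreted here as the longest match string among rules with the same operator, which is an assumption, as is the tie-break by configured order. The rule set and the requests are constructed.

```python
MATCH_ORDER = ("equals", "starts-with", "contains", "ends-with")


def _op_matches(op, subject, value):
    if op == "equals":
        return subject == value
    if op == "starts-with":
        return subject.startswith(value)
    if op == "contains":
        return value in subject
    if op == "ends-with":
        return subject.endswith(value)
    raise ValueError("unknown match option: %s" % op)


def select_waf_template(rules, request, primary_template):
    """Pick the WAF template for one request.

    rules:   [(rule_type, match_option, string, waf_template)] in configured
             order; rule_type is "url", "host" or "cookie".
    request: {"url": ..., "host": ..., "cookies": [cookie names]}.
    Returns the override template, or primary_template when no rule matches.
    """
    for op in MATCH_ORDER:                      # operator precedence, not configured order
        candidates = []
        for rule_type, rule_op, value, template in rules:
            if rule_op != op:
                continue
            subjects = request["cookies"] if rule_type == "cookie" else [request[rule_type]]
            if any(_op_matches(op, s, value) for s in subjects):
                candidates.append((len(value), template))
        if candidates:
            # Most-specific match = longest match string (assumption); the stable
            # sort keeps configured order as the tie-break.
            candidates.sort(key=lambda c: c[0], reverse=True)
            return candidates[0][1]
    return primary_template


# Constructed rule set, deliberately listed out of precedence order.
POLICY_RULES = [
    ("url",    "contains",    "/admin",          "waf-strict"),
    ("url",    "starts-with", "/admin/api/",     "waf-api"),
    ("url",    "starts-with", "/admin/",         "waf-admin"),
    ("host",   "equals",      "img.example.com", "waf-static"),
    ("cookie", "ends-with",   "_session",        "waf-session"),
]


def request(url, host="www.example.com", cookies=()):
    return {"url": url, "host": host, "cookies": list(cookies)}


if __name__ == "__main__":
    for r in (request("/admin/api/v1/users"), request("/admin/login"),
              request("/help/admin-guide.html"), request("/admin/x", host="img.example.com"),
              request("/", cookies=["user_session"]), request("/")):
        print(r["url"], r["host"], r["cookies"], "->",
              select_waf_template(POLICY_RULES, r, "waf-default"))
```

The /admin/x request on img.example.com shows why the fixed order matters: the host equals rule wins over the url starts-with rule although the url rule is configured first, so a lenient template bound to a broad equals rule can silently override a stricter starts-with rule.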

USING THE GUI


1. Select Config Mode > Security > WAF > Template > HTTP Policy.

2. Click Add to create a new template. To edit an existing template, click
on the template name instead.

3. Enter a name for the template in the Name field.

4. Configure rules for matching:
a. Select the rule type from the Type drop-down list:
• URL
• Host
• Cookie Name

b. Select the match operation from the Match Type drop-down list:
• Starts With
• Ends With
• Contains
• Equals
c. Enter the match pattern in the Match field.
d. From the WAF drop-down list, select the WAF template to which to
bind this HTTP policy template. The WAF template you select will
be used for traffic that matches the rule.
e. Click Add.
f. Repeat for each rule.

5. Click OK.

USING THE CLI


To configure an HTTP policy template, enter the following command at the
global configuration level of the CLI:

[no] slb template http-policy template-name

This command changes the CLI to the configuration level for the template,
where the following commands related to WAF override are available:

url {equals | starts-with | contains | ends-with} url-string template waf-template-name

host {contains | ends-with | equals | starts-with} host-name template waf-template-name

cookie {contains | ends-with | equals | starts-with} cookie-name template waf-template-name


Bind the HTTP Policy Template to the Virtual Port


The HTTP policy does not take effect until you bind it to the HTTP/HTTPS
virtual port.

USING THE GUI


1. Select Config Mode > SLB > Service > Virtual Server.

2. Click on the virtual server name. (If you are configuring a new virtual
server, click Add instead.)

3. If configuring a new virtual server, enter the name and IP address.

4. In the Port section, select the virtual port and click Edit. (If adding a new
port, click Add instead.)

5. If configuring a new virtual port, select the type from the Type drop-
down list, and enter the port number in the Port field.

6. Select the HTTP policy template from the HTTP Policy drop-down list.

7. Click OK to return to the main configuration page for the virtual server.

8. Click OK to finish the virtual server changes.

USING THE CLI

To bind the HTTP policy template to a virtual service port, enter the
following command at the configuration level for the port:

template http-policy template-name

The virtual port must also have its primary WAF template bound directly
(template waf template-name); the HTTP policy template only selects the
override template for requests that match one of its rules.

CLI Example
See “HTTP Virtual Port Configuration” on page 90.


WAF Statistics

The sections of this chapter describe GUI and CLI procedures to display
WAF statistics.

Note: Statistics counters increment from 0 after the most recent reboot or from
when the statistics were most recently cleared.

Displaying WAF Statistics


To display WAF statistics, use either of the following methods.

USING THE GUI


1. Navigate to Monitor Mode > Security > WAF. The WAF statistics page
appears.

2. To display a collection of statistics that are specific to an individual
virtual server:
a. From the Virtual Server drop-down menu, click the name of a configured
server.
b. From the Port drop-down menu, select the virtual port for which to
display WAF statistics.
By default, WAF statistics for all virtual servers are displayed.

3. Click the refresh button to update the display with the latest counters.
You can also set a data refresh rate so that the table is updated
automatically:
• 1 minute
• 5 minutes
• 10 minutes
• 30 minutes
By default, automatic refresh is disabled.

Caution: Setting a GUI window to automatically refresh its data will prevent
the web session from timing out. If you set a GUI page to automati-
cally refresh data, do not leave the session unattended if the PC is in
an unsecure location.


USING THE CLI

Displaying WAF Statistics

From the privileged EXEC level of the CLI, enter the following command
to display WAF statistics:

show slb waf [stats virtual-server-name portnum]

The stats virtual-server-name portnum option displays WAF statistics only
for the specified HTTP virtual port on the specified virtual server. If this
option is omitted, the command displays statistics for all virtual servers.

Displaying WAF Templates


To display WAF templates, use the following command:

show slb template waf [template-name | default | [template-name] all-partitions | [template-name] partition {shared | partition-name}]

The default option displays the default WAF template settings.

The all-partitions and partition options display the configured WAF
templates in the specified Application Delivery Partitions (ADPs).


Clearing WAF Statistics


To clear WAF statistics, use either of the following methods.

USING THE GUI


1. Navigate to Monitor Mode > Security > WAF. The WAF statistics page
appears.

2. Click the clear button. A dialog box displays.

3. Click OK.

USING THE CLI

To clear WAF statistics, enter the following command at the privileged
EXEC level of the CLI:

clear slb waf stats virtual-server-name portnum

The virtual-server-name and portnum options clear WAF statistics only for
the specified HTTP virtual port on the selected virtual server.


WAF Deployment and Logging Examples

This chapter provides some examples for WAF deployment. Since logging
is a crucial part of configuring and managing the WAF, the examples
include applicable log messages.

The following examples are provided:


• “Initial Configuration” on page 89

• “Learning” on page 92

• “Response Header Filtering” on page 97

• “SQLIA Check” on page 99

• “Cross-site Scripting Check” on page 99

• “Cookie Encryption” on page 101

Initial Configuration
The commands in this example configure the following resources:
• Logging configuration

• WAF template

• HTTP virtual port

Logging Configuration
The commands in this section configure the resources required for external
logging of WAF events.
To begin, the following commands configure external logging for the WAF.
A single log server is used. Log messages are sent over TCP.

A TCP-proxy template is used to periodically send keepalive probes to the
syslog port on the server. The keepalive probes prevent the TCP session
from aging out during periods of inactivity.

The following commands create the server configuration and add it to a
TCP service group:
ACOS(config)#slb server waf-log1 10.10.10.22
ACOS(config-real server)#port 514 tcp
ACOS(config-real server-node port)#slb service-group waf-log tcp
ACOS(config-slb svc group)#member waf-log1:514

The following commands configure the TCP-proxy template, to enable
keepalive messages:
ACOS(config-slb svc group)#slb template tcp-proxy logtcp
ACOS(config-TCP proxy template)#keepalive-probes 4

The following commands configure the logging template. This includes
binding the TCP-proxy template to the logging template.
ACOS(config-TCP proxy template)#slb template logging waf-log
ACOS(config-logging)#service-group waf-log tcp
ACOS(config-logging)#template tcp-proxy logtcp

WAF Template Configuration


The following commands create a WAF template and bind the logging
template to the WAF template:
ACOS(config-logging)#slb template waf waf1
ACOS(config-waf)#template logging waf-log

HTTP Virtual Port Configuration


The following commands configure an HTTP virtual port and bind the WAF
template to the port.

To begin, the following commands create server configurations for the web
servers to be load balanced and protected by the WAF:
ACOS(config-waf)#slb server http1 20.20.25.11
ACOS(config-real server)#port 80 tcp
ACOS(config-real server-node port)#slb server http2 20.20.25.12
ACOS(config-real server)#port 80 tcp
ACOS(config-real server-node port)#exit
ACOS(config-real server)#exit

The following commands add the server configurations to a service group:
ACOS(config)#slb service-group http tcp
ACOS(config-slb svc group)#member http1:80
ACOS(config-slb svc group)#member http2:80

The following commands configure the virtual server and bind it to the ser-
vice group and WAF template:
ACOS(config-slb svc group)#slb virtual-server http-vip 20.20.25.130
ACOS(config-slb vserver)#port 80 http
ACOS(config-slb vserver-vport)#service-group http
ACOS(config-slb vserver-vport)#template waf waf1

At this point, the WAF is active.

Log Example
On the external log server, a message such as the following indicates
creation of the WAF template:
May 02 2013 18:03:06 Info [WAF]:CEF:0|A10|AX3200|2.7.1|WAF|config|2|msg="Template waf1 created"

Note: If external logging is not configured for the WAF, this message appears in
ACOS local log buffer instead.


Learning
The commands in this section use Learning Mode to dynamically set some
WAF options based on traffic.

Note: This example assumes that the VIP using the WAF template is not yet
receiving live traffic but is instead receiving known, valid traffic sent in
order to preset WAF parameters. The following caution explains why.

Caution: While Learning or Passive Mode is in operation, the WAF does not
block any traffic. Only Active Mode blocks traffic.

Enable Learning Mode


The following commands access the configuration level for the WAF
template, and change the mode to Learning Mode:
ACOS(config-logging)#slb template waf waf1
ACOS(config-waf)#deploy-mode learning
Switching to learning mode will reset all WAF template parameters and may
expose you to attacks if done in a production environment.
Are you sure you wish to proceed? (N/Y): y

Generate Traffic
On a client device, the following requests are generated and sent to the
HTTP virtual port:
curl -v http://20.20.25.130/tours/index.html
curl -v http://20.20.25.130/batblue.html
curl -v http://20.20.25.130/file_set/dir00000/about.html

View External Log

On the external log server, messages such as the following one indicate that
the WAF is setting some of its parameters based on the traffic:
Dec 22 17:13:03 CEF:0|A10|AX3200|2.7.1|WAF|http-check|2|src=20.20.25.10 spt=32462 dst=20.20.25.130 dpt=80 req="GET /tours/index.html HTTP/1.1" 0 msg="Learning: Updating allowed HTTP methods" cs1=waf1 act=n md=learn

This message indicates that the GET method was observed in the first
request sent to the HTTP virtual port, and that the Allowed HTTP Methods
list was updated with the method.

Here are some more examples:
Dec 22 17:13:03 CEF:0|A10|AX3200|2.7.1|WAF|buf-ovf|2|src=20.20.25.10 spt=32462 dst=20.20.25.130 dpt=80 req="GET /tours/index.html HTTP/1.1" 0 msg="Learning: Increasing max-url-len from 0 to 17" cs1=waf1 act=n md=learn
Dec 22 17:13:03 CEF:0|A10|AX3200|2.7.1|WAF|buf-ovf|2|src=20.20.25.10 spt=32462 dst=20.20.25.130 dpt=80 req="GET /tours/index.html HTTP/1.1" 0 msg="Learning: Increasing max-hdrs-len from 0 to 172" cs1=waf1 act=n md=learn
Dec 22 17:13:03 CEF:0|A10|AX3200|2.7.1|WAF|http-check|2|src=20.20.25.10 spt=32462 dst=20.20.25.130 dpt=80 req="GET /tours/index.html HTTP/1.1" 0 msg="Learning: Increasing max-hdrs from 0 to 3" cs1=waf1 act=n md=learn
...

View WAF Template Settings

The following command displays the current template settings:


ACOS(config-waf)#show run with-default | section waf
slb template waf waf1
...
allowed-http-methods "GET"
buf-ovf max-url-len 17
buf-ovf max-hdrs-len 172
max-hdrs 3
...
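The following Python model is added to this guide to show what the Learning Mode messages above amount to; it is not ACOS code. Known-good requests widen the template's allowed-http-methods, max-url-len, max-hdrs-len and max-hdrs thresholds, and after the switch to Active Mode a request is checked against the learned values. The way ACOS counts header bytes is not documented on this page, so the byte count of the header lines used for max-hdrs-len here is an assumption, as are the WafTemplate, learn and check names; the request heads are constructed to resemble the curl requests above.

```python
"""Model of Learning Mode and Active Mode for a few WAF template thresholds.

Added illustration, not ACOS code. Known-good requests widen the template's
allowed-http-methods, max-url-len, max-hdrs-len and max-hdrs (Learning Mode);
later requests are checked against the result (Active Mode). max-hdrs-len is
the byte count of the header lines, which is this example's assumption.
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    url: str
    headers: dict


@dataclass
class WafTemplate:
    deploy_mode: str = "learning"           # learning | passive | active
    allowed_http_methods: set = field(default_factory=set)
    max_url_len: int = 0
    max_hdrs_len: int = 0
    max_hdrs: int = 0


def parse_request(raw: str) -> Request:
    """Parse a request head: "METHOD url HTTP/1.1" plus header lines, CRLF separated."""
    request_line, *lines = raw.split("\r\n")
    method, url, _version = request_line.split(" ")
    headers = {}
    for line in lines:
        if not line:                        # blank line ends the head
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return Request(method, url, headers)


def header_bytes(req: Request) -> int:
    return sum(len(f"{name}: {value}") for name, value in req.headers.items())


def observed_limits(req: Request):
    """(template attribute, CLI keyword, observed value) for each learned threshold."""
    return (
        ("max_url_len", "max-url-len", len(req.url)),
        ("max_hdrs_len", "max-hdrs-len", header_bytes(req)),
        ("max_hdrs", "max-hdrs", len(req.headers)),
    )


def learn(tpl: WafTemplate, req: Request) -> list:
    """Learning Mode: widen thresholds to cover a known-good request; returns log messages."""
    msgs = []
    if tpl.deploy_mode != "learning":
        return msgs
    if req.method not in tpl.allowed_http_methods:
        tpl.allowed_http_methods.add(req.method)
        msgs.append("Learning: Updating allowed HTTP methods")
    for attr, keyword, observed in observed_limits(req):
        current = getattr(tpl, attr)
        if observed > current:
            setattr(tpl, attr, observed)
            msgs.append(f"Learning: Increasing {keyword} from {current} to {observed}")
    return msgs


def check(tpl: WafTemplate, req: Request) -> list:
    """Return the checks a request violates (empty list = passes). Only Active
    Mode acts on them; Passive Mode would log them and forward the request."""
    violations = []
    if req.method not in tpl.allowed_http_methods:
        violations.append("allowed-http-methods")
    for attr, keyword, observed in observed_limits(req):
        if observed > getattr(tpl, attr):
            violations.append(keyword)
    return violations


# Constructed request heads, shaped like the three curl requests above.
CURL_HEADERS = "Host: 20.20.25.130\r\nUser-Agent: curl/7.29.0\r\nAccept: */*\r\n\r\n"
KNOWN_GOOD = [
    "GET /tours/index.html HTTP/1.1\r\n" + CURL_HEADERS,
    "GET /batblue.html HTTP/1.1\r\n" + CURL_HEADERS,
    "GET /file_set/dir00000/about.html HTTP/1.1\r\n" + CURL_HEADERS,
]


def run_learning_then_active():
    """Learn from KNOWN_GOOD, switch to Active Mode, then check one over-long POST."""
    tpl = WafTemplate()
    log = []
    for raw in KNOWN_GOOD:
        log.extend(learn(tpl, parse_request(raw)))
    tpl.deploy_mode = "active"              # like: ACOS(config-waf)#deploy-mode active
    probe = parse_request("POST /" + "a" * 100 + " HTTP/1.1\r\nHost: 20.20.25.130\r\n\r\n")
    return tpl, log, check(tpl, probe)


if __name__ == "__main__":
    template, messages, violations = run_learning_then_active()
    print("\n".join(messages))
    print(template)
    print("probe violations:", violations)
```

The first request yields the same first two messages as the log above (the GET method, then max-url-len rising from 0 to 17, the length of /tours/index.html); the longest of the three paths sets the final max-url-len, which is why Learning Mode should only see traffic that is known to be valid.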


Generate Allowed URL Paths for the URL Check


An additional WAF parameter you can set during Learning Mode is the
URL Check. The URL Check prevents users from navigating directly to any
URL paths other than the ones explicitly defined by the URL Check policy
file.
To configure the URL Check:
1. Set the WAF to Learning Mode.

2. Enable the URL Check within a WAF template.

3. Send secure traffic to the Web site. This step will generate a WAF policy
file of acceptable URL paths.

4. After the URL Check policy file is complete, change the WAF
operational mode to Active to enforce the URL Check on client requests.

Configuration Example

The following example outlines steps for customizing the URL Check in
learning mode and enforcing the check for your Web site.

Create the URL Check Policy File


1. The following commands set the WAF to learning mode and enable the
URL Check option in the WAF template:
ACOS(config)#slb template waf w1
ACOS(config-waf)#deploy-mode learning
Switching to learning mode will reset all WAF template parameters and may
expose you to attacks if done in a production environment.
Are you sure you wish to proceed? (N/Y): Y
ACOS(config-waf)#url-check

Note: In this example, the WAF template “w1” is bound to a virtual server with
the IP address 192.168.25.130.

2. Send secure traffic from a client. In this example, traffic from the client
is sent to the following addresses:
http://192.168.25.130/tours/index.html
http://192.168.25.130/batblue.html
http://192.168.25.130/file_set/dir00000/about.html

3. Check the logs on the external log server. The log should contain a
message such as the following, for each URL path requested:
Dec 22 17:13:03 CEF:0|A10|AX3200|2.7.1|WAF|url-check|2|src=192.168.25.10 spt=32462 dst=192.168.25.130 dpt=80 req="GET /example/index.html HTTP/1.1" 0 msg="Learning: Updating allowed URLs" cs1=waf1 act=n md=learn

4. The log will contain similar messages for each URL path clients are
allowed to access. The following commands verify that the URL Check
policy file is created and display the contents of the file:
ACOS(config-waf)#show waf-policy
Total WAF policy number: 14
Max WAF policy file size: 32K
Name                    Syntax    Template
------------------------------------------------------------------------
_w1_url_check_          Check     Bind
allowed_resp_codes      Check     Bind
bot_defs                Check     Bind
jscript_defs            Check     Bind
...

ACOS(config-waf)#show waf-policy _w1_url_check_
Name: _w1_url_check_
Syntax: Check

In WAF Template:
w1 (for url-check)

Content:
Matches   Value
--------------------------------------------------------------------------
1         /tours/
1         /batblue.html
1         /file_set/dir00000/

Apply the URL Check

5. Change the WAF deployment mode. (See “Save Template Settings” on
page 96.) When you change the deployment mode from Learning Mode,
ACOS writes the observed URL paths into a policy file. The URL
Check will start operating.
ACOS(config-waf)#slb template waf w1
ACOS(config-waf)#deploy-mode active

Note: In Passive Mode, requests for other URL paths still are allowed, but they
are logged. The URL path list is enforced only while the URL Check is
enabled and the WAF template is in Active Mode.

6. Optionally, edit the contents of the URL Check policy file to explicitly
define acceptable URI paths.

Note: The contents of the URL Check policy file are first generated in Learning
Mode. After that, you can remove URL paths from the policy file or define
additional ones. You cannot create the URL Check policy file without first
deploying a WAF template in Learning Mode with the URL Check
enabled.
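The following Python example is added to this guide to illustrate how the URL Check policy above is derived from observed paths and then enforced; it is not ACOS code. It maps each request path to a policy entry the way the show waf-policy output does (a file under a directory contributes the directory, a file at the root contributes the file itself), counts matches per entry, and admits only covered paths in Active Mode. Paths are normalized first so that a request for /tours/../admin/x is judged as /admin/x; that normalization step, and the function names, are this example's assumptions.

```python
"""URL Check policy derivation and enforcement (added illustration, not ACOS code).

Learning Mode maps each observed path to a policy entry the way the
show waf-policy output above does: "/tours/index.html" -> "/tours/",
"/batblue.html" -> "/batblue.html". Active Mode then admits only paths
covered by an entry. Normalizing "." and ".." first is this example's assumption.
"""
import posixpath
from urllib.parse import urlsplit


def normalize_path(url: str) -> str:
    """Drop the query string and collapse "." and ".." segments."""
    path = urlsplit(url).path or "/"
    clean = posixpath.normpath(path)
    return clean if clean.startswith("/") else "/" + clean


def policy_entry(url: str) -> str:
    """Directory entry for a file inside a folder, the file itself at the root."""
    clean = normalize_path(url)
    directory = posixpath.dirname(clean)
    return clean if directory == "/" else directory + "/"


def learn_url_check(urls) -> dict:
    """Learning Mode: {entry: matches}, mirroring the Matches/Value table above."""
    policy = {}
    for url in urls:
        entry = policy_entry(url)
        policy[entry] = policy.get(entry, 0) + 1
    return policy


def url_allowed(policy: dict, url: str) -> bool:
    clean = normalize_path(url)
    for entry in policy:
        if entry.endswith("/"):                         # directory entry: prefix match
            if clean.startswith(entry) or clean + "/" == entry:
                return True
        elif clean == entry:                            # file entry: exact match
            return True
    return False


def url_check(policy: dict, url: str, deploy_mode: str):
    """Return (action, log message). Only Active Mode denies; Passive Mode logs
    and forwards the request; Learning Mode never blocks."""
    if url_allowed(policy, url):
        return "allow", None
    message = f"URL {normalize_path(url)} not in allowed URLs"
    if deploy_mode == "active":
        return "deny", message
    return "allow", f"{message} (md={deploy_mode}, not enforced)"


# Constructed: the three paths requested from the client in step 2 above.
OBSERVED = ["/tours/index.html", "/batblue.html", "/file_set/dir00000/about.html"]

if __name__ == "__main__":
    policy = learn_url_check(OBSERVED)
    for entry, matches in policy.items():
        print(f"{matches:<9} {entry}")
    for probe in ["/tours/other.html?x=1", "/tours/../admin/secret.html"]:
        print(probe, url_check(policy, probe, "active"))
```

A request for /tours/other.html is accepted because the learned entry is the directory /tours/, while /tours/../admin/secret.html is denied after normalization; the URL Options in Table 8 (remove-selfref, decoding of escaped characters) exist for the same reason.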

Save Template Settings


To “lock down” WAF template settings configured by Learning Mode,
change the mode. The following command changes to Passive Mode:
ACOS(config-waf)#deploy-mode passive

In Passive Mode, WAF checks are performed but the filter actions are not
applied. Requests to the HTTP virtual port are logged but are sent to the
server without being altered. (For more information, see “WAF Operational
Modes” on page 27.)


Response Header Filtering


Header Response Filtering removes the Web server’s identifying headers in
outgoing responses. This information can be exploited by hackers to send an
attack targeted specifically to your server’s operating system (OS).

Header That Includes OS-identifying Fields


Here is an example of header fields in the HTTP response from a server.
The Server, X-Powered-By, X-AspNet-Version, and X-AspNetMvc-Version
fields provide information about the server OS.
< HTTP/1.1 200 OK
< Transfer-Encoding: chunked
< Content-Type: text/html
< Server: hpd
< X-Powered-By: Cavisson
< X-AspNet-Version: 1.0
< X-AspNetMvc-Version: 2.0
< Cache-Control: public, max-age=100
< Age: 52
< Via: AX-CACHE-2.7:130
<
...

Header Without OS-identifying Fields


Here is the same excerpt from the server response, with the OS-identifying
headers removed:
< HTTP/1.1 200 OK
< Transfer-Encoding: chunked
< Content-Type: text/html
< Cache-Control: public, max-age=100
< Age: 0
< Via: AX-CACHE-2.7:130
...

The response received by the client does not contain the OS-identifying
headers.
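The following Python function is added to this guide to show the filtering step that turns the first response into the second; it is not ACOS code. The four header names it removes are the ones that disappear between the two responses above; the function name and the constructed sample response are this example's own.

```python
"""Response header filtering, in the spirit of filter-resp-hdrs (added illustration,
not ACOS code). The names removed are the four that disappear between the two
responses above; every other header passes through unchanged."""

IDENTIFYING_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}


def filter_response_headers(raw_response: str, blocklist=IDENTIFYING_HEADERS):
    """Return (filtered response, names of removed headers).

    Only the head (status line and headers) is inspected; the body after the
    blank line is passed through unchanged."""
    head, separator, body = raw_response.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    kept, removed = [status_line], []
    for line in header_lines:
        name = line.split(":", 1)[0].strip()
        if name.lower() in blocklist:            # header names are case-insensitive
            removed.append(name)
        else:
            kept.append(line)
    return "\r\n".join(kept) + separator + body, removed


def filter_log_messages(removed) -> list:
    """One message per removed header, in the wording of the external log."""
    return [f"Header {name} filtered" for name in removed]


# Constructed response in the shape of the server response shown above.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Transfer-Encoding: chunked\r\n"
    "Content-Type: text/html\r\n"
    "Server: hpd\r\n"
    "X-Powered-By: Cavisson\r\n"
    "X-AspNet-Version: 1.0\r\n"
    "X-AspNetMvc-Version: 2.0\r\n"
    "Cache-Control: public, max-age=100\r\n"
    "Age: 52\r\n"
    "Via: AX-CACHE-2.7:130\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    filtered, removed = filter_response_headers(SAMPLE_RESPONSE)
    print(filtered)
    print("\n".join(filter_log_messages(removed)))
```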


Enable Header Response Filtering


The following commands access the configuration level for the WAF
template and enable Header Response Filtering:
ACOS(config)#slb template waf waf1
ACOS(config-waf)#filter-resp-hdrs

View External Log


Messages in the external WAF log indicate when header fields are removed
by Header Response Filtering:
Dec 22 16:36:33 CEF:0|A10|AX3200|2.7.1|WAF|filter-resp-hdrs|6|src=20.20.25.10 spt=31027 dst=20.20.25.130 dpt=80 req="GET /tours/index.html HTTP/1.1" 0 msg="Header Server filtered" cs1=waf1 act=deny md=active
Dec 22 16:36:33 CEF:0|A10|AX3200|2.7.1|WAF|filter-resp-hdrs|6|src=20.20.25.10 spt=31027 dst=20.20.25.130 dpt=80 req="GET /tours/index.html HTTP/1.1" 0 msg="Header X-Powered-By filtered" cs1=waf1 act=deny md=active
Dec 22 16:36:33 CEF:0|A10|AX3200|2.7.1|WAF|filter-resp-hdrs|6|src=20.20.25.10 spt=31027 dst=20.20.25.130 dpt=80 req="GET /tours/index.html HTTP/1.1" 0 msg="Header X-AspNet-Version filtered" cs1=waf1 act=allow md=active
Dec 22 16:36:33 CEF:0|A10|AX3200|2.7.1|WAF|filter-resp-hdrs|6|src=20.20.25.10 spt=31027 dst=20.20.25.130 dpt=80 req="GET /tours/index.html HTTP/1.1" 0 msg="Header X-AspNetMvc-Version filtered" cs1=waf1 act=deny md=active


SQLIA Check
The SQLIA Check protects against SQL commands hidden in requests sent
to database servers. The check looks for SQL code in form arguments,
URLs, and cookies. In general, these places are not supposed to contain
SQL code.

Enable the SQLIA Check


The following commands access the configuration level for the WAF
template and enable the SQLIA Check. In this example, the sanitize option is
used. This option removes the SQL and then forwards the request.
ACOS(config)#slb template waf waf1
ACOS(config-waf)#sqlia-check sanitize

View External Log


The following log message indicates that SQL was detected in a request:
Dec 22 17:04:13 CEF:0|A10|AX3200|2.7.1|WAF|sqlia-check|6|src=20.20.25.10 spt=19170 dst=20.20.25.130 dpt=80 req="POST /tours/index.html HTTP/1.1" 7 msg="SQLIA pattern detected! 1=1-- matches #2 in rule2" cs1=waf1 act=deny md=active

Cross-site Scripting Check


The Cross-site Scripting Check (XSS Check) protects against cross-site
scripting attacks.

Enable the XSS Check


The following commands access the configuration level for the WAF
template and enable the XSS Check. In this example, the reject option is used.
This option logs the XSS attempt and then drops the request instead of
forwarding it to the server.
ACOS(config)#slb template waf waf1
ACOS(config-waf)#xss-check reject


View External Log


The following log message indicates that an XSS attempt was detected and
denied:
Dec 22 17:00:10 CEF:0|A10|AX3200|2.7.1|WAF|xss-check|6|src=20.20.25.10 spt=49251 dst=20.20.25.130 dpt=80 req="GET /tours/index.html HTTP/1.1" 0 msg="Cookie Cook1 contains javascript!" cs1=waf1 act=deny md=active

Since the reject option is used in the configuration, a Deny page such as the
one in “Deny page” on page 100 is sent to the client.

FIGURE 16 Deny page
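The WAF log messages in the Learning, Response Header Filtering, SQLIA Check, and Cross-site Scripting Check sections all share the CEF layout. The following Python parser is added to this guide to show how a log collector can break those lines into fields and summarize which checks denied traffic in Active Mode; it is not ACOS code. The header layout (version, vendor, product, version, signature, check name, severity, then key=value extensions) is read off the lines above; the bare number that follows req="..." in these lines carries no key and is skipped. The sample lines are copies of this chapter's examples joined onto single lines, plus one constructed non-CEF line.

```python
"""Parser for the CEF-style WAF log lines in this chapter (added illustration, not
ACOS code). Header: CEF:version|vendor|product|version|signature|check|severity|
followed by key=value extensions whose values may be double-quoted."""
import re
from collections import Counter

# key=value, where the value is either "quoted text" or a run of non-space characters
EXTENSION_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_cef_line(line: str):
    """Return a dict for one WAF CEF line, or None for lines that are not CEF."""
    start = line.find("CEF:")
    if start < 0:
        return None
    fields = line[start + len("CEF:"):].split("|", 7)
    if len(fields) != 8:
        return None
    record = {
        "prefix": line[:start].strip(),          # syslog timestamp and anything before CEF:
        "cef_version": fields[0],
        "vendor": fields[1],
        "product": fields[2],
        "product_version": fields[3],
        "signature": fields[4],
        "check": fields[5],                      # WAF check that produced the message
        "severity": int(fields[6]),
    }
    for key, quoted, bare in EXTENSION_RE.findall(fields[7]):
        record[key] = quoted if quoted else bare
    return record


def summarize(lines):
    """Return (Counter keyed by (check, act, md), list of requests denied in Active Mode)."""
    records = [r for r in map(parse_cef_line, lines) if r is not None]
    by_check = Counter((r["check"], r.get("act", "-"), r.get("md", "-")) for r in records)
    denied = [(r["check"], r.get("src"), r.get("req")) for r in records
              if r.get("act") == "deny" and r.get("md") == "active"]
    return by_check, denied


# Lines copied from this chapter's examples, plus one constructed non-CEF line.
SAMPLE_LINES = [
    'Dec 22 17:13:03 CEF:0|A10|AX3200|2.7.1|WAF|http-check|2|src=20.20.25.10 spt=32462 dst=20.20.25.130 dpt=80 req="GET /tours/index.html HTTP/1.1" 0 msg="Learning: Updating allowed HTTP methods" cs1=waf1 act=n md=learn',
    'Dec 22 17:13:03 CEF:0|A10|AX3200|2.7.1|WAF|buf-ovf|2|src=20.20.25.10 spt=32462 dst=20.20.25.130 dpt=80 req="GET /tours/index.html HTTP/1.1" 0 msg="Learning: Increasing max-url-len from 0 to 17" cs1=waf1 act=n md=learn',
    'Dec 22 16:36:33 CEF:0|A10|AX3200|2.7.1|WAF|filter-resp-hdrs|6|src=20.20.25.10 spt=31027 dst=20.20.25.130 dpt=80 req="GET /tours/index.html HTTP/1.1" 0 msg="Header Server filtered" cs1=waf1 act=deny md=active',
    'Dec 22 17:04:13 CEF:0|A10|AX3200|2.7.1|WAF|sqlia-check|6|src=20.20.25.10 spt=19170 dst=20.20.25.130 dpt=80 req="POST /tours/index.html HTTP/1.1" 7 msg="SQLIA pattern detected! 1=1-- matches #2 in rule2" cs1=waf1 act=deny md=active',
    'Dec 22 17:00:10 CEF:0|A10|AX3200|2.7.1|WAF|xss-check|6|src=20.20.25.10 spt=49251 dst=20.20.25.130 dpt=80 req="GET /tours/index.html HTTP/1.1" 0 msg="Cookie Cook1 contains javascript!" cs1=waf1 act=deny md=active',
    "Dec 22 17:05:00 sshd[1234]: constructed non-CEF line, skipped by the parser",
]

if __name__ == "__main__":
    by_check, denied = summarize(SAMPLE_LINES)
    for (check, act, md), count in sorted(by_check.items()):
        print(f"{check:<18} act={act:<5} md={md:<7} {count}")
    print("denied in active mode:", denied)
```

Grouping on (check, act, md) is what makes the mode visible in a report: act=n md=learn entries are the template adjusting itself, act=deny md=active entries are blocked traffic, and a deny recorded under md=passive would be a check that fired without being enforced, which is the false-positive review the Passive Mode description above is about.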


Cookie Encryption
Cookie Encryption protects against cookie tampering by encrypting cookies
before sending server replies to clients.

You can enable encryption based on specific cookie names or for all cookies
that match a PCRE expression. The encryption uses a secret string to
decrypt and encrypt cookies that are transferred between the Web server and
client.

The following commands access the configuration level for WAF template
“resetti” and configure encryption for all cookies containing “hiddencookie”
in the name:
ACOS(config)#slb template waf resetti
ACOS(config-waf)#cookie-encrypt ".*hiddencookie" r0cc0
The secret value “r0cc0” is used for encryption. To view the encrypted
value created by the WAF and used in responses, display the configuration:
ACOS(config-waf)#show run with-default | section waf
slb template waf resetti
...
cookie-encrypt ".*hiddencookie" secret-encrypted m3nvbYs/EBg8EIy41dsA5zwQjLjV2wDnPBCMuNXbAOc8EIy41dsA5zwQjLjV2wDn
...

Note: Do not enter the secret-encrypted option when configuring this check.
This option is placed into the configuration by the WAF to indicate that
the string is the encrypted form.
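The following Python example is added to this guide to illustrate the tamper-protection property that Cookie Encryption provides; it is not ACOS code and does not reproduce the WAF's cipher. In place of encryption it seals each selected cookie value with an HMAC-SHA256 tag under the shared secret, so a value altered by the client is detected on the way back in; unlike the WAF's encryption it does not hide the value. The name matching against a pattern such as ".*hiddencookie" and the secret string follow the page; the seal format and function names are this example's own.

```python
"""Tamper-evident cookie sealing (added illustration, not ACOS code).

Stand-in for the WAF's cookie encryption: cookies whose names match the
configured pattern are sealed with HMAC-SHA256 under the secret when sent
to the client, and rejected if the seal no longer matches when they return.
The seal format value.tag (both base64) is this example's own."""
import base64
import hashlib
import hmac
import re


def cookie_selected(name: str, pattern: str) -> bool:
    """True if the whole cookie name matches the configured pattern, e.g. ".*hiddencookie"."""
    return re.fullmatch(pattern, name) is not None


def seal_value(value: str, secret: str) -> str:
    """value -> base64(value).base64(HMAC-SHA256(secret, value))"""
    tag = hmac.new(secret.encode(), value.encode(), hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(value.encode()).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


def unseal_value(sealed: str, secret: str):
    """Return the original value, or None if the seal is malformed or does not verify."""
    try:
        encoded_value, encoded_tag = sealed.split(".", 1)
        value = base64.urlsafe_b64decode(encoded_value).decode()
        tag = base64.urlsafe_b64decode(encoded_tag)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(secret.encode(), value.encode(), hashlib.sha256).digest()
    return value if hmac.compare_digest(tag, expected) else None


def protect_response_cookies(cookies, pattern: str, secret: str):
    """Server -> client: seal the cookies whose names match; others pass through."""
    return [(name, seal_value(value, secret) if cookie_selected(name, pattern) else value)
            for name, value in cookies]


def restore_request_cookies(cookie_header: str, pattern: str, secret: str):
    """Client -> server: unseal matching cookies from a Cookie header.

    Returns (cookies to forward, names rejected because the seal failed)."""
    restored, rejected = {}, []
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if not cookie_selected(name, pattern):
            restored[name] = value
            continue
        original = unseal_value(value, secret)
        if original is None:
            rejected.append(name)
        else:
            restored[name] = original
    return restored, rejected


if __name__ == "__main__":
    # Constructed cookies; the secret mirrors the "r0cc0" value used above.
    outbound = protect_response_cookies([("theme", "dark"), ("auth_hiddencookie", "uid=42")],
                                        ".*hiddencookie", "r0cc0")
    print("sent to client:", outbound)
    header = "; ".join(f"{n}={v}" for n, v in outbound)
    print("restored:", restore_request_cookies(header, ".*hiddencookie", "r0cc0"))
    print("tampered:", restore_request_cookies("auth_hiddencookie=dWlkPTQz.bad", ".*hiddencookie", "r0cc0"))
```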


WAF Template Reference

WAF templates allow you to easily enforce the following security filters.
Table 8 lists the parameters you can configure.

Note: This table is a reference. For configuration procedures, see either of the
following:
• “Configuring the WAF Using the GUI” on page 37
• “Configuring the WAF Using the CLI” on page 51


TABLE 8 WAF Template Options


Parameter Description and Syntax Supported Values
Template Name Name of the WAF template in the ACOS configura- String
tion. Default: Not set
[no] slb template waf template-name
Config Mode > Security > WAF > Template > WAF
Deployment Mode
Deployment Sets the operational mode for the WAF template. You can select one of the following:
Mode [no] deploy-mode • Active – Standard operational
{active | learning | passive} mode. You must use Active Mode if
Config Mode > Security > WAF > Template > WAF you want the WAF to sanitize or
drop traffic based on the configured
WAF policies.
(For more information, see “WAF Operational
• Learning – Provides a way to ini-
Modes” on page 27.)
tially set the thresholds for certain
WAF checks based on known, valid
traffic.
• Passive – Provides passive WAF
operation. All enabled WAF checks
are applied, but no WAF action is
performed upon matching traffic.
This mode is useful in staging envi-
ronments to identify false positives
for filtering.
Default: Active Mode
Request Checks
URI White List Enforces the rules contained within a WAF policy Name of a WAF policy file
file for the URI White List. For more information Default: uri_wlist_defs
about URI White Lists, see “URI White List” on
page 72.
[no] uri-wlist-check file-name
Config Mode > Security > WAF > Template > WAF
URI Black List Enforces the rules contained within a WAF policy Name of a WAF policy file
file for the URI Black List. For more information Default: uri_blist_defs
about URI Black Lists, see “URI Black List” on
page 71.
[no] uri-blist-check file-name
Config Mode > Security > WAF > Template > WAF

104 of 136 Customer Driven Innovation


Document No.: D-030-01-00-0055 - ACOS 2.7.2 4/30/2014
A10 Thunder Series and AX Series—Web Application Firewall

TABLE 8 WAF Template Options (Continued)


Parameter Description and Syntax Supported Values
Deny Action WAF response sent to the client if traffic is denied One of the following:
by the WAF template. • http-resp-403 – Sends a 403 Forbid-
[no] deny-action options den response to the client. The
resp-string default string returns a generic
Config Mode > Security > WAF > Template > WAF “Request Denied!” page to the cli-
ent.
• http-resp-200 – Sends a 200 OK
response to the client with the speci-
fied resp-string. The default string
returns a generic “Request Denied!”
page to the client.
• http-redirect – Redirects the client
to the specified URL.
• reset-conn – Sends a TCP RST to
the client to end the connection.
Default: http-resp-403
Allowed HTTP Checks requests to ensure they contain only the Valid HTTP method names:
Methods HTTP methods that are allowed by this option. • GET
[no] allowed-http-methods • POST
method-name
• HEAD
Config Mode > Security > WAF > Template > WAF
• PUT
• OPTIONS
• DELETE
• TRACE
• CONNECT
• PURGE
Default: GET, POST
Bot Check Checks the user-agent of incoming requests for Enabled or Disabled
known bots. This check uses the list of defined bots Definition – Name of a configured
in the specified WAF policy file. WAF policy file
(See “Bot Check” on page 70.)
Default: Disabled
[no] bot-check
Config Mode > Security > WAF > Template > WAF

Customer Driven Innovation 105 of 136


Document No.: D-030-01-00-0055 - ACOS 2.7.2 4/30/2014
A10 Thunder Series and AX Series—Web Application Firewall

TABLE 8 WAF Template Options (Continued)


Parameter Description and Syntax Supported Values
Buffer Overflow Checks for attempts to cause a buffer overflow on Enabled or Disabled
the Web server. The maximum accepted URL length
• Max Cookie Length – Sets the maximum length can be set between 0 to 16127. The
for cookies, cookie names, and/or cookie values maximum accepted length for all other
allowed in a request. limits can be set between 0 to 65535.
• Max Headers Length – Sets the maximum Default: Enabled
header length for headers, header names, and/or If enabled, the following default val-
header values allowed in requests. ues apply:
• Max Line Length - Sets the maximum length for • Max Cookie Length – 4,096
lines.
• Max Cookie Name Length - 64
• Max Parameters Length - Sets the maximum
• Max Cookie Value Length - 4,096
parameter length allowed for the total parameters,
the parameter names, and/or the parameter val- • Max Header Length – 4,096
ues. • Max Header Name Length - 64
• Max Post Size – Sets the maximum content • Max Header Value Length - 4,096
length allowed in HTTP POST requests. • Max Line Length - 1,024
• Max Query Length - Sets the maximum length • Max Parameter Name Length - 256
for queries.
• Max Parameter Total - 4,096
• Max URL Length – Sets the maximum URL
length allowed in requests. • Max Parameter Value Length -
4,096
[no] buf-ovf
{disable | max-cookie-len | • Max Query Length - 1,024
max-cookie-name-len | • Max URL Length – 1,024
max-cookie-value-len | • Max POST content size – 20,480
max-hdrs-len | max-hdr-name-len
max-hdr-value-len | max-line-len |
max-parameter-name-len |
max-parameter-total-len |
max-parameter-value-len |
max-post-size | max-query-len |
max-url-len} [bytes]
[no] max-parameters
Config Mode > Security > WAF > Template > WAF
Cookie Encrypt Uses the specified Secret string to encrypt and Cookie Name – String or PCRE
decrypt cookies in server to client communication. expression
For Cookie Name, you can enter the name of a spe- Secret – String
cific cookie as a string, or a PCRE expression to
Default: Not set
encrypt all cookies which match the expression.
[no] cookie-encrypt
{cookie-name | pcre-pattern}
Config Mode > Security > WAF > Template > WAF

106 of 136 Customer Driven Innovation


Document No.: D-030-01-00-0055 - ACOS 2.7.2 4/30/2014
A10 Thunder Series and AX Series—Web Application Firewall

TABLE 8 WAF Template Options (Continued)


Parameter Description and Syntax Supported Values
Cross-Site Tags fields of a web form to protect against cross- Enabled or Disabled
Forgery (CSRF) site request forgery (CSRF). Default: Disabled
Check [no] csrf-check
Config Mode > Security > WAF > Template > WAF
Form Checks that user input to form fields is consistent Enabled or Disabled
Consistency with the intended format. Default: Disabled
Check [no] form-consistency-check
Config Mode > Security > WAF > Template > WAF
HTTP Check Checks that user requests are compliant with HTTP Enabled or Disabled
protocols. Default: Disabled
[no] http-check
Config Mode > Security > WAF > Template > WAF
Session Check Checks that user requests match a unique session ID Enabled or Disabled
created for them. Default: Disabled
[no] session-check [secs]
Config Mode > Security > WAF > Template > WAF
Max Cookies Specifies the maximum number of cookies a request 0-63
can contain. Default: 20
[no] max-cookies num
Config Mode > Security > WAF > Template > WAF
Max Headers Specifies the maximum number of headers a request 0-63
can contain. Default: 20
[no] max-hdrs num
Config Mode > Security > WAF > Template > WAF
Max Parameters Specifies the maximum number of parameters a 0-63
request can contain. Default: 20
[no] max-parameters num
Config Mode > Security > WAF > Template > WAF

Customer Driven Innovation 107 of 136


Document No.: D-030-01-00-0055 - ACOS 2.7.2 4/30/2014
A10 Thunder Series and AX Series—Web Application Firewall

TABLE 8 WAF Template Options (Continued)


Parameter Description and Syntax Supported Values
Referer Check Validates that the referer header in a request con- One of the following:
tains Web form data from the specified Web server, • Enabled
rather than from an outside Web site. This check
• Disabled
protects against CSRF attacks.
• Only-If-Present
• Enabled – Always validates the referer header. If
selected, the request fails the check if there is no If this check is activated, you can set
referer header or if the referer header is invalid. the following additional options:
• Disabled – Configures WAF to not validate • Allowed Referer Domains – String
requests based on the referer header. • Safe URL – String
• Only-If-Present – Validates the referer header Default: Disabled
only if a referer header exists. If the check finds
an invalid referer header, the request fails the
check. However, the request does not fail the
check if there is no referer header in the request.
[no] referer-check
{enable | only-if-present}
Config Mode > Security > WAF > Template > WAF
SQL Injection Checks for SQL strings to protect against SQL One of the following:
Attack Check injection attacks. This check uses the list of defined • Reject
SQL commands in the “sqlia_defs” WAF policy
• Disabled
file. See “SQL Injection Attack Check” on page 70.
• Sanitize
[no] sqlia-check
{reject | sanitize} Definition – Name of a configured
WAF policy file
Config Mode > Security > WAF > Template > WAF
Default: Disabled
Cross-site Checks for potential HTML XSS scripts to protect One of the following:
Scripting (XSS) against cross-site scripting attacks. This check uses • Reject
Check the list of defined Javascript commands in the
• Disabled
“jscript_defs” WAF policy file. See “XSS Check”
on page 70. • Sanitize
[no] xss-check Default: Disabled
{reject | sanitize}
Config Mode > Security > WAF > Template > WAF
URL Check Select this option to prevent users from accessing Enabled or Disabled
the URLs of your website directly. The URL Check Default: Disabled
allows users to only access Web pages by clicking a
hyperlink on your protected Web site.
Note: In the current release, the approved URL path
list for the URL Check can be configured only using
Learning Mode. For a deployment example that
includes configuration of the URL Check, see
“Generate Allowed URL Paths for the URL Check”
on page 94.
[no] url-check
Config Mode > Security > WAF > Template > WAF

108 of 136 Customer Driven Innovation


Document No.: D-030-01-00-0055 - ACOS 2.7.2 4/30/2014
A10 Thunder Series and AX Series—Web Application Firewall

TABLE 8 WAF Template Options (Continued)


Parameter Description and Syntax Supported Values
URL Options Use this command to to normalize request URLs. Enabled or Disabled
This helps shorten the URLs and prevent buffer Default: Disabled
overflows from length URLs
• decode-entities
• decode-escaped-chars
• decode-hex-chars
• remove-comments
• remove-selfref
• remove-spaces
Request Checks
CCN Mask Replaces all but the last four digits of credit card Enabled or Disabled
numbers with an “x” character. Default: Disabled
[no] ccn-mask
Config Mode > Security > WAF > Template > WAF
SSN Mask Replaces all but the last four digits of US Social Enabled or Disabled
Security numbers with an “x” character. Default: Disabled
[no] ssn-mask
Config Mode > Security > WAF > Template > WAF
PCRE Mask – Cloaks patterns in a response that match the specified PCRE pattern.
• PCRE Pattern – Specifies the pattern to search for in responses.
• Mask – Selects a character to mask the matched pattern of a string.
• Keep Start – Sets the number of unmasked characters at the beginning of the string.
• Keep End – Specifies the number of unmasked characters at the end of the string.
[no] pcre-mask pcre-pattern [keep-end num-length | keep-start num-length | mask character]
Config Mode > Security > WAF > Template > WAF
Supported values: PCRE Pattern – valid string; Mask – single character; Keep Start – 0-65535; Keep End – 0-65535.
Default: PCRE Pattern – not set; Mask – x; Keep Start – 0; Keep End – 0.
Filter Response Headers – Removes the Web server’s identifying headers in responses. By default, this check uses the “allowed_resp_codes” WAF policy file for a list of acceptable HTTP response codes.
[no] filter-resp-hdrs
Config Mode > Security > WAF > Template > WAF
Supported values: Enabled or Disabled; Definition – name of a configured WAF policy file. Default: Disabled. If enabled, the default policy file is “allowed_resp_codes”.

Hide Response Codes – “Cloaks” your Web servers by hiding the 4xx and 5xx response codes they return instead of forwarding them to the client.
[no] hide-resp-codes
Config Mode > Security > WAF > Template > WAF
Supported values: Enabled or Disabled. Default: Disabled.
Template for External Logging
Logging Template – Applies a configured logging template to the WAF template. See “WAF Event Logging” on page 61.
[no] template logging template-name
Config Mode > Security > WAF > Template > WAF
Supported values: Name of a logging template. Default: None selected.
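The following Python example, added to this guide and not part of ACOS, shows the masking behaviour that the ccn-mask, ssn-mask and pcre-mask options describe, applied to a constructed response fragment. The card and SSN patterns, the Luhn validation of card-number candidates and the decision to leave separators in place are assumptions of the example; the guide only specifies that all but the last four digits are replaced with x and, for pcre-mask, the keep-start, keep-end and mask parameters.

```python
import re

# Added example: response masking with the semantics the WAF template describes for
# ccn-mask, ssn-mask and pcre-mask. Not A10 code; assumptions are marked inline.


def luhn_ok(digits: str) -> bool:
    """Luhn checksum. Assumption: the guide does not say how ACOS decides that a digit
    run is a card number; this example requires a valid checksum so that order IDs and
    similar numbers are left alone."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by single spaces or dashes (constructed pattern).
CCN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in the usual 3-2-4 dashed form (constructed pattern; ACOS's own is not on the page).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def mask_keep(text: str, mask: str = "x", keep_start: int = 0, keep_end: int = 0) -> str:
    """pcre-mask semantics: keep keep_start characters at the front and keep_end at the
    back, replace everything in between with the mask character (default x)."""
    n = len(text)
    if keep_start + keep_end >= n:          # nothing left to hide
        return text
    return text[:keep_start] + mask * (n - keep_start - keep_end) + text[n - keep_end:]


def _mask_digits_except_last4(s: str) -> str:
    """Replace every digit except the last four with x. Assumption: the guide says
    'all but the last four digits' and nothing about separators, so they are kept."""
    remaining = sum(c.isdigit() for c in s)
    out = []
    for c in s:
        if c.isdigit():
            out.append(c if remaining <= 4 else "x")
            remaining -= 1
        else:
            out.append(c)
    return "".join(out)


def ccn_mask(body: str) -> str:
    """ccn-mask: mask Luhn-valid card numbers found in a response body."""
    def repl(m):
        s = m.group(0)
        return _mask_digits_except_last4(s) if luhn_ok(re.sub(r"\D", "", s)) else s
    return CCN_RE.sub(repl, body)


def ssn_mask(body: str) -> str:
    """ssn-mask: mask all but the last four digits of a US SSN."""
    return SSN_RE.sub(lambda m: _mask_digits_except_last4(m.group(0)), body)


def pcre_mask(body: str, pattern: str, mask: str = "x",
              keep_start: int = 0, keep_end: int = 0) -> str:
    """pcre-mask: apply mask_keep to every match of the pattern (Python re stands in for PCRE)."""
    return re.compile(pattern).sub(
        lambda m: mask_keep(m.group(0), mask, keep_start, keep_end), body)


def scrub_response(body: str) -> str:
    """All three masks, as a template with the three options enabled would apply them.
    The constructed e-mail pattern keeps the 12-character '@example.com' suffix so the
    domain stays visible while the local part is hidden."""
    body = ccn_mask(body)
    body = ssn_mask(body)
    return pcre_mask(body, r"[\w.]+@example\.com", keep_end=12)


if __name__ == "__main__":
    # Constructed sample response fragment.
    sample = ("card 4111 1111 1111 1111 ssn 123-45-6789 "
              "mail alice@example.com order 1234567890123")
    print(scrub_response(sample))
```

Note that the order-number run is left untouched only because it fails the Luhn check; a mask that does not validate candidates will scrub any long digit run in a response, which is worth keeping in mind when enabling ccn-mask on pages that carry invoice or tracking numbers.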

WAF CLI Command Reference

This chapter lists the CLI commands for WAF. The commands are organized into the following sections:
• “WAF Template Commands” on page 111

• “WAF File Management Commands” on page 125

• “External Logging Commands” on page 128

WAF Template Commands


The commands in this section configure WAF template parameters.

slb template waf


Description Configure a WAF template.

Syntax [no] slb template waf template-name

Parameter Description
template-name Name of the template.

This command changes the CLI to the configuration level for the specified
WAF template, where the following commands are available.

Command Description
[no] allowed-http-methods method-list – Specifies the HTTP methods that requests are allowed to contain, as a quoted, space-separated method list; for example: allowed-http-methods “GET POST”
[no] bot-check waf-policy – Checks user requests for bot activity. This check uses the specified WAF policy file for a list of search terms. For more information, see “Bot Check” on page 70.

[no] buf-ovf option – Checks for attempts to cause a buffer overflow on the Web server. Options:
  disable – Disables buffer overflow protection.
  max-cookie-len bytes – Sets the maximum length for cookies allowed in a request.
  max-cookie-name-len bytes – Sets the maximum length for cookie names allowed in a request.
  max-cookie-value-len bytes – Sets the maximum length for cookie values allowed in a request.
  max-hdrs-len bytes – Sets the maximum length of the headers allowed in a request.
  max-hdr-name-len bytes – Sets the maximum header name length allowed in a request.
  max-hdr-value-len bytes – Sets the maximum header value length allowed in a request.
  max-line-len bytes – Sets the maximum line length allowed in a request.
  max-post-size bytes – Sets the maximum content length allowed in HTTP POST requests.
  max-query-len bytes – Sets the maximum query length allowed in a request.
  max-url-len bytes – Sets the maximum URL length allowed in a request.
[no] ccn-mask – Replaces all but the last four digits of credit card numbers with “x” characters.
[no] cookie-encrypt cookie-name secret-value – Encrypts the specified cookie using the specified secret value. The cookie-name can be the name of a specific cookie or a PCRE pattern (see “Writing PCRE Expressions” on page 77).

Note: Do not enter the secret-encrypted option when configuring this check. This option is placed into the configuration by the WAF to indicate that the string is the encrypted form.
[no] csrf-check – Tags fields of a web form to protect against cross-site request forgery (CSRF).
[no] deny-action options resp-string – Specifies the action performed by the WAF after a client request is denied:
  http-resp-403 {default | resp-string} – Sends a 403 Forbidden response to the client. The default string returns a generic “Request Denied!” page to the client.
  http-resp-200 {default | resp-string} – Sends a 200 OK response to the client with the specified resp-string. The default string returns a generic “Request Denied!” page to the client.
  http-redirect url-string – Sends a 302 Found redirect to the client with the URL specified in the url-string.
  reset-conn – Terminates the client connection.
[no] deploy-mode option – Sets the operational mode for the WAF template:
  active – Standard operational mode. You must use Active Mode if you want the WAF to sanitize or drop traffic based on the configured WAF policies.
  learning – Provides a way to initially set the thresholds for certain WAF checks based on known, valid traffic.
  passive – Provides passive WAF operation. All enabled WAF checks are applied, but no WAF action is performed upon matching traffic. This mode is useful in staging environments to identify false positives for filtering.
  (For more information, see “WAF Operational Modes” on page 27.)

[no] filter-resp-hdrs – Removes the Web server’s identifying headers in responses.
[no] form-consistency-check – Verifies that user input to form fields is consistent with the intended format.
[no] hide-resp-codes – Cloaks 4xx and 5xx response codes for outbound responses from the Web server.
[no] http-check – Verifies that user requests are compliant with HTTP protocols.
[no] max-cookies num – Specifies the maximum number of cookies allowed in a request. You can specify 0-63.
[no] max-hdrs num – Specifies the maximum number of headers allowed in a request. You can specify 0-63.
[no] max-parameters num – Specifies the maximum number of parameters allowed in a request. You can specify 0-63.
[no] pcre-mask pcre-pattern [options] – Masks patterns in a response that match the specified PCRE pattern.
  keep-end num-length – Specifies the number of unmasked characters at the end of the string. The default is 0.
  keep-start num-length – Sets the number of unmasked characters at the beginning of the string. The default is 0.
  mask character – Selects a character to mask the matched pattern of a string. The default is x.
[no] referer-check option – Validates that the referer header in a request contains Web form data from the specified Web server, rather than from an outside Web site. This check protects against CSRF attacks.
  enable safe-referer-domain safe-url – Always validates the referer header. If selected, the request fails the check if there is no referer header or if the referer header is invalid.
  only-if-present safe-referer-domain safe-url – Validates the referer header only if a referer header exists. If the check finds an invalid referer header, the request fails the check. However, the request does not fail the check if there is no referer header in the request.
[no] session-check [secs] – Creates an ID for a client request. Future requests from the same client are validated against the session cookie. The default lifetime for the session ID is 600 seconds.
[no] sqlia-check option – Checks for SQL strings to protect against SQL injection attacks.
  reject – Denies the request.
  sanitize – Removes suspected SQL injection scripts from requests.
[no] ssn-mask – Scans content for strings that resemble US Social Security numbers and replaces all but the last four characters of the string with “x” characters.
[no] template logging template-name – Applies a configured logging template to the WAF template.
[no] uri-blist-check file-name – Enforces the rules contained within a WAF policy file for the URI Black List. For more information, see “URI Black List” on page 71.
[no] uri-wlist-check file-name – Enforces the rules contained within a WAF policy file for the URI White List. For more information, see “URI White List” on page 72.
[no] url-check – Enables the URL Check. This check allows users to access Web pages only by clicking hyperlinks within the Web site and does not allow users to access the URLs of a Web site directly. An approved list of URL paths can be initially configured only when the WAF is deployed in Learning Mode. For a deployment example that includes configuration of the URL Check, see “Generate Allowed URL Paths for the URL Check” on page 94.
[no] url-options options – Use this command to normalize the WAF’s internal copy of request URLs. This helps shorten the URLs and prevent buffer overflows from lengthy URLs.
  decode-entities – Decode HTML entities, such as &lt;, in the internal URL.
  decode-escaped-chars – Decode escaped characters, such as \r or \n, in the internal URL.
  decode-hex-chars – Decode hexadecimal-encoded characters, such as %xx and %u00yy, in the internal URL.
  remove-comments – Remove comments from the internal URL.
  remove-selfref – Remove self-references, such as /./ and /path/../, from the internal URL.
  remove-spaces – Remove spaces from the internal URL.
[no] xss-check option – Checks for potential HTML XSS scripts to protect against cross-site scripting attacks.
  reject – Rejects requests with XSS patterns.
  sanitize – Removes suspected cross-site scripts from requests.
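The following Python example, added here and not ACOS code, applies the six url-options normalizations to a request path and then runs a URI Black List prefix match on the result, assuming (as the “internal URL” wording implies) that later checks such as uri-blist-check see the normalized form. BLACKLIST stands in for a uri_blist_defs policy file, and the /* ... */ comment syntax, the %u00yy handling and the C-style escape set are assumptions of the example, since the guide names the options without defining their exact grammar. The last sample input shows why a single decoding pass does not resolve double-encoded sequences such as %252e.

```python
import html
import re
from urllib.parse import unquote

# Added example: url-options normalization followed by a URI Black List match.
# Not A10 code. BLACKLIST is a constructed stand-in for a uri_blist_defs file.

BLACKLIST = ["/admin", "/etc/passwd"]

_UNICODE_ESC = re.compile(r"%u([0-9a-fA-F]{4})")       # %u00yy form (assumption: 4 hex digits)
_C_ESCAPE = re.compile(r"\\([rnt\\])")                # literal \r \n \t \\ (assumed escape set)
_C_ESCAPE_MAP = {"r": "\r", "n": "\n", "t": "\t", "\\": "\\"}
_COMMENT = re.compile(r"/\*.*?\*/", re.S)             # assumed comment syntax


def decode_entities(u: str) -> str:
    return html.unescape(u)                           # &lt; -> <, &#97; -> a


def decode_escaped_chars(u: str) -> str:
    return _C_ESCAPE.sub(lambda m: _C_ESCAPE_MAP[m.group(1)], u)


def decode_hex_chars(u: str) -> str:
    u = _UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), u)   # %u00yy
    return unquote(u)                                             # %xx, one pass only


def remove_comments(u: str) -> str:
    return _COMMENT.sub("", u)


def remove_spaces(u: str) -> str:
    return re.sub(r"\s+", "", u)


def remove_selfref(u: str) -> str:
    """Collapse /./ and /segment/../ without letting .. climb above the root."""
    out = []
    for seg in u.split("/"):
        if seg == ".":
            continue
        if seg == "..":
            if len(out) > 1:        # out[0] is the empty segment before the leading slash
                out.pop()
            continue
        out.append(seg)
    return "/".join(out)


# One normalization pass: decoding first, then structural clean-up.
URL_OPTIONS = {
    "decode-entities": decode_entities,
    "decode-escaped-chars": decode_escaped_chars,
    "decode-hex-chars": decode_hex_chars,
    "remove-comments": remove_comments,
    "remove-spaces": remove_spaces,
    "remove-selfref": remove_selfref,
}


def normalize_url(url: str, options=tuple(URL_OPTIONS)) -> str:
    for name in options:
        url = URL_OPTIONS[name](url)
    return url


def uri_blacklist_hit(path: str, blacklist=BLACKLIST) -> bool:
    """Prefix match on whole path segments: /admin and /admin/x hit, /administrator does not."""
    return any(path == e or path.startswith(e.rstrip("/") + "/") for e in blacklist)


def evaluate(raw_path: str):
    """Returns (hit on the raw path, normalized path, hit on the normalized path)."""
    norm = normalize_url(raw_path)
    return uri_blacklist_hit(raw_path), norm, uri_blacklist_hit(norm)


if __name__ == "__main__":
    # Constructed evasion attempts; all but the last resolve to /admin or below.
    for raw in ["/public/%2e%2e/admin", "/a%u0064min/./users", "/ad/* x */min",
                "/&#97;dmin", "/%252e%252e/admin"]:
        print(raw, "->", evaluate(raw))
```

Without url-options the blacklist entry /admin is compared with the raw path, so /public/%2e%2e/admin passes; with the options enabled the same request is denied. Because decoding is a single pass, %252e%252e comes out as %2e%2e and still does not match, so a policy that must catch double-encoded input has to cover the encoded form as well.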

Default This command has the following default settings:


• allowed-http-methods – GET and POST

• bot-check – Disabled

• buf-ovf – Enabled
• Max Cookie Length – 4,096
• Max Cookie Name Length - 64
• Max Cookie Value Length - 4,096
• Max Header Length – 4,096
• Max Header Name Length - 64
• Max Header Value Length - 4,096

• Max Line Length - 1,024
• Max Parameter Name Length - 256
• Max Parameter Total - 4,096
• Max Parameter Value Length - 4,096
• Max Query Length - 1,024
• Max URL Length – 1,024
• Max POST content size – 20,480

• ccn-mask – Disabled

• cookie-encrypt – Disabled

• csrf-check – Disabled

• deny-action – http-resp-403

• deploy-mode – Active

• filter-resp-hdrs – Disabled

• form-consistency-check – Disabled

• hide-resp-codes – Disabled

• http-check – Disabled

• max-cookies – 20

• max-hdrs – 20

• max-parameters - 20

• pcre-mask – Disabled

• referer-check – Disabled

• session-check - Disabled

• sqlia-check – Disabled

• ssn-mask – Disabled

• template logging – Not set

• uri-blist-check – uri_blist_defs policy file

• uri-wlist-check – uri_wlist_defs policy file

• url-check – Disabled

• xss-check – Disabled

Mode Global configuration mode

Introduced in Release 2.7.1


show slb waf


Description Show WAF statistics.

Syntax show slb waf stats virtual-server-name portnum

Option Description
stats virtual-server-name portnum – Displays WAF statistics for the specified virtual port on the specified virtual server.

Mode All

Introduced in Release 2.7.1

Example The following example shows WAF statistics:


ACOS#show slb waf stats vip1 80
:0
---------------------------------------------------------------
Requests 344
Requests denied 93
Bad Bot Check
- Success 251
- Failed 6
Buffer Overflow Check
- URL too long 4
- Request line too long 2
- Query too long 7
- Cookie too long 1
- Total Cookies too long 0
- Cookie Name too long 3
- Cookie Value too long 14
- Headers too long 4
- Header Name too long 9
- Header Value too long 9
- POST body too long 2
- Parameter name too long 8
- Parameter value too long 7
- Parameter total too long 3
- Too much data to parse 10

- Too many parameters 0
- Too many cookies 5
- Too many headers 6
- Too many MIME entities 2
Allowed HTTP Methods Check
- Success 0
- Failed 14
HTTP Protocol Check
- Success 251
- Failed 2
Referer Check
- Success 251
- Failed 2
- No Referer (Redirect) 15
URI Whitelist Check
- Success (Match) 330
- Failed 14
URI Blacklist Check
- Success 321
- Failed (Match) 7
URL Check
- Learned 11
- Success 33
- Failed 1
Form Consistency Check
- Success 0
- Failed 0
Form CSRF Tag Check
- Success 0
- Failed 0
CCN Mask
- Amex 4
- Diners 9
- Visa 19347
- MasterCard 84883
- Discover 2
- JCB 0
SSN Mask
- US SSN's masked 246
PCRE Mask
- PCRE's masked 0

Cookie Encryption
- Encrypt Success 0
- Encrypt Failed 0
- Encrypt Limit Exceeded 0
- Encrypt Skipped 0
- Decrypt Success 0
- Decrypt Failed 0
SQLIA Check
- URL Success 0
- URL Sanitized 0
- URL Rejected 8
- POST Success 0
- POST Sanitized 0
- POST Rejected 0
XSS Check
- Cookie Success 2
- Cookie Sanitized 1
- Cookie Failed 0
- URL Success 0
- URL Sanitized 0
- URL Failed 0
- POST Success 0
- POST Sanitized 0
- POST Failed 0
Resp code hidden 5
Resp hdrs filtered 3
Learning updates 9

The virtual server name and port number at the top of the output (vip1 80 in this example) identify the virtual port whose statistics are shown. Table 9 describes the rest of the fields in the command output.

TABLE 9 show slb waf fields


Field Description
Requests Total number of HTTP requests.
Requests denied Total number of deny responses to HTTP requests.
Bad Bot Check Counters for bot checking:
• Success – Total number of requests that included a bot.
• Failed – Total number of requests that were screened for
bots and did not match.

Buffer Overflow Check – Counters for buffer overflow checks:
• URL too long – Total number of requests whose URL exceeded the configured limit.
• Request line too long - Total number of request lines that
exceeded the configured limit.
• Query too long - Total number of request queries that
exceeded the configured limit.
• Cookie too long – Total number of requests that included
cookies which exceeded the configured limit.
• Total Cookies too long - Total number of cookies that
exceeded the configured limit.
• Cookie Name too long - Total number of cookie names
that exceeded the configured limit.
• Cookie Value too long - Total number of cookie values
that exceeded the configured limit.
• Headers too long – Total number of requests that included
headers which exceeded the configured limit.
• Header Name too long - Total number of header names
that exceeded the configured limit.
• Header Value too long - Total number of header values
that exceeded the configured limit.
• POST body too long – Total number of POST requests
with content length which exceeded the configured limit.
• Parameter name too long - Total number of parameter
names that exceeded the configured limit.
• Parameter value too long - Total number of parameter val-
ues that exceeded the configured limit.
• Parameter total too long - Total number of requests that
exceeded the configured limit of allowed parameters.
• Too much data to parse - Total number of requests that were denied because they exceeded the configured data limit.
• Too many parameters - Total number of requests that were
denied because they exceeded the configured parameter
limit.
• Too many cookies – Total number of requests that were
denied because they exceeded the configured cookie limit.
• Too many headers – Total number of requests that were
denied because they exceeded the configured header limit.
• Too many MIME entities - Total number of requests that
were denied because they contained too many MIME enti-
ties.

Allowed HTTP Methods Check – Counters for allowed HTTP methods:
• Success – Total number of requests that contained only a method that is present in the Allowed HTTP Methods list.
• Failed – Total number of requests that contained a method that is not in the Allowed HTTP Methods list.
HTTP Protocol Check – Counters for requests that adhere to the HTTP protocol:
• Success – Number of requests that followed valid HTTP protocol.
• Failed – Total number of requests that did not adhere to HTTP protocol.
Referer Check Counters for referer header validation for incoming requests:
• Success – Number of requests that passed the referer
header check.
• Failed – Number of requests that did not pass the referer
header check.
• No Referer (Redirect) – Number of requests that did not
contain a referer header.
URI White List URI White List counters:
Check • Success (Match) – Number of requests that matched crite-
ria in the URI White List and were accepted.
• Failed – Number of requests that did not match criteria in
the URI White List and were denied.
URI Black List URI Black List counters:
Check • Success – Number of requests that did not match criteria
in the URI Black List and were accepted.
• Failed (Match) – Number of requests that matched criteria
in the URI Black List and were denied.
URL Check URL Check counters:
• Learned – Number of URL paths learned during Learning
Mode and added to the URL Check list.
• Success – Number of requests that matched the URL
Check list and were accepted.
• Failed – Number of requests that did not match the URL
Check list and were denied.
Form Counters for Web form consistency:
Consistency • Success – Number of requests that passed the Web form
Check consistency check.
• Failed – Number of requests which did not match the orig-
inal structure of the Web form and were denied.

Form CSRF Tag Check – Counters for the CSRF check on Web form field tags in outbound responses:
• Success – Number of requests that passed the check.
• Failed – Number of requests which did not match the nonce for the Web form and were denied.
CCN Mask Counters for credit card numbers masked in requests. This
counter is separated into the following credit card types:
• Amex
• Diners
• Visa
• MasterCard
• Discover
• JCB
SSN Mask Counters for US social security number checks:
• US SSN’s masked – Total number of SSN numbers that
the WAF discovered and masked.
PCRE Mask Counters for custom PCRE pattern checks:
• PCRE’s masked – Total number of custom PCRE string
matches the WAF discovered and masked.
Cookie Counters for cookie encryption:
Encryption • Encrypt Success – Number of times a cookie was success-
fully encrypted with the specified secret string.
• Encrypt Failed – Number of times encryption of a cookie
failed.
• Encrypt Limit Exceeded – Number of times cookies were not encrypted because of a configured limit.
• Encrypt Skipped – Number of cookies that skipped
encryption because the remove-cookies option is enforced
in the RAM caching template.
• Decrypt Success – Number of cookies in clients’ requests
that were successfully decrypted with the configured
secret string.
• Decrypt Failed – Number of client requests that were
rejected because they could not be decrypted.

SQLIA Check – Counters for the SQL Injection Attack (SQLIA) check:
• URL Success – Number of requests that passed the SQLIA check for the URL.
• URL Sanitized – Total number of requests whose URL component was sanitized of an SQL attack pattern and accepted.
• URL Rejected – Number of requests that were denied because they contained an SQL injection attack in the URL.
• POST Success – Number of requests that passed the SQLIA check for the POST body.
• POST Sanitized – Total number of requests whose POST body was sanitized of an SQL attack pattern and accepted.
• POST Rejected – Total number of requests that were denied because they contained an SQL injection attack in the POST body.
XSS Check – Counters for cross-site scripting (XSS) attacks:
• Cookie Success – Number of requests that passed the cookie inspection portion of the XSS check.
• Cookie Sanitized – Number of requests that contained an XSS attack in a cookie, were sanitized, and were accepted.
• Cookie Failed – Number of requests that contained an XSS attack in a cookie and were denied.
• URL Success – Number of requests that passed the URL inspection portion of the XSS check.
• URL Sanitized – Number of requests that contained an XSS attack in the URL, were sanitized, and were accepted.
• URL Failed – Number of requests that contained an XSS attack in the URL and were denied.
• POST Success – Number of requests that passed the POST body inspection portion of the XSS check.
• POST Sanitized – Number of requests that contained an XSS attack in the POST body, were sanitized, and were accepted.
• POST Failed – Number of requests that contained an XSS attack in the POST body and were denied.
Response Code Total number of response codes hidden from server replies
Hidden before the replies were forwarded.
Response Total number of response headers that WAF sanitized and
headers filtered forwarded.
Learning updates Number of additional rules generated from the WAF learning
mechanisms when the WAF is operating in Learning Mode.


clear slb waf


Description Clear WAF statistics.

Syntax clear slb waf stats virtual-server-name portnum

Option Description
stats virtual-server-name portnum – Clears the WAF statistics for the specified HTTP virtual port on the specified virtual server.

Mode Privileged EXEC and all configuration levels

Introduced in Release 2.7.1

WAF File Management Commands


The commands in this section manage WAF policy files.

waf check
Description Validate a WAF policy file’s syntax.

Syntax waf check file-name

Option Description
file-name Name of a configured WAF policy file.

Mode Privileged EXEC and all configuration levels

Introduced in Release 2.7.1


waf copy
Description Copy a WAF policy file to a different file name.

Syntax waf copy source-name destination-name

Option Description
source-name Name of a configured WAF policy file.
destination-name Name of the new, copied WAF policy file.

Mode Privileged EXEC and all configuration levels

Introduced in Release 2.7.1

waf delete
Description Delete a WAF policy file.

Syntax waf delete file-name

Option Description
file-name Name of the WAF policy file to be deleted.

Mode Privileged EXEC and all configuration levels

Introduced in Release 2.7.1

waf edit
Description Edit or create a WAF policy file from within the CLI.

Syntax waf edit file-name

Option Description
file-name Name of the configured WAF policy file to modify, or an unused name to create a new file.

Mode Privileged EXEC and all configuration levels

Introduced in Release 2.7.1


waf rename
Description Renames a WAF policy file.

Syntax waf rename old-name new-name

Option Description
old-name Current name of the WAF policy file.
new-name New name of the WAF policy file.

Mode Privileged EXEC and all configuration levels

Introduced in Release 2.7.1

show waf-policy
Description Displays WAF policy files.

Syntax show waf-policy [def-file-name] [all-partitions | partition {shared | partition-name}]

Option Description
def-file-name Returns a list of WAF policy files with names
that partially match the specified string.
all-partitions Returns a list of WAF policy files for all L3V/
RBA partitions.
partition
{shared |
partition-name} Returns a list of WAF policy files for the shared
partition or the specified private partition.

Mode Privileged EXEC and all configuration levels

Introduced in Release 2.7.1

Example The following command lists all WAF policy files, for all partitions:
ACOS(config-waf)#show waf-policy all-partitions
Total WAF policy number: 10
Max WAF policy file size: 32K
Name Syntax Template
------------------------------------------------------------------------
allowed_resp_codes Check Bind
bot_defs Check Bind
jscript_defs Check Bind
sqlia_defs Check Bind
uri_blist_defs Check Bind
uri_wlist_defs Check Bind

External Logging Commands


The commands in this section configure external logging for WAF.

slb server
Description Configure a server for external logging.

Syntax [no] slb server server-name ipaddr

Parameter Description
server-name Server name, 1-31 characters.
ipaddr IP address of the server in either IPv4 or IPv6
format. The address is required only if you are
creating a new server.

This command changes the CLI to the configuration level for the specified server, where the following commands are available:

Command Description
[no] health-check [monitor-name] – Enables health monitoring of the server. The monitor-name specifies the name of a configured health monitor. If you omit this command or you enter it without the monitor-name option, the default Layer 3 (ICMP) health monitor is used.
[no] port port-num {tcp | udp} – Specifies the TCP or UDP port on which the server listens for log traffic. The following options are available at the port level:
  disable | enable – Disables or re-enables the port.
  [no] health-check [monitor-name] [follow-port port-num] – Enables health monitoring for the port. The monitor-name option specifies the name of a configured health monitor. The follow-port port-num option specifies another real port upon which to base this port’s health status. Both the real port and the port to use for the real port’s health status must be the same type, TCP or UDP. By default, this option is not set. If you omit the health-check command or you enter it without the monitor-name option, the default Layer 4 health monitor for the port’s protocol (TCP or UDP) is used. (See “Default Health Monitoring” below.)
  stats-data-disable | stats-data-enable – Disables or enables statistical data collection for the port.

Default There is no default logging server configuration. For health monitoring defaults, see below.

Mode Configuration mode

Usage The normal form of the slb server command creates a new or edits an exist-
ing real server. The CLI changes to the configuration level for the server.

The “no” form of this command removes an existing real server.

The IP address of the server can be in either IPv4 or IPv6 format. The A10 Thunder Series and AX Series support both address formats.

Default Health Monitoring


The following health monitors are enabled by default.
• ICMP – Server health check. Every 5 seconds, ACOS sends an ICMP
echo request (ping) addressed to the server’s IP address. The server
passes the health check if it sends an echo reply to ACOS. If the server
does not reply after the fourth attempt (the first attempt followed by 3
retries), ACOS sets the server state to DOWN.
• TCP – Every 5 seconds, ACOS sends a connection request (TCP SYN)
to the specified TCP port on the server. The port passes the health check
if it replies to ACOS by sending a TCP SYN ACK. If the port does not
reply after the fourth attempt, ACOS sets the port state to DOWN.
• UDP – Protocol port health check. Every 5 seconds, ACOS sends a
packet with a valid UDP header and a garbage payload to the UDP port.
The port passes the health check if the server either does not reply, or
replies with any type of packet except an ICMP Error message.

slb service-group
Description Configure a service group, which is a pool of one or more servers.

Syntax [no] slb service-group group-name {udp | tcp}

Parameter Description
group-name Name of the group, 1-31 characters.
tcp | udp Transport protocol to use for sending logs to the
servers.

This command changes the CLI to the configuration level for the specified
service-group, where the following command is available:

Note: The other configuration commands at this level are not applicable to log-
ging.

Command Description
[no] member server-name:portnum [disable | enable] [priority num] [stats-data-disable | stats-data-enable] – Adds the external log server and TCP or UDP port to the service group.
  server-name:portnum – Server name, and protocol port number on the server.
  disable | enable – Disables or re-enables the server and port, for this service group only.
  priority num – Sets the preference for this server and port, 1-16.
  stats-data-disable | stats-data-enable – Disables or enables statistical data collection for the service-group member.

Default There are no service groups configured by default.

Mode Configuration mode

Usage The normal form of this command creates a new or edits an existing service group. The CLI changes to the configuration level for the service group.


slb template logging

Description Configure external logging over TCP.

Syntax [no] slb template logging template-name

Parameter Description
template-name Name of the template.

This command changes the CLI to the configuration level for the specified logging template, where the following command is available. (The other commands are common to all CLI configuration levels.)

Command Description
[no] service-group group-name Specifies the name of the service group that contains the log servers.

Default The configuration does not have a default logging template.

Mode Configuration mode

show template logging


Description Displays the configuration of a logging template.

Syntax show template logging template-name

Mode All


show slb server

Description Show information about real servers.

Syntax show slb server [[server-name [port-num] detail] config]

Option Description
server-name [[port-num] detail] Shows information only for the specified server or port. If you omit this option, information is shown for all real servers and ports. The detail option shows statistics for the specified server or port. This option also displays the name of the server or port template bound to the server or port.
config Shows the SLB configuration of the real servers.

Mode All

show slb service-group


Description Show SLB service-group information.

Syntax show slb service-group [group-name] [config]

Option Description
group-name Shows information only for the specified service group. If you omit this option, information is shown for all service groups configured on the A10 Thunder Series and AX Series device.
config Shows the SLB configuration of the service groups.

Mode All

Corporate Headquarters
A10 Networks, Inc.
3 West Plumeria
San Jose, CA 95134
Tel: +1-408-325-8668 (main)
Tel: +1-888-822-7210 (support – toll-free in USA)
Tel: +1-408-325-8676 (support – direct dial)
Fax: +1-408-325-8666
www.a10networks.com

© 4/30/2014 A10 Networks Corporation. All rights reserved.
