Advanced Settings
About
In the WAF management screen of the relevant vService in TR7 ASP, the WAF settings of the service are managed by clicking on the edit icon next to the Advanced Settings text.
Interface
Advanced Settings Editing Screen
- Turkish Default WAF Blocking Page
When the client is blocked, the content page to be displayed is selected in Turkish.
- English Default WAF Blocking Page
When the client is blocked, the content page to be displayed is selected in English.
- JSON Default Debug Page
When the client is blocked, the content page to be displayed is selected in JSON format.
- Blocking Status Code
When the client is blocked, the status code to be returned is determined here. TR7 ASP uses 418 as the default status code so that WAF blocks can be distinguished in the logs.
- Status Codes Available for Selection When Blocking

| Status Code | Status | Description |
|---|---|---|
| 100 | Informational | Continue |
| 101 | Informational | Protocol Switch Confirmed |
| 102 | Informational | Method Processing |
| 103 | Informational | Response Headers Returned |
| 200 | Successful | OK |
| 201 | Successful | Resource Created on Server |
| 202 | Successful | Request Acknowledged but Not Yet Processed |
| 203 | Successful | Modified 200 OK Response |
| 204 | Successful | No Content Returned |
| 205 | Successful | Document View Must Be Reset |
| 206 | Successful | Partial Content Returned |
| 207 | Successful | Multiple Status |
| 208 | Successful | Already Reported |
| 226 | Successful | IM Used |
| 300 | Redirection | Multiple Choice |
| 301 | Redirection | Permanent Redirect |
| 302 | Redirection | Temporary Redirect |
| 303 | Redirection | GET Request Redirect |
| 304 | Redirection | Resources Unchanged |
| 305 | Redirection | Use Server Proxy |
| 306 | Redirection | Change Proxy/No Longer Used |
| 307 | Redirection | Temporary Redirect |
| 308 | Redirection | Permanent Redirect |
| 400 | Client Error | Request Structure Error |
| 401 | Client Error | Invalid Authentication |
| 402 | Client Error | Payment Required |
| 403 | Client Error | Page/Resource Forbidden |
| 404 | Client Error | Page/Resource Not Found |
| 405 | Client Error | Request Method Not Supported |
| 406 | Client Error | Non-Matching Accept Header |
| 407 | Client Error | Proxy Authentication Required |
| 408 | Client Error | Request Timeout |
| 409 | Client Error | Conflict Exists |
| 410 | Client Error | Resource Permanently Gone |
| 411 | Client Error | Length Not Specified |
| 412 | Client Error | Preconditions Not Met |
| 413 | Client Error | Request Size Too Large |
| 414 | Client Error | URI Too Long |
| 415 | Client Error | Unsupported Media Type |
| 416 | Client Error | Requested Segment Cannot Be Met |
| 417 | Client Error | Expectation Failed |
| 418 | Client Error | 418 |
| 419 | Client Error | 419 |
| 420 | Client Error | Method Error |
| 421 | Client Error | Misdirected Request |
| 422 | Client Error | Unprocessable Entity |
| 423 | Client Error | Resource Locked |
| 424 | Client Error | Dependency Error |
| 425 | Client Error | Too Early |
| 426 | Client Error | Upgrade Required |
- Blocking Page Content Type
The content type of the page that the client will see when blocked is selected. The default is text/html.
- Blocking Page
The content of the page that the client will see when blocked is set here. By default, a blocked client sees a page like the one shown below.
- Rule Creation Policy
Selects how rules are created, both during the Analysis & Learning process and when teaching from WAF logs.
Analysis & Learning Process
- Page Independent > Used when little is known about the service for which WAF activation is desired (its paths, request methods, variable structures, etc.). Protection is provided on an OWASP basis without learning paths, and the learning process is performed on the default rule.
- Data-Based > In Data-Based mode, the default rule allows the GET and HEAD HTTP methods; methods that carry data, such as POST, are not permitted. When analysis is done in data-based mode, every page that receives data from the user (a query parameter, raw body data, XML, JSON, etc., sent to the server in a POST request) is learned individually, and requests to those paths are then allowed within the framework of the learned rules. A request for an unlearned resource such as "photo.jpeg" falls under the default rule, which allows only GET requests for it. If "photo.jpeg" is requested with query parameters, however, the request is blocked by the WAF because that form of the request was never learned.
- Comprehensive > In Comprehensive mode, all HTTP methods are considered unauthorized, so unless a new path is defined in the default rules, every request is blocked by the WAF. When analysis is done in comprehensive mode, each path is learned individually and suitable rules are created for it. Any request to an unlearned path is therefore blocked by the WAF.
Learning from WAF Log
- Page Independent > Teaching is done on the default rule.
- Data-Based > If there is a variable in the requested path, a path-based rule is created and teaching is performed. If there is no variable in the requested path, teaching is again done on the default rule.
- Comprehensive > Regardless of whether there is a variable in the requested path, path-based rules are created for each path, and teaching is performed.
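The following is an added illustration of how the three policies treat a request under the default rule and under a learned path rule, as described above. It is example code written for this page, not TR7 ASP's implementation; the `LearnedRule` shape and the `decide` function are assumptions that model the behaviour the text describes.

```python
from dataclasses import dataclass

@dataclass
class Request:
    method: str
    path: str
    has_data: bool = False  # query parameters, raw body, XML, JSON, etc.

@dataclass
class LearnedRule:
    # Assumed shape of a path-based rule produced by Analysis & Learning.
    path: str
    methods: set
    allow_data: bool

def decide(policy: str, req: Request, learned: dict) -> str:
    """Return 'allow', 'block' or 'owasp-only' for a request under a policy.

    policy: 'page-independent', 'data-based' or 'comprehensive'
    learned: mapping of path -> LearnedRule (the rules learned so far)
    """
    if policy == "page-independent":
        # No path learning: the request is checked by OWASP-based rules only.
        return "owasp-only"
    rule = learned.get(req.path)
    if rule is not None:
        # A learned path: method and data shape must match what was learned.
        if req.method in rule.methods and (rule.allow_data or not req.has_data):
            return "allow"
        return "block"
    if policy == "data-based":
        # Default rule: GET/HEAD without data pass; data-carrying requests
        # (e.g. photo.jpeg with query parameters) are unlearned and blocked.
        if req.method in {"GET", "HEAD"} and not req.has_data:
            return "allow"
        return "block"
    if policy == "comprehensive":
        # Default rule allows no method: every unlearned path is blocked.
        return "block"
    raise ValueError(f"unknown policy: {policy}")

if __name__ == "__main__":
    # Constructed sample: only /login (POST with data) has been learned.
    rules = {"/login": LearnedRule("/login", {"POST"}, True)}
    for policy in ("page-independent", "data-based", "comprehensive"):
        print(policy, decide(policy, Request("GET", "/photo.jpeg"), rules),
              decide(policy, Request("GET", "/photo.jpeg", has_data=True), rules))
```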
- Max. Body Size to Process (kB)
Request bodies larger than the specified size are not parsed; they are checked in the RAW check fields according to the configuration made in "Maximum Parsable Body Limitation".
- Max. Body Size to Log (kB)
Request bodies larger than the specified length are not displayed in the WAF logs (body tab).
- Wait for Body for a Time
The body of a request arriving at the vService is held for the specified time before it enters the WAF. This can be used when a client sends the request body slowly.
- URL Decoding
- WAF Info
WAF log information is sent to the SIEM according to the Log profile selected in the vService.
- Attack Payload in WAF Info
Enabled when the attack description is to be sent; the language can be selected.
- Attack Description in WAF Info
Enabled when information about the attack content is to be sent; the language can be selected.
- Analysis
The WAF treats requests carrying the selected IP, Cookie or Header information as if it were in learning mode. Requests from users with the specified IP, Cookie or Header can later be used for Analysis & Learning, so learning can continue even after the WAF has been put into blocking mode.
- Analysis IP
You can enter the IP addresses of the analyzer from which you want to learn WAF rules, separated by spaces.
- Analysis Cookie
You can enter the value of the cookie named TR7-ANALYZE belonging to the analyzer from which you want to learn WAF rules.
- Analysis Header
You can enter the value of the HTTP header named TR7-ANALYZE belonging to the analyzer from which you want to learn WAF rules.
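As an added example (not TR7 ASP's own code), the check below recognises an analyzer request by the three settings above: the client IP, the TR7-ANALYZE cookie or the TR7-ANALYZE header. Because a matching request is handled in learning mode rather than blocked, the cookie and header values are treated like secrets and compared in constant time; the configured IPs and values are constructed for the example.

```python
import hmac
from http.cookies import CookieError, SimpleCookie

# Constructed configuration standing in for the Analysis IP / Cookie / Header fields.
ANALYSIS_CONFIG = {
    "ips": {"10.0.0.5", "10.0.0.6"},   # Analysis IP: space-separated in the UI
    "cookie": "a3f9c1e2d4b5",          # Analysis Cookie: value of TR7-ANALYZE
    "header": "a3f9c1e2d4b5",          # Analysis Header: value of TR7-ANALYZE
}

def cookie_value(raw_cookie_header: str, name: str):
    """Extract one cookie's value from a Cookie request header, or None."""
    jar = SimpleCookie()
    try:
        jar.load(raw_cookie_header)
    except CookieError:
        return None  # malformed Cookie header: treat as no marker present
    return jar[name].value if name in jar else None

def is_analyzer(client_ip: str, headers: dict, config: dict = ANALYSIS_CONFIG) -> bool:
    """True if the request should be handled as coming from the analyzer."""
    if client_ip in config["ips"]:
        return True
    # Header names are case-insensitive in HTTP, so normalise before lookup.
    norm = {k.lower(): v for k, v in headers.items()}
    hdr = norm.get("tr7-analyze")
    if hdr is not None and hmac.compare_digest(hdr, config["header"]):
        return True
    raw = norm.get("cookie")
    if raw:
        ck = cookie_value(raw, "TR7-ANALYZE")
        if ck is not None and hmac.compare_digest(ck, config["cookie"]):
            return True
    return False

if __name__ == "__main__":
    # Constructed requests: one by IP, one by header, one ordinary client.
    print(is_analyzer("10.0.0.5", {}))
    print(is_analyzer("192.0.2.10", {"TR7-Analyze": "a3f9c1e2d4b5"}))
    print(is_analyzer("192.0.2.10", {"Cookie": "session=abc; TR7-ANALYZE=other"}))
```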
- Edit
Clicking the Edit button saves the changes made.