Creating a web response profile

How to create a web response profile for Web Application Firewall.

About this task

A web response profile establishes the security policy that Web Application Firewall applies to responses from servers. The configuration requires a profile name and a satisfaction style.

A key aspect is the satisfaction style, which determines how the results are combined when a transaction matches more than one profile. The satisfaction style can be admission or prerequisite. The style controls what happens after the profile criteria are passed. A failed profile always results in the failure of the transaction. Most profiles are admission style. A typical use of a prerequisite style is a broad match that enforces basic items, such as maximum size, followed by more specific matches that enforce stronger criteria.

  • If admission, the server response (the transaction response) is forwarded immediately to the client. No other matching profile is run.
  • If prerequisite, any other profile that matches the response can now run. The response is not necessarily forwarded to the client. A passed profile does not ensure acceptance of the transaction. In those circumstances, any other matching profile is run and the whole transaction passes only when no failure is found. However, if no other matching profiles exist and the response passes this profile, the response is passed to the client.

You can process web responses differently depending on whether the content is XML or non-XML.

XML processing
XML processing can be a transform. XML messages have an XML MIME type in the Content-Type field; for example, text/xml.
Non-XML processing
Non-XML processing depends on whether the rule can alter the content. Non-XML messages have a non-XML MIME type in the Content-Type field; for example, www-url-encoded. Altering a non-XML response means being able to access the INPUT and OUTPUT contexts.
Non-XML processing can use a side-effect rule or a binary rule.
  • Use a side-effect rule when the rule cannot alter the content of the response. The rule can run activities such as authentication and authorization, or send a copy of the response content to a third destination.
  • Use a binary rule, which submits the payload as a nonparsed binary object, when the rule can alter the content of the response. The rule can run activities such as authentication and authorization, convert the content to XML, repackage it with additional information, or send a copy of the response content to a third destination. You can use the result of this rule as the response payload for further processing.

Procedure

  1. In the search field, enter web response.
  2. In the search results, click Web response profile.
  3. Click Add.
  4. Define the basic properties - Name, administrative state, and comments.
  5. From the Style list, select the satisfaction style.
  6. Optional: Click the Profile tab to define how to handle errors and which content types to accept.
    1. From the Error policy list, select the error policy.
      The error policy defines error handling for responses that violate the response profile. Response-level error handling overrides the one at the service level. To enforce no response-specific policy, retain the default setting.
    2. In the Content-type list field, enter which Content-Type MIME headers to accept.
      None
        Any Content-Type is acceptable.
      Responses without Content-Type
        The Content-Type header is set to an empty string.
      Responses without a body
        Not subject to this constraint.
  7. Optional: Click the Codes & versions tab to define protocol filtering. You can set filters to accept only responses with specific response codes that are sent with a specific protocol version. The response profile rejects any response with an unsupported response code or protocol version.
    1. From the Response codes list, set which HTTP response codes to support.
    2. From the Response versions list, set which HTTP versions to support.
  8. Optional: Click the Processing tab to define how to process responses. Processing depends on whether the content is XML or non-XML.
    XML processing
    1. From the XML processing list, select how to preprocess XML responses. Preprocessing validates whether the response is well-formed XML or adheres to the SOAP specifications.
    2. From the XML transformation rule list, if XML processing is enabled, select the rule to apply to XML responses.
    Non-XML processing
    1. From the Non-XML processing list, select how to process non-XML responses.
    2. From the Non-XML processing rule list, if non-XML processing is enabled, select the rule to apply to non-XML responses.
  9. Optional: Click the Name-value tab to define how to filter on header content. The response profile can use a name-value profile to filter by the names and corresponding values of HTTP headers. You can also use a name-value profile to map original values to replacement values. Each HTTP header name-value pair is subjected to the rules in the name-value profile. If no profile is specified, any header is allowed.
    1. From the Header name-value profile list, select the name-value profile.
  10. Optional: Click the Threat protection tab to define threat protection. Threat protection is limited to the allowable size for the response body.
    1. In the Minimum size field, enter the minimum size of the response body.
    2. In the Maximum size field, enter the maximum size of the response body.
  11. Click Apply to save changes to the running configuration.
  12. Click Save to save changes to the persisted configuration.
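The following constructed model, added here and not part of the product's own code or API, shows how the satisfaction-style rules (admission versus prerequisite) combine the results of several matching profiles, and how the Profile, Codes & versions and Threat protection settings each decide whether one profile passes. The `Profile` and `Response` classes, the `passes` and `evaluate_transaction` functions, and the sample response are assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model (not DataPower's own API). A profile with an empty
# content_types, codes or versions set imposes no constraint on that field.

@dataclass
class Response:
    status: int
    version: str                  # e.g. "HTTP/1.1"
    content_type: Optional[str]   # None when the header is absent
    body: bytes

@dataclass
class Profile:
    name: str
    style: str                    # "admission" or "prerequisite"
    content_types: set = field(default_factory=set)
    codes: set = field(default_factory=set)
    versions: set = field(default_factory=set)
    min_size: int = 0             # Threat protection: minimum body size
    max_size: Optional[int] = None  # Threat protection: maximum body size

    def passes(self, r: Response) -> bool:
        if self.codes and r.status not in self.codes:
            return False
        if self.versions and r.version not in self.versions:
            return False
        # Content-Type constraint: a response without a body is exempt, and a
        # missing header is matched as an empty string.
        if self.content_types and r.body:
            media_type = (r.content_type or "").split(";")[0].strip()
            if media_type not in self.content_types:
                return False
        if len(r.body) < self.min_size:
            return False
        if self.max_size is not None and len(r.body) > self.max_size:
            return False
        return True

def evaluate_transaction(profiles, r: Response):
    """Run matching profiles in order; return (verdict, names of profiles run)."""
    ran = []
    for p in profiles:
        ran.append(p.name)
        if not p.passes(r):
            return "rejected", ran    # any failed profile fails the transaction
        if p.style == "admission":
            return "forwarded", ran   # forwarded at once; no other profile runs
        # prerequisite passed: the remaining matching profiles still run
    return "forwarded", ran           # no profile left to run and none failed

# Constructed sample: a small XML response that passes a broad size check.
SAMPLE = Response(200, "HTTP/1.1", "text/xml; charset=utf-8", b"<ok/>")
```

Ordering matters: a broad prerequisite profile placed before a specific admission profile lets both run, whereas the same admission profile placed first forwards the response before the size check is ever evaluated.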