Manual Chapter : Adding File Types to a Security Policy

Applies To:

BIG-IP ASM

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1

About adding file types

In a security policy, you can manually specify the file types that are allowed (or disallowed) in traffic to the web application being protected. Do this only if you are not using automatic policy building, which is the recommended approach. When you are using automatic policy building, Application Security Manager™ determines which file types to add, based on legitimate traffic.

When you create a security policy, a wildcard file type of *, representing all file types, is added to the file type list. During the enforcement readiness period, the system examines the file types in the traffic and makes learning suggestions that you can review and add the file types to the policy as needed. This way, the security policy includes the file types that are typically used. When you think all the file types are included in the security policy, you can remove the * wildcard from the allowed file types list.

Adding allowed file types

You can manually add allowed file types, which are file types that the security policy accepts in traffic to the web application being protected.
  1. On the Main tab, click Security > Application Security > File Types.
    The Allowed File Types screen opens.
  2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. Click Create.
    The Add Allowed File Type screen opens.
  4. For File Type, choose a type:
    Option        Description
    ------------  -----------
    Explicit      Specifies a unique file type, such as JPG or HTML. Type the file type (from 1 to 255 characters) in the adjacent box.
    No Extension  Specifies that the web application has a URL with no file type. The system automatically assigns this file type the name no_ext. The slash character (/) is an example of a no_ext file type.
    Wildcard      Specifies that the file type is a wildcard expression. Any file type that matches the wildcard expression is considered legal. The pure wildcard (*) is automatically added to the security policy, so you do not need to add it. But you can add other wildcards, such as htm*. Type a wildcard expression in the adjacent box.
  5. For the length settings, adjust the values as needed. This is optional.
    Option               Specifies
    -------------------  ---------
    URL Length           The maximum acceptable length, in bytes, for a URL in the context of an HTTP request containing this file type. The default is 100 bytes.
    Request Length       The maximum acceptable length, in bytes, for the whole HTTP request that applies to this file type. The default is 5000 bytes.
    Query String Length  The maximum acceptable length, in bytes, for the query string portion of a URL that contains the file type. The default is 1000 bytes.
    POST Data Length     The maximum acceptable length, in bytes, for the POST data of an HTTP request that contains the file type. The default is 1000 bytes.
  6. By default, the Perform Staging check box is selected. We recommend that you keep it selected unless you are creating a wildcard file type for which you plan to Add All Entities in the Learn Explicit Entities setting. In that case, clear it.
  7. If you are creating a wildcard file type, from the Learn Explicit Entities list, specify whether the system adds explicit file types that match a wildcard to the security policy.
    Option                 Description
    ---------------------  -----------
    Never (wildcard only)  The system does not add or suggest that you add entities that match the wildcard to the policy. When false positives occur, the system suggests relaxing the settings of the wildcard entity. This option results in a security policy that is easy to manage but may not be as strict.
    Add All Entities       The system creates a comprehensive whitelist policy that includes all of the website entities. This option produces a large set of security policy entities, giving a granular, object-level configuration and a high security level, but such a policy can take more time to maintain.
    Note: Do not enable both staging and Add All Entities on the same wildcard entity.
  8. If you want the system to validate responses for this file type, select the Apply Response Signatures check box.
    Selecting this option enables attack signatures (that are designed to inspect server responses) to filter responses.
  9. Click Create.
    The Allowed File Types screen opens and lists the new file type.
  10. To put the security policy changes into effect immediately, click Apply Policy.
The security policy allows the file type that you added. If the file type is in staging, the system informs you when learning suggestions are available or when it is ready to be enforced.

Wildcard syntax

The syntax for wildcard entities is based on shell-style wildcard characters. This table lists the wildcard characters that you can use in the names of file types, URLs, parameters, or cookies so that the entity name can match multiple objects.

Wildcard Character   Matches
------------------   -------
*                    Any sequence of characters, including none
?                    Any single character
[abcde]              Exactly one of the characters listed
[!abcde]             Any single character not listed
[a-e]                Exactly one character in the range
[!a-e]               Any single character not in the range

Adding disallowed file types

For some web applications, you may want to deny requests for certain file types. In this case, you can create a set of disallowed file types. Adding disallowed file types is useful for file types that you know should never appear on your site (such as .exe files), or for files on your site that you never want users from the outside to reach (such as .bak files).
  1. On the Main tab, click Security > Application Security > File Types > Disallowed File Types.
    The Disallowed File Types screen opens.
  2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. Click Create.
    The New Disallowed File Type screen opens.
  4. In the File Type (Explicit only) field, type the file type that the security policy does not allow (for example, jpg or exe).
    Note: File types are case-sensitive unless you cleared Security Policy is case sensitive when you created the policy.
  5. Click Create.
    The Disallowed File Types screen opens and lists the new file type.
  6. To put the security policy changes into effect immediately, click Apply Policy.
The system categorizes both disallowed file types and requested file types that are not configured in the security policy as illegal file types. When the Application Security Manager™ receives a request with a disallowed file type, the system ignores, learns, logs, or blocks the request depending on the settings you configure for the Illegal File Type violation on the Application Security: Blocking: Settings screen.
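The following is an added Python model of the file-type decision this chapter describes: extracting the file type (or no_ext) from the request URL, matching it against explicit and wildcard entities using the shell-style syntax in the wildcard table, applying the four length settings of the matched entity (defaults from the length table in step 5), and classifying disallowed or unconfigured file types as illegal. It is an illustration written for this page, not F5 code, and it does not claim to reproduce how ASM matches internally. The allowed and disallowed lists, the HTTP requests, the case-sensitivity switch, and the matching order (an explicit entity wins over wildcards, then the longest matching wildcard wins) are all constructed assumptions.

```python
"""Simplified model of how a security policy classifies a request's file type.
Added illustration, not F5 code: entity lists, requests, and the matching order
(explicit entity first, then the longest matching wildcard) are assumptions."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional
from urllib.parse import urlsplit

WILDCARD_CHARS = set("*?[")


@dataclass
class FileTypeEntity:
    """One row of the Allowed File Types list with its length settings (bytes).
    Defaults are the values given in the manual's length table."""
    name: str                      # "jpg", "htm*", "no_ext" or "*"
    url_length: int = 100
    request_length: int = 5000
    query_string_length: int = 1000
    post_data_length: int = 1000

    @property
    def is_wildcard(self) -> bool:
        return any(c in WILDCARD_CHARS for c in self.name)


@dataclass
class Verdict:
    file_type: str
    legal: bool
    matched: Optional[str]         # name of the allowed entity that matched, if any
    violations: List[str] = field(default_factory=list)


def match_type(pattern: str, file_type: str, case_sensitive: bool = True) -> bool:
    """Shell-style match with the table's forms: * ? [abc] [!abc] [a-e] [!a-e].
    fnmatchcase implements exactly those; an explicit name is an exact match."""
    if not case_sensitive:
        pattern, file_type = pattern.lower(), file_type.lower()
    return fnmatchcase(file_type, pattern)


def file_type_of(path: str) -> str:
    """Extension of the last path segment, or no_ext when there is none (e.g. '/')."""
    segment = path.rsplit("/", 1)[-1]
    return segment.rsplit(".", 1)[-1] if "." in segment else "no_ext"


def parse_request(raw: bytes):
    """Return (path, query, body) from a raw HTTP/1.1 request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    _method, target, _version = request_line.split(b" ", 2)
    parts = urlsplit(target.decode("latin-1"))
    return parts.path, parts.query, body


@dataclass
class Policy:
    allowed: List[FileTypeEntity]
    disallowed: List[str]          # explicit names only, as on the Disallowed File Types screen
    case_sensitive: bool = True    # cleared "Security Policy is case sensitive" -> False

    def classify(self, raw: bytes) -> Verdict:
        path, query, body = parse_request(raw)
        ftype = file_type_of(path)

        # A disallowed file type is illegal even though the * wildcard would allow it.
        if any(match_type(d, ftype, self.case_sensitive) for d in self.disallowed):
            return Verdict(ftype, False, None, [f"Illegal File Type: '{ftype}' is disallowed"])

        # Assumed order: explicit entity first, then the longest (most specific) wildcard.
        hits = [e for e in self.allowed if match_type(e.name, ftype, self.case_sensitive)]
        explicit = [e for e in hits if not e.is_wildcard]
        wildcards = sorted((e for e in hits if e.is_wildcard), key=lambda e: -len(e.name))
        entity = (explicit or wildcards or [None])[0]
        if entity is None:
            return Verdict(ftype, False, None, [f"Illegal File Type: '{ftype}' is not in the policy"])

        # The length settings of the matched entity apply to this request.
        checks = [
            ("URL length", len(path.encode("latin-1")), entity.url_length),
            ("Request length", len(raw), entity.request_length),
            ("Query string length", len(query.encode("latin-1")), entity.query_string_length),
            ("POST data length", len(body), entity.post_data_length),
        ]
        violations = [f"{n} {actual} exceeds {limit}" for n, actual, limit in checks if actual > limit]
        return Verdict(ftype, not violations, entity.name, violations)


# Constructed policy: explicit jpg and no_ext entities, a htm* wildcard, and the
# pure * wildcard a new policy starts with; exe and bak are disallowed.
POLICY = Policy(
    allowed=[FileTypeEntity("jpg"), FileTypeEntity("no_ext", url_length=64),
             FileTypeEntity("htm*"), FileTypeEntity("*")],
    disallowed=["exe", "bak"],
)

# Constructed requests.
REQ_JPG = b"GET /img/logo.jpg?size=large HTTP/1.1\r\nHost: example.test\r\n\r\n"
REQ_BAK = b"GET /backup/site.bak HTTP/1.1\r\nHost: example.test\r\n\r\n"
REQ_HTML = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
REQ_ROOT = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
REQ_UPPER = b"GET /img/logo.JPG HTTP/1.1\r\nHost: example.test\r\n\r\n"
REQ_BIG_POST = (b"POST /api/upload.php HTTP/1.1\r\nHost: example.test\r\n"
                b"Content-Length: 6000\r\n\r\n" + b"a" * 6000)

if __name__ == "__main__":
    for raw in (REQ_JPG, REQ_BAK, REQ_HTML, REQ_ROOT, REQ_UPPER, REQ_BIG_POST):
        print(raw.split(b"\r\n", 1)[0].decode(), POLICY.classify(raw))
```

Running the block shows the cases the chapter calls out: the .bak request is illegal although * would otherwise allow it, /index.html lands on the htm* wildcard rather than *, the bare / request is the no_ext type, logo.JPG only falls through to * while the policy is case sensitive, and the oversized POST is matched by * but violates both its request length and POST data length settings.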