In a security policy, you can manually specify the file types that are allowed (or disallowed) in traffic to the web application being protected. You need to do this only if you are not using the recommended automatic policy building. When you are using automatic policy building, Application Security Manager™ determines which file types to add, based on legitimate traffic.
When you create a security policy, a wildcard file type of *, representing all file types, is added to the file type list. During the enforcement readiness period, the system examines the file types in the traffic and makes learning suggestions, which you can review before adding file types to the policy as needed. This way, the security policy includes the file types that are typically used. When you think all the file types are included in the security policy, you can remove the * wildcard from the allowed file types list.

| Option | Description |
|---|---|
| Explicit | Specifies a unique file type, such as JPG or HTML. Type the file type (from 1 to 255 characters) in the adjacent box. |
| No Extension | Specifies that the web application has a URL with no file type. The system automatically assigns this file type the name no_ext. The slash character (/) is an example of a no_ext file type. |
| Wildcard | Specifies that the file type is a wildcard expression. Any file type that matches the wildcard expression is considered legal. The pure wildcard (*) is automatically added to the security policy, so you do not need to add it, but you can add other wildcards such as htm*. Type a wildcard expression in the adjacent box. |

| Setting | Description |
|---|---|
| URL Length | The maximum acceptable length, in bytes, for a URL in the context of an HTTP request containing this file type. The default is 100 bytes. |
| Request Length | The maximum acceptable length, in bytes, for the whole HTTP request that applies to this file type. The default is 5000 bytes. |
| Query String Length | The maximum acceptable length, in bytes, for the query string portion of a URL that contains the file type. The default is 1000 bytes. |
| POST Data Length | The maximum acceptable length, in bytes, for the POST data of an HTTP request that contains the file type. The default is 1000 bytes. |

| Option | Description |
|---|---|
| Never (wildcard only) | The system does not add or suggest that you add entities that match the wildcard to the policy. When false positives occur, the system suggests relaxing the settings of the wildcard entity. This option results in a security policy that is easy to manage but may not be as strict. |
| Add All Entities | The system creates a comprehensive whitelist policy that includes all of the website entities. This option forms a large set of security policy entities, which produces a granular object-level configuration and a high security level, but it may take more time to maintain such a policy. |

The syntax for wildcard entities is based on shell-style wildcard characters. This table lists the wildcard characters that you can use in the names of file types, URLs, parameters, or cookies so that the entity name can match multiple objects.

| Wildcard character | Matches |
|---|---|
| ? | Any single character |
| [abcde] | Exactly one of the characters listed |
| [!abcde] | Any character not listed |
| [a-e] | Exactly one character in the range |
| [!a-e] | Any character not in the range |
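
The following Python sketch is an added example, not F5 code. It models how a file type list with explicit, no_ext and wildcard entries and the four length limits could be evaluated against a request, which helps when reasoning about what a policy allows once the * wildcard is removed. The policy contents, the function names, the explicit-before-wildcard precedence, case-sensitive matching and measuring URL length on the path only are all assumptions.

```python
from fnmatch import fnmatchcase          # shell-style: * ? [abc] [!abc] [a-e]
from posixpath import splitext
from urllib.parse import urlsplit

# Default limits in bytes, as listed on this page.
DEFAULTS = {"url": 100, "request": 5000, "query": 1000, "post": 1000}

# Constructed policy: the pure * wildcard has already been removed.
POLICY = [
    {"name": "no_ext", "limits": DEFAULTS},
    {"name": "php", "limits": {**DEFAULTS, "query": 200}},
    {"name": "htm*", "limits": DEFAULTS},
    {"name": "[jp][pn]g", "limits": DEFAULTS},
]

def file_type(url):
    """Extension of the URL path, or no_ext when there is none (for example "/")."""
    ext = splitext(urlsplit(url).path)[1]
    return ext[1:] or "no_ext"

def find_entry(ftype, policy=POLICY):
    """Assumed precedence: an explicit name first, then the first matching wildcard."""
    for entry in policy:
        if entry["name"] == ftype:
            return entry
    for entry in policy:
        if fnmatchcase(ftype, entry["name"]):   # case-sensitive match
            return entry
    return None

def check(url, request_len, post_len=0, policy=POLICY):
    """Return the violations for one request; an empty list means it passes."""
    parts = urlsplit(url)
    ftype = file_type(url)
    entry = find_entry(ftype, policy)
    if entry is None:
        return [f"illegal file type: {ftype}"]
    measured = {
        "url": len(parts.path.encode()),      # assumption: path only
        "request": request_len,
        "query": len(parts.query.encode()),
        "post": post_len,
    }
    return [f"{name} length {measured[name]} > {limit}"
            for name, limit in entry["limits"].items()
            if measured[name] > limit]
```

Note that a character-class wildcard such as `[jp][pn]g` also admits unintended types like `jng` or `ppg`, so explicit entries are the tighter choice when the set of types is known.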