cyberoam waf user guide - sophos 10.x...cyberoam web application firewall guide page 4 of 56 preface...
TRANSCRIPT
Version 10 Document version 1.0 – 10.6.3.260 - 29/05/2015
Cyberoam WAF User Guide
Cyberoam Web Application Firewall Guide
Page 2 of 56
Important Notice Cyberoam Technologies Pvt. Ltd. has supplied this Information believing it to be accurate and reliable at the time of printing, but is presented without warranty of any kind, expressed or implied. Users must take full responsibility for their application of any products. Cyberoam Technologies Pvt. Ltd. assumes no responsibility for any errors that may appear in this document. Cyberoam Technologies Pvt. Ltd. reserves the right, without notice to make changes in product design or specifications. Information is subject to change without notice.
USER’S LICENSE Use of this product and document is subject to acceptance of the terms and conditions of Cyberoam End User License Agreement (EULA) and Warranty Policy for Cyberoam UTM Appliances.
You will find the copy of the EULA at http://www.cyberoam.com/documents/EULA.html and the Warranty Policy for
Cyberoam UTM Appliances at http://kb.cyberoam.com.
RESTRICTED RIGHTS Copyright 1999 - 2015 Cyberoam Technologies Pvt. Ltd. All rights reserved. Cyberoam, Cyberoam logo are trademark of Cyberoam Technologies Pvt. Ltd.
Corporate Headquarters Cyberoam Technologies Pvt. Ltd. 901, Silicon Tower, Off. C.G. Road, Ahmedabad – 380006, INDIA Phone: +91-79-66065606 Fax: +91-79-26407640
Web site: www.cyberoam.com
Cyberoam Web Application Firewall Guide
Page 3 of 56
Contents
Preface ............................................................................................................................ 4
Introduction .................................................................................................................... 6
Appliance Administrative Interfaces ............................................................................. 7
Web Admin Console ................................................................................................................... 7
Command Line Interface (CLI) Console ................................................................................... 8
Cyberoam Central Console (CCC) ............................................................................................ 8
Web Admin Console ................................................................................................................... 9
Web Admin Language ........................................................................................................... 10 Supported Browsers .............................................................................................................. 11 Login procedure ..................................................................................................................... 12 Log out procedure ................................................................................................................. 13 Menus and Pages .................................................................................................................. 14 Page ...................................................................................................................................... 16 Icon bar .................................................................................................................................. 17 List Navigation Controls......................................................................................................... 18 Tool Tips ................................................................................................................................ 18 Status Bar .............................................................................................................................. 18 Common Operations ............................................................................................................. 19
Terminologies Used ................................................................................................................. 21
Defacement ........................................................................................................................... 21 Buffer Overflow ...................................................................................................................... 21 URL Parameter Tampering ................................................................................................... 21 Cookie Tampering/poisoning ................................................................................................. 21 SQL Injection ......................................................................................................................... 21 Cross Site Scripting ............................................................................................................... 21 Cross-Site Request Forgery .................................................................................................. 22 Session tampering/hijacking/riding ........................................................................................ 22 Forceful browsing .................................................................................................................. 22
Need of WAF ............................................................................................................................. 23
Cyberoamm WAF ...................................................................................................................... 25
Core Concepts and Technologies ......................................................................................... 26 How Cyberoam WAF works .................................................................................................. 27
Deployment Modes ................................................................................................................... 31
1. Server Hosted on Public IP Address ........................................................................... 31 2. Server Hosted on Private IP Address .......................................................................... 32
Configure WAF .......................................................................................................................... 33
Web Servers .......................................................................................................................... 33 Exception ............................................................................................................................... 46 Global Settings ...................................................................................................................... 53 Alerts...................................................................................................................................... 56
Cyberoam Web Application Firewall Guide
Page 4 of 56
Preface
Welcome to Cyberoam’s – Web Application Firewall Guide.
Cyberoam Unified Threat Management appliances offer identity-based comprehensive security to organizations against blended threats - worms, viruses, malware, data loss, identity theft; threats over applications viz. Instant Messengers; threats over secure protocols viz. HTTPS; and more. They also offer wireless security (WLAN) and 3G wireless broadband and analog modem support can be used as either Active or Backup WAN connection for business continuity.
Cyberoam integrates features like stateful inspection firewall, VPN, Gateway Anti-Virus and Anti- Spyware, Gateway Anti-Spam, Intrusion Prevention System, Content & Application Filtering, Web Application Filtering, Data Leakage Prevention, IM Management and Control, Layer 7 visibility, Bandwidth Management, Multiple Link Management, Comprehensive Reporting over a single platform.
Cyberoam has enhanced security by adding an 8th layer (User Identity) to the protocol stack. Advanced inspection provides L8 user-identity and L7 application detail in classifying traffic, enabling Administrators to apply access and bandwidth policies far beyond the controls that traditional UTMs support. It thus offers security to organizations across layer 2 - layer 8, without compromising productivity and connectivity.
Cyberoam UTM appliances accelerate unified security by enabling single-point control of all its security features through a Web 2.0-based GUI. An extensible architecture and an ‘IPv6 Ready’ Gold logo provide Cyberoam the readiness to deliver on future security requirements.
Cyberoam provides increased LAN security by providing separate port for connecting to the publicly accessible servers like Web server, Mail server, FTP server etc. hosted in DMZ which are visible to the external world and still have firewall protection.
Note
Default Web Admin Console username is ‘admin’ and password is ‘admin’
Cyberoam recommends that you change the default password immediately after installation to avoid unauthorized access.
Cyberoam Web Application Firewall Guide
Page 5 of 56
Technical Support
You may direct all questions, comments, or requests concerning the software you purchased, your registration status, or similar issues to Customer care/service department at the following address:
Corporate Office
Cyberoam Technologies Pvt. Ltd.
901, Silicon Tower
Off C.G. Road
Ahmedabad 380006
Gujarat, India.
Phone: +91-79-66065606
Fax: +91-79-26407640
Web site: www.cyberoam.com
Cyberoam contact:
Technical support (Corporate Office): +91-79-66065777
Email: [email protected]
Web site: www.cyberoam.com
Visit www.cyberoam.com for the regional and latest contact information.
Cyberoam Web Application Firewall Guide
Page 6 of 56
Introduction
Application Security is equivalent to preventing exception either in its security policy, or in the underlying system vulnerabilities in its design, development, or deployment. The rapid growth in technology has increased security threats concurrently. Automation lends sophistication to these threats against the Web applications, thereby addressing the need of security during the development. Developers write the Applications with an emphasis on time-to-market over security. Thus, with constant time to market pressure, a highly vulnerable Web infrastructure environment is created. Regardless of a carefully developed and audited application code, chances of vulnerabilities in the application and the framework that it supports still exist. Integrating various technologies to deploy complex architectures makes it susceptible to numerous vulnerabilities.
Such Applications are open to theft of intellectual property, resulting in business disruption, damage of brand reputation thereby loosing the customer trust. These vulnerabilities prove to be fatal for business directly affecting the revenue by endangering the sensitive data and critical business operations. In many cases, application security is also a legal requirement—such as complying with the PCI Data Security Standards, for example. Therefore, securing Web infrastructure of an organization requires attention, through knowledge and awareness from various areas of IT including the Web development, operations, infrastructure, and security teams.
Cyberoam’s Web Application Firewall (WAF) aids in securing a Web application infrastructure. Cyberoam WAF is an operational security control, monitoring the HTTP and HTTPS traffic and protecting Web applications from attacks.
Note All the screen shots in this Guide are taken from NG series of Appliances. The feature and functionalities however remains unchanged across all Cyberoam Appliances.
Note
WAF is an subscription based module.
WAF feature is not available in CR10iNG, CR15i, CR15wi, CR25ia, CR25wi, CR35ia, CR35wi CR15iNG and CR15wiNG Cyberoam Appliances.
HA failover and load balancing is not supported in WAF.
Cyberoam Web Application Firewall Guide
Page 7 of 56
Appliance Administrative
Interfaces
Appliance can be accessed and administered through:
1. Web Admin Console
2. Command Line Interface Console
3. Cyberoam Central Console
Administrative Access An administrator can connect and access the Appliance through HTTP, HTTPS, telnet, or SSH services. Depending on the Administrator login account profile used for access, an administrator can access number of Administrative Interfaces and Web Admin Console configuration pages.
Appliance is shipped with two administrator accounts and four administrator profiles.
Administrator Type Login Credentials Console Access Privileges
Super Administrator admin/admin Web Admin Console CLI console
Full privileges for both the consoles. It provides read-write permission for all the configuration performed through either of the consoles.
Default cyberoam/cyber Web Admin console only
Full privileges. It provides read-write permission for all the configuration pages of Web Admin console.
Note We recommend that you change the password of both the users immediately on deployment.
Web Admin Console
Web Admin Console is a web-based application that an Administrator can use to configure, monitor, and manage the Appliance.
You can connect to and access Web Admin Console of the Appliance using HTTP or a HTTPS connection from any management computer using web browser:
1. HTTP login: http://<LAN IP Address of the Appliance>
2. HTTPS login: https://<LAN IP Address of the Appliance>
For more details, refer section Web Admin Console.
Cyberoam Web Application Firewall Guide
Page 8 of 56
Command Line Interface (CLI) Console
Appliance CLI console provides a collection of tools to administer, monitor and control certain Appliance component. The Appliance can be accessed remotely using the following connections:
1. Remote login Utility – TELNET login
To access Appliance from command prompt using remote login utility – Telnet, use command TELNET <LAN IP Address of the Appliance>. Use administrator password to login.
Note Default password of TELNET connection for CLI Console is “admin”.
2. SSH Client (Serial Console)
SSH client securely connects to the Appliance and performs command-line operations. CLI console of the Appliance can be accessed via any of the SSH client using LAN IP Address of the Appliance and providing Administrator credentials for authentication.
Note Start SSH client and create new Connection with the following parameters: Host – <LAN IP Address of the Appliance> Username – admin Password – admin
Use CLI console for troubleshooting and diagnose network problems in details. For more details, refer version specific Console Guide available on http://docs.cyberoam.com/.
Cyberoam Central Console (CCC)
Distributed Cyberoam Appliances can be centrally managed using a single Cyberoam Central Console (CCC) Appliance, enabling high levels of security for Managed Security Service Provider (MSSPs) and large enterprises. To monitor and manage Cyberoam using CCC Appliance you must:
1. Configure CCC Appliance in Cyberoam
2. Integrate Cyberoam Appliance with CCC using: Auto Discovery, Manually
Once you have added the Appliances and organized them into groups, you can configure single Appliance or groups of Appliances.
For more information, please refer CCC Administrator Guide.
Cyberoam Web Application Firewall Guide
Page 9 of 56
Web Admin Console
CyberoamOS uses a Web 2.0 based easy-to-use graphical interface termed as Web Admin Console to configure and manage the Appliance.
You can access the Appliance for HTTP and HTTPS web browser-based administration from any of the interfaces. Appliance when connected and powered up for the first time, it will have a following default Web Admin Console Access configuration for HTTP and HTTPS services.
Services Interface/Zones Default Port
HTTP LAN, WAN TCP Port 80
HTTPS WAN TCP Port 443
The administrator can update the default ports for HTTP and HTTPS services from System >
Administration > Settings.
Cyberoam Web Application Firewall Guide
Page 10 of 56
Web Admin Language
The Web Admin Console supports multiple languages, but by default appears in English. To cater to its non-English customers, apart from English, Chinese-Simplified, Chinese-Traditional, Hindi, Japanese and French languages are also supported. Administrator can choose the preferred GUI language at the time of logging on.
Listed elements of Web Admin Console will be displayed in the configured language:
Dashboard Doclet contents
Navigation menu
Screen elements including field & button labels and tips
Error messages
Cyberoam Web Application Firewall Guide
Page 11 of 56
Supported Browsers
You can connect to the Web Admin Console of the Appliance using HTTP or a secure HTTPS connection from any management computer using one of the following web browsers:
Browser Supported Version
Microsoft Internet Explorer Version 8+
Mozilla Firefox Version 3+
Google Chrome All versions
Safari 5.1.2(7534.52.7)+
Opera 15.0.1147.141+
The minimum screen resolution for the management computer is 1024 X 768 and 32-bit true xx-color.
The Administrator can also specify the description for firewall rule, various policies, services and various custom categories in any of the supported languages.
All the configuration done using Web Admin Console takes effect immediately. To assist you in configuring the Appliance, the Appliance includes a detailed context-sensitive online help.
Cyberoam Web Application Firewall Guide
Page 12 of 56
Login procedure
The log on procedure authenticates the user and creates a session with the Appliance until the user logs-off.
To get to the login window, open the browser and type the LAN IP Address of Cyberoam in the browser’s URL box. A dialog box appears prompting you to enter username and password.
Screen – Login Screen
Screen Element Description
Username
Enter user login name.
If you are logging on for the first time after installation, use the default username.
Password
Specify user account password.
Dots are the placeholders in the password field.
If you are logging on for the first time after installation with the default username, use the default password.
Language
Select the language. The available options are Chinese-Simplified, Chinese-Traditional, English, French, and Hindi.
Default – English
Log on to
To administer Cyberoam, select ‘Web Admin Console’
To view logs and reports, select “Reports”.
To login into your account, select “My Account”.
Login button Click to log on the Web Admin Console.
Screen – Login screen elements
The Dashboard appears as soon as you log on to the Web Admin Console. It provides a quick and fast overview of all the important parameters of your Appliance.
Cyberoam Web Application Firewall Guide
Page 13 of 56
Log out procedure
To avoid un-authorized users from accessing Cyberoam, log off after you have finished working. This will end the session and exit from Cyberoam.
To log off from the Appliance, click the button located at the top right of any of the Web Admin Console pages.
Cyberoam Web Application Firewall Guide
Page 14 of 56
Menus and Pages
The Navigation bar on the leftmost side provides access to various configuration pages. This menu consists of sub-menus and tabs. On clicking the menu item in the navigation bar, related management functions are displayed as submenu items in the navigation bar itself. On clicking submenu item, all the associated tabs are displayed as the horizontal menu bar on the top of the page. To view a page associated with the tab, click the required tab.
The left navigation bar expands and contracts dynamically when clicked on without navigating to a submenu. When you click on a top-level heading in the left navigation bar, it automatically expands that heading and contracts the heading for the page you are currently on, but it does not navigate away from the current page. To navigate to a new page, first click on the heading, and then click
on the submenu you want navigate to. On hovering the cursor upon the up-scroll icon or the
down-scroll icon , automatically scrolls the navigation bar up or down respectively.
The navigation menu includes following modules:
System – System administration and configuration, firmware maintenance, backup - restore
Objects – Configuration of various policies for hosts, services, schedules and file type
Networks – Network specific configuration viz., Interface speed, MTU and MSS settings, Gateway, DDNS
Identity – Configuration and management of User and user groups
Firewall – Firewall Rule Management
VPN – VPN and SSL VPN access configuration
IPS – IPS policies and signature
Cyberoam Web Application Firewall Guide
Page 15 of 56
Web Filter – Web filtering categories and policies configuration
Application Filter – Application filtering categories and policies configuration
WAF – Web Application Filtering policies configuration. Available in all the models except CR15iNG and CR15wiNG.
IM – IM controls
QoS – Policy management viz., surfing quota, QoS, access time, data transfer
Anti Virus – Antivirus filtering policies configuration
Anti Spam – Anti Spam filtering policies configuration
Traffic Discovery – Traffic monitoring
Logs & Reports – Logs and reports configuration
Note
Use F1 key for page-specific help.
Use F10 key to return to Dashboard.
Each section in this guide shows the menu path to the configuration page. For example, to reach the Zone page, choose the Network menu, then choose Interface sub-menu from the navigation
bar, and then choose Zone tab. Guide mentions this path as Network > Interface > Zone.
Cyberoam Web Application Firewall Guide
Page 16 of 56
Page
A typical page looks as shown in the below given image:
Screen – Page
Cyberoam Web Application Firewall Guide
Page 17 of 56
Icon bar
The Icon bar on the upper rightmost corner of every page provides access to several commonly used functions like:
1. Dashboard – Click to view the Dashboard
2. Wizard – Opens a Network Configuration Wizard for a step-by-step configuration of the network parameters like IP Address, subnet mask and default gateway for your Appliance.
3. Report – Opens a Reports page for viewing various usage reports. Integrated Logging and Reporting solution - iView, to offer wide spectrum of 1000+ unique user identity-based reporting across applications and protocols and provide in-depth network visibility to help organizations take corrective and preventive measures.
This feature is not available for CR15xxxx series of Appliances.
4. Console – Provides immediate access to CLI by initiating a telnet connection with CLI without closing Web Admin console.
5. Logout – Click to log off from the Web Admin Console.
6. More Options – Provides options for further assistance. The available options are as follows:
Support – Opens the customer login page for creating a Technical Support Ticket. It is fast, easy and puts your case right into the Technical Support queue.
About Product – Opens the Appliance registration information page.
Help – Opens the context – sensitive help page.
Reset Dashboard – Resets the Dashboard to factory default settings.
Lock – Locks the Web Admin Console. Web Admin Console is automatically locked if the Appliance is in inactive state for more than 3 minutes. To unlock the Web Admin Console you need to re-login. By default, Lock functionality is disabled. Enable Admin Session Lock
from System > Administration > Settings.
Reboot Appliance – Reboots the Appliance.
Shutdown Appliance – Shut downs the Appliance.
Cyberoam Web Application Firewall Guide
Page 18 of 56
List Navigation Controls
The Web Admin Console pages display information in the form of lists that are spread across the multiple pages. Page Navigation Control Bar on the upper right top corner of the list provides navigation buttons for moving through the list of pages with a large number of entries. It also includes an option to specify the number entries/records displayed per page.
Tool Tips
To view the additional configuration information use tool tip. Tool tip is provided for many
configurable fields. Move the pointer over the icon to view the brief configuration summary.
Status Bar
The Status bar at the bottom of the page displays the action status.
Cyberoam Web Application Firewall Guide
Page 19 of 56
Common Operations
Adding an Entity
You can add a new entity like policy, group, user, rule, ir host by clicking the Add button available on most of the configuration pages. Clicking this button either opens a new page or a pop-up window.
Editing an Entity
All the editable entities are hyperlinked. You can edit any entity by clicking either the hyperlink or the
Edit icon under the Manage column.
Deleting an Entity
You can delete an entity by selecting the checkbox and clicking the Delete button or Delete icon.
To delete multiple entities, select individual entity and click the Delete button.
To delete all the entities, select in the heading column and click the Delete button.
Cyberoam Web Application Firewall Guide
Page 20 of 56
Sorting Lists
To organize a list spread over multiple pages, sort the list in ascending or descending order of a column attribute. You can sort a list by clicking a column heading.
Ascending Order icon in a column heading indicates that the list is sorted in ascending order of the column attribute.
Descending Order icon in a column heading indicates that the list is sorted descending order of the column attribute.
Filtering Lists
To search specific information within the long list spread over multiple pages, filter the lists. Filtering criteria vary depending on a column data and can be a number or an IP address or part of an address, or any text string combination.
To create filter, click the Filter icon in a column heading. When a filter is applied to a column,
the Filter icon changes to .
Configuring Column Settings
By default on every page all columnar information is displayed but on certain pages where a large number of columnar information is available, all the columns cannot be displayed. It is also possible that some content may not be of use to everyone. Using column settings, you can configure to display only those numbers of columns which are important to you.
To configure column settings, click Select Column Settings and select the checkbox against the columns you want to display and clear the checkbox against the columns that you do not want to display. All the default columns are greyed and not selectable.
Cyberoam Web Application Firewall Guide
Page 21 of 56
Terminologies Used
Defacement
Defacement, in Web site security terminology, describes a form of vandalism in which a Web site or Web page is altered or marred by an unauthorized individual or process. Generally, it is done by logging on administrator’s account by means of SQL injections. The information on the Web site or Web page is often replaced with undesirable information. This damages the reputation of the organization, leaving Website’s visitors with an impression that the Website may be insecure and hence turn them off in order to protect its own property.
Buffer Overflow
Buffer overflow is the condition that occurs when the data transferred to a buffer via a program exceeds the storage capacity of that buffer and overflows into adjacent or other buffers, corrupting the data already contained in them.
Unauthorized users overwrite data that control the program execution by launching a buffer overflow attack. They hijack and control the program to execute the malicious code instead of actual process code.
URL Parameter Tampering
Parameter Tampering is a type of Web-based attack in which certain query string parameter values of a Uniform Resource Locator (URL) sent to a Web site are altered in order to obtain unauthorized information. By doing so, unauthorized users can access the database and retrieve and/or modify its contents.
Cookie Tampering/poisoning
Cookie poisoning is modification of a cookie by an unauthorized person to gain access and control of the data within a cookie for malicious motives like theft of bank account details, etc.
SQL Injection
A SQL injection attack is insertion or “injection” of a malicious code (SQL query) in to user input variables, which are coupled with SQL commands and executed. The attacker then forces database to execute the harmful SQL code that could potentially ruin database tables or to retrieve valuable information from database.
Cross Site Scripting
Cross-site scripting attacks are security vulnerability caused due to injection of malicious HTML tags or client side scripting code into HTML form fields of a Web page. On execution, this malicious script can access cookies, session tokens, or other sensitive information retained by the Web browser or may modify the information of the Web page.
Cyberoam Web Application Firewall Guide
Page 22 of 56
Cross-Site Request Forgery
A Cross-Site Request Forgery (CSRF) attack is the one in which a request by malicious Website is sent to a Web application that a user is already authenticated against from a different Website. CSRF takes advantage of the trust that a Website lays in a user’s browser.
Session tampering/hijacking/riding
Session hijacking is a method that takes over a TCP session, which is still in progress between two machines after obtaining or generating an authentication session ID and masquerading as the authorized user.
Forceful browsing
Forced browsing is XSRF attack in which user without a prior knowledge is forced to browse a content to gain access to resources, which are referenced yet are accessible. One of the methods implemented to enforce this attack is by manipulating the URL of the Web page and deleting sections from the end until an unprotected directory is found.
Cyberoam Web Application Firewall Guide
Page 23 of 56
Need of WAF
Prior to touching the subject “Need of WAF”, it is vital to understand the basic difference between a firewall, IPS/IDS, and a WAF. Each of them is a crucial security device, ensuring the protection of organization’s environment and sensitive data in diverse ways. A firewall generally, controls who can access what data at which time. An IPS/IDS detect packets and validates them on the bases of signatures that are often provided by vendors, blocking the invalid or malicious packets. A WAF, besides inspecting the packet will also verify the full request and response at the Application Layer.
User interaction to a Web Application includes HTTP/HTTPS methods, URL’s, session IDs, cookies, etc. Intruders today, uses XSS, XRSF, SQL injection, session hijacking, buffer overflows to attack Web Applications hosted in private data centers or within the organization’s local network. Several organizations depend on the network firewall and IPS/IDS to protect Web application threats. Is this solution adequate? The answer is “No”! Let us see why.
Firewall indeed safeguards the organization from network layer attacks but they permit application layer HTTP and HTTPS traffic to Web servers. Unauthorized users take advantage of this and implant attacks URL tampering, cross-site scripting, forceful browsing, SQL injection into Web traffic with the help of allowed application protocols, which effortlessly bypasses the network firewall. This is because, a traditional network firewall secures the third and fourth of the seven layers of the OSI model and fail to understand protocols and Web Application. Thus, a network firewall fails to control/filter sensitive data embedded in server responses, as it cannot validate user inputs to a Web Application and most of all do not have understanding about session data, limiting its effectiveness against Web application attacks.
IPS/IDS monitor the network traffic by matching the data within packets with data in a signature database. IPS takes an appropriate action if an anomaly is detected in the traffic and is suspected to be a threat. However, they fail to understand logic of Web application protocol and cannot differentiate between normal and malicious Web application request. Thus, it is possible, IPS allows an attack to pass without a detection or prevention if a signature for the attack does not exist within the signature database.
WAF deployment mitigates the risk of potentially vulnerable Web application. WAF unlike Firewall and IPS/IDS, keeps an eye on behavior of the Web request and response and provides protection at layer 7 – application layer of OSI model. They protect Web applications from the most common
Cyberoam Web Application Firewall Guide
Page 24 of 56
and dangerous attacks by meticulously auditing the IP packets or protocols and analyzing the application logics. WAF verifies each request and response present in various Web service layers viz., HTTP, HTTPS. WAFs protect against OWASP Top 10 threats like cross-site scripting, session hijacking, SQL injection, parameter tampering, etc.
Cyberoam Web Application Firewall Guide
Page 25 of 56
Cyberoamm WAF
Cyberoam Web Application Firewall (WAF) provides protection to applications in real time, rather than fixing them in advance or hardening them. Cyberoam WAF sits between the Web Server and the Internet-facing firewall, accepting all the client connection requests. It then analyzes HTTP/HTTPS traffic between a client browser and Web server at layer 7 (a whole session, not packets) and validates the requests received before allowing them to be processed by the Web/application server through a separate connection. This protects applications from attacks aimed at exploiting vulnerabilities found in the applications.
Depending upon various criteria including patterns of known/unknown attacks, protocol standards and anomalous application traffic, the Cyberoam WAF has the capability to enforce security policies. Although the prime focus lays on Layer 7 – the application layer, however it is not exclusively on it. It provides shielding against other form of attacks as well, like cookie tampering, forceful browsing, hidden field tampering etc. These tools typically protect against the classes of "user-induced" vulnerability in configured applications or in custom-developed code that make Web applications open to attacks, such as cross-site scripting, directory traversal and forced URL browsing. A WAF shields, however does not "fix" the underlying vulnerability. WAF reporting can be used to optimize the level of security.
Diagram – Cyberoam Web Application Firewall (WAF)
Cyberoam WAF implements Positive security model, a comprehensive security method, providing an independent input validation envelope to an application. Positive security follows a methodology “allow only what I know” “moving away from “blocked,” end of the spectrum. The Cyberoam Web Application Firewall enforces a positive security model through Intuitive Website Flow Detector to automatically identify and block all application layer attacks without relying on signature tables or pattern matching techniques. The Web Application Firewall considers defined Web application behavior as “good”. Any deviation is considered “bad”, or malicious, and is blocked accordingly. This provides security against “zero day attacks” and eliminates the need to manually populate and update signature tables. The Intuitive Website Flow Detector automatically adapts to changes in the Website.
Cyberoam Web Application Firewall Guide
Page 26 of 56
Core Concepts and Technologies
Intuitive Website Flow Detector
Cyberoam WAF utilizes Intuitive Website Flow Detector to implement a positive protection model, ensuring usage of the Website and its applications exactly as intended.
For example, consider HTML form with a text field intended to accept a maximum of 50 characters (<input type=”text” maxlength=”50”…>). When the text field is sent back to the server in an HTTP POST or GET request and if it contains beyond 50 characters, it will be blocked by Cyberoam WAF for violating the intended guideline. Similar is true for hidden form fields, URL query strings, cookie values, and other common targets of application manipulation attacks.
Intuitive Website Flow Detector also manages access to Web resources. All the Requests for URI’s, which is not a part of the Web site, are blocked. For example, the URI /admin/ will be blocked, if it is not declared (as an <a href= “/admin/”…> for example) in a Web page somewhere on the site. In other words, an existing resource on the Web server will be blocked, if it is not intended to be accessed over the Web. With this approach, since both known and unknown URI-based worms will never be a legitimate part of any Web site, Cyberoam WAF safeguards the applications from the so-called “zero-day” attacks. This approach is diagonally different from signature recognition technique, which is limited to block the explicitly recognized attacks.
Cyberoam Web Application Firewall Guide
Page 27 of 56
How Cyberoam WAF works
Cyberoam WAF is placed between the Web/application server and the Internet-facing firewall. All the client connection requests received are accepted. Each request is then validated as per intended guidelines. Only if the request is valid, the Web/application server using a separate connection processes it.
Schematic Diagram
As illustrated above, incoming traffic is limited by the Internet-facing network firewall to the standard HTTP/HTTPS. Cyberoam WAF accepts the received client connections request that pass through the network firewall. To ensure that request received from the client conform to the intended guidelines, the HTTP specification, and any user-defined policies, it is evaluated by Cyberoam WAF. Using a separate connection generally a non-standard TCP port, the valid request is forwarded on to the Web/application server. In case the request is invalid it is blocked and never processed by the Web/application server.
Cyberoam WAF uses a sophisticated technology “Intuitive Website Flow Detector” that automatically identifies and enforces intended guidelines in real time. Any modification to Web site is recognized automatically since Intuitive Website Flow Detector works in real time, with no requirement for cumbersome, time-consuming “training”. This ability of Cyberoam WAF enormously
Cyberoam Web Application Firewall Guide
Page 28 of 56
reduces installation, setup, and on-going administration time.
Intuitive Website Flow Detector begins examining the outgoing HTTP/HTTPS responses (typically HTML content, either static or dynamically-generated) to identify the intended guidelines after defining at least one “entry point” URI in the application (“/” by default). HTTP/HTTPS requests from clients (typically Web browsers such as Internet Explorer or Netscape Navigator) subsequently are validated before being forwarded on to the Web server (for example, IIS or Apache).
Intuitive Website Flow Detector ensures each HTTP/HHTPS request follows 3 step validation process:
Step 1. HTTP Specification Validation.
Diagram - HTTP Specification Validation
User sends a request to access Web site (www.abcretaillogin.com). Cyberoam WAF receives and validates the request for the protocol compliance HTTP 1.0/1.1. If the received request is found valid, it is forwarded to the Web Server. Web Server will respond with requested content (www.abcretaillogin.com/index.htm) which contains resources list like (“myaccount.htm”, Image\Imaege1.gif)
Cyberoam Web Application Firewall Guide
Page 29 of 56
Step 2. Intuitive Web Flow detector.
Diagram – Intuitive Web Flow Detector
Once the request is found legitimate and is sent to the Web server, Cyberoam creates rules dynamically (for resources like “myaccount.htm”, Image\Imaege1.gif) depending on the response received from the Web server. Exceptions, if configured, are allowed by Cyberoam and user can access them directly without being interrupted by Intuitive Guide Lines. Only legitimate request is forwarded to the Web server. A request if found to be a non RFC compliant protocol traffic or violating intended usage guidelines,, Cyberoam drops it, creating a rule dynamically for it. An alert notification in the form of email or a network “pop-up” message, and/or HTTP is sent as per the user preference.
Cyberoam Web Application Firewall Guide
Page 30 of 56
Step 3. User Define policies.
Diagram – User Defined Policies
If the user request (www.abcretaillogin.com/probe.htm) is received for which a dynamic rule do not exist in intended usage guidelines, Cyberoam WAF blocks the same and sends an error message (403 forbidden).
In order to allow the request that do not exist within the intended usage guidelines, an exception must be created by defining the user policies to override intended usage guidelines.
Cyberoam Web Application Firewall Guide
Page 31 of 56
Deployment Modes
Cyberoam deployment is usually done within a data center of an organization, which also comprises of other zones viz., LAN zone, DMZ zone, etc. Server farm consisting of several Web servers, are hosted within the DMZ zone. The Administrator needs to publish the Web servers via Cyberoam WAF. One of the following two methods can achieve this:
1. Server hosted on Public IP Address 2. Server hosted on Private IP Address
1. Server Hosted on Public IP Address
Web server might have a public IP directly assigned to actual physical server without any NAT.
A user sends a HTTP/HTTPS request to access a Web server (here the request is to access Web server 61.10.15.18).
Cyberoam WAF receives the request. It validates the request depending on the level of scanning methodology.
If the received request is valid, the request is sent to the respective Web server.
However, if the request fails the validation and is found to be malicious, it will be dropped and thus not sent to Web server.
Alert notifications are sent (depending on user preferences) in the form of email, network “pop-up” message, and/or HTTP.
Cyberoam Web Application Firewall Guide
Page 32 of 56
2. Server Hosted on Private IP Address
In this deployment scenario, a Web server 10.10.10.2 is published via a public IP Address 61.10.15.18 using Cyberoam WAF.
A user sends a HTTP/HTTPS request for a public IP Address (here the request is sent for IP Address 61.10.15.18) to access a Web server that is hosted on private IP Address (Here private IP Address of Web server is 10.10.10.2).
Cyberoam WAF receives the request. It validates the request depending on the level of scanning methodology.
If the received request is valid, the request is sent to the respective Web server (Using Network Address Translation).
However, if the request fails the validation and is found to be malicious, it will be dropped and thus not sent to Web server.
Alert notifications are sent (depending on user preferences) in the form of email, network “pop-up” message, and/or HTTP.
Cyberoam Web Application Firewall Guide
Page 33 of 56
Configure WAF
Web Servers
Global Settings
Alerts
Web Servers
In order to scan traffic for all your web servers, the appliance must know which IP addresses and HTTP Host names to protect. The appliance protects all the web servers whether hosted privately or publicly. These web servers are protected by the appliance, and are the recipients of traffic that is forwarded or allowed to pass through by the appliance.
The Web Server page provides list of all the web servers configured and you can filter the list based on the web server name. You can also sort the list based on web server name. The page provides option to add a new web server, update settings of the web server, and delete the server.
Note On adding a Web Server, a default Exception and a Firewall Rule is created for the same.
Use WAF > Web Servers to view to Web Server and Exception details.
Web Server
Exceptions
Web Server
Web Server provides interface to add servers that are to be safe-gaurded by WAF. Web Server page displays list of servers and provides a way to manage them.
To configure Web Server, go to WAF > Web Servers > Web Server.
Screen – Web Server
Manage Web Servers
Screen Elements Description
Name Name to identify the Web Server.
Public IP/FQDN The Public IP Address or FQDN to which the Web Server is
Cyberoam Web Application Firewall Guide
Page 34 of 56
added.
Private IP The Private IP Address to which the Web Server is added.
Domains Domains protected by the Web Server.
Public Port Port number through which Web Server communicates.
Table – Web Server
Web Server Parameters
To add or edit Web Server, go to WAF Web Server. Click Add Button to add a new rule or Edit Icon to modify the details of the rule. Web Server Rule Parameters are given below.
Note On adding a Web Server, a default Exception and a Firewall Rule is created for the same.
Screen – Web Server Parameters
Screen Elements Description
Web Server Name Specify name to identify the Web Server.
Zone Specify zone to which the Web Server rule applies.
Cyberoam Web Application Firewall Guide
Page 35 of 56
Web Server Hosted On Select from the available options on which the Web Server is to be hosted.
Available Options:
Public IP/FQDN – If selected, choose from following:
1. IP Address – If selected, choose from available IP Host or add an IP Host.
2. FQDN Host – If selected, choose from available FQDN Host or add a FQDN Host.
Private IP – If selected, choose or add IP Host for each of the following available options:
1. Public IP Address. 2. Private IP Address.
Web Server Protocol Select Web Server Protocol from the following available options:
1. Only HTTP 2. Only HTTPS 3. HTTP & HTTPS
Advanced Settings
The WAF Advanced Settings allows you to customize Web Server configurations. In most cases, the advanced settings on this screen should remain at their default values.
Performance Tuning
Screen – Performance Tuning Parameters
Max Connections Provide the maximum number of client connections that can be served simultaneously.
Minimum number of connections: 50
Maximum number of connections: 9999
By default, the value of maximum number of client connections is 5000.
Max listen queue Listening queue shall be used once the threshold for maximum connections is reached.
Minimum number of connections: 10
Maximum number of connections: 999
By default, the value of maximum number of pending connections allowed in listening queue is 511.
Cyberoam Web Application Firewall Guide
Page 36 of 56
Keep alive timeout Provide the time in seconds for a subsequent request to wait before closing a connection.
Minimum number of Seconds: 5
Maximum number of Seconds: 999
By default, value for Keep Alive timeout is 15 seconds.
Enable Form Validation
Click to enable HTML form elements validation.
By default, form validation is in enable mode.
If enabled, to combat SQL command injection and cross-site scripting attacks, specify the dangerous characters to be filtered transparently from user input for each of the HTML parameters.
Enable Cookie Validation
Click to enable HTTP and HTTPS name/value cookie validation.
By default, cookie validation is in enable mode.
If enabled, select/specify the validation parameters.
Override Global Settings
Screen – Override Global Settings
Click to override the global settings for the respective Web Server.
Default – Disable
Cyberoam Web Application Firewall Guide
Page 37 of 56
If enabled, select/specify the Global Settings parameters.
Table – Web Server Parameters
Cyberoam Web Application Firewall Guide
Page 38 of 56
Web Server Protocol
1. Only HTTP
Screen – Only HTTP
Screen Elements Description
Web Serve HTTP Port Provide a HTTP Port number.
By default, the port number is 80.
Note If the Web Server is hosted on a private IP Address/host then provide a public and a private HTTP Port numbers. In this case, by default, both the public port number and the private port number will be 80.
SSL Offloading Click to enable SSL Offloading.
By default, form validation is in disable mode.
Published HTTPS Port Provide a HTTPS Port number.
By default, the port number is 443.
Note If the Web Server is hosted on a private IP Address/host then provide a public and a private HTTP Port numbers. In this case, by default, both the public port number and the private port number will be 443.
Cyberoam Web Application Firewall Guide
Page 39 of 56
Allow HTTP Traffic Also
Click to enable allow HTTP traffic.
By default, form validation is in disable mode.
Certificate A digital certificate is a document that guarantees the identity of an entity.
WAF uses certificate for secured communication for any request received for the Web Server.
In case of SSL offloading, certificate is exchanged between client and WAF.
Select a Certificate from the available list.
Certificate Authority A certificate signed by a Certificate Authority (CA) identifies the owner of a public key.
Select a Certificate Authority from the available list.
Allow SSLv2 Select Yes to allow SSLv2 client connection.
Default – No
Allow Weak Ciphers Select Yes to allow weak ciphers.
Default – No
Domains to protect Choose domains to be protected from the following available option:
1. All domains hosted on selected Web Server Host.
2. Specific domains hosted on Web Server Host.
In this case, select a domain or add a domain.
Default – All domains hosted on selected Web Server Host.
Back to top
Table – Only HTTP
Cyberoam Web Application Firewall Guide
Page 40 of 56
2. Only HTTPS
Screen – Only HTTPS
Screen Elements Description
Web Server HTTPS Port
Provide a HTTPS Port number.
By default the port number is 443
Note If the Web Server is hosted on a private IP Address/host then provide a public and a private HTTP Port numbers. In this case, by default, both the public port number and the private port number will be 443.
Certificate A digital certificate is a document that guarantees the identity of an entity.
WAF uses certificate for secured communication for any request received for the Web Server.
Select a Certificate from the available list.
Certificate Authority A certificate signed by a Certificate Authority (CA) identifies the owner of a public key.
Select a Certificate Authority from the available list.
Allow SSLv2 Select Yes to allow SSLv2 client connection.
Default – No
Allow Weak Ciphers Select Yes to allow weak ciphers.
Default – No
Domains to protect Choose domains to be protected from the following available option:
1. All domains hosted on selected Web Server Host.
Cyberoam Web Application Firewall Guide
Page 41 of 56
2. Specific domains hosted on Web Server Host.
In this case, select a domain or add a domain.
Default – All domains hosted on selected Web Server Host.
Back to top
Table – Only HTTPS
3. HTTP & HTTPS
Screen – HTTP & HTTPS
Screen Elements Description
Web Server HTTP Port Provide a HTTP Port number.
By default, the port number is 80.
Note If the Web Server is hosted on a private IP Address/host then provide a public and a private HTTP Port numbers. In this case, by default, both the public port number and the private port number will be 80.
Web Server HTTPS Port
Provide a HTTPS Port number.
By default the port number is 443
Note If the Web Server is hosted on a private IP Address/host then provide a public and a private HTTP Port numbers. In this case, by default, both the public port number and the private port
Cyberoam Web Application Firewall Guide
Page 42 of 56
number will be 443.
Certificate A digital certificate is a document that guarantees the identity of an entity.
WAF uses certificate for secured communication for any request received for the Web Server.
Select a Certificate from the available list.
Certificate Authority A certificate signed by a Certificate Authority (CA) identifies the owner of a public key.
Select a Certificate Authority from the available list.
Allow SSLv2 Select Yes to allow SSLv2 client connection.
Default – No
Allow Weak Ciphers Select Yes to allow weak ciphers.
Default – No
Domains to protect Choose domains to be protected from the following available option:
1. All domains hosted on selected Web Server Host.
2. Specific domains hosted on Web Server Host.
In this case, select a domain or add a domain.
Default – All domains hosted on selected Web Server Host.
Back to top
Table – HTTP & HTTPS
Cyberoam Web Application Firewall Guide
Page 43 of 56
Enable Form Validation
Screen – Form Validation
Screen Elements Description
Text Specify the characters that require to be filtered transparently.
By default, the value of this field is <, >, ", ', ;, (, ).
Select one of the following actions in case the input is one of the specified characters:
1. Alert
2. Block
By default, an alert is generated.
Text-Area Specify the characters that require to be filtered transparently.
By default, the value of this field is <, >, ", ', ;, (, ).
Select one of the following actions in case the input is one of the specified characters:
1. Alert
2. Block
By default, the alert is generated.
Password Specify the characters that require to be filtered transparently.
By default, the value of this field is <, >, ", ', ;, (, )..
Select one of the following actions in case the input is one of the specified characters:
1. Alert
2. Block
Cyberoam Web Application Firewall Guide
Page 44 of 56
By default, the alert is generated.
Form Clean-up Click to enable HTML form clean-up.
By default, form clean-up is in enable mode.
If enabled, specify the number of days and hours. HTML forms older than the specified duration shall be cleaned up/ purged.
Minimum number of days: 0
Maximum number of days: 365
Minimum number of Hours: 0
Maximum number of Hours: 23
Default – 15 Days and 0 hours
Back to top
Table – Form Validation
Enable Cookie Validation
Screen – Cookie Validation
Screen Elements Description
Enable Strict Cookie Validation
Click to enable blocking of the request that contains a tampered cookie, thereby avoiding it to be forwarded on to the Web Server.
When a request containing a tampered cookie is received and cookie validation is in disable mode, then the tampered cookie will be stripped - off from request and the request will be forwarded to Web Server.
Default – Disable
Enable Transition Click to allow cookie attributes and values that cannot be
Cyberoam Web Application Firewall Guide
Page 45 of 56
Period validated.
It will be effective from the time cookie validation is enabled.
Default – Enable
Minimum number of days: 0
Maximum number of days: 365
Minimum number of Hours: 0
Maximum number of Hours: 23
Default – 6 Days and 0 hours
Enable Cookie Cleanup
Click to enable HTTP - HTTPS cookie cleanup.
Default – Enable
If enabled, specify the number of days and hours. HTTP- HTTPS cookies older than the specified duration will be removed.
Minimum number of days: 0
Maximum number of days: 365
Minimum number of Hours: 0
Maximum number of Hours: 23
Default – 15 Days and 0 hours
Back to top
Table – Cookie Validation
Cyberoam Web Application Firewall Guide
Page 46 of 56
Exception
Exceptions are the parameters on which WAF configuration are not applicable. They can be added only for configured Web Servers.
To configure an Exception, go to WAF > Web Server > Exception.
Screen – Exceptions
View the list of Exception
Screen Elements Description
Add Button Add new Exception.
Exception Name Displays the name of Exception.
Exception Type Displays the Type of Exception.
Web Server Displays the name of the Web Server for which the exception is created.
URL/Directory/URI Displays URL/Directory/URI path.
Edit Icon Edit exception.
Delete Icon Delete Web Server.
Delete Button Delete Web Server.
Table – Exceptions
Add Exception Parameters
To add an Exception, go to WAF Web Server Exception and click Add.
Cyberoam Web Application Firewall Guide
Page 47 of 56
Screen – Add Exceptions
Screen Elements Description
Exception Name Provide name to exception.
Exception Type Select the type of the exception from the available options.
The available options are as follows:
1. Entry Point 2. Unprotected Directories 3. Filter Exception 4. Cookie Exception 5. Form Exception
Web Server Select the Web Server for which the exception is created.
URL / Directory /URI Provide URL / Directory / URI path
URL / Directory Properties
Select the properties to be applied on URL / Directory from following options:
Available Options:
HTTPS – Select if entry point/directory is to be accessed via an encrypted connection.
Ignore Case – Select if the entry point / directory validation should not be case sensitive.
RegEx – Select if the URL / Directory is a regular expression.
Edit Icon Edit exception
Delete Icon Delete Web Server.
Delete Button Delete Web Server.
Table – Add Exceptions
Cyberoam Web Application Firewall Guide
Page 48 of 56
Edit Exception Parameters
To add an Exception, go to WAF Web Server Exception and click the Edit icon in
the Manage column against the Exception to be modified.
Screen – Add Exceptions
Screen Elements Description
Exception Name Provide name to exception.
Exception Type Select the type of the exception from the available options.
The available options are as follows:
1. Entry Point 2. Unprotected Directories 3. Filter Exception 4. Cookie Exception 5. Form Exception
Table – Add Exceptions
Exception Type
1. Entry Point
Screen – Entry Point
Cyberoam Web Application Firewall Guide
Page 49 of 56
Screen Elements Description
Web Server Select the Web Server for which the exception is to be created.
URL/Directory Provide a URL/Directory path.
URL/Directory Properties
Select the properties to be applied on URL / Directory from following options:
Available Options:
HTTPS – Select if entry point/directory is to be accessed via an encrypted connection.
Ignore Case – Select if the entry point / directory validation should not be case sensitive.
RegEx – Select if the URL / Directory is a regular expression.
Back to top
Table – Entry Point
2. Unprotected Directories
Screen – Unprotected Directories
Screen Elements Description
Web Server Select the Web Server for which the exception is to be created.
URL/Directory Provide a URL/Directory path.
URL/Directory Properties
Select the properties to be applied on URL / Directory from following options:
Available Options:
HTTPS – Select if entry point/directory is to be accessed via an encrypted connection.
Ignore Case – Select if the entry point / directory validation should not be case sensitive.
Cyberoam Web Application Firewall Guide
Page 50 of 56
RegEx – Select if the URL / Directory is a regular expression.
Back to top
Table – Unprotected Directories
3. Filter Exception
Screen – Filter Exception
Screen Elements Description
Web Server Select the Web Server for which the exception is to be created.
URI Provide a URI path.
Form Name Specify the name of the form.
Field Name Specify the name of the field
Field Type Select the field type from the available options.
The following are the available options:
Any
Checkbox
Hidden
Radio Button
Select
Text
Text-Area
Characters Specify the characters for which the exception id to be created.
Back to top
Table – Filter Exception
Cyberoam Web Application Firewall Guide
Page 51 of 56
4. Cookie Exception
Screen – Cookie Exception
Screen Elements Description
Web Server Select the Web Server for which the exception is to be created.
URI Provide a URI path.
Field Name Specify the name of the field.
Back to top
Table – Cookie Exception
5. Form Exception
Screen – Form Exception
Screen Elements Description
Web Server Select the Web Server for which the exception is to be created.
Cyberoam Web Application Firewall Guide
Page 52 of 56
URI Provide a URI path.
Form Name Specify the name of the form.
Field Name Specify the name of the field.
Field Type Select the field type from the available options.
The following are the available options:
Any
Checkbox
Hidden
Radio Button
Select
Text
Text-Area
Characters Specify the characters for which the exception id to be created.
Back to top, Continue with Alerts
Table – Form Exception
Cyberoam Web Application Firewall Guide
Page 53 of 56
Global Settings
Global Settings are configurations that are applied on all the Web Servers by default. To alter these configuration, modify the Advanced Settings of the Web Server.
To view Global Settings, go to WAF > Global Settings > Global Settings.
Screen – Global Settings
Global Settings Parameters
Screen Elements Description
Global Settings
Hide Server Identity Click to avoid disclosing Web Server’s identity thereby
Cyberoam Web Application Firewall Guide
Page 54 of 56
preventing banner – grabbing.
By default, the server identity is hidden.
Passive Mode Click to enable passive mode for the Web Server to operate in “report-only” mode.
All the requests that are received will be forwarded on to the Web Server.
Disable the passive mode of Web Server to identify report and block malicious activities.
By default, the Web Server will not be in passive mode.
Enable JavaScript Processing
On enabling, client-side JavaScript can be interpreted to extract the Intended Use Guidelines
By default, JavaScript processing is in enable mode.
If disabled, JavaScript cannot be interpreted.
Enable Strict HTTPS On enabling, the access to HTTPS resources via an encrypted connection is enforced. HTTP resources will not be accessible.
By default, strict HTTPS is in enable mode.
If disabled, both HTTP and HTTPS resources can be accessed.
Send Client IP Header Click to send the client’s IP Address in a custom HTTP Header to the Web Server. Example: WAF-Client-IP.
By default, client IP Header will be sent to the Web Server.
Allow Incomplete URLs
Click to allow incomplete URL’s.
For example, If intended URL is “http://www.domain.com/test/”, but the user enters “http://www.domain.com/test” (no trailing slash) in their browser's address bar, both will be allowed.
By default, incomplete URL’s will not be allowed.
Enable Case-sensitive URL validation
On enabling, the URL will be validated in a case-sensitive manner.
Default - Enable
If disabled, the URL will not be validated for its case- sensitiveness.
Enable Transform Click to enable ensuring HTTP error code 500 from the Web server gets transformed into a HTTP 202 Accepted response
Cyberoam Web Application Firewall Guide
Page 55 of 56
Error 500 code.
Default – Disable
Error URLs
400 Bad Request Click to enable and provide a fully qualified URL.
If an HTTP error code 400 Bad Request occurs then it will be redirected to the provided fully qualified URL.
403 Forbidden Click to enable and provide a fully qualified URL.
If an HTTP error code 403 Forbidden occurs then it will be redirected to the provided fully qualified URL
405 Method not allowed
Click to enable and provide a fully qualified URL.
If an HTTP error code 405 Method not allowed occurs then it will be redirected to the provided fully qualified URL
Allowed HTTP Methods
HTTP Methods Specify the allowed HTTP Methods.
The HTTP methods shipped with the Appliance are POST, GET and HEAD.
Back to top
Table – Global Settings
Cyberoam Web Application Firewall Guide
Page 56 of 56
Alerts
Based on the WAF configuration, certain system-generated events trigger alerts. These alerts are reports of actions taken on the request received.
To view Alerts, go to WAF > Alerts > Alerts.
Parameters
Screen – Alerts
Screen Elements Description
Date & Time Date and Time when the alert was generated.
Action Displays action taken on the received request.
Source IP/Name Displays Source IP Address or Name of the request.
Reason Displays reason of the action taken.
Web Server Name Displays name of the Web Server.
Status Code Displays response status code of HTTP/HTTPS protocol.
Add Exception Click Add Icon to add an exception.
Table – Alerts
Add Exception
Screen Elements Description
Exception Name Provide name to exception.
Exception Type Select the Exception Type from the available options.
The available options are as follows:
1. Entry Point 2. Unprotected Directories 3. Filter Exception 4. Cookie Exception 5. Form Exception
Table – Add Exception