Add Application Protection Policy

This page describes how to add an application protection policy.

  1. Go to Device Configuration > Protect > Web Server > Protection Policies and click Add.
  2. Specify the following:
    Specify a unique name for the protection policy.
    Specify a description for the policy.
    Pass Outlook Anywhere
    Enable this to allow external Microsoft Outlook clients to access the Microsoft Exchange Server via theWeb Application Protection. Microsoft Outlook traffic will not be checked or protected by the Web Application Protection.
    Select a mode from the drop-down list:
    • Monitor: HTTP requests are monitored and logged.
    • Reject: HTTP requests are rejected.
    Cookie Signing
    Enable this to protect a web server against manipulated cookies. When the web server sets a cookie, a second cookie is added to the first cookie containing a hash built of the primary cookie's name, its value and a secret, where the secret is only known by the Web Application Protection. Thus, if a request cannot provide a correct cookie pair, there has been some sort of manipulation and the cookie will be dropped.
    Static URL Hardening
    Enable this to protect against URL rewriting. For that, when a client requests a website, all static URLs of the website are signed. The signing uses a similar procedure as with cookie signing. Additionally the response from the web server is analyzed regarding what links can be validly requested next. Moreover, static hardened URLs can furthermore be bookmarked and visited later.
    Note Static URL hardening affects all files with a HTTP content type of text/* or *xml*, where * is a wildcard. Make sure that other file types, e.g. binary files, have the correct HTTP content type, otherwise they may get corrupted by the URL hardening feature. It does not work for dynamic URLs created by client, for example: JavaScript.
    Note You can find more information about Static URL Hardening and Form Hardening under: Additional Information on Static URL Hardening and Form Hardening
    Entry URLs (only applicable if Static URL Hardening is enabled)
    Specify a URL for static URL hardening:
    Form Hardening
    Enable this to protect against web form rewriting. Form hardening saves the original structure of a web form and signs it. Therefore, if the structure of a form has changed when it is submitted the Web Application Protection rejects the request.
    Note Form hardening affects all files with a HTTP content type of text/* or *xml*, where * is a wildcard. Make sure that other file types, e.g. binary files, have the correct HTTP content type, otherwise they may get corrupted by the form hardening feature.
    Note You can find more information about static URL hardening and form hardening under: Additional Information on Static URL Hardening and Form Hardening
    Enable this to protect a web server against viruses.
    Select a mode from the available options.
    • Avira
    • Sophos
    • Dual Scan
    Select from the drop-down list whether to scan only uploads or downloads or both.
    • Uploads
    • Downloads
    • Uploads and Downloads
    Block unscannable content
    Enable this to block files that cannot be scanned. The reason for that may be, among other things, that files are encrypted or corrupt.
    Limit scan size
    Enable this to enter the scan size limit into an additional field. Provide the limitation in megabytes.
    Note Please note that the scan size limit refers to the entire upload volume, not to a single file. If, for example, you limit the scan size to 50 MB and make an upload containing multiple files (45 MB, 5 MB and 10 MB), the last file will not be scanned. Thus a virus being in the last file would not be detected due to the limitation.
    Note If you do not specify a limitation value at all, the limit scan size will be saved with '0' megabytes, which means the limitation is not active and every uploaded/downloaded file will be scanned.
    Block clients with bad reputation
    Enable this to block clients which have a bad reputation according to their classification, based on GeoIPClosed and RBLClosed information. Sophos uses the following classification providers: RBL sources:
    • Commtouch IP Reputation (
    The GeoIP source is Maxmind. The WAF blocks clients that belong to one of the following Maxmind categories:
    • A1: Anonymous proxies or VPN services used by clients to hide their IP address or their original geographical location.
    • A2: Satellite providers are ISPs that use satellites to provide Internet access to users all over the world, often from high risk countries.
    Skip remote lookups for clients with bad reputation (only applicable if Block clients with bad reputation is enabled)
    Enable to use GeoIP-based classification which uses cached information only and is therefore much faster. As reputation lookups include sending requests to remote classification providers, using reputation-based blocking may slow down your system.
    Common Threat Filter
    Enable this to protect your web servers from several threats. You can specify the threat filter categories you want to use in the Threat Filter Categories section below. All requests will be checked against the rule sets of the selected categories. Depending on the results, a notice or a warning will be shown in the live log or the request will be blocked directly.
    Rigid Filtering
    Enable this to tighten several of the selected rules. This may lead to false positives.
    Skip Filter Rules
    Some of the selected threat categories may contain rules that lead to false positives. To avoid false positives induced by a specific rule, add the rule number that you want to skip in this field.
    Protocol Violations
    Enforces adherence to the RFC standard specification of the HTTP protocol. Violating these standards usually indicates malicious intent.
    Protocol Anomalies
    Searches for common usage patterns. Lack of such patterns often indicates malicious requests. These patterns include, among other things, HTTP headers like 'Host' and 'User-Agent'.
    Request Limits
    Enforces reasonable limits on the amount and ranges of request arguments. Overloading request arguments is a typical attack vector.
    HTTP Policy
    Narrows down the allowed usage of the HTTP protocol. Web browsers typically use only a limited subset of all possible HTTP options. Disallowing the rarely-used options protects against attackers aiming at these often less well-supported options.
    Bad Robots
    Checks for usage patterns characteristic of bots and crawlers. By denying them access, possible vulnerabilities on your web servers are less likely to be discovered.
    Generic Attacks
    Searches for attempted command executions common to most attacks. After having breached a webserver, an attacker usually tries to execute commands on the server like expanding privileges or manipulating data stores. By searching for these post-breach execution attempts, attacks can be detected that might otherwise have gone unnoticed, for example because they targeted a vulnerable service by the means of legitimate access.
    SQL Injection Attacks
    Checks for embedded SQL commands and escape characters in request arguments. Most attacks on web servers target input fields that can be used to direct embedded SQL commands to the database.
    XSS Attacks
    Checks for embedded script tags and code in request arguments. Typical cross-site scripting attacks aim at injecting script code into input fields on a target web server, often in a legitimate way.
    Tight Security
    Performs tight security checks on requests, like checking for prohibited path traversal attempts.
    Checks for usage patterns characteristic of trojans, thus searching for requests indicating trojan activity. It does not, however, prevent the installation of such trojans as this is covered by the antivirus scanners.
    Prevents web servers from leaking information to the client. This includes, among other things, error messages sent by servers which attackers can use to gather sensitive information or detect specific vulnerabilities.
    Figure: Add Application Protection Policy
  3. Click Save.