11. Allow/Deny Rules for URLs
• Control access to certain portions of the Web Application based on a set of matching criteria
• Without changing any configuration on the Web Application itself
• Extended match can be used
• Configurable actions are the same as global ACLs
• 4.4 – Allow/Deny Rules
[Diagram: Access Control in front of a Web Application with Public, Private and Payments areas]
18. Website Profiles Overview
• Specific rules to fine-tune the security settings of a service
• URL profiles
• Parameters profiles
[Diagram: a request to /cgi-bin/reg.cgi carrying the values "Tommy" and "Reed" passes through the WAF, which checks it against the URL profile and the parameters profile before it reaches the application server.]
URL Profile: /cgi-bin/reg.cgi
Parameters Profile
First Name
• Input Field
• Type Alpha
• Max Char 16
Last Name
• Input Field
• Type Alpha
• Max Char 16
• 4.5 – Website Profiles
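The URL profile and parameters profile above, enforced as an allow-list. This is an added example, not the WAF's own code; the field names `first_name` and `last_name`, the profile layout and the ASCII-only reading of "Alpha" are assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed profile modelled on the slide; field names and the meaning of
# "Alpha" (ASCII letters only) are assumptions, not product behaviour.
PROFILE = {
    "/cgi-bin/reg.cgi": {
        "first_name": {"type": "alpha", "max_len": 16},
        "last_name": {"type": "alpha", "max_len": 16},
    }
}

TYPE_CHECKS = {"alpha": lambda v: v.isascii() and v.isalpha()}


def check_request(target, body=""):
    """Return (allowed, reasons) for a request target and form-encoded body."""
    parts = urlsplit(target)
    params = PROFILE.get(parts.path)
    if params is None:
        return False, [f"no URL profile for {parts.path}"]
    reasons, seen = [], set()
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    for name, value in pairs:
        rule = params.get(name)
        if rule is None:
            reasons.append(f"unprofiled parameter {name!r}")
            continue
        if name in seen:
            # Reject duplicates: the filter and the application may pick
            # different copies of the same parameter.
            reasons.append(f"repeated parameter {name!r}")
        seen.add(name)
        if len(value) > rule["max_len"]:
            reasons.append(f"{name!r} longer than {rule['max_len']} chars")
        if not TYPE_CHECKS[rule["type"]](value):
            reasons.append(f"{name!r} is not type {rule['type']}")
    return not reasons, reasons


if __name__ == "__main__":
    # Constructed sample requests.
    for target, body in [
        ("/cgi-bin/reg.cgi", "first_name=Tommy&last_name=Reed"),
        ("/cgi-bin/reg.cgi", "first_name=Tommy&last_name=Reed1"),
        ("/cgi-bin/admin.cgi", ""),
    ]:
        print(target, body, check_request(target, body))
```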
22. Adaptive Profiling
• Automatically learns the structure of a Web Application
• Based on requests and/or responses
• Available on model 660+
• Creates the website profile based on the learned structure
• 4.5 – Website Profiles
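[Diagram: requests to /cgi-bin/reg.cgi carrying the values "Tommy" and "Reed" pass through the WAF to the application server, and the responses pass back through the WAF; the WAF builds the URL profile and the parameters profile.]
URL Profile: /cgi-bin/reg.cgi
Parameters Profile
First Name
• Input Field
• Type Alpha
Last Name
• …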