Apart from the default policies, you can create customized policies. The new policy is created with default values. You can change the default values by visiting the individual sub-policy pages and changing the values.
To create a customized Security Policy:
1. From the SECURITY POLICIES > Policy Manager page, enter a name for the new policy under Create New Policy and click Add.
2. The new policy with the default values is created and added to the list of policies under Policy Overview.
3. To modify a policy, go to the desired sub-policy page and select the policy from the Policy Name drop-down list.
4. Change the value of the parameter(s) and click Save Changes to save and activate the new settings.
5. Click Delete to remove a policy. Any policy except the default policy can be removed.
By default, all services use the default policy. You can change the policy for a service as required.
To change the policy for a service
1. From the Basic > Services page, click Edit under Actions. The service page opens.
2. Select the desired policy from the Web Firewall Policy drop-down list under Basic Security.
3. Change the value of the parameter(s) and click the Save Changes button to save and activate the new setting.
Web Site Profiles
The WEBSITES > Web Site Profiles page uses the URL profiles and Parameter profiles created for a service to validate the requests coming for that service. When a new service is added, a Web Site profile is created by default and is "Off" for that service. You can modify the default settings, which overrides the default policies. If the parameter "Use Profile" is set to "Yes", then URL Profiles and Parameter Profiles must be created for validating the requests coming for that service. This follows the positive security model, which denies any request for which there is no URL or Parameter Profile.
To edit a Web Site Profile
1. Click Edit against the created Web Site Profile. The Edit Web Site Profile dialog box opens.
2. Specify values for the following fields:
• Use Profile. Select whether to use URL profiles and parameter profiles for validating the requests coming for this service.
• Domain. Enter the domain attribute of the session cookie and click Add.
• Exclude URL Patterns. Enter the list of URL patterns to exclude the URL profile validations and click Add. (Examples: *.html,*.htm,*.jpg, *.gif,*.css,*.js).
• Include URL Patterns. Enter the list of URL patterns to be included in the URL profile validations even if they are listed in the "Exclude URL Patterns" parameter, and click Add.
• State. Select the state of the Web Site profile for this service from the drop-down list.
• Session Cookie Domain. Enter the cookie domain to be used to allow the browser to send the cookie back to the Barracuda Web Site Firewall.
• Session Cookie Timeout. Enter the time-out for the session cookie after a successful login. 0 indicates no time-out; the session lives forever.
3. Click Save Changes to save the above settings.
URL profile
URL Profiles are used to validate the requests coming to the service as per the settings in parameter "State" in the Web Site Profile. You can create many URL profiles for a service.
To add a URL Profile
1. Click Add URL Profile against the created Web Site Profile. The Create URL Profile dialog box opens.
2. Specify values for the following fields:
• URL Profile Name. Enter the name for this URL profile.
• Status. Select whether to enable this URL profile.
• URL Match. Enter the matching criterion for the URL field in the Request Header. The URL should start with a "/" and can have only one "*" anywhere in the URL. A value of /* means that the ACL applies to all URLs in that domain.
• Extended Match. Enter an expression that consists of a combination of HTTP headers and/or query string parameters. Use '*' to denote "any request", that is, do not apply the Extended Match condition. For more on how to write extended match expressions, refer to Extended Match and Condition Expressions on page 107.
• Extended Match Sequence. Enter an order for matching the extended match rule when a request matches multiple rules with the same Host Match and URL Match.
• State. Select the state for this URL profile from the drop-down list. It can be either "Active" or "Passive".
Customized Security for Websites 61
• Allow Content Types. Enter the list of allowable content-types in the POST body for a URL.
• Hidden Parameter Protection. Select the protection for hidden parameters in the forms and URLs from the drop-down list.
• CSRF Prevention. Select the cross-site request forgery prevention for the forms and URLs from the drop-down list. This CSRF protection is not applicable when there is no parameter profile.
• Max Parameter Name Length. Enter the maximum length of the parameter name.
• Max Upload Files. Enter the maximum number of files of file-upload type that can be in one request.
3. Click Add to add the above configurations.
4. Click Edit against the created URL Profile to modify the settings.
5. Click Delete against the created URL Profile to delete it.
Parameter profile
Parameter Profiles are used to validate the requests coming for this service as per the settings for the parameter "State" under the URL profile. You can create many parameter profiles for a service.
To add a Parameter Profile
1. Click Add Param Profile against the created Web Site Profile. The Create Parameter Profile dialog box opens.
2. Specify values for the following fields:
• Parameter Profile Name. Enter the name for this parameter profile.
• Status. Select whether to enable or disable this parameter profile.
• Parameter. Enter the name of the parameter expected in the requests. No-name parameter (&noname-param) is also supported. Parameter names with special characters like &pathinfo and &sessionid and the wildcard (*) should be specified manually.
• Type. Select the type of parameter to be validated in the requests from the drop-down list.
• Values. Enter a fixed set of strings to match against the parameter's value, if the parameter "Type" is set to "Global Choice".
• Parameter Class. Select the parameter class to be used from the drop-down list.
• Custom Parameter Class. Select the customized parameter class to be used from the drop-down list, if the parameter "Parameter Class" is set to "<Custom>". Refer to Creating Custom Parameter Class on page 92 for more information.
• Max Value Length. Enter the maximum allowable length for the value of the parameter.
• Required. Select whether this parameter must always be present in the request, or whether it can be skipped.
• Ignore. Select whether to ignore this parameter completely, that is, not to validate the value of this parameter at all.
• Max Instances. Enter the maximum number of times this parameter is allowed.
• File Upload Extensions. Enter the list of extensions that are allowed in file uploads. '.' is a special extension which indicates no extension, and * indicates any extension is allowed.
3. Click Add to add the above configurations.
4. Click Edit against the created Parameter Profile to modify the settings.
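The Web Site Profile, URL Profile and Parameter Profile sections above describe a positive security model: a request is allowed only when a URL profile matches its path and every parameter fits a parameter profile. The following is an added illustration written for this page, not Barracuda's code; it models a subset of the fields described (URL Match with its single "*", Exclude/Include URL Patterns, Required, Max Instances, Max Value Length and File Upload Extensions with "." meaning no extension) so the matching rules can be tried on constructed requests. Field names, class names and the violation strings are assumptions of the example.

```python
import fnmatch
from dataclasses import dataclass, field

@dataclass
class ParamProfile:               # subset of the Parameter Profile fields on the page
    name: str
    max_value_length: int = 256
    required: bool = False
    max_instances: int = 1
    upload_extensions: tuple = ()  # File Upload Extensions: '.' = no extension, '*' = any

@dataclass
class UrlProfile:                 # subset of the URL Profile fields on the page
    url_match: str                # URL Match: starts with '/', at most one '*'
    params: dict = field(default_factory=dict)   # name -> ParamProfile
    def __post_init__(self):
        if not self.url_match.startswith("/") or self.url_match.count("*") > 1:
            raise ValueError("bad URL Match: " + self.url_match)

def url_matches(pattern, path):
    if "*" not in pattern:
        return pattern == path
    head, tail = pattern.split("*")  # '/*' matches every URL of the service
    return path.startswith(head) and path.endswith(tail) and len(path) >= len(head) + len(tail)

def ext_allowed(filename, allowed):
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    return "*" in allowed or (ext == "" and "." in allowed) or ext in allowed

def validate(profiles, exclude, include, path, params, uploads=()):
    """Violations for one request (empty = allowed); params: {name: [values]}, uploads: [(param, filename)]."""
    skipped = any(fnmatch.fnmatch(path, p) for p in exclude)        # Exclude URL Patterns
    if skipped and not any(fnmatch.fnmatch(path, p) for p in include):  # ...unless Included
        return []
    prof = next((p for p in profiles if url_matches(p.url_match, path)), None)
    if prof is None:              # positive security model: no URL profile, request denied
        return ["no URL profile for " + path]
    bad = []
    for name, values in params.items():
        pp = prof.params.get(name)
        if pp is None:            # a parameter without a profile is denied too
            bad.append("unknown parameter " + name)
        elif len(values) > pp.max_instances:
            bad.append("too many instances of " + name)
        elif any(len(v) > pp.max_value_length for v in values):
            bad.append("value too long for " + name)
    bad += ["missing required " + pp.name for pp in prof.params.values()
            if pp.required and pp.name not in params]
    bad += ["upload not allowed for " + n for n, f in uploads if n not in prof.params
            or not ext_allowed(f, prof.params[n].upload_extensions)]
    return bad
```

A request for a path that only matches an Exclude pattern passes through unvalidated, which is why the Include list exists: it pulls specific paths back under profile validation.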