Table of Contents

About the Documentation
Documentation and Release Notes
Documentation Conventions
Documentation Feedback
Requesting Technical Support
WebApp Secure Administration
Overview
WebApp Secure Overview
Methodology
Features and Benefits
Key Components
Anatomy and Flow of an HTTP Request / Response
Limitations
Deployment
Appliance Deployment Overview
Placement Between Firewall and Web Servers
Options for Load-Balanced Environments
SSL Traffic Considerations
EC2 Deployment
Deploying Using the Command Line
Deploying Using the Web Interface
Assigning the Instance and IP Using the CLI
Assigning the Instance and IP Using the Web Interface
Verify the Instance is Running
Clustering Overview
High Availability Overview
Installing the Appliance
WebApp Secure Appliance Terminology
First Time Configuration
Initial Appliance Configuration
Changing the Password
Resetting the Password
Configure Network Interfaces
Set the Hostname
Set DNS
Initializing the System
Verify Connectivity
Install the License
Configuring High Availability
High Availability Settings
Configuring Clustering
Performing Initial Updates
Updating the Cluster
About the Configuration Wizard
Using the Configuration Wizard
Using WebApp Secure with Third-Party Load Balancer
Verify the Installation
Configuring WebApp Secure
Web Interface Configuration Overview
Edit Web UI User Preferences
View Online Help and Product Documentation from the Web UI
Basic Configuration Mode
Expert Configuration Mode
Import/Export (Web UI)
Security Engine Configuration
Configure Support for Akamai Dynamic Site Accelerator
Security Engine Incident Monitoring
Security Engine Server Identity and Cloaking
Security Engine Traffic
Security Engine Whitelist Settings
Proxy/Backends
Applications Overview
Create a New Application
Edit Applications
Application Patterns
Application Backend Overrides
Enable SSL to the Client
Pages
NTP Service
Alert Service
Integration with SRX Series Overview
Filters and Terms Configuration Summary for SRX Series Integration
Creating SRX Series Filters and Terms
Configure the SRX Series Integration
Testing the SRX Series Integration Configuration
Role-Based Administrator Access Control
Configuring Role-Based Access Control
Managing the Appliance
Overview
Navigating the CLI
The CLI: The Set Command
The CLI: General and Base Commands
The CLI: Configuration Level Commands
The CLI: System Level Commands
CLI: Config Example
CLI: Config: Setting a Configuration Parameter
CLI: Config: Initializing the Configuration
CLI: Config: Import/Export
CLI: Config: Configure a Proxy Exclusion
System Updates
Statistics
High Availability Network Failure Detection, Actions, and Monitoring
Unblock Web UI Login Ban
Health Check URL
Self-Monitoring
Self-Monitoring Configuration Variables
Managing and Viewing Logs
Log File Destination
Backup and Recovery Overview
Database Backup and Restore
About Security Intelligence
Enable the Spotlight Connector Service
Spotlight Connector Session Cookies and Locations
About Spotlight Secure
Enable Spotlight Secure
The Processors
Processors Overview
Complexity Rating Definitions
Session Cookie Spoofing
Session Cookie Tampering
Hostname Spoofing Attempt
Security Processors
Honeypot Processors: Access Policy Processor
Honeypot Processors: Access Policy Processor: Incidents - Malicious Service Call
Honeypot Processors: Access Policy Processor: Incidents - Service Directory Indexing
Honeypot Processors: Access Policy Processor: Incidents - Service Directory Spider
Honeypot Processors: AJAX Processor
Honeypot Processors: AJAX Processor: Incidents - Malicious Script Execution
Honeypot Processors: AJAX Processor: Incidents - Malicious Script Introspection
Honeypot Processors: Basic Authentication Processor
Honeypot Processors: Basic Authentication Processor: Incidents - Apache Configuration Requested
Honeypot Processors: Basic Authentication Processor: Incidents - Apache Password File Requested
Honeypot Processors: Basic Authentication Processor: Incidents - Invalid Credentials
Honeypot Processors: Basic Authentication Processor: Incidents - Protected Resource Requested
Honeypot Processors: Basic Authentication Processor: Incidents - Password Cracked
Honeypot Processors: Basic Authentication Processor: Incidents - Basic Authentication Brute Force
Honeypot Processors: Cookie Processor
Honeypot Processors: Cookie Processor: Incident - Cookie Parameter Manipulation
Honeypot Processors: File Processor
Honeypot Processors: File Processor: Incident - Suspicious Filename
Honeypot Processors: File Processor: Incident - Suspicious File Exposed
Honeypot Processors: File Processor: Incident - Suspicious Resource Enumeration
Honeypot Processors: Hidden Input Form Processor
Honeypot Processors: Hidden Input Form Processor: Incident - Hidden Parameter Manipulation
Honeypot Processors: Hidden Input Form Processor: Incident - Parameter Type Manipulation
Honeypot Processors: Hidden Link Processor
Honeypot Processors: Hidden Link Processor: Incident - Link Directory Indexing
Honeypot Processors: Hidden Link Processor: Incident - Link Directory Spidering
Honeypot Processors: Hidden Link Processor: Incident - Malicious Resource Request
Honeypot Processors: Query String Processor
Honeypot Processors: Query String Processor: Incident - Query Parameter Manipulation
Honeypot Processors: Robots Processor
Honeypot Processors: Robot Processor: Incident - Malicious Spider Activity
Activity Processors
Activity Processors: Custom Authentication Processor: Incident - Auth Input Parameter Tampering
Activity Processors: Custom Authentication Processor: Incident - Auth Query Parameter Tampering
Activity Processors: Custom Authentication Processor: Incident - Auth Cookie Tampering
Activity Processors: Custom Authentication Processor: Incident - Authentication Brute Force
Activity Processors: Custom Authentication Processor: Incident - Auth Invalid Login
Activity Processors: Cookie Protection Processor
Activity Processors: Cookie Protection Processor: Incident - Application Cookie Manipulation
Activity Processors: Error Processor
Activity Processors: Error Processor: Incident - Illegal Response Status
Activity Processors: Error Processor: Incident - Suspicious Response Status
Activity Processors: Error Processor: Incident - Unexpected Response Status
Activity Processors: Error Processor: Incident - Unknown Common Directory Requested
Activity Processors: Error Processor: Incident - Unknown User Directory Requested
Activity Processors: Error Processor: Incident - Common Directory Enumeration
Activity Processors: Error Processor: Incident - User Directory Enumeration
Activity Processors: Error Processor: Incident - Resource Enumeration
Activity Processors: Header Processor
Activity Processors: Header Processor: Incident - Duplicate Request Header
Activity Processors: Header Processor: Incident - Duplicate Response Header
Activity Processors: Header Processor: Incident - Illegal Request Header
Activity Processors: Header Processor: Incident - Illegal Response Header
Activity Processors: Header Processor: Incident - Missing All Headers
Activity Processors: Header Processor: Incident - Missing Host Header
Activity Processors: Header Processor: Incident - Missing Request Header
Activity Processors: Header Processor: Incident - Missing Response Header
Activity Processors: Header Processor: Incident - Missing User Agent Header
Activity Processors: Header Processor: Incident - Request Header Overflow
Activity Processors: Header Processor: Incident - Unexpected Request Header
Activity Processors: Method Processor
Activity Processors: Method Processor: Incident - Illegal Method Requested
Activity Processors: Method Processor: Incident - Unexpected Method Requested
Activity Processors: Method Processor: Incident - Missing HTTP Protocol
Activity Processors: Method Processor: Incident - Unknown HTTP Protocol
Tracking Processors: Etag Beacon Processor
Tracking Processors: Etag Beacon Processor: Incident - Session Etag Spoofing
Tracking Processors: Client Beacon Processor
Tracking Processors: Client Beacon Processor: Incident - Beacon Parameter Tampering
Tracking Processors: Client Beacon Processor: Incident - Beacon Session Tampering
Tracking Processors: Client Fingerprint Processor
Tracking Processors: Client Fingerprint Processor: Incident - Fingerprint Directory Indexing
Tracking Processors: Client Fingerprint Processor: Incident - Fingerprint Directory Probing
Tracking Processors: Client Fingerprint Processor: Incident - Fingerprint Manipulation
Tracking Processors: Client Classification Processor
Response Processors
Response Processors: Block Processor
Response Processors: Request Captcha Processor
Response Processors: Request Captcha Processor: Incident - Captcha Answer Automation
Response Processors: Request Captcha Processor: Incident - No Captcha Answer Provided
Response Processors: Request Captcha Processor: Incident - Multiple Captcha Request Overflow
Response Processors: Request Captcha Processor: Incident - Unsupported Audio Captcha Requested
Response Processors: Request Captcha Processor: Incident - Bad Captcha Answer
Response Processors: Request Captcha Processor: Incident - Mismatched Captcha Session
Response Processors: Request Captcha Processor: Incident - Expired Captcha Request
Response Processors: Request Captcha Processor: Incident - Captcha Request Tampering
Response Processors: Request Captcha Processor: Incident - Captcha Signature Tampering
Response Processors: Request Captcha Processor: Incident - Captcha Signature Spoofing
Response Processors: Request Captcha Processor: Incident - Captcha Cookie Manipulation
Response Processors: Request Captcha Processor: Incident - Captcha Image Probing
Response Processors: Request Captcha Processor: Incident - Captcha Request Size Limit Exceeded
Response Processors: Request Captcha Processor: Incident - Captcha Disallowed MultiPart
Response Processors: Request Captcha Processor: Incident - Captcha Directory Indexing
Response Processors: Request Captcha Processor: Incident - Captcha Directory Probing
Response Processors: Request Captcha Processor: Incident - Captcha Parameter Manipulation
Response Processors: Request Captcha Processor: Incident - Captcha Request Replay Attack
Response Processors: Request Captcha Processor: Incident - Multiple Captcha Replays
Response Processors: Request Captcha Processor: Incident - Multiple Captcha Disallow Multipart
Response Processors: Request Captcha Processor: Incident - Multiple Captcha Parameter Manipulation
Response Processors: CSRF Processor
Response Processors: CSRF Processor: Incident - CSRF Parameter Tampering
Response Processors: CSRF Processor: Incident - Multiple CSRF Parameter Tampering
Response Processors: CSRF Processor: Incident - CSRF Remote Script Inclusion
Response Processors: CSRF Processor: Incident - HTTP Referers Disabled
Response Processors: Header Injection Processor
Response Processors: Force Logout Processor
Response Processors: Strip Inputs Processor
Response Processors: Slow Connection Processor
Response Processors: Warning Processor
Response Processors: Warning Processor: Incident - Warning Code Tampering
Response Processors: Application Vulnerability Processor
Response Processors: Application Vulnerability Processor: Incident - App Vulnerability Detected
Response Processors: Support Processor
Response Processors: Cloppy Processor
Response Processors: Login Processor
Response Processors: Login Processor: Incident - Site Login Invalid
Response Processors: Login Processor: Incident - Site Login Multiple IP
Response Processors: Login Processor: Incident - Site Login Multiple Usernames
Response Processors: Login Processor: Incident - Site Login User Sharing
Response Processors: Login Processor: Incident - Site Login User Pooling
Response Processors: Login Processor: Incident - Site Login User Brute Force
Response Processors: Login Processor: Incident - Site Login Brute Force
Response Processors: Login Processor: Incident - Site Login Username Scan
Response Processors: Google Map Processor
Response Rule Configuration
Response Overview
Using the Editor
List Of Incident Methods
Reporting
Reporting Overview
Information for Report Types
Scheduling a Report Overview
Schedule a Report
Report History
Report Details
Report Types
Using the Web UI
Web UI Overview
The Dashboard
Attackers
Attacker Profile Page
Incidents
Incident Details
Counter Responses
Sessions
Session Details
Search
Reports
Configuration
System Status
Updates
Appendices
CAPTCHA Template
Log Formats
Access Log Format
Security Log Format
Audit Log Format
Firewall Log Format
Postgres Log Format
mws Log Format
RBAC Groups and Roles
Index