What's New in This Document

The Script Handler improvements, together with the new script editor and script library, provide intuitive and improved support for Python scripts, allowing you to enhance and expand the functionality of vWAF. The script editor lets you create scripts with various parts (Init, Request and Response), providing syntax checking as you create each script. The script library allows you to manage scripts, per application. You enable the required scripts using the Script Handler. See Implementing Python Scripts

The Admin Server Configuration page allows you to configure the options: HTTP Proxy details (if vWAF uses a proxy), SMTP Mail (to specify the email settings used for sending alerts and reports), and Audit Log configuration (if you have a requirement to send a copy of the vWAF audit log to a specified location such as a central log server). Previously, it was necessary to configure these options using the conf file.

See Admin Server Configuration.

The tool enables you to make and restore backups of your configuration from the command line. The most recent updates to the tool allow you to restore a previous version of vWAF (any version of vWAF database).

See Backup/Restore.

The Cross Origin Resource Sharing (CORS) Handler checks and verifies, based on the handler attributes and rules, whether to grant browser cross origin access to resources protected by vWAF. You configure vWAF to respond to Cross Origin Resource Sharing requests and grant or deny access to resources.

See Cross Origin Resource Sharing Handler

Baseline Protection is improved through enhancements to the Baseline Protection Wizard and Baseline Protection Handler. In addition to values and keys, the Baseline Protection Handler can now also check URL parameters. You can also define keys, headers and arguments to be excluded from your baseline protection rules. Additionally, within the Baseline Protection Handler you can view the inheritance for individual rules (previously, the inheritance value was for the collective set of rules, rather than individual rules). The wizard and handler enhancements streamline configuration of baseline protection.

See Baseline Protection Wizard and Baseline Protection Handler.

The Response Header Security Handler enforces client-side response header security features including X-Fame-Options, X-Content-Type-Options, XSS Protection and Content Security Policy options. These features improve client-side security and prevent attacks such as cross site scripting, attacks based on browser MIME-type vulnerabilities, and embedding content in frames within untrusted and potentially malicious sites.

See Response Header Security Wizard and Response Header Security Handler.

Global IP blacklisting provides a means to temporarily block all traffic for specific IP addresses or specific ranges of IP addresses. The IP Blacklist Wizard guides you through the set-up process, ensuring efficient and accurate configuration of IP blacklisting. The wizard eliminates the complexity and potential issues of configuring IP blacklisting manually. See IP Blacklist Wizard

A new mechanism called application mapping makes vWAF more flexible. In particular, it is now possible to apply different rulesets on the same host. Also it is now possible to set up a “catch-all” application. In many cases, the new mapping makes configuration easier and also increases the performance of vWAF, especially when applying configuration changes. To configure application mapping, a new item labeled Application Mapping has been added to the navigation area. See Application Mapping, Paths, Preconditions.

Application mapping has introduced a new mapping layer, which is now called “prefixes”. What was called a prefix before is now called a “path”. See Application Mapping, Paths, Preconditions and Editing Paths.

You can no longer export the configurations of single paths (formerly prefixes) and handlers individually, but now you can export and import complete rulesets. This makes migration from one system to another much easier. Also you can now export and import application mappings plus event destination groups. See Export and Import.

Application-specific log files provide detailed information why vWAF denied a request. Sometimes, however, you may want to retrieve even more detailed information. When you enable the new “full request logging” feature, vWAF now logs the complete request header and the complete request body (up to a configurable size). You can later download the request headers and raw body data for further analysis. See Global Configuration, Editing Applications, and Log Files.

When viewing the log files, you can now change the width of the columns, and you can hide single columns completely. Also the table header now stays in place when you scroll down. See Log Files.

You can now reset individual handler and precondition attributes to their inherited values. For this purpose, when editing a handler or a precondition, a new option labeled 'reset values' appears in the Inheritance column. See Editing Handlers and Editing Preconditions.

You can now access the LXML etree module from your scripts, which enables you to validate XML documents against a given XML DTD / XML Schema. See Accessible Python Modules and Functions.

The performance of the ICAP Client Handler has been significantly improved. Some rarely needed attributes that slowed this handler down have been removed: The handler now always performs request handling, so the former attribute filter request is no longer needed. The ability to handle responses and the corresponding attribute filter response handler have also been dropped. See ICAP Client Handler.

The optional attributes 'use domain cookie' and 'cookie application share' no longer exist. These settings are not compatible with the newly introduced application mapping feature. See Session Handler and Application Mapping, Paths, Preconditions.

The data collected by the Suggest Rules Wizard is now stored in a separate database for each application rather than in one big database for all applications. The size of these databases has been limited so that if you forget to disable learning mode, no database can grow so big that it causes performance issues. Within the status display of the administration interface, there is a new section labeled Application Status. While vWAF is in learning mode, you see a corresponding message here. A warning appears if the database has grown too big, and you can then terminate or reset learning mode. See Suggest Rules Wizard and Layout of the Administration Interface.

The new Url Selector can be used to further restrict the URLs of a path. See Url Selector.

Some new functions have been added to the REST interface. In particular, there is now a REST interface for the new application mapping feature. This also caused some changes to the Applications REST interface, where hosts and customer_key are no longer included in the data. See REST Interface.

You can now use an empty username plus the cluster password for authentication when using the REST interface on localhost. You no longer need to set up an extra user profile just for this purpose. See Using the REST Interface.

vWAF now supports IIS 8. When installing vWAF, vWAF detects IIS 8 automatically and installs the appropriate enforcer.

If you are using IIS 7 or IIS 8, vWAF installs both a 32-bit version and a 64-bit version of the enforcer so that 32-bit as well as 64-bit application pools can be handled.

With large installations, the administration master can be a performance bottleneck for user interface operations. To improve performance, you can now enable multi-CPU mode for the administration server. See System Configuration, attribute adminMasterXMLuseMultiCPU.

You can now use custom configuration files instead of the default zeusafm.conf and updater.conf files. You can even split your settings and have multiple configuration files in parallel. See Installation.