What's New in This Document

This section provides a summary of the information added to the guide for each major vWAF release.

Major changes for version 4.10

Feature | Description of changes

Python 3 Upgrade

The Application Firewall has been rewritten in Python 3.

Major changes for version 4.9

Feature | Description of changes

Script Handler and improved Python script support

The Script Handler improvements, together with the new script editor and script library, provide intuitive and improved support for Python scripts, allowing you to enhance and expand the functionality of vWAF. The script editor lets you create scripts with various parts (Init, Request and Response), providing syntax checking as you create each script. The script library allows you to manage scripts, per application. You enable the required scripts using the Script Handler. See Implementing Python Scripts.

Admin Server Configuration

The Admin Server Configuration page allows you to configure the options: HTTP Proxy details (if vWAF uses a proxy), SMTP Mail (to specify the email settings used for sending alerts and reports), and Audit Log configuration (if you have a requirement to send a copy of the vWAF audit log to a specified location such as a central log server). Previously, it was necessary to configure these options using the conf file.

See Admin Server Configuration.

New Backup/Restore tool

The tool enables you to make and restore backups of your configuration from the command line. The most recent updates to the tool allow you to restore a previous version of vWAF (any version of vWAF database).

See Backup/Restore.

Cross Origin Resource Sharing (CORS) Handler

The Cross Origin Resource Sharing (CORS) Handler checks and verifies, based on the handler attributes and rules, whether to grant browser cross origin access to resources protected by vWAF. You configure vWAF to respond to Cross Origin Resource Sharing requests and grant or deny access to resources.

See Cross Origin Resource Sharing Handler.
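The kind of allow-list decision a CORS handler makes, as an added example written for this page (it is not vWAF code and does not use the handler's real attribute names). The origins, methods and headers in the policy are constructed sample values; the point shown is that the handler echoes an Origin only after matching it exactly against the allow-list, handles the OPTIONS preflight separately, and never reflects an arbitrary Origin back to the browser:

```python
"""Added example (not vWAF code): allow-list based CORS decision with preflight handling."""
from urllib.parse import urlsplit

# Constructed policy: exact origins only; wildcard reflection is deliberately unsupported.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
ALLOWED_METHODS = {"GET", "POST", "PUT"}
ALLOWED_HEADERS = {"content-type", "authorization"}
ALLOW_CREDENTIALS = True
MAX_AGE_SECONDS = 600


def _origin_is_allowed(origin):
    """Accept only a well-formed scheme://host[:port] that is on the allow-list."""
    if not origin or origin == "null":          # opaque origins (sandboxed frames, file://) are rejected
        return False
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc or parts.path:
        return False
    return origin in ALLOWED_ORIGINS


def cors_decision(method, headers):
    """Return (allowed, response_headers) for one request.

    headers: dict of lower-cased request header names to values.
    Requests without an Origin header are same-origin and pass through untouched.
    """
    origin = headers.get("origin")
    if origin is None:
        return True, {}
    if not _origin_is_allowed(origin):
        return False, {}

    resp = {
        "Access-Control-Allow-Origin": origin,   # echo only a value that matched the allow-list
        "Vary": "Origin",                         # shared caches must not reuse this across origins
    }
    if ALLOW_CREDENTIALS:
        resp["Access-Control-Allow-Credentials"] = "true"

    # Preflight: OPTIONS carrying Access-Control-Request-Method
    req_method = headers.get("access-control-request-method")
    if method.upper() == "OPTIONS" and req_method is not None:
        if req_method.upper() not in ALLOWED_METHODS:
            return False, {}
        requested = headers.get("access-control-request-headers", "")
        req_headers = [h.strip().lower() for h in requested.split(",") if h.strip()]
        if any(h not in ALLOWED_HEADERS for h in req_headers):
            return False, {}
        resp["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
        resp["Access-Control-Allow-Headers"] = ", ".join(sorted(ALLOWED_HEADERS))
        resp["Access-Control-Max-Age"] = str(MAX_AGE_SECONDS)
        return True, resp

    # Actual cross-origin request: the method itself must also be permitted
    if method.upper() not in ALLOWED_METHODS:
        return False, {}
    return True, resp


if __name__ == "__main__":
    print(cors_decision("GET", {"origin": "https://app.example.com"}))
    print(cors_decision("GET", {"origin": "https://evil.example.net"}))
```

The `Vary: Origin` header matters whenever the allowed origin is echoed rather than fixed: without it an intermediate cache could serve a response carrying one origin's `Access-Control-Allow-Origin` to a different origin.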

Baseline Protection improvements

Baseline Protection is improved through enhancements to the Baseline Protection Wizard and Baseline Protection Handler. In addition to values and keys, the Baseline Protection Handler can now also check URL parameters. You can also define keys, headers and arguments to be excluded from your baseline protection rules. Additionally, within the Baseline Protection Handler you can view the inheritance for individual rules (previously, the inheritance value was for the collective set of rules, rather than individual rules). The wizard and handler enhancements streamline configuration of baseline protection.

See Baseline Protection Wizard and Baseline Protection Handler.

Response Header Security Wizard and Handler

The Response Header Security Handler enforces client-side response header security features including X-Frame-Options, X-Content-Type-Options, XSS Protection and Content Security Policy options. These features improve client-side security and prevent attacks such as cross site scripting, attacks based on browser MIME-type vulnerabilities, and embedding content in frames within untrusted and potentially malicious sites.

See Response Header Security Wizard and Response Header Security Handler.
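What enforcing and auditing those headers looks like in code, as an added example (not vWAF code; the handler's actual attribute names and defaults are not shown here). The policy values are constructed defaults a practitioner might choose; `enforce_security_headers` adds the headers to a response the application did not protect, and `audit_security_headers` reports which headers in a captured response are missing or set to a value that provides no protection:

```python
"""Added example (not vWAF code): enforce and audit client-side security response headers."""

# Constructed policy: header name -> value set when the application does not supply one
SECURITY_HEADERS = {
    "X-Frame-Options": "DENY",                       # page may not be framed (clickjacking)
    "X-Content-Type-Options": "nosniff",             # browser must not sniff the MIME type
    "X-XSS-Protection": "1; mode=block",             # legacy browser XSS filter, blocking mode
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'; object-src 'none'",
}

# Values that are present but do not actually protect the client
WEAK_VALUES = {
    "X-Frame-Options": {"ALLOWALL", ""},
    "X-Content-Type-Options": {""},
    "X-XSS-Protection": {"0", ""},
}


def _canon(headers):
    """Lower-case header names for case-insensitive comparison."""
    return {k.strip().lower(): v.strip() for k, v in headers.items()}


def enforce_security_headers(headers, overwrite=False):
    """Return a copy of `headers` with the policy headers added.

    With overwrite=False an application-supplied value is kept (a page that must be
    framed by its own site may legitimately send SAMEORIGIN); with overwrite=True the
    policy value replaces it, including any differently-cased duplicate.
    """
    out = dict(headers)
    for name, value in SECURITY_HEADERS.items():
        existing = [k for k in out if k.lower() == name.lower()]
        if existing and not overwrite:
            continue
        for k in existing:
            del out[k]
        out[name] = value
    return out


def audit_security_headers(headers):
    """Return a sorted list of findings ('missing: ...' / 'weak: ...') for a response."""
    got = _canon(headers)
    findings = []
    for name in SECURITY_HEADERS:
        val = got.get(name.lower())
        weak = {w.upper() for w in WEAK_VALUES.get(name, set())}
        if val is None:
            findings.append(f"missing: {name}")
        elif val.upper() in weak:
            findings.append(f"weak: {name}={val!r}")
    csp = got.get("content-security-policy", "")
    if "script-src" in csp and "'unsafe-inline'" in csp:
        findings.append("weak: Content-Security-Policy allows inline scripts")
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample: an application response with one weak header and the rest missing
    sample = {"Content-Type": "text/html", "x-frame-options": "ALLOWALL"}
    for finding in audit_security_headers(sample):
        print(finding)
    print(enforce_security_headers(sample, overwrite=True))
```

Running the audit over responses captured from the application before enabling the handler shows which pages rely on the WAF for these headers and which already set their own, which decides whether the overwrite behaviour is wanted.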

IP Blacklist Wizard

Global IP blacklisting provides a means to temporarily block all traffic for specific IP addresses or specific ranges of IP addresses. The IP Blacklist Wizard guides you through the set-up process, ensuring efficient and accurate configuration of IP blacklisting. The wizard eliminates the complexity and potential issues of configuring IP blacklisting manually. See IP Blacklist Wizard.

Application mapping

A new mechanism called application mapping makes vWAF more flexible. In particular, it is now possible to apply different rulesets on the same host. Also it is now possible to set up a “catch-all” application. In many cases, the new mapping makes configuration easier and also increases the performance of vWAF, especially when applying configuration changes. To configure application mapping, a new item labeled Application Mapping has been added to the navigation area. See Application Mapping, Paths, Preconditions.

New prefixes—old prefixes now called paths

Application mapping has introduced a new mapping layer, which is now called “prefixes”. What was called a prefix before is now called a “path”. See Application Mapping, Paths, Preconditions and Editing Paths.

Export and import of complete rulesets

You can no longer export the configurations of single paths (formerly prefixes) and handlers individually, but now you can export and import complete rulesets. This makes migration from one system to another much easier. Also you can now export and import application mappings plus event destination groups. See Export and Import.

Full request logging

Application-specific log files provide detailed information why vWAF denied a request. Sometimes, however, you may want to retrieve even more detailed information. When you enable the new “full request logging” feature, vWAF now logs the complete request header and the complete request body (up to a configurable size). You can later download the request headers and raw body data for further analysis. See Global Configuration, Editing Applications, and Log Files.

Log file viewer enhanced

When viewing the log files, you can now change the width of the columns, and you can hide single columns completely. Also the table header now stays in place when you scroll down. See Log Files.

Option to reset handler and precondition attributes to their inherited values

You can now reset individual handler and precondition attributes to their inherited values. For this purpose, when editing a handler or a precondition, a new option labeled 'reset values' appears in the Inheritance column. See Editing Handlers and Editing Preconditions.

Script Handler can validate XML

You can now access the LXML etree module from your scripts, which enables you to validate XML documents against a given XML DTD / XML Schema. See Accessible Python Modules and Functions.

ICAP Client Handler improved

The performance of the ICAP Client Handler has been significantly improved. Some rarely needed attributes that slowed this handler down have been removed: The handler now always performs request handling, so the former attribute filter request is no longer needed. The ability to handle responses and the corresponding attribute filter response handler have also been dropped. See ICAP Client Handler.

Session Handler attributes removed

The optional attributes 'use domain cookie' and 'cookie application share' no longer exist. These settings are not compatible with the newly introduced application mapping feature. See Session Handler and Application Mapping, Paths, Preconditions.

Suggest Rules Wizard improved

The data collected by the Suggest Rules Wizard is now stored in a separate database for each application rather than in one big database for all applications. The size of these databases has been limited so that if you forget to disable learning mode, no database can grow so big that it causes performance issues. Within the status display of the administration interface, there is a new section labeled Application Status. While vWAF is in learning mode, you see a corresponding message here. A warning appears if the database has grown too big, and you can then terminate or reset learning mode. See Suggest Rules Wizard and Layout of the Administration Interface.

New Precondition

The new Url Selector can be used to further restrict the URLs of a path. See Url Selector.

REST interface updated

Some new functions have been added to the REST interface. In particular, there is now a REST interface for the new application mapping feature. This also caused some changes to the Applications REST interface, where hosts and customer_key are no longer included in the data. See REST Interface.

REST login with cluster password

You can now use an empty username plus the cluster password for authentication when using the REST interface on localhost. You no longer need to set up an extra user profile just for this purpose. See Using the REST Interface.

IIS 8 support

vWAF now supports IIS 8. When installing vWAF, vWAF detects IIS 8 automatically and installs the appropriate enforcer.

Support for both 32-bit and 64-bit application pools

If you are using IIS 7 or IIS 8, vWAF installs both a 32-bit version and a 64-bit version of the enforcer so that 32-bit as well as 64-bit application pools can be handled.

Multi-CPU mode for administration server

With large installations, the administration master can be a performance bottleneck for user interface operations. To improve performance, you can now enable multi-CPU mode for the administration server. See System Configuration, attribute adminMasterXMLuseMultiCPU.

Custom configuration files

You can now use custom configuration files instead of the default zeusafm.conf and updater.conf files. You can even split your settings and have multiple configuration files in parallel. See Installation.

Riverbed Serial Number for support

On the Overview tab in Cluster & License Management, you can now find a new Riverbed Serial Number. It is calculated automatically from your existing licenses. You need it when contacting support.

Major changes for version 4.7

Feature | Description of changes

Ability to parse request bodies encoded in JSON

An increasing number of web applications send JSON-encoded data instead of URL-encoded data—in particular web applications that talk directly to a REST service. In addition to parsing URL-encoded request bodies, vWAF can now also parse request bodies encoded in JSON. For this purpose, two new attributes have been added to the Content Type Handler. In return, the former attribute allow content type list has been removed from the handler. The settings of this attribute are now covered by the new attributes—in particular by the attribute content type parser mapping and its setting pass through (do not parse). Existing rulesets are converted automatically, so you don’t need to change any existing configuration. See Content Type Handler.

Option to exclude ranges of IP addresses from the global IP blacklist

You can now exclude particular ranges of IP addresses from the global IP blacklist. This can be useful, for example, if you use external scanners that scan your web application at regular intervals. See Global IP Blacklisting.
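The logic behind a global blacklist with excluded ranges, as an added example (not vWAF code; vWAF's own storage and expiry mechanism are not shown). It combines the temporary blocking described under the IP Blacklist Wizard, the excluded ranges described here, and IPv6 addresses, using the standard `ipaddress` module; all networks and addresses are constructed samples from documentation ranges:

```python
"""Added example (not vWAF code): temporary IP blacklist with excluded ranges, IPv4 and IPv6."""
import ipaddress
import time


def _net(spec):
    """Accept a single address or a CIDR range; strict=False tolerates host bits being set."""
    return ipaddress.ip_network(spec, strict=False)


class IPBlacklist:
    def __init__(self, excluded=()):
        self.entries = []                              # list of (network, expires_at or None)
        self.excluded = [_net(s) for s in excluded]    # e.g. ranges of your external scanners

    def block(self, spec, ttl_seconds=None, now=None):
        """Block an address or range, optionally only for ttl_seconds."""
        now = time.time() if now is None else now
        expires = None if ttl_seconds is None else now + ttl_seconds
        self.entries.append((_net(spec), expires))

    def check(self, addr, now=None):
        """Return (blocked, reason) for a client address string.

        Excluded ranges win over blocked ranges, so an excluded scanner is never
        locked out even if an event source later adds its address. Expired entries
        are purged as they are encountered.
        """
        now = time.time() if now is None else now
        ip = ipaddress.ip_address(addr.strip())        # raises ValueError on garbage input
        for ex in self.excluded:
            if ip in ex:                               # version mismatch simply yields False
                return False, f"excluded by {ex}"
        live, hit = [], None
        for net, expires in self.entries:
            if expires is not None and expires <= now:
                continue                               # temporary block has lapsed
            live.append((net, expires))
            if hit is None and ip in net:
                hit = net
        self.entries = live
        if hit is not None:
            return True, f"blocked by {hit}"
        return False, "not listed"


if __name__ == "__main__":
    bl = IPBlacklist(excluded=["198.51.100.0/24"])
    bl.block("203.0.113.0/24")
    bl.block("2001:db8::/32", ttl_seconds=60)
    for a in ("203.0.113.7", "198.51.100.9", "2001:db8::1", "192.0.2.1"):
        print(a, bl.check(a))
```

Passing `now` explicitly makes the expiry logic testable without sleeping; in production the default `time.time()` is used.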

New event source

The new Seen Enforcer Event Source can trigger an alert when either a new enforcer has been added to the configuration or when an enforcer is inactive. See Seen Enforcer Event Source.

Option to add comments and descriptions to paths (former prefixes)

For your internal purposes, you now have a built-in feature to document why you’ve set up a specific path. See Editing Paths.

Option to hide particular rulesets

Over time, the number of stored rulesets grows, which can make the History list in Version Control quite lengthy. To shorten this list and to make it clearer, you can now hide those rulesets that you likely won’t need any more. See Version Control.

Cluster / decider node filters

You can now filter the view of shown cluster nodes according to the categories running, degraded, and disabled. This can be helpful if you have an installation with a large cluster. See Managing Deciders.

Function descriptions restructured

We have restructured the descriptions of the Python functions that can be used by the Script Handler. Now there is an overview of all functions from which you can easily jump to each description. See Accessible Python Modules and Functions.

Major changes for version 4.6

Feature | Description of changes

REST interface

The REST interface has been largely expanded. You can now handle all major administration tasks via this interface. See REST Interface.

SNMP interface

You can now handle various administration tasks also via SNMP. See SNMP Interface.

Major changes for version 4.5

Feature | Description of changes

IPv6 support

In addition to IPv4 addresses you can now specify IPv6 addresses in all handlers, event sources, and other places where IP addresses are entered.

Custom error pages and error IDs

You can now set up your own error page or redirect to a particular URL when vWAF denies a request. On your error page, you can display a unique error ID, which vWAF creates for each denied request and also writes to the log files. With the help of this error ID you can easily track the cause of an error down to the handler that caused it. See Setting Up a Custom Error Page and Log Files.

New Application Creation Wizard

The new Application Creation Wizard assists you in setting up new applications step by step. See Editing Applications and Application Creation Wizard.

Updated Baseline Protection Wizard

The Baseline Protection Wizard has received some additional pages and settings. See Baseline Protection Wizard.

New event source

The new Global Blacklist IP Added Event Source triggers an event each time a new IP address is written to the global IP blacklist. See Global Blacklist IP Added Event Source.

New attribute for the Invalid Args Handler

The new attribute max allowed arguments can be set to protect you from attacks that exploit interpretation errors of scripting languages, such as hash collision attacks. See Invalid Args Handler.
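How the two pieces fit together, as an added example that is not vWAF code: the content-type-to-parser mapping with a pass-through setting described for the 4.7 Content Type Handler, followed by the argument-count limit that the max allowed arguments attribute enforces. The mapping, the body size limit, the argument limit and the sample requests are all constructed; nested JSON is flattened so that every leaf value counts as one argument, which is what keeps a deeply nested body from bypassing the count:

```python
"""Added example (not vWAF code): parser selection by content type plus an argument-count limit."""
import json
from urllib.parse import parse_qsl, urlsplit

MAX_BODY_BYTES = 64 * 1024        # constructed: larger bodies are rejected rather than parsed
MAX_ALLOWED_ARGUMENTS = 100       # constructed: argument floods (hash-collision style) exceed this
MAX_JSON_DEPTH = 20               # constructed: bound on nesting while flattening

PASS_THROUGH = "pass_through"

# Constructed mapping: media type -> parser to apply ("pass_through" = do not parse)
CONTENT_TYPE_PARSER_MAPPING = {
    "application/x-www-form-urlencoded": "urlencoded",
    "application/json": "json",
    "multipart/form-data": PASS_THROUGH,   # left to a dedicated upload handler in this example
}


def _media_type(content_type):
    """'application/json; charset=utf-8' -> 'application/json'"""
    return content_type.split(";", 1)[0].strip().lower()


def _flatten_json(value, prefix, out, depth=0):
    """Flatten nested JSON into (key, leaf) pairs so each leaf counts as one argument."""
    if depth > MAX_JSON_DEPTH:
        raise ValueError("json nesting too deep")
    if isinstance(value, dict):
        for k, v in value.items():
            _flatten_json(v, f"{prefix}.{k}" if prefix else str(k), out, depth + 1)
    elif isinstance(value, list):
        for i, v in enumerate(value):
            _flatten_json(v, f"{prefix}[{i}]", out, depth + 1)
    else:
        out.append((prefix, value))


def parse_arguments(method, url, content_type, body):
    """Return (arguments, parser_used) for a request; raise ValueError on a malformed body.

    Query-string arguments are always collected; the body is parsed according to the
    mapping, passed through untouched, or rejected when its media type is unmapped.
    """
    args = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    if not body:
        return args, None
    parser = CONTENT_TYPE_PARSER_MAPPING.get(_media_type(content_type or ""))
    if parser is None:
        raise ValueError("content type not allowed")
    if parser == PASS_THROUGH:
        return args, PASS_THROUGH
    if len(body) > MAX_BODY_BYTES:
        raise ValueError("body too large to parse")
    if parser == "urlencoded":
        args += parse_qsl(body.decode("ascii"), keep_blank_values=True)
    elif parser == "json":
        _flatten_json(json.loads(body.decode("utf-8")), "", args)
    return args, parser


def check_argument_count(args, limit=MAX_ALLOWED_ARGUMENTS):
    """Return (allowed, count); the request is denied once the count exceeds the limit."""
    return len(args) <= limit, len(args)


if __name__ == "__main__":
    # Constructed sample: a JSON body talking to a REST service
    body = b'{"user": {"name": "x", "roles": ["a", "b"]}}'
    args, parser = parse_arguments("POST", "/api?v=2", "application/json; charset=utf-8", body)
    print(parser, args, check_argument_count(args))
```

Counting flattened JSON leaves rather than top-level keys is the design choice worth noting: the limit is meant to bound the work a backend parser does per request, and that work scales with the number of values, not with the number of top-level members.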

Option to log removed cookies

A new attribute for the Cookie Jar Handler lets you configure vWAF so that it adds an entry to the application-specific log file each time it removes a cookie. See Cookie Jar Handler.

New attribute for the HTTP Method Selector

The new attribute method_SVN includes all methods that are used in combination with Subversion servers. See HTTP Method Selector.

New default user group “PCI Auditor”

There is a new default user group PCI Auditor, designed for persons who conduct Payment Card Industry (PCI) audits. See Organizational Integration.

Reduced URL logging renamed

“Reduced URL logging” is now called “Reduced Argument Logging”. See Editing Applications.

ModSecurity Wizard and Handlers dropped

The following wizards and handlers are no longer available: ModSecurity Ruleset Import Wizard, ModSecurity Handler, and ModSecurity Emulation Handler.