Global Configuration

Purpose

The Global Configuration allows you to customize the default behavior of vWAF.

Opening

To open Global Configuration, select the menu item Administration > Global Configuration.

Attributes

Attribute

Meaning

allow traffic if we cannot parse the request

Under some rare circumstances it may happen that vWAF cannot parse some special character combinations within a request.

By default, vWAF denies those requests. By enabling this option you can reverse this behavior and let vWAF accept all requests that it cannot parse. For security reasons it is generally not recommended to enable this option, but if legitimate traffic is being blocked it can be useful temporarily until you fix the problem.

session cookie name

Name of the secure session cookie that vWAF is to generate.

disable all statistics

If this option is enabled, vWAF does not run any statistics (see Application Statistics and Attack Analysis).

This is only recommended if you experience too much load on your server.

Request timelimit (a valid integer greater than zero is required)

By default, vWAF filters both requests and responses. After vWAF has processed the request it passes on the request to the web application and temporarily stores some data about the request. Then it waits for the web application's response.

If the web application does not respond for some reason, vWAF deletes the temporary data and returns an error code. The Request timelimit determines the time in seconds that vWAF waits for the response.

The default value is 30 seconds.

allow unencoded spaces in url

Browsers usually encode spaces properly, but poorly programmed scripts sometimes don't. To allow such a script to access your web application, you can use this option.

For security reasons it is generally not recommended to enable this option. Only use it temporarily if you know that a script sends unencoded spaces, until you have fixed the problem.

allow traffic for unknown hosts

If this option is enabled, vWAF does not block any traffic for hosts that have not yet been added in Application Mapping (see Editing Application Mapping).

For security reasons, we recommend disabling this option, and thus blocking traffic for unknown hosts, as soon as you have entered your hosts into the configuration.

use X-Forwarded-For header

Optional (only makes sense if vWAF operates behind a reverse proxy or load balancer that sets an X-Forwarded-For header).

If this option is enabled, vWAF uses the X-Forwarded-For header (inserted by the reverse proxy) to determine the IP address of the user.

Do not combine this option with use NS-Client-IP header, because using both headers might result in a conflict.

use NS-Client-IP header

Optional (only makes sense if vWAF operates behind NetScaler, which sets the NS-Client-IP header).

If this option is enabled, vWAF uses the NS-Client-IP header (inserted by NetScaler) to determine the IP address of the user.

Do not combine this option with use X-Forwarded-For header, because using both headers might result in a conflict.
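The following is an added example, not vWAF code, that models how the two client-IP options above interact: neither enabled falls back to the TCP peer address, exactly one enabled reads the corresponding header, and both enabled is rejected as the conflicting combination the page warns about. The class and function names, the sample request, and the choice of the rightmost X-Forwarded-For entry (the value appended by the proxy directly in front) are assumptions of this example; the page does not say which entry vWAF itself uses.

```python
"""Added example (not vWAF code): client-IP resolution from the two header options."""
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class ClientIpConfig:
    use_x_forwarded_for: bool = False  # "use X-Forwarded-For header"
    use_ns_client_ip: bool = False     # "use NS-Client-IP header"

    def validate(self) -> None:
        # The page says the two options must not be combined; refuse the
        # combination up front instead of letting one header silently win.
        if self.use_x_forwarded_for and self.use_ns_client_ip:
            raise ValueError("use X-Forwarded-For and use NS-Client-IP must not both be enabled")


def resolve_client_ip(cfg: ClientIpConfig, remote_addr: str, headers: Dict[str, str]) -> str:
    """Return the address the request is attributed to.

    remote_addr is the TCP peer (the proxy or NetScaler, when one is in front).
    Header names are matched case-insensitively.
    """
    cfg.validate()
    h = {k.lower(): v for k, v in headers.items()}
    if cfg.use_x_forwarded_for and "x-forwarded-for" in h:
        # X-Forwarded-For may be a comma-separated chain. Assumption of this
        # example: the rightmost entry is the one appended by the adjacent
        # reverse proxy; entries to the left arrived with the client's request.
        chain = [p.strip() for p in h["x-forwarded-for"].split(",") if p.strip()]
        if chain:
            return chain[-1]
    if cfg.use_ns_client_ip and "ns-client-ip" in h:
        return h["ns-client-ip"].strip()
    # Option disabled or header absent: the peer address is the only value the
    # client cannot set itself, so it is the fallback.
    return remote_addr


# Constructed sample: a request arriving via a reverse proxy at 10.0.0.5 that
# appended the address it saw (198.51.100.9) to a chain the client already carried.
PROXIED = {"X-Forwarded-For": "203.0.113.7, 198.51.100.9", "Host": "shop.example"}
NETSCALER = {"NS-Client-IP": "203.0.113.7", "Host": "shop.example"}
```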

Global Error Page Setup

In this section, you can set up the global default behavior for what happens when vWAF denies a request:

  • Return an HTTP error code, which is the standard behavior.
  • Display a custom error page that you have set up.
  • Redirect to any other custom page.

You can also modify this behavior for each application separately in application control. For details, see Setting Up a Custom Error Page.

Enabling full request logging

ATTENTION
Full request logging may log sensitive information such as passwords or personal information. Make sure that this complies with your privacy policy and that you take appropriate measures to control where the data is saved and who will have access to the data.

Application-specific log files provide information on why vWAF denied a request. Sometimes, however, you might want to retrieve even more detailed information. When you enable full request logging, vWAF logs the complete request header and the complete request body (up to a configurable size). You can then later download the request headers and raw body data for further analysis (see Log Files).

For example, you can analyze headers for referrers, or you can analyze a request’s payload to find out which state your web application was in when the request was denied.

To enable full request logging, select the Enable check box.

In Global Configuration you only enable full request logging in principle. However, this does not mean that full request logging is actually active. In order for full request logging to become effective, you must additionally enable it for each application for which you want it to be active. You do this in Application Control on the Application Settings tab (see Editing Applications).

In addition to enabling full request logging, you also need to specify a maximum size of the request body that is logged. If a request body of a logged request is larger than the given Max Body Size, it is automatically truncated to Max Body Size. This prevents the log files from growing too large. The default maximum body size is 1024 KB.
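The following is an added example, not vWAF code, that models the two behaviors described in this section: full request logging only becomes active when the global switch and the application's own switch are both enabled, and a logged body is cut at Max Body Size. The class and function names and the sample request are assumptions of this example.

```python
"""Added example (not vWAF code): two-level enable and Max Body Size truncation."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

KB = 1024


@dataclass
class FullRequestLogging:
    enabled_globally: bool = False                      # Global Configuration "Enable"
    enabled_apps: Set[str] = field(default_factory=set)  # per-application switch
    max_body_kb: int = 1024                             # page default: 1024 KB

    def active_for(self, app: str) -> bool:
        # Enabling it globally only enables it "in principle": the application
        # must additionally opt in, otherwise nothing is logged.
        return self.enabled_globally and app in self.enabled_apps


def capture_request(cfg: FullRequestLogging, app: str,
                    headers: Dict[str, str], body: bytes) -> Optional[dict]:
    """Return the record that would be written, or None if logging is not active.

    Truncation is purely size-based: headers are kept whole and the body is cut
    at Max Body Size. Nothing here redacts passwords or personal data, which is
    why the ATTENTION note above applies to every record this produces.
    """
    if not cfg.active_for(app):
        return None
    limit = cfg.max_body_kb * KB
    return {
        "app": app,
        "headers": dict(headers),
        "body": body[:limit],
        "truncated": len(body) > limit,
    }


# Constructed sample: a 2 KB POST body against a 1 KB Max Body Size.
SAMPLE_HEADERS = {"Host": "shop.example", "Content-Type": "application/x-www-form-urlencoded"}
SAMPLE_BODY = b"user=alice&note=" + b"A" * (2 * KB)
```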