Q&A: What are the details that should be provided in the Technical Questionnaire?

Question

• What are the details that should be provided in the Technical Questionnaire?
  • Download the Questionnaire here: Download: WAF Technical Questionnaire for WAF Setup

Environment

• Silverline WAF
  • WAF policy  

Answer

• Provide as many details as possible! Completing the questionnaire allows F5 Silverline SOC to build a Positive Security Model where we define all the 'known' variables that are good / valid.
• The entities or configurations asked for in the questionnaire include:

  • Entities/Configurations	Example(s)	Definition
    Application Encoding Type	UTF-8 ISO-8859-1	Character encoding schemes used by the application.  WAF Setup FAQ: How do I determine application encoding?
    Allowed HTTP Methods	GET POST HEAD	HTTP defines a set of request methods to indicate the desired action to be performed for a given resource
    Allowed Response Codes	400 404 503	HTTP response status codes indicate whether a specific HTTP request has been successfully completed   Q&A: Default HTTP Response Codes Allowed
    Disallow/Acceptable File Types	Disallow: EXE, DLL Acceptable: PHP, DOC, ASPX, etc	File type extensions that you want to block or is/are used by the application   Q&A: Default Illegal File Types
    URLs	Disallowed: /admin/restricted_acess Acceptable URLs: /login, /example	A list of URL(s) that you want to block or is/are used by the application
    Parameters	Username, Password, etc.	A list of Parameter(s) that is/are used by the application
    Cookies	Jsession_id, _utm* (Google analytics cookies), etc	A list of Cookie(s) that are used by the application
    Redirection Protection	https://example.com (include subdomain; meaning https://*.example.com would be acceptable) https://www.anotherexample.com (does not include subdomain)	A list of locations/domains that the application can serve 301/302 redirects
    Blocking Response Page	<html><head><title>Request Rejected</title></head> <body>The requested URL was rejected. Please consult with your administrator. <br><br>Your support ID is: <%TS.request.ID()%> </body></html>	The blocking page that a user would see if their request were to be blocked by the WAF policy Q&A: What is the Default WAF Violation Block Page and HTTP Response Code/Headers for Blocked Requests/Clients?
    Geolocation Blocking	Disallow: Iran, Syria Allow: US, CA	If you want to block/allow specific IP addresses from specific countries in accessing the application Q&A: How can I block traffic from country / countries for a specific proxy?
    Allowlist IP	Allowlist: 192.168.1.1	IP address(es) or subnets that you want to allowlist How To Allowlist IP Addresses For WAF Services

Related Content

• Download: WAF Technical Questionnaire for WAF Setup