ALBWafConfig (schema)

WafConfig

Advanced load balancer WafConfig object
Name Description Type Notes
allowed_http_versions Allowed http versions

WAF allowed HTTP Versions.
Enum options - ZERO_NINE, ONE_ZERO, ONE_ONE, TWO_ZERO.
Maximum of 8 items allowed.
array of ALBHTTPVersion
allowed_methods Allowed methods

WAF allowed HTTP methods.
Enum options - HTTP_METHOD_GET, HTTP_METHOD_HEAD,
HTTP_METHOD_PUT, HTTP_METHOD_DELETE, HTTP_METHOD_POST,
HTTP_METHOD_OPTIONS, HTTP_METHOD_TRACE, HTTP_METHOD_CONNECT,
HTTP_METHOD_PATCH, HTTP_METHOD_PROPFIND,
HTTP_METHOD_PROPPATCH, HTTP_METHOD_MKCOL, HTTP_METHOD_COPY,
HTTP_METHOD_MOVE, HTTP_METHOD_LOCK, HTTP_METHOD_UNLOCK.
array of ALBHTTPMethod
allowed_request_content_types Allowed request content types

WAF allowed Content Types.
Maximum of 64 items allowed.
array of string
argument_separator Argument separator

Argument separator.
Default value when not specified in API or module is
interpreted by ALB Controller as &.
string Default: "&"
client_request_max_body_size Client request max body size

Maximum size for the client request body scanned by WAF.
Allowed values are 1-32768.
Unit is KB.
Default value when not specified in API or module is
interpreted by ALB Controller as 32.
integer Minimum: 1
Maximum: 32768
Default: "32"
cookie_format_version Cookie format version

0 For Netscape Cookies.
1 For version 1 cookies.
Allowed values are 0-1.
Default value when not specified in API or module is
interpreted by ALB Controller as 0.
integer Minimum: 0
Maximum: 1
Default: "0"
ignore_incomplete_request_body_error Ignore incomplete request body error

Ignore request body parsing errors due to partial scanning.
Default value when not specified in API or module is
interpreted by ALB Controller as true.
boolean Default: "True"
max_execution_time Max execution time

The maximum period of time WAF processing is allowed to
take for a single request.
A value of 0 (zero) means no limit and should not be chosen
in production deployments.
It is only used for exceptional situations where crashes of
se_dp processes are acceptable.
The behavior of the system if this time is exceeded depends
on two other configuration settings, the WAF policy mode and
the WAF failure mode.
In WAF policy mode 'Detection', the request is allowed and
flagged for both failure mode 'Closed' and 'Open'.
In enforcement mode, 'Closed' means the request is
rejected, 'Open' means the request is allowed and flagged.
Irrespective of these settings, no subsequent WAF rules of
this or other phases will be executed once the maximum
execution time has been exceeded.
Allowed values are 0-5000.
Unit is MILLISECONDS.
Default value when not specified in API or module is
interpreted by ALB Controller as 50.
integer Minimum: 0
Maximum: 5000
Default: "50"
regex_match_limit Regex match limit

Limit CPU utilization for each regular expression match
when processing rules.
Default value when not specified in API or module is
interpreted by ALB Controller as 30000.
integer Default: "30000"
regex_recursion_limit Regex recursion limit

Limit depth of recursion for each regular expression match
when processing rules.
Default value when not specified in API or module is
interpreted by ALB Controller as 10000.
integer Default: "10000"
request_body_default_action Request body default action

WAF default action for Request Body Phase.
Default value when not specified in API or module is
interpreted by ALB Controller as
phase:2,deny,status:403,log,auditlog.
string Default: "phase:2,deny,status:403,log,auditlog"
request_hdr_default_action Request hdr default action

WAF default action for Request Header Phase.
Default value when not specified in API or module is
interpreted by ALB Controller as
phase:1,deny,status:403,log,auditlog.
string Default: "phase:1,deny,status:403,log,auditlog"
response_body_default_action Response body default action

WAF default action for Response Body Phase.
Default value when not specified in API or module is
interpreted by ALB Controller as
phase:4,deny,status:403,log,auditlog.
string Default: "phase:4,deny,status:403,log,auditlog"
response_hdr_default_action Response hdr default action

WAF default action for Response Header Phase.
Default value when not specified in API or module is
interpreted by ALB Controller as
phase:3,deny,status:403,log,auditlog.
string Default: "phase:3,deny,status:403,log,auditlog"
restricted_extensions Restricted extensions

WAF Restricted File Extensions.
Maximum of 256 items allowed.
array of string
restricted_headers Restricted headers

WAF Restricted HTTP Headers.
Maximum of 64 items allowed.
array of string
server_response_max_body_size Server response max body size

Maximum size for response body scanned by WAF.
Allowed values are 1-32768.
Unit is KB.
Default value when not specified in API or module is
interpreted by ALB Controller as 128.
integer Minimum: 1
Maximum: 32768
Default: "128"
static_extensions Static extensions

WAF Static File Extensions.
GET and HEAD requests with no query args and one of these
extensions are allowed and not checked by the ruleset.
Maximum of 64 items allowed.
array of string
status_code_for_rejected_requests Status code for rejected requests

HTTP status code used by WAF Positive Security Model when
rejecting a request.
Enum options - HTTP_RESPONSE_CODE_0,
HTTP_RESPONSE_CODE_100, HTTP_RESPONSE_CODE_101,
HTTP_RESPONSE_CODE_200, HTTP_RESPONSE_CODE_201,
HTTP_RESPONSE_CODE_202, HTTP_RESPONSE_CODE_203,
HTTP_RESPONSE_CODE_204, HTTP_RESPONSE_CODE_205,
HTTP_RESPONSE_CODE_206, HTTP_RESPONSE_CODE_300,
HTTP_RESPONSE_CODE_301, HTTP_RESPONSE_CODE_302,
HTTP_RESPONSE_CODE_303, HTTP_RESPONSE_CODE_304,
HTTP_RESPONSE_CODE_305, HTTP_RESPONSE_CODE_307,
HTTP_RESPONSE_CODE_400, HTTP_RESPONSE_CODE_401,
HTTP_RESPONSE_CODE_402...
Default value when not specified in API or module is
interpreted by ALB Controller as HTTP_RESPONSE_CODE_403.
ALBHTTPResponseCodes Default: "HTTP_RESPONSE_CODE_403"
xml_xxe_protection Xml xxe protection

Block or flag XML requests referring to External Entities.
Default value when not specified in API or module is
interpreted by ALB Controller as true.
boolean Default: "True"
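
Added example (not part of the ALB documentation or its tooling): a small Python linter that checks a WafConfig object against the ranges and item limits in the table above and warns on the settings whose descriptions carry a caution. The names `lint_waf_config` and `SAMPLE`, the phase-matching check and the static/restricted overlap check are assumptions of this example, and the sample values are constructed.

```python
# Added example: limits transcribed from the ALBWafConfig table above.
INT_RANGES = {
    "client_request_max_body_size": (1, 32768),   # KB
    "server_response_max_body_size": (1, 32768),  # KB
    "cookie_format_version": (0, 1),
    "max_execution_time": (0, 5000),              # milliseconds
}
MAX_ITEMS = {
    "allowed_http_versions": 8, "allowed_request_content_types": 64,
    "restricted_extensions": 256, "restricted_headers": 64, "static_extensions": 64,
}
DEFAULT_ACTION_PHASE = {
    "request_hdr_default_action": 1, "request_body_default_action": 2,
    "response_hdr_default_action": 3, "response_body_default_action": 4,
}

def lint_waf_config(cfg):
    """Return (errors, warnings); fields absent from cfg keep controller defaults."""
    errors, warnings = [], []
    for name, (lo, hi) in INT_RANGES.items():
        v = cfg.get(name)
        if v is not None and (type(v) is not int or not lo <= v <= hi):
            errors.append(f"{name}={v!r} is outside {lo}-{hi}")
    for name, limit in MAX_ITEMS.items():
        if len(cfg.get(name, [])) > limit:
            errors.append(f"{name} exceeds {limit} items")
    # Assumption: each default action should name the phase shown in its default.
    for name, phase in DEFAULT_ACTION_PHASE.items():
        if name in cfg and f"phase:{phase}" not in cfg[name].split(","):
            warnings.append(f"{name} does not name phase:{phase}")
    if cfg.get("max_execution_time") == 0:
        warnings.append("max_execution_time=0 means no limit; not for production")
    if cfg.get("xml_xxe_protection") is False:
        warnings.append("xml_xxe_protection is off; external entities not blocked or flagged")
    # Static extensions skip the ruleset, so overlap with restricted ones conflicts.
    norm = lambda exts: {e.lower().lstrip(".") for e in exts}
    both = norm(cfg.get("static_extensions", [])) & norm(cfg.get("restricted_extensions", []))
    for ext in sorted(both):
        warnings.append(f"extension {ext!r} is both static (unchecked) and restricted")
    return errors, warnings

# Constructed sample input, not taken from a real deployment.
SAMPLE = {
    "max_execution_time": 0, "client_request_max_body_size": 65536,
    "request_body_default_action": "phase:1,deny,status:403,log,auditlog",
    "static_extensions": [".js", ".bak"], "restricted_extensions": [".BAK"],
    "xml_xxe_protection": False,
}
print(lint_waf_config(SAMPLE))
```

An empty object passes cleanly, because every field then falls back to the controller default listed in the table.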