- X-Forwarded-For
When traffic passes through a CDN or proxy, an X-Forwarded-For field is inserted into the HTTP header so that the server can record the real source IP address. Select Enable, as shown below.
Header Field: Specify the HTTP header field from which the client address is read. Four fields can be identified: X-Forwarded-For, Cdn-Src-Ip, Clientip, and Other. You can also customize the configuration.
X-Forwarded-For: If access is via a CDN, or if a proxy device or load balancing device is deployed on the network, enter the trusted CDN or proxy IP addresses; the real client address behind them is then used for logging and IP blocking.
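The reason the trusted proxy list matters is that anyone can send an X-Forwarded-For header. The following is an added example (not code from the original page or from the Sangfor product) showing how a logging or blocking component should derive the client address: honour the configured header field only when the TCP peer is one of the trusted proxies, and walk the chain from the right so that addresses prepended by an untrusted client are ignored. The proxy ranges, header names and sample addresses are constructed for the example.

```python
import ipaddress

# Constructed trusted CDN / proxy ranges for this example (assumption: in a real
# deployment these are the operator's own CDN, proxy or load-balancer addresses).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]

# The header fields the page lists as carriers of the client address.
HEADER_CANDIDATES = ("X-Forwarded-For", "Cdn-Src-Ip", "Clientip")


def parse_ip(text: str):
    """Return an ip_address object, or None if the text is not a valid address."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def is_trusted(ip: str) -> bool:
    addr = parse_ip(ip)
    return addr is not None and any(addr in net for net in TRUSTED_PROXIES)


def real_client_ip(peer_ip: str, headers: dict, header_field: str = "X-Forwarded-For") -> str:
    """Address to use for logging and IP blocking.

    The forwarded header is honoured only when the TCP peer is a trusted proxy;
    from anyone else its content is attacker-controlled, so the peer address wins.
    The chain is walked from the right (the hop nearest to us) to the left, and the
    first address that is *not* a trusted proxy is the client: anything further left
    was supplied before the traffic reached a device we trust and may be forged.
    """
    if not is_trusted(peer_ip):
        return peer_ip
    hops = [h.strip() for h in headers.get(header_field, "").split(",") if h.strip()]
    for hop in reversed(hops):
        if parse_ip(hop) is None:
            return peer_ip          # malformed entry: fall back to the proxy address
        if not is_trusted(hop):
            return hop
    return peer_ip                  # header absent, empty, or only trusted proxies listed


if __name__ == "__main__":
    # Constructed sample: a client spoofs "9.9.9.9", the CDN appends the true client.
    print(real_client_ip("10.0.0.5", {"X-Forwarded-For": "9.9.9.9, 1.2.3.4, 10.0.0.9"}))
```

If the firewall is not itself the first trusted hop, every device between the client and the firewall must be in the trusted list, otherwise the rightmost untrusted address will be an intermediate proxy rather than the client and IP blocking will hit the proxy.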
- Logging Options
Select the types of events to log, as shown below.
Status Code: Ranges from 200 to 599. The conditions for logging the response status code are as follows:
a) The attack is from the request side.
b) The detected attack action is allowed.
When the Enable option on the Logging Options page is unchecked, this function remains valid as long as Log response status code is selected and the policy that references the current template has logging enabled.
- Cookie-Based Attack
A cookie is a small text file that a website stores on the client machine when the client browses the website. Normally, it records the user ID, password, web pages browsed, dwell time, and other information about the client. When the same client accesses the website again, the website can retrieve the relevant data by reading the cookie and respond accordingly. Because some important data is kept in the cookie when the client accesses the server, others may make use of it, resulting in data leakage.
A cookie is used for attacks in two ways: stealing the cookie and tampering with the cookie. The first forges a legitimate identity to deceive the server, while the second exploits a logic flaw in the server's implementation.
Cookie-based attack protection detects whether a cookie has been stolen or tampered with based on the attributes of the cookie and the client data. This function can be used to protect all cookies or only some cookie attributes.
Whether the cookie has been stolen or tampered with is determined from the cookie's attribute values and the client's communication characteristics. The configuration is shown in the figure below.
If Yes is selected for Replace Cookie Value When Defacement Occurs, the cookie value is replaced with *. In Select Which Cookie Attributes to Protect, select Protect all cookie attributes, Protect all cookie attributes except the following, or Protect the following cookie attributes only.
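One way to tell theft from tampering using exactly the two inputs the text names (cookie attributes and client data) is to bind the cookie to a client fingerprint and authenticate both with an HMAC. The following is an added example, not code from the original page or from the Sangfor product, and the cookie layout, fingerprint inputs and secret key are assumptions made for the example: a failed HMAC means the cookie was edited, a valid HMAC with a fingerprint that does not match the current client means the cookie was replayed from another machine, and in both cases the value handed upstream is replaced with * as the Replace Cookie Value When Defacement Occurs option describes.

```python
import hashlib
import hmac

# Assumption: a per-deployment secret; constructed value for this example.
SECRET = b"constructed-demo-secret"


def fingerprint(client_ip: str, user_agent: str) -> str:
    """Hash of the client attributes the cookie is bound to (constructed choice)."""
    return hashlib.sha256(f"{client_ip}|{user_agent}".encode()).hexdigest()[:16]


def _tag(value: str, fp: str) -> str:
    """HMAC over the cookie value and the client fingerprint together."""
    return hmac.new(SECRET, f"{value}.{fp}".encode(), hashlib.sha256).hexdigest()


def issue_cookie(value: str, client_ip: str, user_agent: str) -> str:
    """Cookie layout used here: <value>.<client fingerprint>.<HMAC over both>."""
    fp = fingerprint(client_ip, user_agent)
    return f"{value}.{fp}.{_tag(value, fp)}"


def verify_cookie(cookie: str, client_ip: str, user_agent: str,
                  replace_on_defacement: bool = True) -> dict:
    """Classify the cookie as ok, tampered or stolen and return the value to pass upstream."""
    parts = cookie.rsplit(".", 2)        # fingerprint and tag are hex, so they contain no dots
    if len(parts) != 3:
        status = "tampered"
    else:
        value, fp, tag = parts
        if not hmac.compare_digest(tag, _tag(value, fp)):
            status = "tampered"          # value or binding was edited: HMAC no longer matches
        elif fp != fingerprint(client_ip, user_agent):
            status = "stolen"            # intact cookie presented by a different client
        else:
            return {"status": "ok", "value": value}
    # Attack detected: hand the application "*" instead of the cookie value.
    return {"status": status, "value": "*" if replace_on_defacement else cookie}


if __name__ == "__main__":
    c = issue_cookie("sid=user42x", "198.51.100.7", "Mozilla/5.0")
    print(verify_cookie(c, "198.51.100.7", "Mozilla/5.0"))
    print(verify_cookie(c, "203.0.113.9", "Mozilla/5.0"))   # same cookie, other client
```

Binding to the source IP causes false "stolen" verdicts for clients whose address changes mid-session (mobile networks, some proxies), so the attributes chosen for the fingerprint should match the user population; the mechanism itself is unchanged whichever attributes are selected.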
- Parameter Protection
Custom Parameter Protection: Similar to the proactive protection function, except that the parameters are customized. Regular expression matching is used: when a parameter meets the regular expression conditions, the configured reject action is triggered.
- CC Attack
This function prevents CC attacks against websites. The configuration is as follows:
Source IP-Based Protection: When Enable is selected for Access Restriction, if the access count of a source IP address exceeds the threshold, subsequent access from this IP address is denied.
Referer-Based Protection: When Enable is selected for Access Restriction, if the cumulative access count of the same URL in the Referer exceeds the threshold, access from any source IP address with the same Referer URL is denied.
URL-Based Protection: When Enable is selected for Access Restriction, if the access count of a source IP address to the same destination URL exceeds the threshold, subsequent access from this IP address is denied.
Custom Rule: Customize the CC protection rule.
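The three built-in modes differ only in what the counter is keyed on: the source IP, the Referer URL (across all source IPs), or the source IP together with the destination URL. The following is an added example, not code from the original page or the Sangfor product, that implements all three as sliding-window counters over a request stream; the window length, thresholds and sample requests are constructed for the example.

```python
from collections import defaultdict, deque
from typing import Optional


class CcLimiter:
    """Sliding-window request counters for the three CC protection modes.

    Each rule keeps a queue of request timestamps per key and denies a request
    once the count in the last `window` seconds exceeds that rule's threshold.
    """

    def __init__(self, window: float, ip_limit: int, referer_limit: int, url_limit: int):
        self.window = window
        # Thresholds per rule (constructed values are passed in by the caller).
        self.limits = {"source_ip": ip_limit, "referer": referer_limit, "url": url_limit}
        self.hits = {rule: defaultdict(deque) for rule in self.limits}

    def _count(self, rule: str, key, ts: float) -> int:
        q = self.hits[rule][key]
        while q and q[0] <= ts - self.window:   # drop timestamps outside the window
            q.popleft()
        q.append(ts)
        return len(q)

    def check(self, ts: float, src_ip: str, url: str, referer: Optional[str] = None):
        """Return ("allow", []) or ("deny", [rules that fired]) for one request."""
        keys = {
            "source_ip": src_ip,          # access count of one source IP
            "url": (src_ip, url),         # one source IP hitting the same destination URL
        }
        if referer:
            keys["referer"] = referer     # same Referer URL, regardless of source IP
        fired = [rule for rule, key in keys.items()
                 if self._count(rule, key, ts) > self.limits[rule]]
        return ("deny", fired) if fired else ("allow", [])


if __name__ == "__main__":
    lim = CcLimiter(window=10, ip_limit=5, referer_limit=3, url_limit=3)
    # Constructed burst: one client hammering /login.
    for t in range(6):
        print(t, lim.check(t, "1.1.1.1", "/login"))
```

Denied requests still add to the counters here, so a client that keeps retrying stays blocked until it slows down; whether to count denied requests, and whether URL-based hits block the IP for that URL only or entirely, are policy choices a real product exposes in its configuration.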
- CSRF Defense
Cross-Site Request Forgery, also known as a "one-click attack" or "session riding", is commonly abbreviated as CSRF or XSRF. It is an attack that compels end users to perform unintended operations on Web applications they are logged in to. By configuring CSRF protection, you can effectively prevent such attacks. The configuration interface is as follows.
After you configure the domain name to be protected, add the pages to be protected, and add the source pages allowed to access them, the target pages are accessible only from the allowed Referer, thus preventing CSRF attacks.
- Restrictive URL Access
This function protects users' key resources from being forcibly browsed by illegal clients. The configuration is as follows:
In the example, access to the home page of a domain (www.sangfor.com.cn) is allowed only from www.sangfor.com/bbs/index.html. Other access methods are disallowed.
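Both CSRF Defense and Restrictive URL Access reduce to the same check: a protected page on a protected domain may be requested only when the Referer names one of its allowed source pages. The following is an added example, not code from the original page or the Sangfor product, implementing that check for both features; the first policy entry is the page's own example (the www.sangfor.com.cn home page reachable only from www.sangfor.com/bbs/index.html), while the /account/transfer entry and its allowed source page are assumptions added to show a CSRF-style rule.

```python
from urllib.parse import urlparse

# Constructed policy: protected host -> { protected page path -> allowed source pages }.
POLICY = {
    "www.sangfor.com.cn": {
        "/": {"www.sangfor.com/bbs/index.html"},                         # page's example
        "/account/transfer": {"www.sangfor.com.cn/account/confirm.html"},  # assumed entry
    },
}


def source_page(referer: str) -> str:
    """Normalise a Referer header to host+path, ignoring scheme, port and query string."""
    p = urlparse(referer)
    return f"{p.hostname or ''}{p.path or '/'}"


def referer_allowed(host: str, path: str, referer) -> bool:
    """True if the request may proceed under the restrictive URL / CSRF policy."""
    pages = POLICY.get(host)
    if pages is None or path not in pages:
        return True                      # not a protected page: no Referer check applies
    if not referer:
        return False                     # no Referer, so the source page cannot be proven
    return source_page(referer) in pages[path]


if __name__ == "__main__":
    # Constructed requests: one from the allowed forum page, one from elsewhere.
    print(referer_allowed("www.sangfor.com.cn", "/", "http://www.sangfor.com/bbs/index.html"))
    print(referer_allowed("www.sangfor.com.cn", "/", "http://other.example/bbs/index.html"))
```

The Referer header is client-supplied and browsers omit it under strict Referrer-Policy settings, so denying the missing-Referer case (as above) can affect legitimate users; for state-changing pages such as the assumed /account/transfer entry, a Referer allowlist is usually combined with per-request anti-CSRF tokens.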
- Semantic Web Engine
The Semantic Web engine performs algorithmic detection of command injection, PHP code injection, Java code injection, XXE attacks, WebShell upload, SQL injection, XSS attacks, and backdoor scanning. Because it does not depend on rule matching, the detection rate is increased. See the figure below.
| Engine type | Note |
| --- | --- |
| Command injection prevention | Detects command injection attacks more effectively. If you are strict with security but accept particular false positives, High Detection is recommended. If you prioritize business stability, High Accuracy is recommended. |
| PHP code injection prevention | Detects PHP code injection attacks against unknown vulnerabilities more effectively with little dependence on rules. If you prioritize business stability, High Accuracy is recommended. |
| Java code injection prevention | Detects Java expressions more effectively to reduce false negatives. |
| XXE attack prevention | By performing grammar analysis and detection, the XXE security detection engine reduces false negatives and false positives to increase the Athena NGFW device's block rate and security detection ability. |
| WebShell upload prevention | Reduces false negatives caused by buffer truncation. If you are strict with security but accept certain false positives, High Detection is recommended. If you prioritize business stability, High Accuracy is recommended. |
| SQL injection prevention | The SQL injection prevention engine improves the defense of the Athena NGFW device by enhancing its anti-bypass ability and reducing the false-positive rate. This function is enabled by default with High Accuracy selected and non-injection detection disabled, which applies to scenarios with intensive SQL businesses. In light load scenarios, select High Detection and enable non-injection detection. |
| XSS attack prevention | The XSS attack prevention engine improves detection of XSS attacks and decreases the false-positive rate. This function is enabled by default with High Accuracy selected, which applies to scenarios where many front-end pages are edited in the background. In scenarios with high security requirements, High Detection is recommended. |
| Backdoor prevention | The backdoor prevention engine improves detection of backdoor scanning attacks. This function is enabled by default with High Accuracy selected. In scenarios with high security requirements, High Detection is recommended. |

Table 22: Description of Semantic Web Engine
- Self-Learning Prevention
Self-learning prevention identifies abnormal traffic by establishing a baseline of feature models for the customer's business traffic and then detecting traffic that deviates from that business. For the abnormal traffic it detects, it also attempts to identify known attacks, using characteristics that distinguish unknown malicious behavior from known attack behavior. This feature is turned off by default.
- Parse Options
XML parse engine-powered detection improves detection of XML attacks. The body of the HTTP message is inspected to identify attacks that bypass authentication with a WebShell transmitted through the XML protocol.
JSON parse engine-powered detection improves detection of JSON attacks. The body of the HTTP message is inspected to identify attacks that bypass authentication with a WebShell transmitted through the JSON protocol.
URL parse engine-powered detection improves detection of URL encoding attacks. The body of the HTTP message is inspected to identify attacks that bypass authentication with a WebShell transmitted through URL encoding.
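What the three parse options have in common is that a signature applied to the raw body misses content that only appears after the body is decoded the way the application will decode it. The following is an added example, not code from the original page or the Sangfor product, that runs one constructed marker (the opening tag of a PHP file, standing in for a WebShell upload signature) against the raw body and against the strings a JSON, XML or URL-encoded parser would produce; the content types, marker and sample bodies are constructed for the example.

```python
import json
import re
import xml.etree.ElementTree as ET
from typing import Iterator
from urllib.parse import parse_qs

# Constructed marker for the example: the opening tag of a PHP file, which has no
# business appearing inside a JSON value, XML text node or form field.
MARKER = re.compile(r"<\?php", re.IGNORECASE)


def _json_strings(node) -> Iterator[str]:
    """Walk a decoded JSON document and yield every string value."""
    if isinstance(node, dict):
        for v in node.values():
            yield from _json_strings(v)
    elif isinstance(node, list):
        for v in node:
            yield from _json_strings(v)
    elif isinstance(node, str):
        yield node


def decoded_strings(content_type: str, body: str) -> Iterator[str]:
    """Yield every string the matching parser would hand to the application, fully decoded."""
    ct = content_type.lower()
    try:
        if "json" in ct:
            yield from _json_strings(json.loads(body))       # undoes \uXXXX escapes
        elif "xml" in ct:
            # Production code should parse with defusedxml to block entity-expansion attacks.
            for el in ET.fromstring(body).iter():            # undoes &lt; and friends
                yield el.text or ""
                yield el.tail or ""
                yield from el.attrib.values()
        elif "x-www-form-urlencoded" in ct:
            for values in parse_qs(body, keep_blank_values=True).values():
                yield from values                            # undoes %XX encoding
        else:
            yield body
    except (ValueError, ET.ParseError):
        yield body          # unparseable body: inspect it as-is rather than skipping it


def raw_match(body: str) -> bool:
    """Signature match on the wire bytes only (no parse engine)."""
    return MARKER.search(body) is not None


def parsed_match(content_type: str, body: str) -> bool:
    """Signature match after the matching parse engine has decoded the body."""
    return any(MARKER.search(s) for s in decoded_strings(content_type, body))


if __name__ == "__main__":
    # Constructed sample bodies, each hiding the marker behind one encoding layer.
    samples = [
        ("application/x-www-form-urlencoded", "file=%3C%3Fphp"),
        ("application/json", r'{"upload": {"name": "a.txt", "content": "\u003c?php"}}'),
        ("application/xml", "<upload><content>&lt;?php</content></upload>"),
    ]
    for ct, body in samples:
        print(ct, "raw:", raw_match(body), "parsed:", parsed_match(ct, body))
```

The unparseable-body fallback matters operationally: a parser that silently drops malformed input turns a syntax error into a detection bypass, so the raw body is inspected instead.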