NGINX App Protect WAF Release 3.7
December 15, 2021
Protection of large requests - To increase the protection of resources at both the NGINX Plus and upstream application tiers, NGINX App Protect WAF 3.7 contains a change in the default policy behavior that will block requests that are larger than 10 MB in size even if the Violation Rating is less than 4. In previous versions, requests greater than 10 MB would be allowed. When these requests are blocked, a
VIOL_REQUEST_MAX_LENGTHviolation will be logged.
New http-protocols violation - Check maximum number of cookies. NGINX App Protect WAF policies can now configure and enforce the maximum cookies allowed in a request.
CentOS 7.4+ / RHEL 7.4+ / Amazon Linux 2
- 4700 Fixed - Schema validation fails with unresolved $ref and missing type.
- 4672 Fixed - Some signatures are not matched under specific conditions.
- 4676 Fixed - Not all the payload gets validated on specific scenario.
- 4681 Fixed - Attack detection is not triggered as expected.
- 4682 Fixed - Attack signature may not match as expected.
- 4683 Fixed - Fixing issue with input normalization.
- 4697 Fixed - An error message that relates to a missing bot anomaly appears endlessly on the
- 4933 Fixed - Enforcer timeout when consuming very large configurations.
- 5096 Fixed - signatureOverrides were not allowed to be defined on cookies.
- 5112 Fixed - Violation Rating score is higher than expected in some of the cases.
This version introduces a new value
outcome_reason field in the security log. This new value is for future compatibility and it should be ignored for now.
This documentation applies to the following versions of NGINX App Protect WAF: 3.7.