Enforcer frameworksF5 BIGIP

Configurational Classes

PII (Personally Identifiable Information) Anonymization

Personally Identifiable Information (PII) is information that can be used on its own or with other information to identify a single person, or to identify an individual in context.

It is important for us to keep personal private information out of our servers. Therefore, by default, we do not send the request body and cookies to HUMAN backend servers, the entire communication is based on headers data.

PII is not a recommended setting. If PII is essential for your organization, contact HUMAN Support.

When PII is enabled, HUMAN does not store a client’s full IP information (Client IP, HTTP Headers). In IPv4 this is done by zeroing 4th IP octet (for example, the IP 1.2.3.4 will be stored as 1.2.3.0). In IPv6 this is done by zeroing the last four (4) octets (for example, the IP 1:2:3:4:1:2:3:4 will be stored as 1:2:3:4:1:2:3:0). Removing the IP’s last octet can result small reduction of detection capability, usually for the models and signatures that are based on IPs.

The HUMAN BigIP module allows you to set a number of configurational classes (data groups) to control which routes are processed in different ways.

Whitelist Routes

Routes added to this class will bypass HUMAN enforcement entirely.

  1. On Local Traffic > iRules > Data Group List create a new Data Group.
  2. Set the Name to px_<APP_ID>_whitelisted_routes. Make sure to replace <APP_ID> with your HUMAN app id.
  3. Set Type to String.
  4. For each route you wish to allow, set the String property of String Record to the prefix of the route and click Add.
  5. Click Finished.
  6. On the iRule, make sure the value of whitelisted_routes_class directive is the same as the name you provided in step 2.

Whitelisted Query Parameters

Query parameters added to this class will be excluded from the URL sent to HUMAN for risk evaluation. This is useful for removing sensitive or dynamic parameters from the evaluation.

  1. On Local Traffic > iRules > Data Group List create a new Data Group.
  2. Set the Name to px_<APP_ID>_whitelisted_query_params. Make sure to replace <APP_ID> with your HUMAN app id.
  3. Set Type to String.
  4. For each URI query parameter you wish to whitelist:
    • Set the String property to the query parameter key name
    • Set the Value property to a regex pattern matching the values to whitelist
    • Click Add
  5. Click Finished.

The Value field uses regex matching. For example, to whitelist all values for a parameter, use .* as the value.

Example: To whitelist the session_id parameter with any value:

  • String: session_id
  • Value: .*

Specific Routes

Routes added to this class will be the only routes that HUMAN enforces. All other routes will bypass enforcement.

  1. On Local Traffic > iRules > Data Group List create a new Data Group.
  2. Set the Name to px_<APP_ID>_specific_routes. Make sure to replace <APP_ID> with your HUMAN app id.
  3. Set Type to String.
  4. For each route you wish to enforce, set the String property of String Record to the prefix of the route and click Add.
  5. Click Finished.
  6. On the iRule, make sure the value of specific_routes_class directive is the same as the name you provided in step 2.

Sensitive Routes

Routes added to this class will trigger a server-to-server risk API call regardless of the cookie score. This provides higher security for critical endpoints.

  1. On Local Traffic > iRules > Data Group List create a new Data Group.
  2. Set the Name to px_<APP_ID>_sensitive_routes. Make sure to replace <APP_ID> with your HUMAN app id.
  3. Set Type to String.
  4. For each sensitive route, set the String property of String Record to the prefix of the route and click Add.
  5. Click Finished.
  6. On the iRule, make sure the value of sensitive_routes_class directive is the same as the name you provided in step 2.

Monitor Routes

Routes added to this class will be processed in monitor mode regardless of the global module_mode setting. This allows you to enable blocking mode globally while keeping specific routes in monitor mode, or vice versa.

The class supports domain/path based configuration for more granular control.

  1. On Local Traffic > iRules > Data Group List create a new Data Group.
  2. Set the Name to px_<APP_ID>_monitor_routes. Make sure to replace <APP_ID> with your HUMAN app id.
  3. Set Type to String.
  4. For each route you wish to set to monitor mode:
    • Set the String property to the domain and path (e.g., example.com/api)
    • Click Add
  5. Click Finished.

Monitor routes can be specified with just a path (e.g., /api/v1) or with a domain prefix (e.g., api.example.com/v1).

Login Credentials Extraction

This class defines the endpoint where login credentials should be extracted. The credentials are hashed and sent to HUMAN for breach detection.

Before creating this class, ensure Credential Intelligence is enabled in the pxconfig data group. See Credential Intelligence for details.

  1. On Local Traffic > iRules > Data Group List create a new Data Group.
  2. Set the Name to match the value configured in ci_login_credentials_extraction_class (e.g., px_login_credentials).
  3. Set Type to String.
  4. Add the following records with their corresponding values:
String (Key)DescriptionExample Value
pathRegex pattern for the login endpoint path (case-insensitive matching)/login
methodHTTP method for login requests (case-insensitive matching)POST
sent_throughWhere credentials are located: body, header, or query-stringbody
user_fieldField name containing the usernameusername
pass_fieldField name containing the passwordpassword
  1. Click Finished.

Both path and method matching are case-insensitive. The path field supports regular expression patterns.

Example: JSON Body Login

For a login endpoint at /api/auth/login that accepts POST requests with JSON body:

1{
2  "email": "user@example.com",
3  "password": "secretpassword"
4}

Configure the class with these records:

StringValue
path/api/auth/login
methodPOST
sent_throughbody
user_fieldemail
pass_fieldpassword

Example: Form POST Login

For a login form that submits to /login with form-urlencoded data:

StringValue
path/login
methodPOST
sent_throughbody
user_fieldusername
pass_fieldpassword

Supported Content Types for Body Extraction

When sent_through is set to body, the enforcer supports:

  • application/json - JSON request bodies
  • application/x-www-form-urlencoded - Form-encoded request bodies

The enforcer automatically detects the content type based on the Content-Type or Accept request header.

Extraction from Headers

When sent_through is set to header, the user_field and pass_field values specify the header names:

StringValue
path/api/login
methodPOST
sent_throughheader
user_fieldX-Username
pass_fieldX-Password

Extraction from Query String

When sent_through is set to query-string, the user_field and pass_field values specify the query parameter names:

StringValue
path/login
methodGET
sent_throughquery-string
user_fielduser
pass_fieldpass

This would extract credentials from a URL like /login?user=john&pass=secret.