Configurational Classes
PII (Personally Identifiable Information) Anonymization
Personally Identifiable Information (PII) is information that can be used on its own or with other information to identify a single person, or to identify an individual in context.
It is important for us to keep personal private information out of our servers. Therefore, by default, we do not send the request body and cookies to HUMAN backend servers; the entire communication is based on header data.
PII is not a recommended setting. If PII is essential for your organization, contact HUMAN Support.
When PII is enabled, HUMAN does not store a client’s full IP information (Client IP, HTTP Headers). In IPv4 this is done by zeroing the 4th IP octet (for example, the IP 1.2.3.4 will be stored as 1.2.3.0). In IPv6 this is done by zeroing the last four (4) octets (for example, the IP 1:2:3:4:1:2:3:4 will be stored as 1:2:3:4:1:2:3:0). Removing the IP’s last octet can result in a small reduction of detection capability, usually for the models and signatures that are based on IPs.
The HUMAN BigIP module allows you to set a number of configurational classes (data groups) to control which routes are processed in different ways.
Whitelist Routes
Routes added to this class will bypass HUMAN enforcement entirely.
- On Local Traffic > iRules > Data Group List create a new Data Group.
- Set the Name to px_<APP_ID>_whitelisted_routes. Make sure to replace <APP_ID> with your HUMAN app id.
- Set Type to String.
- For each route you wish to allow, set the String property of String Record to the prefix of the route and click Add.
- Click Finished.
- On the iRule, make sure the value of the whitelisted_routes_class directive is the same as the name you provided in step 2.
Whitelisted Query Parameters
Query parameters added to this class will be excluded from the URL sent to HUMAN for risk evaluation. This is useful for removing sensitive or dynamic parameters from the evaluation.
- On Local Traffic > iRules > Data Group List create a new Data Group.
- Set the Name to px_<APP_ID>_whitelisted_query_params. Make sure to replace <APP_ID> with your HUMAN app id.
- Set Type to String.
- For each URI query parameter you wish to whitelist:
  - Set the String property to the query parameter key name
  - Set the Value property to a regex pattern matching the values to whitelist
  - Click Add
- Click Finished.
The Value field uses regex matching. For example, to whitelist all values for a parameter, use .* as the value.
Example: To whitelist the session_id parameter with any value:
- String: session_id
- Value: .*
Specific Routes
Routes added to this class will be the only routes that HUMAN enforces. All other routes will bypass enforcement.
- On Local Traffic > iRules > Data Group List create a new Data Group.
- Set the Name to px_<APP_ID>_specific_routes. Make sure to replace <APP_ID> with your HUMAN app id.
- Set Type to String.
- For each route you wish to enforce, set the String property of String Record to the prefix of the route and click Add.
- Click Finished.
- On the iRule, make sure the value of the specific_routes_class directive is the same as the name you provided in step 2.
Sensitive Routes
Routes added to this class will trigger a server-to-server risk API call regardless of the cookie score. This provides higher security for critical endpoints.
- On Local Traffic > iRules > Data Group List create a new Data Group.
- Set the Name to px_<APP_ID>_sensitive_routes. Make sure to replace <APP_ID> with your HUMAN app id.
- Set Type to String.
- For each sensitive route, set the String property of String Record to the prefix of the route and click Add.
- Click Finished.
- On the iRule, make sure the value of the sensitive_routes_class directive is the same as the name you provided in step 2.
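Because the whitelist, specific and sensitive classes all match on route prefixes, a short record in one class can silently cover records in another. The following is an added example, not part of the HUMAN module: a small audit over the String records of the three data groups. The record values are constructed samples, and the script assumes plain string-prefix matching and that a whitelisted match applies before the sensitive-route check (the page does not state the evaluation order).

```python
# Added example: audit the String records of the route data groups for overlaps.
# All record values below are constructed samples, not taken from any deployment.
WHITELISTED = ["/static", "/health", "/api/v1/pub"]
SPECIFIC = ["/api", "/login"]
SENSITIVE = ["/login", "/api/v1/public/checkout", "/account/settings"]


def covers(prefix, route):
    """Assumed matching rule: plain string-prefix match ('prefix of the route')."""
    return route.startswith(prefix)


def shadowed_by_whitelist(whitelisted, sensitive):
    """Sensitive prefixes fully covered by a whitelisted prefix (enforcement bypassed)."""
    return [(w, s) for w in whitelisted for s in sensitive if covers(w, s)]


def outside_specific(specific, sensitive):
    """Sensitive prefixes that no specific-routes record covers.

    Only meaningful when the specific-routes class is in use (non-empty).
    """
    if not specific:
        return []
    return [s for s in sensitive if not any(covers(p, s) for p in specific)]


def crosses_segment(prefix, route):
    """True when the prefix matches mid-segment, e.g. '/api/v1/pub' vs '/api/v1/public'."""
    if not covers(prefix, route) or prefix.endswith("/"):
        return False
    rest = route[len(prefix):]
    return rest != "" and not rest.startswith("/")


def audit(whitelisted, specific, sensitive):
    """Return human-readable findings for the three record lists."""
    findings = []
    for w, s in shadowed_by_whitelist(whitelisted, sensitive):
        note = " (mid-segment match)" if crosses_segment(w, s) else ""
        findings.append(f"whitelisted '{w}' bypasses sensitive '{s}'{note}")
    for s in outside_specific(specific, sensitive):
        findings.append(f"sensitive '{s}' is outside every specific route")
    return findings


if __name__ == "__main__":
    for line in audit(WHITELISTED, SPECIFIC, SENSITIVE):
        print(line)
```

Replace the three lists with the records from your own data groups and review every finding before relying on the sensitive-routes class for a critical endpoint.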
Monitor Routes
Routes added to this class will be processed in monitor mode regardless of the global module_mode setting. This allows you to enable blocking mode globally while keeping specific routes in monitor mode, or vice versa.
The class supports domain/path based configuration for more granular control.
- On Local Traffic > iRules > Data Group List create a new Data Group.
- Set the Name to px_<APP_ID>_monitor_routes. Make sure to replace <APP_ID> with your HUMAN app id.
- Set Type to String.
- For each route you wish to set to monitor mode:
  - Set the String property to the domain and path (e.g., example.com/api)
  - Click Add
- Click Finished.
Monitor routes can be specified with just a path (e.g., /api/v1) or with a domain prefix (e.g., api.example.com/v1).