Web Application settings

Want to add a new web application? Just go to Web Applications and click the New Web Application button.

Name of the web application

Enter a name for the web application. Initially the user who adds the web application is the owner. When editing a web application, you can choose another owner.

Web Application URL (Primary URL of the web application)

Tell us the site's primary URL. Tip - Click the protocol in the entry field to switch between http:// and https://.

Custom Attributes

Enter one or more custom attributes to categorize this web application.

Tags

Select tags to apply to the web application. Users with the applied tags in their scope will have access to it. Click Create to add a new tag.

Secondary URLs of the web application

Tell us the site's secondary URLs. Tip - Click the protocol in the entry field to switch between http:// and https://.

Server Pool

Select the pool profile. A pool profile contains one or more servers added to load balance traffic between multiple original URLs.

Click Edit to modify the selected server pool profile, or click Create to add a new server pool profile.

HTTP Response Timeout

HTTP Response Timeout is the maximum time to wait for an HTTP connection attempt to a server to succeed. If the server does not respond to the HTTP request within the set duration, the request times out and an HTTP 503 error code is returned.

Specify a value between 1 second and 3600 seconds. The default value is 60 seconds.

Persistency

Persistency allows the client to reconnect to the same server previously visited for the web application. This bypasses load balancing.

Specify the cookie name to persist connection to the server previously visited by the client.

Healthcheck

A healthcheck profile contains checks to verify the availability of the server.

Click Edit to modify the selected healthcheck, or click Create to add a new healthcheck.

Failure Response Code

Specify the response code returned when all Web servers in the server pool are down. The default value is 503. For example, a 503 page is displayed when the Web servers are down or the Web site is not reachable.

SSL Certificates

A security certificate is required if your web application uses the https protocol for secure communication between the browser and your web server.

Select the SSL profile, appropriate protocols, security levels, and ciphers. An SSL profile contains details about the required security certificate. The list of available ciphers depends on the selected protocols and security levels. The default security filters are Strong and Good, and the default protocols are TLS1.1 and TLS1.2. Ciphers are used in the order in which they are displayed.

Click Edit to modify the selected SSL certificate profile, or click Create to add a new SSL certificate profile.

Security policy

A security policy determines how our service handles incoming and outgoing traffic for the web application.

Select Block from Actions if you want to enforce any blocking settings present in the security policy. Selecting Block with Custom Response allows you to display a custom message to the user if your security policy blocks a particular section or a page on your web site.

Select Log if you want to only monitor events for this web application.

If you wish to use custom response, select a custom response page that you have created. Click Edit to modify the selected custom response page, or click Create to add a new custom response page.

All security policies that you have permission for are available in the Policy dropdown. Click Edit to modify the selected security policy, or click Create to add a new security policy.

HTTP Profile

Select an HTTP profile to filter protocol-oriented attributes.

Click Edit to modify the selected HTTP profile, or click Create to add a new HTTP profile.

Custom Rules

Select the combination of rules you would like your application to be protected by. Rules are executed in the order in which they are displayed. Ordering, as well as content, is crucial to prevent rules from colliding.

Tip - Go to Security > Rules to create new custom rules.

ScanTrust

By enabling this option you allow Qualys scanners to scan the web application through the WAF firewall and perform enhanced assessment and reporting. This lets you view WAF-blocked vulnerabilities that are not yet fixed in WAS detections and reports.

Selected WAF clusters

Traffic for your web application will be monitored for security violations by the selected WAF cluster, according to the security policy you assign to the application. You can have clusters protecting more than one SSL site.

Tell me about the WAF cluster status.

active - The cluster has registered sensors and all of them have recently polled.

inactive - The cluster has registered sensors, but none have recently polled (i.e. the last poll date is older than 5 minutes).

degraded - The cluster has registered sensors, but only some have recently polled.

no-sensors - The cluster has no registered appliance.
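
The four status definitions above, worked through as a monitoring check. This is an added example, not Qualys code: the cluster names, timestamps and the inventory layout are constructed, and treating a sensor that has never polled as "not recent" is an assumption.

```python
from datetime import datetime, timedelta, timezone

# From the status definitions: a last poll older than 5 minutes is not "recent".
POLL_WINDOW = timedelta(minutes=5)


def cluster_status(last_polls, now):
    """Classify one cluster from its sensors' last-poll times.

    last_polls holds one entry per registered sensor: a timezone-aware
    datetime, or None for a sensor that has never polled (assumption:
    such a sensor counts as not recently polled).
    """
    if not last_polls:
        return "no-sensors"
    recent = sum(
        1 for t in last_polls if t is not None and now - t <= POLL_WINDOW
    )
    if recent == len(last_polls):
        return "active"
    if recent == 0:
        return "inactive"
    return "degraded"


def clusters_needing_attention(inventory, now):
    """Return {cluster: status} for every cluster that is not active."""
    statuses = {name: cluster_status(p, now) for name, p in inventory.items()}
    return {n: s for n, s in sorted(statuses.items()) if s != "active"}


# Constructed sample inventory (hypothetical cluster names and poll times).
NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE = {
    "prod-eu": [NOW - timedelta(seconds=30), NOW - timedelta(minutes=4)],
    "prod-us": [NOW - timedelta(minutes=1), NOW - timedelta(minutes=12)],
    "staging": [NOW - timedelta(hours=2), None],
    "lab": [],
    # Exactly 5 minutes old is not "older than 5 minutes", so still recent.
    "edge": [NOW - timedelta(minutes=5)],
}

if __name__ == "__main__":
    for name, status in clusters_needing_attention(SAMPLE, NOW).items():
        print(f"{name}: {status}")
```

Web applications assigned to a cluster reported here as inactive or no-sensors have no sensor that has recently polled, so those are the ones to investigate first.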