# AWAF declarative-policy explainer

> Paste a BIG-IP Advanced WAF declarative security policy (JSON) and get a section-by-section, plain-language reading grounded in F5's published schema, with security callouts that read the values: transparent enforcement means monitor-only, plus signature staging, Data Guard off, and cookies missing Secure or HttpOnly. Runs entirely in your browser.

- Tool: https://ronutz.com/en/tools/f5-awaf-declarative-policy-explainer
- Family: Security & WAF

---

## What it does

Paste an F5 AWAF - Advanced WAF (formerly BIG-IP ASM - Application Security Manager) declarative security policy, the JSON `{ "policy": { ... } }` you keep in source control, and the tool reads it back to you section by section in plain language: what each setting is, and, where it matters, what the specific value you set actually means for the policy's security. It is a decode-only explainer, grounded in F5's published declarative-policy schema, and it runs entirely in your browser.

## It reads a policy as a delta on its template

A declarative policy lists only its adjustments on top of a base template, so the single most important rule when reading one is that an absent section means the template's default applies, not that a protection is off. The tool honors that throughout: it explains only what the policy explicitly sets, always carries the reminder that anything not shown is inherited, and never reports a protection as disabled just because it is missing. Every security callout it makes is derived from a value the policy actually sets, never from an absence.

## What it covers

The tool recognizes about fifty-five top-level policy sections, grouped in reading order: identity (`name`, `description`, `template`), enforcement posture (`enforcementMode`, `signature-settings`, passive mode, and the `general` staging and X-Forwarded-For settings), automatic learning (Policy Builder), application context (application language, case sensitivity, server technologies), the traffic surface (URLs, parameters, file types, methods, headers, cookies), the protections (blocking settings, Data Guard, CSRF, brute-force, geolocation blocking, behavioral enforcement, and more), and content profiles (JSON, XML, GraphQL, OpenAPI). Each section is described from F5's own schema text, and anything the tool does not recognize is still acknowledged as present.

## The security callouts

Beyond describing sections, the tool reads the values that decide whether a policy actually protects. It raises a warning when `enforcementMode` is `transparent`, because the policy is then monitor-only and blocks nothing, even violations flagged to block. It notes when attack signatures are in staging (matched but not yet enforcing), when the policy trusts `X-Forwarded-For` for the client IP, when Data Guard is explicitly disabled, and when an enforced cookie is set without the Secure or HttpOnly attribute. Each is a state people routinely miss when skimming a policy by eye.

## Grounding and accuracy

Field descriptions are paraphrased from F5's published declarative-policy schema. F5 publishes the docs for five versions, v16.0, v16.1, v17.0, v17.1, and v17.5; the tool is grounded to the v17.1 schema, which is the latest with a complete published schema (the v17.5 schema page is not yet published). The core sections covered here are stable across the v16.x to v17.x line. Nothing you paste is uploaded or leaves the page; for a production decision, confirm any reading against the declarative-policy schema for your BIG-IP version.

## Standards and references

- [F5 BIG-IP WAF Declarative Policy - index (published versions v16.0, v16.1, v17.0, v17.1, v17.5)](https://clouddocs.f5.com/products/waf-declarative-policy/)
- [F5 BIG-IP Declarative WAF v17.1 Schema (latest complete; v17.5 schema not yet published)](https://clouddocs.f5.com/products/waf-declarative-policy/schema_v17_1.html)
- [F5 BIG-IP Declarative WAF v17.1 Schema Description](https://clouddocs.f5.com/products/waf-declarative-policy/declarative_policy_v17_1.html)

## Related reading

- [Advanced WAF Content Profiles: Parsing JSON, XML, GraphQL, and GWT Safely](https://ronutz.com/en/learn/awaf-content-profiles.md): A content profile tells Advanced WAF how to parse a structured payload, JSON, XML, GraphQL, GWT, or plain text, so it can apply attack signatures to individual fields and enforce structural limits that stop parser abuse and denial-of-service. Here is what each profile type does, the defense attributes that matter, and the best practices and caveats.
- [Advanced WAF Session Tracking: Finding and Stopping the Client Behind the Requests](https://ronutz.com/en/learn/awaf-session-tracking.md): Session tracking lets Advanced WAF identify the user, session, device, or IP behind a stream of requests, and act on that identity, logging, delaying blocking, or blocking everything, once a client crosses a violation threshold. Here is how session awareness works, the three actions, and why username tracking beats session-ID tracking.
- [Automatic Learning in Production: How an Attacker Poisons a WAF Policy](https://ronutz.com/en/learn/awaf-automatic-learning-poisoning.md): Left in Automatic learning mode against untrusted traffic, the BIG-IP Advanced WAF Policy Builder will accept and enforce a suggestion once its learning score reaches 100%, and some suggestions disable violations or widen entities. An attacker who floods legitimate-looking traffic from enough sources can push a relaxation to 100% and drill a hole. F5's design resists this with source, session, and time thresholds, but the safe posture is Manual learning by default and building only from trusted traffic.
- [Blocking vs Transparent: What Advanced WAF Enforcement Mode Really Does](https://ronutz.com/en/learn/awaf-enforcement-mode-blocking-vs-transparent.md): A WAF policy's enforcementMode decides whether it protects or merely watches. In blocking mode, requests that trigger a block-configured violation are rejected. In transparent mode, nothing is blocked even when a violation fires, so the policy is monitor-only. Confusing the two is one of the most common WAF mistakes.
- [Client-Side Signals and Challenges: How Advanced WAF Tells a Browser from a Bot](https://ronutz.com/en/learn/awaf-client-side-signals-and-challenges.md): To separate real browsers from automation, Advanced WAF injects JavaScript into responses and reads what comes back, a client-side integrity check, a capabilities probe, a device fingerprint, and, as a last resort, a CAPTCHA. Here is what each artifact collects, the order they escalate in, and the caveats that break them.
- [Data Guard: Masking Sensitive Data in Responses](https://ronutz.com/en/learn/awaf-data-guard-response-masking.md): Data Guard is Advanced WAF's response-side protection. It scans server responses for sensitive information, such as credit-card numbers, US Social Security numbers, and custom patterns, and masks it before it reaches the client. Unlike most WAF checks, which inspect the request, Data Guard guards what leaks out.
- [F5 DataSafe: Client-Side Application-Layer Encryption, and Its Sharp Edges](https://ronutz.com/en/learn/f5-datasafe-application-layer-encryption.md): DataSafe is F5's fraud-protection layer that encrypts sensitive fields inside the browser, before an in-browser Trojan or key logger can read them. It injects JavaScript that encrypts data client-side with a per-session public key, decrypted on the BIG-IP with the private key. Here is how it works, what each feature does, and the caveats that catch people.
- [How a BIG-IP Advanced WAF Declarative Policy Is Structured](https://ronutz.com/en/learn/awaf-declarative-policy-structure.md): A declarative WAF policy is a JSON file that describes a security policy as a set of adjustments on top of a base template. The key to reading one is the template-and-adjustments model: anything the policy does not mention keeps the template's default, so an absent section means default, not disabled.
- [L7 Behavioral DoS (BaDoS): How Advanced WAF Learns Normal and Mitigates the Rest](https://ronutz.com/en/learn/awaf-l7-behavioral-dos.md): L7 Behavioral DoS is Advanced WAF's machine-learning defense against application-layer DDoS. It learns a baseline of normal traffic, watches server stress, and when the server strains it builds dynamic signatures and isolates bad-actor IPs, mitigating with escalating measures. Here is how it works, the two detection modes, and the caveats that matter.
- [Nested Policies in Advanced WAF: Parent/Child Inheritance and Policy Microservices](https://ronutz.com/en/learn/awaf-nested-policies.md): Advanced WAF gives you two ways to layer policy configuration rather than write one flat policy: parent and child policies, where children inherit mandatory elements from a parent, and security policy microservices, where a single policy carries nested sub-configurations matched by hostname and URL. Here is how each works and when to use it.
- [Signature Staging and the Enforcement Readiness Period](https://ronutz.com/en/learn/awaf-signature-staging-and-enforcement-readiness.md): Staging is how Advanced WAF lets a new or updated attack signature match and log without blocking, so you can review it before it can reject traffic. Combined with the enforcement readiness period, it means a policy can be in blocking mode and still not block a staged signature. Here is how to read that state.
