Configuring Rules in Web Application Firewall

Overview

Web Application Firewall (WAF) uses rules to determine what kinds of traffic are not allowed to access your web server. Each rule is designed to block/intercept a specific type of attack. 

You can manage rules via the Rules drop-down in the grey navigation bar located on the Appliance page for your WAF.


Rule Sets

WAF uses the OWASP® ModSecurity Core Rule Set. This rule set is updated with each new version release, ensuring that your web server is always protected by the most up-to-date definitions. For more details on OWASP®, please see their website here: https://owasp.org/www-project-modsecurity-core-rule-set/

Rules are grouped together into sets, enabling you to protect your web server from multiple kinds of similar or closely-related attacks with a single click. All rules are enabled by default. If you wish to disable a particular rule set, just select it and click the Enable/Disable button.

Click the View Details button to display more detailed information about each rule set: a description of the rule set as well as each individual rule it contains. From this screen, you can disable individual rules if you prefer.


Rule Exceptions

You can create rule exceptions for circumstances in which you do not want one or more rules to apply. This might be something as simple as allowing a specific IP address to bypass a certain rule, or you might need to create a more complex condition to allow a connection that meets several criteria.

To get started creating an Exception, click the Add Exception button. First, select your criteria. You can add additional criteria as needed.

HTTP Method: The method used to make the request (GET, POST, etc.).
URI: The URI requested by the source.
Host Port: The port on the server on which the request arrived.
Client IP: The external/WAN IP address the request originated from.

Finally, select the rule that should be disabled when the above criteria are met. You can disable multiple rules by adding the Disable Rule action multiple times.

For example, you could create an exception that disables the LDAP Injection Attack blocking rule when traffic comes from a specific IP address.

You can also create exceptions directly from the Rule Logs page, as detailed below.

Rule Logs

The Rule Logs tab provides information about each rule that triggered in response to a request. In addition to the details displayed in the table, you can click any individual event for more details.

You can use the Create Exception button to launch the "create rule exception" dialogue with all the relevant information from the selected event pre-filled. Click Save to create your rule exception.

IP Access

The IP Access tab serves as a simple blacklist or whitelist. Connections from any IP included in the IP Block List area will be rejected immediately. Connections from an IP listed under IP Allow List are admitted through WAF and will not be blocked, regardless of what rules the traffic might meet.

Click Add IP to add an IP address to either section. You may include multiple IP addresses, separated by commas, or include entire subnets in CIDR notation. The Description field is optional and provides the ability to describe the rule so you know what it's for.
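A pre-check for values destined for the Add IP dialog, as an added example that is not part of the WAF product or the original article: it parses the comma-separated and CIDR input format described above, flags allow-list subnets that are very wide (allowed addresses skip every rule), and flags ranges that appear in both lists. The prefix thresholds, function names and sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Assumption for this example: subnets wider than these prefixes count as "broad".
MIN_PREFIX = {4: 24, 6: 64}

# Constructed sample input (documentation and private ranges only).
SAMPLE_ALLOW = "203.0.113.10, 198.51.100.0/24, 10.0.0.0/8, 192.0.2.5/24"
SAMPLE_BLOCK = "198.51.100.77"


def parse_entry(text):
    """Parse one Add IP value: comma-separated addresses and/or CIDR subnets."""
    networks, errors = [], []
    for item in (part.strip() for part in text.split(",")):
        if not item:
            continue
        try:
            # strict=True rejects CIDR values with host bits set, e.g. 192.0.2.5/24
            networks.append(ipaddress.ip_network(item, strict=True))
        except ValueError as exc:
            errors.append(f"{item}: {exc}")
    return networks, errors


def review(allow_text, block_text):
    """Return (kind, detail) findings to resolve before saving the lists."""
    allow, allow_err = parse_entry(allow_text)
    block, block_err = parse_entry(block_text)
    findings = [("invalid", err) for err in allow_err + block_err]
    for net in allow:
        # Allow-listed traffic is never blocked by rules, so keep ranges narrow.
        if net.prefixlen < MIN_PREFIX[net.version]:
            findings.append(("broad-allow", str(net)))
        # The article does not say which list wins on overlap, so flag it for review.
        for blocked in block:
            if net.version == blocked.version and net.overlaps(blocked):
                findings.append(("overlap", f"{net} <-> {blocked}"))
    return findings


if __name__ == "__main__":
    for kind, detail in review(SAMPLE_ALLOW, SAMPLE_BLOCK):
        print(f"{kind:12} {detail}")
```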


Application Exclusions

You can enable Application Exclusions to eliminate false positives when using certain services on your web server. If any of these applications are in use, we recommend enabling the appropriate exclusion.
