Policy configuration
Before you configure Web Application Firewall (WAF) policies, you must first create a WAF policy.
Create a WAF policy
- On the left-hand navigation panel, click Configuration.
- Select Policies from the list of available features.
- Click the Create Policy button.
- Provide a Policy Name, and then ensure you select a WAF profile.
- Select the checkmark to apply the WAF Profile to the policy.
- Optionally, you can enable the Semicolon Field Separator in URL Queries and Post form bodies, which indicates that a semicolon ( ; ) separates multiple fields.
- The counter measures section provides a list of common protection types and methods for users to select from. Expand each countermeasure to configure the required values. Each countermeasure can be set to one of the following statuses.
- Bypass / None – No action will be taken.
- Block – Once the threshold limit has been reached, the violating traffic will be blocked.
- Log – One or more requests or violations will not be blocked, but details will be logged for review.
- Block and Log – One or more requests are blocked and the details are stored.
- Certain counter measures offer learning and relaxation rules.
- Relaxation Rules – You can manually enter the values that allow traffic matching the criteria through. If Learning was enabled, you can click + (plus) to an entry to apply it directly to the Relaxation Rules.
- Learning – Learning must be enabled for each countermeasure before data can begin to be captured. Once traffic is actively being monitored, a list of blocked rules will be returned that you can review for accuracy.
- To configure the Relaxation Rules, click Add, and then complete the fields that appear in the pop-up window.
- Click Commit.
- Name – Provide a name for the configured Relaxation Rule.
- Enabled – Set to either ON or OFF.
- Is Name Regex – Set to either ON or OFF.
- URL – Provide the URL that is allowed.
- Location – Select from the drop-down menu either
- Cookie
- Form Field,
- Header.
- Value Type – Select from the drop-down menu either
- Keyword
- Special String,
- Wildchar.
- Is Value Expression Regex – Set to either ON or OFF.
- Value Expression – Provide the value expression for the rule.
- To enable Learning, select the ON/OFF option for your desired configuration.
- Click Save.
Configure responder policies
The Responder Policies section provides more flexibility to customers, but requires more detailed, in-depth knowledge of your traffic configurations to use and incorporate properly. When properly used, however, Responder Policies can inspect any of the fields (values) and operands and then run a selected action.
- From the Policy Configuration screen, select the Responder Policies tab.
- Click the Start button to add a Responder Policy.
- Provide a Name for the Policy.
- Select the Action type from the drop-down menu.
- Drop
- Log
- Redirect To
- Respond With
- The Response field will be determined by the Action you selected.
- Drop. Response is N/A as the traffic is dropped.
- Log. Response is N/A as the traffic is stored in your log file.
- Redirect To. Provide the URL to be redirected. The URL must start with a slash (/).
- Respond With. Provide the text to display for the response.
- Select the arrow next to the Matches section to configure exact specifications for your policy. Complete the following fields
- Field. Select the field type from the drop-down list of options.
- Operand. Select the operand type for the field from the drop-down menu.
- Value. Provide the value associated to the Field and Operand combination.
- To select more Match criteria, click the Plus icon.
- To add more Responder Policies, click the Plus icon. Doing so increases the responder policy number in the upper left hand side of each configured policy. Also, if you are using multiple rules, all of the rules have to pass / match before the associated action can be taken.
- Click Save.
Network controls
The Network Controls section of the Policy allows for Geographical (GEO) blocking of traffic by country type. If, however, you want to block an entire country but allow a specific IP address through, you can configure the Network Controls to do so. Click the Add button to indicate if an IP / CIDR address should be blocked or allowed. Click the Commit button when done.
- From the Policy Configuration screen, select the Network Controls tab.
- Click the Add button to configure an IP address that you want to either block or allow through.
- Provide an IP Address, and then select Not Blocked (allow the IP Address through) or Blocked (prevent all traffic from the IP Address). Click the Commit button when finished.
- To select an entire country to block traffic from, click in the Blocked Countries drop-down menu. Select all of the countries that you want to block traffic from. Click out of the drop-down menu when you are finished making your selections.
- To allow list an IP Address from a blocked country, first select the Country to block, and then add the IP address from that country to allow through, and select the Not Blocked option. The allow list action happens before a block action is applied.
- Click Save.
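The evaluation order described above (allow list first, then IP and country blocks), modelled as an added example; this is not the product's code. The rule tuples, country codes, sample addresses, the pass-through default and the prefix-length thresholds in the audit helper are assumptions made for illustration.

```python
import ipaddress

# Constructed sample configuration (documentation address ranges, made-up country codes).
IP_RULES = [
    ("203.0.113.10/32", "Not Blocked"),   # single host inside blocked country XX
    ("198.51.100.0/24", "Blocked"),
]
BLOCKED_COUNTRIES = {"XX"}


def evaluate(src_ip, src_country, ip_rules=IP_RULES, blocked=BLOCKED_COUNTRIES):
    """Return 'allow' or 'block', checking the allow list before any block."""
    addr = ipaddress.ip_address(src_ip)
    actions = {
        action
        for cidr, action in ip_rules
        if addr in ipaddress.ip_network(cidr, strict=False)
    }
    if "Not Blocked" in actions:      # allow list wins, even over a country block
        return "allow"
    if "Blocked" in actions or src_country in blocked:
        return "block"
    return "allow"                    # assumption: unmatched traffic passes through


def broad_allow_entries(ip_rules, min_v4=24, min_v6=64):
    """List Not Blocked entries wider than the given prefix lengths.

    Because allow precedes block, a wide Not Blocked CIDR silently exempts
    that whole range from the country block. Thresholds are assumptions.
    """
    flagged = []
    for cidr, action in ip_rules:
        net = ipaddress.ip_network(cidr, strict=False)
        limit = min_v4 if net.version == 4 else min_v6
        if action == "Not Blocked" and net.prefixlen < limit:
            flagged.append(cidr)
    return flagged


if __name__ == "__main__":
    for ip, cc in [("203.0.113.10", "XX"), ("203.0.113.11", "XX"),
                   ("198.51.100.7", "YY"), ("192.0.2.1", "YY")]:
        print(ip, cc, evaluate(ip, cc))
    print(broad_allow_entries(IP_RULES + [("203.0.0.0/8", "Not Blocked")]))
```

Running the audit helper over an exported rule list before saving is a quick way to catch a Not Blocked range that is wider than intended.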
Alert threshold
The Alert Thresholds section allows you to configure a threshold value, that once reached, will send alerts for the violations occurring for a configured rule. To configure an Alert Threshold, click the Add button. Select the Dimension from the drop-down menu, and then configure the corresponding fields.
To further clarify, alerts will not be sent until the Occurrence count has been exceeded within the time frame specified. For example, if the occurrence rate was 3, and the timeframe was 60 seconds, alerts would not be sent until a fourth violation occurred within the 60-second timeframe.
A pop-up help window appears with an explanation of a selected Dimension from the drop-down menu.
The Alert Threshold section allows you to define a threshold that must be reached before Alerts are sent for violations that are relevant to your configured rules. Alert Thresholds are set by Dimension, a KEY, and a designated Count or amount. The threshold alerts can be synced to Slack, with a link provided directly to the alert page of the Portal, and sent out in email format. The alert notifications are also displayed on the UI Portal under the bell (notifications) icon. Alert Thresholds are also set on the WAF Profile section, per countermeasure.
- From the Policy Configuration screen, select the Alert Thresholds tab.
- Click Add.
- Select the Dimension from the list of drop-down menu options. Each dimension selection provides a brief explanation at the top of the pop-out window.
- More fields are determined by the Dimension type you select.
- Complete any additional fields that appear based on the Dimension type selected.
- Select the number of Occurrences. This determines the threshold limit that must be reached for a violation to occur, and a notification to be sent.
- The Timeframe by default stays at 60 seconds.
- Click the Commit button when you are finished customizing the Application Security Threshold.
- Click the Save button when you are done adding Alert Thresholds.
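The "exceeded within the timeframe" rule from this section, worked through on constructed events as an added example; it is not the product's implementation. The sliding window, the event tuples and the key names are assumptions, since the page does not say how the 60-second timeframe is aligned.

```python
from collections import defaultdict, deque

# Constructed violation events: (seconds, key). Keys are placeholders for
# whatever the selected Dimension keys on.
EVENTS = [(0, "a"), (0, "b"), (10, "a"), (20, "a"),
          (25, "b"), (30, "a"), (50, "b"), (75, "b")]


def alerts_for(events, occurrences=3, timeframe=60):
    """Return the (time, key) pairs at which an alert would be sent.

    An alert fires only when the count of violations inside the window
    exceeds `occurrences`. The sliding window is an assumption; the page
    does not say how the timeframe is aligned.
    """
    windows = defaultdict(deque)
    fired = []
    for ts, key in sorted(events):
        win = windows[key]
        win.append(ts)
        while ts - win[0] >= timeframe:   # drop violations older than the window
            win.popleft()
        if len(win) > occurrences:
            fired.append((ts, key))
    return fired


if __name__ == "__main__":
    # "a": fourth violation at t=30 falls inside 60 s, so an alert is sent.
    # "b": four violations spread over 75 s never exceed 3 in any window.
    print(alerts_for(EVENTS))
```

Key "b" shows the case to keep in mind when tuning: slow, steady violations below the rate never alert, so pair a threshold with log review.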
Trusted sources
The Trusted Sources section helps to configure a list of IPs that can be reliably used for learning traffic data and generating recommendations for relaxation. If Trusted Sources are not configured, traffic from all sources is used for learning, which does not provide appropriate recommendations for relaxation.
- Click Add to configure a new Trusted Source. Select whether the Trusted Source is going to be Enabled or not, and then provide the IP Address/CIDR. The Description field is an optional field that can be filled using free text.
- Click Commit when you are done.
- Click Save.
Assets
The Assets tab displays any asset that this policy is currently assigned to. If there are any associated assets, you can remove them, which causes each asset to undergo a provisioning process in which rules and configurations might be temporarily disabled.
If no Assets are associated with your policy, the Associated Assets drop-down menu displays “0 Selected”. Select an Asset to associate with your policy.
To remove an associated Asset, hover over the drop-down menu and click the Minus button next to the Asset you want to remove, or, click in the drop-down menu and click a highlighted Asset to remove it.
Countermeasures
The counter measures section provides a list of common protection types and methods for users to select from.
- Expand each countermeasure to configure the required values. Each countermeasure can be set to one of the following statuses.
- Bypass / None – No action is taken.
- Block – Once the threshold limit has been reached, the violating traffic is blocked.
- Log – One or more requests or violations are not blocked, but details are logged for review.
- Block and Log – One or more requests are blocked and the details are logged.
- Certain counter measures offer Learning and Relaxation Rules.
- Relaxation Rules – You can manually enter the values that allow traffic matching the criteria through. If Learning was enabled, you can click the + (plus) Icon next to an entry to apply it directly to the Relaxation Rules.
- Learning – Learning must be enabled for each countermeasure before data can begin to be captured. Once traffic is actively being monitored, a list of blocked rules will be returned that you can review for accuracy.
- To configure the Relaxation Rules, click the Add button, and then complete the fields that appear in the pop-up window. Click Commit when finished.
- Name – Provide a name for the configured Relaxation Rule.
- Enabled – Set to either ON or OFF.
- Is Name Regex – Set to either ON or OFF.
- URL – Provide the URL that is allowed.
- Location – Select from the drop-down menu either
- Cookie
- Form Field,
- Header.
- Value Type – Select from the drop-down menu either
- Keyword
- Special String,
- Wildchar.
- Is Value Expression Regex – Set to either ON or OFF
- Value Expression – Provide the value expression for the rule.
- To enable Learning, select the OFF / ON option for your desired configuration.
- Click Save.
Signatures
The Signatures section allows you to designate specific, configurable rules to simplify the task of protecting your websites against known attacks. A signature represents a pattern that is a component of a known attack on an operating system, web server, website, XML-based web service, or other resource.
Standard signatures
The Standard Signatures section displays a preconfigured set of literal and Perl Compatible Regular Expressions (PCRE) keywords and special strings used to protect against common web vulnerabilities. These configured signatures cannot be edited as they are our default configurations.
- Select the Signatures tab, and then select the Standard Signatures option.
- The Configured Signatures section displays any Signatures that have been selected or added to the WAF Profile Policy you are currently viewing or creating.
- For a new policy, this section is empty.
- In the Signatures Pool section, you see the list of pre-configured signatures that we have created for you. You can use the arrows or page number options to view more signatures, or use the Filter option if you are looking for a specific signature.
- The filter option searches for your criteria across each field (ID, Category, Description, References), and returns the results accordingly.
- Click the View icon to see a simplified overview of the Signature Pool, or click Add to add the Signature Pool to your Configured Signatures section.
- Click the Save button once you have added your desired signatures.
Custom signatures
The Custom Signatures section allows you to craft custom signatures to protect against attacks and vulnerabilities.
- Select Custom Signatures.
- Click Add.
- Select the Action type for the signature.
- Block & Log
- Log
- None
- Provide the category type for the signature.
- Provide a description for the custom signature.
- Optionally, you can configure the Request Rules and/or the Response Rules.
- Request Rules inspect only the request, and Response Rules inspect only the response.
- For the Request Rules, click the Start button, and then select the Area type from the drop-down menu. This determines the additional fields that you will be required to complete.
- You can click the Plus Icon to add another row or entry, or the Minus Icon to remove the selected row.
- For the Response Rules, click Start, and then select the Area type from the drop-down menu. This determines the additional fields that you will be required to complete.
- You can click the Plus Icon to add another row or entry, or the Minus Icon to remove the selected row.
- To cancel the creation of Request or Response Rules, click Allow X next to Response Rules to remove them from your custom signature.
- Click the Commit button when you are finished configuring your signature.
- Click the Save button when you have finished configuring your WAF Profile Policy.
Associate CWAAP profile to an asset
Once you have created your CWAAP profile, the next step is to apply it to an asset so that your configuration can go into effect.
- From the Configuration section on the left-hand navigation menu, select Assets.
- Select the Pencil Icon for the Asset that you want to add the policy to. If you do not have an Asset already created, please see our Guides on how to Create an Asset.
- Select the Policies tab.
- From the drop-down menu, select your newly created Policy name.
- If you do not see the policy name listed, please refresh and try again, as the provisioning period can take a few minutes.
- Click the Save button.
Once your CWAAP policy has been applied to a policy, please allow a few minutes for provisioning to occur.
Edit a WAF policy
Once a Policy has been created, you can easily edit any of the existing configurations. However, changes to a Policy that has been associated to an Asset cause a provisioning period to occur, which can have a temporary impact on your traffic configuration.
- From the Configuration section on the left-hand navigation menu, select Policies.
- Click the Pencil Icon next to the policy you want to edit.
- Navigate through each of the Policy Configuration tabs to make changes, and click the Save button after making changes on any/all tabs.
Delete a WAF policy
If you need to remove a CWAAP Policy from an Asset, there are several ways in which you can accomplish this.
Note:
- From the Configuration section on the left-hand navigation menu, select Policies.
- Click the Pencil Icon next to the policy you want to delete.
- Click Delete.
Disassociate assets from a WAF policy
From the Policy, you can disassociate the Assets that the policy is assigned to, or disable the WAF Profile.
- From the Configuration section on the left-hand navigation menu, select Policies.
- Click the Pencil Icon to edit the policy.
- On the WAF Profile tab, clear the box under the “Apply WAF Profile to Policy?” section to Ignore. This disables the WAF profile.
OR
- From the Policy Configuration screen, select the Assets tab.
- Select the Minus Icon to remove the selected Asset.
- Click Save.
Edit an asset
From the Asset section, you can edit a selected Asset and remove the Policy.
- From the Configuration section on the left-hand navigation menu, select Assets.
- Click the Pencil Icon next to the asset you want to edit.
- Select the Policies tab.
- Hover over the drop-down menu and click the Minus Icon to remove the associated Policy.
- Click Save.