Use custom rules to tailor how WAF identifies malicious traffic. This provides added flexibility for threat identification that allows you to target malicious traffic with minimal impact to legitimate traffic. Custom threat identification combined with rapid testing and deployment enables you to quickly address long-term and zero-day vulnerabilities.
The Custom rules capability requires WAF Premier or WAF Standard. If you currently have WAF Essentials or WAF Insights and would like to use custom rules, please contact your CDN account manager to upgrade to the full version.
A custom rule set defines how threats will be identified through rules. Each rule contains:
A rule ID and message that will be associated with threats identified by this rule.
Assigning a unique ID and message to each rule makes it easy to identify threats detected as a result of a specific rule.
A rule ID must be a number between 66,000,000 and 66,999,999.
A custom rule set may contain up to 10 rules.
WAF identifies a threat when a request satisfies at least one rule in a custom rule set. A rule is satisfied when a match is found for one or more variables in each condition. A variable identifies the request element (e.g., request header, query string, or request body) that WAF will analyze.
Example #1:
This example assumes that your custom rule set contains the following two rules:
Rule | Description |
---|---|
1 | This rule contains a single condition with a single variable. |
2 | This rule contains two conditions: the first condition contains a single variable, and the second condition contains two variables. |
Assuming the above configuration, WAF identifies a threat under either of the following circumstances:
A match is found for the variable defined in the first rule's condition.
OR
A match is found for the variable defined in the second rule's first condition, AND a match is found for either of the variables defined in the second rule's second condition.
Certain variables match on key-value pairs. If you match on multiple keys within a single variable, WAF will only need to find one of those matches to satisfy that variable. For example, if you set up a request header variable to match for Authorization and Content-Type, then requests that contain either or both of those headers will satisfy that variable.
A condition determines how requests will be identified through variables, operators, match values, transformations, and negative matching.
A variable identifies the request element that WAF will analyze. We support the following request elements:
ASN: Identifies requests by the Autonomous System Number (ASN) associated with the client's IP address.
Specify a regular expression to match for multiple ASNs.
Example:
Use the following pattern to match for requests from 15133 and 14153:
15133|14153
Country: Identifies requests by the country from which the request originated. Specify the desired country using a country code.
Specify a regular expression to match for multiple country codes.
Example:
Use the following pattern to match for requests from the United States, Canada, and Mexico:
US|CA|MX
IP address: Identifies requests by the requester's IPv4 and/or IPv6 address. Specify a comma-delimited list of the desired IP address(es) using standard IPv4/IPv6 and CIDR notation. Specify a subnet by appending a slash (/) and the desired bit-length of the prefix (e.g., 11.22.33.0/22). Do not specify more than 1,000 IP addresses or IP blocks.
Identifying requests by IP address is only supported when a condition contains a single variable.
Request body parsed: Match against all or specific key-value pair(s) in the request body.
Specific Key-Value Pair: Define the name of the desired key within this variable and specify the desired value or pattern within the Match value option.
Setting up a request body parsed variable also allows you to define whether WAF uses a regular expression, a negative match, or both when comparing the value assigned to the variable against key names. Use a negative match to find requests whose payload does not contain the specified key.
WAF only inspects the first 8 KB of the request body. You may restrict the request body for valid requests to 8 KB (8,192 bytes) through a managed rule.
Example:
Match against the following request body by setting the Match value option to blue. Require that this value be assigned to the sky key by also setting the request body parsed variable to sky.
{ "id": "srZf45oP34p", "sky": "blue" }
Request body raw: Match against the URL-encoded request body.
WAF only inspects the first 8 KB of the request body. You may restrict the request body for valid requests to 8 KB (8,192 bytes) through a managed rule.
Request cookies: Match against all or specific cookies.
Specific Cookies: Define the name of the desired cookie within this variable and specify the desired cookie value or pattern within the Match value option.
Setting up a cookie variable also allows you to define whether WAF uses a regular expression, a negative match, or both when comparing the value assigned to the variable against cookies. Use a negative match to find requests whose payload does not contain the specified cookie.
Request header: Match against all or specific request headers.
Specific Request Headers: Define the name of the desired request header within this variable and specify the desired header value or pattern within the Match value option.
Setting up a request header variable also allows you to define whether WAF uses a regular expression, a negative match, or both when comparing the value assigned to the variable against request headers. Use a negative match to find requests whose payload does not contain the specified request header.
Request query: Match against the request's query string. Specify the desired value or pattern within the Match value option.
Request URI: Match against the request's URL path and query string. Define a URL path that starts directly after the hostname. Exclude the protocol and hostname when defining this property.
Sample values:
/marketing?id=123456
/800001/mycustomerorigin
Request URL path: Match against the request's URL path. Define a URL path that starts directly after the hostname. Exclude the protocol, hostname, and query string when defining this property.
Sample values:
/marketing
/800001/mycustomerorigin
All variables support the ability to match on the number of times that a request element is found within the request. Set up a variable to match on the number of instances instead of inspecting the element for a specific value or regular expression pattern by marking the Count option.
You may define zero or more keys when setting up variables that match on key-value pairs. WAF must find at least one of the specified keys in the request before that variable will be satisfied. For example, if you set up a request header variable to match for Authorization and Content-Type, then requests that contain either or both of those headers will satisfy that variable.
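The following Python is an added example, not the WAF product's own code or configuration: it models the evaluation semantics described above (Example #1, key-value variables with multiple keys, negative matching, the Count option, and the 8 KB request body limit). The element names, the dict-shaped request, and treating match values as regular expressions are assumptions made for the model.

```python
"""Model of the custom-rule semantics on this page (added example, not WAF product
code): a rule set fires when ANY rule matches, a rule matches when ALL its conditions
match, a condition matches when ANY variable matches, and a key-value variable is
satisfied by ANY listed key. Assumption: match values are regular expressions."""
import json
import re

BODY_INSPECT_LIMIT = 8192  # the page: only the first 8 KB of the body is inspected

def key_value_items(request, element):
    # Key-value pairs WAF would inspect for one request element (dict model).
    if element == "request_body_parsed":
        try:  # a body cut at 8 KB may no longer parse; then no key matches
            return json.loads(request.get("body", "")[:BODY_INSPECT_LIMIT])
        except ValueError:
            return {}
    return request[{"request_header": "headers", "request_cookies": "cookies"}[element]]

def variable_matches(var, request):
    # keys=[] inspects all pairs; negate: no listed key is present;
    # count: the number of listed keys found must equal match_value.
    items = key_value_items(request, var["element"])
    keys = var.get("keys") or list(items)
    present = [k for k in keys if k in items]
    if var.get("negate"):
        return not present
    if var.get("count"):
        return len(present) == int(var["match_value"])
    pattern = re.compile(var["match_value"])
    return any(pattern.search(str(items[k])) for k in present)

def evaluate(rule_set, request):
    # IDs of every rule the request satisfies (AND over conditions, OR over variables).
    return [r["id"] for r in rule_set
            if all(any(variable_matches(v, request) for v in cond)
                   for cond in r["conditions"])]

# Constructed rule set mirroring Example #1: rule 1 = one condition, one variable; rule 2 = 1-variable AND 2-variable conditions.
RULE_SET = [
    {"id": 66000001, "conditions": [
        [{"element": "request_body_parsed", "keys": ["sky"], "match_value": "^blue$"}]]},
    {"id": 66000002, "conditions": [
        [{"element": "request_header", "keys": ["Authentication"], "match_value": "1", "count": True}],
        [{"element": "request_cookies", "keys": ["session"], "negate": True},
         {"element": "request_header", "keys": ["Authorization", "Content-Type"], "match_value": "."}]]},
]
# Constructed request whose body is the page's own "sky": "blue" example.
REQ_BLUE = {"headers": {}, "cookies": {}, "body": '{ "id": "srZf45oP34p", "sky": "blue" }'}
```

Because the model truncates the body before parsing, a JSON body whose matching key sits past the first 8 KB is never matched, which is the practical reason for pairing this variable with the managed rule that caps body size.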
An operator determines how WAF will compare a match value against the request element identified by a variable.
Value match: A match is found when the request element occurs the exact number of times defined in the match value.
The Value match operator should only be used when the Count option has been enabled.
WAF uses a match value to identify threats.
Example:
This example assumes the following configuration:
Variable: Request header = Authentication
Match value: 1
We will now examine how the Count option affects comparisons for this configuration.
The type of comparison that will be performed is determined by the Operator option.
WAF can transform the source value before it inspects it. Select one or more of the following transformations to allow WAF to compare the match value against the result of each selected transformation:
You may create, modify, and delete custom rule sets.
Key information:
To create a custom rule set
Navigate to the Custom Rules page.
The default rule contains a default condition. Modify this condition to determine how WAF will identify threats.
From the condition's Variable option, select the request element through which WAF will identify threats.
Certain variables (e.g., request cookies and request header) match on name and value. If you have selected this type of variable, then perform the following steps:
From the Name option, type the desired name.
For example, match for requests that contain an Authorization header by setting this option to Authorization.
Optional. Mark the Count option to match by the number of instances that a match is found instead of by inspecting that request element.
Optional. Click + Add Variable to add another variable through which this request may be satisfied. Repeat steps i - iii.
If you would like to use a different match value for this variable, then you should create a new rule. Alternatively, if you would like to require both variables prior to threat identification, then you should add it as a new condition to this rule.
From the Operator option, select an operator that determines how WAF will compare the match value to the request element identified by the above variable.
From the Match transformations option, select each transformation that will be applied to the source value.
To modify a custom rule set
Navigate to the Custom Rules page.
Make the desired changes.
Key tasks:
Delete a condition by clicking Delete Condition.
A rule must have at least one condition. Therefore, you cannot delete the root condition.
To delete a custom rule set
Navigate to the Custom Rules page.