Custom Rules

Use custom rules to tailor how WAF identifies malicious traffic. This provides added flexibility for threat identification that allows you to target malicious traffic with minimal impact to legitimate traffic. Custom threat identification combined with rapid testing and deployment enables you to quickly address long-term and zero-day vulnerabilities.

The Custom rules capability requires WAF Premier or WAF Standard. If you currently have WAF Essentials or WAF Insights and would like to use custom rules, please contact your CDN account manager to upgrade to the full version.

Custom Rule Sets

A custom rule set defines how threats will be identified through rules. Each rule contains:

A custom rule set may contain up to 10 rules.

Threat Identification

WAF identifies a threat when a request satisfies at least one rule in a custom rule set. A rule is satisfied when a match is found for one or more variable(s)A variable identifies the request element (e.g., request header, query string, or request body) that WAF will analyze. in each condition.

Example #1:

This example assumes that your custom rule set contains the following two rules:

Rule Description

1

This rule contains a single condition with a single variable.

2

This rule contains the following conditions:

  1. The first condition contains a single variable.
  2. The second condition contains two variables.

Assuming the above configuration, WAF identifies a threat under either of the following circumstances:

Certain variables match on key-value pairs. If you match on multiple keys within a single variable, WAF will only need to find one of those matches to satisfy that variable. For example, if you set up a request header variable to match for Authorization and Content-Type, then requests that contain either or both of those headers will satisfy that variable.

Conditions

A condition determines how requests will be identified through variables, operators, match values, transformations, and negative matching.

Variables

A variable identifies the request element that WAF will analyze. We support the following request elements:

All variables support the ability to match on the number of times that a request element is found within the request. Set up a variable to match on the number of instances instead of inspecting the element for a specific value or regular expression pattern by marking the Count option.

You may define zero or more keys when setting up variables that match on key-value pairs. WAF must find at least one of the specified keys in the request before that variable will be satisfied. For example, if you set up a request header variable to match for Authorization and Content-Type, then requests that contain either or both of those headers will satisfy that variable.

Operators

An operator determines how WAF will compare a match value against the request element identified by a variable.

Match Value

WAF uses a match value to identify threats.

Example:

This example assumes the following configuration:

Variable: Request header = Authentication

Match value: 1

We will now examine how the Count option affects comparisons for this configuration.

The type of comparison that will be performed is determined by the Operator option.

Match Transformations

WAF can transform the source value before it inspects it. Select one or more of the following transformations to allow WAF to compare the match value against the result of each selected transformation:

Custom Rule Administration

You may create, modify, and delete custom rule sets.

Key information:

To create a custom rule set

  1. Navigate to the Custom Rules page. ClosedHow?From the main menu, navigate to More | WAF | WAF Tier | Security Rule Manager | Custom Rules.

  2. Click Add Custom Rule Profile.
  3. In the Name option, type the unique name by which this custom rule set will be identified. This name should be sufficiently descriptive to identify it when setting up a Security Application Manager configuration.
  4. Each new custom rule set contains a default rule that appears directly below the Name option. Find the Name option for that default rule and set it to a name that identifies the purpose of this rule.
  5. In the Rule ID option, specify a number between 66,000,000 and 66,999,999.
  6. In the Rule message option, type a brief description for this rule.
  7. The default rule contains a default condition. Modify this condition to determine how WAF will identify threats.

    1. From the condition's Variable option, select the request element through which WAF will identify threats.

      Learn more about variables.

    2. Certain variables (e.g., request cookies and request header) match on name and value. If you have selected this type of variable, then perform the following steps:

      1. Click + Add Match.
      2. From the Name option, type the desired name.

        For example, match for requests that contain an Authorization header by setting this option to Authorization.

      3. Optional. Mark the Negative Match option to match for requests that do not contain a matching value for the name defined in the previous step.
      4. If you specified a regular expression in the Name option, then you should mark the Regex Match option.
      5. Optional. Add another match through which this variable can be satisfied by repeating steps a - d.
    3. Optional. Mark the Count option to match by the number of instances that a match is found instead of by inspecting that request element.

      Learn more.

    4. Optional. Click + Add Variable to add another variable through which this request may be satisfied. Repeat steps i - iii.

      If you would like to a use a different match value for this variable, then you should create a new rule. Alternatively, if you would like to require both variables prior to threat identification, then you should add it as a new condition to this rule.

    5. From the Operator option, select an operator that determines how WAF will compare the match value to the request element identified by the above variable.

      Learn more.

    6. In the Match value option, type the value that will be compared against the request element identified by the above variable.
    7. From the Match transformations option, select each transformation that will be applied to the source value.

      Learn more.

    8. Optional. Mark the Negative Match option to match for requests that do not contain a matching value for the value defined in step vi.
  8. Optional. Click + Add Condition to add another condition that must be met prior to threat identification. Repeat step 7 for this new condition.
  9. Optional. Click + Add Rule to add another rule through which WAF may identify threats. Repeat steps 7 and 8.
  10. Click Save.

To modify a custom rule set

  1. Navigate to the Custom Rules page. ClosedHow?From the main menu, navigate to More | WAF | WAF Tier | Security Rule Manager | Custom Rules.

  2. Click on the desired custom rule set.
  3. Make the desired changes.

    Key tasks:

    • Delete variables and matches within a variable by clicking .
    • Delete a condition by clicking Delete Condition.

      A rule must have at least one condition. Therefore, you cannot delete the root condition.

    • Delete a rule by clicking Delete Rule and then clicking Confirm.
  4. Click Save.

To delete a custom rule set

  1. Navigate to the Custom Rules page. ClosedHow?From the main menu, navigate to More | WAF | WAF Tier | Security Rule Manager | Custom Rules.

  2. Click on the desired custom rule set.
  3. Click Delete Custom Rule Profile.
  4. Type DELETE.
  5. Click Delete.