WAF Policy Management

Provides an overview of web application firewall (WAF) policies, including their creation, updating, and deletion.

WAF policies encompass the overall configuration of your WAF service, including access rules, rate limiting rules, and protection rules.

You can manage your WAF policies, including their creation, editing, deletion, and moving to another compartment. You can also view all your WAF policies in a specified compartment collectively, or get the details of a specific policy.

Creating WAF Policies

Describes the different methods to create a WAF policy.

Use one of the following methods to create a WAF policy.

To create a WAF policy using the Console

Describes how to create a WAF policy using the OCI Console.

  1. Open the navigation menu and click Identity & Security. Under Web Application Firewall, click Policies.
  2. Choose a Compartment you have permission to work in under List Scope.
  3. Click Create WAF Policy.

    The Create WAF Policy dialog box appears. Creating a WAF policy consists of the following sections:

    • Basic Information
    • Access Control
    • Rate Limiting
    • Protections
    • Select Enforcement Point
    • Review and Create

    By default, the Basic Information page appears first.

  4. Run each of the following workflows in order. You can return to a previous page by clicking Previous.
    Step 1 - Basic Information

    Complete the following:

    • Name: Enter the name of the WAF policy.

    • WAF Policy Compartment: Select the compartment that contains the WAF policy you are creating.

    • Actions: Click to display the Actions list, which shows the actions available for adding to your WAF policy. By default, the following pre-configured actions are associated with your WAF policy:

      • Pre-configured Check Action: Skips all remaining rules in the current module.
      • Pre-configured Allow Action: Does not stop the execution of rules. Instead, it generates a log message documenting the result of the running of the rule.
      • Pre-configured 401 Response Code Action: Returns a defined HTTP response. The response code configuration (headers and response page body) determines the HTTP response that is returned when this action is run.

      See Actions Management for a complete description and explanation of how to use actions in a WAF policy.

      Click Add Action: Click to display the Add Action dialog box where you can create and add more actions to the WAF policy. See Actions Management for information on how to add an action.

    • Show Tagging Options: Click to display the tagging option fields for the WAF policy. See Tagging Resources for more information.

    Note

    Click the link at the bottom of the page to display the Edge Policy dialog box. This dialog box is the start of the legacy WAF creation workflow. See Edge Policies for more information.

    Step 2 - Access Control

    The Access Control option allows you to define explicit actions not only for requests, but also for responses that meet various conditions.

    Complete the following:

    • Enable Access Control: Click to display the Request Control section and the Access Rules list. See Request Control Management for more information about how to use request control rules with your WAF policy.

      The Access Rules list contains those access rules currently associated with the request control in tabular format. Check an existing access control rule and click Change Action to edit it, or Delete to remove it from the list.

      Add Access Rules: Click to display the Add Access Rule dialog box.

      Complete the following:

      • Name: Enter the name of the access rule.

      • Conditions: Specify the prerequisite conditions that need to be met for the rule action to occur. See Understanding Conditions for more information on how to author the conditions for your access rule.

      • Rule Action: Select an existing rule to be followed when the preceding conditions are met, or select Create New Action to add one.

        • Pre-configured Check Action: Skips all remaining rules in the current module.

        • Pre-configured Allow Action: Does not stop the execution of rules. Instead, it generates a log message documenting the result of the running of the rule.

        • Pre-configured 401 Response Code Action: Returns a defined HTTP response. The response code configuration (headers and response page body) determines the HTTP response that is returned when this action is run.

          Click Show Header Details to display the HTTP response headers specified in the selected Return HTTP response action.

          Click Show Response Page Body Details to display the HTTP response body specified in the selected "Return HTTP response" action.

        See Actions Management for a complete description and explanation of how to use actions in a WAF policy.

      Click Add Access Rule. The Add Access Rule dialog box closes.

    • Change Option: Check one or more entries in the Access Control list and click Change Action.
    • Delete: Check one or more entries in the Access Control list and click Delete to remove them.
    • Default Action: Select the action to be followed from the Action Name list when requests do not match any rule group that is defined for the policy.
    • Show Response Control Options: Click to display the Response Control section and the Access Rules list. The list contains those access rules currently associated with the response control in tabular format. See Response Control Management for more information about how to use response control rules with your WAF policy.

      Add and manage access rules and actions for response controls in the same way as for request controls described earlier in this step.

    • Click Next.
    Step 3 - Rate Limiting

    The Rate Limiting option allows you to configure a threshold for the number of requests from a unique IP address for a given period. See Rate Limiting Management for more information about how to use rate limiting with your WAF policy.

    Complete the following:

    • Enable Rate Limiting: Click to display the Rate Limiting Rules list. The list contains those rate limiting rules in tabular format. Check an existing rate limiting rule and click Change Action to edit it, or Delete to remove it from the list.

      Add Rate Limit Rule: Click to display the Add Rate Limit Rule dialog box.

      Complete the following:

      • Name: Enter the name of the rate limit rule.

      • Conditions: Specify the prerequisite conditions that need to be met for the rule action to occur. See Understanding Conditions for more information on how to author the conditions for your access rule.

      • Rate Limit Configuration: Configure the maximum number of requests that can be made from a unique IP address and the period over which those requests are counted.

        • Request Limit: Enter the maximum number of requests that a unique IP address can make during the time value allocated in the Period in Seconds box.

        • Period in Seconds: Enter the number of seconds during which each unique IP address can make the maximum number of requests specified in the Request Limit box.

        • Action Duration in Seconds: Enter the duration in seconds that the action is applied for when the request limit is reached.

        Click +Another Rate Limit to display another rate limit configuration row to complete. Click X to delete the associated rate limit configuration row.

      • Rule Action: Select an existing rule to be followed when the preceding conditions are met, or select Create New Action to add one.

        • Pre-configured Check Action: Skips all remaining rules in the current module.

        • Pre-configured Allow Action: Does not stop the execution of rules. Instead, it generates a log message documenting the result of the running of the rule.

        • Pre-configured 401 Response Code Action: Returns a defined HTTP response. The response code configuration (headers and response page body) determines the HTTP response that is returned when this action is run.

          Click Show Header Details to display the HTTP response headers specified in the selected Return HTTP response action.

          Click Show Response Page Body Details to display the HTTP response body specified in the selected Return HTTP response action.

        See Actions Management for a complete description and explanation of how to use actions in a WAF policy.

      Click Add Rate Limit Rule. The Add Rate Limit Rule dialog box closes.

    • Click Next.
    Step 4 - Protections

    The Protections option lets you apply Oracle-managed request protection capabilities to catch malicious traffic. See Protections Management for more information about how to use request protections with your WAF policy.

    Complete the following:

    • Enable Protections: Click to display the Request Protection Rules list. The list contains those request protection rules in tabular format. Check an existing request protection rule and click Delete to remove it from the list.

      Add Request Protection Rule: Click to display the Add Request Protection Rule dialog box. Complete the following:

      • Name: Enter the name of the request protection rule.

      • Conditions: Specify the prerequisite conditions that need to be met for the rule action to occur. See Understanding Conditions for more information on how to author the conditions for your access rule.

      • Action Name: Select an existing rule to be followed when the preceding conditions are met, or select Create New Action to add one.

        • Pre-configured Check Action: Skips all remaining rules in the current module.

        • Pre-configured Allow Action: Does not stop the execution of rules. Instead, it generates a log message documenting the result of the running of the rule.

        • Pre-configured 401 Response Code Action: Returns a defined HTTP response. The response code configuration (headers and response page body) determines the HTTP response that is returned when this action is run.

          (Return HTTP Response actions only) Click Show Header Details to display the HTTP response headers specified in the selected Return HTTP response action.

          (Return HTTP Response actions only) Click Show Response Page Body Details to display the HTTP response body specified in the selected Return HTTP response action.

      • The Protection Capabilities list contains those request protection capabilities rules in tabular format. Check an existing rate limiting rule and click Change Action to edit it, or Delete to remove it from the list.

      Click Add Request Protection Rule. The Add Request Protection Rule dialog box closes.

    • Show Response Protection Rules: Click to display the Response Protection Rules list. The list contains those response protection rules in tabular format. Check an existing request protection rule and click Delete to remove it from the list.

      Add Response Protection Rule: Click to display the Add Response Protection Rule dialog box.

      Add and manage access rules and actions for response protections in the same way as for request protections described earlier in this step.

    • Click Next.
    Step 5 - Select Enforcement Point

    The Select Enforcement Point option allows you to enforce web application firewall security on your load balancer. See Firewall Management for more information about how to use firewalls with your WAF policy.

    Complete the following:

    • Add Firewalls: Select a load balancer contained in your current compartment from the list. Click Change Compartment to select load balancers from a different compartment.

      The load balancer you select has the firewall security applied.

      Click +Additional Firewall to display another firewall row where you can select another load balancer to which the firewall is applied. Click X to delete the associated header row.

    • Click Next.

    Step 6 - Review and Create

    The Review and Create step allows you to review all your WAF policy settings together before you complete the creation process. Each section on the page corresponds to one of the earlier steps you completed.

    Review each section for accuracy and completion. Click Edit in any section where you want to make changes.

    Click Create WAF Policy.

The Create WAF Policy dialog box closes and you are returned to the WAF Policy page. The WAF policy you created is listed with the other policies.
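
The three Rate Limit Configuration fields in Step 3 interact in a way that is easier to see on traffic than in the dialog box. The following added example (not Oracle's code, and not taken from the original page) replays constructed traffic through a simplified per-IP model of one configuration row. It assumes fixed counting windows and that the action starts with the first request above the Request Limit; the class, function names and sample IP addresses are hypothetical.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class RateLimitRule:
    """Simplified per-IP model of one rate limit configuration row."""
    request_limit: int            # "Request Limit" box
    period_seconds: int           # "Period in Seconds" box
    action_duration_seconds: int  # "Action Duration in Seconds" box
    _window_start: dict = field(default_factory=dict, repr=False)
    _count: dict = field(default_factory=dict, repr=False)
    _action_until: dict = field(default_factory=dict, repr=False)

    def evaluate(self, ip, ts):
        """Return "action" when the rule action applies to this request, else "pass"."""
        # While the action duration is running, the action applies to
        # every request from this IP, whatever the current count is.
        if ts < self._action_until.get(ip, float("-inf")):
            return "action"
        # Assumption: fixed counting windows that restart once the period has elapsed.
        start = self._window_start.get(ip)
        if start is None or ts - start >= self.period_seconds:
            self._window_start[ip] = ts
            self._count[ip] = 0
        self._count[ip] += 1
        # Assumption: the action starts with the first request above the limit.
        if self._count[ip] > self.request_limit:
            self._action_until[ip] = ts + self.action_duration_seconds
            return "action"
        return "pass"


def replay(rule_args, events):
    """Replay (timestamp, ip) events through a fresh rule; return {ip: Counter}."""
    rule = RateLimitRule(*rule_args)
    outcome = {}
    for ts, ip in sorted(events):
        outcome.setdefault(ip, Counter())[rule.evaluate(ip, ts)] += 1
    return outcome


def sample_traffic():
    """Constructed traffic: one noisy client and one normal client over 60 seconds."""
    noisy = [(t, "198.51.100.7") for t in range(60)]          # 1 request per second
    normal = [(t, "203.0.113.20") for t in range(0, 60, 10)]  # 1 request per 10 seconds
    return noisy + normal


if __name__ == "__main__":
    # Same limit and period, two different action durations (30 s and 1 s).
    for args in [(5, 10, 30), (5, 10, 1)]:
        result = replay(args, sample_traffic())
        print(args, {ip: dict(counts) for ip, counts in result.items()})
```

With the same Request Limit and Period in Seconds, the 30-second action duration lets far fewer of the noisy client's requests through than the 1-second duration, while the normal client is unaffected in both runs.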

To create a WAF policy using the CLI

Describes how to create a WAF policy using the CLI.

Enter the following command and required parameters:
oci waf web-app-firewall-policy create --compartment-id compartment-id

See the CLI online help for a list of optional parameters:

oci waf web-app-firewall-policy create --help

See oci waf web-app-firewall-policy create for a complete description of the command.

To create a WAF policy using the API

Describes how to create a WAF policy using the API.

Run the CreateWebAppFirewallPolicy method to create a WAF policy. See CreateWebAppFirewallPolicy for a complete description.

Listing WAF Policies

Describes the different methods to display a list of WAF policies.

Use one of the following methods to display a list of WAF policies.

To list the WAF policies using the Console

Describes how to display a list of WAF policies using the OCI Console.

  1. Open the navigation menu and click Identity & Security. Under Web Application Firewall, click Policies.

    Alternatively, open the Web Application Firewall page and click Policies under Resources.

    The WAF Policies page appears.

  2. Select the Compartment from the list.

    All the WAF policies in that compartment are listed in tabular form.

  3. (Optional) Apply one or more of the following Filters to limit the WAF policies displayed:
    • State

    • Name

    • Policy Type: Select WAF Policy.

The list of WAF policies displayed shows the Name, Policy Type (WAF Policy or Edge Policy), Status, and Created (UTC date timestamp) information for each entry.

To list the WAF policies using the CLI

Describes how to display a list of WAF policies using the CLI.

Enter the following command and required parameters:
oci waf web-app-firewall-policy list --compartment-id compartment-id

See the CLI online help for a list of optional parameters:

oci waf web-app-firewall-policy list --help

See oci waf web-app-firewall-policy list for a complete description of the command.

To list the WAF policies using the API

Describes how to display a list of WAF policies using the API.

Run the ListWebAppFirewallPolicies method to list the WAF policies. See ListWebAppFirewallPolicies for a complete description.

Getting WAF Policy Details

Describes the different methods to get the details of a WAF policy.

Use one of the following methods to get the details of a WAF policy.

To get the details of a WAF policy using the Console

Describes how to get the details of a WAF policy using the Console.

  1. Open the navigation menu and click Identity & Security. Under Web Application Firewall, click Policies.

    Alternatively, open the Web Application Firewall page and click Policies under Resources.

    The WAF Policies page appears.

  2. Select the Compartment from the list.

    All the WAF policies in that compartment are listed in tabular form.

  3. (Optional) Apply one or more of the following Filters to limit the WAF policies displayed:
    • State

    • Name

    • Policy Type: Select WAF Policy.

  4. Select the WAF policy whose details you want to get.
    The WAF Policy Details dialog box appears.

The Details page contains information about the WAF policy, both general information and links to its resources. Some items in the page are read-only, while other items allow you to edit and update the WAF policy's configuration.

To get the details of a WAF policy using the CLI

Describes how to get the details of a WAF policy using the CLI.

Enter the following command and required parameters:
oci waf web-app-firewall-policy get --web-app-firewall-policy-id web-app-firewall-policy-id

See the CLI online help for a list of optional parameters:

oci waf web-app-firewall-policy get --help

See oci waf web-app-firewall-policy get for a complete description of the command.

To get the details of a WAF policy using the API

Describes how to get the details of a WAF policy using the API.

Run the GetWebAppFirewallPolicy method to get the details of a WAF policy. See GetWebAppFirewallPolicy for a complete description.

Editing WAF Policies

Describes the different methods to edit a WAF policy.

Use one of the following methods to edit a WAF policy.

Note

You can only edit the name of a WAF policy when using the Console.

To rename a WAF policy using the Console

Describes how to rename a WAF policy using the OCI Console.

  1. Open the navigation menu and click Identity & Security. Under Web Application Firewall, click Policies.

    Alternatively, open the Web Application Firewall page and click Policies under Resources.

    The WAF Policies page appears.

  2. Select the Compartment from the list.

    All the WAF policies in that compartment are listed in tabular form.

  3. (Optional) Apply one or more of the following Filters to limit the WAF policies displayed:
    • State

    • Name

    • Policy Type: Select WAF Policy.

  4. Select the WAF policy you want to rename.

    The WAF Policy Details dialog box appears.

  5. Click Rename.
    Alternatively, click the Actions icon for the WAF policy and click Rename.
    The Rename Policy dialog box appears.
  6. Edit the Name of the WAF policy.
  7. Click Save Changes.

The Rename Policy dialog box closes. The updated name of the WAF policy appears in the Details page and the list of WAF policies.

To edit a WAF policy using the CLI

Describes how to edit a WAF policy using the CLI.

Enter the following command and required parameters:
oci waf web-app-firewall-policy update --web-app-firewall-policy-id web-app-firewall-policy-id

See the CLI online help for a list of optional parameters:

oci waf web-app-firewall-policy update --help

See oci waf web-app-firewall-policy update for a complete description of the command.

To edit a WAF policy using the API

Describes how to edit a WAF policy using the API.

Run the UpdateWebAppFirewallPolicy method to edit a WAF policy. See UpdateWebAppFirewallPolicy for a complete description.

Deleting WAF Policies

Describes the different methods to delete a WAF policy.

Use one of the following methods to delete a WAF policy.

To delete a WAF policy using the Console

Describes how to delete a WAF policy using the OCI Console.

  1. Open the navigation menu and click Identity & Security. Under Web Application Firewall, click Policies.

    Alternatively, open the Web Application Firewall page and click Policies under Resources.

    The WAF Policies page appears.

  2. Select the Compartment from the list.

    All the WAF policies in that compartment are listed in tabular form.

  3. (Optional) Apply one or more of the following Filters to limit the WAF policies displayed:
    • State

    • Name

    • Policy Type: Select WAF Policy.

  4. Select the WAF policy you want to delete.

    The WAF Policy Details dialog box appears.

  5. Click Edit.
    Alternatively, click the Actions icon for the WAF policy and click Delete.
  6. Confirm the deletion when prompted.

The list of WAF policies reappears without the WAF policy you deleted.

To delete a WAF policy using the CLI

Describes how to delete a WAF policy using the CLI.

Enter the following command and required parameters:
oci waf web-app-firewall-policy delete --web-app-firewall-policy-id web-app-firewall-policy-id

See the CLI online help for a list of optional parameters:

oci waf web-app-firewall-policy delete --help

See oci waf web-app-firewall-policy delete for a complete description of the command.

To delete a WAF policy using the API

Describes how to delete a WAF policy using the API.

Run the DeleteWebAppFirewallPolicy method to delete a WAF policy. See DeleteWebAppFirewallPolicy for a complete description.

Moving WAF Policies Between Compartments

Describes the different methods to move a WAF policy between compartments.

Use one of the following methods to move a WAF policy between compartments.

To move a WAF policy between compartments using the Console

Describes how to move a WAF policy between compartments using the OCI Console.

  1. Open the navigation menu and click Identity & Security. Under Web Application Firewall, click Policies.

    Alternatively, open the Web Application Firewall page and click Policies under Resources.

    The WAF Policies page appears.

  2. Select the Compartment from the list.

    All the WAF policies in that compartment are listed in tabular form.

  3. (Optional) Apply one or more of the following Filters to limit the WAF policies displayed:
    • State

    • Name

    • Policy Type: Select WAF Policy.

  4. Select the WAF policy you want to move.

    The WAF Policy Details dialog box appears.

  5. Click Move Resource.

    Alternatively, click the Actions icon for the WAF policy and click Move ???.

    The Move Resource to a Different Compartment dialog box appears.

  6. Select the compartment to which you want to move your WAF policy from the Choose New Compartment list.
  7. Click Move Resource.

The WAF policy now appears in the compartment you moved it to.

To move a WAF policy between compartments using the CLI

Describes how to move a WAF policy between compartments using the CLI.

Enter the following command and required parameters:
oci waf web-app-firewall-policy change-compartment --compartment-id compartment-id --web-app-firewall-policy-id web-app-firewall-policy-id

See the CLI online help for a list of optional parameters:

oci waf web-app-firewall-policy change-compartment --help

See oci waf web-app-firewall-policy change-compartment for a complete description of the command.

To move a WAF policy between compartments using the API

Describes how to move a WAF policy between compartments using the API.

Run the ChangeWebAppFirewallPolicyCompartment method to move a WAF policy between compartments. See ChangeWebAppFirewallPolicyCompartment for a complete description.