WAF Protection Rules

Protection rules match web traffic to rule conditions and determine the action to be taken when the conditions are met. Protection Rule Settings allow you to define the parameters for enforcement any time a protection rule is matched. Recommendations aid in the optimization of your WAF security profile. The Security Operations team proactively monitors all events to provide recommendations about the action of a specific ruleset. See Supported Protection Rules for additional information.

Using the Console

To apply an action to a protection rule
  1. Open the navigation menu and click Identity & Security. Under Web Application Firewall, click Policies.
  2. Click the name of the WAF Policy you want to configure rule settings for. The WAF Policy overview appears.
  3. Click Protection Rules.
  4. Click the Rules tab.
  5. Find the protection rule you want to apply an action to.

    Tip

    You can use the Rule ID or Rule Action filters to locate a protection rule.
  6. Click the Actions icon (three dots) and select one of the following options:
    • Detect: Matching requests generate an alert and the request is proxied.
    • Block: Matching requests are blocked.
    • Off: The rule is disabled.
    • Exclusions: Exclusions are set to specify the types of request that are to be bypassed by the protection rule(s). If a request matches any of the set exclusions, the protection rule(s) will not be executed for that request.
      1. In the Exclusions dialog box, enter the following criteria:
        • Exclusion: Select request cookie values, request cookie names, request parameters, or request parameter names.
        • Value: Enter the value for the selected exclusion.
      2. Click Save Changes.

The protection rule action is added to the list to be published.

To edit rule settings
  1. Open the navigation menu and click Identity & Security. Under Web Application Firewall, click Policies.
  2. Click the name of the WAF Policy you want to configure rule settings for. The WAF Policy overview appears.
  3. Click Protection Rules.
  4. Click the Settings tab.
  5. Click Edit Rule Settings.
  6. In the Edit Rule Settings dialog box, enter the following:
    • Block Action: The action taken on malicious requests blocked by WAF.
    • Block Response Code: Provides information indicating why the request was blocked.
    • Max Number of Arguments: The maximum number of arguments allowed in the request. The recommended setting is 255.
    • Max Length of Argument: The maximum argument length allowed in the request. The recommended setting is 400.
    • Max Total Argument Length: The maximum argument length for all arguments in the request. The recommended setting is 64000.
    • Recommendations Period: The period in days to analyze for recommended actions.
    • Allowed HTTP Methods: The list of allowed HTTP protocol methods.
  7. Click Save Changes.

The accepted protection rules are added to the list to be published.

To accept recommendations

Recommendations will begin appearing once sufficient traffic has gone through the WAF to profile the right security posture.

  1. Open the navigation menu and click Identity & Security. Under Web Application Firewall, click Policies.
  2. Click the name of the WAF Policy you want to configure rule settings for. The WAF Policy overview appears.
  3. Click Protection Rules.
  4. Click the Recommendations tab.
  5. Select the protection rules you want to accept.

    Tip

    You can use the Recommended Action filter to locate a recommendation by Detect or Block.
  6. Click Accept Recommendations.

The accepted protection rules are added to the list to be published.

To publish changes

Updates to your WAF policy appear in the list to be published in Unpublished Changes. Pending changes do not persist across browser sessions. Once you publish changes, the policy cannot be edited until the changes propagate to the edge nodes.

  1. Under WAF Policy, click Unpublished Changes.
  2. In the Unpublished Changes list, click the drop-down arrow beside an unpublished change to review the change.
  3. Click Publish All.
  4. In the Publish Changes dialog box, click Publish All.

To discard changes

Updates to your WAF policy appear in the list to be published in Unpublished Changes.

  1. Under WAF Policy, click Unpublished Changes.
  2. In the Unpublished Changes list, click the drop-down arrow beside an unpublished change to review the change.
  3. Select the check box for the change you want to discard.
  4. Click Discard.
  5. In the Discard Change dialog box, click Discard.

Listing and Accepting Protection Rule Recommendations

Use the following operations to get the list of recommended rules:

[
   {
      "name": "SQL authentication bypass attempts",
      "action": "OFF",
      "description": "Detects basic SQL authentication bypass attempts.",
      "exclusions": [],
      "key": "981244",
      "tags": "SQL Injections, Recommended"
   },
   {
      "modSecurityRuleIds": [
         "950001",
         "959070",
         "959071",
         "959072",
         "950908",
         "959073"
      ],
      "name": "Common SQL Injections",
      "action": "OFF",
      "description": "detects common SQL injection attacks",
      "exclusions": [],
      "key": "950001",
      "tags": "SQL Injections, WASCTC, OWASP, A1, PCI, Recommended"
   }
]

Using the key values from the output of the GET call above, you can accept one or more of the recommendations using the following operation, passing an array of the keys:

Body:

[
   "981244",
   "950001"
]

Protection Rule Specific Settings

Several protection rule settings apply only to specific protection rules.

Setting                      Rule ID   Rule Name
Allowed HTTP Methods         911100    Restrict HTTP Request Methods
Max Total Argument Length    960341    Total Arguments Limits
Max Number of Arguments      960335    Number of Arguments Limits
Max Length of Argument       960208    Values Limits

The term "Arguments" refers to either query parameters or body parameters in a PUT/POST request. For instance, if the Max Number of Arguments is 2 and Rule ID 960335 is set to BLOCK, any of the following requests would be blocked:

GET /myapp/path?query=one&query=two&query=three
POST /myapp/path with Body {"arg1":"one","arg2":"two","arg3":"three"}
POST /myapp/path?query=one&query=two with Body {"arg1":"one"}

Max Length of Argument applies to the length of either the name or the value of an argument. Max Total Argument Length refers to the sum of the name and value lengths.
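The following added example (not part of the original documentation) applies the three argument limits as described above to a request, so you can check your own application's traffic against a candidate setting before switching the rule to BLOCK. It assumes body parameters are the top-level keys of a JSON object and that the total length is summed over all arguments; the function names are hypothetical and the WAF's own parsing may differ.

```python
import json
from urllib.parse import urlsplit, parse_qsl

# Recommended values from the Edit Rule Settings list on this page.
LIMITS = {"max_args": 255, "max_arg_len": 400, "max_total_len": 64000}

def collect_args(url, body=None):
    """Return (name, value) pairs from the query string and a JSON body."""
    args = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if body:
        # Assumption: body parameters are the top-level keys of a JSON object.
        args += [(str(k), str(v)) for k, v in json.loads(body).items()]
    return args

def violated_rules(url, body=None, limits=LIMITS):
    """Return the rule IDs whose limit this request would exceed."""
    args = collect_args(url, body)
    hits = []
    if len(args) > limits["max_args"]:
        hits.append("960335")  # Number of Arguments Limits
    if any(max(len(n), len(v)) > limits["max_arg_len"] for n, v in args):
        hits.append("960208")  # Values Limits (name or value too long)
    if sum(len(n) + len(v) for n, v in args) > limits["max_total_len"]:
        hits.append("960341")  # Total Arguments Limits
    return hits

# The three requests from the page, checked with Max Number of Arguments = 2.
PAGE_REQUESTS = [
    ("/myapp/path?query=one&query=two&query=three", None),
    ("/myapp/path", '{"arg1":"one","arg2":"two","arg3":"three"}'),
    ("/myapp/path?query=one&query=two", '{"arg1":"one"}'),
]

if __name__ == "__main__":
    tight = dict(LIMITS, max_args=2)
    for url, body in PAGE_REQUESTS:
        print(url, body or "", "->", violated_rules(url, body, tight))
```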

Exclusions

Sometimes a protection rule can trigger a false positive. If the requests generating the false positive have a particular argument or cookie that can be used to identify them, you can configure an exclusion so that those requests are exempt from the action normally taken on the rule. Exclusions have to be created through the API. The following exclusion parameters can be used:

Name                     Value
REQUEST_COOKIES          Cookie Value
REQUEST_COOKIES_NAMES    Cookie Name (value is irrelevant)
ARGS                     Argument (Query Parameter or POST/PUT data)
ARGS_NAMES               Query Parameter Name (value is irrelevant)

Example

In this example, a block is applied to WAF Rule 911100 (Restrict HTTP Request Methods) with an exception to allow requests with an argument that contains “passthrough”.

PUT /waasPolicies/<policy_ocid>/wafConfig/protectionRules

With the body:

[
   {
      "key": "911100",
      "action": "BLOCK",
      "exclusions": [
         {
            "target": "REQUEST_COOKIES",
            "exclusions": ["yourcompany.com", "Wed, 21 Oct 2015 07:28:00 GMT", "12345", "219ffwef9w0f"]
         },
         {
            "target": "REQUEST_COOKIES_NAMES",
            "exclusions": ["OAMAuthnCookie", "JSESSIONID", "HCM-PSJSESSIONID"]
         },
         {
            "target": "ARGS",
            "exclusions": ["passthrough"]
         }
      ]
   }
]

This will return a 202 Accepted HTTP status, which means the policy will enter an UPDATING state until changes are provisioned to the edge nodes.
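
Because an exclusion switches a rule off for every matching request, it is worth checking the request body before sending it. The following added example (not part of the original documentation) lints a protectionRules body against the targets and actions listed on this page. The function name is hypothetical, the "DETECT" spelling and the numeric-string key format are assumptions based on the examples shown here, and both sample bodies are constructed.

```python
import json

# Values taken from this page: the exclusion targets table and the rule actions.
TARGETS = {"REQUEST_COOKIES", "REQUEST_COOKIES_NAMES", "ARGS", "ARGS_NAMES"}
ACTIONS = {"OFF", "DETECT", "BLOCK"}  # assumption: API spelling of Detect

def lint_protection_rules(body_text):
    """Return a list of problems found in a protectionRules PUT body."""
    try:
        rules = json.loads(body_text)
    except json.JSONDecodeError as err:
        return [f"not valid JSON: {err.msg} at line {err.lineno}"]
    if not isinstance(rules, list) or not all(isinstance(r, dict) for r in rules):
        return ["body must be a JSON array of rule objects"]
    problems = []
    for i, rule in enumerate(rules):
        key = rule.get("key")
        where = f"rule[{i}] key={key!r}"
        # Assumption: keys are numeric strings, as in every example on the page.
        if not (isinstance(key, str) and key.isdigit()):
            problems.append(f"{where}: key must be a numeric string")
        if rule.get("action") not in ACTIONS:
            problems.append(f"{where}: unknown action {rule.get('action')!r}")
        for entry in rule.get("exclusions", []):
            target = entry.get("target")
            if target not in TARGETS:
                problems.append(f"{where}: unknown target {target!r}")
            values = entry.get("exclusions")
            if not values or not all(isinstance(v, str) and v for v in values):
                problems.append(f"{where}: {target}: needs non-empty string values")
    return problems

# Constructed sample: a well-formed body using the rule and targets from the page.
GOOD = """[{"key": "911100", "action": "BLOCK", "exclusions": [
  {"target": "REQUEST_COOKIES_NAMES", "exclusions": ["JSESSIONID"]},
  {"target": "ARGS", "exclusions": ["passthrough"]}]}]"""

# Constructed sample: a body pasted with typographic quotes, which is not JSON.
BAD_QUOTES = "[\n   “981244”,\n   \"950001”\n]"

if __name__ == "__main__":
    for name, body in (("GOOD", GOOD), ("BAD_QUOTES", BAD_QUOTES)):
        print(name, "->", lint_protection_rules(body) or "ok")
```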