Creating a Web Application Firewall Policy
Create a web application firewall (WAF) policy that includes access rules, rate limiting rules, and protection rules.
To create a policy, provide basic, access control, rate limiting, and protection options as needed, and then select an enforcement point. For more information, see Before You Begin.
- Open the navigation menu and click Identity & Security. Under Web Application Firewall, click Policies.
- On the Policies page, select a compartment that you have permission to work in.
- Click Create WAF policy.
Set Up Basic Information
On the Basic information page of the workflow, follow these steps:
- Enter a name for the WAF policy, or use the default name.
- Select the compartment to contain the WAF policy.
- Click the Actions arrow to view the actions to add to the WAF policy. The following preconfigured actions are associated with the WAF policy by default:
  - Preconfigured Check Action: The action doesn't stop the running of rules. Instead, the action generates a log message that documents the result of running the rules.
  - Preconfigured Allow Action: The action, upon matching the rule, skips all remaining rules in the current module.
  - Preconfigured 401 Response Code Action: Returns a defined HTTP response. The response code configuration (headers and response page body) determines the HTTP response that's returned when this action is run.
- To add another action to the policy, click Add action, and then complete the following options in the Add actions panel. For more information, see Actions for Web Application Firewalls.
  - Name: Enter the name of the action.
  - Type: Specify the action type:
    - Check: Doesn't stop the execution of rules. Instead, it generates a log message documenting the result of the rule.
    - Allow: Skips all remaining rules in the current module.
    - Return HTTP response: Returns a defined HTTP response. If you select this type, then provide the following values:
      - Response code: Select the HTTP response code.
      - Headers: Enter optional header information:
        - Header name: Enter the name of the header.
        - Header value: Enter the associated value of the header.
        Click + Another header to display another header row where you can enter a header name and value pair. Click X to delete the associated header row.
      - Response page body: Provides details about an error, including the cause and further instructions, if needed. Enter the HTTP response body, for example a JSON error response:
        {"code":"403","message":"Forbidden"}
        You can enable Dynamic text support to add variables in the page body. The following variable is supported:
        - RequestID: The request ID can help you with tracking and managing a request by providing a unique request identifier exposed in HTTP request and response headers. When the request ID is enabled, the default header name X-Request-Id is included in the HTTP request header from the load balancer to the backend and in the HTTP response headers.
        The following example provides an HTTP response body with dynamic text support enabled:
        {"code":"403","message":"Forbidden","RequestId":"${http.request.id}"}
  - Click Add action.
- Click Show tagging to access the tagging options for the WAF policy. For more information, see Tagging Resources.
- To work with the legacy Edge Policy options, click the legacy workflow link at the bottom of the page. For more information, see Edge Policies.
- Click Next.
Configure Access Control
(Optional) Use the Access control options to define explicit actions for requests and responses that meet various conditions. When you enable access control, a list of access rules associated with the request control is displayed. You can add, edit, or delete rules. For more information, see Request Controls for a Web Application Firewall Policy.
If you don't want to enable access control, click Next.
- Select Enable access control.
- Under Request control, click Add access rule, and provide the following information to define the rule:
- Name: Enter a name for the access rule.
- Conditions: Specify the prerequisite conditions that must be met for the rule action to occur. See Understanding Conditions.
- Rule action: Select an existing rule to follow when the preceding conditions are met, or select Create new action to add one. For a description of the preconfigured rules and instructions for adding rules, see the previous section, "Set Up Basic Information."
- Click Add access rule.
- Under Default action, from the Action name list, select the action to follow when requests don't match any rule group that's defined for the policy.
- Click Show response control options to display the Response control section and the Access rules list. The list contains access rules associated with the response control. Add and manage access rules and actions for response controls the same as for request controls. For more information, see Response Control for a Web Application Firewall Policy.
- Click Next.
Configure Rate Limiting Rules
If you don't want to enable optional rate limiting, click Next.
- Select Enable to configure rate limiting rules.
- Under Rate limiting rules, click Add rate limiting rule, and then complete the options as follows:
  - Name: Enter a name for the rate limit rule.
  - Conditions: Specify the prerequisite conditions that need to be met for the rule action to occur. See Understanding Conditions.
  - Rate limiting configuration: Configure the maximum number of requests that can be made from a unique IP address and the time window in which they're counted. The options are:
    - Requests limit: Enter the maximum number of requests that a unique IP address can make during the time value allocated in the Period in seconds box.
    - Period in seconds: Enter the number of seconds in which the maximum number of requests can be made from each unique IP address, as specified in the Requests limit box.
    - Action duration in seconds: Enter the duration in seconds that the action is applied when the request limit is reached.
    You can click +Another rate limiting to display another rate limit configuration row to complete. Click X to delete the associated rate limit configuration row.
  - Rule action: Select an existing rule to be followed when the preceding conditions are met, or select Create new action to add one. For a description of the preconfigured rules and instructions for adding rules, see the previous section, "Set Up Basic Information."
  For more information, see Actions for Web Application Firewalls.
Configure Protection Rules
(Optional) Use these options to apply Oracle-managed request protection capabilities to catch malicious traffic. Apply protection rules as needed. For more information, see Protections for Web Application Firewall.
If you don't want to enable protection rules, click Next.
- Select Enable to configure protection rules.
- Under Request protection rules, click Add request protection rule, and then complete the options as follows:
  - Name: Enter a name for the protection rule.
  - Conditions: Specify the prerequisite conditions that must be met for the rule action to occur. See Understanding Conditions.
  - Rule action: Select an existing rule to be followed when the preceding conditions are met, or select Create new action to add one. For a description of the preconfigured rules and instructions for adding rules, see the previous section, "Set Up Basic Information."
  - Body inspection: Select Enable body inspection to let the HTTP request body undergo inspection to ensure that request body content conforms to all the specified protection capabilities in the protection rule. For more information, see HTTP Request Body Inspection.
  - Protection capabilities: Lists the protection capabilities assigned to the protection rule. Click Choose protection capabilities to open the Choose protection capabilities dialog box. Browse the available protection capabilities and assign one or more to the protection rule. You can filter the capabilities and click the "down" arrow at the right end of each capability to view its version history. Select the protection capabilities that you want to add to the protection rule, and then click Choose protection capabilities. For more information, see Protections for Web Application Firewall.
  - Actions: You can apply more actions to one or more selected protection capabilities. Select the protection capabilities that you want to affect, and then select one of the following commands from the Actions menu:
    - View and edit protection capabilities settings: Opens the View and edit protection capability settings dialog box in which you can edit the protection capability settings.
      Note: This setting is global. The settings that you configure in this dialog box apply to all protection capabilities associated with the protection rule, regardless of whether they're selected in the protection capabilities list.
    - Change action: Opens the Change action dialog box in which you can update the action taken by the protection capabilities when triggered.
    - Delete: Removes the protection capabilities from the protection rule.
  - Click Add request protection rule.
- Click Show response protection rules to display a list of response protection rules.
  - To remove a rule, select it, and then click Delete.
  - To add a rule, click Add response protection rule.
  - Add and manage rules and actions for response protections the same as for request protections described earlier in this section.
- Select one or more request protection rules, and then click the Actions menu to apply an action to all the selected rules. You can select one of the following options:
  - View and edit rules settings: Opens the View and edit rules settings dialog box. You can apply the following settings to any request protection rule that has HTTP body inspection enabled:
    - Maximum number of bytes allowed: Specify the number of bytes in each HTTP message body that undergoes inspection. The value ranges from 0 to 8192.
    - Action taken if limit has been exceeded: Select an action from the list that occurs if the size of the message body exceeds the specified maximum number of bytes allowed.
  - Enable body inspection: Enables inspection of the HTTP message body.
  - Disable body inspection: Disables inspection of the HTTP message body.
  - Delete: Removes the selected request protection rules from the policy.
- Click Next.
Select Enforcement Point
Use these options to enforce web application firewall security on the load balancer. For more information, see Firewalls for Web Application Firewall Policies.
If you don't want to select an enforcement point, click Next.
- Under Add firewalls, select a load balancer contained in the current compartment. Click Change Compartment to select load balancers from a different compartment. The load balancer that you select has the firewall security applied.
- Click +Additional firewall to display another firewall row in which you can select another load balancer that the firewall is applied to. Click X to delete the associated firewall row.
Review and Create the Policy
Review the WAF policy settings before you complete the creation process. Each section corresponds to options that have been set up for the policy.
- Review each section for accuracy and completion. Click Edit in any section you want to make changes.
- Click Create WAF policy.
The Create WAF policy page closes and you're returned to the Policies page. The WAF policy that you created is listed with the other policies.
Use the oci waf web-app-firewall-policy create command and required parameters to create a web application firewall policy:
oci waf web-app-firewall-policy create --compartment-id compartment_ocid [OPTIONS]
For a complete list of flags and variable options for CLI commands, see the Command Line Reference.
Run the CreateWebAppFirewallPolicy operation to create a web application firewall policy.
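When the same policy is scripted through the CLI or the CreateWebAppFirewallPolicy operation, the JSON that the actions, request access control and request rate limiting parameters take can be assembled and sanity-checked offline before it is submitted. The block below is an added example, not Oracle's code: the field names, the type values (CHECK, ALLOW, RETURN_HTTP_RESPONSE, STATIC_TEXT, DYNAMIC) and the JMESPath condition syntax are assumptions drawn from the OCI WAF API, and the compartment OCID used in the test is a placeholder.

```python
import json

# Assumed JSON shapes (action types CHECK, ALLOW, RETURN_HTTP_RESPONSE; body types
# STATIC_TEXT and DYNAMIC): check them against the API reference before use.
REQUEST_ID_VAR = "${http.request.id}"  # dynamic-text variable named on the page

def return_http_response_action(name, code, text, dynamic=False, headers=None):
    """'Return HTTP response' action; dynamic=True enables dynamic text support."""
    body = {"type": "DYNAMIC", "template": text} if dynamic else {"type": "STATIC_TEXT", "text": text}
    return {"type": "RETURN_HTTP_RESPONSE", "name": name, "code": code, "body": body,
            "headers": [{"name": k, "value": v} for k, v in (headers or {}).items()]}

def rate_limit_rule(name, action_name, condition, requests_limit, period_s, duration_s):
    """Rate limiting rule: requests limit, period in seconds, action duration in seconds."""
    return {"type": "REQUEST_RATE_LIMITING", "name": name, "actionName": action_name,
            "condition": condition, "conditionLanguage": "JMESPATH",
            "configurations": [{"requestsLimit": requests_limit, "periodInSeconds": period_s,
                                "actionDurationInSeconds": duration_s}]}

def build_policy(compartment_id, display_name):
    """Policy with the three action kinds, one access rule and one rate limiting rule."""
    deny = return_http_response_action("deny-403", 403, dynamic=True,
        text='{"code":"403","message":"Forbidden","RequestId":"%s"}' % REQUEST_ID_VAR,
        headers={"Content-Type": "application/json"})
    return {"compartmentId": compartment_id, "displayName": display_name,
            "actions": [{"type": "CHECK", "name": "log-only"}, {"type": "ALLOW", "name": "allow"}, deny],
            "requestAccessControl": {"defaultActionName": "allow", "rules": [
                {"type": "ACCESS_CONTROL", "name": "block-admin", "actionName": "deny-403",
                 "conditionLanguage": "JMESPATH",
                 "condition": "i_starts_with(http.request.url.path, '/admin')"}]},
            "requestRateLimiting": {"rules": [rate_limit_rule("login-rate", "deny-403",
                "i_starts_with(http.request.url.path, '/login')", 20, 60, 300)]}}

def validate_policy(policy):
    """Return a list of consistency problems; an empty list means the policy is sound."""
    problems, names = [], {a["name"] for a in policy["actions"]}
    for a in policy["actions"]:  # RequestId placeholder only expands with dynamic text
        body = a.get("body", {})
        if REQUEST_ID_VAR in json.dumps(body) and body.get("type") != "DYNAMIC":
            problems.append(f"action {a['name']}: RequestId needs dynamic text support")
    if policy["requestAccessControl"]["defaultActionName"] not in names:
        problems.append("default action is not defined in actions")
    for r in policy["requestAccessControl"]["rules"] + policy["requestRateLimiting"]["rules"]:
        if r["actionName"] not in names:  # every rule must point at a defined action
            problems.append(f"rule {r['name']}: unknown action {r['actionName']}")
        for c in r.get("configurations", []):
            if min(c["requestsLimit"], c["periodInSeconds"], c["actionDurationInSeconds"]) <= 0:
                problems.append(f"rule {r['name']}: rate limit values must be positive")
    return problems
```

The dictionary returned by build_policy can be written out with json.dumps and passed as the complex-type parameters of the create command, or used as the request body for the API operation.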