WAF Protection Rules
Protection rules match web traffic to rule conditions and determine the action to be taken when the conditions are met. Protection Rule Settings allow you to define the parameters for enforcement any time a protection rule is matched. Recommendations aid in the optimization of your WAF security profile. The Security Operations team proactively monitors all events to provide recommendations about the action of a specific ruleset. See Supported Protection Rules for additional information.
Edge policy has approximately 680 rules. Because of Edge policy maturity, multiple versions of the core ruleset (CRS) are included.We continuously update and optimize existing rules, in addition to creating rules. Because of vulnerability concerns, we can't provide the mitigation pattern for rules.
WAF policies are kept up to date with CRS and CVEs releasing new and updated definitions on a quarterly basis. Rule definitions in use aren't updated since they could cause unexpected behavior. New definitions are always pushed in an off state.
You can enable a maximum of 100 rules per WAF policy.
For more information, see Supported Protection Rules.
For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.
Listing and Accepting Protection Rule Recommendations
{
"name": "SQL authentication bypass attempts",
"action": "OFF",
"description": "Detects basic SQL authentication bypass attempts.",
"exclusions": [],
"key": "981244",
"tags": "SQL Injections, Recommended"
},
{
"modSecurityRuleIds": [
"950001",
"959070",
"959071",
"959072",
"950908",
"959073"
],
"name": "Common SQL Injections",
"action": "OFF",
"description": "detects common SQL injection attacks",
"exclusions": [],
"key": "950001",
"tags": "SQL Injections, WASCTC, OWASP, A1, PCI, Recommended"
},
[
"981244",
"950001"
]Protection Rule Specific Settings
Several protection rule settings are settings for specific protection rules.
| Setting | Rule ID | Rule Name |
|---|---|---|
| Allowed HTTP Methods | 911100 | Restrict HTTP Request Methods |
| Max Total Argument Length | 960341 | Total Arguments Limits |
| Max Number of Arguments | 960335 | Number of Arguments Limits |
| Max Length of Argument | 960208 | Values Limits |
The term "Arguments" refers to either query parameters or body parameters in a PUT/POST request. For instance, if the Max Number of Arguments is 2 and RuleID 960335 is set to BLOCK, any of the following requests would be blocked:
GET /myapp/path?query=one&query=two&query=threePOST /myapp/path with Body {"arg1":"one","arg2":"two","arg3":"three"}POST /myapp/path?query=one&query=two with Body {"arg1":"one"}Max Length of Argument is the length of either a name or the value of the argument. Total Argument Length refers to the sum of the name and value length.
Exclusions
Configure an exception in the Web Application Firewall service.
Sometimes a protection rule can trigger a false positive. You can configure an exception if the request(s) generating the false positive have a particular argument or cookie that can be used to identify that request be excluded from the action normally taken on the rule. The following exclusion parameters can be used:
|
Name |
Description |
|---|---|
|
Request Parameters |
List of parameter values (by parameter name) from form-urlencoded, XML, JSON, AMP, or POST payloads to exclude from inspecting. |
|
Request Cookies |
List of HTTP request cookie values (by cookie name) to exclude from inspecting. |