
How To Make an Exception on a WAF protected Domain/URL endpoint Using a Cloned WAF Policy

Description

  • This guide describes a process that uses the proxy configuration to create an exception for matching URLs/Hosts when the WAF policy does not allow it
  • Using a cloned copy of the WAF policy, the SOC can tune/disable the individual attack signature(s) and/or sub-modules
    • The proxy configuration is then used to apply the cloned WAF policy to the <Domain/URL>, making an exception to the WAF policy

 

Environment

  • WAF policy
  • WAF Proxy
    • HTTP/HTTPS proxy

 

Procedure

Usually, the process starts with How to Create WAF Violation Assessments or when a client/customer reports a support ID/false positive (see Q&A: WAF Policy False Positives: Definition, Examples, What to Do).

  • The SOC would then provide the assessment and list out the tuning suggestions
  • Some tuning can be adjusted and allowed for a particular URL, but violations related to the following are likely to be adjusted across the entire WAF policy:
    • HTTP Headers
    • Cookie
    • Path traversal Attack signatures on the URLs
    • Evasion Technique
    • others

The steps below assume the client has reason(s) to tune/allow a violation on a domain or URL and intends to have 2 or more WAF policies on a proxy:

  1. SOC will ask for a name to give to the cloned copy of the WAF policy
  2. Once the WAF policy is cloned and then tuned to allow for the requested behavior, the WAF policy is ready to be applied to the proxy:
    • In the Silverline Portal, go to Config -> Proxy/App Configuration -> Proxy/App Management
    • Then, open up the configuration of your proxy and click on the service profile (left-hand side) with the WAF policy (can be WAF Proxy, HTTPS, and/or HTTP)
  3. On the Profile Settings section of the Security Policies tab, click on the Add button
  4. In the new profile add the <Host(s)/URI(s)>
    • Note: The URI field uses the "starts_with" operator. This means the configured value matches any URL or URI that begins with that string, whatever characters follow it. Ex: /Path2, /Path3
    • See Examples section of this article
  5. You can drag the URI configuration up and down to re-arrange the order
    • Note:
      Drag specific URLs to the top and generic URLs to the bottom
      as the matching will be based on "starts_with" operator

      For example, a proxy is configured with the following order:
      1. /helloworld/images/
      2. /helloworld/images/jpg
      3. /helloworld/login
      4. *

      * If a URL comes in as "/helloworld/images/jpg/image001.jpg",
      it will match the first configuration "/helloworld/images/" due to the "starts_with" operator, so the more specific "/helloworld/images/jpg" entry is never reached
  6. Click Save and Deploy to save and deploy your changes
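
Added example (not part of the original article and not Silverline code): a small Python model of the first-match "starts_with" ordering described in step 5. It flags URI entries that can never match because a more generic entry sits above them, which is how a cloned exception policy ends up applied to the wrong paths or not at all. The policy names and the treatment of * as a catch-all are assumptions.

```python
# Constructed sample: the ordering from the note in step 5.
# Policy names are hypothetical placeholders, not taken from the article.
PROFILES = [
    ("/helloworld/images/", "policy_a"),
    ("/helloworld/images/jpg", "policy_b"),
    ("/helloworld/login", "policy_c"),
    ("*", "base_policy"),
]


def matches(pattern, path):
    # Assumption: "*" is a catch-all; every other value is a plain prefix test.
    return pattern == "*" or path.startswith(pattern)


def select_policy(profiles, path):
    """Return the policy of the first entry, top to bottom, that matches."""
    for pattern, policy in profiles:
        if matches(pattern, path):
            return policy
    return None


def shadowed(profiles):
    """Return (entry, earlier_entry) pairs where entry can never be reached."""
    found = []
    for i, (later, _) in enumerate(profiles):
        for earlier, _ in profiles[:i]:
            # An earlier catch-all or an earlier prefix of this value always wins.
            if earlier == "*" or (later != "*" and later.startswith(earlier)):
                found.append((later, earlier))
                break
    return found


def specific_first(profiles):
    """Reorder so longer (more specific) prefixes come first, catch-all last."""
    return sorted(profiles, key=lambda p: (p[0] == "*", -len(p[0])))


if __name__ == "__main__":
    url = "/helloworld/images/jpg/image001.jpg"
    print("as configured:", select_policy(PROFILES, url))
    for entry, blocker in shadowed(PROFILES):
        print(f"unreachable: {entry!r} is shadowed by {blocker!r}")
    fixed = specific_first(PROFILES)
    print("reordered:", [p for p, _ in fixed])
    print("after reorder:", select_policy(fixed, url))
```

Sorting by length is enough here because any value that is a prefix of another is necessarily shorter than it.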

 

Examples

URI exception

  • The base policy is wordpress_template
  • The cloned policy is wordpress_template_opposite, created with the exception applied
  • The URI is /wp/opposite, where the exception is to be allowed


 

Host/Domain exception

  • The base policy is wordpress_template
  • The cloned policy is wordpress_template_opposite, created with the exception applied
  • The Host is opposite.wp.com, where the exception is to be allowed


 
