Access Rules

An access rule identifies legitimate traffic and threats by means of the basic access controls and the additional access controls described below.

Basic Access Controls

Control access to your content by creating whitelists, accesslists, and blacklists for the following categories:


ASN

Identifies requests according to the autonomous system (AS) from which the request originated. Specify each desired AS by its autonomous system number (ASN).

Cookie

Identifies requests by searching for a cookie name that matches the specified regular expression.

Certain common characters (e.g., ?.+) have special meaning in a regular expression. Use a backslash to escape a special character.

Country

Identifies requests by the country from which the request originated. Specify each desired country using a country code.

Country access controls take precedence over country subdivision access controls.

For example, if you define US within a whitelist, then state-specific access controls will be ignored for requests that originate within the United States.

Example:

The following value identifies requests from the United States.

US

Country Subdivision (ISO3166-2)

Identifies requests by a country's subdivision (e.g., state or province). Specify each desired subdivision using an ISO-3166-2 code.

Country access controls take precedence over country subdivision access controls.

For example, if you define US within a whitelist, then state-specific access controls will be ignored for requests that originate within the United States.

Syntax:

Country Code-Subdivision Code

Example:

The following value identifies requests from California:

US-CA

IP Address

Identifies requests by the requester’s IPv4 and/or IPv6 address. Specify each desired IP address using standard IPv4/IPv6 and CIDR notation.

Specify a subnet by appending a slash (/) and the desired bit length of the prefix (e.g., 11.22.32.0/22, which covers 11.22.32.0 through 11.22.35.255). Align the address to the prefix boundary so that the host bits below the prefix are zero; 11.22.33.0/22 is not a valid network address for a /22 prefix.

Limit

You may specify up to 1,000 IP addresses or IP blocks per access rule. Whitelist, accesslist, and blacklist entries count towards this limit.

WAF Premier and WAF Standard customers are allowed to create up to 2 access rules that may contain up to 10,000 IP addresses or IP blocks. Use the High-Capacity option to identify these two access rules. All other access rules are limited to a maximum of 1,000 IP addresses or IP blocks. You may reassign high-capacity status to another access rule by first clearing the High-Capacity option from an existing high-capacity access rule.

Referrer

Identifies requests by referrer. A successful match is found when the specified regular expression matches any portion of the Referer request header value.

The Referer request header identifies the URL of the resource (e.g., web page) from which the request was initiated. The specified regular expression may match any portion of the entire URL including the protocol and hostname.

URL

Identifies requests by searching for a value that matches the specified regular expression within the request URI.

Do not include a protocol or a hostname (e.g., http://cdn.mydomain.com) when defining a regular expression for this access control.

Certain common characters (e.g., ?.+) have special meaning in a regular expression. Use a backslash to escape a special character (e.g., main\.html\?user=Joe).

Example

All of the entries in the following sample access control list will match the sample request:

/marketing/.*

.*images.*

.*/ad[0-9]*\.png

Sample request:

http://www.mydomain.com/marketing/images/ad001.png

User Agent

Identifies requests by the user agent that acted on behalf of a user to submit the request. A successful match is found when the specified regular expression matches any portion of the User-Agent request header value.

Whitelists

The purpose of a whitelist is to identify legitimate traffic.

Accesslists

The purpose of an accesslist is to identify traffic that may access your content upon passing a threat assessment. If one or more accesslists have been defined, WAF will only inspect requests that satisfy at least one criterion in each defined accesslist. All other traffic, unless it has been whitelisted, will be blocked.

Blacklists

The purpose of a blacklist is to describe unwanted traffic.
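The following script is an added illustration, not the WAF vendor's code, of how the basic access controls and list types described above can be evaluated: IP/CIDR entries, ASN, country and ISO 3166-2 subdivision codes (with country entries taking precedence over subdivision entries), and the regex categories (URL, referrer, cookie, user agent), which match when the pattern is found anywhere in the value. It also shows why the escaped URL pattern from the URL entry above (main\.html\?user=Joe) matches while the unescaped form does not. The rule contents, the sample requests and the whitelist, then accesslist, then blacklist evaluation order are constructed assumptions for this example; the page only states that whitelisted traffic is exempt from the accesslist requirement.

```python
"""Added example (not the vendor's code): evaluating a WAF access rule."""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    ip: str
    country: str                 # ISO 3166-1 alpha-2 code, e.g. "US"
    subdivision: str             # ISO 3166-2 code, e.g. "US-CA"
    asn: int
    uri: str                     # path and query only, no scheme or host
    referer: str = ""
    user_agent: str = ""
    cookies: dict = field(default_factory=dict)   # name -> value


@dataclass
class AccessRule:
    whitelists: dict = field(default_factory=dict)    # category -> [entries]
    accesslists: dict = field(default_factory=dict)
    blacklists: dict = field(default_factory=dict)


def matches(category, entries, req):
    """True when the request satisfies at least one entry of this category."""
    if category == "ip":
        addr = ipaddress.ip_address(req.ip)
        # strict=False tolerates entries whose host bits are not zero.
        return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)
    if category == "asn":
        return req.asn in {int(e) for e in entries}
    if category == "country":
        return req.country in entries
    if category == "subdivision":
        return req.subdivision in entries
    # Regex categories use search semantics: any portion of the value may match.
    if category == "url":
        return any(re.search(e, req.uri) for e in entries)
    if category == "referrer":
        return any(re.search(e, req.referer) for e in entries)
    if category == "user_agent":
        return any(re.search(e, req.user_agent) for e in entries)
    if category == "cookie":      # the page matches on the cookie name
        return any(re.search(e, name) for e in entries for name in req.cookies)
    raise ValueError(f"unknown category {category}")


def evaluate(rule, req):
    """Return 'whitelisted', 'blocked', or 'inspect' (handed on to threat assessment)."""
    # Country entries take precedence over subdivision entries: once the request's
    # country appears in any country list, subdivision lists are ignored for it.
    skip = set()
    for lists in (rule.whitelists, rule.accesslists, rule.blacklists):
        if req.country in lists.get("country", []):
            skip.add("subdivision")

    def hit(lists):
        return any(matches(c, ents, req) for c, ents in lists.items() if c not in skip)

    # Assumed evaluation order: whitelist, then every accesslist, then blacklists.
    if hit(rule.whitelists):
        return "whitelisted"
    for category, entries in rule.accesslists.items():   # each accesslist must be satisfied
        if category not in skip and not matches(category, entries, req):
            return "blocked"
    if hit(rule.blacklists):
        return "blocked"
    return "inspect"


# Constructed sample rule; the URL accesslist reuses the page's three patterns.
RULE = AccessRule(
    whitelists={"ip": ["203.0.113.0/24"], "country": ["US"]},
    accesslists={"url": ["/marketing/.*", ".*images.*", r".*/ad[0-9]*\.png"]},
    blacklists={"subdivision": ["US-CA"], "asn": ["64496"],
                "user_agent": [r"sqlmap", r"python-requests/"]},
)


def demo():
    """Evaluate constructed requests; 'california' shows country precedence."""
    base = dict(ip="198.51.100.7", asn=64500, uri="/marketing/images/ad001.png",
                user_agent="Mozilla/5.0")
    de = dict(country="DE", subdivision="DE-BY")
    return {
        # US is whitelisted, so the US-CA subdivision blacklist is ignored.
        "california": evaluate(RULE, Request(country="US", subdivision="US-CA", **base)),
        "scanner": evaluate(RULE, Request(**{**base, "user_agent": "sqlmap/1.7"}, **de)),
        "outside_accesslist": evaluate(RULE, Request(**{**base, "uri": "/login"}, **de)),
        "normal": evaluate(RULE, Request(**base, **de)),
        "bad_asn": evaluate(RULE, Request(**{**base, "asn": 64496}, **de)),
    }


def escaping_demo():
    """Escaped page pattern matches; unescaped one does not ('?' makes 'l' optional)."""
    target = "/main.html?user=Joe"
    return (bool(re.search(r"main\.html\?user=Joe", target)),
            bool(re.search(r"main.html?user=Joe", target)))


if __name__ == "__main__":
    print(demo())
    print(escaping_demo())
```

Note that re.search is used deliberately: an entry such as .*images.* matches any URI containing "images", so broad patterns in an accesslist admit more than intended and broad patterns in a blacklist block more than intended. Anchor entries (^/marketing/) when only a prefix should qualify.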


Additional Access Controls

Unlike the access controls described above, the following access controls are limited to identifying malicious traffic:

HTTP Methods

Define the set of valid and invalid HTTP request methods via the Allowed HTTP Methods option. An HTTP request method indicates the type of action that a server should perform on the asset identified in the request URL. Common HTTP request methods are GET, POST, PUT, DELETE, HEAD, OPTIONS, TRACE, and CONNECT.

Media Types (aka Content Types)

Define the set of valid media types (aka content types or MIME types) via the Allowed Request Content Types option. A media type identifies and classifies the data contained in a file.


File Extensions

Define the set of invalid file extensions via the Extension Blacklist option.


File Size

Define the maximum file size, in bytes, for a POST request via the Single File Upload Limit option.

The recommended maximum value is 6,291,456 bytes.

Define the maximum file size for a request that is part of a multipart message through a managed rule.

Request Headers

Define the set of invalid request headers via the Header Blacklist option.
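The following script is an added illustration, not the WAF vendor's code, of the threat checks that the additional access controls above express: allowed HTTP methods, allowed request content types, an extension blacklist, a header blacklist and the single-file upload limit. The settings values, the sample requests and the two assumptions noted in the code (the content-type check applies only when a request declares one; the upload limit applies to POST bodies) are constructed for this example; the page documents the options, not these particular values.

```python
"""Added example (not the vendor's code): checking requests against the advanced settings."""
from urllib.parse import urlsplit

# Constructed settings; 6,291,456 bytes is the recommended maximum quoted on the page.
SETTINGS = {
    "allowed_methods": {"GET", "HEAD", "POST", "OPTIONS"},
    "allowed_content_types": {"application/x-www-form-urlencoded",
                              "multipart/form-data", "application/json"},
    "extension_blacklist": {".php", ".asp", ".exe", ".bak"},
    "header_blacklist": {"x-forwarded-host", "proxy-connection"},
    "single_file_upload_limit": 6_291_456,
    "response_header_name": "x-waf-blocked",
}


def media_type(content_type):
    """Strip parameters ('; charset=utf-8', '; boundary=...') and normalize case."""
    return content_type.split(";", 1)[0].strip().lower()


def path_extension(uri):
    """Extension of the last path segment, ignoring query string and fragment."""
    last = urlsplit(uri).path.rsplit("/", 1)[-1]
    return ("." + last.rsplit(".", 1)[1].lower()) if "." in last else ""


def assess(req, settings=SETTINGS):
    """Return the list of violations for a request (empty list means no threat found).

    req: {"method": str, "uri": str, "headers": {name: value}, "body_length": int}
    """
    hits = []
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    method = req["method"].upper()
    if method not in settings["allowed_methods"]:
        hits.append(f"method {method} not allowed")
    # Assumption: the content-type check applies when the request declares one.
    if "content-type" in headers:
        mt = media_type(headers["content-type"])
        if mt not in settings["allowed_content_types"]:
            hits.append(f"content type {mt} not allowed")
    ext = path_extension(req["uri"])
    if ext and ext in settings["extension_blacklist"]:
        hits.append(f"extension {ext} blacklisted")
    for name in headers:          # header names compared case-insensitively
        if name in settings["header_blacklist"]:
            hits.append(f"header {name} blacklisted")
    # Assumption: the limit applies to POST bodies and is measured in bytes.
    if method == "POST" and req.get("body_length", 0) > settings["single_file_upload_limit"]:
        hits.append("upload exceeds single file upload limit")
    return hits


# Constructed sample requests.
SAMPLE_REQUESTS = {
    "plain_get": {"method": "GET", "uri": "/index.html",
                  "headers": {"Host": "www.mydomain.com"}},
    "trace": {"method": "TRACE", "uri": "/",
              "headers": {"Host": "www.mydomain.com"}},
    "xml_post": {"method": "POST", "uri": "/api/submit",
                 "headers": {"Content-Type": "text/xml; charset=utf-8"},
                 "body_length": 512},
    "php_probe": {"method": "GET", "uri": "/shell.PHP?cmd=id",
                  "headers": {"X-Forwarded-Host": "evil.example"}},
    "big_upload": {"method": "POST", "uri": "/upload",
                   "headers": {"Content-Type": "multipart/form-data; boundary=xyz"},
                   "body_length": 7_000_000},
}


def run_samples():
    """Assess every sample request; returns name -> list of violations."""
    return {name: assess(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(name, "->", hits or "ok")
```

The extension check is applied to the request path after the query string is removed and with case folded, so /shell.PHP?cmd=id is still caught; a check that compared the raw URI would miss it. Header names are folded to lower case for the same reason.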


Access Rule Administration

You may create, modify, and delete access rules.


To create an access rule

  1. Navigate to the Access Rules page (from the main menu, navigate to More | Security | WAF Tier | Security Rule Manager | Access Rules).

  2. Click Add Access Rule.
  3. In the Name option, type the unique name by which this access rule will be identified. This name should be sufficiently descriptive to identify it when setting up a Security Application Manager configuration.
  4. Define the desired whitelists, accesslists, and blacklists.

    1. From the Add an Access Control option, select the desired category (IP, Country, Referrer, etc.).
    2. Click Add Whitelist, Add Blacklist, or Add Accesslist.
    3. Specify each unique value on a separate line.

      All entries within a URL, referrer, cookie, or user agent whitelist, accesslist, and blacklist are regular expressions.

    4. Repeat steps 2 and 3 if you need to add another type of access control for this category.
    5. Repeat steps 1 through 4 to add whitelists, accesslists, and blacklists for other categories.
  5. Define which HTTP methods and media types are allowed and which file extensions and request headers are disallowed.

    1. Click Advanced Settings to expand that section.
    2. From the Allowed HTTP Methods section, verify that only the HTTP methods that should be allowed are marked. Requests that use a disallowed HTTP method are deemed a threat. If the desired HTTP method is not listed, then you may manually define it in the Other HTTP Methods option.
    3. From the Allowed Request Content Types option, verify that the list only contains the media types that should be allowed. Requests that use a disallowed media type are deemed a threat. If the desired media type is not listed, then type it on a separate line.
    4. From the Extension Blacklist option, verify that all of the listed file extensions should be blocked. A request is blocked when its file extension matches a value defined in this option. If the desired file extension is not listed, then type it on a separate line.
    5. From the Header Blacklist option, verify that all of the listed request headers should be blocked. A request is blocked when it contains a header whose name matches a value defined in this option. If the desired request header is not listed, then type it on a separate line.
    6. In the Response Header Name option, set the name of the response header that will be included with blocked requests. This name may only consist of alphanumeric characters and dashes.
  6. Click Save.

To modify an access rule

  1. Navigate to the Access Rules page (from the main menu, navigate to More | Security | WAF Tier | Security Rule Manager | Access Rules).

  2. Click on the desired access rule.
  3. Make the desired changes.
  4. Click Save.

To delete an access rule

You cannot delete an access rule that is associated with a Security Application Manager configuration. Please either modify the Security Application Manager configuration to point to a different access rule or delete that Security Application Manager configuration.

  1. Check your Security Application Manager configurations to verify that the desired access rule is not in use.
  2. Navigate to the Access Rules page (from the main menu, navigate to More | Security | WAF Tier | Security Rule Manager | Access Rules).

  3. Click Delete Access Rule.
  4. Type DELETE.
  5. Click Delete.