Managed Rules

Use managed rules to:

Preventing False Positives (Ignore List)

The characteristics of certain cookies, headers, and query string arguments may resemble malicious traffic. This may result in WAF incorrectly identifying a request as a threat. Avoid this situation by identifying the cookies, headers, and query string arguments that should be ignored when WAF performs threat assessment.

Key information:

File Size and Query String Limits (Advanced)

You may define query string argument and file size limitations that cannot be exceeded by valid requests.

The modification of these advanced settings is strongly discouraged.

Type Description

File size

The Multiple File Upload Limit option defines the total file size, in bytes, for a POST request that is a multipart message.

The recommended maximum value is 6,291,456 bytes.

For the purpose of this setting, file size is calculated from the body (i.e., message or payload) of POST requests with a Content-Type header that is set to multipart/form-data.

Define the maximum file size for all other requests through an access rule.
Learn more.

Query string value/parameters

A variety of restrictions may be placed on either a request's query string value or parameters.

The Total Argument Length option defines the maximum number of characters for the query string value in the request URL.

The Max # of Arguments /Request option defines the maximum number of parameters that a query string may contain.

The Single Argument Length option defines the maximum number of characters for any single query string parameter value in the request URL.

The Argument Name Length option defines the maximum number of characters for any single query string parameter name in the request URL.

JSON Inspection

Determines whether JSON payloads will be inspected.

Rule Set

The ECRS rule set, which is primarily based off of OWASP CRS 3.x rules, identifies malicious traffic and provides generic protection against a variety of unknown vulnerabilities. This rule set does not solely rely on signatures to check for known vulnerabilities. Rather, it analyzes all HTTP data for malicious payloads.

In addition to defining a threshold, this rule set allows you to balance protection against false positivesWeb Application Firewall: A false positive is a legitimate request that was identified as malicioius traffic by Web Application Firewall. via the Paranoia Level option. Paranoia levels are explained below.

Before leveraging a new rule set to secure production traffic, it is strongly recommended to fine-tune its configuration to account for your traffic profile.
Learn more.

Automatically verify that your web applications are compatible with our latest threat detection policies by enabling the Automatically opt-in to the latest ECRS ruleset option. This mode is only recommended for auditing new rule sets. You should set your Security Application Manager configuration's Audit Managed Rule option to a managed rule that has opted-in to automatic updates to the latest rule set. This type of setup provides you with the opportunity to minimize false positives before enforcing our latest threat detection policies on your production traffic.

The ECRS rule set consists of a set of threat detection policies. Each threat detection policy contains a set of rules that define how threats to site traffic will be detected.

Key information:

Policy and Rule Updates

Periodic updates to the policies and rules in a rule set are necessary to address the dynamic nature of threats to site traffic. Due to this changing landscape of threats, it is critical to keep up with the latest rule set updates. Using the latest rule set version maximizes the degree to which HTTP/HTTPS traffic is protected.

Identify a rule set's version by the date on which it was released.

Syntax:

Rule Set NameDate

Example:

ECRS 2019-02-11

Threat Detection Policies

A brief description for each available threat detection policy is provided below.

The set of available policies varies according to the selected rule set.

Balance security with optimal data delivery performance by disabling policies that do not apply to your site's traffic. For example, the Typo3 attacks policy should be disabled if your site does not use that CMS.

The ability to monitor outbound traffic is currently unsupported. Therefore, none of the following policies are applicable to outbound traffic.

Rule Exceptions

An effective strategy for reducing false positivesWeb Application Firewall: A false positive is a legitimate request that was identified as malicioius traffic by Web Application Firewall. is to create rule exceptions. A rule exception identifies one or more rules that will be ignored for a set of requests. Identify requests using any of the following criteria:

Another strategy for reducing false positives is to reduce the Paranoia Level option. The recommended level is 1.

Tips for setting up rule exceptions:

Managed Rule Administration

You may create, modify, and delete managed rules.

Key information:

To create a managed rule

  1. Navigate to the Managed Rules page. ClosedHow?From the main menu, navigate to More | Security | WAF Tier | Security Rule Manager | Managed Rules.

  2. Click Add Managed Rule.
  3. In the Name option, type the unique name by which this managed rule will be identified. This name should be sufficiently descriptive to identify it when setting up a Security Application Manager configuration.
  4. In the Response Header Name option, verify the name of the response header that will be included with blocked requests. This name only consist of alphanumeric characters and dashes.
  5. Determine whether WAF will ignore specific cookies, request headers, or query string arguments when assessing whether a request is a threat.

    1. From the Ignore List option, choose to ignore specific cookies, request headers, or query string arguments.
    2. Specify the name for each cookie, request header, or query string argument that should be ignored on a separate line.
    3. Repeat the above steps if you need to create additional ignore lists.
  6. Advanced Users Only

    Customize file size and query string limits by expanding More Details and then making the necessary adjustments.

  7. Enable the desired threat detection rules and define the threat identification threshold.

    1. Click the Policies tab. In the Ruleset option, select the type and date for the rule set that may be used to monitor traffic for threats. The Policies section will be refreshed to reflect the selected rule set.

      Automatically verify that your web applications are compatible with our latest threat detection policies by enabling the Automatically opt-in to the latest ECRS ruleset option. This mode is only recommended for auditing new rule sets. You should set your Security Application Manager configuration's Audit Managed Rule option to a managed rule that has opted-in to automatic updates to the latest rule set. This type of setup provides you with the opportunity to minimize false positives before enforcing our latest threat detection policies on your production traffic.

    2. Set the Threshold option to a level (e.g., 5) that balances security with risk tolerance. Requests that are scored at or higher than the specified value will be identified as malicious traffic.

      Learn more.

      This option only applies to policies other than Custom EC Rules and policies that start with Adv.

    3. Set the Paranoia Level option to a level (e.g., 1) that balances security with risk tolerance.

      This is an advanced setting. The recommended paranoia level is 1. Setting this option to a higher value will increase the number of false positivesWeb Application Firewall: A false positive is a legitimate request that was identified as malicioius traffic by Web Application Firewall..

      Learn more.

    4. Review all enabled policies and rules to ensure that the legitimate traffic is not targeted by mistake.
  8. Optional. Add one or more rule exceptions.

  9. Click Save.

To modify a managed rule

A common reason for updating a managed rule is to reduce false positivesWeb Application Firewall: A false positive is a legitimate request that was identified as malicioius traffic by Web Application Firewall. by adding a rule exception. A rule exception identifies one or more rules that should be ignored for a specific set of requests. Typically, rule exceptions are identified via analysis within the Threats Dashboard.

  1. Navigate to the Managed Rules page. ClosedHow?From the main menu, navigate to More | Security | WAF Tier | Security Rule Manager | Managed Rules.

  2. Click on the desired managed rule.
  3. Make the desired changes.
  4. Click Save.

To delete a managed rule

  1. Navigate to the Managed Rules page. ClosedHow?From the main menu, navigate to More | Security | WAF Tier | Security Rule Manager | Managed Rules.

  2. Click on the desired managed rule.
  3. Click Delete Managed Rule.
  4. Type DELETE.
  5. Click Delete.