Configuring Web Application Firewall Signature Actions

The Web Application Firewall > Signatures page allows you to configure custom handling or exclusion of certain hosts on a per-signature basis. You can use signature-based exclusions to apply exclusions for all hosts for each signature.

You can also revert to using the global settings for the signature group to which this signature belongs without losing the configuration details of existing exclusions.

The list of signatures can be sorted by the contents of any column in ascending or descending order by clicking the column heading. In addition, signatures can be divided into pages and filtered by searching for a keyword. To display only signatures containing a keyword in all fields or a specific field, type the keyword in the Search field, select All Fields or a specific field to search, and click Search. Or, click Exclude to display only signatures that do not contain the keyword. Click Reset to display all signatures. All matches are highlighted. The default is 50 signatures per page.

On the Web Application Firewall > Settings page, global settings must be set to either Prevent All or Detect All for the Signature Group to which the specific signature belongs. If neither is set, that Signature Group is globally disabled and cannot be modified on a per-signature basis. See Enabling Web Application Firewall and Configuring General Settings.

Enabling Performance Optimization

The Performance Optimization option allows you to disable some relatively less severe signatures that significantly affect the performance of certain Web applications. These signatures are identified by the Dell SonicWALL signature team and the list is pushed out to SRA appliances. When you select the Enable Performance Optimization check box, these signatures are disabled for Web Application Firewall.

The Web Application Firewall > Signatures page indicates the disabled signatures by displaying them in gray, as shown in Figure 43.

Figure 43. Enabling Performance Optimization

Configuring Signature Based Custom Handling and Exclusions

You can disable inspection for a signature in traffic to an individual host, or for all hosts. You can also change the handling of detected threats for an individual host or for all hosts. If the signature group to which the signature belongs is set globally to Detect All, you can raise the level of protection to Prevent for the configured hosts. This change will block access to a host when the attack signature is detected. Similarly, you can lower the level of protection to Detect if the associated signature group is globally set to Prevent All. If no hosts are configured, the action is applied to the signature itself and acts as a global setting for all hosts.

To configure one or more hosts with an exclusion from inspection for a signature, or to configure custom handling when Web Application Firewall detects a specific signature for one or more hosts, perform the following steps:

1. On the Web Application Firewall > Signatures page, click the Configure button for the signature that you wish to change. The Edit WAF Signature-based Exclusions screen displays.

2.
   DISABLE – Disable Web Application Firewall inspections for this signature in traffic from hosts listed in this exclusion
   DETECT – Detect and log threats matching this signature from hosts listed in this exclusion, but do not block access to the host
   PREVENT – Log and block host access for threats matching this signature from hosts listed in this exclusion

3. To apply this action globally to all hosts, leave the Host field blank. To apply this action to an individual host, type the host entry as it appears in the bookmark or offloaded application into the Host field. This can be a host name or an IP address. To determine the correct host entry for this exclusion, see Determining the Host Entry for Exclusions.

   You can configure a path to a particular folder or file along with the host. The protocol, port, and the request parameters are simply ignored in the URL. If a path is configured, then the exclusion is recursively applied to all subfolders and files. For instance, if Host is set to webmail.yourcompany.com/exchange, then all files and folders under exchange are also excluded.

4. If you specified a host, click Add to move the host name into the list box.

5.

6. Click Accept. If the Host list contains host entries, SonicOS SRA verifies that each host entry is valid. If no hosts were specified, a dialog box confirms that this is a global action to be applied to the signature itself.

7. Click OK in the confirmation dialog box.

8. Click Accept on the Web Application Firewall > Signatures page to apply the updated settings. New settings are applied to any new HTTP connections and requests. The existing HTTP connections and requests will continue to use the old settings until they are terminated.
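
The host and path matching rules from step 3, together with the fallback to the signature group's global setting, modeled as an added example for reviewing how much traffic an exclusion covers (not SonicWALL code). The function names, the whole-segment path match and the case-insensitive host comparison are assumptions; the sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Group-level settings from the Settings page, mapped to per-request actions.
GROUP_ACTIONS = {"Prevent All": "PREVENT", "Detect All": "DETECT"}

def normalize(entry):
    """Reduce a host entry or URL to (host, path segments).
    Protocol, port and request parameters are ignored, as the page states."""
    parts = urlsplit(entry if "//" in entry else "//" + entry)
    host = (parts.hostname or "").lower()  # assumption: hosts compare case-insensitively
    return host, [seg for seg in parts.path.split("/") if seg]

def covers(exclusion, request_url):
    """True if request_url is the excluded host and lies at or under its path."""
    ex_host, ex_path = normalize(exclusion)
    host, path = normalize(request_url)
    # Assumption: match on whole path segments, so /exchange does not cover /exchange2.
    return host == ex_host and path[:len(ex_path)] == ex_path

def effective_action(group_setting, sig_action, hosts, request_url):
    """Action applied to one signature for one request (hypothetical model)."""
    if group_setting not in GROUP_ACTIONS:
        return "DISABLE"  # group globally disabled; no per-signature changes possible
    if sig_action is None:
        return GROUP_ACTIONS[group_setting]  # signature not configured
    if not hosts or any(covers(h, request_url) for h in hosts):
        return sig_action  # blank Host list acts as a global setting for the signature
    return GROUP_ACTIONS[group_setting]

def audit(exclusion, urls):
    """List the URLs an exclusion would cover, to review its scope before Accept."""
    return [u for u in urls if covers(exclusion, u)]

# Constructed sample requests for the page's webmail.yourcompany.com/exchange entry.
SAMPLE_URLS = [
    "https://webmail.yourcompany.com:443/exchange/inbox/msg.aspx?id=7",
    "http://webmail.yourcompany.com/exchange",
    "http://webmail.yourcompany.com/exchange2/login",
    "https://portal.yourcompany.com/exchange/inbox",
]

if __name__ == "__main__":
    for url in audit("webmail.yourcompany.com/exchange", SAMPLE_URLS):
        print("covered:", url)
```

Running the audit before setting a host entry to DISABLE shows exactly which requests would stop being inspected for that signature.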

Reverting a Signature to Global Settings

You can revert to using global signature group settings for a signature that was previously configured with an exclusion, without losing the configuration. This allows you to leave the host names in place in case you need to re-enable the exclusion.

To revert to using global signature group settings for a signature:

1. On the Web Application Firewall > Signatures page, click the Configure button for the signature that you wish to change.

2. In the Edit WAF Signature-based Exclusions screen, select INHERIT GLOBAL from the Action drop-down list.

3. The Host field may be blank if global settings were previously applied to this signature. To revert to global signature settings for all hosts, leave the Host field blank. To apply this action to one or more individual hosts, leave these host entries in the Host field and remove any host entries that are not to be reverted.

4. Click Accept. SonicOS SRA verifies that each host entry is valid.

5. Click OK in the confirmation dialog box.

6. Click Accept on the Web Application Firewall > Signatures page to apply the updated settings. New settings are applied to any new HTTP connections and requests. The existing HTTP connections and requests will continue to use the old settings until they are terminated.

Removing a Host from a Per-Signature Exclusion

To remove a host from a configured exclusion for a signature, perform the following steps:

1. On the Web Application Firewall > Signatures page, click the Configure button for the signature that you wish to change.

2.

3. Repeat Step 2 to remove other listed hosts, if desired.

4. Click Accept. SonicOS SRA verifies that each host entry is valid.

5. Click OK in the confirmation dialog box.

6. Click Accept on the Web Application Firewall > Signatures page to apply the updated settings. New settings are applied to any new HTTP connections and requests. The existing HTTP connections and requests will continue to use the old settings until they are terminated.