Configuring Rule Chains

You can add, edit, delete and clone rule chains. Example rule chains (with Rule Chain ID greater than 15000) are available in the management interface for administrators to use as reference. These cannot be edited or deleted. You can view the rules associated with the rule chain by clicking its Edit Rule Chain icon under Configure.

For ease of configuration, you can clone example rule chains or regular rule chains. Cloning a rule chain clones all rules associated with the chain. After cloning the rule chain, you can edit it by clicking its Edit Rule Chain icon under Configure.

Adding or Editing a Rule Chain

To add or edit a rule chain, perform the following steps:

1. On the Web Application Firewall > Rules page, click the Add Rule Chain button to add a new rule chain. To edit an existing rule chain, click its Edit Rule Chain icon under Configure.

The New Rule Chain screen or the screen for the existing rule chain displays. Both screens have the same configurable fields in the Rule Chain section.

2. On the New Rule Chain page, type a descriptive name for the rule chain in the Name field.

3. Select a threat level from the Severity drop-down list. You can select HIGH, MEDIUM, or LOW.

4. Select Prevent, Detect Only, or Disabled from the Action drop-down list.

Prevent – Block traffic that matches the rule chain and log it.

Detect Only – Allow the traffic, but log it.

Disabled – The rule chain does not take effect.

The Disabled option allows you to temporarily deactivate a rule chain without deleting its configuration.

5. In the Description field, type a short description of what the rule chain will match or other information.

6. Select a category for this threat type from the Category drop-down list. This field is for informational purposes, and does not change the way the rule chain is applied.

7. Under Counter Settings, to enable tracking the rate at which the rule chain is being matched and to configure rate limiting, select the Enable Hit Counters check box. Additional fields are displayed.

8. In the Max Allowed Hits field, enter the number of matches for this rule chain that must occur before the selected action is triggered.

9. In the Reset Hit Counter Period field, enter the number of seconds allowed to reach the Max Allowed Hits number. If Max Allowed Hits is not reached within this time period, the selected action is not triggered and the hits counter is reset to zero.

10. Select the Track Per Remote Address check box to enforce rate limiting against rule chain matches coming from the same IP address. Tracking per remote address uses the remote address as seen by the SRA appliance. This covers the case where different clients sit behind a firewall with NAT enabled, causing them to effectively send packets with the same source IP.

11. Select the Track Per Session check box to enable rate limiting based on an attacker’s browser session. This method sets a cookie for each browser session. Tracking by user session is not as effective as tracking by remote IP if the attacker initiates a new user session for each attack.

12. Click Accept to save the rule chain. A Rule Chain ID is automatically generated.

13. Next, add one or more rules to the rule chain. See Configuring Rules in a Rule Chain for detailed information.
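The counter settings in steps 7 through 11 are easier to reason about when the counting logic is written out. The following Python model is an added illustration and is not SonicWall code; it assumes that the counting window starts at the first matching hit and restarts after Reset Hit Counter Period elapses, that once Max Allowed Hits is reached every further hit in the window also triggers the action, and that with neither tracking box checked all matching requests share one counter. The IP addresses, session cookie values and request timings are constructed sample data. The three demo functions reproduce the behaviours the text describes: clients behind a NAT firewall sharing one per-address counter, an attacker defeating per-session tracking by starting a new session for each request, and the counter resetting to zero when the period expires.

```python
# Added illustration of the hit-counter semantics (not SonicWall code).
# Assumptions: fixed window starting at the first hit, restarted after
# Reset Hit Counter Period; every hit at or beyond the threshold triggers.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Request:
    remote_addr: str        # source IP as seen by the appliance (post-NAT)
    session_cookie: str     # per-browser-session tracking cookie value
    matches_chain: bool     # result of evaluating the chain's rules


@dataclass
class RuleChain:
    name: str
    action: str                               # "Prevent", "Detect Only" or "Disabled"
    enable_hit_counters: bool = False
    max_allowed_hits: int = 1
    reset_hit_counter_period: float = 60.0    # seconds
    track_per_remote_address: bool = False
    track_per_session: bool = False
    # counter state per tracking key: (window start time, hits in window)
    counters: Dict[Tuple[str, str], Tuple[float, int]] = field(default_factory=dict)

    def counter_key(self, req: Request) -> Tuple[str, str]:
        # Untracked dimensions collapse to "*", so with neither box checked
        # all matching requests share a single counter (assumption).
        addr = req.remote_addr if self.track_per_remote_address else "*"
        sess = req.session_cookie if self.track_per_session else "*"
        return (addr, sess)

    def evaluate(self, req: Request, now: float) -> Optional[str]:
        """Return 'block', 'log' or None for one request arriving at time `now`."""
        if self.action == "Disabled" or not req.matches_chain:
            return None
        if self.enable_hit_counters:
            key = self.counter_key(req)
            start, hits = self.counters.get(key, (now, 0))
            if now - start > self.reset_hit_counter_period:
                start, hits = now, 0          # period elapsed: counter reset to zero
            hits += 1
            self.counters[key] = (start, hits)
            if hits < self.max_allowed_hits:
                return None                   # Max Allowed Hits not reached yet
        return "block" if self.action == "Prevent" else "log"


def demo_nat_shared_counter() -> List[Optional[str]]:
    """Three clients behind one NAT address: they share a counter and the third hit blocks."""
    chain = RuleChain("login-flood", "Prevent", enable_hit_counters=True,
                      max_allowed_hits=3, reset_hit_counter_period=10.0,
                      track_per_remote_address=True)
    nat_ip = "203.0.113.5"                    # constructed sample address
    reqs = [Request(nat_ip, f"sess-{i}", True) for i in range(3)]
    return [chain.evaluate(r, float(t)) for t, r in enumerate(reqs)]


def demo_session_rotation() -> List[Optional[str]]:
    """Per-session tracking only: a new session per request never reaches the threshold."""
    chain = RuleChain("login-flood", "Detect Only", enable_hit_counters=True,
                      max_allowed_hits=3, reset_hit_counter_period=10.0,
                      track_per_session=True)
    reqs = [Request("198.51.100.7", f"sess-{i}", True) for i in range(5)]
    return [chain.evaluate(r, float(t)) for t, r in enumerate(reqs)]


def demo_window_reset() -> List[Optional[str]]:
    """Two hits, a pause longer than the period, then three more: only the last blocks."""
    chain = RuleChain("login-flood", "Prevent", enable_hit_counters=True,
                      max_allowed_hits=3, reset_hit_counter_period=10.0,
                      track_per_remote_address=True)
    req = Request("198.51.100.7", "sess-0", True)
    return [chain.evaluate(req, t) for t in (0.0, 1.0, 20.0, 21.0, 22.0)]


if __name__ == "__main__":
    print("NAT clients share a counter:", demo_nat_shared_counter())
    print("Session rotation evades per-session limit:", demo_session_rotation())
    print("Counter resets after the period:", demo_window_reset())
```

The session-rotation demo is the case the text warns about in step 11: with only Track Per Session enabled, each request lands on a fresh counter, so the threshold is never reached. Enabling Track Per Remote Address alongside it keys the counter on the address as well and closes that gap for a single-address attacker.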

Cloning a Rule Chain

To clone a rule chain:

1. On the Web Application Firewall > Rules page, click its Clone Rule Chain icon under Configure.

2. Click OK in the confirmation dialog box.

You can now edit the rule chain to customize it. See Adding or Editing a Rule Chain.

Deleting a Rule Chain

Note Deleting a rule chain also deletes all the associated rules.

To delete a rule chain:

1. On the Web Application Firewall > Rules page, click the Delete Rule Chain icon under Configure for the rule chain you want to delete.

2. Click OK in the confirmation dialog box.

3. Click Accept.

Correcting Misconfigured Rule Chains

Misconfigured rule chains are not automatically detected at the time of configuration. When a misconfiguration occurs, the administrator must log in and fix or delete the bad rules.

Note If any rules or rule chains are misconfigured, the appliance will not enforce any custom rules or rule chains.

It is difficult to detect a false positive from a misconfigured rule chain unless a user runs into it and reports it to the administrator. If the rule chain has been set to PREVENT, then the user will see the Web Application Firewall block page (as configured on the Web Application Firewall > Settings page). If not, there will be a log message indicating that the “threat” has been detected.

Consider a scenario in which the administrator inadvertently creates a custom rule chain that blocks access to all portals of the SRA appliance. For example, the admin may have wanted to enforce a rule for an Application Offloading portal but forgot to add a second rule narrowing the match to requests for that portal, host, or URL. Because the first rule is too broad, the result is a denial of service for the appliance itself. Specifically, the administrator creates a rule chain to deny use of the GET HTTP method for a specific URL that expects a POST request.

For this, the administrator needs to create two rules:

1. The first rule is to match GET requests.

2. The second rule is to match a specific URL.

If the administrator forgets to create the second rule, then access to the SRA appliance will be denied, because the Web management interface depends on the GET method.
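The lockout above follows from how the two rules combine. The following Python model is an added illustration, not SonicWall code; it assumes that a rule chain matches a request only when every rule in the chain matches (the rules are ANDed, which is why the second rule narrows the match), that a Prevent chain blocks whatever it matches, and it uses a constructed offloaded-portal path (/portal/upload-form) and constructed sample traffic. It shows the one-rule chain blocking the management welcome page and the two-rule chain blocking only the intended GET, and adds a pre-save sanity check an administrator can run mentally: would this chain match a GET for /cgi-bin/welcome?

```python
# Added illustration of rule-chain matching (not SonicWall code).
# Assumption: a chain matches only when all of its rules match (AND).
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Request:
    method: str
    path: str


Rule = Callable[[Request], bool]


def method_is(method: str) -> Rule:
    """Rule matching one HTTP method (the first rule in the scenario)."""
    return lambda req: req.method == method


def path_is(path: str) -> Rule:
    """Rule matching one URL path (the narrowing second rule)."""
    return lambda req: req.path == path


@dataclass
class RuleChain:
    name: str
    action: str          # "Prevent", "Detect Only" or "Disabled"
    rules: List[Rule]

    def matches(self, req: Request) -> bool:
        # Every rule in the chain must match for the chain to match.
        return bool(self.rules) and all(rule(req) for rule in self.rules)


def decide(chains: List[RuleChain], req: Request) -> Tuple[str, Optional[str]]:
    """Return ('block', chain name) for the first Prevent chain that matches, else ('allow', None)."""
    for chain in chains:
        if chain.action == "Prevent" and chain.matches(req):
            return "block", chain.name
    return "allow", None


# Constructed sample traffic: the management login page, a GET and a POST to
# the hypothetical offloaded portal form.
TRAFFIC = [
    Request("GET", "/cgi-bin/welcome"),
    Request("GET", "/portal/upload-form"),
    Request("POST", "/portal/upload-form"),
]


def simulate(chain: RuleChain) -> Dict[str, str]:
    """Map each sample request to the decision the chain produces."""
    return {f"{r.method} {r.path}": decide([chain], r)[0] for r in TRAFFIC}


def would_block_management(chain: RuleChain) -> bool:
    """Sanity check before saving: does a Prevent chain match the welcome page GET?"""
    return chain.action == "Prevent" and chain.matches(Request("GET", "/cgi-bin/welcome"))


# Only the first rule: blocks every GET, including the management interface.
BROKEN = RuleChain("no-get-on-upload", "Prevent", [method_is("GET")])
# Both rules: blocks only GET requests for the form that expects a POST.
FIXED = RuleChain("no-get-on-upload", "Prevent",
                  [method_is("GET"), path_is("/portal/upload-form")])

if __name__ == "__main__":
    for chain in (BROKEN, FIXED):
        print(len(chain.rules), "rule(s):", simulate(chain),
              "locks out admin:", would_block_management(chain))
```

The check in would_block_management is the defensive habit the scenario calls for: before clicking Accept on a Prevent chain, confirm that its combined rules cannot match the request the management interface itself depends on.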

To fix a misconfigured rule chain, perform the following tasks:

1. Point your browser to https://<SRA IP>/cgi-bin/welcome.

If you try to reach the welcome page by simply using the URL https://<SRA IP>/, the usual redirect to https://<SRA IP>/cgi-bin/welcome may not work. To repair misconfigured rules, you need to explicitly go to https://<SRA IP>/cgi-bin/welcome, where <SRA IP> is the host name or IP address of your SRA appliance.

2. Log in as admin.

3. Navigate to the Web Application Firewall > Rules page.

4. Edit or delete the bad rules.

5. Click Accept.