Create WAF Profile

Use the following procedure to create a WAF profile.

Note

If core rulesets are specified, the core rules cannot be disabled. To disable the core rules, remove all core rulesets from the WAF profile so that they are not evaluated.

Procedure


Step 1

Navigate to Manage > Profiles > WAF.

Step 2

Click Create.

Step 3

Specify the following general settings:

  1. Enter a unique Profile Name.

  2. (Optional) Enter a Description. This may help differentiate between profiles with a similar name.

  3. Specify the action:

    • Rule Default - Allow or deny the requests based on the action specified in each triggered rule and log an event.

    • Allow Log - Allow the requests and log an event.

    • Deny Log - Deny the requests and log an event.

  4. Specify whether to generate a Threat HAR file if the WAF profile detects malicious activity. For this to work, the gateway should have a Pcap profile attached.

  5. Specify whether to generate an HTTP Request HAR file if the WAF profile detects malicious activity.

  6. In the RULE SETS section, in the vertical tab located to the left, click Core Rules. You must specify at least one ruleset from a rules library (Core, Trustwave, Custom):

    • Specify the following:

      • Manual - Specify the core rules version to use.

      • Automatic - Specify the number of days from publish date to delay automatic update to the latest core rules version.

    • Identify the rules you want to add to the profile and click Add to Profile. The selections appear in the table located to the right.

  7. In the vertical tab located to the left, click Trustwave Rules.

    • Specify the following:

      • Disabled - Specify whether to disable the use of Trustwave rules.

      • Manual - Specify the Trustwave rules version to use.

      • Automatic - Specify the number of days from publish date to delay automatic update to the latest Trustwave rules version.

    • Identify the rules you want to add to the profile and click Add to Profile. The selections appear in the Profile Selections table located to the right.

  8. In the vertical tab located to the left, click Custom Rules.

    • Specify one of the following options:

      • Disabled - Specify whether to disable the use of custom rules.

      • Manual - Specify the custom rules version to use.

      • Automatic - Specify the number of days from publish date to delay automatic update to the latest custom rules version.

    • Identify the rules you want to add to the profile and click Add to Profile. The selections appear in the Profile Selections table located to the right.

Step 4

Scroll to the top of the window and click the Advanced Settings tab:

  1. Under "Rule Suppression", click Add to add one or more rows for rules. Rules can be suppressed for a specific IP or a list of CIDRs:

    • For Source IP/CIDR List, provide a comma-separated list of IPs or CIDRs.

    • For Rule ID List, provide a comma-separated list of rule IDs.

  2. Under "Event Filtering" provide the following information:

    • Type - Rate or Sample

    • Number of Events

    • Time (Seconds)

  3. Under "Rule Event Filtering", click Add to add one or more rows for rules. For every new row you create, enter a valid Rule ID List, Number of Events, and Time (Sec), and choose either Rate or Sample as the Type.

  4. Under "Core Rule Set", select a value for both the Request Anomaly and Response Anomaly. Note that using a value less than 3 for the "Request Anomaly" results in a huge volume of alerts.

  5. Select the Paranoia Level. Options range from 1 to 4.

Step 5

Click Save.
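
The Rule Suppression rows in Step 4 take comma-separated lists of IPs/CIDRs and rule IDs, and an overly wide CIDR suppresses a rule for far more traffic than intended. The following Python example is added here and is not product code: it parses such rows, flags broad entries, and shows which source/rule pairs a row covers. The function names, the prefix-length review thresholds, the numeric rule-ID format, and the sample rows are assumptions constructed for illustration.

```python
import ipaddress

def parse_row(source_list, rule_id_list):
    """Parse one Rule Suppression row into (networks, rule_ids)."""
    networks = []
    for item in source_list.split(","):
        # strict=True rejects CIDRs with host bits set (e.g. 10.0.0.5/24),
        # which usually means a typo; a bare IP becomes a /32 or /128.
        networks.append(ipaddress.ip_network(item.strip(), strict=True))
    rule_ids = set()
    for item in rule_id_list.split(","):
        item = item.strip()
        if not item.isdigit():  # assumption: rule IDs are plain integers
            raise ValueError(f"rule ID is not numeric: {item!r}")
        rule_ids.add(int(item))
    return networks, rule_ids

def broad_entries(networks, min_v4=16, min_v6=48):
    """Networks so wide that suppression approaches disabling the rule.
    The prefix limits are illustrative review thresholds, not product limits."""
    return [n for n in networks
            if n.prefixlen < (min_v4 if n.version == 4 else min_v6)]

def is_suppressed(rows, source_ip, rule_id):
    """True if any parsed row suppresses rule_id for source_ip."""
    addr = ipaddress.ip_address(source_ip)
    return any(
        rule_id in rule_ids
        and any(addr.version == n.version and addr in n for n in networks)
        for networks, rule_ids in rows
    )

# Constructed sample rows: (Source IP/CIDR List, Rule ID List)
SAMPLE_ROWS = [
    ("10.20.0.0/24, 192.0.2.15", "100001,100002"),
    ("0.0.0.0/0", "100003"),
]
PARSED = [parse_row(src, ids) for src, ids in SAMPLE_ROWS]

if __name__ == "__main__":
    for (src, ids), (nets, _) in zip(SAMPLE_ROWS, PARSED):
        wide = [str(n) for n in broad_entries(nets)]
        print(f"{src!r} -> rules {ids}: overly broad = {wide or 'none'}")
    print(is_suppressed(PARSED, "10.20.0.77", 100001))  # inside 10.20.0.0/24
    print(is_suppressed(PARSED, "10.20.1.77", 100001))  # outside the /24
```

Running a check like this over planned suppression rows before entering them makes it easier to review exactly which sources each rule is being silenced for.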


What to do next

Attach the profile to a policy rule set. See Rule Sets and Rule Set Groups for more information.