Add exception

(only available for the HTTP based business application rules) This page describes how to specify path exceptions for the web servers.

  1. Click Add new exception.
  2. Specify exception details.
    Path Specify the path which you want to exclude.
    Operation Select the operation among AND or OR for Path and Source.
    Source Specify the source networks where the client request comes from and which are to be exempted from the selected check(s).
  3. Choose checks to skip.
    Cookie signing Click to skip cookie signing. Cookie signing protects a web server against manipulated cookies. When the web server sets a cookie, a second cookie is added to the first cookie containing a hash built of the primary cookie’s name, its value and a secret, where the secret is only known by the WAF. Thus, if a request cannot provide a correct cookie pair, there has been some sort of manipulation and the cookie will be dropped.
    Static URL hardening Protects against URL rewriting. When a client requests a website, all static URLs of the website are signed. The signing uses a similar procedure as with cookie signing. Additionally the response from the web server is analyzed in respect to the links that can be validly requested next.
    Form hardening Click to skip form hardening. Form hardening protects against web form rewriting. Form hardening saves the original structure of a web form and signs it. Therefore, if the structure of a form has changed when it is submitted the WAF rejects the request.
    Anti-virus Select this option to protect a web server against viruses.
    Block clients with bad reputation Based on GeoIPClosed and RBLClosed information you can block clients which have a bad reputation according to their classification.
  4. Choose categories to skip.
    Protocol violations Enforces adherence to the RFC standard specification of the HTTP protocol. Violating these standards usually indicates malicious intent.
    Protocol anomalies Searches for common usage patterns. Lack of such patterns often indicates malicious requests. These patterns include, among other things, HTTP headers like “Host” and “User-Agent”.
    Request limits Enforces reasonable limits on the amount and ranges of request arguments. Overloading request arguments is a typical attack vector.
    HTTP policy Narrows down the allowed usage of the HTTP protocol. Web browsers typically use only a limited subset of all possible HTTP options. Disallowing the rarely used options protects against attackers aiming at these often less well supported options.
    Bad robots Checks for usage patterns characteristic of bots and crawlers. By denying them access, possible vulnerabilities on your web servers are less likely to be discovered.
    Generic attacks Searches for attempted command executions common to most attacks. After having breached a web server, an attacker usually tries to execute commands on the server like expanding privileges or manipulating data stores. By searching for these post-breach execution attempts, attacks can be detected that might otherwise have gone unnoticed, for example because they targeted a vulnerable service by the means of legitimate access.
    SQL injection attacks Checks for embedded SQL commands and escape characters in request arguments. Most attacks on web servers target input fields that can be used to direct embedded SQL commands to the database.
    XSS attacks Checks for embedded script tags and code in request arguments. Typical cross-site scripting attacks aim at injecting script code into input fields on a target web server, often in a legitimate way.
    Tight security Performs tight security checks on requests, like checking for prohibited path traversal attempts.
    Trojans Checks for usage patterns characteristic of trojans, thus searching for requests indicating trojan activity. It does not, however, prevent the installation of such trojans as this is covered by the antivirus scanners.
    Outbound Prevents web servers from leaking information to the client. This includes, among other things, error messages sent by servers which attackers can use to gather sensitive information or detect specific vulnerabilities.
  5. Specify advanced settings.
    Never change HTML during static URL hardening or form hardening If selected, no data matching the defined exception settings will be modified by the WAF engine. With this option, e.g., binary data wrongly supplied with a text/html content type by the web server will not be corrupted. On the other hand, web requests may be blocked due to activated URL hardening, HTML rewriting, or form hardening. Those three features use an HTML parser and therefore to some extent depend on the modification of web page content. To prevent undesired blocking, skip URL hardening and/or form hardening for requests affected by blocking; you might need to do this in another/new exception to reflect dependencies between web servers and/or web pages.
    Accept unhardened form data Even though having an exception for form hardening, it is possible that form data will not be accepted if the form hardening signature is missing. With this option, unhardened form data will be accepted anyway.
  6. Click Save.