Add an exception

You can configure path exceptions for web servers. Exceptions apply only to HTTP-based business application rules.

A path exception tells WAF to skip selected security checks for requests whose path matches the exception.
  1. Click Add new exception.
  2. Specify the path you want to exclude.
  3. Select the operation for path and source network.
  4. Select the source network or create new.
  5. Select the security checks to skip.
    Option | Description
    Cookie signing | Prevents cookie manipulation. Web servers send cookies to browsers. When the browser sends a request back to the server, it carries a second cookie alongside the first, containing a hash built from the primary cookie's name, value, and a secret key known only to WAF. If the hash in the second cookie doesn't match the hash WAF calculates from the first cookie, WAF drops the cookie.
    Static URL hardening | Prevents URL rewriting and redirection. When responding to browser requests to your websites, WAF signs static URLs in the same way as cookie signing. It also inspects objects in the web server response and allows a request only when the hash calculated from the URL matches the hash that the URL carries.
    Form hardening | Protects against web form rewriting. WAF saves the original form structure and signs it. If the form structure has changed at the time of submission, WAF rejects the request.
    Antivirus | Protects a web server against viruses. If download scanning is turned on, it also protects clients when the web server sends an infected file.
    Block clients with bad reputation | Blocks clients with a bad reputation based on GeoIP and RBL classification.
  6. Select the categories to skip.
    Option | Description
    Protocol violations | Enforces the HTTP RFC standard. A violation usually indicates malicious intent.
    Protocol anomalies | Detects the absence of common usage patterns, for example HTTP headers such as "Host" and "User-Agent", whose absence indicates malicious requests.
    Request limits | Prevents overload of request arguments by applying reasonable limits to their volume and range.
    HTTP policy | Doesn't allow rarely used HTTP options, preventing attacks on these less-supported options.
    Bad robots | Detects usage patterns of bots and crawlers and denies them access, preventing them from discovering vulnerabilities in your web servers.
    Generic attacks | Detects attempts to execute commands after a breach, for example to expand privileges or manipulate data stores.
    SQL injection attacks | Checks for embedded SQL commands and escape characters in request arguments to prevent malicious SQL queries from reaching the database through input data.
    XSS attacks | Checks for embedded script tags and code in request arguments to prevent cross-site scripting attacks.
    Tight security | Detects prohibited path traversal attempts in requests.
    Trojans | Detects usage patterns of trojans. Note: this doesn't prevent trojan installation. Antivirus engines prevent that.
    Outbound | Prevents information leakage from web servers to clients, for example debug or error information that can reveal vulnerabilities.
  7. Select the advanced settings.
    Option | Description
    Never change HTML during static URL hardening or form hardening | Skips HTML modification for requests matching this exception. For example, binary data that the web server wrongly serves with a text/html content type will not be corrupted. On the other hand, web requests may still be blocked when URL hardening, HTML rewriting, or form hardening is active: those three features use an HTML parser and therefore depend to some extent on modifying web page content. To prevent undesired blocking, also skip URL hardening and form hardening.
    Accept unhardened form data | Skips checking the form signature. This is useful because form data may be rejected when the form hardening signature is missing, even though an exception for form hardening exists.
  8. Click Save.
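The cookie-signing check from step 5, and how a path exception skips it, as an added Python example that is not part of this documentation or of the WAF product. It assumes HMAC-SHA256 as the keyed hash, a companion cookie named `<name>_sig`, and prefix matching as the path operation; the secret key and cookies are constructed sample values.

```python
import hashlib
import hmac

SIG_SUFFIX = "_sig"  # hypothetical name of the companion signature cookie


def sign_cookie(name: str, value: str, key: bytes) -> str:
    """Hash over the cookie's name, value and the WAF-only secret (HMAC-SHA256 assumed)."""
    return hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()


def path_is_excepted(path: str, exceptions: list[dict], check: str) -> bool:
    """An exception is {'path': '/prefix/', 'skip': {'cookie_signing', ...}}; prefix match assumed."""
    return any(path.startswith(e["path"]) and check in e["skip"] for e in exceptions)


def filter_cookies(path: str, cookies: dict, key: bytes, exceptions: list[dict]) -> dict:
    """Return the cookies that survive the signing check; dropped cookies are simply absent."""
    if path_is_excepted(path, exceptions, "cookie_signing"):
        return dict(cookies)  # the exception skips the check entirely for this path
    kept = {}
    for name, value in cookies.items():
        if name.endswith(SIG_SUFFIX):
            continue  # signature cookies are only used to validate their primary cookie
        expected = sign_cookie(name, value, key)
        presented = cookies.get(name + SIG_SUFFIX, "")
        # Constant-time comparison; a missing or mismatching hash drops the cookie.
        if hmac.compare_digest(expected, presented):
            kept[name] = value
    return kept


if __name__ == "__main__":
    key = b"constructed-waf-secret"
    cookies = {
        "session": "abc123",
        "session_sig": sign_cookie("session", "abc123", key),  # valid pair
        "pref": "dark",
        "pref_sig": "tampered",  # hash does not match the cookie's name and value
    }
    print(filter_cookies("/app/", cookies, key, []))  # only 'session' survives
    legacy = [{"path": "/legacy/", "skip": {"cookie_signing"}}]
    print(filter_cookies("/legacy/x", cookies, key, legacy))  # all cookies pass
```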