Signatures in WAF Policy

Overview

The final step in WAF processing is a signature check. Core Rule Sets (CRS) can be configured under the Signatures tab. Custom rules can also be configured to run before or after the CRS. This article shows how to configure pre-CRS, CRS, and post-CRS rules.

Pre-CRS Rules

The custom rules that are applied before the supplied OWASP Core Rule Set (CRS) are called Pre-CRS rules.

To define Pre-CRS rules,

  1. From the Avi UI, navigate to Templates > WAF > WAF Policy and click on Create, or edit an existing WAF Policy.
  2. Enter the required details under the Settings tab.
  3. Click on the Signatures tab.
  4. Under Pre-CRS rules, click on Create Group.
  5. Enter the Group Name. Every rule is configured within a group.
  6. Click on the Create Rule button.
  7. Enter a Name for the rule.
  8. Select a mode:
    i) Policy Mode: When Detection or Enforcement can’t be applied, the policy mode is used. For the policy mode to take effect, the WAF Policy should allow delegation.
    ii) Detection: WAF rules will be processed but HTTP transactions will not be intercepted. Any rule configured to intercept HTTP transactions will be bypassed.
    iii) Enforcement Mode: WAF rules are processed and HTTP transactions intercepted, as per the rules configured.
  9. Enter the Rule in the text box.
  10. Click on the Create Group button. The Pre-CRS rule is then listed under the group.
  11. Click on the toggle button to enable the rule.

Exceptions

Exceptions are a common way of tuning a WAF policy to work with an application. They are normally created when an application’s regular traffic matches specific WAF rules. Other common reasons for creating exceptions are:

  • False-positive mitigation.
  • Applications that do not conform to the System-WAF-Policy.
  • Applications transmitting data that can look like an attack, for instance HTML content in query parameters.
  • Applications with special requirements that the policy does not allow, for instance accessing the application on its direct IP address.

You can use Avi Vantage’s recommendation system to create exceptions, or add them manually.

To define an exception manually,

  1. Click on +Add Exception to manually configure exceptions.
  2. Configure exceptions for an IP address/subnet, a path, or any match element. For example: Subnet 10.0.0.0/8, Path /admin, Match Element REQUEST_BODY.
  3. Configure the following options for Path and Match Element, as required:
    i) Case Sensitive - The case of the characters has to match for the exception to apply.
    ii) Regex Match - The configured string is treated as a regular expression pattern, which has to match for the exception to apply.

    Note: Exceptions can be created on a group level or a rule level.

    The rule configured with exceptions is then listed under its group together with those exceptions.

As another example, if the exception specifies a match element such as ARGS:xyz, a request matching the IP and Path only has ARGS:xyz removed while the rule is processed. The rule itself still runs, but ARGS:xyz is not used in evaluating it.
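The following is an added example (not Avi's own code) that models the exception semantics described above: an exception is scoped by subnet and/or path, honours the Case Sensitive and Regex Match options, and, when it names a match element, strips only that element from the rule's targets while the rule still runs. The class and function names are hypothetical; the assumption that an applicable exception with no match element skips the whole rule is labelled in the code.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class WafException:
    """Constructed model of one exception: scope by subnet and/or path,
    optionally narrowed to a single match element such as ARGS:xyz.
    Hypothetical class, not the product's data model."""
    subnet: Optional[str] = None
    path: Optional[str] = None
    match_element: Optional[str] = None
    case_sensitive: bool = True   # the "Case Sensitive" option
    regex_match: bool = False     # the "Regex Match" option


def _matches(pattern: str, value: str, case_sensitive: bool, regex: bool) -> bool:
    """Compare a configured Path or Match Element against a request value."""
    if regex:
        return re.search(pattern, value, 0 if case_sensitive else re.IGNORECASE) is not None
    return pattern == value if case_sensitive else pattern.lower() == value.lower()


def applies(exc: WafException, client_ip: str, path: str) -> bool:
    """True when the request falls inside the exception's IP and path scope."""
    if exc.subnet and ipaddress.ip_address(client_ip) not in ipaddress.ip_network(exc.subnet):
        return False
    if exc.path and not _matches(exc.path, path, exc.case_sensitive, exc.regex_match):
        return False
    return True


def targets_for_rule(rule_targets, request, exceptions):
    """Return the match elements the rule still inspects for this request.
    An applicable exception that names a match element removes only that
    element (the rule still runs). One without a match element is assumed
    to skip the rule entirely, signalled here by an empty list."""
    remaining = list(rule_targets)
    for exc in exceptions:
        if not applies(exc, request["client_ip"], request["path"]):
            continue
        if exc.match_element is None:
            return []
        remaining = [t for t in remaining
                     if not _matches(exc.match_element, t, exc.case_sensitive, exc.regex_match)]
    return remaining


# Constructed sample matching the article: Subnet 10.0.0.0/8, Path /admin, element ARGS:xyz
ADMIN_EXCEPTION = WafException(subnet="10.0.0.0/8", path="/admin", match_element="ARGS:xyz")
```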

The following steps are for a recommended workflow to configure exceptions:

  1. Use WAF Log Analytics to find possible false-positives.
    • False-positives may occur in large numbers and for different client IP addresses.
    • To understand the context for false-positives, consult the application owner if possible.
  2. In the log, choose the WAF hit entry that you want to add the exception for, and click on + Add Exception.
    • The modal dialog will generate a set of suggested values.
    • These values are pre-computed from the log entry and related findings.
  3. Save the exception to apply it to the policy.


CRS Rules

The CRS Rules section is where the Avi supplied OWASP CRS policy is configured. It covers protection against the OWASP Top Ten attack categories.

Note: If the CRS version is updated, all new CRS rules will be in Detection mode. With this, you can update the CRS ruleset without any risk in production. However, these new rules must be moved into Enforcement mode (or inherited policy mode) manually.

All updated rules will continue to remain in the same mode and the existing exclusions will be applied to the rules.

To update CRS Rules,

  1. Under the Signatures tab, scroll down to the CRS Rules section.
  2. Click on the required CRS Version to select it.
  3. The change log is displayed. Click on Confirm to update the CRS version. The updated CRS Rules are then listed.

  4. Click on the toggle buttons to enable/disable a rule listed under the rule set.
  5. Click on Save to update the changes.

Auto Update of CRS Rules

Starting with NSX Advanced Load Balancer 22.1.3, support for auto update of CRS rules is available. The following two checkboxes have been introduced in NSX Advanced Load Balancer for CRS auto update:

  • Enable CRS auto-update — The corresponding flag for the CLI is auto_update_crs.
  • Enable all new rules in Detection mode — The corresponding flag for the CLI is updated_crs_rules_in_detection_mode.

Enable CRS auto-update

If the Enable CRS auto-update option is selected, the system tries to keep the CRS version used in this policy up-to-date. If a newer CRS object is available on the Controller, the system initiates the CRS upgrade process for this WAF Policy. It will not update policies whose current CRS version is set to CRS-VERSION-NOT-APPLICABLE.

The Enable CRS auto-update checkbox is available on the Signatures tab under Templates > WAF > WAF Policy.

You can log in to the Avi Controller and use the show wafpolicy <policy name> command to check the status of the auto_update_crs flag.

[admin:controller]: > show wafpolicy Test-1 | grep crs
| waf_crs_ref                             | CRS-2022-2                                     |
| auto_update_crs                         | False                                          |
| updated_crs_rules_in_detection_mode     | True                                           |
[admin:controller]: >

Enable all new rules in Detection mode

While updating CRS, by default the new rules are added in Detection mode. As of NSX Advanced Load Balancer 22.1.3, a CRS update will only treat new rules differently if the Policy is in ENFORCEMENT mode. In this case the update sets the new rules to DETECTION mode by adding CRS overrides for them. If the updated_crs_rules_in_detection_mode flag is not set, or if the policy mode is DETECTION, rules are added without new CRS overrides. The flag is used both for auto_update_crs (CLI) and for the UI-based CRS update workflow. The Enable all new rules in Detection mode checkbox is available under Templates > WAF > WAF Policy > Signatures, next to the checkbox described in the previous section.
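The following is an added example (not the product's own code) that models the update behaviour just described: auto-update is skipped when the flag is off or the policy is pinned to CRS-VERSION-NOT-APPLICABLE, existing rules keep their mode and exclusions across an update, and new rules receive a DETECTION override only when updated_crs_rules_in_detection_mode is set and the policy is in ENFORCEMENT mode. The class, field layout and the placeholder CRS version name are hypothetical.

```python
from dataclasses import dataclass, field

ENFORCEMENT, DETECTION = "ENFORCEMENT", "DETECTION"
NOT_APPLICABLE = "CRS-VERSION-NOT-APPLICABLE"


@dataclass
class WafPolicy:
    """Constructed model of the policy fields the article discusses
    (hypothetical layout, not the product's object schema)."""
    mode: str
    waf_crs_ref: str
    auto_update_crs: bool
    updated_crs_rules_in_detection_mode: bool
    crs_rule_ids: set
    crs_overrides: dict = field(default_factory=dict)  # rule id -> mode override
    exclusions: dict = field(default_factory=dict)     # rule id -> list of exceptions


def should_auto_update(policy: WafPolicy, newest_crs_ref: str) -> bool:
    """Auto-update runs only when the flag is set, the policy is not pinned to
    CRS-VERSION-NOT-APPLICABLE, and the Controller offers a different CRS
    (assumed here to be the newer one)."""
    if not policy.auto_update_crs or policy.waf_crs_ref == NOT_APPLICABLE:
        return False
    return newest_crs_ref != policy.waf_crs_ref


def apply_crs_update(policy: WafPolicy, new_crs_ref: str, new_rule_ids) -> set:
    """Move the policy to new_crs_ref and return the ids of the rules that are new.
    Existing rules keep their overrides and exclusions untouched. New rules get a
    DETECTION override only if the flag is set and the policy is in ENFORCEMENT
    mode; otherwise they are added without an override and inherit the policy mode."""
    new_rule_ids = set(new_rule_ids)
    added = new_rule_ids - policy.crs_rule_ids
    if policy.updated_crs_rules_in_detection_mode and policy.mode == ENFORCEMENT:
        for rid in added:
            policy.crs_overrides[rid] = DETECTION
    policy.waf_crs_ref = new_crs_ref
    policy.crs_rule_ids = new_rule_ids
    return added


def effective_mode(policy: WafPolicy, rule_id: str) -> str:
    """A rule's own override wins; otherwise the rule runs in the policy's mode."""
    return policy.crs_overrides.get(rule_id, policy.mode)
```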

You can log in to the Avi Controller and use the show wafpolicy <policy name> command to check the status of the updated_crs_rules_in_detection_mode flag; the same output shown in the previous section includes this flag.

Post-CRS Rules

The custom rules that are applied after the supplied OWASP Core Rule Set (CRS) are configured under Post-CRS rules.

To configure post-CRS rules,

  1. Under the Signatures tab, scroll down to the Post-CRS Rules section.
  2. Create Groups and Rules as discussed in the Pre-CRS Rules section.
  3. Click on Save.