Snapt One provides a default ruleset which can be used as is and does not need any modifications to function correctly.
We advise against changing any settings unless you are an advanced user, as changes can compromise the security of your system and allow exploits. That said, we have tried to make it as simple as possible to get started with the web application firewall module.
You can improve the security of your system and prevent users from attacking it with common security exploits by following the steps set out below.
Here are some terms you need to understand before getting started.
- Ruleset – Global rules used across all your web accelerator front-ends;
- Rules – The individual rules in a ruleset;
- Triggers – Triggers are counters which accumulate a score when a rule has been triggered by a user – these determine how long before a user gets blocked;
- Exceptions – Exceptions are used to define specific criteria for when a rule should not be triggered (usually when a keyword is being used that should not trigger the rule);
- Weights – Weights are the scores assigned to each trigger.
Creating a Ruleset
Rulesets should only be created if there are rules that you wish to modify, add or remove. To make this possible, you can clone the default ruleset, which keeps the current security integrity intact.
Once you have created the ruleset, you can then click “Edit” to make any changes that you might need.
Rulesets are global configurations, so only one can be enabled at a time. Simply click on “Enable” to set the ruleset you want to activate.
Edit will allow you to modify the rules within that ruleset.
Once you have clicked edit, you will be able to edit or delete a core rule. If you delete a default rule, you can add it back from the list right at the bottom.
This list was added to help reset default rules to their original state, or to add them back in case they were removed by accident.
When editing a core rule, you will be able to define the matching criteria, what message should be displayed, in which areas the check should be done, and what this rule will contribute to the total block score.
Creating new Rules
New rules can be created by navigating to WAF -> WAF Management -> Rule Definitions from the main menu.
Using Trigger sets on your Front-end Servers
Triggers define when a user should be blocked by setting the maximum score that can be reached before a user is blocked. Each rule hit adds to the total score for a specific trigger, and when that trigger has hit its maximum score, it will block the user's request.
You are able to create different types of triggers to be used for different front-ends. This is especially useful if you have a front-end which is being blocked because a certain behavior is being seen as malicious. Simply disable the trigger and link it to your front-end.
If you have a specific keyword being used that is being blocked by a rule, you can then create an exception to ignore it. This is referred to as whitelisting.
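The scoring described above, as an added sketch that is not Snapt's code: rule hits add their weight to a trigger's running score, the trigger blocks once its maximum is reached, and an exception keeps a whitelisted keyword from counting as a hit. The names Rule, TriggerSet and inspect, the sample rules and requests, the per-client accumulation, and the way exceptions mask only the keyword are all assumptions of this model.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    pattern: str            # matching criteria (regex)
    areas: tuple            # request areas to check, e.g. ("uri", "args")
    weights: dict           # trigger name -> score added per hit
    exceptions: tuple = ()  # whitelisted keywords, ignored when matching

@dataclass
class TriggerSet:
    max_scores: dict                               # trigger name -> blocking threshold
    scores: Counter = field(default_factory=Counter)  # (client, trigger) -> total

def inspect(request, rules, triggers):
    """Score one request; return (blocked, names of rules that hit)."""
    client, hits = request["client"], []
    for rule in rules:
        for area in rule.areas:
            value = request.get(area, "")
            for keyword in rule.exceptions:
                # Mask only the whitelisted keyword; the rest is still inspected.
                value = re.sub(re.escape(keyword), "", value, flags=re.I)
            if re.search(rule.pattern, value, re.I):
                hits.append(rule.name)
                for trig, weight in rule.weights.items():
                    triggers.scores[client, trig] += weight
                break  # a rule contributes once per request
    blocked = any(triggers.scores[client, t] >= m for t, m in triggers.max_scores.items())
    return blocked, hits

# Constructed sample ruleset and requests (not Snapt's default rules).
RULES = [
    Rule("sql-keywords", r"\b(union|select)\b", ("args",), {"injection": 5},
         exceptions=("select-plan",)),
    Rule("path-traversal", r"\.\./", ("uri", "args"), {"injection": 5}),
]

def demo():
    trig = TriggerSet(max_scores={"injection": 10})
    reqs = [
        {"client": "203.0.113.7", "uri": "/order", "args": "action=select-plan"},
        {"client": "203.0.113.7", "uri": "/order", "args": "action=select-plan' UNION SELECT 1"},
        {"client": "203.0.113.7", "uri": "/../etc/passwd", "args": ""},
    ]
    return [inspect(r, RULES, trig) for r in reqs]
```

In this model the whitelisted keyword alone scores nothing, the same keyword followed by other matching input still scores 5, and the third request brings the client to the maximum of 10 and is blocked.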
Linking trigger to front-end
From your front-end settings, you will now see your trigger available for selection.
This will apply all the settings based on the ruleset rules to your front-end, using the trigger to determine when a user should be blocked.