AWS WAF v2 | Old Plan | New Plan | Legacy | Advanced | Feature / Spec.
Rule configuration in the WAF Config is where each rule type is configured from the WafCharm Console. The rule policy you choose determines which rule configurations are available in the WAF Config.
In both rule policies, the [Next] button stays disabled while the configuration is incomplete. If you cannot click [Next] on the [Rule configuration] page, double-check every rule configuration field.
After you’ve completed the initial configuration, you can click the [Edit] button on the details page to change or add configurations.
There are two types of rule policies: Advanced and Legacy.
Advanced: This is a new rule structure released with the WafCharm Console. It allows the configuration of rules such as rate-based rules, geo-match rules, and bot rules. This feature is only available for the new plan.
Legacy: The rule structure carried over from the old WafCharm Dashboard. It allows the configuration of IP address-related rules and is available for both old and new plans.
If you choose to use the Advanced rule policy, the rule configurations below will be available.
If you choose to use the Legacy rule policy, the rule configurations below will be available.
A configuration to control IP address-based rules.
Allows requests from registered IP addresses.
Blocks requests from registered IP addresses.
Select the action for the dynamic denylist rule, whose entries are added and removed automatically by WafCharm features.
IP addresses are added to/deleted from the dynamic denylist using the two features listed below. For more details, please refer to the About Denylist and Allowlist page.
*This feature is only available for the Advanced rule policy. This section is unavailable for the Legacy rule policy.
A configuration that specifies which IP address in the request is inspected. The same setting applies to both the Allowlist and the Denylist.
[Source IP] is selected by default. If you want to inspect a specific header instead, change the configuration with the steps below.
[X-Forwarded-For] is entered by default. Change the header name as needed.
When the header contains a comma-separated list of IP addresses, this field determines whether the first (leftmost) or last (rightmost) address in the list is evaluated. Keep in mind that a client can send any value in a forwarded-IP header; only the entries appended by a proxy you control are trustworthy, so choose the position that corresponds to the address your own proxy adds.
A configuration to control geo-match rules.
With this configuration, you can add a geo-match rule for specific use cases.
For example, if your web service is only available for users in Japan, you can apply a rule to block requests that are not coming from Japan.
The country a request comes from is determined from its IP address. Please specify which IP address in the request to use.
If you want to use the same setting as [IP address to use] from the IP addresses configuration, please check the [Use the same IP address configuration] checkbox.
If you want to change the IP address to use for the geo-match rule, choose an option from [Source IP] or [Specific header].
Once you have selected and entered all the options, the geo-match rule is applied to your web ACL when you complete the WAF Config configuration.
If you want to cancel the geo-match rule, uncheck the [Enable geo-match rule] checkbox.
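An added example (not WafCharm's or AWS's code) in Python showing how the [IP address to use] setting and the geo-match rule interact on a request whose X-Forwarded-For header already held a client-written entry before the proxy appended the address it saw. The request, the prefix-to-country table and the rule order (allowlist, then denylist, then geo-match) are constructed assumptions for this example; in a real deployment AWS WAF supplies the country lookup.

```python
import ipaddress

# Constructed request, modelled on what a proxy hands to AWS WAF. The leftmost
# X-Forwarded-For entry was written by the client; the rightmost one was
# appended by the proxy in front of the web ACL (assumption for the example).
REQUEST = {
    "source_ip": "192.0.2.10",
    "headers": {"Host": "example.com",
                "X-Forwarded-For": "203.0.113.5, 198.51.100.7"},
}

# Constructed stand-in for the GeoIP data AWS WAF uses (assumption, not real).
COUNTRY_BY_PREFIX = {
    "203.0.113.0/24": "JP",
    "198.51.100.0/24": "US",
    "192.0.2.0/24": "US",
}


def client_ip(request, use="source_ip", header_name="X-Forwarded-For",
              position="first"):
    """Pick the address a rule inspects, following [IP address to use].

    use="source_ip" returns the connection peer; use="header" reads
    header_name and takes the first (leftmost) or last (rightmost) entry.
    Returns None when the header option is selected but no usable address
    is present (the situation AWS WAF covers with its fallback behaviour).
    """
    if use == "source_ip":
        return request["source_ip"]
    raw = next((v for k, v in request["headers"].items()
                if k.lower() == header_name.lower()), None)
    if raw is None:
        return None
    parts = [p.strip() for p in raw.split(",") if p.strip()]
    if not parts:
        return None
    candidate = parts[0] if position == "first" else parts[-1]
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None  # e.g. "unknown" or garbage written by the client


def in_cidrs(ip, cidrs):
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def country_of(ip):
    for prefix, country in COUNTRY_BY_PREFIX.items():
        if in_cidrs(ip, [prefix]):
            return country
    return None


def evaluate(request, allowlist, denylist, allowed_countries, **ip_opts):
    """Apply allowlist, denylist and geo-match in that order (the order is an
    assumption of this example, not documented WafCharm behaviour).
    Returns (action, inspected_ip, reason); CONTINUE means no rule matched."""
    ip = client_ip(request, **ip_opts)
    if in_cidrs(ip, allowlist):
        return ("ALLOW", ip, "allowlist")
    if in_cidrs(ip, denylist):
        return ("BLOCK", ip, "denylist")
    if ip is None:
        # Header missing or unparsable: treated as no match here (assumption;
        # AWS WAF lets you pick MATCH or NO_MATCH as the fallback).
        return ("CONTINUE", ip, "fallback")
    if country_of(ip) not in allowed_countries:
        return ("BLOCK", ip, "geo-match")
    return ("CONTINUE", ip, "no match")


if __name__ == "__main__":
    deny = ["192.0.2.0/24"]
    print("source ip :", evaluate(REQUEST, [], deny, {"JP"}))
    for pos in ("first", "last"):
        print(f"header/{pos}:", evaluate(REQUEST, [], deny, {"JP"},
                                         use="header", position=pos))
```

With [Source IP] the denylist blocks the request on 192.0.2.10. With the header and [first], the rule trusts the client-written 203.0.113.5 and lets the request through as Japanese traffic; with [last] it inspects the proxy-appended 198.51.100.7 and the geo-match rule blocks it. Which position is correct depends on which entry your own proxy writes.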
A configuration to control rate-based rules, used to mitigate bots and DoS attacks.
You can add a rule for a specific use case or customize it to your own needs.
If you want to change the immunity time used by the CAPTCHA and Challenge actions from the default value (300 seconds), please create a rule from the AWS management console or request customization from the WafCharm support team.
[Rate calculation key] specifies which key AWS WAF uses to aggregate requests. If you choose [IP address], requests from the same IP address are counted together and the action is applied once the count exceeds the threshold. The [Inspect the IP address in] option works the same way as [IP address to use] in the IP address configuration (Reference: IP address to use).
If you choose [Session ID], requests are aggregated by the value of a session ID found in the query string, a header, or a Cookie, and the action is applied once the count exceeds the threshold.
For example, if a session ID is included in the query string as [name=key_value] format, select [Query] for the [Use the Session ID in] field and enter [name] for the [Session ID key to use in Query] field. This configuration will allow the rate-based rule to apply restrictions when a large number of requests come from the same session ID.
*You specify the name of the session ID key (name) when creating the rate-based rule, but requests are aggregated by the value of that key (i.e., key_value), so every request carrying the same value is counted together.
Please refer to the Rate-based rule aggregation options and keys page in the AWS document for more information about the aggregation keys used in the rate-based rules.
Once you have selected and entered all the options, rate-based rules will be applied to your web ACL once you complete the WAF Config configuration.
If you want to cancel the rate-based rule, click the garbage can icon on the bottom right corner of each rule section to delete the configuration.
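An added example (not WafCharm's or AWS's code) in Python that replays constructed traffic through a simplified rate-based rule, first aggregating by IP address and then by the value of a session ID key taken from the query string, a header, or a Cookie. The traffic, the key name sid, the threshold of 5 and the 300-second window are assumptions chosen to keep the example short; AWS WAF enforces a higher minimum limit, and the sliding-window count below is only an approximation of how AWS WAF evaluates the window.

```python
from collections import defaultdict, deque
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed traffic: (timestamp in seconds, client IP, URI, headers).
# One browser session (sid=s-legit) and one bot that rotates its source IP
# on every request but reuses a single session ID (sid=s-bot). Not real logs.
TRAFFIC = [
    (0, "198.51.100.10", "/search?q=x&sid=s-legit", {}),
    (1, "198.51.100.10", "/search?q=y&sid=s-legit", {}),
] + [
    (2 + i, f"203.0.113.{i}", "/login?sid=s-bot", {}) for i in range(7)
] + [
    (12, "198.51.100.11", "/health", {}),  # carries no session ID at all
]


def session_key(uri, headers, location, name):
    """Return the value of the session ID key `name` found in `location`
    ("query", "header" or "cookie"), or None when it is absent.
    The rule is configured with the key name; aggregation uses the value."""
    if location == "query":
        values = parse_qs(urlsplit(uri).query).get(name)
        return values[0] if values else None
    if location == "header":
        return next((v for k, v in headers.items()
                     if k.lower() == name.lower()), None)
    if location == "cookie":
        jar = SimpleCookie()
        jar.load(headers.get("Cookie", ""))
        return jar[name].value if name in jar else None
    raise ValueError(f"unknown location {location!r}")


def aggregation_key(ip, uri, headers, key_type, location=None, name=None):
    """[Rate calculation key]: "ip" counts per client IP, "session" counts per
    session ID value. Returns None when the session ID is missing."""
    if key_type == "ip":
        return ip
    return session_key(uri, headers, location, name)


def apply_rate_rule(traffic, limit, window, key_type, location=None, name=None):
    """Replay traffic in time order. Returns a list of (ts, key, action) where
    action is BLOCK once a key has more than `limit` requests within `window`
    seconds, PASS otherwise, and NOT_AGGREGATED when the key is absent
    (such requests are not counted; assumption mirroring custom keys)."""
    recent = defaultdict(deque)
    results = []
    for ts, ip, uri, headers in sorted(traffic, key=lambda r: r[0]):
        key = aggregation_key(ip, uri, headers, key_type, location, name)
        if key is None:
            results.append((ts, None, "NOT_AGGREGATED"))
            continue
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop requests that fell out of the window
        results.append((ts, key, "BLOCK" if len(q) > limit else "PASS"))
    return results


def blocked(results):
    """Set of aggregation keys that were blocked at least once."""
    return {key for _, key, action in results if action == "BLOCK"}


if __name__ == "__main__":
    by_ip = apply_rate_rule(TRAFFIC, limit=5, window=300, key_type="ip")
    by_sid = apply_rate_rule(TRAFFIC, limit=5, window=300,
                             key_type="session", location="query", name="sid")
    print("blocked by IP address:", blocked(by_ip))
    print("blocked by session ID:", blocked(by_sid))
```

Aggregating by IP address never trips the threshold because the bot spreads seven requests over seven addresses, whereas aggregating by the sid value blocks its sixth and seventh request; the /health request, which has no sid, is not counted at all.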
A configuration to control bot rules. If you enable bot rules, WafCharm will apply the original bot rules to your web ACL.
The bot rule categories are as follows. You can choose an action for each category.
You can choose from the four actions listed below.
The bot rules will be applied to your web ACL once you complete the WAF Config configuration.
If you enable bot rules, all available categories are enabled. Categories cannot be disabled individually, so if you want to avoid blocking requests that match a specific bot category, use the Count action for it. The Count action only records that a request matched the rule and does not block it; if the request matches no other rule, it is eventually allowed.
A configuration to control WafCharm's original rules, which use regular expressions (regex).
These rules are provided by default, so there is no option to enable/disable them. However, you can choose an action for each rule.
You can choose from the four actions listed below.
A specific rule cannot be disabled. If you want to avoid blocking requests that match a specific rule, or if false positives require you to quickly allow certain requests, choose the Count action for the rule that is blocking them.
The Count action only records that a request matched the rule and does not block it; if the request matches no other rule, it is eventually allowed.
A configuration to control specific conditions to exclude from the rules provided by WafCharm.
WafCharm provides a feature that dynamically updates the denylist by re-matching its signatures against the logs it collects.
With this feature, an IP address is added to the denylist when a request from it matches a signature. If there are IP addresses that you do not want registered in the denylist, but whose requests should still be inspected by the other WafCharm rules, use the exception option to exclude those IP addresses from being added to the denylist.
The configuration is applied once you complete the WAF Config configurations.
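An added example (not WafCharm's code) in Python of the re-match-and-exclude logic described above: signatures are run over log records, matching client IPs are appended to a denylist, and addresses inside an exception prefix are reported but never added. The log records are constructed in the shape of AWS WAF logs (only the fields the example reads), and the two signatures stand in for WafCharm's, which this page does not publish.

```python
import ipaddress
import json
import re

# Constructed records in the shape of AWS WAF logs; not real traffic.
LOG_LINES = [
    json.dumps({"timestamp": 1700000000000, "action": "ALLOW",
                "httpRequest": {"clientIp": "203.0.113.9", "uri": "/items",
                                "args": "id=1 UNION SELECT user,pass FROM users"}}),
    json.dumps({"timestamp": 1700000001000, "action": "ALLOW",
                "httpRequest": {"clientIp": "198.51.100.20",
                                "uri": "/static/../../etc/passwd", "args": ""}}),
    json.dumps({"timestamp": 1700000002000, "action": "ALLOW",
                "httpRequest": {"clientIp": "192.0.2.3", "uri": "/items",
                                "args": "id=2"}}),
    json.dumps({"timestamp": 1700000003000, "action": "ALLOW",
                "httpRequest": {"clientIp": "203.0.113.9", "uri": "/items",
                                "args": "id=3"}}),
]

# Constructed signatures (assumption); WafCharm's real signatures are not on this page.
SIGNATURES = {
    "sqli-union-select": re.compile(r"(?i)\bunion\b\s+(?:all\s+)?\bselect\b"),
    "path-traversal": re.compile(r"(?:^|/)\.\.(?:/|$)"),
}


def matched_signatures(record, signatures=SIGNATURES):
    """Names of the signatures that match the request's URI and query string."""
    req = record["httpRequest"]
    target = req.get("uri", "") + "?" + req.get("args", "")
    return [name for name, rx in signatures.items() if rx.search(target)]


def in_exceptions(ip, exceptions):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in exceptions)


def update_denylist(log_lines, denylist, exceptions, signatures=SIGNATURES):
    """Re-match signatures against each log record.

    Returns (new_denylist, report); report maps each client IP that matched to
    {"status": "added" | "already listed" | "excepted", "signatures": [...]}.
    Excepted addresses are never added, but their matches are still reported
    so the other rules (and the operator) can act on them.
    """
    new = list(denylist)
    report = {}
    for line in log_lines:
        record = json.loads(line)
        hits = matched_signatures(record, signatures)
        if not hits:
            continue
        ip = record["httpRequest"]["clientIp"]
        if in_exceptions(ip, exceptions):
            status = "excepted"
        elif ip in new:
            status = "already listed"
        else:
            new.append(ip)
            status = "added"
        entry = report.setdefault(ip, {"status": status, "signatures": []})
        entry["signatures"].extend(hits)
    return new, report


if __name__ == "__main__":
    # 198.51.100.0/24 is treated as an exception, e.g. an internal scanner.
    updated, report = update_denylist(LOG_LINES, ["192.0.2.200"],
                                      ["198.51.100.0/24"])
    print("denylist:", updated)
    for ip, entry in report.items():
        print(ip, entry["status"], entry["signatures"])
```

203.0.113.9 is appended to the denylist after its UNION SELECT request, 198.51.100.20 matches the traversal signature but stays out of the denylist because it falls inside the exception prefix, and 192.0.2.3 never appears in the report because nothing matched.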
The Challenge and CAPTCHA actions behave differently from actions like Block and Count.
The Challenge action runs a silent challenge when a request matches a rule, to verify that the request came from a browser rather than a bot. The request is allowed once the client passes the challenge.
The CAPTCHA action shows a CAPTCHA test when a request matches a rule and allows the request once the client passes the test. When the CAPTCHA action is applied, the CAPTCHA test provided by AWS is shown on the page.
Please keep in mind that the CAPTCHA test is provided by AWS, so you need to decide whether showing it on your web service is acceptable.
Please refer to the AWS documents below for more details on how the rule actions work.
If you want to change the immunity time of the CAPTCHA and Challenge actions from the default value (300 seconds), please create a rule from the AWS management console or request customization from the WafCharm support team.