To maintain compatibility with the Advanced Rule Policy offered by WafCharm, Managed Rules Plus (abbreviated as MR Plus) assumes the following rule priority structure.
- User rules (priority: 0–99)
These are rules applied by you that are not part of CSC Managed Rules or applied by MR Plus. This includes AWS Managed Rules.
Due to system behavior, user rules may automatically move out of this range under certain conditions. If that happens, we kindly ask that you move the rules back to the 0–99 range manually.
When this might occur:
- When registering a new WAF Config
  - If any rules exist in this range during the initial registration, they will be temporarily moved to priority 1000 or higher. The 0–99 range can be used again after WAF Config registration is complete. Please adjust the rule priorities after registration is finished.
- When using the [Change Rule Priority] button
  - If CSC Managed Rules are assigned a priority value lower than 1000, you will be prompted to use the [Change Rule Priority] button. Clicking this button will also move any rules currently in the 0–99 range to priority 1000 or higher.
- MR Plus' Bypass rules (priority: 111)
This rule group contains rules that allow certain requests, such as Allowlist rules that allow specific IP addresses, and exclude those requests from evaluation by subsequent rules.
- MR Plus' Scoping rules (priority: 301)
This rule group includes rules that restrict incoming requests, such as Denylist rules that block specific IP addresses.
- User rules (priority: 1000 or higher)
These are rules applied by you that are not part of CSC Managed Rules or applied by MR Plus. This includes AWS Managed Rules. User rules may be positioned before or after the CSC Managed Rules.
- CSC Managed Rules (priority: 1000 or higher)
- User rules (priority: 1000 or higher)
The same kind of user rules as above; they may be positioned either before or after the CSC Managed Rules.
If CSC Managed Rules are assigned a priority lower than 1000, or in other cases where adjustment is required, a message will appear in WAF Config prompting you to review the rule priorities. When this happens, please use one of the following methods to adjust them.
Method 1: Click the [Change Rule Priority] button
If CSC Managed Rules are currently configured with a priority lower than 1000 on the target web ACL, the [Change Rule Priority] button will appear in the [CSC MR Configuration] tab of the WAF Config's edit screen. You can adjust the priorities by following the steps below.
- Click the target WAF Config.
- Click the [CSC MR Configuration] tab.
- Click [Edit].
- Click the [Change Rule Priority] button.
This action adds 1000 to the priority values of all user rules at the time of execution.
Example: If a rule was at priority 100, it becomes 1100. If you had rules at 100 and 200, they become 1100 and 1200.
Please note that this includes rules originally set to priority 0–99.
If your rules are intended to allow requests before the IP-based block rules (denylist), moving them to priority 1000 or higher may cause unexpected behavior. In that case, please move the affected rules back to the 0–99 range after the adjustment.
If you're using IP-based allow rules, we recommend using the Allowlist feature provided by MR Plus.
Method 2: Use the AWS Management Console or AWS CLI
Rule priorities can also be adjusted manually through the AWS Management Console or the AWS CLI. For details, refer to the blog post:
If the Status in Advanced Rule Policy Shows 'Apply Failed' Error Due to Priority
Note: The blog references Advanced Rule Policy, but the steps are the same.
Note: This method can also be used if you already have user rules in the 0–99 range and prefer not to use the [Change Rule Priority] button.
Notes on rule priorities
- For rules other than those provided by MR Plus (such as Bypass and Scoping), please use priorities 0–99 or 1000 or higher. We cannot guarantee correct behavior if other priority values are used. This may lead to issues such as failure to register WAF Config or errors during updates from MR Plus. Please ensure that all rule priorities fall within the supported ranges.
- If you had applied your own rules to the web ACL before starting MR Plus, those rules will be temporarily placed after the Denylist rule (which blocks requests based on IP addresses) during the initial setup. If any of those rules are designed to allow specific traffic under certain conditions, they may not behave as expected during this transition. Once the initial registration is complete, you can move those rules to the 0–99 priority range. Please adjust the priorities after completing the setup.
- If you use the [Change Rule Priority] button, 1000 will be added to the current priority value. Example:
  - A rule with priority 100 will become 1100.
  - Rules with priorities 100 and 200 will become 1100 and 1200, respectively.
- Clicking the [Change Rule Priority] button will not reorder your rules; it will simply add 1000 to each rule's current priority value. If you have any rules that should remain in the 0–99 range, please manually reset their priorities after using the button.
- The values 111 and 301 are reserved by MR Plus. If user-defined rules are assigned these priorities, errors may occur, which could prevent updates from MR Plus or block changes to priority values. If this happens, please either:
- Editing MR Plus-provided rules or rule groups (e.g., Bypass and Scoping) in the AWS Management Console is not supported. Please refrain from modifying them directly. If you do edit these rules in the AWS Console, your changes will not be retained, as MR Plus will automatically restore them to the expected state.
- To add or remove IP addresses from Allowlist or Denylist rules, please use the [Rule Configuration] tab in the WafCharm Console.
- IP addresses added by the Dynamic Denylist feature cannot be deleted manually. However, if you register an IP address under [Exception IP List] in the [Exceptions] tab, it will be excluded and will not be blocked by the Denylist rule.
How to check the rule priority status
You can check from the WAF Config details page whether the rule priorities of a web ACL using MR Plus are in the expected state.
- Open the WafCharm Console.
- Click [WAF] in the left-hand menu.
- Click the target WAF Config.
- Click the [CSC MR Configuration] tab.
MR Plus automatically retrieves the current rule usage when you open the tab. If you want to refresh the information, click the [Check Usage Status] button within the tab.
How to adjust the rule priorities
If the rule priorities are not in the expected state, a message prompting you to check them will appear in the [Rule Priority] section under the [CSC MR Configuration] tab in WAF Config. When this happens, adjust the priorities using one of the two methods described above: Method 1 (click the [Change Rule Priority] button) or Method 2 (use the AWS Management Console or AWS CLI).
Please keep in mind that when you use "Method 1: Click the [Change Rule Priority] button," 1000 will be added to the current priority values of user-defined rules (including AWS Managed Rules) and of CSC Managed Rules. The relative order of these rules will remain unchanged, but they will all be moved to 1000 or higher.
Example:
- User Rule A (priority: 1)
- CSC Managed Rules (priority: 1000)
- User Rule B (priority: 1001)
If you click the [Change Rule Priority] button in this state, the priorities will be updated as follows:
- User Rule A (priority: 1001)
- CSC Managed Rules (priority: 2000)
- User Rule B (priority: 2001)
If User Rule A is a rule that should be evaluated before other rules (such as Denylist rules), please manually adjust its priority again to a value between 0 and 99 after it has been moved to priority 1001.
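To make the priority layout above and the +1000 shift concrete, here is an added Python example (not WafCharm's or MR Plus's own code) that checks a web ACL's rule list against the supported priority ranges (0–99, 111 and 301 reserved, 1000 or higher) and models what the [Change Rule Priority] button does to the page's worked example. The rule list follows the Name/Priority shape of the Rules array in a WAFv2 GetWebACL response, but every rule in it is constructed; the name prefixes "mrplus-" and "CSC-" used to recognise MR Plus rule groups and CSC Managed Rules are assumptions, not the real names.

```python
"""Check AWS WAF web ACL rule priorities against the MR Plus layout.

Added example, not WafCharm's own code. Rules follow the Name/Priority shape
of the `Rules` array in a WAFv2 GetWebACL response, but every rule below is
constructed. Assumed: MR Plus rule groups carry the name prefix "mrplus-" and
CSC Managed Rules the prefix "CSC-"; the real names differ.
"""

USER_LOW = range(0, 100)                            # user rules that run before Bypass/Scoping
MR_PLUS_RESERVED = {111: "Bypass", 301: "Scoping"}  # priorities reserved by MR Plus
USER_HIGH_MIN = 1000                                # user rules and CSC Managed Rules
SHIFT = 1000                                        # what [Change Rule Priority] adds

MR_PLUS_PREFIX = "mrplus-"  # assumption, see module docstring
CSC_PREFIX = "CSC-"         # assumption, see module docstring

# Constructed sample: the page's worked example (User Rule A / CSC / User Rule B).
SAMPLE_RULES = [
    {"Name": "UserRuleA", "Priority": 1},
    {"Name": "mrplus-bypass", "Priority": 111},
    {"Name": "mrplus-scoping", "Priority": 301},
    {"Name": "CSC-managed-rules", "Priority": 1000},
    {"Name": "UserRuleB", "Priority": 1001},
]

# Constructed sample with two layout violations added.
PROBLEM_RULES = SAMPLE_RULES + [
    {"Name": "AWS-AWSManagedRulesCommonRuleSet", "Priority": 500},  # unsupported range
    {"Name": "user-geo-block", "Priority": 301},                     # reserved value
]


def kind(rule):
    """Classify a rule as 'mrplus', 'csc' or 'user' from its name (assumed prefixes)."""
    name = rule["Name"]
    if name.startswith(MR_PLUS_PREFIX):
        return "mrplus"
    if name.startswith(CSC_PREFIX):
        return "csc"
    return "user"


def check_priorities(rules):
    """Return (name, priority, problem) for every rule outside the supported layout."""
    problems = []
    for r in rules:
        p, k = r["Priority"], kind(r)
        if k == "mrplus":
            continue  # managed by MR Plus itself; never edited by hand
        if p in MR_PLUS_RESERVED:
            problems.append((r["Name"], p, f"reserved for MR Plus {MR_PLUS_RESERVED[p]}"))
        elif k == "csc" and p < USER_HIGH_MIN:
            problems.append((r["Name"], p, "CSC Managed Rules must be >= 1000"))
        elif k == "user" and p not in USER_LOW and p < USER_HIGH_MIN:
            problems.append((r["Name"], p, "user rule must be 0-99 or >= 1000"))
    return problems


def change_rule_priority(rules):
    """Model the [Change Rule Priority] button: +1000 on every non-MR Plus rule.

    Returns the shifted rules (order preserved) and the names of rules that
    were in 0-99 and therefore need their priority restored by hand afterwards.
    """
    shifted, restore = [], []
    for r in rules:
        if kind(r) == "mrplus":
            shifted.append(dict(r))  # Bypass/Scoping keep 111 and 301
            continue
        if r["Priority"] in USER_LOW:
            restore.append(r["Name"])
        shifted.append({**r, "Priority": r["Priority"] + SHIFT})
    return shifted, restore


if __name__ == "__main__":
    for name, p, why in check_priorities(PROBLEM_RULES):
        print(f"{name} (priority {p}): {why}")
    after, restore = change_rule_priority(SAMPLE_RULES)
    print([(r["Name"], r["Priority"]) for r in after])
    print("move back to 0-99 manually:", restore)
```

Running it reports the rule at 500 and the user rule sitting on the reserved value 301, then prints the shifted list from the page's example (1001 / 111 / 301 / 2000 / 2001) with UserRuleA listed as the rule to move back into the 0–99 range by hand.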