Overview
Rule configuration in the WAF Config is an item that configures each rule type from the WafCharm Console. The rule policy you choose will affect the type of rule configuration available in the WAF Config.
In both rule policies, the [Next] button will be disabled if you have an incomplete configuration. Please double-check all rule configuration fields if you cannot click the [Next] button on the [Rule configuration] page.
After you’ve completed the initial configuration, you can click the [Edit] button on the details page to change or add configurations.
Differences between the rule policies
There are two types of rule policies: Advanced and Legacy.
Advanced: This is a new rule structure released with the WafCharm Console. It allows the configuration of rules such as rate-based rules, geo-match rules, and bot rules. This feature is only available for the new plan.
Legacy: A rule structure that has been available from the old WafCharm Dashboard. It allows the configuration of IP address-related rules and is available for both old and new plans.
If you choose to use the Advanced rule policy, the rule configurations below will be available.
If you choose to use the Legacy rule policy, the rule configurations below will be available.
About each rule configuration
IP addresses
A configuration to control IP address-based rules.
Allowlist
Allows requests from registered IP addresses.
How to set up
- Enter an IP address in the [Allowlist] field.
- Click the [Add] button.
Denylist
Blocks requests from registered IP addresses.
How to set up
- Enter an IP address in the [Denylist] field.
- Click the [Add] button.
Dynamic Denylist
Select a rule action used by the dynamic denylist rule that is automatically updated via WafCharm features.
IP addresses are added to/deleted from the dynamic denylist using the two features listed below. For more details, please refer to the About Denylist and Allowlist page.
- Dynamic denylist feature: WafCharm re-evaluates your logs against hundreds of security signatures. Any detected threats are automatically added to the denylist.
- IP reputation feature: WafCharm integrates with CSC's proprietary IP reputation database to cross-reference and add known malicious IP addresses to the denylist.
*This feature is only available for the Advanced rule policy. This section is unavailable for the Legacy rule policy.
How to set up
- Select the rule action to use (Count or Block) from the pull-down menu.
- Click the [Add] button.
IP address to use
A configuration to specify which IP addresses to use within the request. The same setting applies to both Allowlist and Denylist.
- Source IP
- The rules will inspect the request's source IP (client IP).
- Specific header (Reference: About the [IP address to use] option for AWS WAF v2)
- The rules will inspect the IP addresses in the specified header (e.g., X-Forwarded-For).
- If you choose the [Specific header] option, please choose the position of the IP addresses inside the header from [Position inside header].
How to set up
[Source IP] is selected by default. If you want to use a specific header, please change the configuration with the steps below.
- Select [Specific header] under the [Inspect the IP address in].
- Enter the header name under the [Header field name] field.
[X-Forwarded-For] is entered by default. Please change the name as needed.
- Select the [Position inside header].
When the IP addresses included in the header are listed, this field is used to determine whether the first (leftmost) or last (rightmost) IP address in the list is to be evaluated.
Limitations and Notes
- If IP addresses are not present in the specified header, the request will not match the rules if you choose the [Specific header] option.
- Please also refer to the Forwarded IP address page in the AWS document for more information about the IP addresses in the specific header.
- Please separate each IP address with a comma or line break to add multiple IP addresses.
- Up to 1,000 IP addresses can be registered.
- IP addresses can be specified using CIDR formats. The allowed CIDR formats are /8 and /16 ~ /32.
- The IP address rule does not support IPv6.
- If an IP address is not specified using a CIDR format, it will be treated as /32.
- The changes take effect immediately upon submission. However, depending on the circumstances, there may be a slight delay before the changes are fully applied.
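The following is an added example, not WafCharm's or AWS's code, that models the IP address rule behaviour described above: entries are validated against the stated limits (IPv4 only, CIDR /8 or /16 to /32, a bare address treated as /32, at most 1,000 entries), and a request is evaluated using either the source IP or the first/last address in a specified header, with no match when the header carries no IP address. Header names are assumed to be lower-cased in the request dict, and non-IP tokens inside the header are skipped (an assumption of this model).

```python
import ipaddress

# Limits stated on the page for the Allowlist and Denylist fields
ALLOWED_PREFIXES = {8, *range(16, 33)}
MAX_ENTRIES = 1000


def parse_ip_entries(text):
    """Parse a comma- or newline-separated list into IPv4 networks.

    Raises ValueError for IPv6, a disallowed prefix length, or too many
    entries. An address without a prefix is treated as /32.
    """
    raw = [e.strip() for e in text.replace(",", "\n").splitlines()]
    entries = [e for e in raw if e]
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"more than {MAX_ENTRIES} entries")
    networks = []
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)  # bare IP -> /32
        if net.version != 4:
            raise ValueError(f"IPv6 is not supported: {entry}")
        if net.prefixlen not in ALLOWED_PREFIXES:
            raise ValueError(f"prefix /{net.prefixlen} not allowed: {entry}")
        networks.append(net)
    return networks


def ip_to_inspect(source_ip, headers, use="source",
                  header="X-Forwarded-For", position="first"):
    """Return the address the rule inspects, or None if the header has none.

    use="source" mirrors [Source IP]; use="header" mirrors [Specific header]
    with position "first" (leftmost) or "last" (rightmost).
    """
    if use == "source":
        return ipaddress.ip_address(source_ip)
    value = headers.get(header.lower(), "")  # assumed lower-cased header keys
    candidates = []
    for part in value.split(","):
        try:
            candidates.append(ipaddress.ip_address(part.strip()))
        except ValueError:
            continue  # assumption: tokens such as "unknown" are skipped
    if not candidates:
        return None  # no IP address in the header: the rule cannot match
    return candidates[0] if position == "first" else candidates[-1]


def matches_list(networks, source_ip, headers, **opts):
    """True if the inspected address falls inside any registered network."""
    addr = ip_to_inspect(source_ip, headers, **opts)
    return addr is not None and any(addr in net for net in networks)
```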
Geo-match
A configuration to control geo-match rules.
With this configuration, you can add a geo-match rule for specific use cases.
Use cases
- Block requests from specific countries
- Applies a rule to block requests from specified countries.
- Block requests that are not from specific countries
- Applies a rule to block requests that are not from the specified countries.
For example, if your web service is only available for users in Japan, you can apply a rule to block requests that are not coming from Japan.
How to set up
- Check the [Enable geo-match rule] checkbox.
- Select the use case.
- Select the name of the country from the [Country code] drop-down menu.
- Configure options under the [IP addresses to determine the country of origin].
IP addresses determine which country the requests are coming from. Please specify which IP addresses to use within the request.
If you want to use the same setting as [IP address to use] from the IP addresses configuration, please check the [Use the same IP address configuration] checkbox.
If you want to change the IP address to use for the geo-match rule, choose an option from [Source IP] or [Specific header].
Once you have selected and entered all the options, a geo-match rule will be applied to your web ACL once you complete the WAF Config configuration.
If you want to cancel the geo-match rule, uncheck the [Enable geo-match rule] checkbox.
Limitations and Notes
- Only country-specific rules can be created from the WafCharm Console.
- If you want to apply a geo-match rule with granular conditions using regions, please create a rule from the AWS management console or request customization from the WafCharm support team.
- The geo-match rule provided by AWS WAF determines the country/region of origin based on IP addresses.
- If the country/region of origin cannot be determined by AWS WAF on inspection or does not match the specified rule, the request will not match the rule (blocked by the rule).
- For more details about how AWS WAF determines the country/region of origin, please refer to the Geographic match rule statement page in the AWS document.
Rate-based
A configuration to control rate-based rules to mitigate bots and DoS. You can add a rule for a specific use case or customize it to your own needs.
Use cases
- Mitigate rapidly increasing requests from bots
- Apply a rule to aggregate requests based on a specified key and block when the number of requests exceeds a specified threshold within 1 or 2 minutes.
- Window size (1 or 2 minutes) and threshold (default value: 10,000) can be adjusted.
- Ensure the access is from a web browser instead of a bot
- Apply a rule to aggregate requests based on a specified key and apply the Challenge or CAPTCHA action when the number of requests exceeds a specified threshold within 5 or 10 minutes.
- Window size (5 or 10 minutes) and threshold (default value: 10,000) can be adjusted.
- Immunity time for Challenge and CAPTCHA actions will be set to 300, which is AWS WAF's default value.
- If you want to change the immunity time from the default value (300), please create a rule from the AWS management console or request customization from the WafCharm support team.
- Custom
- You can create a more flexible rate-based rule compared to the ready-made use cases.
- Apply a rule to aggregate requests based on a specified key and apply an action when the number of requests exceeds a specified threshold within a certain time frame.
- Window size (1, 2, 5, or 10 minutes), threshold (default value: 10,000), and action (Block, Challenge, or CAPTCHA) can be adjusted.
- Immunity time for Challenge and CAPTCHA actions will be set to 300, which is AWS WAF's default value.
- If you want to change the immunity time from the default value (300), please create a rule from the AWS management console or request customization from the WafCharm support team.
Configurable fields
The following settings can be configured from the rate-based rule screen. The specific values may vary depending on the use case you choose.
- Rate calculation key
- This is an option to specify which key to use when AWS WAF aggregates the requests.
- If you choose the [IP address] option, the requests from the same IP address will be aggregated and an action is applied if it exceeds the threshold. The [Inspect the IP address in] option has the same function as the [IP address to use] in the IP address configuration (Reference: IP address to use).
- If you choose the [Session ID] option, the requests are aggregated based on a session ID key included in the query string, header, or Cookie, and an action is applied if the count exceeds the threshold.
- For example, if a session ID is included in the query string as [name=key_value] format, select [Query] for the [Use the Session ID in] field and enter [name] for the [Session ID key to use in Query] field. This configuration will allow the rate-based rule to apply restrictions when a large number of requests come from the same session ID.
Note: You must specify a key used in the session ID (name) to create rate-based rules, but the requests will be aggregated based on the value of the key in session IDs (i.e., key_value).
- If you choose the [JA4 Fingerprint] option, the requests from the same JA4 Fingerprints will be aggregated and the specified action is applied when the threshold is exceeded.
- The fallback action is set to NO MATCH and cannot be changed.
- Please refer to the Rate-based rule aggregation options and keys page in the AWS document for more information about the aggregation keys used in the rate-based rules.
- Evaluation window
- Specify the time window to evaluate. For example, for a rule that triggers when 100 requests occur within 5 minutes, select "5 minutes" as the window size.
- Rate limit
- Specify the number of requests to evaluate. For example, for a rule that triggers when 100 requests occur within 5 minutes, set the rate limit to "100".
- Action
- Specify the action to apply when a request matches the rate-based rule.
- The Count action can be selected for both rules. If you want to observe how a rule behaves before applying an action like Block or CAPTCHA, or if you'd like to avoid false positives, consider switching the action to Count.
How to set up
- Click [Add a rule].
- Select a use case from the [Use case] drop-down menu.
- Configure [Rate calculation key] options.
- Select or enter the [Evaluation window], [Rate limit], and [Action].
Once you have selected and entered all the options, rate-based rules will be applied to your web ACL once you complete the WAF Config configuration.
If you want to cancel the rate-based rule, click the garbage can icon on the bottom right corner of each rule section to delete the configuration.
Limitations and Notes
- Please refer to the Notes on Challenge and CAPTCHA for more information on these actions.
- Immunity time will be set to 300, which is AWS WAF's default value.
- If you want to change the immunity time from the default value (300), please create a rule from the AWS management console or request customization from the WafCharm support team.
- The minimum threshold for the rate-based rules is 10.
- If the threshold is empty or set to a value less than 10, the value will automatically be fixed to 10.
- AWS WAF specifies the minimum value and cannot be changed.
- You can configure up to 4 rate-based rules from the WafCharm Console.
- The maximum number of rate-based rules that can be applied in one web ACL is 10. This quota cannot be changed.
- If you want to apply more than 5 rate-based rules, please use the AWS management console from the fifth rule.
- If you want to use the aggregation key other than the IP address or session ID, please create a rule from the AWS management console or request customization from the WafCharm support team.
- Depending on your region, some settings may not be supported due to AWS WAF limitations.
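The following is an added example, not WafCharm's or AWS's code, that models the rate-based rule behaviour described above: requests are aggregated by the chosen key (the source IP, or the value of a session ID key carried in the query string, e.g. `sid=key_value`), counted over a sliding window of 1, 2, 5 or 10 minutes, and the rule's action applies once the count exceeds the rate limit, which is clamped to the minimum of 10. The request dict shape (`ts`, `ip`, `url`) and the exact sliding-window counting are assumptions of this model; AWS WAF's own counting is approximate.

```python
from collections import defaultdict, deque
from urllib.parse import parse_qs, urlsplit

# Values stated on the page
ALLOWED_WINDOWS_MIN = (1, 2, 5, 10)
MIN_RATE_LIMIT = 10


def session_id_from_query(url, key):
    """Return the value of the session ID key in the query string, or None."""
    values = parse_qs(urlsplit(url).query).get(key)
    return values[0] if values else None


class RateBasedRule:
    def __init__(self, window_minutes, rate_limit, action="Block",
                 key="ip", session_key=None):
        if window_minutes not in ALLOWED_WINDOWS_MIN:
            raise ValueError("window must be 1, 2, 5 or 10 minutes")
        self.window = window_minutes * 60
        # An empty or too-small threshold is fixed to the AWS WAF minimum
        self.rate_limit = max(rate_limit or 0, MIN_RATE_LIMIT)
        self.action = action
        self.key = key            # "ip" or "session"
        self.session_key = session_key
        self.hits = defaultdict(deque)  # aggregation key -> request times

    def aggregation_key(self, request):
        if self.key == "ip":
            return request["ip"]
        # Aggregate on the VALUE of the key, as the note on the page says
        return session_id_from_query(request["url"], self.session_key)

    def evaluate(self, request):
        """Record one request and return the action to apply, or None.

        request: dict with "ts" (seconds), "ip" and "url" (constructed shape).
        """
        agg = self.aggregation_key(request)
        if agg is None:
            return None  # key absent from the request: nothing to aggregate
        times = self.hits[agg]
        times.append(request["ts"])
        while times and times[0] <= request["ts"] - self.window:
            times.popleft()  # drop hits outside the evaluation window
        return self.action if len(times) > self.rate_limit else None
```

Switching `action` to `"Count"` gives the observation mode described above: the rule still reports a match, but nothing is blocked.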
Bot
A configuration to control bot rules. If you enable bot rules, WafCharm will apply its own bot rules to your web ACL.
The bot rule categories are as follows. You can choose an action for each category.
- Advertising
- AI
- ContentFetcher
- HTTP Libraries
- Monitoring
- Scrapers
- SearchEngine
- Security
- SEO
- SNS
You can choose from the four actions listed below.
- Block
- Count
- CAPTCHA
- Challenge
How to set up
- Check the [Enable Bot Rules] checkbox.
- Choose an action for each category under [Bot Category].
The bot rules will be applied to your web ACL once you complete the WAF Config configuration.
If you enable bot rules, all available categories will be enabled. Categories cannot be individually disabled, so if you want to avoid blocking requests with a specific bot category, please use the Count action. The Count action will only detect the requests when they match a rule but will not block them. If the requests do not match any other rules, then they will eventually be allowed.
Limitations and Notes
- Please refer to the Notes on Challenge and CAPTCHA for more information on these actions.
- Immunity time will be set to 300, which is AWS WAF's default value.
- If you want to change the immunity time from the default value (300), please create a rule from the AWS management console or request customization from the WafCharm support team.
Regular expressions (regex)
A configuration to control WafCharm's own rules that use regular expressions (regex).
These rules are provided by default, so there is no option to enable/disable them. However, you can choose an action for each rule.
You can choose from the four actions listed below.
- Block
- Count
- CAPTCHA
- Challenge
A specific rule cannot be disabled. If you want to avoid blocking requests with a specific rule, or if there are false positives and you need to quickly allow certain requests, please choose the Count action on the rule blocking the requests.
The Count action will only detect the requests when they match a rule but will not block them. If the requests do not match any other rules, then the requests will eventually be allowed.
How to set up
- Choose an action for each rule under [Rule name].
Limitations and Notes
- Please refer to the Notes on Challenge and CAPTCHA for more information on these actions.
- Immunity time will be set to 300, which is AWS WAF's default value.
- If you want to change the immunity time from the default value (300), please create a rule from the AWS management console or request customization from the WafCharm support team.
- Rule actions specified on the WafCharm Console take precedence.
- If you change the rule action of WafCharm rules on the AWS management console, the rule actions will be overridden by the actions specified in the WafCharm Console. If you want to change WafCharm rules' actions, please use the WafCharm Console.
- Please note that we cannot guarantee the operation if you change any settings (e.g., conditions) other than the rule action of the rules provided by WafCharm.
- WafCharm's regex rules are intended to detect attacks or suspicious requests, so rule action Allow is not provided as an option.
Exceptions
A configuration to control specific conditions to exclude from the rules provided by WafCharm.
IP addresses
WafCharm provides a feature to dynamically update the denylist by re-matching signatures to obtained logs.
In this feature, IP addresses will be added to the denylist if the requests match the signatures. If you have IP addresses that you do not want to be registered in the denylist but still want the requests from those IP addresses to be inspected by other WafCharm rules, you can use the exception option to exclude specific IP addresses from being added to the denylist.
How to set up
- Enter an IP address in the [Exception IP List] field.
The configuration is applied once you complete the WAF Config configurations.
Limitations and Notes
- Please separate each IP address with a comma or line break to add multiple IP addresses.
- Up to 1,000 IP addresses can be registered.
- IP addresses can be specified using CIDR formats. Allowed CIDR formats are: /1 ~ /32.
- The IP address rule does not support IPv6.
- If an IP address is not specified using a CIDR format, it will be treated as /32.
Notes on Challenge and CAPTCHA
Challenge and CAPTCHA actions behave differently from actions like Block and Count.
Challenge actions will run a silent challenge when a request matches a rule to verify that the request came from the browser and not a bot. The request is allowed when a client passes the challenge.
CAPTCHA actions will show a CAPTCHA test when a request matches a rule and allow the request if the client passes the test. When the CAPTCHA action is applied, the CAPTCHA test provided by AWS will be shown on the page.
Please keep in mind that the CAPTCHA test is provided by AWS, and you will need to determine whether showing it on your web service is acceptable.
Please refer to the AWS documents below for more details on how the rule actions work.
If you want to change the immunity time from the default value (300), please create a rule from the AWS management console or request customization from the WafCharm support team.