Configuring Security Rules in the Portal

Note

Security rules are available in the customer portal to accounts with Instart Web Security. If you have not purchased this service, the config screen described here does not appear in the navigation pane. If you are interested in adding this to your account, please contact sales@instart.com to learn more.

Security rules control traffic and limit security risks. Note that security rules are applied across all properties by default.

Select a property and click Config > Security Rules to display the Security Rules page:

The page displays a list of existing security rules and allows you to create new rules and to edit and reorder existing ones. Click any rule to view its details and edit it.

Rule Order

Rule order matters for some security rules. Specifically:

  • order matters for Custom security rules:
    • Rules with the action WARN are applied in the order listed. The last matching custom rule will be the rule that is applied.
    • Rules with the action BLOCK are applied when triggered and the rule evaluation stops. This is important to understand if you have a general BLOCK policy, but want to set to WARN for some narrower case. The BLOCK rule must come after the WARN rule or the WARN policy for the narrower case will never take effect.
  • order matters for WAF Control rules that are set to Bypass WAF. If the last matching WAF control rule is not set to Bypass WAF, the WAF will not be bypassed, even if a preceding matching WAF Control rule is configured to do so.

Order does not matter for Rate limit rules or for WAF Control rules that affect any of the WAF categories.

Rules can be reordered by clicking Reorder Custom Rules and dragging rows up or down as needed. Click Apply to save any changes to the rule order.

Creating new rules

Click New Security Rule to create a new rule. The portal displays the Add Security Rule dialog box:

Each new rule should have a Rule description to make it easier to identify and distinguish it from other rules.

Each new rule can have an Event Severity assigned. Possible values are High, Medium, Low, or Info.

Rules can be one of three types:

  • a Custom rule, which allows you to specify conditions to match against requests and, if matched, either block – respond to the request with an HTTP status code of 403 (Forbidden) – or warn – respond normally to the request, but log it as a security event.
  • a Rate limit rule, which allows you to specify a threshold on requests and stop responding once the threshold is reached. The threshold is a number of requests within a time period (in seconds). You can also specify a duration (in seconds) for which responses continue to be held back after the threshold is exceeded.
  • a WAF control rule, which can be used to specify conditions under which the WAF (web application firewall) can be set to block or warn on WAF rule categories, or bypass the WAF entirely.

    Note

    WAF Control rules are not the same thing as WAF rules. WAF rules themselves cannot be created or edited in the portal. WAF Control rules allow you to define conditions under which you want to have the WAF bypassed entirely, or to selectively set it to block or warn for categories of WAF rules.

    Also note that the WAF Control rules only apply to requests that are passed to the origin, not to any content cached on the Instart service. This is because the WAF only protects the origin. That is, only cache miss requests and requests for objects that are not cacheable will trigger the WAF and, thereby, the WAF Control rule.

To define a custom rule:

  1. Click Config > Security Rules in the navigation panel to display the Security Rules page.
  2. Click New Security Rule to open the rule builder.
  3. Provide a Rule description and an Event severity for the rule.
  4. Select Custom rule for Rule Type.

  5. Under the Conditions tab, select a Rule criteria from the pulldown list. The choices are in two groups: those related to the request itself, and those related to the client making the request.

    The request-related criteria are

    • Request method
    • Domain
    • Request path
    • Request query
    • Request header
    • Request cookie

    The client-related criteria are

    • ASN
    • Country
    • Browser
    • Client IP
    • Device
    • Network list
    • Bot signal

    Each of these choices then supplies the appropriate fields to define the conditions for the selected criteria.

    For example, if you select Request method, you can select equals or does not equal and then select a specific value from the Method pulldown list:

    If you select Request Header, you will also see an additional required field, Header name, below the criteria pulldown, and a field for specifying the value of this header:

    Likewise, for Request cookie you need to specify Cookie name and a value for the cookie:

    You can add additional criteria by clicking the + at the right. If you do, you get a second line to add another rule criterion:

    Once you specify more than one condition, you get an additional pulldown for the boolean operation to apply in the rule: And or Or. Note that this selection applies to all criteria.

    Note

    If you apply the match conditions contains and does not contain, note that any special characters will need to be escaped with a preceding percent (%) character. The following characters need to be escaped:

    ( ) . % + - * ? [ ^ $

    For example, if your string is content/acme-anvil-division/, you need to enter it in the field as content/acme%-anvil%-division/.

    By this means, you have full flexibility in creating complex custom conditions for security rules.

    At any point along the way, you can delete a condition by clicking the X at its right.

  6. Click the Action tab to choose the Action for your rule: Warn (respond normally to the request, but log it as a security event) or Block (respond to the request with an HTTP status code 403 - Forbidden):

  7. Click Save.
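The escaping rule in the note above is easy to get wrong by hand, and a missed % silently turns a literal match into a pattern match. The following is an added example, not Instart's own code: a small helper that escapes a literal substring for the contains / does not contain conditions and checks a pattern before it is pasted into the portal. The set of special characters comes from the page; the validation rules (a % must be followed by one of those characters, and nothing else is given a meaning) are this example's own assumptions.

```python
# Added example (not Instart's own code): helper for the portal's "contains" /
# "does not contain" match conditions, which treat the characters
# ( ) . % + - * ? [ ^ $ as special and require each to be escaped with %.
# The special-character list is from the page; the validation rules below
# are this example's assumptions.

SPECIAL = set("().%+-*?[^$")


def escape_for_contains(literal: str) -> str:
    """Return the literal substring in the form the portal expects.

    Every special character is prefixed with %; everything else is copied
    unchanged, so '/' and ':' need no escaping.
    """
    return "".join("%" + ch if ch in SPECIAL else ch for ch in literal)


def unescape_contains_pattern(pattern: str) -> str:
    """Recover the literal substring from an escaped pattern.

    Raises ValueError for the two mistakes worth flagging before a rule is
    saved: a special character left unescaped, and a % that is not followed
    by one of the special characters (assumption: treated as malformed
    rather than guessed at).
    """
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "%":
            if i + 1 >= len(pattern) or pattern[i + 1] not in SPECIAL:
                raise ValueError(f"% at position {i} is not followed by a special character")
            out.append(pattern[i + 1])
            i += 2
        elif ch in SPECIAL:
            raise ValueError(f"unescaped special character {ch!r} at position {i}")
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def is_well_formed(pattern: str) -> bool:
    """True when every special character in the pattern is escaped."""
    try:
        unescape_contains_pattern(pattern)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample paths; the first one is the page's own example.
    for literal in ("content/acme-anvil-division/", "/api/v1/items?id=1", "100%"):
        escaped = escape_for_contains(literal)
        print(f"{literal!r:32} -> {escaped!r}")
        assert unescape_contains_pattern(escaped) == literal
```

Run it and compare the escaped form with what you typed into the Rule criteria field; is_well_formed is the check to apply to an existing rule whose contains condition never seems to match.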

To define a rate limit rule:

  1. Click Config > Security Rules in the navigation panel to display the Security Rules page.
  2. Click New Security Rule to open the rule builder.
  3. Provide a Rule description and an Event severity for the rule.
  4. Select Rate limit rule for Rule type.

    When you choose Rate limit rule, two additional fields appear at the top of the Conditions section: the number of requests, and the span of time in seconds over which they are counted:

  5. Under the Conditions tab, select a Rule criteria from the pulldown list. The choices are the same as for custom rules; see above.

  6. Click the Action tab to enter the Action for your rule: choose to Warn or Block, and enter a Block duration (required), the span of time in seconds for which requests will be blocked (or logged, if Warn is chosen) after exceeding the limit set on the Conditions tab:
  7. Click Save.
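To see how the three numbers on a rate limit rule (request threshold, time window, and Block duration) interact, here is an added example that models the behaviour described above; it is not Instart's own code and does not reflect how the service counts internally. Assumptions the page does not state: requests are counted per client over a sliding window, the count resets once a block starts, and the client is identified by a caller-supplied key (a client IP string here).

```python
# Added example (not Instart's own code): a model of a rate limit rule with
# a request threshold, a time window and a Block duration, with the Warn and
# Block actions from the Action tab. Sliding-window counting per client and
# resetting the count when a block starts are this example's assumptions.

from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Iterable, List, Tuple


@dataclass
class RateLimitRule:
    max_requests: int       # threshold from the Conditions tab
    window_seconds: float   # span of time the threshold applies to
    block_seconds: float    # Block duration from the Action tab
    action: str = "Block"   # "Block" (403) or "Warn" (respond normally, log)


@dataclass
class ClientState:
    timestamps: Deque[float] = field(default_factory=deque)  # recent requests
    blocked_until: float = 0.0                                # end of block


class RateLimiter:
    def __init__(self, rule: RateLimitRule):
        self.rule = rule
        self.clients: Dict[str, ClientState] = {}
        self.events: List[Tuple[float, str, str]] = []  # (time, client, action)

    def handle(self, client: str, now: float) -> str:
        """Decide one request: 'allow', 'block' or 'warn'."""
        rule = self.rule
        state = self.clients.setdefault(client, ClientState())

        # Still inside the Block duration: keep applying the rule's action.
        if now < state.blocked_until:
            return self._apply_action(client, now)

        # Forget requests that have left the sliding window.
        while state.timestamps and now - state.timestamps[0] >= rule.window_seconds:
            state.timestamps.popleft()

        state.timestamps.append(now)
        if len(state.timestamps) > rule.max_requests:
            # Threshold exceeded: start the Block duration and reset the count.
            state.blocked_until = now + rule.block_seconds
            state.timestamps.clear()
            return self._apply_action(client, now)
        return "allow"

    def _apply_action(self, client: str, now: float) -> str:
        # Both actions log a security event; only Block withholds the response.
        self.events.append((now, client, self.rule.action))
        return "block" if self.rule.action == "Block" else "warn"


def simulate(rule: RateLimitRule, requests: Iterable[Tuple[float, str]]) -> List[str]:
    """Run (time, client) pairs through a fresh limiter; return the decisions."""
    limiter = RateLimiter(rule)
    return [limiter.handle(client, t) for t, client in requests]


if __name__ == "__main__":
    rule = RateLimitRule(max_requests=5, window_seconds=10, block_seconds=30)
    # Constructed traffic: six requests in six seconds from one client,
    # then one during the block and one after it has expired.
    traffic = [(t, "198.51.100.7") for t in (0, 1, 2, 3, 4, 5, 20, 35)]
    for (t, client), decision in zip(traffic, simulate(rule, traffic)):
        print(f"t={t:>3}s {client} -> {decision}")
```

The point to take from the model is that the Block duration, not the time window, decides how long a client stays cut off once it trips the threshold, and that a Warn rule with the same numbers produces the same event stream while still serving every request, which makes it the safer setting when first tuning a threshold.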

To define a WAF Control rule:

  1. Click Config > Security Rules in the navigation panel to display the Security Rules page.
  2. Click New Security Rule to open the rule builder.
  3. Provide a Rule description and an Event severity for the rule.
  4. Select WAF Control for the Rule type.

  5. Under the Conditions tab, select a Rule criteria from the pulldown list. The choices are the same as for custom rules; see above.

  6. Click the Actions tab. You will see a list of seven categories of WAF rules:

    By default these are all set to Warn. You can set any or all of the listed categories to Block. For example, you might want to set the WAF to block requests that trigger any of the WAF's SQL injection rules:

    If you click Bypass WAF, any requests that trigger this WAF Control rule will not be routed through the WAF at all.

  7. Click Save.

List of Rule Criteria possibilities

Each entry lists the criterion name, the match conditional(s) it offers, and the possible values.

Request Method
    Match conditional(s): equals | does not equal
    Possible values: Valid HTTP method (from pulldown list)

Domain
    Match conditional(s): equals | does not equal; contains | does not contain
    Possible values: Valid string or substring

Request Path
    Match conditional(s): equals | does not equal; contains | does not contain
    Possible values: Valid string or substring

Request Query
    Match conditional(s): equals | does not equal; exists | does not exist; contains | does not contain
    Possible values: Valid string or substring

Request Header
    Match conditional(s): Header name (required) and equals | does not equal; exists | does not exist; contains | does not contain
    Possible values: Valid request header name and value, for example accept-encoding:gzip, deflate, br

Request Cookie
    Match conditional(s): Cookie name (required) and equals | does not equal; exists | does not exist; contains | does not contain
    Possible values: Valid cookie name and value

ASN
    Match conditional(s): equals | does not equal
    Possible values: Valid string or substring of an officially registered autonomous system number

Country
    Match conditional(s): equals | does not equal
    Possible values: Valid country name (from pulldown list)

Browser
    Match conditional(s): equals | does not equal
    Possible values: Valid browser name (from pulldown list)

Client IP
    Match conditional(s): equals | does not equal
    Possible values: Valid IPv4 address

Network List
    Match conditional(s): equals | does not equal
    Possible values: Valid network list name (from pulldown list)


Editing an existing rule

At any point you can edit an existing rule or delete it entirely.

To edit an existing rule:

  1. From the rule list page, click the rule you want to change, and an Edit Security Rule dialog box appears:

    Editing an existing Security rule

    The fields are all the same as those provided in the Add Security Rule dialog box.

  2. Edit any of the fields, add additional criteria to the Conditions section, and delete criteria, as desired.
  3. Once you have changed the rule to your satisfaction, click Save Rule.

To delete an existing rule:

Open the rule for editing from the rule list page and click Delete Rule at the bottom.