This section discusses how to configure WAF Policy.
Navigate to
to locate the default policy.
System-WAF-Policy is the default policy in Avi Load Balancer and is the recommended starting point for all new applications. For example, it contains the Avi Load Balancer OWASP CRS signatures. For more information, see Signatures CRS rules. To customize a policy, it is highly recommended to create a new policy instead of editing the default policy (System-WAF-Policy).
When using features like Anomaly Detection, the CRS group CRS_901_Initialization must be enabled; without it, the required anomaly thresholds are not set to their defaults. It is generally recommended to keep this group enabled.
WAF policies that enable Application Learning cannot be shared between applications, as they contain configuration tailored to that specific application.
The following are the steps to create a new policy:
Navigate to
. Click Create.
Note: Create clones the System-WAF-Policy and uses it as the basis for the newly created WAF Policy.
Configure the new WAF Policy under the following tabs:
Settings
Learning
Allowlist
Positive Security
Application Rules
Signatures
Click Save to create the WAF Policy.
Settings Tab
Provide the following details to configure the WAF Policy:
Field | Description | Additional Information
---|---|---
Name | Enter a relevant name for the policy. |
WAF Profile | Choose the WAF Profile to attach to this policy. The profile contains common reusable settings that complement the WAF Policy. | For more information, see WAF Profile.
Policy Mode | Select one of the following modes: Detection or Enforcement. For more information, see Selecting a WAF Policy Mode. | It is recommended to use Detection mode when onboarding a new application. For more details, see WAF Mode. For more information on mode delegation, see Mixed Mode and Enabling Mode Delegation.
Allow Mode Delegation | Enable this option to allow individual WAF rules to override the selected Policy Mode, so that a specific action (Detection or Enforcement) can be defined for a single rule irrespective of the action defined for the rule set. | The Allow Mode Delegation check box can only be changed when the selected Policy Mode is Detection, since mode delegation is required in Enforcement mode.
Bypass Static Extension | Enable this option to bypass WAF for static file extensions. | For more information on bypassing, see Bypassing WAF.
Paranoia Level | Set the paranoia level for the WAF Policy. This determines how strict the policy is and has a direct impact on the potential false positive rate. | For more information, see What are the Paranoia Modes available in WAF? What are the considerations for choosing the mode?
Geo DB | Geo Location Mapping Database used by the WAF Policy. |
Mode Delegation
With the Mode Delegation option, policies can operate in the following two modes:
Detection: In Detection mode, if a request matches a rule, the request is flagged with an application log message (marked FLAGGED) and allowed through.
Enforcement: In Enforcement mode, if a request matches a rule, it is blocked by the Service Engine, and an application log message (marked REJECTED) is generated.
If Mode Delegation is enabled, individual WAF rules can override the Policy Mode, resulting in different behavior from the rest of the rules. This is also called mixed mode and is another way of fine-tuning the policy to avoid legitimate requests being blocked in Enforcement mode.
A few relevant use cases for enabling Mode Delegation are:
Test new rules: You can configure manually written rules or new CRS rule updates with mixed mode enabled to avoid false positives. You will be able to introduce new rules to operate in Detection mode to ensure that legitimate requests are not rejected.
Partial detection: You can configure a few rules in Enforcement mode, while still retaining the whole WAF Policy in Detection mode.
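The two modes and the rule-level override described above, as an added model (not Avi Load Balancer code) that turns the page's rules into a checkable decision function: validate() reports the two constraints the page states (delegation required in Enforcement mode, CRS_901_Initialization needed for Anomaly Detection), and evaluate() returns the FLAGGED/REJECTED verdict per matched rule. Rule ids and the group "custom-group" used in tests are constructed; only CRS_901_Initialization and the mode names come from the page.

```python
# Model of Policy Mode / Mode Delegation semantics from this page (added example, not Avi code);
# rule ids and the group "custom-group" are constructed, CRS_901_Initialization is from the page.
from dataclasses import dataclass, field
from enum import Enum

class Mode(Enum):
    DETECTION = "Detection"
    ENFORCEMENT = "Enforcement"
    USE_POLICY_MODE = "Use Policy Mode"  # rule-level setting: inherit the Policy Mode

@dataclass
class Rule:
    rule_id: str
    group: str
    mode: Mode = Mode.USE_POLICY_MODE
    enabled: bool = True

@dataclass
class WafPolicy:
    name: str
    mode: Mode
    allow_mode_delegation: bool = False
    anomaly_detection: bool = False
    rules: list = field(default_factory=list)

def validate(policy):
    """Report configuration problems implied by the constraints stated on this page."""
    problems = []
    if policy.mode is Mode.ENFORCEMENT and not policy.allow_mode_delegation:
        problems.append("Allow Mode Delegation is required when Policy Mode is Enforcement")
    init_on = any(r.enabled and r.group == "CRS_901_Initialization" for r in policy.rules)
    if policy.anomaly_detection and not init_on:
        problems.append("Anomaly Detection needs CRS_901_Initialization enabled")
    return problems

def effective_mode(policy, rule):
    # Without delegation every rule follows the Policy Mode; with it a rule may override.
    if rule.mode is Mode.USE_POLICY_MODE or not policy.allow_mode_delegation:
        return policy.mode
    return rule.mode

def evaluate(policy, matched_rule_ids):
    """Service Engine verdict for a request matching the given rules: (allowed, log)."""
    allowed, log = True, []
    for rule in policy.rules:
        if rule.enabled and rule.rule_id in matched_rule_ids:
            verdict = "REJECTED" if effective_mode(policy, rule) is Mode.ENFORCEMENT else "FLAGGED"
            allowed = allowed and verdict == "FLAGGED"
            log.append((rule.rule_id, verdict))
    return allowed, log
```

The same request is flagged when the policy runs without delegation and rejected when a single rule is delegated to Enforcement, which is the "partial detection" case above.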
You can enable Mode Delegation through the following steps:
In the Avi Load Balancer UI, navigate to .
Click Create, or edit an existing WAF Policy. Avi Load Balancer also supports cloning an existing WAF Policy.
In the Settings tab, under Policy Mode, select the check box for Allow Mode Delegation to enable mixed mode.
To make a specific rule follow the Policy Mode:
Navigate to the Signatures tab and select the CRS Version.
Expand the Group that the Rule to be edited is part of.
Click the edit icon for the Rule to be edited.
Under Rule Mode, select the option Use Policy Mode.
Click Save.
Cloning a WAF Policy
Avi Load Balancer supports cloning an existing WAF policy. Cloning a WAF policy copies all the configured objects and attributes from an existing WAF policy to the cloned WAF policy. This is useful when there is a requirement to share the same policy with multiple virtual services.
To use the clone option, click on the three dots next to the existing WAF policy.
Selecting the CLONE option creates a copy of the selected WAF policy. You can give the cloned WAF policy a name of your choice before submitting the clone request.
For example, the WAF policy test-cloning (copy) is the cloned version of the WAF policy test-cloning.