In this section the NSX supplied OWASP CRS policy can be configured. It covers the OWASP Top Ten attack protection.

If the CRS version is updated, all new CRS rules will be in Detection mode. With this, you can update the CRS ruleset without any risk in production. However, these new rules must be moved into Enforcement mode (or inherited policy mode) manually.

All updated rules will continue to remain in the same mode and the existing exclusions will be applied to the rules.

To update CRS Rules do the following:

  1. Under the Signatures tab, scroll down to the CRS Rules section.

  2. Click on the required CRS Version to select it.

  3. The change log is displayed as shown below. Click on OK to confirm and update the CRS version.

Post and Pre-CRS Rules

The final step in WAF processing is a signature check. Core Rule Sets (CRS) can be configured under the Signatures tab. You can configure to execute custom rules before CRS or after CRS as well. For more information refer to the below section.