This section discusses configuring WAF exceptions with regex matching for arguments. NSX Advanced Load Balancer supports Regex for URL matching.
NSX Advanced Load Balancer WAF uses PCRE (Perl Compatible Regular Expressions) as its regex dialect. NSX Advanced Load Balancer supports configuring regular expressions for arguments. The match_element field under WAF Policy can be configured to use a regular expression instead of just a keyword.
Configuring Regex Matching for Arguments through CLI
Log in to the Controller shell and enter the command to edit the required WAF policy.
Search for match_element_criteria by typing slash (‘/’), followed by the keyword match_element_criteria. Configure the desired regex in the match_element field as shown below. Under match_element, set the match_case field to SENSITIVE and the match_op field to REGEX_MATCH.

exclude_list:
- match_element: ARGS:regex
  match_element_criteria:
    match_case: SENSITIVE
    match_op: REGEX_MATCH
  uri_match_criteria:
    match_case: SENSITIVE
    match_op: REGEX_MATCH
  uri_path: ^/test.php

Hit Esc and enter :wq. Type save to save the configuration.
Configuration Example
The argument name can have several fixed and dynamic parts. Consider a URL such as the following:
https://appname.com/typo/test_doc.php?data[news][1234][body]=Some_long_text_expected
Here, data[news][ and ][body] are the fixed parts, and the number 1234 is a dynamic value that varies with each request. An example attack on this application would look as follows:
https://appname.com/typo/test_doc.php?data[news][1234][body]=%3Cscript%3Ealert(1)%3C/script%3E
The regexes required for creating an exception for this example would be:

URL Regex: ^/typo/test_doc.php
Match element Regex: ARGS:.data\[news\]\[.*\]\[body\]

Use ARGS:.data instead of ARGS:data to make this a valid regular expression.
The WAF Policy configuration would be as follows:
exclude_list:
- match_element: ARGS:data\[news\]\[.*\]\[body\]
  match_element_criteria:
    match_case: SENSITIVE
    match_op: REGEX_MATCH
  uri_match_criteria:
    match_case: SENSITIVE
    match_op: REGEX_MATCH
  uri_path: ^/typo/test_doc.php
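To check which requests this exclusion actually removes from rule evaluation, the following is an added Python model of the exception above (not code from the NSX Advanced Load Balancer product or its documentation). It assumes the WAF tests uri_path against the request path and match_element against the string ARGS:<argument name>, and it goes one step beyond the page by contrasting the page's pattern with a tighter one that limits the dynamic part to digits.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# The exclude_list entry from the page, written as a Python dict (assumption: the
# WAF applies uri_path to the request path and match_element to "ARGS:<name>").
PAGE_EXCEPTION = {
    "match_element": r"ARGS:data\[news\]\[.*\]\[body\]",
    "match_element_criteria": {"match_case": "SENSITIVE", "match_op": "REGEX_MATCH"},
    "uri_match_criteria": {"match_case": "SENSITIVE", "match_op": "REGEX_MATCH"},
    "uri_path": r"^/typo/test_doc.php",  # page's regex: "." is left unescaped
}

# Same exception with the dynamic index restricted to digits. ".*" is greedy and
# also spans extra "][" segments, so the exception above is wider than intended.
TIGHT_EXCEPTION = dict(PAGE_EXCEPTION, match_element=r"ARGS:data\[news\]\[\d+\]\[body\]")


def _matches(pattern, value, criteria):
    """Apply one criteria block: REGEX_MATCH is a regex search, anything else a literal compare."""
    case_sensitive = criteria["match_case"] == "SENSITIVE"
    if criteria["match_op"] == "REGEX_MATCH":
        return re.search(pattern, value, 0 if case_sensitive else re.IGNORECASE) is not None
    return pattern == value if case_sensitive else pattern.lower() == value.lower()


def excluded_args(url, exception=PAGE_EXCEPTION):
    """Return the query-argument names of `url` that the exception removes from the rule."""
    parts = urlsplit(url)
    if not _matches(exception["uri_path"], parts.path, exception["uri_match_criteria"]):
        return []  # exception is scoped to the URL, so nothing is excluded elsewhere
    return [
        name
        for name, _ in parse_qsl(parts.query, keep_blank_values=True)
        if _matches(exception["match_element"], "ARGS:" + name, exception["match_element_criteria"])
    ]


if __name__ == "__main__":
    # Constructed sample requests; the first is the attack URL from the page.
    for url in (
        "https://appname.com/typo/test_doc.php?data[news][1234][body]=%3Cscript%3Ealert(1)%3C/script%3E",
        "https://appname.com/other.php?data[news][1234][body]=x",
        "https://appname.com/typo/test_doc.php?data[news][1][x][body]=x",
    ):
        print(url, "->", excluded_args(url), "| tight:", excluded_args(url, TIGHT_EXCEPTION))
```

The third sample shows why the scope of an exception should be reviewed: with the page's pattern the argument data[news][1][x][body] is excluded too, while the digit-only pattern still covers the intended data[news][1234][body] and nothing more.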
Configuring Regex Matching for Arguments through UI
On the NSX Advanced Load Balancer UI, navigate to . Click on the policy to be edited or create a new policy as required.
Under the Rules tab, navigate to the relevant rule under the rule sets. Click the drop-down menu for a rule to expand the configuration options. Click + Add Exception to configure the exception.
Under the EXCEPTIONS field enter the regular expression and select the check box for Regex Match.
Save the configuration.