If the CRS version is updated, all new CRS rules will be in Detection mode. With this, you can update the CRS ruleset without any risk in production. However, these new rules must be moved into Enforcement mode (or Use Policy Mode) manually.
This feature works only if you have the NSX Advanced Load Balancer Enterprise License for Cloud Services.
For Controllers setup in the ENTERPRISE_WITH_CLOUD_SERVICES tier, the WAF Signatures Service automatically pushes new rules to Controllers where this service is enabled.
For Controllers without this setup, you can opt-in to receive notifications with download links when new rules become available. Once downloaded, the rules can be manually uploaded to the NSX Advanced Load Balancer Controller.
All updated rules will continue to remain in the same mode and the existing Exceptions will be applied to the rules.
To update CRS Rules do the following:
Navigate to
.Click the Edit icon for the WAF Policy.
Under the Signatures tab, scroll down to the CRS Rules section.
Note:The Reset Overrides button resets all rule mode changes back to inherited mode. It is very useful after a CRS update, when new rules have been tested and are now ready to be part of the WAF policy mode.
Select the required CRS Version from the drop-down menu.
The Change Log is displayed as shown below. Click OK to confirm and update the CRS version.
The final step in WAF processing is a Signature check. CRS can be configured under the Signatures tab. You can configure to execute custom rules before CRS (Pre-CRS rules) or after CRS (Post-CRS rules).
When using features like Anomaly Detection, the CRS Group CRS_901_Initialization must be enabled, without which required anomaly thresholds are not configured to the defaults. It is generally recommended to keep this group enabled.
Auto Update of CRS Rules
Starting with NSX Advanced Load Balancer 22.1.3, support for auto-update of CRS rule is available. The following two check boxes have been introduced in the NSX Advanced Load Balancer for CRS auto-update.
Enable CRS auto-update - The corresponding flag for the CLI is auto_update_crs.
Enable all new rules in Detection mode - The corresponding flag for the CLI is updated_crs_rules_in_detection_mode.
Enable CRS Auto-update
If the Enable CRS auto-update option is selected, the system keeps the CRS version used in this policy up-to-date. If a newer CRS object is available on the Controller, the system initiates the CRS upgrade process for this WAF Policy. It will not update polices if the current CRS version is set as CRS-VERSION-NOT-APPLICABLE. The Enable CRS auto-update check box is available under as shown below.
You can login to NSX Advanced Load Balancer Controller and use show wafpolicy <policy name>
command to check the status of the auto_update_crs flag.
[admin:controller]: > show wafpolicy Test-1 | grep crs | waf_crs_ref | CRS-2022-2 | | auto_update_crs | False | | updated_crs_rules_in_detection_mode | True | [admin:controller]: >
Enable All New Rules in Detection Mode
While updating CRS, new rules are added in Detection mode by default. As of NSX Advanced Load Balancer 22.1.3, a CRS update will only treat new rules differently if the policy is in Enforcement mode.
In this case, the update will set new rules into Detection mode by adding CRS overrides for the new rules. If the updated_crs_rules_in_ detection_mode flag is not set or if the policy mode is Detection, rules will be added without new CRS overrides. The flag is used for the auto_ update crs (CLI) and for the Ul-based CRS update workflows.
The Enable all new rules in Detection mode check box is available under as shown in the screenshot in the Enable CRS Auto-update section.
You can login to the NSX Advanced Load Balancer Controller and use show wafpolicy <policy name>
command to check the status of the updated_crs_rules_in_detection_mode flag.
[admin:controller]: > show wafpolicy Test-1 | grep crs | waf_crs_ref | CRS-2022-2 | | auto_update_crs | False | | updated_crs_rules_in_detection_mode | True | [admin:controller]: >