Exceptions are a common way of tuning a WAF Policy to work with an application. The following section lists common use cases for creating Exceptions. It also explains how to configure Exceptions, the recommended workflow, and the Match Elements and XML Exceptions that can be configured as part of it.

These are created when the regular traffic of the application matches specific WAF rules. The following are a few other reasons for creating Exceptions:

  • For false positive mitigation.

  • For applications transmitting data that might appear like an attack. For instance, transferring HTML content in query parameters.

  • For applications with special requirements that are not allowed in the WAF Policy. For instance, accessing an application using its IP address.

  • You can use NSX Advanced Load Balancer Recommendation system to create Exceptions or add them manually. For more information, see Accessing Recommendations.

To define an Exception manually.

  • Click +Add Exception to manually configure Exceptions.

  • Configure Exceptions for IP address or subnet, path, or any match element. For example,

Subnet- 10.0.0.0/8, Path- /application , Match Element - REQUEST_BODY
  • Configure the following options for Path and Match Element, as required:

    • Case Sensitive - The case of the characters have to match.

    • Regex Match - The pattern of the string of characters have to match.

Note:

Exceptions can be created on a CRS group or rule level.

The rule configured with Exception PATH - /application is as shown below:



Supported Match Elements

Exceptions can be created for the following match elements:

ARGS, ARGS_GET, ARGS_POST, ARGS_NAMES, FILESQUERY_STRING, REQUEST_BASENAME, REQUEST_BODY, REQUEST_URI, REQUEST_URI_RAW, REQUEST_COOKIES, REQUEST_HEADERS, RESPONSE_HEADERS, XML.

For example, creating an Exception for ARGS:password at a WAF rule level implies that the rule will not examine the password HTTP parameter (sent in URL or request body - as JSON, XML or HTML form). The rule will continue checking other parts of a HTTP request that are not specified as Exceptions.