Adding or Editing a Rule Chain

To add or edit a rule chain

1. On the Web Application Firewall > Rules page, click Add Rule Chain to add a new rule chain. To edit an existing rule chain, click its Edit Rule Chain icon under Configure.

   The New Rule Chain screen or the screen for the existing rule chain displays. Both screens have the same configurable fields in the Rule Chain section.

   

2. On the New Rule Chain page, type a descriptive name for the rule chain in the Name field.
3. Select a threat level from the Severity drop-down menu. You can select HIGH, MEDIUM, or LOW.

4. Select Disabled, Detect Only, or Prevent from the Action drop-down menu.

   • Disabled – The rule chain should not take effect.
   • Detect Only – Allow the traffic but log it.
   • Prevent – Block traffic that matches the rule and log it.

   The Disabled option allows you to temporarily deactivate a rule chain without deleting its configuration.

5. In the Description field, type a short description of what the rule chain matches or other information.
6. Select a category for this threat type from the Category drop-down menu. This field is for informational purposes and does not change the way the rule chain is applied.
7. Under Counter Settings, to enable tracking the rate at which the rule chain is being matched and to configure rate limiting, select Enable Hit Counters. Additional fields are displayed.
8. In the Max Allowed Hits field, enter the number of matches for this rule chain that must occur before the selected action is triggered.
9. In the Reset Hit Counter Period field, enter the number of seconds allowed to reach the Max Allowed Hits number. If Max Allowed Hits is not reached within this period, the selected action is not triggered, and the hits counter is reset to zero.
10. Select Track Per Remote Address to enforce rate limiting against rule chain matches coming from the same IP address. Tracking per remote address uses the remote address as seen by the SMA appliance. This covers the case where different clients sit behind a firewall with NAT enabled, causing them to effectively send packets with the same source IP.
11. Select Track Per Session to enable rate limiting based on an attacker’s browser session. This method sets a cookie for each browser session. Tracking by user session is not as effective as tracking by remote IP if the attacker initiates a new user session for each attack.
12. Click Accept to save the rule chain. A Rule Chain ID is automatically generated.
13. Next add one or more rules to the rule chain.