Configuring Signature Based Custom Handling and Exclusions

You can disable inspection for a signature in traffic to an individual host, or for all hosts. You can also change the handling of detected threats for an individual host or for all hosts. If the signature group to which the signature belongs is set globally to Detect All, you can raise the level of protection to Prevent for the configured hosts. If no hosts are configured, the action is applied to the signature itself and acts as a global setting for all hosts. This change blocks access to a host when the attack signature is detected. Similarly, you can lower the level of protection to Detect if the associated signature group is globally set to Prevent All.

To configure one or more hosts with an exclusion from inspection for a signature, or to configure custom handling when Web Application Firewall detects a specific signature for one or more hosts

1. On the Web Application Firewall > Signatures page, click Configure for the signature that you wish to change. The Edit WAF Signature-based Exclusions screen displays.

   

2. In the Edit WAF Signature-based Exclusions screen, select one of the following actions from the Action drop-down menu:

   • DISABLE – Disable Web Application Firewall inspections for this signature in traffic from hosts listed in this exclusion
   • DETECT – Detect and log threats matching this signature from hosts listed in this exclusion, but do not block access to the host
   • PREVENT – Log and block host access for threats matching this signature from hosts listed in this exclusion
   • Inherit Global – Allows to inherit the global settings and inspect on any threats involved.
3. To apply this action globally to all hosts, leave the Host field blank. To apply this action to an individual host, type the host entry as it appears in the bookmark or offloaded application into the Host field. This can be a host name or an IP address.
4. You can configure a path to a particular folder or file along with the host. The protocol, port, and the request parameters are simply ignored in the URL. If a path is configured, then the exclusion is recursively applied to all subfolders and files. For instance, if Host is set to webmail.yourcompany.com/exchange, then all files and folders under exchange are also excluded.
5. If you specified a host, click Add to move the host name into the list box.
6. Click Accept. If the Host list contains host entries, Secure Mobile Access verifies that each host entry is valid. If no hosts were specified, a dialog box confirms that this is a global action to be applied to the signature itself.
7. Click OK in the confirmation dialog box.
8. Click Accept on the Web Application Firewall > Signatures page to apply the updated settings. New settings are applied to any new HTTP connections and requests. The existing HTTP connections and requests continues to use the old settings until they are terminated.