Limiting WAF managed firewall rules to a subset of a website

We are using the WAF managed firewall rules to protect our website.

Is there a way to setup the firewall so that it only protects part of a website?

For example, say we have two main folders in our website: one called Public for our public facing pages, and one called Private for pages that are protected by authentication.

We only want the managed firewall rules to scan traffic for all of the pages within the Public folder and to allow all traffic on all pages in the Private folder.

I see under the (custom) Firewall rules (unmanaged) that you can setup URI matching to limit pages for these rules. How can I do the same for the managed rules?

I tried setting up a custom Firewall rule that said if the URL contains “/Private/” to allow all traffic, however it did not seem to have an effect on the managed rules.

Thanks

Courtney

You could do this:

Rule: (http.request.uri.path matches "^/private/.*")
Then: Bypass -> WAF Managed Rules

The rule is the same as:

URI Path     matches regex     ^/private/.*

Short explanation: ^ is the start of the path, /private/ is what needs to follow, and .* matches all possible strings. Therefore, /private/ would be matched, but also /private/foo, /private/bar, etc.

Hope that helps

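The rule above, and the 403s reported later in the thread, both come down to what `http.request.uri.path matches "^/private/.*"` does and does not match, and to the difference between the Allow and Bypass actions. The following is an added example, not code from the original post or from Cloudflare: a small local simulation in Python that checks paths against the posted regex the way an unanchored regex search does, and models the action semantics exactly as this thread describes them (a matching Bypass rule listing WAF Managed Rules skips the managed rules; a matching Allow rule does not). The `FirewallRule`, `managed_rules_apply` and `evaluate` names and the sample paths are constructed for illustration and are assumptions, not Cloudflare's engine or API.

```python
import re
from dataclasses import dataclass, field

# Simulation of the legacy Cloudflare Firewall Rules behaviour described in
# this thread. It is NOT Cloudflare's engine; the names below are invented
# for the example. The regex itself is the one from Tom's reply.


@dataclass(frozen=True)
class FirewallRule:
    """One custom firewall rule of the form:
    (http.request.uri.path matches "<path_regex>") -> <action>"""
    path_regex: str
    action: str                       # "bypass" or "allow"
    products: frozenset = field(default_factory=frozenset)  # {"waf"} = Bypass -> WAF Managed Rules


def path_matches(pattern: str, path: str) -> bool:
    """`matches` is a regex search, not a whole-string match; that is why the
    posted rule starts with ^ (start of the path). Like the Cloudflare
    operator, this is case-sensitive unless the pattern says otherwise."""
    return re.search(pattern, path) is not None


def managed_rules_apply(rules, path: str) -> bool:
    """Return True if the WAF managed rules would still scan a request for `path`.

    Only a matching rule whose action is 'bypass' and whose product list
    includes the WAF switches the managed rules off. A matching 'allow' rule
    lets the request through the custom rules but, as the thread reports,
    does not stop the managed rules from firing.
    """
    for rule in rules:
        if not path_matches(rule.path_regex, path):
            continue
        if rule.action == "bypass" and "waf" in rule.products:
            return False
        if rule.action == "allow":
            return True
    return True


# The rule exactly as posted in the thread.
RULE_AS_POSTED = FirewallRule(r"^/private/.*", "bypass", frozenset({"waf"}))

# Same rule with an inline case-insensitive flag, so /Private/... also matches.
RULE_CASE_INSENSITIVE = FirewallRule(r"(?i)^/private/.*", "bypass", frozenset({"waf"}))

# The first attempt from the question: same path pattern, but action Allow.
RULE_ALLOW_ONLY = FirewallRule(r"^/private/.*", "allow")

# Constructed sample paths (assumption): note the capital P in the third one,
# which is how the folder was spelled in the question.
SAMPLE_PATHS = [
    "/private/",
    "/private/foo",
    "/Private/report.aspx",
    "/privateer",
    "/public/index.html",
]


def evaluate(rule: FirewallRule, paths):
    """Map each path to whether the managed rules would still run under `rule`."""
    return {p: managed_rules_apply([rule], p) for p in paths}


if __name__ == "__main__":
    for name, rule in [("as posted", RULE_AS_POSTED),
                       ("case-insensitive", RULE_CASE_INSENSITIVE),
                       ("allow only", RULE_ALLOW_ONLY)]:
        print(f"--- rule {name}: {rule.path_regex} -> {rule.action}")
        for path, scanned in evaluate(rule, SAMPLE_PATHS).items():
            print(f"{path:24} managed rules {'RUN' if scanned else 'skipped'}")
```

Running it shows that `^/private/.*` skips the managed rules for `/private/` and `/private/foo` but not for `/Private/report.aspx` (the match is case-sensitive, so a folder spelled with a capital P is still scanned and can still produce a managed-rule 403) nor for `/privateer` (the trailing slash in the pattern is doing real work). The `(?i)` prefix makes the match case-insensitive; wrapping the field in `lower()` in the expression is the other common way to get the same effect. The Allow variant changes nothing about the managed rules, which is the behaviour the question describes. One caveat before copying this pattern: bypassing the WAF for the authenticated part of a site removes inspection from exactly the pages a logged-in or session-hijacking attacker would target, so keep the bypassed prefix as narrow as the false positives actually require.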

Tom,

Thanks for the RegEx pattern matching string for the URI.

However, in your comment you said to setup the URI path Rule and then “Bypass -> WAF Managed Rules”.

How do I bypass the managed rules for this new custom Firewall rule I am creating for the Private folder?

I don’t want the managed rules for the Private folder, but they need to remain ON for my Public folder.

If I turn off all the managed rules, then they will not be applied to my Public folder which is where we need the WAF protection.

Thanks

Courtney

That’s why you don’t use “Allow” for that pattern, but Bypass -> WAF Managed Rules.

Yup thanks, I had not seen the action named “BYPASS”!!

I thought you were just telling me to bypass all the rules somehow (maybe turning them off)

I was stuck on using the Action “Allow” which is wrong.

Since you steered me in the right direction, I have tried the rule using Bypass -> WAF Managed Rules a couple of times now and I am still getting HTTP 403 blocks (assuming they are a result of the managed rules still firing). Now maybe it’s just a path pattern matching issue.

Thanks again

Courtney