How to configure WAF rules to allow requests with a specific cookie
This guide shows how to configure security policies that manage requests based on specific cookie values, using Edge Firewall and WAF Rules. With this setup, your edge firewall applies different WAF rule sets to the same endpoint depending on the cookies an incoming request carries, giving you granular control while ensuring that legitimate traffic reaches your application.
Policies based on specific cookie values are useful, for example, when requests come from authenticated users or from third-party tools integrated into your infrastructure, and those requests require particular treatment.
To configure WAF rules to allow requests with a specific cookie, you must complete the following three main steps:
- Create a primary WAF Rule Set. This will be your standard WAF instance and will handle all requests that aren't for static assets.
- Create a secondary WAF Rule Set. This will allow a specific cookie and include a Custom Allowed Rule.
- Define two rules in the Rules Engine for Edge Firewall. These define the criteria and behaviors used to process requests accordingly, combining your two WAF rule sets.
Requirements
To implement this solution, you must have:
- An existing edge firewall with the WAF add-on activated.
Creating a primary WAF Rule Set
First, you must create the primary WAF Rule Set that will be used as your standard.
- Access Azion Console > WAF Rules.
- Click the + WAF Rule button.
- Give a unique and descriptive name to identify your new WAF rule set.
  - This example will use My Primary WAF - Standard.
- Define your Threat Type Configuration, selecting the threat families and sensitivity.
- Make sure the Active switch is enabled.
- Click the Save button.
Creating a secondary WAF Rule Set for a specific cookie
Still on the WAF Rules page, you must create a secondary WAF Rule Set that includes a Custom Allowed Rule. To do so:
- Click the + WAF Rule button to create the second instance.
- Give a unique and descriptive name to identify your new WAF rule set.
  - This example will use My secondary WAF - Allow cookie.
- Define your Threat Type Configuration, selecting the threat families and sensitivity.
- Make sure the Active switch is enabled.
- Click the Save button.
To create a Custom Allowed Rule, still in the WAF Rule Set you just created:
- Select the Allowed Rules tab.
- Click the + Allowed Rule button.
- In the Rule ID dropdown menu, select a rule.
  - This example will use the rule 1005 Possible SQL Injection attack: MySQL keyword | found in Body, Path, Query String or Cookies. Read more about all the available internal rules.
- In Description, explain the reason this rule was allowed.
- In Path, this example will use / to apply the rule to the whole site. Type a more specific path to suit your needs, if required.
- In the Match Zone dropdown menu, select the Conditional Request Header option.
- In the Header field, type Cookie.
- In Matches on, select the Value option.
- Click the Save button.
Configuring rules in the Rules Engine for Edge Firewall
In this step, you must create the rules that apply your recently created WAF Rule Sets accordingly.
- Open the Product menu and select Edge Firewall.
- Select the existing edge firewall where you want to configure the new rules.
- Go to the Rules Engine tab.
- Click the + Rules Engine button.
- Give the rule a name and, optionally, a description.
  - This example will use First rule - Standard as the name.
- In the Criteria field, define the following logic:
  - If Request URI does not match \.(png|jpg|css|js|jpeg|gif|ico|ttf|svg|woff|woff2|ashx|asmx|svc|otf|eot)(\?.*)?$
- Click the + And button to enable a second Criteria and define the following logic:
  - Request URI does not match [my-allowed-cookie|123]. Replace my-allowed-cookie-123 with the value of the cookie you want to allow.
- In Behavior, select the Set WAF Rule Set option. It'll open two new fields:
  - In Select a WAF Rule, select the primary rule set you created before. In this case, the one called My Primary WAF - Standard.
  - In Select a WAF Mode, select Blocking.
- Click the Save button.
Now, you must define the rule for the secondary WAF Rule Set. Still on the Rules Engine tab:
- Click the + Rules Engine button.
- Give the rule a name and, optionally, a description.
  - This example will use Second Rule - Cookies as the name.
- In the Criteria field, define the following logic:
  - If Header Cookie matches [my-allowed-cookie|123]. Replace my-allowed-cookie-123 with the value of the cookie you want to allow.
- In Behavior, select the Set WAF Rule Set option. It'll open two new fields:
  - In Select a WAF Rule, select the secondary rule set you created before. In this case, the one called My secondary WAF - Allow cookie.
  - In Select a WAF Mode, select Blocking.
- Click the Save button.
Done. Now, when a request reaches your application, Edge Firewall checks whether it includes your specific cookie. If it doesn't, the standard rule is executed. If the specified cookie is present, the request is evaluated by the second rule; in that case, the allowed Rule ID is not weighed against the Cookie header, but all other WAF rules are still checked.
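To make the routing logic above concrete, here is an added example (not Azion's own code) that models which WAF rule set the two Rules Engine rules select for a given request, using the static-asset pattern from this page and the placeholder cookie value my-allowed-cookie-123. The rule set names and the decision order follow the closing paragraph: a request carrying the allowed cookie goes to the secondary set, any other non-static request goes to the primary set.

```python
import re
from typing import Optional

# Static-asset pattern copied from the first Rules Engine rule on this page.
STATIC_ASSET_RE = re.compile(
    r"\.(png|jpg|css|js|jpeg|gif|ico|ttf|svg|woff|woff2|ashx|asmx|svc|otf|eot)(\?.*)?$"
)

# Placeholder cookie value from the page. The Rules Engine "matches" operator is a
# regex match, so the literal value is escaped: a bare "[my-allowed-cookie|123]"
# would be a character class matching any single character from that set.
ALLOWED_COOKIE_VALUE = "my-allowed-cookie-123"
ALLOWED_COOKIE_RE = re.compile(re.escape(ALLOWED_COOKIE_VALUE))

PRIMARY_SET = "My Primary WAF - Standard"       # name used on this page
SECONDARY_SET = "My secondary WAF - Allow cookie"


def is_static_asset(request_uri: str) -> bool:
    """True when the URI matches the static-asset extension pattern."""
    return STATIC_ASSET_RE.search(request_uri) is not None


def has_allowed_cookie(cookie_header: Optional[str]) -> bool:
    """True when the raw Cookie header contains the allowed cookie value."""
    return ALLOWED_COOKIE_RE.search(cookie_header or "") is not None


def select_waf_rule_set(request_uri: str, cookie_header: Optional[str]) -> Optional[str]:
    """Model of the two rules: returns the rule set name, or None if neither applies."""
    if has_allowed_cookie(cookie_header):
        # Second Rule - Cookies: Header Cookie matches the allowed value.
        return SECONDARY_SET
    if not is_static_asset(request_uri):
        # First rule - Standard: non-static request without the allowed cookie.
        return PRIMARY_SET
    # Static asset without the allowed cookie: no WAF rule set is set by either rule.
    return None


if __name__ == "__main__":
    # Constructed sample requests (URI, Cookie header) for a quick walk-through.
    samples = [
        ("/login", None),
        ("/login", "session=abc; my-allowed-cookie-123"),
        ("/static/app.js?v=2", None),
        ("/static/app.js", "my-allowed-cookie-123"),
    ]
    for uri, cookie in samples:
        print(f"{uri!r:28} cookie={cookie!r:40} -> {select_waf_rule_set(uri, cookie)}")
```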