Set up preconfigured WAF rules

Use these instructions to set up and tune Google Cloud Armor preconfigured web application firewall (WAF) rules to help protect your application against attacks. If you are not familiar with preconfigured WAF rules, see the overview.

Set up a preconfigured WAF rule

This section provides template preconfigured WAF rules that you can copy into the Google Cloud console and customize to fit your use case. In each example gcloud command, you configure a security policy with name POLICY_NAME and priority PRIORITY.

The first example sets up a rule with a rule name RULE_NAME and a sensitivity level of SENSITIVITY, which enables all signatures with sensitivity less than or equal to SENSITIVITY. For more information about rule sensitivity, see Choose a sensitivity level.

Console

Select Advanced mode, then use the following example expression in the Match field:

evaluatePreconfiguredWaf('RULE_NAME', {'sensitivity': SENSITIVITY})

gcloud

gcloud compute security-policies rules create PRIORITY \
    --security-policy POLICY_NAME  \
    --expression "evaluatePreconfiguredWaf('RULE_NAME', {'sensitivity': SENSITIVITY})" \
    --action deny-403

The second example is similar to the first, but it opts out rule signatures SIGNATURE_1 and SIGNATURE_2. This means that these two signatures aren't evaluated when the WAF rule is evaluated:

Console

Select Advanced mode, then use the following example expression in the Match field:

evaluatePreconfiguredWaf('RULE_NAME', {'sensitivity': SENSITIVITY, 'opt_out_rule_ids': ['SIGNATURE_1', 'SIGNATURE_2']})

gcloud

gcloud compute security-policies rules create PRIORITY \
    --security-policy POLICY_NAME  \
    --expression "evaluatePreconfiguredWaf('RULE_NAME', {'sensitivity': SENSITIVITY, 'opt_out_rule_ids': ['SIGNATURE_1', 'SIGNATURE_2']})" \
    --action deny-403

The third example is similar to the second, but instead of opting out two signatures, you opt in two rule signatures. Note that you can only opt in rule signatures when you set the sensitivity level to 0:

Console

Select Advanced mode, then use the following example expression in the Match field:

evaluatePreconfiguredWaf('RULE_NAME', {'sensitivity': 0, 'opt_in_rule_ids': ['SIGNATURE_1', 'SIGNATURE_2']})

gcloud

gcloud compute security-policies rules create PRIORITY \
    --security-policy POLICY_NAME  \
    --expression "evaluatePreconfiguredWaf('RULE_NAME', {'sensitivity': 0, 'opt_in_rule_ids': ['SIGNATURE_1', 'SIGNATURE_2']})" \
    --action deny-403

In all of the previous examples, you use only one expression per rule. While you can combine expressions using the || logical operator, we recommend that you use only one expression per rule as a best practice to avoid exceeding the maximum expression size.

Examples

The examples in this section highlight important aspects of creating and tuning preconfigured WAF rules, including sensitivity level and signature exceptions. In all of the gcloud example commands, you create a security policy with the name POLICY_NAME at priority PRIORITY.

Create a rule at a given sensitivity level

In this example, you want to use all signatures in the sqli-v33-stable WAF rule with a sensitivity level less than 4. Therefore, you create the rule at sensitivity level 3, which includes all signatures with a sensitivity level less than or equal to three:

Console

Select Advanced mode, then use the following example expression in the Match field:

evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 3})

gcloud

gcloud compute security-policies rules create PRIORITY \
    --security-policy POLICY_NAME  \
    --expression "evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 3})" \
    --action deny-403

Create a rule that opts out one or more signatures

In this example, you want to use almost all of the signatures at sensitivity levels 1 and 2 in the xss-v33-stable WAF rule, but you want to exclude the signature owasp-crs-v030301-id941370-xss, which checks for JavaScript global variables. Therefore, you create the rule at sensitivity level 2 and use the opt_out_rule_ids argument to opt out of the owasp-crs-v030301-id941370-xss signature:

Console

Select Advanced mode, then use the following example expression in the Match field:

evaluatePreconfiguredWaf('xss-v33-stable', {'sensitivity': 2, 'opt_out_rule_ids': ['owasp-crs-v030301-id941370-xss']})

gcloud

gcloud compute security-policies rules create PRIORITY \
    --security-policy POLICY_NAME  \
    --expression "evaluatePreconfiguredWaf('xss-v33-stable', {'sensitivity': 2, 'opt_out_rule_ids': ['owasp-crs-v030301-id941370-xss']})" \
    --action deny-403

If you want to exclude two or more signatures from a rule, provide a comma-separated list of signatures with the opt_out_rule_ids argument, like the following example:

Console

Select Advanced mode, then use the following example expression in the Match field:

evaluatePreconfiguredWaf('xss-v33-stable', {'sensitivity': 2, 'opt_out_rule_ids': ['owasp-crs-v030301-id941370-xss', 'owasp-crs-v030301-id941380-xss']})

gcloud

gcloud compute security-policies rules create PRIORITY \
    --security-policy POLICY_NAME  \
    --expression "evaluatePreconfiguredWaf('xss-v33-stable', {'sensitivity': 2, 'opt_out_rule_ids': ['owasp-crs-v030301-id941370-xss', 'owasp-crs-v030301-id941380-xss']})" \
    --action deny-403

Create a rule that opts in one or more signatures

In this example, you want to use only the signature owasp-crs-v030301-id941150-xss from the xss-v33-stable WAF rule. The signature checks for disallowed HTML attributes, and is at sensitivity level 2. Therefore, you create the rule at sensitivity level 0 and use the opt_in_rule_ids argument to opt in the owasp-crs-v030301-id941150-xss signature. Note that you can only opt in rule signatures when you set the sensitivity level to 0:

Console

Select Advanced mode, then use the following example expression in the Match field:

evaluatePreconfiguredWaf('xss-v33-stable', {'sensitivity': 0, 'opt_in_rule_ids': ['owasp-crs-v030301-id941150-xss']})

gcloud

gcloud compute security-policies rules create PRIORITY \
    --security-policy POLICY_NAME  \
    --expression "evaluatePreconfiguredWaf('xss-v33-stable', {'sensitivity': 0, 'opt_in_rule_ids': ['owasp-crs-v030301-id941150-xss']})" \
    --action deny-403

If you want to include two or more signatures from a rule, provide a comma-separated list of signatures with the opt_in_rule_ids argument, like the following example:

Console

Select Advanced mode, then use the following example expression in the Match field:

evaluatePreconfiguredWaf('xss-v33-stable', {'sensitivity': 0, 'opt_in_rule_ids': ['owasp-crs-v030301-id941150-xss', 'owasp-crs-v030301-id941320-xss']})

gcloud

gcloud compute security-policies rules create PRIORITY \
    --security-policy POLICY_NAME  \
    --expression "evaluatePreconfiguredWaf('xss-v33-stable', {'sensitivity': 0, 'opt_in_rule_ids': ['owasp-crs-v030301-id941150-xss', 'owasp-crs-v030301-id941320-xss']})" \
    --action deny-403
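
The following Python script is an added illustration, not Google Cloud Armor code, of the selection rules the examples on this page rely on: a sensitivity level N enables every signature at level N or below, opt_out_rule_ids removes signatures from that set, and opt_in_rule_ids adds signatures but is only valid at sensitivity 0. It parses the evaluatePreconfiguredWaf() expression syntax shown above and applies those rules to a constructed signature catalogue, so you can predict which signatures a rule will evaluate before creating it. The signature IDs are the ones used on this page; the sensitivity levels in the catalogue are assumed for illustration, except that the page states owasp-crs-v030301-id941150-xss is at level 2. The sqli-v33-stable entries use placeholder IDs.

```python
"""Model of evaluatePreconfiguredWaf() signature selection (added example).

Not Cloud Armor's implementation: it reproduces the documented rules
(sensitivity threshold, opt_out_rule_ids, opt_in_rule_ids only at level 0)
over a constructed catalogue so a rule can be checked before deployment.
"""
import ast
import re

# Constructed catalogue for illustration. Sensitivity levels are assumed,
# except owasp-crs-v030301-id941150-xss, which the page states is level 2.
# The sqli-v33-stable entries are placeholder IDs, not real signature names.
CATALOGUE = {
    "xss-v33-stable": {
        "owasp-crs-v030301-id941150-xss": 2,
        "owasp-crs-v030301-id941320-xss": 2,  # assumed
        "owasp-crs-v030301-id941370-xss": 1,  # assumed
        "owasp-crs-v030301-id941380-xss": 3,  # assumed
    },
    "sqli-v33-stable": {
        "placeholder-sqli-level1": 1,
        "placeholder-sqli-level3": 3,
        "placeholder-sqli-level4": 4,
    },
}

# Matches one call: evaluatePreconfiguredWaf('<rule>', {<options>})
_CALL = re.compile(
    r"^\s*evaluatePreconfiguredWaf\(\s*'([^']+)'\s*,\s*(\{.*\})\s*\)\s*$", re.S
)


def parse_expression(expr):
    """Return (rule_name, options) from a single evaluatePreconfiguredWaf() call."""
    m = _CALL.match(expr)
    if not m:
        raise ValueError("expected a single evaluatePreconfiguredWaf() call")
    # The option map uses the same literal syntax as a Python dict, so
    # literal_eval parses it safely without executing anything.
    options = ast.literal_eval(m.group(2))
    if not isinstance(options, dict):
        raise ValueError("options must be a map")
    return m.group(1), options


def active_signatures(expr, catalogue=CATALOGUE):
    """Signatures that the rule will evaluate, as a sorted list.

    Raises ValueError for the configurations the page says are invalid
    (opt_in_rule_ids with a non-zero sensitivity) and, as a model check,
    for signature IDs not present in the catalogue for that rule.
    """
    rule_name, opts = parse_expression(expr)
    if rule_name not in catalogue:
        raise ValueError(f"unknown WAF rule {rule_name}")
    sigs = catalogue[rule_name]

    sensitivity = opts.get("sensitivity")
    if not isinstance(sensitivity, int) or not 0 <= sensitivity <= 4:
        raise ValueError("sensitivity must be an integer from 0 to 4")
    opt_in = list(opts.get("opt_in_rule_ids", []))
    opt_out = list(opts.get("opt_out_rule_ids", []))
    if opt_in and sensitivity != 0:
        raise ValueError("opt_in_rule_ids is only valid when sensitivity is 0")
    for sid in opt_in + opt_out:
        if sid not in sigs:
            raise ValueError(f"unknown signature {sid} for rule {rule_name}")

    # Level N enables every signature at level N or below; level 0 enables none.
    active = {sid for sid, level in sigs.items() if level <= sensitivity}
    active |= set(opt_in)
    active -= set(opt_out)
    return sorted(active)


def active_for_combined(expr, catalogue=CATALOGUE):
    """Union of active signatures for calls joined with ||.

    A request matches the combined expression if any call matches, so the
    evaluated signature set is the union. The page recommends one call per
    rule; this helper only shows what combining would mean.
    """
    active = set()
    for part in expr.split("||"):
        active |= set(active_signatures(part, catalogue))
    return sorted(active)


if __name__ == "__main__":
    for e in (
        "evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 3})",
        "evaluatePreconfiguredWaf('xss-v33-stable', {'sensitivity': 2, "
        "'opt_out_rule_ids': ['owasp-crs-v030301-id941370-xss']})",
        "evaluatePreconfiguredWaf('xss-v33-stable', {'sensitivity': 0, "
        "'opt_in_rule_ids': ['owasp-crs-v030301-id941150-xss']})",
    ):
        print(e, "->", active_signatures(e))
```

Run the script with no arguments to see each of the page's worked expressions resolved against the catalogue; a rule that uses opt_in_rule_ids at a non-zero sensitivity is rejected before you would otherwise discover the problem in the console.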

What's next