Working with templated rules

Templated rules are partially pre-constructed rules that can help you protect against Common Vulnerabilities and Exposures (CVE) and gain visibility into registrations, logins, and API requests. For example, you can enable the GraphQL API Query templated rule to track GraphQL API requests.

Limitations and considerations

When working with templated rules, keep the following things in mind:

  • The Templated Rules page is only included with the Premier and Professional platforms. It is not included as part of the Essential platform.

  • The Signals page is only included with the Essential platform. It is not included as part of the Premier and Professional platforms.

  • Depending on the type of templated rule, the Essential platform includes a different level of support:

    Type                    | Support
    API protection rules    | Some API protection signals are not supported.
    ATO protection rules    | All ATO protection signals are not supported.
    Virtual patching rules  | Virtual patching rules are only supported in BLOCK mode. Threshold blocking is not supported.

  • To use the GraphQL API Query templated rule, your agents must be on version 4.33.0 or above.

Types of templated rules

There are three types of templated rules:

  • API protection rules: tag requests made to your API, allowing you to detect patterns such as repeated API requests from an unexpected user agent. API Protection signals are informational, so only certain requests tagged with these signals will appear in the requests page of the console. See Storage categories for additional details.

  • ATO protection rules: enable you to quickly create rules to identify account takeover (ATO) attacks, such as failed password reset attempts. With the exception of the Login and Registration groups of signals, ATO Protection signals are informational, so only certain requests tagged with these signals will appear in the requests page of the console. See Storage categories for additional details.

  • Virtual patching rules: block or log requests matching specific vulnerabilities. These can be configured to send an alert after a threshold of matching requests.

Enabling and editing templated rules

  1. From the Site Rules menu, select Templated Rules.
  2. Click View to the right of the rule you want to enable or edit.
  3. Click Configure in the upper-right corner to enable or edit the rule.
  4. In the Value fields, enter values specific to your application, such as paths, response codes, and headers. You can add, edit, and remove conditions in the rule as necessary for your application.
  5. Click Update Site Rule.

Enabling threshold blocking

When configuring Failed Logins or Failed Registrations, you have the additional option to block subsequent Login Attempts or Registration Attempts, respectively.

The duration of the block is customizable. You can choose the site default (normally 1 day), 10 minutes, 1 hour, 6 hours, or 24 hours.

Working with virtual patching rules

Virtual patching rules are partially pre-constructed rules that allow you to block, tag, and log requests that match CVEs. The rules can be configured to send an alert when a threshold of matching requests is reached.

New virtual patching rules are announced through an optional email subscription. You can subscribe to virtual patching announcements in your account settings.

Working with virtual patching rules from the Templated Rules page

For the Premier and Professional platforms, you can view, enable, and edit virtual patching rules from the Templated Rules page.

Working with virtual patching rules from the Signals page

For the Essential platform, you can view, enable, and edit virtual patching rules from the Signals page.

View virtual patching rules from the Signals page

To view virtual patching rules, follow these steps:

  1. Log in to the Next-Gen WAF console.
  2. Click the Signals tab.
  3. In the Category filter section, select CVE. The virtual patching rules are listed.

Enable virtual patching rules from the Signals page

To enable a virtual patching rule, follow these steps:

  1. On the Signals page, click View in the row of the virtual patching rule that you want to enable.

  2. Click the Configuration tab.

  3. Click the Alerts tab.

  4. Click Add alert.

    [Screenshot: Enable the CVE-2022-26134 virtual patching rule.]

  5. Fill out the alert configuration fields as follows:

    • In the Signal area, verify that the virtual patching rule that you want to enable is selected.
    • In the Action area, select Block requests immediately.
    • In the Status area, set the switch to Enabled.
  6. Click Save alert. The virtual patching rule is enabled.

  7. Click the Detections tab.

  8. Click Add detection.

    [Screenshot: Add detection for the CVE-2022-26134 virtual patching rule.]

  9. Verify the switch is set to Enabled.

  10. Click Create detection. Requests that match the virtual patching rule are assigned the tag associated with the rule.
