Scan protection rules


Scan protection identifies scanner behavior and signatures to detect large-scale scans against your website, then blocks or blacklists the attack source to reduce intrusion risk and unwanted traffic.

Configure scan protection rules

  1. In the ESA console, select Websites, and in the Actions column of the target website, click WAF.

  2. On the website details page, select Security > WAF > Scan Protection Rules.

  3. On the Scan Protection Rules tab, click Create Rule Set.

    • Enter a Ruleset Name.

    • If requests match...: Set the criteria for incoming requests. These rules apply only to requests that match the specified criteria. Available matching fields are described in Components of a rule expression.

    • Trigger the protection type...: Select the protection type to activate for matching requests.

      Note

      Configure at least one of the High-frequency Scanning Blocking or Directory Traversal Blocking rules.

      • Configure a high-frequency scanning blocking rule

        Adds an attack source to the blacklist when it triggers managed rules for the protected object multiple times within a short period. All requests from this source are then blocked or monitored for a specified duration.

        | Parameter | Description |
        | --- | --- |
        | Block Object | Attack source type to track: Cookie Value Of (tracks attack frequency by a specific cookie value), Header (by a specific request header), Client IP (by client IP address), Session (by client session), or URI Query String Parameter (by a specific query string parameter). |
        | Time Range (Seconds) | Time window for detecting requests. Valid values: 5 to 1,800 seconds. |
        | Trigger Threshold (Times) | Maximum number of times a tracked object can trigger basic protection rules within the time window. Valid values: 3 to 50,000. |
        | Triggered Rules | Maximum number of distinct basic protection rules a tracked object can trigger within the time window. Valid values: 1 to 50. |
        | Blocking Duration (Seconds) | Duration for which the matched object is blocked. Valid values: 60 to 86,400 seconds. |

      • Configure a directory traversal blocking rule

        Adds an attack source to the blacklist when it accesses many non-existent directories on the protected object within a short period. All requests from this source are then blocked or monitored for a specified duration.

        | Parameter | Description |
        | --- | --- |
        | Block Object | Attack source type to track: Cookie Value Of (tracks attack frequency by a specific cookie value), Header (by a specific request header), Client IP (by client IP address), Session (by client session), or URI Query String Parameter (by a specific query string parameter). |
        | Time Range (Seconds) | Time window for detecting requests. Valid values: 5 to 1,800 seconds. |
        | Requests | Maximum number of requests a tracked object can send to a single domain within the time window. Valid values: 3 to 50,000. |
        | 404 Error Rate | Maximum percentage of requests that return a 404 response code. Valid values: 1 to 100 percent (%). |
        | Non-existent Directories | Maximum number of non-existent directories a tracked object can access within the time window. Static files such as images are excluded. Valid values: 2 to 50,000. |
        | Blocking Duration (Seconds) | Duration for which the matched object is blocked. Valid values: 60 to 86,400 seconds. |

      • Scanner Blocking

        Blocks or monitors requests from common scanners such as Sqlmap, Acunetix (AWVS), Nessus, AppScan, WebInspect, Netsparker, Nikto, and RSAS.

    • Then execute...: Action to take on matching requests, as described in WAF.

  4. Click OK.
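As an added illustration of how the directory traversal blocking counters above work together (this is example code, not ESA's implementation or a description of it), the following Python script replays constructed access-log records through a simplified version of the rule, tracking by Client IP. The threshold values, the static-file extension list, the "count exceeds the maximum" comparison, and the use of a 404 path's parent directory as the "non-existent directory" are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

STATIC_EXT = (".png", ".jpg", ".gif", ".css", ".js", ".ico")  # assumed static set


@dataclass
class DirTraversalRule:
    """Thresholds named as in the directory traversal table; values are assumed."""
    time_range: int = 60      # Time Range (Seconds), 5 to 1,800
    requests: int = 10        # Requests, 3 to 50,000
    err_rate_404: int = 50    # 404 Error Rate (%), 1 to 100
    missing_dirs: int = 5     # Non-existent Directories, 2 to 50,000
    block_seconds: int = 600  # Blocking Duration (Seconds), 60 to 86,400


def parent_dir(path):
    """Directory part of a request path: '/admin/x.php' -> '/admin'."""
    return path.rsplit("/", 1)[0] or "/"


def evaluate(records, rule):
    """records: (ts, client_ip, path, status) tuples, tracked by Client IP.
    Returns {client_ip: block_until_ts} for each source whose sliding window
    of rule.time_range seconds exceeds all three limits at once."""
    by_src = defaultdict(list)
    for ts, src, path, status in sorted(records):
        by_src[src].append((ts, path, status))
    blocked = {}
    for src, recs in by_src.items():
        for i, (ts, _, _) in enumerate(recs):
            win = [r for r in recs[: i + 1] if ts - r[0] < rule.time_range]
            n404 = sum(1 for _, _, st in win if st == 404)
            # Distinct directories answered with 404; static files excluded.
            dirs = {parent_dir(p) for _, p, st in win
                    if st == 404 and not p.lower().endswith(STATIC_EXT)}
            if (len(win) > rule.requests
                    and 100 * n404 / len(win) > rule.err_rate_404
                    and len(dirs) > rule.missing_dirs):
                blocked[src] = ts + rule.block_seconds  # blacklist the source
                break
    return blocked


# Constructed log: 203.0.113.9 probes missing directories, 198.51.100.4 browses normally.
SAMPLE = [(t, "203.0.113.9", f"/{d}/index.php", 404) for t, d in enumerate(
    ["admin", "backup", "old", "test", "dev", "tmp"])]
SAMPLE += [(t + 6, "203.0.113.9", f"/x{t}/a.php", 404) for t in range(6)]
SAMPLE += [(t, "198.51.100.4", "/", 200) for t in range(15)]
print(evaluate(SAMPLE, DirTraversalRule()))  # {'203.0.113.9': 610}
```

The benign source is never blocked because its 404 rate stays at zero, and a source that only requests missing static files is not blocked either because those paths do not count toward Non-existent Directories.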

Supported editions

| Item | Free | Basic | Standard | Advanced | Enterprise |
| --- | --- | --- | --- | --- | --- |
| Number of supported scan protection rules | Not supported | Not supported | 5 | 10 | 20 |