Setup Custom Rules and Exceptions

Configuring a Web Application / API is easily done via the configuration wizard, and in the vast majority of cases this is enough to fully protect the web assets without additional manual changes.

However, as event logs appear, a security administrator might want to make specific exceptions to the default behavior of the system, regardless of the automatic learning mechanism.

Configuring Custom Rules and Exceptions Upon Log

The most common use case for configuring a custom rule or exception is when a log is issued and the security administrator decides that traffic matching one of the log fields (for example, the URI field) should not be detected or blocked by the CloudGuard WAF engine.

Step 1: In the events view, right-click the log parameter on which the exception should be based and select "Add Exception"

Step 2: Review the custom rule / exception details and click OK

A common change might be to generalize the exception to all sources by deleting the condition for "Source Identifier", or to change the action from "Skip" (relevant only for the "Matched Parameter" field) to "Accept".

A custom rule/exception configured this way applies to the combination of the specific CloudGuard WAF security practice that caught the original event and the Asset relevant for the same traffic.

For further information on how to configure exceptions from asset view and the full options an exception can provide, please read further.

Possible actions for custom rules and exceptions

  • Accept - Traffic matching the exception's conditions will be accepted.

  • Drop - Traffic matching the exception's conditions will be blocked.

  • Skip - Relevant only for specific keys like "Parameter Name", "Parameter Value" and "Indicator". Excludes the value of the matching parameter from inspection by the CloudGuard WAF engines. The rest of the traffic is still inspected for malicious behavior. The Skip action is not supported with Schema Validation.

  • Suppress Log - Traffic matching the exception's condition will not activate their Log Trigger object/s upon event.

Possible conditions for custom rules and exceptions

Keys

Several keys can be set in custom rules and exceptions. Each of them may be relevant to a different security practice or sub-practice.

For CloudGuard WAF:

| Exception Key | Value String Search Location | Relevant for Skip Action | Relevant Practices |
|---|---|---|---|
| Host | Regular expression of the HTTP Host name | Not on its own | All CloudGuard WAF Security |
| URI | HTTP full URI in request | Not on its own | All CloudGuard WAF Security |
| Source Identifier | Regular expression of the identifier, according to the definition of Source Identifier in the Asset's configuration | Not on its own | All CloudGuard WAF Security |
| Source IP | IP address of the request's source in IP address or CIDR format (e.g. "<IP address>/<number of bits for network>") | Not on its own | All CloudGuard WAF Security |
| Parameter Name | Regular expression of a parameter name. The parameter name is a key in the HTTP request body's XML or JSON file | Yes | Web and API attacks, and Schema Validation |
| Parameter Value | Regular expression of a parameter value. The parameter value is the value of a key in the HTTP request body's XML or JSON file | Yes | Web and API attacks, and Schema Validation |
| Parameter Location | A value that matches the "Matched Location" field values in a CloudGuard WAF Log (e.g. "body", "cookie", "url", etc.) | Yes | Web and API attacks |
| Indicator | Regular expression of indicator/s to be used with the "Skip" action. Allows exclusion of desired indicators while continuing to provide security for all other traffic. | Yes | All CloudGuard WAF Security |
| Protection Name | The protection name used by the security sub-practice | No | IPS and Snort Rules only |
| Country Code | For Geolocation-based exceptions. Country is resolved according to the source IP address. Code is the recommended use for country-based exceptions and can be searched according to the Alpha-2 code of ISO-3166. | Not on its own | All CloudGuard WAF Security |
| Country Name | For Geolocation-based exceptions. Country is resolved according to the source IP address. Name is less recommended for country-based exceptions, but is more readable. Exact names can be searched according to ISO-3166. | Not on its own | All CloudGuard WAF Security |
| File Hash | MD5 string of the file the exception should apply to. | No | File Security only |
| File Name | The file name to match the configured exception. | No | File Security only |
| Response Body (Note: scanning response traffic adds a performance impact.) | Regular expression of a pattern within the HTTP Response Body | Not on its own | All CloudGuard WAF Security. In addition, this key allows adding manually Data Loss Prevention (DLP) rules |
| HTTP Method | The relevant HTTP method: GET, POST, PUT, DELETE, PATCH | Not on its own | All CloudGuard WAF Security |
| Header Value | Regular expression of the HTTP header value | Not on its own | All CloudGuard WAF Security |
| Header Name | Regular expression of the HTTP header name | Not on its own | All CloudGuard WAF Security |

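Regular Expression Values

The following is only relevant for keys where the table states their value is a regular expression.

When an exception key expects a regular expression (regex) value, it should be configured according to PCRE 2.0. The value undergoes a partial search unless the '^' or '$' regular expression operators are used.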

Operators

A complex logical expression with "AND" and "OR" between conditions can be created.

In addition - the following operators are available for each condition:

  • Equals

  • Not Equals

  • Key Exists
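
Because regular expression values undergo a partial search, an exception can cover more traffic than the log entry it was created from. The following is an added example, not Check Point code: it models the conditions described on this page (AND/OR between conditions, the Equals / Not Equals / Key Exists operators, regex and CIDR values) so a draft exception can be previewed against sample requests. The key labels, the dictionary layout and the handling of missing fields are assumptions, and Python's `re` stands in for PCRE 2.0, which behaves the same for the simple patterns used here.

```python
import ipaddress
import re

# Hypothetical key labels for this sketch; "uri" and "host" take regex values.
REGEX_KEYS = {"uri", "host"}

def value_matches(key, value, actual):
    """Compare one configured value with one request field."""
    if key == "sourceIp":  # single IP address or CIDR, as in the keys table
        return ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
    if key in REGEX_KEYS:  # partial search unless the pattern uses ^ or $
        return re.search(value, actual) is not None
    return value == actual

def evaluate(cond, request):
    """Evaluate a nested AND/OR tree of conditions against one request."""
    if "and" in cond:
        return all(evaluate(c, request) for c in cond["and"])
    if "or" in cond:
        return any(evaluate(c, request) for c in cond["or"])
    key, op = cond["key"], cond["op"]
    if op == "exists":
        return key in request
    if key not in request:  # assumption: a missing field never matches
        return False
    hit = value_matches(key, cond["value"], request[key])
    return hit if op == "equals" else not hit

def covered(cond, requests):
    """URIs of the requests an exception with these conditions would apply to."""
    return [r["uri"] for r in requests if evaluate(cond, r)]

def exception_for(uri_regex):
    """URI condition AND internal-source condition, as one exception."""
    return {"and": [{"key": "uri", "op": "equals", "value": uri_regex},
                    {"key": "sourceIp", "op": "equals", "value": "10.0.0.0/8"}]}

# Constructed sample requests, not taken from real logs.
REQUESTS = [
    {"uri": "/api/health", "sourceIp": "10.1.2.3"},
    {"uri": "/admin/api/health-export", "sourceIp": "10.1.2.3"},
    {"uri": "/api/health?probe=1", "sourceIp": "10.9.9.9"},
    {"uri": "/api/health", "sourceIp": "203.0.113.9"},
]

if __name__ == "__main__":
    print("unanchored:", covered(exception_for(r"/api/health"), REQUESTS))
    print("anchored:  ", covered(exception_for(r"^/api/health$"), REQUESTS))
```

The unanchored pattern also covers the admin path and the query-string variant, while the anchored pattern covers only the exact URI from an internal source.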

View And Configure Custom Rules and Exceptions In Assets

Configuring custom rules and exceptions

Step 1: Browse to Policy->Assets, edit an existing asset and click on the "Custom Rules and Exceptions" tab

Step 2: Click to add a new custom rule / exception

Step 3: Create the exclusion according to the options described in this page

When clicking the 3 dotted lines you will see the logical operators available for multiple conditions:

When clicking on the ':' between key and value you will see the additional value-based operators for a single condition:

Add a comment for view purposes and click OK.

Viewing Custom Rules and Exceptions

When custom rules and exceptions are configured, the same location in the asset provides a view of the exceptions for the practice used by the asset. The view shows the comment and the last administrator that edited the exception:

All rules that are shown under the Custom Rules and Exceptions tab are being enforced. The order does not matter.

Save Custom Rules and Exceptions for Reuse In Additional Assets/Practices

It is possible to save a group of exception rules under a global name, and then use the same object in multiple assets and practices.

Configure an Existing Custom Rule/Exception as Global

Step 1: Click on the 3 dots in the top right corner of the custom rules and exceptions view

Step 2: Click Save and give a name to the new global "Exceptions" object

Step 3: In additional assets you can now click "Load" in the same location and select an existing "Custom Rules/Exceptions" object

View and Manage Global Custom Rules and Exceptions Objects

The global custom rules/exceptions objects can be viewed and edited under Policy->Behaviors:

