Setup Custom Rules and Exceptions

What are Custom Rules and Exceptions?

CloudGuard WAF is automatically configured through the wizard and learning mechanisms, which are sufficient in most cases.

Custom Rules and Exceptions allow security administrators to fine-tune behavior when specific traffic should be handled differently — for example, to prevent false positives or adjust enforcement for known traffic patterns.

Creating an Exception

Steps:

  1. Go to Monitor -> Important Events

  2. Right-click a relevant log (URI, Parameter Name, etc.)

  3. Select Add a Custom Rule / Exception

  4. Review the exception and click OK and Enforce

Actions

  • Accept – Allow matching traffic

  • Drop – Block matching traffic

  • Skip – Skip inspection of a specific parameter or indicator while continuing to inspect the rest of the request

    • Only relevant to the Web Attacks sub-practice

  • Suppress Log – Do not generate logs for matching traffic

Exception Keys Overview

| Exception Key | What It Matches | Relevant Security Practices |
| --- | --- | --- |
| Host | HTTP host name (regular expression) | All CloudGuard WAF Security |
| URI | Full HTTP request URI | All CloudGuard WAF Security |
| HTTP Method | HTTP method (GET, POST, PUT, DELETE, PATCH) | All CloudGuard WAF Security |
| Source IP | Client IP address or CIDR range | All CloudGuard WAF Security |
| Source Identifier | Identifier as defined in the asset configuration (regular expression) | All CloudGuard WAF Security |
| Country Code | Source country based on IP (ISO-3166 Alpha-2 code) | All CloudGuard WAF Security |
| Country Name | Source country name based on IP (ISO-3166) | All CloudGuard WAF Security |
| Header Name | HTTP header name (regular expression) | All CloudGuard WAF Security |
| Header Value | HTTP header value (regular expression) | All CloudGuard WAF Security |
| Parameter Name | Name of a parameter in the request body (XML or JSON) | Web and API Attacks, Schema Validation |
| Parameter Value | Value of a parameter in the request body (XML or JSON) | Web and API Attacks, Schema Validation |
| Parameter Location | Location of the matched parameter (e.g. body, cookie, URL) | Web and API Attacks |
| Indicator | Specific indicator(s) detected by the WAF (regular expression) | Web and API Attacks |
| Response Body | Pattern found in the HTTP response body (regular expression) | All CloudGuard WAF Security |
| Protection Name | Name of the security signature or protection | IPS and Snort Rules only |
| File Name | Name of a transferred file | File Security only |
| File Hash | MD5 hash of a transferred file | File Security only |

Some exception keys support the Skip action. See Skip Action Support for details and limitations.

Skip Action Support

The Skip action allows excluding a specific part of a request from inspection, while continuing to inspect the rest of the traffic for malicious behavior.

Skip is typically used to reduce false positives caused by known parameters or indicators, without weakening overall protection.

How Skip Works

The Skip action excludes a specific matched value from security inspection, while continuing to inspect all other parts of the request.

  • Skip applies only to Skip-capable keys (Parameter Name, Parameter Value, and Indicator), which define what is skipped

  • All other keys act as scope or context, limiting when the exception applies

  • Only the matched value is skipped — all other request components continue to be inspected

| Exception Key | Skip-capable |
| --- | --- |
| Parameter Name | Yes |
| Parameter Value | Yes |
| Indicator | Yes |
| Host, URI, Source Identifier, Source IP, Parameter Location, HTTP Method, Header Value, Header Name | Not on their own |

Example Explained

This exception skips security inspection for the value of the data.check_ip2 parameter on requests sent to the /uri URI from the specified source.
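The following is an added example, not CloudGuard WAF code or its configuration format: a small Python model of the Skip semantics described above, usable as a pre-review lint that checks a Skip exception names a Skip-capable key and shows which body parameters stay inspected. The dictionary layout, function names, dotted parameter naming, regular-expression full matching, AND semantics between scope keys, and the 203.0.113.0/24 source range are all assumptions made for illustration.

```python
import ipaddress
import re

# Keys the page lists as Skip-capable; all other keys only scope the exception.
SKIP_CAPABLE = {"Parameter Name", "Parameter Value", "Indicator"}

def validate_skip(exception):
    """Lint a Skip exception: it needs a Skip-capable key, and should be scoped."""
    keys = set(exception["match"])
    problems = []
    if exception["action"] == "Skip":
        if not keys & SKIP_CAPABLE:
            problems.append("Skip needs Parameter Name, Parameter Value or Indicator")
        if not keys - SKIP_CAPABLE:
            problems.append("no scope key: the skip would apply to all traffic")
    return problems

def flatten(obj, prefix=""):
    """Flatten a JSON body to dotted names (assumed naming, as in data.check_ip2)."""
    out = {}
    for key, value in obj.items():
        if isinstance(value, dict):
            out.update(flatten(value, f"{prefix}{key}."))
        else:
            out[f"{prefix}{key}"] = value
    return out

def in_scope(match, request):
    """Every scope key present must match (AND semantics are an assumption)."""
    if "URI" in match and not re.fullmatch(match["URI"], request["uri"]):
        return False
    if "Source IP" in match:
        network = ipaddress.ip_network(match["Source IP"])
        return ipaddress.ip_address(request["source_ip"]) in network
    return True

def inspected_params(exception, request):
    """Body parameter names still inspected once the exception is applied."""
    params = flatten(request["body"])
    pattern = exception["match"].get("Parameter Name")
    if exception["action"] != "Skip" or not pattern or not in_scope(exception["match"], request):
        return sorted(params)
    return sorted(name for name in params if not re.fullmatch(pattern, name))

# Constructed sample data, modelled on the page's example; the source range is made up.
EXCEPTION = {"action": "Skip", "match": {
    "URI": "/uri", "Source IP": "203.0.113.0/24", "Parameter Name": r"data\.check_ip2"}}
REQUEST = {"uri": "/uri", "source_ip": "203.0.113.7", "body": {
    "data": {"check_ip2": "10.0.0.1|10.0.0.2", "comment": "hello"}, "id": 5}}
```

For the sample request only `data.check_ip2` leaves inspection; the same request from an address outside the scoped range keeps every parameter inspected.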
