# Setup Custom Rules and Exceptions

### What are Custom Rules and Exceptions?

CloudGuard WAF is automatically configured through the wizard and learning mechanisms, which are sufficient in most cases.

Custom Rules and Exceptions allow security administrators to fine-tune behavior when specific traffic should be handled differently — for example, to prevent false positives or adjust enforcement for known traffic patterns.

### Creating an Exception

{% tabs %}
{% tab title="Create an Exception from a Log" %}
**Steps:**

1. Go to **Monitor → Important Events**
2. Right-click a relevant Log (URI, Parameter Name, etc.)
3. Select **Add a Custom Rule / Exception**

<figure><img src="https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2FNDuql0opSZIlLPvRlcmy%2F%7B0766A142-4A85-4299-8FD6-9FD58E65A6D2%7D.png?alt=media&#x26;token=d392b6d0-3671-4356-964c-be7f978644f0" alt=""><figcaption></figcaption></figure>

4. Review the exception and click **OK** and **Enforce**
   {% endtab %}

{% tab title="Create an Exception from Asset" %}

1. Go to **Policy → Assets**
2. Edit an asset and open **Custom Rules and Exceptions**
3. Click to add a new rule

<figure><img src="https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2FjgchX2CYOAa6P1YTU5fG%2Fimage.png?alt=media&#x26;token=f101b65a-1858-4457-85ba-5cbe33ea08f1" alt=""><figcaption></figcaption></figure>

4. Configure conditions and action
5. Click **OK** and **Enforce**
   {% endtab %}
   {% endtabs %}

### Actions

* **Accept** – Allow matching traffic
* **Drop** – Block matching traffic
* **Skip** – Skip inspection of a specific parameter or indicator while continuing to inspect the rest of the request
  * Relevant only to the Web Attacks sub-practice
* **Suppress Log** – Do not generate logs for matching traffic

### Exception Keys Overview

| Exception Key          | What It Matches                                                       | Relevant Security Practices            |
| ---------------------- | --------------------------------------------------------------------- | -------------------------------------- |
| **Host**               | HTTP host name (regular expression)                                   | All CloudGuard WAF Security            |
| **URI**                | Full HTTP request URI                                                 | All CloudGuard WAF Security            |
| **HTTP Method**        | HTTP method (GET, POST, PUT, DELETE, PATCH)                           | All CloudGuard WAF Security            |
| **Source IP**          | Client IP address or CIDR range                                       | All CloudGuard WAF Security            |
| **Source Identifier**  | Identifier as defined in the asset configuration (regular expression) | All CloudGuard WAF Security            |
| **Country Code**       | Source country based on IP (ISO-3166 Alpha-2 code)                    | All CloudGuard WAF Security            |
| **Country Name**       | Source country name based on IP (ISO-3166)                            | All CloudGuard WAF Security            |
| **Header Name**        | HTTP header name (regular expression)                                 | All CloudGuard WAF Security            |
| **Header Value**       | HTTP header value (regular expression)                                | All CloudGuard WAF Security            |
| **Parameter Name**     | Name of a parameter in the request body (XML or JSON)                 | Web and API Attacks, Schema Validation |
| **Parameter Value**    | Value of a parameter in the request body (XML or JSON)                | Web and API Attacks, Schema Validation |
| **Parameter Location** | Location of the matched parameter (e.g. body, cookie, URL)            | Web and API Attacks                    |
| **Indicator**          | Specific indicator(s) detected by the WAF (regular expression)        | Web and API Attacks                    |
| **Response Body**      | Pattern found in the HTTP response body (regular expression)          | All CloudGuard WAF Security            |
| **Protection Name**    | Name of the security signature or protection                          | IPS and Snort Rules only               |
| **File Name**          | Name of a transferred file                                            | File Security only                     |
| **File Hash**          | MD5 hash of a transferred file                                        | File Security only                     |

{% hint style="info" %}
Some exception keys support the **Skip** action. See **Skip Action Support** for details and limitations.
{% endhint %}

{% hint style="warning" %}
**IPS Exceptions Scope**

Exceptions for requests that are **blocked or detected by IPS** are evaluated **only** against the following attributes:

* `protectionName` – The name of the signature
* `hostName` – The HTTP host name (if available)
* `sourceIP` – The client IP address (if available)
* `url` – The HTTP decoded path (if available)
* `sourceIdentifier` – The source identifier (if available)

Any additional attributes defined in an exception (for example, **HTTP method**) are **not supported** for IPS and are ignored. As a result, a request may still be blocked by IPS even if an exception is defined using unsupported fields.
{% endhint %}

### Skip Action Support

The **Skip** action allows excluding a **specific part of a request** from inspection, while continuing to inspect the rest of the traffic for malicious behavior.

Skip is typically used to reduce false positives caused by known parameters or indicators, without weakening overall protection.

#### How Skip Works

The **Skip** action excludes **a specific matched value** from security inspection, while continuing to inspect all other parts of the request.

* Skip applies **only to Skip-capable keys** (*Parameter Name*, *Parameter Value*, and *Indicator*), which define **what is skipped**
* All other keys act as **scope or context**, limiting **when** the exception applies
* Only the **matched value** is skipped — all other request components continue to be inspected

| Exception Key                                                                                                       | Skip-capable     |
| ------------------------------------------------------------------------------------------------------------------- | ---------------- |
| Parameter Name                                                                                                      | Yes              |
| Parameter Value                                                                                                     | Yes              |
| Indicator                                                                                                           | Yes              |
| `Host`, `URI`, `Source Identifier`, `Source IP`, `Parameter Location`, `HTTP Method`, `Header Value`, `Header Name` | Not on their own |

{% hint style="info" %}
**Example Explained**

<img src="https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2FgnrkP3MvgmaZESlu8Tbz%2Fimage.png?alt=media&#x26;token=044da6be-4d3c-4508-84b5-606a11a14520" alt="" data-size="original">

This exception skips security inspection for the value of the `data.check_ip2` parameter on requests sent to the `/uri` URI from the specified source.
{% endhint %}
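
The following Python is an added example, not Check Point code and not CloudGuard WAF's configuration format. It models the Skip rules above and the IPS scope note as a review check to run before clicking **Enforce**. The dict layout, function names, sample request, and the mapping of the IPS attributes to exception key names are assumptions; matching is simplified to exact URI and CIDR comparison, and only Parameter Name skips are modelled.

```python
import ipaddress

# Key names follow the tables on this page; the dict layout is constructed for
# this example and is not CloudGuard WAF's configuration format.
SKIP_CAPABLE = {"Parameter Name", "Parameter Value", "Indicator"}
# Assumed mapping of protectionName, hostName, sourceIP, url, sourceIdentifier.
IPS_KEYS = {"Protection Name", "Host", "Source IP", "URI", "Source Identifier"}

def lint(exc):
    """Return review findings for one exception definition."""
    keys, findings = set(exc["match"]), []
    if exc["action"] == "Skip" and not keys & SKIP_CAPABLE:
        findings.append("Skip needs Parameter Name, Parameter Value or Indicator")
    if "Protection Name" in keys:  # treated here as an IPS exception
        for key in sorted(keys - IPS_KEYS):
            findings.append(f"{key} is ignored for IPS exceptions")
    return findings

def in_scope(exc, req):
    """Scope keys decide when the exception applies to a request."""
    match = exc["match"]
    if "URI" in match and req["uri"] != match["URI"]:
        return False
    if "Source IP" in match:
        net = ipaddress.ip_network(match["Source IP"], strict=False)
        if ipaddress.ip_address(req["source_ip"]) not in net:
            return False
    return True

def still_inspected(exc, req):
    """Names of request parameters that remain under inspection."""
    names = sorted(req["params"])
    if exc["action"] != "Skip" or not in_scope(exc, req):
        return names
    skipped = exc["match"].get("Parameter Name")
    return [n for n in names if n != skipped]

# Constructed sample mirroring the "Example Explained" hint.
EXC = {"action": "Skip",
       "match": {"URI": "/uri", "Source IP": "203.0.113.0/24",
                 "Parameter Name": "data.check_ip2"}}
REQ = {"uri": "/uri", "source_ip": "203.0.113.7",
       "params": {"data.check_ip2": "192.0.2.10|192.0.2.11",
                  "data.comment": "hello"}}
```

For `EXC` and `REQ`, only `data.comment` remains inspected; the same request from an address outside `203.0.113.0/24` keeps both parameters under inspection.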
