# Setup Custom Rules and Exceptions (old)

Configuring [Web Application / API](https://waf-doc.inext.checkpoint.com/getting-started/protect-a-web-api) is easily done via the configuration wizard, and in the vast majority of the cases, is enough to fully protect the web assets without additional manual changes.

However, as event logs appear, a security administrator might want to make specific exceptions to the default behavior of the system, regardless of the [automatic learning mechanism](https://waf-doc.inext.checkpoint.com/how-to/configure-contextual-machine-learning-for-best-accuracy).

## Configuring Custom Rules and Exceptions Upon Log

The most common use case for custom rules and exceptions is when a log is issued and the security administrator decides that traffic matching one of the log fields (for example, the URI field) should not be detected or blocked by the CloudGuard WAF engine.

#### Step 1: From the events view, perform a "Right Click" on the relevant parameter in the log according to which the exclusion should occur and select "Add Exception"

![](https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2FiUnB7KYwlXBduLTb2BUB%2Fappsec-monitor-events-add-exception.png?alt=media\&token=1947cbc3-ab4a-481c-a7f0-626d40d213b5)

#### Step 2: Review the custom rule / exception details and click OK

![](https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2FXenDmKewKaDzxwkIkhTJ%2Fappsec-monitor-events-add-exception-popup.PNG?alt=media\&token=38695cef-b3cb-45c0-bb2d-a3238388d0e7)

{% hint style="info" %}
A common change might be to generalize the exception to all sources by deleting the condition for "**Source Identifier**", or to change the action from "Skip" (relevant only for the "Matched Parameter" field) to "Accept".
{% endhint %}

{% hint style="info" %}
A custom rule/exception configured this way applies to the combination of the specific CloudGuard WAF security practice that caught the original event and the Asset relevant for the same traffic.
{% endhint %}

For further information on how to configure exceptions from asset view and the full options an exception can provide, please read further.

## Possible actions for custom rules and exceptions

* **Accept** - Traffic matching the exception's conditions will be accepted.
* **Drop** - Traffic matching the exception's conditions will be blocked.
* **Skip** - Relevant only for specific keys like "Parameter Name", "Parameter Value" and "Indicator". Excludes the value of the matching parameter from inspection by the CloudGuard WAF engines. The rest of the traffic will be inspected for malicious behavior.\
  Skip action is not supported with Schema Validation.
* **Suppress Log** - Traffic matching the exception's condition will not activate their Log Trigger object/s upon event.

## Possible conditions for custom rules and exceptions

### Keys

Several keys can be set in custom rules and exceptions. Each of them may be relevant to a different security practice or sub-practice.

{% hint style="warning" %}
**IPS Exceptions Scope**\
Exceptions for requests that are **blocked or detected by IPS** are evaluated **only** against the following attributes:

* `protectionName` – The name of the signature
* `hostName` – The HTTP host name (if available)
* `sourceIP` – The client IP address (if available)
* `url` – The HTTP decoded path (if available)
* `sourceIdentifier` – The source identifier (if available)

Any additional attributes defined in an exception (for example, **HTTP method**) are **not supported** for IPS and are ignored.\
As a result, a request may still be blocked by IPS even if an exception is defined using unsupported fields.
{% endhint %}

For CloudGuard WAF:

<table><thead><tr><th width="150">Exception Key</th><th width="249.33951599538526">Value String Search Location</th><th width="164">Relevant for Skip Action</th><th>Relevant Practices</th></tr></thead><tbody>
<tr><td>Host</td><td>Regular expression of the HTTP Host name</td><td>Not on its own</td><td>All CloudGuard WAF Security</td></tr>
<tr><td>URI</td><td>HTTP full URI in request</td><td>Not on its own</td><td>All CloudGuard WAF Security</td></tr>
<tr><td>Source Identifier</td><td>Regular expression of the identifier, according to the definition of <a href="../how-to/configure-contextual-machine-learning-for-best-accuracy">Source Identifier in the Asset's configuration</a></td><td>Not on its own</td><td>All CloudGuard WAF Security</td></tr>
<tr><td>Source IP</td><td>IP address of the request's source in IP address or CIDR format (e.g. "&#x3C;IP address>/&#x3C;number of bits for network>")</td><td>Not on its own</td><td>All CloudGuard WAF Security</td></tr>
<tr><td>Parameter Name</td><td>Regular expression of a parameter name. A parameter name is a key in the HTTP request body's XML or JSON file</td><td>Yes</td><td>Web and API attacks, and Schema Validation</td></tr>
<tr><td>Parameter Value</td><td>Regular expression of a parameter value. A parameter value is the value of a key in the HTTP request body's XML or JSON file</td><td>Yes</td><td>Web and API attacks, and Schema Validation</td></tr>
<tr><td>Parameter Location</td><td>A value that matches the "Matched Location" field values in a CloudGuard WAF Log (e.g. "body", "cookie", "url", etc.)</td><td>Yes</td><td>Web and API attacks</td></tr>
<tr><td>Indicator</td><td>Regular expression of indicator/s to be used with the "Skip" action. Allows exclusion of desired indicators while continuing to provide security for all other traffic.</td><td>Yes</td><td>All CloudGuard WAF Security</td></tr>
<tr><td>Protection Name</td><td>The protection name used by the security sub-practice</td><td>No</td><td>IPS and Snort Rules only</td></tr>
<tr><td>Country Code</td><td>For Geolocation-based exceptions. Country is resolved according to the source IP address. Code is the recommended use for country-based exceptions and can be searched <a href="https://www.iso.org/obp/ui/#home">here</a> according to the <strong>Alpha-2 code</strong> of ISO-3166.</td><td>Not on its own</td><td>All CloudGuard WAF Security</td></tr>
<tr><td>Country Name</td><td>For Geolocation-based exceptions. Country is resolved according to the source IP address. Name is less recommended for country-based exceptions, but is more readable. Exact names can be searched <a href="https://www.iso.org/obp/ui/#home">here</a> according to ISO-3166.</td><td>Not on its own</td><td>All CloudGuard WAF Security</td></tr>
<tr><td>File Hash</td><td>MD5 string of the file the exception should apply to.</td><td>No</td><td>File Security only</td></tr>
<tr><td>File Name</td><td>The file name to match the configured exception.</td><td>No</td><td>File Security only</td></tr>
<tr><td>Response Body<br><br><strong>Note</strong> - Scanning response traffic adds a performance impact.</td><td>Regular expression of a pattern within the HTTP Response Body</td><td>Not on its own</td><td>All CloudGuard WAF Security. In addition, this key allows <a href="../how-to/add-data-loss-prevention-dlp-rules">adding manually Data Loss Prevention (DLP) rules</a></td></tr>
<tr><td>HTTP Method</td><td>The relevant HTTP method: GET, POST, PUT, DELETE, PATCH</td><td>Not on its own</td><td>All CloudGuard WAF Security</td></tr>
<tr><td>Header Value</td><td>Regular expression of the HTTP header value</td><td>Not on its own</td><td>All CloudGuard WAF Security</td></tr>
<tr><td>Header Name</td><td>Regular expression of the HTTP header name</td><td>Not on its own</td><td>All CloudGuard WAF Security</td></tr>
</tbody></table>

{% hint style="info" %}
**NOTE:** Policy installation converts raw values (not regex values) to lowercase, and the agent is case-sensitive when matching against the inspected traffic.
{% endhint %}

### Regular Expression Values

{% hint style="warning" %}
The following is only relevant for keys where the table states their value is a regular expression.
{% endhint %}

When an exception key expects a regular expression (regex) value, configure it according to [PCRE 2.0](https://www.pcre.org/current/doc/html/). The pattern is applied as a partial search, so it can match anywhere within the field, unless the '^' or '$' regular expression operators are used.

For a friendlier tutorial on writing PCRE regular expressions, visit [here](https://learnxinyminutes.com/docs/pcre/).

### Operators

A complex logical expression with "**AND**" and "**OR**" between conditions can be created.

In addition, the following operators are available for each condition:

* **Equals**
* **Not Equals**
* **Key Exists**
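
The following is an added example, not CloudGuard WAF code: a small dry-run model of the matching described in the two sections above. It evaluates an AND/OR condition tree with the Equals, Not Equals and Key Exists operators using partial regex search, and shows how an unanchored Host pattern covers more hosts than intended. The rule and request dictionaries, the helper names and the sample hosts are constructed for illustration, and Python's `re` module stands in for PCRE.

```python
import re

def cond_matches(cond, req):
    """Evaluate one condition: key, operator, and (for equals/not_equals) a regex value."""
    key, op = cond["key"], cond["op"]
    if op == "key_exists":
        return key in req
    # Partial search: the pattern may match anywhere in the field unless it is
    # anchored with ^ and $. A missing key never counts as a hit (model assumption).
    hit = key in req and re.search(cond["value"], req[key]) is not None
    return hit if op == "equals" else not hit

def rule_matches(node, req):
    """Evaluate a nested AND/OR tree of conditions against one request."""
    if "and" in node:
        return all(rule_matches(n, req) for n in node["and"])
    if "or" in node:
        return any(rule_matches(n, req) for n in node["or"])
    return cond_matches(node, req)

def make_rule(host_regex):
    """Hypothetical exception: Host equals <regex> AND Source Identifier exists."""
    return {"and": [
        {"key": "Host", "op": "equals", "value": host_regex},
        {"key": "Source Identifier", "op": "key_exists"},
    ]}

def dry_run(rule, requests):
    """Return the labels of the sample requests the exception would cover."""
    return [r["label"] for r in requests if rule_matches(rule, r)]

LOOSE = "api.example.com"          # unanchored, '.' matches any character
TIGHT = r"^api\.example\.com$"     # anchored, dots escaped

# Constructed sample requests (not real traffic).
SAMPLES = [
    {"label": "intended", "Host": "api.example.com", "Source Identifier": "10.0.0.5"},
    {"label": "lookalike-suffix", "Host": "api.example.com.other.test", "Source Identifier": "10.0.0.6"},
    {"label": "lookalike-dot", "Host": "apiXexample.com", "Source Identifier": "10.0.0.7"},
    {"label": "other-host", "Host": "www.example.com", "Source Identifier": "10.0.0.8"},
    {"label": "no-source-id", "Host": "api.example.com"},
]

if __name__ == "__main__":
    print("loose:", dry_run(make_rule(LOOSE), SAMPLES))
    print("tight:", dry_run(make_rule(TIGHT), SAMPLES))
```

Running the same sample set against a pattern before and after anchoring makes the scope of an "Accept" or "Skip" exception visible before it is saved.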

## View And Configure Custom Rules and Exceptions In Assets

### Configuring custom rules and exceptions

#### Step 1: Browse to Policy->Assets, edit an existing asset and click on the "Custom Rules and Exceptions" tab

<figure><img src="https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2FzRSfs4UQ5hJeFzh6nKGl%2FCustomRulesAndExceptions.png?alt=media&#x26;token=05f85884-5d6f-44dd-a789-9d38eb231455" alt=""><figcaption></figcaption></figure>

#### Step 2: Click to add a new custom rule / exception

<div align="left"><img src="https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2FNA7Z3Aw04PTr98ODBKi9%2Fappsec-assets-exceptions-new-exception.PNG?alt=media&#x26;token=01523a66-c5df-4d09-9ff4-961baf1b80c8" alt=""></div>

#### Step 3: Create the exclusion according to the options described in this page

When clicking the 3 dotted lines you will see the logical operators available for multiple conditions:

<div align="left"><img src="https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2FNNFHIbLIua7kQApSu5fJ%2Fappsec-assets-exceptions-condition-operators.PNG?alt=media&#x26;token=a1c66628-d59a-4182-8038-6519d6aca8a4" alt=""></div>

When clicking on the ':' between key and value you will see the additional value-based operators for a single condition:

<div align="left"><img src="https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2F0u6pul85d13HA7eU3FVV%2Fappsec-assets-exceptions-value-operators.PNG?alt=media&#x26;token=0be15c4c-b55b-4b08-8929-7d6f2b8ea00b" alt=""></div>

Add a comment for view purposes and click OK.

### Viewing Custom Rules and Exceptions

When custom rules and exceptions are configured, the same location in the asset provides a view of the exceptions for the practice used by the asset. The view shows the comment and the last administrator that edited the exception:

![](https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2FzRSfs4UQ5hJeFzh6nKGl%2FCustomRulesAndExceptions.png?alt=media\&token=05f85884-5d6f-44dd-a789-9d38eb231455)

{% hint style="info" %}
All rules that are shown under the Custom Rules and Exceptions tab are being enforced. The order does not matter.
{% endhint %}

## Save Custom Rules and Exceptions for Reuse In Additional Assets/Practices

It is possible to save a group of exception rules under a global name, and then reuse the same object across multiple assets and practices.

### Configure an Existing Custom Rule/Exception as Global

#### Step 1: Click on the 3 dots in the top right corner of the custom rules and exceptions view

![](https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2FRMd5sGPNMuRZT8Kh7h7Y%2FCustomRulesAndExceptions2.png?alt=media\&token=1ea9e37a-88e0-4fb7-acea-4b4b4c71609c)

#### Step 2: Click Save and give a name to the new global "Exceptions" object

<div align="left"><img src="https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2FmLX04VGa95O3RVcYs0bE%2Fappsec-assets-exceptions-save-exceptions.PNG?alt=media&#x26;token=51f33f66-606f-4243-bb95-17ac18c6e4db" alt=""></div>

#### Step 3: In additional assets you can now click "Load" in the same location and select an existing "Custom Rules/Exceptions" object

![](https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2FQFD0que06JyQPmCNBUna%2FCustomRulesAndExceptions3.png?alt=media\&token=e81bb074-3fd4-4690-acb8-f02441c5f1ff)

### View and Manage Global Custom Rules and Exceptions Objects

The global custom rules/exceptions objects can be viewed and edited under **Policy->Behaviors**:

![](https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2FArs7SSko7hhY3AwPufbD%2Fappsec-behaviors-exceptions-edit.png?alt=media\&token=93100492-17e0-4987-8ce8-e308b44c7391)
