Table of Contents
- 1. Introduction
- 2. What is an Advanced rule policy?
- 3. What is a dynamic denylist?
- 4. How to change the dynamic denylist’s rule action
- 5. Conclusion
1. Introduction
On October 28th, 2024, we released a feature for advanced rule policy users that allows you to change the rule action of the dynamic denylist rule from the WAF Config page.
In this blog post, we will take a look at the new feature.
2. What is an Advanced rule policy?
The Advanced rule policy is a new rule policy that has been released with the WafCharm Console renewal.
The rule policy that had been available before the renewal is still available as the Legacy rule policy, and the new rule policy introduced with the renewal is available as the Advanced rule policy.
In the Advanced rule policy, in addition to the rules for common web attacks, bot detection rules and features that allow you to add or delete rate-based and geo-match rules are available.
*The Advanced rule policy is only available on the new plans and the AWS Marketplace version.
For more information about the renewal and WafCharm rules, please refer to the pages below.
- We released a new WafCharm Console
- About WafCharm rules for AWS WAF v2
3. What is a dynamic denylist?
The dynamic denylist rule blocks suspicious IP addresses, with the IP addresses being added to and removed from the denylist dynamically by the two WafCharm features below.
- WafCharm re-evaluates your logs against hundreds of security signatures. Any detected threats are automatically added to the denylist.
- WafCharm integrates with CSC's proprietary IP reputation database to cross-reference and add known malicious IP addresses to the denylist.
Reference: About Denylist and Allowlist
Until now, the dynamic denylist rule was always applied to the web ACL with the Block action. With this release, you can choose between the Count and Block actions when applying the rule, and change the rule action later as needed.
*Block action is selected by default. Please change the rule action to Count if you wish to use the Count action from your initial setup.
4. How to change the dynamic denylist’s rule action
The rule action can be changed when creating or editing the WAF Config.
Please change the rule action from the [Dynamic Denylist] section under the [IP addresses] tab. For more details, please refer to the Rule configurations in WAF Config (AWS WAF v2) page.
Please keep in mind that the rule action configurations on the WafCharm Console take precedence over the configurations you change from the AWS management console. Rule actions for rules like the Allowlist rule cannot be changed.
If you change the rule action of WafCharm rules on the AWS management console, the rule actions will be overridden by the default actions specified by WafCharm or by the actions specified in the WafCharm Console. Please be sure to change rule actions from the WafCharm Console.
5. Conclusion
Previously, it was difficult to use the Count action for the dynamic denylist rule to observe how the rule behaves, because the default rule action was set to Block. With this new feature, you can apply the dynamic denylist rule with the Count action, observe how the rule operates, and then change the rule action to Block as needed.
You can use the feature anytime, so please adjust the rule action if necessary.
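Two checks a practitioner would want around this workflow, as an added example that is not WafCharm's own code and not part of the original post: first, confirming which action the dynamic denylist rule actually carries in the deployed web ACL (section 4 warns that changes made in the AWS management console are overridden, so the deployed state is what matters), and second, summarising what the rule matched while running in Count mode, which is the reason the conclusion gives for using Count before switching to Block. The rule name `DYNAMIC_DENYLIST_RULE_NAME` is a placeholder, because the page does not give the name WafCharm assigns to the rule; the web ACL structure is the one returned by `aws wafv2 get-web-acl`, the log records follow the standard AWS WAF JSON log format, and all sample data below is constructed for the example.

```python
"""Verify the deployed action of the dynamic denylist rule and summarise its
COUNT-mode matches from AWS WAF logs. Added example; not WafCharm's code."""
import json
from collections import Counter
from typing import Dict, Iterable, Optional

# Placeholder: the real rule name assigned by WafCharm is not given on the page.
DYNAMIC_DENYLIST_RULE_NAME = "WafCharm-DynamicDenylist-PLACEHOLDER"


def rule_action(web_acl: dict, rule_name: str) -> Optional[str]:
    """Return the action ('BLOCK', 'COUNT', 'ALLOW', or 'NONE'/'COUNT' for a
    rule-group override) of the named rule in a `get-web-acl` response,
    or None if the rule is not present in the web ACL at all."""
    for rule in web_acl.get("WebACL", {}).get("Rules", []):
        if rule.get("Name") != rule_name:
            continue
        # A plain rule carries "Action"; a rule-group reference carries "OverrideAction".
        action = rule.get("Action") or rule.get("OverrideAction") or {}
        return next(iter(action)).upper() if action else None
    return None


def count_mode_matches(log_lines: Iterable[str], rule_name: str) -> Dict[str, int]:
    """Return {client_ip: hits} for requests the named rule matched in COUNT mode.
    In AWS WAF logs a counted rule appears under nonTerminatingMatchingRules,
    either at the top level (rule placed directly in the web ACL) or inside a
    ruleGroupList entry (rule inside a rule group). These are the requests that
    would have been blocked had the rule action been Block."""
    hits: Counter = Counter()
    for line in log_lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        matched = list(rec.get("nonTerminatingMatchingRules") or [])
        for group in rec.get("ruleGroupList") or []:
            matched.extend(group.get("nonTerminatingMatchingRules") or [])
        if any(m.get("ruleId") == rule_name and m.get("action") == "COUNT" for m in matched):
            hits[rec["httpRequest"]["clientIp"]] += 1
    return dict(hits)


# Constructed sample web ACL, shaped like the JSON from `aws wafv2 get-web-acl`.
SAMPLE_WEB_ACL = {
    "WebACL": {
        "Name": "example-web-acl",
        "Rules": [
            {"Name": "Allowlist", "Priority": 0, "Action": {"Allow": {}}},
            {"Name": DYNAMIC_DENYLIST_RULE_NAME, "Priority": 1, "Action": {"Count": {}}},
        ],
    }
}

# Constructed sample log records in the AWS WAF JSON log layout (fields trimmed).
_COUNTED = [{"ruleId": DYNAMIC_DENYLIST_RULE_NAME, "action": "COUNT"}]
SAMPLE_LOG_RECORDS = [
    {"action": "ALLOW", "terminatingRuleId": "Default_Action", "terminatingRuleType": "REGULAR",
     "nonTerminatingMatchingRules": _COUNTED, "ruleGroupList": [],
     "httpRequest": {"clientIp": "198.51.100.7", "uri": "/login"}},
    {"action": "BLOCK", "terminatingRuleId": "SomeOtherRule", "terminatingRuleType": "REGULAR",
     "nonTerminatingMatchingRules": [], "ruleGroupList": [],
     "httpRequest": {"clientIp": "192.0.2.44", "uri": "/"}},
    {"action": "ALLOW", "terminatingRuleId": "Default_Action", "terminatingRuleType": "REGULAR",
     "nonTerminatingMatchingRules": [],
     "ruleGroupList": [{"ruleGroupId": "example-group", "terminatingRule": None,
                        "nonTerminatingMatchingRules": _COUNTED, "excludedRules": None}],
     "httpRequest": {"clientIp": "198.51.100.7", "uri": "/admin"}},
    {"action": "ALLOW", "terminatingRuleId": "Default_Action", "terminatingRuleType": "REGULAR",
     "nonTerminatingMatchingRules": _COUNTED, "ruleGroupList": [],
     "httpRequest": {"clientIp": "203.0.113.9", "uri": "/wp-login.php"}},
]
SAMPLE_LOG_LINES = [json.dumps(r) for r in SAMPLE_LOG_RECORDS]


def report(web_acl: dict, log_lines: Iterable[str], rule_name: str) -> str:
    """Human-readable summary: deployed action plus per-IP COUNT matches."""
    action = rule_action(web_acl, rule_name)
    lines = [f"{rule_name}: deployed action = {action}"]
    if action == "COUNT":
        for ip, n in sorted(count_mode_matches(log_lines, rule_name).items()):
            lines.append(f"  would have blocked {n} request(s) from {ip}")
    return "\n".join(lines)


if __name__ == "__main__":
    # With real data: web_acl = json.load(open("web-acl.json")); log_lines = open("waf.log")
    print(report(SAMPLE_WEB_ACL, SAMPLE_LOG_LINES, DYNAMIC_DENYLIST_RULE_NAME))
```

Run it against the JSON saved from `aws wafv2 get-web-acl` and a downloaded WAF log file to confirm the change made in the WafCharm Console reached the web ACL, and to see which source IPs the rule would have blocked before switching the action to Block.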