WAAS custom rules
WAAS custom rules offer an additional mechanism to protect your running web apps. Custom rules are expressions that give you a precise way to describe and detect discrete conditions in requests and responses. WAAS intercepts layer 7 traffic and passes it to Prisma Cloud for evaluation. Expressions let you inspect various facets of requests and responses in a programmatic way, then take action when they evaluate to true. Custom rules can be used in container, host, and app-embedded WAAS policies.
Besides your own custom rules, Prisma Labs ships and maintains rules for newly discovered threats. These system rules are distributed via the Intelligence Stream. By default, they are shipped in a disabled state. You can review and optionally activate them at any time. System rules cannot be modified. However, you can clone and customize them to fit your own specific needs.
Before using custom rules, ensure Console and Defender run the same version of Prisma Cloud Compute. For example, if a Console runs a newer version, but Defenders have not been upgraded, using functionality only available in the newer version will result in a WAAS error. If this occurs, upgrade Defenders to match their Console’s version.
Expressions let you examine the contents of requests and responses. The grammar lets you inspect various properties in an event. For example, you could write an expression that determines if an IP address falls inside a specific CIDR block.
Expressions support the following types:
- String list
- String map
- IP address (e.g. "192.168.0.1")
- CIDR block (e.g. "192.168.0.0/16")
Expressions have the following grammar:
- in--Can also be used to determine if an IP address is in a CIDR block: For example:
- keyword (similar to wildcards)--contains can be used for:
- string--Strings must be enclosed in double quotes.
- [ ]--Selector operator. Selects a specific value by key from a map. Headers, cookies, body params, and query params are maps. The selection operation template is as follows: For example:
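The conditions described above (an IP address tested against a CIDR block, a value selected from the headers map by key, and a substring match) modelled in Python as an added example. It is not WAAS rule syntax and not Prisma Cloud code; the request field names, the helper names and the substring reading of contains are assumptions.

```python
import ipaddress

# Constructed sample request. The field names are assumptions for this
# sketch, not WAAS attribute names.
SAMPLE_REQUEST = {
    "ip": "203.0.113.7",
    "headers": {"User-Agent": "curl/8.4.0", "Host": "app.example.com"},
}


def ip_in_cidr(ip, cidr):
    """Model of 'in' for an IP address and a CIDR block.

    Malformed input and mixed IPv4/IPv6 operands never match.
    """
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False


def select(mapping, key):
    """Model of the '[ ]' selector: the value stored under key in a map.

    A missing key yields an empty string (assumption), so a later substring
    test fails instead of raising.
    """
    return mapping.get(key, "")


def contains(value, needle):
    """Model of 'contains' as a plain substring test (assumption)."""
    return needle in value


def rule_matches(req, trusted_cidr="192.168.0.0/16", ua_marker="curl"):
    """True when the client is outside trusted_cidr AND its User-Agent
    header contains ua_marker.

    An unparsable client IP counts as outside the trusted range, so a
    malformed address cannot bypass the rule.
    """
    outside = not ip_in_cidr(req["ip"], trusted_cidr)
    scripted = contains(select(req["headers"], "User-Agent"), ua_marker)
    return outside and scripted


if __name__ == "__main__":
    print(rule_matches(SAMPLE_REQUEST))
```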
Expressions can examine the following attributes of a request: