WAAS Access Controls
WAAS allows for control over how applications and end-users communicate with the protected web application.
Network Listsallow administrators to create and maintain named IP address lists e.g. "Office Branches", "Tor and VPN Exit Nodes", "Business Partners", etc. List entries are composed of IPv4 addresses or IP CIDR blocks.
Network Lists, open Console, go to
Defend > WAASand select the
To export lists in CSV format, click
When importing IP addresses or IP CIDR blocks from a CSV file, first record value should be set to "ip" (case sensitive).
IPv6 entries are currently not supported.
IP-based access control
Network lists can be specified in:
We strongly advise users to practice caution when adding network lists to the IP Exception List as protections will not be applied for traffic originating from these IP addresses.
Country-Based Access Control
Specify country codes, ISO 3166-1 alpha-2 format, in one of the following categories (mutually exclusive):
Country of origin is determined by the IP address associated with the request.
HTTP Header Controls
WAAS lets you block or allow requests which contain specific strings in HTTP headers by specifying a header name and a value to match. The value can be a full or partial string match. Standard pattern matching is supported.
Requiredtoggle is set to
OnWAAS will apply the defined action on HTTP requests in which the specified HTTP header is missing. When the
Requiredtoggle is set to
Offno action will be applied for HTTP requests missing the specified HTTP header.
HTTP Header fields consist of a name, followed by a colon, and then the field value. When decoding field values, WAAS treats all commas as delimiters. For example, the Accept-Encoding request header advertises which compression algorithm the client supports.
Accept-Encoding: gzip, deflate, br
WAAS rules do not support exact matching when the value in a multi-value string contains a comma because WAAS treats all commas as delimiters. To match this type of value, use wildcards. For example, consider the following header:
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36
To match it, specify the following wildcard expression in your WAAS rule:
File Upload Controls
Attackers may try to upload malicious files (e.g. malware) to your systems. WAAS protects your applications against malware dropping by restricting uploads to just the files that match any allowed content types. All other files will be blocked.
Files are validated both by their extension and their magic numbers. Built-in support is provided for the following file types:
- Audio: aac, mp3, wav.
- Compressed archives: 7zip, gzip, rar, zip.
- Documents: odf, pdf, Microsoft Office (legacy, Ooxml).
- Images: bmp, gif, ico, jpeg, png.
- Video: avi, mp4.
WAAS rules let you explicitly allow additional file extensions. These lists provide a mechanism to extend support to file types with no built-in support, and as a fallback in case Prisma Cloud’s built-in inspectors fail to correctly identify a file of a given type. Any file with an allowed extension is automatically permitted through the firewall, regardless of its 'magic number'.
Recommended For You
Recommended videos not found.