CacheGuard-OS
User's Guide - Version UF-2.3.5


The WAF

WAF stands for Web Application Firewall and protects Web applications from malicious Web requests intended to compromise or damage applications and/or servers. CacheGuard appliance integrates a WAF that works jointly with the Web Server Cloaking to provide an enhanced level of security for Web servers. The WAF can protect against content attacks such as, but not limited to, XSS (Cross-site Scripting), SQL injection and command injection. Malicious requests are blocked before they reach real Web servers (hosts).

To enable the WAF, both rweb and waf modes must be activated using the mode rweb on and mode waf on commands. You can refer to the Web Server Cloaking section to learn how to configure the rweb mode. Then use the waf command to configure content filtering for protected Web applications. The CacheGuard WAF provides two types of content filtering that may be activated concurrently on the same appliance. The two content-filtering types are as follows:

Generic Filters

Generic WAF rules are organised in groups called filters (a filter is composed of WAF rules). Each blocking rule in a generic filter has a score (an integer), and whenever a rule matches Web traffic, its score is added to a global tally. Once a threshold score is reached for a given transaction, the WAF blocks the traffic. Generic filters are provided by OWASP and are classified as follows: Generic filters may be activated or deactivated globally. For example, to activate the WAF and protect all websites (cloaked by the reverse Web proxy in rweb mode) against SQL injection attacks, use the following commands: If no generic WAF filter is specified for a website, that website is protected by the globally activated generic WAF filters. If a particular website requires specific protection, you may activate or deactivate generic WAF filters for that website. For example, to deactivate the sqli generic filter for the www.example.com website, use:

Custom Filters

Custom WAF filters provide precise control over Web requests for a specific website. A custom WAF filter consists of custom WAF rules defined in a textual file that you load into a CacheGuard appliance. A custom WAF rule permits or denies a Web request according to its HTTP method and content. A rule is defined in one, two or three lines depending on the specified HTTP method.

A custom WAF rule must begin with the rule keyword followed by an identifier, an action (allow or deny) and an HTTP method (in lowercase). Supported HTTP methods are GET, HEAD and POST. For the GET and POST methods, a second optional line may specify allowed contents (the path and arguments) in the Web request. That second line must begin with the uri keyword and be followed by a PCRE (Perl Compatible Regular Expression) that specifies allowed contents. For the POST method, a third optional line may specify allowed contents in the POST body. That line must begin with the body keyword and be followed by a regular expression specifying allowed data in the body of the POST request.

As an example, the following custom WAF filter includes six rules: the first and second rules allow GET requests on "/" and "/index.html" respectively. The third rule allows POST requests to "/cgi-bin/set-phone.cgi" with a body matching "name=<string>&phone=<numbers>". The final three rules deny any other Web requests.

rule r1 allow get
uri "^/$"

rule r2 allow get
uri "^/index\.html$"

rule r3 allow post
uri "^/cgi-bin/set-phone\.cgi$"
body "^name=[[:print:]]*\&phone=[[:digit:]]*$"

rule r4 deny get
rule r5 deny head
rule r6 deny post

To apply this custom WAF filter to the www.example.com website, save it on a trusted file server and then load it into your CacheGuard appliance and associate it with the www.example.com website. Refer to the access file command manual to learn how to declare a trusted file server. The following commands load a custom WAF filter from a file named www.example.com.rules on a TFTP server at 172.18.2.1 and apply it to the website: When a custom WAF filter is loaded, the custom WAF rule compiler validates its content and rejects the load if an error is detected. Note that when generic WAF filters are combined with a custom WAF filter, generic filters are applied first. Malicious requests are therefore rejected by generic filters before reaching the custom filter.
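The custom rule format and the compiler's validation step described above, as an added Python illustration that is not CacheGuard's code: it rejects a filter that breaks the stated constraints (uri only for GET/POST, body only for POST), then evaluates requests against the six-rule example and reports which rule decided, the information Web auditing is meant to surface. Assumed: rules are tried in file order with the first match deciding, a request matching no rule is denied, and Python's re stands in for PCRE.

```python
import re

# Added illustration of the custom rule format, not CacheGuard's compiler.
# Assumed: first matching rule in file order decides; no match means deny;
# Python's re stands in for PCRE, so the guide's POSIX classes are mapped.
POSIX = {"print": r"\x20-\x7e", "digit": "0-9"}

# Constructed copy of the six-rule filter shown in the guide.
SAMPLE = """
rule r1 allow get
uri "^/$"
rule r2 allow get
uri "^/index\\.html$"
rule r3 allow post
uri "^/cgi-bin/set-phone\\.cgi$"
body "^name=[[:print:]]*\\&phone=[[:digit:]]*$"
rule r4 deny get
rule r5 deny head
rule r6 deny post
"""

def parse_filter(text):
    """Validate rule/uri/body lines; raise ValueError on a malformed file."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        key, _, rest = line.strip().partition(" ")
        if not key:
            continue                      # blank separator line
        if key == "rule":
            f = rest.split()
            if len(f) != 3 or f[1] not in ("allow", "deny") or f[2] not in ("get", "head", "post"):
                raise ValueError(f"line {n}: malformed rule line")
            rules.append({"id": f[0], "action": f[1], "method": f[2]})
        elif key in ("uri", "body") and rules:
            m = rules[-1]["method"]       # uri: get/post only; body: post only
            if m == "head" or (key == "body" and m != "post"):
                raise ValueError(f"line {n}: {key} not valid for {m}")
            pat = re.sub(r"\[:(\w+):\]", lambda x: POSIX[x.group(1)], rest.strip(' "'))
            rules[-1][key] = re.compile(pat)
        else:
            raise ValueError(f"line {n}: unexpected {key!r}")
    return rules

def decide(rules, method, uri, body=""):
    """Return (action, rule id) of the first matching rule, or ("deny", None)."""
    for r in rules:
        if r["method"] == method.lower() and all(
                k not in r or r[k].search(v) for k, v in (("uri", uri), ("body", body))):
            return r["action"], r["id"]
    return "deny", None
```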

Reputation Filters

CacheGuard appliance can block Web requests originating from IP addresses with a poor reputation. Reputation-based filtering can block requests from specific countries or from entries listed in an RBL (Real Time Blacklist). See the waf command manual for more information on reputation-based filtering.

Website Auditing

A Web-auditing GUI is integrated into the CacheGuard appliance and permits inspection of HTTP requests for a given website. Web auditing helps you determine why a Web request was blocked and which WAF rule (generic or custom) caused the block. To enable Web auditing for the www.example.com website, use the following commands: The Web-auditing GUI is accessible via https://<cacheguard-ip-address>:8091 where <cacheguard-ip-address> is the CacheGuard appliance IP address. The IP address to use depends on the administration access policy and topology configured on the appliance. Refer to the access admin and admin topology command manuals for further information. The screenshot below shows the Web-auditing GUI.

Sometimes a WAF rule unintentionally matches legitimate traffic (a false positive). Web auditing assists in detecting such false positives so they may be addressed either by modifying the Web application (when feasible) or by bypassing the rules that cause them. Refer to the waf command manual to learn more about WAF rule bypassing.