Configuring Security Rules in the Portal

Note

Security Rules are available in the customer portal to accounts with the Security Suite. If you have not purchased this service, the config screen described here does not appear in the navigation pane. If you are interested in adding this to your account, please contact sales@instartlogic.com to learn more.

Security Rules control traffic and limit security risks. Note that security rules are applied across all properties by default.

Select a property and click Config -> Security Rules to display the Security Rules page:

The page displays a list of existing security rules and lets you create new rules and edit or reorder existing ones. Click any rule to view its details and edit it.

Rule order matters: rules are applied in the order listed. Rules can be reordered by clicking Reorder Rules and using the up and down arrow buttons that appear in each row:

Click on Reorder Rules to enable list reordering buttons

Click Apply to save any changes to the rule order.

Rule ordering only applies to Custom Rules. Order does not matter for Rate Limit rules.

Creating new rules

Click New Security Rule to create a new rule. The portal displays the Create a New Security Rule dialog box:

Each new rule needs to have an Event Severity assigned. Possible values are High, Medium, Low, or Info.

Rules can be one of two types:

  • a Custom Rule, which allows you to specify conditions to match against requests and, if matched, either block – respond to the request with an HTTP status code of 403 (Forbidden) – or warn – respond normally to the request, but log it as a security event.
  • a Rate Limit rule, which allows you to specify thresholds on requests and stop responding if the thresholds are reached. The threshold is a number of requests within a time period (in seconds). You can also specify a duration (in seconds) to continue holding back responses.
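
Before saving a Rate Limit rule, it helps to dry-run the three values (requests, time period, block duration) against traffic you have already logged. The following is an added example, not code from the portal or its vendor; the per-client sliding window and the choice to still answer the request that reaches the threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

def simulate_rate_limit(events, max_requests, period_s, block_s):
    """Dry-run one Rate Limit rule over (timestamp_s, client_ip) events.

    Returns {client_ip: requests that would have gone unanswered}.
    ASSUMED semantics (not documented on the page): a per-client sliding
    window; the request that reaches the threshold is still answered, and
    every later request is held back until block_s seconds have passed.
    """
    recent = defaultdict(deque)   # client -> timestamps inside the window
    blocked_until = {}            # client -> time at which the hold ends
    held = defaultdict(int)
    for ts, ip in sorted(events):
        if ts < blocked_until.get(ip, float("-inf")):
            held[ip] += 1         # still inside the block duration
            continue
        window = recent[ip]
        window.append(ts)
        # Drop requests that are older than the time period.
        while window and window[0] <= ts - period_s:
            window.popleft()
        if len(window) >= max_requests:
            blocked_until[ip] = ts + block_s
            window.clear()
    return dict(held)

# Constructed sample traffic (documentation-range addresses): one client
# sending a request every second, one sending a request every 20 seconds.
SAMPLE_EVENTS = [(t, "203.0.113.7") for t in range(10)] + \
                [(t, "198.51.100.4") for t in (0, 20, 40)]

if __name__ == "__main__":
    # Candidate rule: 5 requests within 10 seconds, hold for 30 seconds.
    print(simulate_rate_limit(SAMPLE_EVENTS, 5, 10, 30))
```

Clients that appear in the result with normal browsing patterns indicate a threshold that is too low for that property.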

To define a security rule:

  1. Select the Event Severity for the rule.
  2. Select the Rule Type.

    If you choose Rate Limit, three additional fields appear to the right to allow you to specify the request rate:

    When creating a security rule, if you select Rate Limit as the rule type, you get three additional fields to specify the request rate

    Enter the number of requests, the time period (in seconds), and a block duration (also in seconds).

  3. Under Conditions, select a Rule Criteria from the pulldown list. The choices are:

    • Request Method
    • Domain
    • Request Path
    • Request Query
    • Request Header
    • Cookies
    • ASN
    • Country
    • Browser
    • Client IP

    Each of these choices then supplies the appropriate fields to define the conditions for the selected criteria.

    For example, if you select Request Method, you can select equals or does not equal and then select a specific value from the Method pulldown list:

    When creating a security rule, if you select Request Method as one of the rule criteria, you get a pulldown list to select from the possible methods

    If you select Request Header, you also will see an additional required field, Header name:

    When creating a security rule, if you select Request Header as a rule criteria, you get a Header name field to specify

    Likewise, for Cookie you need to specify Cookie name:

    When creating a security rule, if you select Cookie as a rule criterion, you get an additional field to specify the cookie name

    You can add additional criteria by clicking the + at the right. If you do, you get a second line to add another rule criterion:

    Once you specify more than one condition, you get an additional checkbox for the boolean operation to apply in the rule: And or Or. Note that this selection applies to all criteria.

    Note

    If you apply the match conditions contains and does not contain, note that any special characters will need to be escaped with a preceding percent (%) character. The following characters need to be escaped:

    ( ) . % + - * ? [ ^ $

    For example, if your string is content/acme-anvil-division/, you need to enter it in the field as content/acme%-anvil%-division/.

    By this means, you have full flexibility in creating complex custom conditions for security rules.

    At any point along the way, you can delete a condition by clicking the X at its right.

  4. Choose the Action for your rule: Warn (respond normally to the request, but log it as a security event) or Block (respond to the request with an HTTP status code 403 - Forbidden):

    Choose an Action for your rule and click Save
  5. Click Save.
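
The escaping rule from the note in step 3 is easy to get wrong by hand, especially for URL-encoded strings that already contain a percent sign. The following is an added example, not code from the portal or its vendor: the function names are hypothetical, the character set is the one listed in the note, and the sample strings other than the page's own are constructed.

```python
# Characters the note lists as needing a preceding "%" in
# "contains" / "does not contain" fields.
SPECIAL = set("().%+-*?[^$")

def escape_match_value(literal: str) -> str:
    """Return the literal with every listed special character %-escaped."""
    return "".join("%" + ch if ch in SPECIAL else ch for ch in literal)

def unescaped_specials(field_value: str) -> list:
    """Check a value as typed into the field.

    Returns (offset, char) for each listed character that is not preceded
    by "%", and for each "%" that is not followed by a listed character.
    """
    problems = []
    i = 0
    while i < len(field_value):
        ch = field_value[i]
        if ch == "%":
            # "%" plus a listed character is one escaped unit: skip both.
            if i + 1 < len(field_value) and field_value[i + 1] in SPECIAL:
                i += 2
                continue
            problems.append((i, ch))
        elif ch in SPECIAL:
            problems.append((i, ch))
        i += 1
    return problems

if __name__ == "__main__":
    # The page's own example string.
    print(escape_match_value("content/acme-anvil-division/"))
    # Constructed: a URL-encoded path whose "%" must itself be escaped.
    print(escape_match_value("files%2Freport.pdf"))
    # Constructed: one hyphen left unescaped by mistake.
    print(unescaped_specials("content/acme-anvil%-division/"))
```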

List of Rule Criteria possibilities

| Criterion name | Match conditional(s) | Possible values |
|---|---|---|
| Request Method | equals / does not equal | Valid HTTP method (from pulldown list) |
| Domain | equals / does not equal; contains / does not contain | Valid string or substring |
| Request Path | equals / does not equal; contains / does not contain | Valid string or substring |
| Request Query | equals / does not equal; exists / does not exist; contains / does not contain | Valid string or substring |
| Request Header | Header name (required) and equals / does not equal; exists / does not exist; contains / does not contain | Valid request header name and value. For example: accept-encoding:gzip, deflate, br |
| Cookies | Cookie name (required) and equals / does not equal; exists / does not exist; contains / does not contain | Valid response header name and value. For example: vary:Accept-Encoding,Cookie,Authorization |
| ASN | equals / does not equal | Valid string or substring of an officially registered autonomous system number |
| Country | equals / does not equal | Valid country name (from pulldown list) |
| Browser | equals / does not equal | Valid browser name (from pulldown list) |
| Client IP | equals / does not equal | Valid IPv4 address |
| Network List | equals / does not equal | Valid network list name (from pulldown list) |

Editing an existing rule

At any point you can edit an existing rule or delete it entirely.

To edit an existing rule:

  1. From the rule list page, click the rule you want to change, and an Edit Security Rule dialog box appears:

    Editing an existing Security rule

    The fields are all the same as those provided in the Create a New Security Rule dialog box.

  2. Edit any of the fields, add additional criteria to the Conditions section, and delete criteria, as desired.
  3. Once you have changed the rule to your satisfaction, click Save Rule.

To delete an existing rule:

Open the rule for editing from the rule list page and click Delete Rule at the bottom.