Skip to main content

Behavioral WAF

The Web Application and API Protection (WAAP) includes a Behavioral WAF policy group that helps prevent malicious attacks on your websites. The policy group contains a set of sophisticated user behavior and reputation analysis policies that inspect traffic and defend your website against threats such as spamming or brute force attacks.

Info

This policy group is available in the Pro and Enterprise plans. More details on the Security pricing page.

Configure Behavioral WAF rules

You can review the Behavioral WAF rules and enable or disable them in the CDB Technical Web Portal:

  1. Navigate to WAAP > Default Rules.

  2. In the domain dropdown at the top of the page, select the needed domain.

  3. Click the Behavioral WAF tab to view and adjust the rules.

Info

Most Behavioral WAF policies are enabled by default, except for Repeated violations. To change a policy mode, click the dropdown near that policy.

Probing and forced browsing

Use CAPTCHA and JavaScript validation to challenge brute-forced requests on random URLs, which might aim to discover your web application's structure and hidden directories. Requests that fail to pass the validation will be blocked.

Obfuscated attacks and zero-day mitigation

Block clients that perform multiple injection attacks.

Repeated violations

Present with CAPTCHA or block those clients that failed to answer a previously displayed challenge. Requests that fail to pass the validation will be blocked.

Brute-force protection

Present users with CAPTCHA when there's an attempt to guess usernames and passwords on web login forms. If the client fails to pass the validation after a few attempts, the request will be blocked.

The Policies endpoints manage the Behavioral WAF policy group ? retrieve the current state of each rule and toggle individual policies on or off. Response examples include only the fields used in each step.

An API token is required, along with the ID of a WAAP-protected domain and the Python or Go SDK installed for SDK examples. This policy group is available on the Pro and Enterprise WAAP plans.

Set these environment variables before running the examples:

export GCORE_API_KEY="{YOUR_API_KEY}"
export WAAP_DOMAIN_ID="{YOUR_DOMAIN_ID}"

View policy states

Returns the current enabled or disabled state of every Behavioral WAF rule for the domain.

import gcore
import os

client = gcore.CDB(api_key=os.environ["GCORE_API_KEY"])
domain_id = int(os.environ["WAAP_DOMAIN_ID"])

rule_sets = client.waap.domains.list_rule_sets(domain_id)
behavioral_set = next(
    rs for rs in rule_sets if rs.resource_slug == "behavioral-waf"
)
for rule in behavioral_set.rules:
    status = "enabled" if rule.mode else "disabled"
    print(f"{rule.id}: {rule.name} - {status}")
package main

import (
	"context"
	"fmt"
	"os"
	"strconv"

	gcore "github.com/G-Core/gcore-go"
	"github.com/G-Core/gcore-go/option"
)

func main() {
	client := gcore.NewClient(option.WithAPIKey(os.Getenv("GCORE_API_KEY")))
	domainID, _ := strconv.ParseInt(os.Getenv("WAAP_DOMAIN_ID"), 10, 64)

	ruleSets, err := client.Waap.Domains.ListRuleSets(context.Background(), domainID)
	if err != nil {
		fmt.Println(err)
		return
	}
	for _, rs := range *ruleSets {
		if rs.ResourceSlug == "behavioral-waf" {
			for _, rule := range rs.Rules {
				status := "disabled"
				if rule.Mode {
					status = "enabled"
				}
				fmt.Printf("%s: %s - %s\n", rule.ID, rule.Name, status)
			}
		}
	}
}
curl -X GET "https://api.cdb-staging.cdn.orange.com/waap/v1/domains/$WAAP_DOMAIN_ID/rule-sets" \
  -H "Authorization: APIKey $GCORE_API_KEY"

Response:

[
  {
    "id": 5,
    "name": "Behavioral WAF",
    "resource_slug": "behavioral-waf",
    "rules": [
      {
        "id": "S3008901",
        "name": "Probing and forced browsing",
        "action": "Block",
        "mode": true
      }
      // ...
    ]
  }
  // ...
]

The response contains all rule sets for the domain. Filter by resource_slug value behavioral-waf to find the Behavioral WAF group. Each rule has a mode field ? true means enabled, false means disabled.

Toggle a policy

Flips the state of one policy ? enabled becomes disabled, disabled becomes enabled. No request body is required.

ParameterRequiredDescription
policy_idYesID of the policy to toggle, obtained from the View policy states response.
domain_idYesID of the WAAP-protected domain.
import gcore
import os

client = gcore.CDB(api_key=os.environ["GCORE_API_KEY"])
domain_id = int(os.environ["WAAP_DOMAIN_ID"])

# Find the policy ID by name
rule_sets = client.waap.domains.list_rule_sets(domain_id)
behavioral_set = next(
    rs for rs in rule_sets if rs.resource_slug == "behavioral-waf"
)
policy = next(r for r in behavioral_set.rules if r.name == "Repeated violations")

result = client.waap.domains.policies.toggle(policy.id, domain_id=domain_id)
status = "enabled" if result.mode else "disabled"
print(f"Policy is now {status}")
package main

import (
	"context"
	"fmt"
	"os"
	"strconv"

	gcore "github.com/G-Core/gcore-go"
	"github.com/G-Core/gcore-go/option"
	"github.com/G-Core/gcore-go/waap"
)

func main() {
	client := gcore.NewClient(option.WithAPIKey(os.Getenv("GCORE_API_KEY")))
	domainID, _ := strconv.ParseInt(os.Getenv("WAAP_DOMAIN_ID"), 10, 64)

	// Find the policy ID by name
	ruleSets, err := client.Waap.Domains.ListRuleSets(context.Background(), domainID)
	if err != nil {
		fmt.Println(err)
		return
	}
	var policyID string
	for _, rs := range *ruleSets {
		if rs.ResourceSlug == "behavioral-waf" {
			for _, rule := range rs.Rules {
				if rule.Name == "Repeated violations" {
					policyID = rule.ID
				}
			}
		}
	}

	result, err := client.Waap.Domains.Policies.Toggle(
		context.Background(),
		policyID,
		waap.DomainPolicyToggleParams{DomainID: domainID},
	)
	if err != nil {
		fmt.Println(err)
		return
	}
	status := "disabled"
	if result.Mode {
		status = "enabled"
	}
	fmt.Printf("Policy is now %s\n", status)
}
# Set POLICY_ID to the ID from the View policy states response or the policy reference below
curl -X PATCH "https://api.cdb-staging.cdn.orange.com/waap/v1/domains/$WAAP_DOMAIN_ID/policies/$POLICY_ID/toggle" \
  -H "Authorization: APIKey $GCORE_API_KEY"

Response:

{"mode": true}

The API returns the updated policy state. Call the endpoint again to flip the policy back.

Policy reference