The BASIC > Services page allows you to create content rules for a service. Rules added to the service allow content-aware processing decisions for web traffic within that service. Rules can use HTTP request headers to make load-balancing and caching policy decisions. The type of challenge to be presented to the incoming clients for validation can be enabled when you edit a content rule in the BASIC > Services page.
To add a content rule to a service:
- In the BASIC > Services page, Services section, locate the service to which you want to add a content rule.
- Click Rule next to the service. The Add Content Rule window appears.
- Specify values for the following fields:
- Rule Group Name – Name to identify this rule group.
- Status - Set to On to make this rule group part of the rule match.
- Time Policy Group - Select a time policy group that you want to associate with the rule from the drop-down list. When the content rule Status is set to On, the associated time policy gets activated for the rule. The content rule is active only for the specified period. When a request matches the rule, the configured rule settings are applied. See Time-Based Rules.
- Mode - By default, a service is set to Passive mode, which allows intrusions to pass to the servers but logs them to assist in refining the security policy. Set to Active to log and block intrusions. Active mode enforces the policy according to the action policy defined for the violation group in the SECURITY POLICIES > Action Policy page.
  - Active - Blocks any request when an anomaly or intrusion is observed.
  - Passive - Logs all anomalies and intrusions found and allows the traffic to pass through the Barracuda Web Application Firewall. Use this mode in the initial stages of deployment when you cannot allow any false positives which may break the service.
- Access Log - Set to Enable to generate access logs for a service.
- Web Firewall Policy - Select a web firewall policy to be associated with the content rule. By default, all content rules are associated with the 'default' policy. Any request that matches the rule group is validated against the associated security policy with the following exception:
  - The sub-policies, i.e., Request Limits and URL Normalization policies, are selected from the security policy associated with the service. Also, within the Action Policy, the categories like protocol violations, action policies corresponding to the request limits, and advanced security violations are selected from the security policy associated with the service.
  - The data theft protection is applied on the protected data types as selected from the security policy associated with the service.
- Host Match – Enter the matching criteria for the host field in the request header. This is either a specific host match or a wildcard host match with a single " * " anywhere in the host name. Specify * if you want the rule to be matched with any host. If the service hosts multiple applications under different domains and you wish to add the rule only for a particular domain, enter the relevant host name. For example, www.example.com or *.example.com.
- URL Match – Enter the matching criteria for the URL field in the request header. The URL should start with a "/" and can have only one " * " anywhere in the URL. A value of /* means that the ACL applies for all URLs in that domain. Use /* if you want to cover all the URLs in your domain. For example, /*, /index.html, /public/index.html.
- Extended Match – Enter an expression that consists of a combination of HTTP headers and/or query string parameters. Use '*' to match any request, that is, to apply no extended match condition. Refer to Extended Match Syntax Help to find out how to write extended match expressions.
- Extended Match Sequence – Specify a number that will determine the order for matching the extended match rule. The order range is 1 to 1000 (default is 1000).
- Click Add.
For additional information, see How to Redirect Traffic to a Different Back-end Server Based on a URL Pattern.
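
An added example (not Barracuda code): a small Python pre-check for the Host Match, URL Match, Extended Match Sequence and Mode constraints listed above, plus a matcher for trying constructed requests against a rule before it is switched to Active. The ContentRule class and the lint and matches functions are hypothetical; the wildcard semantics ('*' stands for any run of characters, hosts compared case-insensitively, URLs case-sensitively) are assumptions, not documented product behavior.

```python
# Added example: lint content-rule match fields before entering them in the UI.
# Field names mirror the page; the wildcard semantics noted below are assumptions.
import re
from dataclasses import dataclass


@dataclass
class ContentRule:
    name: str
    host_match: str
    url_match: str
    sequence: int = 1000   # Extended Match Sequence default per the page
    mode: str = "Passive"  # service default per the page


def lint(rule):
    """Return a list of problems with the rule's match fields (empty if valid)."""
    problems = []
    if not rule.host_match or rule.host_match.count("*") > 1:
        problems.append("Host Match: specific host or a single '*' wildcard")
    if not rule.url_match.startswith("/"):
        problems.append("URL Match: must start with '/'")
    if rule.url_match.count("*") > 1:
        problems.append("URL Match: only one '*' allowed")
    if not 1 <= rule.sequence <= 1000:
        problems.append("Extended Match Sequence: range is 1 to 1000")
    if rule.mode not in ("Active", "Passive"):
        problems.append("Mode: must be Active or Passive")
    return problems


def _glob(pattern, value, ignore_case=False):
    # Assumption: '*' stands for any run of characters, including none.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None


def matches(rule, host, path):
    """True if a request's Host header and URL path fall under the rule."""
    # Assumption: host names compare case-insensitively, URL paths do not.
    return _glob(rule.host_match, host, True) and _glob(rule.url_match, path)


# Constructed sample rules: one valid, one violating three constraints.
RULES = [
    ContentRule("public", "*.example.com", "/public/*", sequence=10),
    ContentRule("bad", "*.*.example.com", "index.html", sequence=0),
]
```

Under these assumed semantics, *.example.com does not cover the bare host example.com, so a request to the bare domain would fall outside the rule.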