Imperva Cyber Community

communities_1.jpg
 View Only
  • 1.  block by non default header-parameter

    Posted 10-11-2022 05:18
    Dear all,

    We planned to block the connection that came from certain mobile devices based on the non-default parameter in the header.

    the device id shows on the header on the parameter: X-Kony-Deviceid


    for that we tried the below :

    1. configure the lookup data and put all the devices' IDs.
    2. create a web service custom policy with Match Criteria " attached "



    but with no luck, the policy did not fit what we need.

    so please how we can configure the non-default parameter that predefines lookup data match criteria ??
    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Mohammad Alriaty
    System Engineer
    Cloud Distribution for Communications & IT Co.
    Riyadh
    ------------------------------


  • 2.  RE: block by non default header-parameter

    Posted 10-11-2022 09:51
    Hi Mohammad,

    Does it work if the "HTTP Request Header Value" match criteria is used as in the below screenshot? (enter the device IDs under the "value" column.



    ------------------------------
    JairedAnderson
    Imperva
    ------------------------------



  • 3.  RE: block by non default header-parameter

    Posted 10-12-2022 02:20
    Hi Jaired,

    Yes, it works.

    But we used lookup data as a global object, as there is a list of devices that need to be blocked based on X-Kony-DeviceId.

    ------------------------------
    Mohammad Alriaty
    System Engineer
    Cloud Distribution for Communications & IT Co.
    Riyadh
    ------------------------------



  • 4.  RE: block by non default header-parameter

    Posted 10-12-2022 11:25
    Hi Mohammed,

    I noticed in the screenshot provided that you are using a "source IP address" lookup set and you're checking in the "parameters" field. 

    Typically, the term "parameter" is in reference to a web URL parameter. 

    However, if I understand the use case correctly, you want to trigger based on a Header value


    Please try using a "Lookup Data Set Search" defined like below.



    1. This tells us where to look for the data - in this case - it's the Headers we are interested in.
    2. This narrows the scope - now that the we are looking at the headers - which header in particular should we be inspecting
    3. Now that we are looking at the X-kony-deviceid header, this defines the set of Values we should be comparing against - and if we find a matching value in the Lookup Data Set then the rule is triggers


    ------------------------------
    JairedAnderson
    Imperva
    ------------------------------



  • 5.  RE: block by non default header-parameter

    Posted 10-12-2022 13:58
    Hi Jaired,

    Thank you for your efforts and prompt response,

    While troubleshooting, we tried different combinations but none of them worked, one of them what you shared.

    but the other thing  I need to check is, the lookup table itself, I will delete the title column and keep the values only.

    I will test it and update you with the result.




    ------------------------------
    Mohammad Alriaty
    System Engineer
    Cloud Distribution for Communications & IT Co.
    Riyadh
    ------------------------------



  • 6.  RE: block by non default header-parameter

    Posted 10-13-2022 05:22
    Hi Jaired,

    the results of today's troubleshooting:

    * trying to upload the lookup table as a CSV file and create it from GUI ==> not working.
    * trying with another parameter ( JSESSIONID ) ==> not working.

    but once I changed Operation to Exclude all as in the below screenshot it is working !!!

    any advice on this behavior?





    ------------------------------
    Mohammad Alriaty
    System Engineer
    Cloud Distribution for Communications & IT Co.
    Riyadh
    ------------------------------



  • 7.  RE: block by non default header-parameter

    Posted 10-17-2022 10:03
    Hi Mohammed,

    Interesting; I'll do some investigation in my lab and see what I find.


    Thanks.

    ------------------------------
    JairedAnderson
    Imperva
    ------------------------------