Dear all, Hope you're all doing great! We have observed HTTP traffic initiated by the zgrab scanner, and we didn't find a relevant policy for this. User-agent: Mozilla/5.0 zgrab/0.x
Hi! You could create an incap rule to block that User Agent, it would look a bit like this
Hello Alden, Thanks for the information. It would be appreciated if there's a policy for the On-Premise WAF, and how to block "User agents" in the On-Premise WAF.
Hi Jagadesh, There is a policy for "automated vulnerability scanning" under "Web Service Custom" (Main > Policies > Security). By default, this policy has an action of "none" and is not applied. Click the Apply To tab to apply it to your applicable server groups. If you are satisfied with the results, you can change the action to "block". Alternatively, you can create a custom policy to block the specific user agent, similar to what Alden mentioned above for CWAF. Within the Security Policies screen, click the green + icon and select "Web Service". Give the policy a name, select "Web Service Custom" for type, and click Create. Look within the list of Match Criteria until you find "HTTP Request User-Agent (Header)". Click the green up arrow to move it up (it will then turn to a blue down arrow). Click the green + next to the operation value and enter "Mozilla/5.0 zgrab/0.x" for the value. You may want to leave the action as "None" during initial testing. Remember to click the Apply To tab and apply to applicable server groups, and finally click Save.
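
An added example, not part of any post above and not the WAF vendor's tooling: a script for reviewing web server access logs for the User-Agent quoted in the thread while the policy action is still "None". It assumes combined-format access logs; the sample lines are constructed, and the "variant" class is an assumption about values an exact-match comparison on that string would not cover.

```python
import re
from collections import Counter

# User-Agent value quoted in the thread.
ZGRAB_UA = "Mozilla/5.0 zgrab/0.x"

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (documentation IP ranges), not taken from a real log.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 zgrab/0.x"
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /admin HTTP/1.1" 404 0 "-" "Mozilla/5.0 zgrab/0.x"
198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "mozilla/5.0 ZGrab/0.x "
203.0.113.5 - - [01/Jan/2024:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 900 "-" "Mozilla/5.0 (X11; Linux x86_64)"
not a log line
"""

def classify(ua):
    """Return 'exact', 'variant' (contains zgrab but differs), or None."""
    if ua == ZGRAB_UA:
        return "exact"
    if "zgrab" in ua.lower():
        return "variant"
    return None

def summarize(log_text):
    """Count zgrab requests per (source IP, match kind); skip unparseable lines."""
    hits = Counter()
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        kind = classify(m.group("ua"))
        if kind:
            hits[(m.group("ip"), kind)] += 1
    return hits, skipped

if __name__ == "__main__":
    hits, skipped = summarize(SAMPLE_LOG)
    for (ip, kind), n in sorted(hits.items()):
        print(f"{ip}\t{kind}\t{n}")
    print(f"skipped {skipped} unparseable line(s)")
```

A non-zero "variant" count during the testing period suggests checking whether the match operation chosen in the policy covers those values before changing the action to "block".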