Global Filters

Assigning tags and (potentially) executing an Action


Last updated 1 month ago


Overview

This page allows you to administer Global Filters. These are applied to each request early in the traffic filtering process.

A Global Filter has two purposes:

For each request, Link11 WAAP will evaluate all active Global Filters. The request will receive tags from all Filters which match it.

Three types of Global Filters

There are two types of Global Filters visible to admins:

  • Datafeed-based

  • Self-managed

Each has a different source for its Rule list (i.e., its criteria for determining if a Filter should be applied to the request being analyzed).

Datafeed-based Global Filters

These use an external URL as a data source. Many of these Filters are provided by Link11 and included out of the box, based upon online data feeds (e.g., Spamhaus DROP lists). Admins can also add new Filters of this type. For Datafeed-based Filters, the Rule list is pulled from the data source, and it is not editable in the interface.

Self-managed Global Filters

These are created and managed by admins. These are fully editable within the interface.

Self-managed Global Filters are not maintained by Link11. They must be kept up-to-date by admins.

Self-managed Filters that are based on an external data source are updated by selecting the "update now" button on the Editor page.

Dynamic Global Filters

Administration

The main List page (shown above) lists all current Global Filters. The Editor page (discussed below) enables administration of individual entries.

Components

Each Global Filter consists of:

  • Tag(s) to assign to requests that match the Rule list.

  • Rule list: The possible characteristics that a request could match (e.g., a list of IP addresses that it might originate from).

  • An Action that, if a match occurs, will be executed after all active Global Filters have been evaluated, unless a higher-priority Action overrides it.

  • General parameters for administrative purposes.

Each of these is described in depth below.

Individual Parameters

The discussion below will focus on self-managed Filters. For Link11-managed Filters, the parameters that are editable will work the same as discussed below.

General parameters

  • Name. A description that will be displayed within the L11WAAP interface.

  • Active. By default, this Global Filter will be evaluated for all incoming requests. To deactivate it, unselect this toggle.

  • Description: Information about this Filter, for use within the interface.

  • Source: For datafeed-based Global Filters, this contains the URL of the source data feed. For self-managed Global Filters, this field should be set to self-managed.

Tags

Action

The Action that is selected here will be applied globally to all requests that match the Rule list.

If a request triggers an Action, the Action is performed after all Global Filters have been evaluated and all applicable tags have been attached to the request.

Rule list

The list of Rules can be defined in different ways, depending on the type of Global Filter.

Datafeed-based Global Filter

Many Global Filters obtain their Rules from an external source, specified by the URL in the Source field. Some are maintained by Link11; others can be created and maintained by admins.

Datafeed-based Global Filters managed by Link11 are maintained automatically. Their underlying data sources are refreshed every 24 hours, and the Global Filters are updated automatically.

Datafeed-based Global Filters created by admins are maintained by admins. These are initially created by entering the URL of the source file into the Source field, then selecting the update now button that appears. L11WAAP will then populate the Rule list automatically. To refresh the Rule List, simply select the update now button again.

Self-managed Global Filter

Many Global Filters will be based on specific criteria for a use case, i.e. criteria that are not found in an external feed. Admins can create these manually, as described below.

The name for this type of Filter is somewhat ambiguous. Strictly speaking, the Datafeed-based Global Filters created by admins described above are also self-managed. To keep them distinct, it can be helpful to think of "self-managed" as referring to the direct editing and management of the Rule list.

Manually creating a Rule list

When a new Global Filter is created, its Rule list will be empty, as shown above.

A Rule list contains one or more Sections. Each Section contains one or more Entries, where each Entry defines a match condition for evaluating requests. Sections can also contain one or more nested Sections.

When a Section contains multiple items (whether Entries or other Sections), its Section Relation button defines the logical condition (either AND or OR) to apply among those items.

Example: A Rule list contains two sections, with the overall Section Relation set to AND. The first section has criteria a, b, c and the second has i, j, k. Within each section, the Section Relation is set to OR. Thus, for a request x, the evaluation will be ((x==a) OR (x==b) OR (x==c)) AND ((x==i) OR (x==j) OR (x==k)).

Defining a Section

To create a new Section, select the + New Section button. (If this button is not available, verify that the Source field is set to self-managed.)

Defining an entry

To create an Entry within a Section, select the + New Entry button. The following dialog will appear:

For some of the criteria categories, the dialog will appear as it is above. Multiple entries can be made at once, with each entry on a separate line. Each line contains the value, plus a pound sign (#) followed by an optional individual annotation (a label for display within the L11WAAP interface). If individual annotations are not provided, then L11WAAP will assign the content of the Annotation field to each entry. Example:

For other categories, one entry can be made at a time. Annotations are defined in the Annotation field, and are not preceded by a pound sign.
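The multi-line entry format described above can be checked before it is pasted into the dialog. The following is an added example, not Link11 code: it assumes the IP Address category, and the function name, sample lines and default annotation are constructed for illustration.

```python
import ipaddress

def parse_entries(text, default_annotation):
    """Parse 'value # annotation' lines into (value, annotation) pairs.

    Returns (entries, errors); errors holds (line_number, reason) for rejects.
    """
    entries, errors, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        # Everything after the first pound sign is the per-entry annotation.
        value, _, note = raw.partition("#")
        value, note = value.strip(), note.strip()
        try:
            # strict=True rejects CIDRs with host bits set, e.g. 10.0.0.1/8,
            # which usually indicates a typo in a pasted list.
            net = ipaddress.ip_network(value, strict=True)
        except ValueError as exc:
            errors.append((lineno, f"{value!r}: {exc}"))
            continue
        if net in seen:
            errors.append((lineno, f"{value!r}: duplicate entry"))
            continue
        seen.add(net)
        # Entries without their own annotation inherit the Annotation field.
        entries.append((str(net), note or default_annotation))
    return entries, errors

# Constructed sample input (documentation-range addresses only).
SAMPLE = """\
192.0.2.10 # office gateway
198.51.100.0/24
203.0.113.7/24 # typo: host bits set
192.0.2.10/32 # same host again
2001:db8::/32 # lab IPv6
"""
```

Single addresses are normalised to /32 (or /128) form so that duplicates written in different notations are caught.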

Most Rule criteria are case sensitive. The exception is Header, where the criteria are not case sensitive.

Category and Match

The Match parameter will vary, depending on the chosen Category.

| Category | Match | Comments |
|---|---|---|
| Argument | Name: exact match, case sensitive. Value: regex | |
| ASN | Exact match for ASN number | |
| Authority | Regex | Combination of the domain and (optional) port |
| Cookie | Name: exact match, case sensitive. Value: regex | |
| Country | Exact match | |
| Header | Name: exact match, case insensitive. Value: regex | |
| IP Address | Exact match for IP, CIDR | |
| Method | Regex | |
| Organization | Regex | Example: the Organization for ASN AS15169 is Google LLC. |
| Path | Regex | |
| Path Matching Name | Exact match | |
| Query | Regex | |
| Region | Regex | |
| Security Policy Name | Exact match | |
| Subregion | Regex | |
| Tag | Exact match | |
| URI | Regex | Path + query |
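The Section Relation logic and the per-Category match types can be modelled in a few lines. This is an added example, not Link11 code or its API schema: the dictionary layout, function names and sample filters are hypothetical, and it models tag assignment only, not Actions.

```python
import ipaddress
import re

def entry_matches(entry, req):
    """Apply the per-Category match semantics from the table above."""
    cat, val = entry["category"], entry["value"]
    if cat == "ip":                      # exact IP or CIDR
        return ipaddress.ip_address(req["ip"]) in ipaddress.ip_network(val, strict=False)
    if cat == "country":                 # exact match
        return req.get("country") == val
    if cat == "path":                    # regex
        return re.search(val, req.get("path", "")) is not None
    if cat == "header":                  # name: case-insensitive exact; value: regex
        name, pattern = val
        headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
        value = headers.get(name.lower())
        return value is not None and re.search(pattern, value) is not None
    if cat == "tag":                     # exact match on tags the request already carries
        return val in req.get("tags", ())
    raise ValueError(f"unsupported category: {cat}")

def section_matches(section, req):
    """Sections hold Entries and/or nested Sections, joined by AND or OR."""
    if not section["items"]:             # assumption: an empty Section matches nothing
        return False
    results = (section_matches(i, req) if "items" in i else entry_matches(i, req)
               for i in section["items"])
    return all(results) if section["relation"] == "AND" else any(results)

def apply_filters(filters, req):
    """Evaluate every active filter; the request gets tags from all that match."""
    tags = set()
    for f in filters:
        if f["active"] and section_matches(f["rules"], req):
            tags.update(f["tags"])
    return tags

# Constructed sample filters (hypothetical structure, not Link11's API schema).
FILTERS = [
    {"active": True, "tags": ["internal", "team-devops"],
     "rules": {"relation": "AND", "items": [
         {"relation": "OR", "items": [{"category": "ip", "value": "10.0.0.0/8"},
                                      {"category": "ip", "value": "192.0.2.10"}]},
         {"relation": "OR", "items": [{"category": "path", "value": "^/admin"},
                                      {"category": "header", "value": ("X-Team", "^devops$")}]}]}},
    {"active": True, "tags": ["plain-http"],
     "rules": {"relation": "OR", "items": [{"category": "tag", "value": "protocol:http"}]}},
]
```

The first sample filter has the same shape as the AND-of-ORs example given earlier; the second matches on a `protocol:http` tag that the request is assumed to carry already.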

Examples

Here are some sample entries for the various categories. (Note that when the Rule list is displayed like this, for criteria that consist of Name and Value fields, the system displays a colon between them. This colon is not included when entering the criteria.)

Editing the Rules list

A Rule list for Self-managed Global Filters can be edited. Hover the cursor over the Entry that you wish to edit, and an "edit" button (a pencil icon) will appear. Select this button, and the Entry can be edited. After editing is complete, select the "confirm" button (a checkmark), then save the changes, and publish them.

A Global Filter can assign one or more tags to an incoming request. Subsequently, the tags can be used to make decisions about how the request is processed. After processing, a request's tags remain associated with it, and they are available for display in traffic analytics.

A Global Filter also contains an Action, which can be executed when the Filter's conditions are met.

After all Filters have been evaluated, L11WAAP will execute the highest-priority Action found in those Filters which matched the request.

Each active Dynamic Rule creates a Global Filter. These are managed automatically by the system, and are not visible to, or editable by, admins. They are mentioned here purely for informational purposes.

The administration of Global Filters follows the List/Editor UI conventions described here.

The Tags field contains one or more user tags (separated by spaces) that will be assigned to all requests that fulfill the Rule list. Example: internal team-devops

The choices for the Action parameter are administered in the Actions page.

Currently, there is not a category for a request's protocol. However, you can still create a protocol-based Global Filter by specifying an appropriate Tag, for example protocol:http or protocol:https. This is useful when blocking or redirecting unencrypted HTTP traffic (how to do this).
A Global Filter, opened in its Editor