Comment on page
An ACL (Access Control List) Policy is a set of sequential criteria by which a request is evaluated. The input controls at the top of this page are described here: Policies & Rules Entry Administration. Specific editing of an ACL Profile is described below.
Out of the box, Curiefense includes a default ACL Profile. It can (and usually should) be edited, but it cannot be deleted. It is used for all URLs where no other Policy has been assigned.
The top part of the interface shows the ACL Profile that is currently being edited. Each Policy consists of one or more tags. Each tag is listed under the action which will be triggered when a request matches that particular tag.
In the interface, the tags are listed below their associated actions. Evaluation is performed from left to right:
- The incoming request is evaluated to see if it matches any of the tags in the far left column.
- If a match is found, that column's action is performed, and no further evaluation is done.
- If a match is not found, then the next column to the right is evaluated. A match will trigger that column's action; otherwise the next column is evaluated.
- This process continues until an action is taken or all columns have been evaluated.
- If a request does not match any tags in this Policy, it is passed to the WAF for further inspection.
An ACL Profile that blocks requests via the Enforce Deny Action will only apply to the paths/URLs in the Security Policy where this ACL Profile has been assigned. If you want to block requests globally for specific Tags, this can be done by defining the appropriate Action within the relevant Tag Rules.
Be very cautious when adding the "all" tag to an action column. In most situations, that action will be taken for all requests for which a match was not found in any columns to the left.
Another possible use is to place "all" in the Deny column, to create a positive security model. (This will block all requests which did not explicitly meet any of the conditions to be Bypassed or Allowed.) But even this usage can be dangerous. Unless all the conditions for Bypassing or Allowing requests are fully and correctly defined, this can result in False Positive errors, and some legitimate requests will be blocked and filtered.
In other columns, "all" can have serious consequences. For example, placing it in the Enforce Deny column will block all incoming traffic to which this ACL Profile is applied. On the other hand, placing it in the Bypass column will allow all incoming traffic (and exempt it from being scrubbed by the WAF!), except for those requests which matched a tag in the Enforce Deny column.
Summary: before using the "all" tag in an ACL Profile, carefully consider its ramifications.