Rules

Seer Box allows you to define protection rules useful for blocking threats directed toward your applications. These rules will then be translated and synchronized to the configured protection devices (more details in the Firewall management section).

Rules can be of two types: application rules and network rules.

Types

Application rules

Application rules allow a request to be blocked by inspecting its internal fields, such as URI parameters, headers, or the body of the request. This type of rule can be translated and synchronized to application-level protection devices (Web Application Firewalls).

| Field | Description |
| --- | --- |
| Status | Indicates whether the rule is enabled or not. The status icon represents the result of the synchronization process with the WAF |
| Rule specifications | Like the Alert specifications, they define the context specifications related to the rule's target |
| Target | The main field affected by the rule's matching action |
| Behaviour | The strategy and the matching string specified in the rule |
| Action details | The properties of the rule, such as its action and the execution priority over others |

Network rules

Network rules allow a request to be blocked based on the client making the request. This type of rule can be translated and synchronized to network-level protection devices (such as firewalls).

| Field | Description |
| --- | --- |
| Status | Indicates whether the rule is enabled or not. The status icon represents the result of the synchronization process with the firewall |
| Rule specifications | Default value for this rule type: All request hosts |
| Target | Default value for this rule type: Client address |
| Behaviour | The strategy and the matching string specified in the rule |
| Action details | The properties of the rule, such as its action, the execution priority over others, and the activation duration |

Rule management

Rule management is allowed for users in the admin group, or for users belonging to a group that has the Handle rules permission associated with the group of domains to which the rule belongs.

Warning

Network rule management is not subject to the latter limitation, since a network rule is not associated with any particular domain.

Create a rule

In addition to creating one or more rules from the alert detail page with the Advanced Protection function, custom rules can be created.

From the Seer Box web interface

  1. Access the Protection - Rules page: in this section you can view the list of all created rules.

  2. To create a custom rule, click on the Other actions - Create custom rule button in the upper right corner of the page.

  3. A wizard will be displayed that allows you to create an application rule or a network rule. For more details on the wizard, please see the section Advanced Protection.

  4. After entering the data, click on the Save rule button to confirm the creation.

The new rule will appear on the summary page.

Edit a rule

Editing a rule only allows you to change the properties of the rule, not its context, target or matching strategy specifications.

From the Seer Box web interface

  1. Access the Protection - Rules page: in this section you can view the list of all created rules.

  2. Click on the Edit button (pencil icon) located at the right end of the rule you want to edit.

  3. Edit the chosen fields.

  4. Click on the Save button to confirm the changes.

Delete a rule

From the Seer Box web interface

  1. Access the Protection - Rules page: in this section you can view the list of all created rules.

  2. Select one or more rules to delete by clicking on the checkbox located at the left end of each item.

  3. As soon as at least one item is selected, the Delete button (trashcan icon) will appear in the upper right corner of the rule list.

  4. Clicking this button displays a modal asking you to confirm the operation. Click on the Confirm button to proceed.

Warning

Deleting a rule will not automatically synchronize the deletion to the protection device. Be sure to perform a synchronization after performing all deletions.

Synchronize target devices

Rules created on Seer Box can be translated and synchronized to protection devices such as WAFs and perimeter firewalls.

Synchronization of target devices is only allowed for users in the admins group, or for users belonging to a group with the permission for uploading application rules or network rules (Load application rules or Load network rules).

From the Seer Box web interface

  1. Access the Protection - Rules page: in this section you can view the list of all created rules.

  2. Click on the Update network rules button to synchronize the network rules to a firewall. Alternatively, click on the Update application rules button to synchronize application rules to a WAF.

  3. The status icon will indicate the result of the operation for each rule.