Update WAAS App-embedded Policy
PUT /api/v33.01/policies/firewall/app/app-embedded
x-prisma-cloud-target-env: {"permission":"policyWAAS"}
Updates the WAAS policy for web apps protected by App-Embedded Defender. All rules in the policy are updated in a single shot.
To invoke this endpoint in the Console UI:
- Navigate to Defend > WAAS > App-Embedded.
- Click + Add rule and enter the new rule information.
- Click the Add new app button to move to the configuration window.
- Configure the application with at least one endpoint, and click the Save button.
Adding and maintaining rules for a WAAS app involves populating a large and complex JSON request body. We recommend the following process:
- Manually define your app's policy via the Console UI as described above.
- Use the Export button on Defend > WAAS to export the app's policy rules to a JSON file.
- Use the exported file as a template to modify, then either import the file back in using the Import button, or use it as the basis for defining the rules to include in this endpoint's payload.
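Before pushing a hand-edited export back, it pays to see exactly what the PUT will change. The script below is an added example, not part of this reference or of Prisma Cloud: it matches rules by name between the exported policy and the proposed payload, reports the rules the payload would drop (the endpoint replaces every rule, so a rule you forgot to carry over is deleted), the rules it adds, and every leaf value that differs. The two policies embedded in it are constructed for the demonstration; pass the paths of a real export and of your edited file as the two arguments instead.

```python
"""Diff the exported WAAS policy against the payload you are about to PUT.

Added example, not Prisma Cloud code. The endpoint replaces every rule in one
shot, so a rule present in the export but missing from the payload is deleted
silently; this reports dropped rules, new rules and every changed leaf value.
"""
import json
import sys

_MISSING = "<absent>"  # printed when a leaf exists on only one side


def _leaves(node, prefix=""):
    """Flatten nested dicts/lists into (path, value) pairs, e.g. ("a.b[0].c", 1)."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _leaves(value, f"{prefix}.{key}" if prefix else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _leaves(value, f"{prefix}[{i}]")
    else:
        yield prefix, node


def policy_diff(current, proposed):
    """Return {"dropped": [...], "added": [...], "changed": [(rule, path, old, new)]},
    matching rules by name."""
    cur = {r["name"]: r for r in current.get("rules", [])}
    new = {r["name"]: r for r in proposed.get("rules", [])}
    changed = []
    for name in sorted(cur.keys() & new.keys()):
        old_leaves, new_leaves = dict(_leaves(cur[name])), dict(_leaves(new[name]))
        for path in sorted(old_leaves.keys() | new_leaves.keys()):
            old, upd = old_leaves.get(path, _MISSING), new_leaves.get(path, _MISSING)
            if old != upd:
                changed.append((name, path, old, upd))
    return {"dropped": sorted(cur.keys() - new.keys()),
            "added": sorted(new.keys() - cur.keys()), "changed": changed}


def report(current, proposed):
    """Print the diff; return True only when no rule would be dropped."""
    diff = policy_diff(current, proposed)
    for name in diff["dropped"]:
        print(f"DROPPED rule {name!r}: absent from payload, PUT will delete it")
    for name in diff["added"]:
        print(f"added   rule {name!r}")
    for name, path, old, upd in diff["changed"]:
        print(f"changed rule {name!r} {path}: {old!r} -> {upd!r}")
    return not diff["dropped"]


# Constructed sample: an export with two rules, and a payload that hardens one
# rule's xss effect but forgets to carry the second rule over.
EXPORTED = {"_id": "appEmbeddedAppFirewall", "minPort": 30000, "maxPort": 31000, "rules": [
    {"name": "payments-api", "collections": [{"name": "All"}], "applicationsSpec": [
        {"csrfEnabled": True, "sqli": {"effect": "prevent", "exceptionFields": []},
         "xss": {"effect": "alert", "exceptionFields": []}}]},
    {"name": "admin-ui", "collections": [{"name": "All"}], "applicationsSpec": [
        {"csrfEnabled": True, "sqli": {"effect": "prevent", "exceptionFields": []}}]},
]}
PROPOSED = json.loads(json.dumps(EXPORTED))
PROPOSED["rules"][0]["applicationsSpec"][0]["xss"]["effect"] = "prevent"
PROPOSED["rules"][0]["applicationsSpec"][0]["csrfEnabled"] = False
del PROPOSED["rules"][1]  # the operator forgot admin-ui


if __name__ == "__main__":
    if len(sys.argv) == 3:  # python diff.py exported.json payload.json
        with open(sys.argv[1], encoding="utf-8") as a, open(sys.argv[2], encoding="utf-8") as b:
            cur, prop = json.load(a), json.load(b)
    else:
        cur, prop = EXPORTED, PROPOSED
    sys.exit(0 if report(cur, prop) else 1)
```

Run against the constructed sample the script exits non-zero because admin-ui would be deleted; wire it into the same job that performs the PUT so that a dropped rule stops the push.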
cURL Request
The following cURL command overwrites all rules in your current policy with a new policy that has a single rule. Because the request replaces the whole policy rather than merging into it, build the body from an export of the existing rules so that rules you did not intend to remove are not dropped. The -k flag disables verification of the Console's TLS certificate; use it only against a test Console, and in production drop it and point curl at the Console's CA certificate with --cacert instead.
$ curl 'https://<CONSOLE>/api/v<VERSION>/policies/firewall/app/app-embedded' \
  -k \
  -X PUT \
  -u <USER> \
  -H 'Content-Type: application/json' \
  -d \
'{
  "_id": "appEmbeddedAppFirewall",
  "rules": [
    {
      "name": "my-rule",
      "collections": [
        {
          "name": "All"
        }
      ],
      "applicationsSpec": [
        {
          "banDurationMinutes": 5,
          "certificate": {},
          "dosConfig": {
            "effect": "disable",
            "matchConditions": []
          },
          "apiSpec": {
            "endpoints": [
              {
                "host": "*",
                "basePath": "*",
                "exposedPort": 1,
                "internalPort": 1,
                "tls": false,
                "http2": false
              }
            ],
            "paths": [
              {
                "path": "/api/v1/logs/system/upload",
                "methods": [
                  {
                    "method": "POST"
                  }
                ]
              }
            ],
            "effect": "disable",
            "fallbackEffect": "disable"
          },
          "botProtectionSpec": {
            "userDefinedBots": [],
            "knownBotProtectionsSpec": {
              "searchEngineCrawlers": "disable",
              "businessAnalytics": "disable",
              "educational": "disable",
              "news": "disable",
              "financial": "disable",
              "contentFeedClients": "disable",
              "archiving": "disable",
              "careerSearch": "disable",
              "mediaSearch": "disable"
            },
            "unknownBotProtectionSpec": {
              "generic": "disable",
              "webAutomationTools": "disable",
              "webScrapers": "disable",
              "apiLibraries": "disable",
              "httpLibraries": "disable",
              "botImpersonation": "disable",
              "browserImpersonation": "disable",
              "requestAnomalies": {
                "threshold": 9,
                "effect": "disable"
              }
            },
            "sessionValidation": "disable",
            "interstitialPage": false,
            "jsInjectionSpec": {
              "enabled": false,
              "timeoutEffect": "disable"
            }
          },
          "networkControls": {
            "advancedProtectionEffect": "alert",
            "deniedSubnetsEffect": "alert",
            "deniedCountriesEffect": "alert",
            "allowedCountriesEffect": "alert"
          },
          "body": {
            "inspectionSizeBytes": 131072
          },
          "intelGathering": {
            "infoLeakageEffect": "disable",
            "removeFingerprintsEnabled": true
          },
          "maliciousUpload": {
            "effect": "disable",
            "allowedFileTypes": [],
            "allowedExtensions": []
          },
          "csrfEnabled": true,
          "clickjackingEnabled": true,
          "sqli": {
            "effect": "prevent",
            "exceptionFields": []
          },
          "xss": {
            "effect": "alert",
            "exceptionFields": []
          },
          "attackTools": {
            "effect": "alert",
            "exceptionFields": []
          },
          "shellshock": {
            "effect": "alert",
            "exceptionFields": []
          },
          "malformedReq": {
            "effect": "alert",
            "exceptionFields": []
          },
          "cmdi": {
            "effect": "alert",
            "exceptionFields": []
          },
          "lfi": {
            "effect": "alert",
            "exceptionFields": []
          },
          "codeInjection": {
            "effect": "alert",
            "exceptionFields": []
          },
          "remoteHostForwarding": {},
          "selected": true,
          "headerSpecs": []
        }
      ],
      "expandDetails": true
    }
  ],
  "minPort": 30000,
  "maxPort": 31000
}'
Note: No response will be returned upon successful execution.
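The same request driven from a script, as an added example that is not part of this reference or of Prisma Cloud's tooling. It loads an exported policy file (or a constructed sample trimmed from the cURL body above), checks the body against constraints the field reference states (at least one endpoint per app, the permitted effect values, the request-anomaly thresholds), prints the protections left in a non-blocking mode, and only then sends the PUT with Basic auth and TLS verification enabled instead of the -k of the cURL example. The environment variable names, the port-range sanity check and the CA-bundle handling are assumptions.

```python
"""Review and push a WAAS App-Embedded policy. Added example, not Prisma Cloud code.
Assumed (not from the reference): Console URL and credentials in PRISMA_CONSOLE,
PRISMA_USER and PRISMA_PASSWORD, optional PRISMA_API_VERSION and PRISMA_CA_BUNDLE;
argv[1] is a file exported from Defend > WAAS, else the constructed sample is used."""
import base64
import json
import os
import ssl
import sys
import urllib.request

EFFECTS = {"ban", "prevent", "alert", "allow", "disable", "reCAPTCHA"}  # per reference
PROTECTIONS = ("sqli", "xss", "attackTools", "shellshock", "malformedReq",
               "cmdi", "lfi", "codeInjection")

# Constructed sample: the cURL example's single rule, cut down to the fields inspected.
SAMPLE_POLICY = {
    "_id": "appEmbeddedAppFirewall", "minPort": 30000, "maxPort": 31000,
    "rules": [{"name": "my-rule", "collections": [{"name": "All"}], "applicationsSpec": [{
        "apiSpec": {"endpoints": [{"host": "*", "exposedPort": 1, "internalPort": 1, "tls": False}],
                    "effect": "disable", "fallbackEffect": "disable"},
        "botProtectionSpec": {"unknownBotProtectionSpec": {
            "requestAnomalies": {"threshold": 9, "effect": "disable"}}},
        "csrfEnabled": True,
        "sqli": {"effect": "prevent", "exceptionFields": []},
        "xss": {"effect": "alert", "exceptionFields": []},
    }]}],
}

def load_policy(path=None):
    """Exported policy file, or a fresh deep copy of the constructed sample."""
    if path:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)
    return json.loads(json.dumps(SAMPLE_POLICY))

def apps(policy):
    # Yield (rule name, index, applicationsSpec entry) across all rules.
    for rule in policy.get("rules", []):
        for i, app in enumerate(rule.get("applicationsSpec", [])):
            yield rule.get("name", "<unnamed>"), i, app

def validate_policy(policy):
    """Constraint violations per the reference (port range is an assumed sanity check)."""
    problems = []
    lo, hi = policy.get("minPort", 0), policy.get("maxPort", 0)
    if not 0 < lo <= hi <= 65535:
        problems.append(f"minPort={lo} maxPort={hi}: need 0 < minPort <= maxPort <= 65535")
    for rname, i, app in apps(policy):
        tag = f"rule {rname} app[{i}]"
        if not app.get("apiSpec", {}).get("endpoints"):
            problems.append(f"{tag}: at least one endpoint is required")
        for key in PROTECTIONS:
            if key in app and app[key].get("effect") not in EFFECTS:
                problems.append(f"{tag}: {key}.effect={app[key].get('effect')!r} is invalid")
        thr = (app.get("botProtectionSpec", {}).get("unknownBotProtectionSpec", {})
               .get("requestAnomalies", {}).get("threshold"))
        if thr is not None and thr not in (3, 6, 9):
            problems.append(f"{tag}: requestAnomalies.threshold={thr} must be 3, 6 or 9")
    return problems

def weak_settings(policy):
    """Non-blocking settings: PUT replaces the whole policy, so these gaps go live."""
    findings = []
    for rname, i, app in apps(policy):
        tag = f"rule {rname} app[{i}]"
        for key in PROTECTIONS:
            if key in app and app[key].get("effect") in ("disable", "alert", "allow"):
                findings.append(f"{tag}: {key} effect is {app[key]['effect']}")
        if not app.get("csrfEnabled"):
            findings.append(f"{tag}: csrfEnabled is false")
        for ep in app.get("apiSpec", {}).get("endpoints", []):
            if not ep.get("tls"):
                findings.append(f"{tag}: endpoint {ep.get('host')}:{ep.get('exposedPort')} has tls=false")
    return findings

def build_put_request(console, version, user, password, policy):
    """The PUT from the cURL example: Basic auth header, JSON body."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    url = f"{console.rstrip('/')}/api/v{version}/policies/firewall/app/app-embedded"
    return urllib.request.Request(
        url, data=json.dumps(policy).encode(), method="PUT",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"})

def main(argv):
    policy = load_policy(argv[1] if len(argv) > 1 else None)
    if problems := validate_policy(policy):
        sys.exit("refusing to push an inconsistent policy:\n  " + "\n  ".join(problems))
    for finding in weak_settings(policy):
        print("weak:", finding)
    env = os.environ
    req = build_put_request(env["PRISMA_CONSOLE"], env.get("PRISMA_API_VERSION", "33.01"),
                            env["PRISMA_USER"], env["PRISMA_PASSWORD"], policy)
    # Verify the Console certificate (the cURL example's -k skips this step).
    ctx = ssl.create_default_context(cafile=env.get("PRISMA_CA_BUNDLE"))
    with urllib.request.urlopen(req, context=ctx) as resp:
        print("HTTP", resp.status, "(the endpoint returns no body on success)")

if __name__ == "__main__":
    main(sys.argv)
```

On the sample policy the script reports xss in alert mode and a plaintext endpoint before it pushes; a policy that fails validation is never sent, which is the right default for a call that replaces every rule in one shot.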
Request
- application/json
Body
Unique internal ID.
Specifies the upper limit (maximum) for a port number to use in an application firewall.
Specifies the lower limit (minimum) for a port number to use in an application firewall.
rules object[]
Specifies the rules in a policy.
Indicates whether to allow non-compliant characters in the HTTP request header.
applicationsSpec object[]
Lists the OpenAPI specifications in a rule.
apiSpec object
APISpec is an API specification
Description of the app.
Possible values: [ban,prevent,alert,allow,disable,reCAPTCHA]
Effect is the effect that will be used in the rule
endpoints object[]
The app's endpoints.
Base path for the endpoint.
Exposed port that the proxy is listening on.
Indicates if the proxy supports gRPC (true) or not (false).
URL address (name or IP) of the endpoint's API specification (e.g., petstore.swagger.io). The address can be prefixed with a wildcard (e.g., *.swagger.io).
Indicates if the proxy supports HTTP/2 (true) or not (false).
Internal port that the application is listening on.
Indicates if the connection is secured (true) or not (false).
Possible values: [ban,prevent,alert,allow,disable,reCAPTCHA]
Effect is the effect that will be used in the rule
paths object[]
Paths of the API's endpoints.
methods object[]
Supported operations for the path (e.g., PUT, GET, etc.).
Type of HTTP request (e.g., PUT, GET, etc.).
parameters object[]
Parameters that are part of the HTTP request.
Indicates if an empty value is allowed (true) or not (false).
Indicates if multiple values of the specified type are allowed (true) or not (false).
Indicates if arrays should generate separate parameters for each array item or object property.
Possible values: [path,query,cookie,header,body,json,xml,formData,multipart]
ParamLocation is the location of a parameter
Maximum allowable value for a numeric parameter.
Minimum allowable value for a numeric parameter.
Name of the parameter.
Indicates if the parameter is required (true) or not (false).
Possible values: [simple,spaceDelimited,tabDelimited,pipeDelimited,form,matrix,label]
ParamStyle is a parameter format style, defined by the OpenAPI specification. It describes how the parameter value will be serialized depending on the type of the parameter value. Ref: https://swagger.io/docs/specification/serialization/ https://github.com/OAI/OpenAPI-Specification/blob/master/versions/3.0.0.md#style-examples
Possible values: [integer,number,string,boolean,array,object]
ParamType is the type of a parameter, defined by the OpenAPI specification. Ref: https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types
Relative path to an endpoint such as "/pet/{petId}".
Possible values: [ban,prevent,alert,allow,disable,reCAPTCHA]
Effect is the effect that will be used in the rule
Unique ID for the app.
attackTools object
ProtectionConfig represents a WAAS protection config
Possible values: [ban,prevent,alert,allow,disable,reCAPTCHA]
Effect is the effect that will be used in the rule
exceptionFields object[]
Exceptions.
Field in HTTP request.
Match and scrub by keys, relevant when location is not defined.
Possible values: [path,query,queryValues,cookie,UserAgentHeader,header,body,rawBody,XMLPath,JSONPath]
ExceptionLocation indicates exception http field location
Indicates that sensitive data should be checked in response, only relevant for pattern based sensitive data rule.
Match and scrub by values, relevant when location is not defined.
autoApplyPatchesSpec object
AutoApplyPatchesSpec is the configuration for automation apply patches protection
Possible values: [ban,prevent,alert,allow,disable,reCAPTCHA]
Effect is the effect that will be used in the rule
Ban duration, in minutes.
body object
BodyConfig represents app configuration related to HTTP Body
Possible values: [ban,prevent,alert,allow,disable,reCAPTCHA]
Effect is the effect that will be used in the rule
InspectionSizeBytes represents the max amount of data to inspect in request body.
Skip indicates that body inspection should be skipped.
botProtectionSpec object
BotProtectionSpec is the bot protections spec
Indicates if an interstitial page is served (true) or not (false).
jsInjectionSpec object
JSInjectionSpec is the js injection protection spec
Indicates if JavaScript injection is enabled (true) or not (false).
Possible values: [ban,prevent,alert,allow,disable,reCAPTCHA]
Effect is the effect that will be used in the rule
knownBotProtectionsSpec object
KnownBotProtectionsSpec is the known bot protections spec
Possible values: [ban,prevent,alert,allow,disable,reCAPTCHA]
Effect is the effect that will be used in the rule
Possible values: [ban,prevent,alert,allow,disable,reCAPTCHA]
Effect is the effect that will be used in the rule
Possible values: [ban,prevent,alert,allow,disable,reCAPTCHA]
Effect is the effect that will be used in the rule
Possible values: [ban,prevent,alert,allow,disable,reCAPTCHA]
Effect is the effect that will be used in the rule
Possible values: [ban,prevent,alert,allow,disable,reCAPTCHA]
Effect is the effect that will be used in the rule
Possible values: [ban,prevent,alert,allow,disable,reCAPTCHA]
Effect is the effect that will be used in the rule
Possible values: [ban,prevent,alert,allow,disable,reCAPTCHA]
Effect is the effect that will be used in the rule
Possible values: [ban,prevent,alert,allow,disable,reCAPTCHA]
Effect is the effect that will be used in the rule
Possible values: [ban,prevent,alert,allow,disable,reCAPTCHA]
Effect is the effect that will be used in the rule
reCAPTCHASpec object
ReCAPTCHASpec is the reCAPTCHA spec
Indicates if the reCAPTCHA page is served at the start of every new session (true) or not (false).
customPageSpec object
CustomReCAPTCHAPageSpec is the custom reCAPTCHA page spec
Custom HTML for the reCAPTCHA page.
Indicates if the custom reCAPTCHA page is enabled.
Indicates if reCAPTCHA integration is enabled (true) or not (false).
secretKey object
Secret stores the plain and encrypted versions of a value. The plain version is not stored in the database.
Specifies an encrypted value of the secret.
Specifies the plain text value of the secret.
ReCAPTCHA site key to use when invoking the reCAPTCHA service.
Duration for which the indication of reCAPTCHA success is kept. Maximum value is 30 days * 24 = 720 hours.
Possible values: [checkbox,invisible]
ReCAPTCHAType is the reCAPTCHA configured type
Possible values: [ban,prevent,alert,allow,disable,reCAPTCHA]
Effect is the effect that will be used in the rule
unknownBotProtectionSpec object
UnknownBotProtectionSpec is the unknown bot protection spec
Possible values: [ban,prevent,alert,allow,disable,reCAPTCHA]
Effect is the effect that will be used in the rule
Possible values: [ban,prevent,alert,allow,disable,reCAPTCHA]
Effect is the effect that will be used in the rule
Possible values: [ban,prevent,alert,allow,disable,reCAPTCHA]
Effect is the effect that will be used in the rule
Possible values: [ban,prevent,alert,allow,disable,reCAPTCHA]
Effect is the effect that will be used in the rule
Possible values: [ban,prevent,alert,allow,disable,reCAPTCHA]
Effect is the effect that will be used in the rule
requestAnomalies object
RequestAnomalies is the request anomalies spec
Possible values: [ban,prevent,alert,allow,disable,reCAPTCHA]
Effect is the effect that will be used in the rule
Possible values: [3,6,9]
RequestAnomalyThreshold is the score threshold for which request anomaly violation is triggered
Possible values: [ban,prevent,alert,allow,disable,reCAPTCHA]
Effect is the effect that will be used in the rule
Possible values: [ban,prevent,alert,allow,disable,reCAPTCHA]
Effect is the effect that will be used in the rule
userDefinedBots object[]
Effects to perform when user-defined bots are detected.
Possible values: [ban,prevent,alert,allow,disable,reCAPTCHA]
Effect is the effect that will be used in the rule
Header name which defines the bot.
Header values corresponding to the header name. Can contain wildcards.
Name of the bot.
Subnets where the bot originates. Specify using network lists.
certificate object
Secret stores the plain and encrypted versions of a value. The plain version is not stored in the database.
Specifies an encrypted value of the secret.
Specifies the plain text value of the secret.
Indicates whether clickjacking protection is enabled (true) or not (false).
cmdi object
ProtectionConfig represents a WAAS protection config
Possible values: [ban,prevent,alert,allow,disable,reCAPTCHA]
Effect is the effect that will be used in the rule
exceptionFields object[]
Exceptions.
Field in HTTP request.
Match and scrub by keys, relevant when location is not defined.
Possible values: [path,query,queryValues,cookie,UserAgentHeader,header,body,rawBody,XMLPath,JSONPath]
ExceptionLocation indicates exception http field location
Indicates that sensitive data should be checked in response, only relevant for pattern based sensitive data rule.
Match and scrub by values, relevant when location is not defined.
codeInjection object
ProtectionConfig represents a WAAS protection config
Possible values: [ban,prevent,alert,allow,disable,reCAPTCHA]
Effect is the effect that will be used in the rule
exceptionFields object[]
Exceptions.
Field in HTTP request.
Match and scrub by keys, relevant when location is not defined.
Possible values: [path,query,queryValues,cookie,UserAgentHeader,header,body,rawBody,XMLPath,JSONPath]
ExceptionLocation indicates exception http field location
Indicates that sensitive data should be checked in response, only relevant for pattern based sensitive data rule.
Match and scrub by values, relevant when location is not defined.
Indicates whether Cross-Site Request Forgery (CSRF) protection is enabled (true) or not (false).
customBlockResponse object
CustomBlockResponseConfig is a custom block message config for a policy
Custom HTML for the block response.
Custom HTTP response code for the block response.
Indicates if the custom block response is enabled (true) or not (false).
customRules object[]
List of custom runtime rules.
Custom rule ID.
Possible values: [audit,incident]
Action is the action to perform if the custom rule applies
Possible values: [block,prevent,alert,allow,ban,disable]
Effect is the effect that will be used for custom rule
Indicates if event ID header should be attached to the response or not.
dosConfig object
DoSConfig is a dos policy specification
alert object
DoSRates specifies dos requests rates (thresholds)
Average request rate (requests / second).
Burst request rate (requests / second).
ban object
DoSRates specifies dos requests rates (thresholds)
Average request rate (requests / second).
Burst request rate (requests / second).
Enabled indicates if dos protection is enabled.
Network IPs to exclude from DoS tracking.
matchConditions object[]
Conditions on which to match to track a request. The conditions are OR'd together during the check.
File types for request matching.
HTTP methods for request matching.
responseCodeRanges object[]
Response codes for the request's response matching.
End of the range. Can be omitted if using a single status code.
Start of the range. Can also be used for a single, non-range value.
Indicates if the custom session ID generated during bot protection flow is tracked (true) or not (false).
headerSpecs object[]
Configuration for inspecting HTTP headers.
Indicates if the flow is to be allowed (true) or blocked (false).
Possible values: [ban,prevent,alert,allow,disable,reCAPTCHA]
Effect is the effect that will be used in the rule
Header name.
Indicates if the header must be present (true) or not (false).
Wildcard expressions that represent the header value.
intelGathering object
IntelGatheringConfig is the configuration for intelligence gathering protections
Possible values: [ban,prevent,alert,allow,disable,reCAPTCHA]
Effect is the effect that will be used in the rule
Indicates if server fingerprints should be removed (true) or not (false).
lfi object
ProtectionConfig represents a WAAS protection config
Possible values: [ban,prevent,alert,allow,disable,reCAPTCHA]
Effect is the effect that will be used in the rule
exceptionFields object[]
Exceptions.
Field in HTTP request.
Match and scrub by keys, relevant when location is not defined.
Possible values: [path,query,queryValues,cookie,UserAgentHeader,header,body,rawBody,XMLPath,JSONPath]
ExceptionLocation indicates exception http field location
Indicates that sensitive data should be checked in response, only relevant for pattern based sensitive data rule.
Match and scrub by values, relevant when location is not defined.
malformedReq object
ProtectionConfig represents a WAAS protection config
Possible values: [ban,prevent,alert,allow,disable,reCAPTCHA]
Effect is the effect that will be used in the rule
exceptionFields object[]
Exceptions.
Field in HTTP request.
Match and scrub by keys, relevant when location is not defined.
Possible values: [path,query,queryValues,cookie,UserAgentHeader,header,body,rawBody,XMLPath,JSONPath]
ExceptionLocation indicates exception http field location
Indicates that sensitive data should be checked in response, only relevant for pattern based sensitive data rule.
Match and scrub by values, relevant when location is not defined.
maliciousUpload object
MaliciousUploadConfig is the configuration for file upload protection
Allowed file extensions.
Possible values: [pdf,officeLegacy,officeOoxml,odf,jpeg,png,gif,bmp,ico,avi,mp4,aac,mp3,wav,zip,gzip,rar,7zip]
Allowed file types.
Possible values: [ban,prevent,alert,allow,disable,reCAPTCHA]
Effect is the effect that will be used in the rule
networkControls object
NetworkControls contains the network controls config (e.g., access controls for IPs and countries)
Possible values: [ban,prevent,alert,allow,disable,reCAPTCHA]
Effect is the effect that will be used in the rule
countries object
AccessControls contains the access controls config (e.g., denied/allowed sources)
Alert are the denied sources for which we alert.
Allow are the allowed sources for which we don't alert or prevent.
AllowMode indicates allowlist (true) or denylist (false) mode.
Enabled indicates if access controls protection is enabled.
Possible values: [ban,prevent,alert,allow,disable,reCAPTCHA]
Effect is the effect that will be used in the rule
Prevent are the denied sources.
Network lists for which requests completely bypass WAAS checks and protections.
networkControlsExceptionSubnets object
FeatureExceptions represents subnets that should bypass WAAS features
Subnets are network lists for which requests bypass WAAS features.
subnets object
AccessControls contains the access controls config (e.g., denied/allowed sources)
Alert are the denied sources for which we alert.
Allow are the allowed sources for which we don't alert or prevent.
AllowMode indicates allowlist (true) or denylist (false) mode.
Enabled indicates if access controls protection is enabled.
Possible values: [ban,prevent,alert,allow,disable,reCAPTCHA]
Effect is the effect that will be used in the rule
Prevent are the denied sources.
remoteHostForwarding object
RemoteHostForwardingConfig defines a remote host to forward requests to
Indicates if remote host forwarding is enabled (true) or not (false).
Remote host to forward requests to.
responseHeaderSpecs object[]
Configuration for modifying HTTP response headers.
Header name (will be canonicalized when possible).
Indicates whether to override existing values (true) or add to them (false).
New header values.
Indicates if bans in this app are made by session cookie ID (true) or not (false).
Indicates if session cookies are enabled (true) or not (false).
Possible values: [Lax,Strict,None]
SameSite allows a server to define a cookie attribute making it impossible for the browser to send this cookie along with cross-site requests. The main goal is to mitigate the risk of cross-origin information leakage, and provide some protection against cross-site request forgery attacks. See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite for details.
Indicates the Secure attribute of the session cookie.
shellshock object
ProtectionConfig represents a WAAS protection config
Possible values: [ban,prevent,alert,allow,disable,reCAPTCHA]
Effect is the effect that will be used in the rule
exceptionFields object[]
Exceptions.
Field in HTTP request.
Match and scrub by keys, relevant when location is not defined.
Possible values: [path,query,queryValues,cookie,UserAgentHeader,header,body,rawBody,XMLPath,JSONPath]
ExceptionLocation indicates exception http field location
Indicates that sensitive data should be checked in response, only relevant for pattern based sensitive data rule.
Match and scrub by values, relevant when location is not defined.
sqli object
ProtectionConfig represents a WAAS protection config
Possible values: [ban,prevent,alert,allow,disable,reCAPTCHA]
Effect is the effect that will be used in the rule
exceptionFields object[]
Exceptions.
Field in HTTP request.
Match and scrub by keys, relevant when location is not defined.
Possible values: [path,query,queryValues,cookie,UserAgentHeader,header,body,rawBody,XMLPath,JSONPath]
ExceptionLocation indicates exception http field location
Indicates that sensitive data should be checked in response, only relevant for pattern based sensitive data rule.
Match and scrub by values, relevant when location is not defined.
tlsConfig object
TLSConfig holds the user TLS configuration and the certificate data
HSTSConfig object
HSTSConfig is the HTTP Strict Transport Security configuration in order to enforce HSTS header see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
Enabled indicates if HSTS enforcement is enabled.
IncludeSubdomains indicates if this rule applies to all of the site's subdomains as well.
maxAgeSeconds is the time (in seconds) that the browser should remember that the site is only to be accessed using HTTPS.
Preload indicates if it should support preload.
metadata object
CertificateMeta is the certificate metadata
IssuerName is the certificate issuer common name.
NotAfter is the time the certificate is not valid (expiry time).
SubjectName is the certificate subject common name.
Possible values: [1.0,1.1,1.2,1.3]
MinTLSVersion is the lowest TLS version the app accepts. TLS 1.0 and 1.1 are deprecated (RFC 8996); set 1.2 or higher unless a legacy client forces otherwise.
xss object
ProtectionConfig represents a WAAS protection config
Possible values: [ban,prevent,alert,allow,disable,reCAPTCHA]
Effect is the effect that will be used in the rule
exceptionFields object[]
Exceptions.
Field in HTTP request.
Match and scrub by keys, relevant when location is not defined.
Possible values: [path,query,queryValues,cookie,UserAgentHeader,header,body,rawBody,XMLPath,JSONPath]
ExceptionLocation indicates exception http field location
Indicates that sensitive data should be checked in response, only relevant for pattern based sensitive data rule.
Match and scrub by values, relevant when location is not defined.
Indicates whether to automatically detect and protect the HTTP ports.
collections object[]
Scopes the rule based on a list of collections.
List of account IDs.
List of application IDs.
List of Kubernetes cluster names.
Color is a hexadecimal representation of color code value
List of containers.
Free-form text.
List of functions.
List of hosts.
List of images.
List of labels.
Datetime when the collection was last modified.
Collection name. Must be unique.
List of Kubernetes namespaces.
User who created or last modified the collection.
Indicates whether this collection originates from Prisma Cloud.
Indicates whether this collection was created by the system (i.e., a non user) (true) or a real user (false).
Indicates whether the rule is currently disabled. Values: true (disabled) or false (enabled).
Specifies the date and time when the rule was last modified.
Name of the rule.
Describes any noteworthy points for a rule. You can include any text.
Possible values: [container,host,]
OutOfBandRuleScope represents the Out-of-Band Rule Scope
User who created or last modified the rule.
Previous name of the rule. Required for rule renaming.
Specifies the timeout of the request reads in seconds. Default: 5 seconds.
Indicates whether to skip the API discovery. Values: true (skipped) or false (Do not skip).
trafficMirroring object
TrafficMirroringConfig specifies the traffic mirroring configuration.
Enabled indicates if traffic mirroring is enabled.
Sampling indicates if this is a sampling VPC.
vpcConfig object
VPCConfig is the VPC configuration (there is a 1-to-1 relation with the rule, only one configuration per rule)
AutoScalingEnabled indicates that the deployment is made with auto VPC observer instances scaling.
AutoScalingMaxInstances is the maximum deployed instances when auto scaling is enabled.
ConfigID is a unique ID for the configuration.
ConsoleHostname represents the hostname of the console to connect to.
CredentialID is the service provider authentication data.
InstanceNames are the names of the instances to mirror (can be wildcard).
InstanceType is the instance type to use for the defender instance.
LBARN is the ARN of the observed load balancer.
LBName is the name of the observed load balancer.
LBType is the type of the observed load balancer (currently only ALB is supported).
Ports are the ports to mirror.
Region is the AWS region the mirrored VMs are located in.
SubnetID is the ID of the subnet the defender will be deployed in.
Tags are the tags to filter for instances to mirror in Key:Value format or "*".
VPCID is the ID of the VPC to look for instances to mirror and to deploy the defender in.
Indicates whether the operating system of the app is Microsoft Windows. The default is Linux.
Responses
- 200
- default
OK