gcloud alpha compute security-policies rules add-preconfig-waf-exclusion - add an exclusion configuration for preconfigured WAF evaluation into a security policy rule
gcloud alpha compute security-policies rules add-preconfig-waf-exclusion PRIORITY --target-rule-set=TARGET_RULE_SET [--request-cookie-to-exclude=[op=OP],[val=VAL]] [--request-header-to-exclude=[op=OP],[val=VAL]] [--request-query-param-to-exclude=[op=OP],[val=VAL]] [--request-uri-to-exclude=[op=OP],[val=VAL]] [--security-policy=SECURITY_POLICY] [--target-rule-ids=[RULE_ID,...]] [GCLOUD_WIDE_FLAG ...]
(ALPHA) gcloud alpha compute security-policies rules add-preconfig-waf-exclusion is used to add an exclusion configuration for preconfigured WAF evaluation into a security policy rule.
Note that request field exclusions are associated with a target, which can be a single rule set, or a rule set plus a list of rule IDs under the rule set.
To add specific request field exclusions that are associated with the target of 'sqli-stable': ['owasp-crs-v030001-id942110-sqli', 'owasp-crs-v030001-id942120-sqli'], run:
$ gcloud alpha compute security-policies rules \ add-preconfig-waf-exclusion 1000 --security-policy=my-policy \ --target-rule-set=sqli-stable \ --target-rule-ids=owasp-crs-v030001-id942110-sqli,\ owasp-crs-v030001-id942120-sqli \ --request-header-to-exclude=op=EQUALS,val=abc \ --request-header-to-exclude=op=STARTS_WITH,val=xyz \ --request-uri-to-exclude=op=EQUALS_ANY
To add specific request field exclusions that are associated with the target of 'sqli-stable': [], run:
$ gcloud alpha compute security-policies rules \ add-preconfig-waf-exclusion 1000 --security-policy=my-policy \ --target-rule-set=sqli-stable \ --request-cookie-to-exclude=op=EQUALS_ANY
- PRIORITY
The priority of the rule to add the exclusion configuration for preconfigured WAF evaluation. Rules are evaluated in order from highest priority to lowest priority where 0 is the highest priority and 2147483647 is the lowest priority.
- --target-rule-set=TARGET_RULE_SET
Target WAF rule set where the request field exclusions being added would apply.
This, together with the target rule IDs (if given), determines the target for associating request field exclusions. See --target-rule-ids.
- --request-cookie-to-exclude=[op=OP],[val=VAL]
Adds a request cookie to the request field exclusions associated with the rule set and rule IDs (if given). This specifies a request cookie whose value will be excluded from inspection during preconfigured WAF evaluation.
You can specify an exact match or a partial match by using a field operator and a field value. Available field operators are:
- —
EQUALS: the operator matches if the field value equals the specified value.
- —
STARTS_WITH: the operator matches if the field value starts with the specified value.
- —
ENDS_WITH: the operator matches if the field value ends with the specified value.
- —
CONTAINS: the operator matches if the field value contains the specified value.
- —
EQUALS_ANY: the operator matches if the field value is any value.
A field value must be given if the field operator is not EQUALS_ANY, and cannot be given if the field operator is EQUALS_ANY. For example, --request-header-to-exclude op=EQUALS,val=abc or --request-header-to-exclude op=EQUALS_ANY.
This flag can be repeated to specify multiple request headers to exclude. For example, --request-header-to-exclude op=EQUALS,val=abc --request-header-to-exclude op=STARTS_WITH,val=xyz.
- --request-header-to-exclude=[op=OP],[val=VAL]
Adds a request header to the request field exclusions associated with the rule set and rule IDs (if given). This specifies a request header whose value will be excluded from inspection during preconfigured WAF evaluation.
Refer to the syntax under --request-cookie-to-exclude.
This flag can be repeated to specify multiple request headers.
- --request-query-param-to-exclude=[op=OP],[val=VAL]
Adds a request query parameter to the request field exclusions associated with the rule set and rule IDs (if given). This specifies a request query parameter in the query string or in the POST body whose value will be excluded from inspection during preconfigured WAF evaluation.
Refer to the syntax under --request-cookie-to-exclude.
This flag can be repeated to specify multiple request query parameters.
- --request-uri-to-exclude=[op=OP],[val=VAL]
Adds a request URI to the request field exclusions associated with the rule set and rule IDs (if given). This specifies a request URI from the request line to be excluded from inspection during preconfigured WAF evaluation.
Refer to the syntax under --request-cookie-to-exclude.
This flag can be repeated to specify multiple request URIs.
- --security-policy=SECURITY_POLICY
The security policy that this rule belongs to.
- --target-rule-ids=[RULE_ID,...]
A comma-separated list of target rule IDs under the WAF rule set where the request field exclusions being added would apply. If omitted, the added request field exclusions will be associated with the rule set only, which would apply to all the rule IDs under the rule set.
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
This command is currently in alpha and might change without notice. If this command fails with API permission errors despite specifying the correct project, you might be trying to access an API with an invitation-only early access allowlist. This variant is also available:
$ gcloud beta compute security-policies rules \ add-preconfig-waf-exclusion