Reserved tags, or magic tags, are pre-defined tags that trigger specific actions. Unlike user-defined tags, reserved tags are not completely customizable; however, they play a key role in tag-generating rules.
Below are some use cases and examples of reserved tags along with their descriptions.
Using reserved tags, you only need to create a single WAF rule, which other rules that tackle the same use case can then reference.
For example, you have a set of WAF rules that deal with orders originating from certain countries.
With tag-generating rules, you only need to tag the use case with something like 'Order from high-risk countries', and then look for this tag in every rule within your rule set.
If you need to add or remove a country from one of your rules, all you need to do is go to the main rule that created the tag and update it, which in turn updates all other sets of rules using this tag simultaneously.
Testing a rule condition
If you perform traffic analysis and want to track certain cases without taking any action on them, tagging specific types of requests lets you do so without interfering with the natural flow of your WAF policies and custom rules. You can then click on the requests and see whether they hold the tag you've created.
The same applies to optimizing an existing rule. If you created a rule and are noticing false positives, marking requests with a tag designated for a future rule lets you check whether that future rule does a better job of defining the conditions that trigger it.
'Logged in', 'Registered' or 'Paid' Users
You can tag requests that are coming from a Logged in or a Registered user. Set this up using a secure condition (e.g. IP=220.127.116.11), or use a signal from the server response to mark this tag.
For example, you can create a rule that looks for a set-cookie header with a cookie that designates logged in users, or you can inject a special header for logged in users, where the WAF can look for this info with a rule formed on the response phase and tag the request.
The WAF Rules engine will see this tag and add it to the user session for you to use on other requests from the same session, and will take it into account when it processes the risks from this client.
When you tag a request with the Monitor tag, you can see these requests within the requests graph.
This was usually done using the Monitor action. However, with the Monitor action, if conditions are met, the rest of the rules engine will take this as the action of the request and other rules and actions will not be processed, which may not be your original intention.
The Monitor reserved tag will replace the Monitor action, as tag-generating rules don't inhibit other rules and do not interfere with other actions.
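A simplified Python model of the difference between the Monitor action and the Monitor reserved tag, added here as an illustration; it is not the WAF's rule syntax or engine, and the rule definitions, country codes and request fields are constructed assumptions. It also shows the 'Order from high-risk countries' tag being produced by one rule and consumed by another.

```python
# Simplified model of the rule flow described above. Assumption: this is not
# the WAF's real engine or rule syntax; every name below is hypothetical.
from dataclasses import dataclass
from typing import Callable, Optional

HIGH_RISK = {"AA", "BB"}  # constructed placeholder country codes
RISK_TAG = "Order from high-risk countries"

@dataclass
class Rule:
    condition: Callable[[dict, set], bool]  # (request, tags so far) -> matched?
    tag: Optional[str] = None     # tag-generating rule: add the tag, keep going
    action: Optional[str] = None  # action rule: first match decides the request

def evaluate(rules, request):
    """Return (final_action, tags) for one request."""
    tags = set()
    for rule in rules:
        if not rule.condition(request, tags):
            continue
        if rule.tag:
            tags.add(rule.tag)        # tagging never stops evaluation
        if rule.action:
            return rule.action, tags  # an action ends rule processing
    return "allow", tags

def is_order(req, tags):
    return req["path"] == "/order"

# The country list lives only here; every other rule checks the tag instead.
tag_country = Rule(lambda r, t: is_order(r, t) and r["country"] in HIGH_RISK,
                   tag=RISK_TAG)
block_large = Rule(lambda r, t: RISK_TAG in t and r["amount"] > 500,
                   action="block")

# Monitor as an action: it becomes the request's action, block_large never runs.
with_monitor_action = [tag_country, Rule(is_order, action="monitor"), block_large]
# Monitor as a reserved tag: the request is marked and later rules still run.
with_monitor_tag = [tag_country, Rule(is_order, tag="Monitor"), block_large]

REQUEST = {"path": "/order", "country": "AA", "amount": 900}  # constructed sample

if __name__ == "__main__":
    print(evaluate(with_monitor_action, REQUEST))
    print(evaluate(with_monitor_tag, REQUEST))
```

In this model the same request ends as "monitor" when Monitor is an action and as "block" when Monitor is a tag, because only the tag leaves the later rule free to run.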
This functionality will notify the WAF of legitimate automation behavior and exclude it from our anti-automation policies. This means you can still benefit from protection against unknown automation while allowing known, legitimate automations to create traffic without being interrupted by the WAF.
This tag will notify the WAF if certain endpoints are used as login pages. This functionality will help identify certain attacks, such as brute force attacks.
‘Malicious Activity’ and ‘Legitimate Activity’
Using thresholds configured by Support, the WAF will recognize and tag requests as being either malicious or legitimate.
For example, the WAF can be configured to identify malicious/legitimate actors based on the thresholds of declined/successful orders that need to be exceeded.
If the threshold for declined orders is set to three, and the threshold for successful orders is set to two, then a client would be considered a legitimate actor if it made two successful orders after being wrong twice.
Denial of Inventory Detection
This mitigation method aims to detect hoarder bots using endpoints such as add to cart and checkout, cookies and more. The WAF will calculate the number of items held in each client's cart and, using thresholds configured by Support, tag each one that did not check out as hoarderbot if the threshold is exceeded.
Please reach out to Support to inquire about Malicious Activity, Legitimate Activity and/or Denial of Inventory Detection tags, as these require additional configuration.