Security Policies and Rules

The security policy you apply to your web application impacts what security events you'd like WAF to respond to.


Start with a blank security policy or choose from out-of box templates for Web CMS and Web technologies, provided by Qualys.

The status icon tells you the policy status.

policy status when atleast web application is using it. (Active) At least one web application uses this policy.

policy status when policy is not active on any web application.(Not In Use) No web applications use this policy.

Make use of built-in policy templates for Drupal, Joomla, Wordpress, and OWA. Note that templates and system policies are not modifiable. Start with a blank policy if you want to customize the settings.

built-in policy templates.


We'll automatically add firewall rules (on the Rules tab) for:

1) Custom rules - These are rules you define using the wizard.

2) Exceptions - These rules apply to selected events on your web application. The rule action (always block or allow) will be the opposite of the original event's action.

3) Virtual Patches - These rules will block exploitation of selected vulnerabilities on your web application.

Go to your Events list, identify the security event you want to allow and choose Create exception from the Quick Actions menu. Review the exception details and feel free to update or remove rule conditions. Then click OK. We'll add the exception rule to your firewall. The exception is deployed to the WAF appliances that are protecting the application where the event was detected.

Changes to an underlying security policy will not change the function of a created exception. The same is true for virtual patches.

You install virtual patches from the WAS interface. Go to WAS > Web Applications > Detections. Identify the detection you want to patch (vulnerability or sensitive content) and choose Install Patch from the Quick Actions menu. Review the patch details and feel free to update or remove rule conditions. Then click OK. We'll add a virtual patch rule to your firewall.

You can widen or restrict the scope of a rule by editing the rule details. Go to Security > Rules, identify the rule you want to change and choose View from the Quick Actions menu. Then click Edit in the rule details. You can provide new values for contents to be matched and clear (un-check) any condition that should no longer be applied to the rule. Type your drop-down text here.

Yes. Select the rule on the Rules tab and choose Delete from the Quick Actions menu.

Exception - When you delete an event exception rule, the event may be blocked/allowed again on your web application.

Patch - When you delete a virtual patch rule, your web application will no longer be protected by the patch and the vulnerability will be detected again by future scans if not fixed.

Want to get visibility on vulnerabilities not yet fixed but blocked by WAF? Just enable enhanced scanning capabilities for your security policy) or for web application settings within WAS.