Tab – Deny Rules

Airlock Gateway shows a list of expandable deny rule groups. Groups are enabled/disabled using the toggle button in the column "Active". In order to enable/disable individual rules, a group must be in security level "custom". Groups and individual rules can be set to "log only" mode by using the checkbox in column "log only". Use the Edit button in the "Exception" column to create or edit exceptions for a deny rule (group) on the current mapping. To display details of a deny rule, simply click on its name. The global deny rule page (Application Firewall -> Deny Rules) allows creation of new deny rules and groups.

Deny rules establish a negative security model, also known as deny lists. Deny rules are processed as the first filtering stage after decoding and decryption. Airlock Gateway provides a set of default deny rule groups to protect against common attack scenarios. For instance, there are specific deny rule groups dealing with SQL injection or Cross-site scripting (XSS) attacks.

These default deny rule groups are identified by the "(default)" name prefix and have a configurable security level, one for blocking and one for additional logging. In order to see all rules belonging to a group, click on the group name or the expand icon on the right side of the group row to expand the view.

• For a detailed introduction to the deny rule concept please refer to the general deny rule page.