# 3.2 WAF – Web Application Firewall

#### 🛡️ Overview

The **Web Application Firewall (WAF)** in ShieldsGuard is an advanced, multi-layered security engine designed to protect your applications against all known Layer 7 threats — from SQL injection to file inclusion, command injection, and even data leakage.

ShieldsGuard supports three different WAF models, each accessible via separate tabs:

1. **ShieldsGuard WAF** *(recommended — proprietary engine)*
2. **ModSecurity v4** *(community/open standard ruleset)*
3. **ModSecurity v3** *(legacy compatibility ruleset)*

> ⚠️ **Only one rule set can be active at any given time.**\
> If `ShieldsGuard WAF` is active, `v3` and `v4` are automatically disabled, and vice versa.

We strongly recommend using **ShieldsGuard WAF** for best security, performance, and enterprise-grade rule support.


### 🔒 ShieldsGuard WAF (Recommended)

#### 🔧 Description

ShieldsGuard WAF is a **custom-built, proprietary firewall engine** developed by the ShieldsGuard security engineering team. It contains **handcrafted, threat-intelligence-enhanced rules**, designed to detect and stop real-world attack patterns before they ever reach your application.

It is continuously updated and optimized for:

* Performance under high load
* Low false-positive rates
* Real-time botnet and CVE protection
* Enterprise-grade precision

#### 🧩 Rule Modules

Below is the complete list of available `.conf` modules within ShieldsGuard WAF:

| Rule File                                 | Description                                    |
| ----------------------------------------- | ---------------------------------------------- |
| 00\_asl\_whitelist.conf                   | Whitelisted IP/User-Agent definitions          |
| 00\_asl\_x\_searchengines.conf            | X search engine behavior filtering             |
| 00\_asl\_y\_searchengines.conf            | Y search engine behavior filtering             |
| 00\_asl\_z\_aa\_threat\_intelligence.conf | Real-time threat intelligence integration      |
| 00\_asl\_z\_antievasion.conf              | Evasion technique detection                    |
| 00\_asl\_zz\_strict.conf                  | Strict mode for aggressive filtering           |
| 01\_asl\_content.conf                     | General content attack detection               |
| 01\_asl\_content\_smuggling.conf          | HTTP smuggling prevention                      |
| 01\_asl\_content\_z.conf                  | Extended payload filtering                     |
| 03\_asl\_dos.conf                         | Application-layer DoS and slowloris protection |
| 05\_asl\_exclude.conf                     | Global exclusions definition                   |
| 10\_asl\_antimalware.conf                 | Malware upload and binary detection            |
| 11\_asl\_brute\_enhanced.conf             | Bruteforce attack blocking                     |
| 11\_asl\_data\_loss.conf                  | Sensitive data exfiltration attempts           |
| 12\_asl\_adv\_rules.conf                  | Advanced heuristics for dynamic payloads       |
| 12\_asl\_adv\_xss\_rules.conf             | Cross-Site Scripting (XSS) protection          |
| 12\_asl\_brute.conf                       | Basic bruteforce detection                     |
| 13\_asl\_brute\_enhanced.conf             | Extended bruteforce detection                  |
| 13\_asl\_command\_injection.conf          | OS command injection blocking                  |
| 20\_asl\_useragents.conf                  | Suspicious user-agent filtering                |
| 21\_asl\_useragents.conf                  | Known malicious agent blocking                 |
| 30\_asl\_antispam.conf                    | Spam bots and injection via forms              |
| 31\_asl\_urispam.conf                     | URI-based spam detection                       |
| 45\_asl\_hpp.conf                         | HTTP parameter pollution detection             |
| 50\_asl\_rootkits.conf                    | Known webshell/rootkit patterns                |
| 51\_asl\_paranoid\_extra.conf             | Paranoid-level detection logic                 |
| 51\_asl\_rootkits.conf                    | Enhanced rootkit detection                     |
| 51\_asl\_wordpress\_extra.conf            | Additional rules for WordPress hardening       |
| 60\_asl\_recons.conf                      | Reconnaissance & fingerprinting detection      |
| 61\_asl\_recons\_dlp.conf                 | Data leak prevention during scans              |
| 80\_asl\_proxy\_abuse.conf                | Proxy chaining, Tor & VPN abuse                |
| 98\_asl\_jitp.conf                        | Just-in-time payload heuristics                |
| 99\_asl\_jitp.conf                        | Extended payload interpretation logic          |

> 🛠️ Enterprise users receive assistance in tuning these rules with direct engineer access and 24/7 monitoring options.

### 📘 ModSecurity v4 Rule Set

#### 💡 Description

ModSecurity v4 is a **structured, open-source community-driven ruleset**, built around OWASP Core Rule Set (CRS) standards. ShieldsGuard supports v4 through modular `.conf` files, each focusing on specific vulnerabilities or exploit methods.

#### 🔧 Example Rules:

| Rule File                                            | Description                               |
| ---------------------------------------------------- | ----------------------------------------- |
| REQUEST-901-INITIALIZATION.conf                      | Rule engine initialization                |
| REQUEST-905-COMMON-EXCEPTIONS.conf                   | General exceptions for stability          |
| REQUEST-911-METHOD-ENFORCEMENT.conf                  | Enforce allowed HTTP methods              |
| REQUEST-913-SCANNER-DETECTION.conf                   | Identify automated vulnerability scanners |
| REQUEST-920-PROTOCOL-ENFORCEMENT.conf                | Detect malformed HTTP requests            |
| REQUEST-921-PROTOCOL-ATTACK.conf                     | Detect protocol-based evasion             |
| REQUEST-922-MULTIPART-ATTACK.conf                    | Detect file upload boundary attacks       |
| REQUEST-930-APPLICATION-ATTACK-LFI.conf              | Local File Inclusion                      |
| REQUEST-931-APPLICATION-ATTACK-RFI.conf              | Remote File Inclusion                     |
| REQUEST-932-APPLICATION-ATTACK-RCE.conf              | Remote Code Execution attempts            |
| REQUEST-933-APPLICATION-ATTACK-PHP.conf              | PHP-specific attack patterns              |
| REQUEST-934-APPLICATION-ATTACK-GENERIC.conf          | Generic payload anomalies                 |
| REQUEST-941-APPLICATION-ATTACK-XSS.conf              | Cross-site scripting                      |
| REQUEST-942-APPLICATION-ATTACK-SQLI.conf             | SQL injection detection                   |
| REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf | Session hijack prevention                 |
| REQUEST-944-APPLICATION-ATTACK-JAVA.conf             | Java-targeted attacks                     |
| REQUEST-949-BLOCKING-EVALUATION.conf                 | Decide if request should be blocked       |
| RESPONSE-950-DATA-LEAKAGES.conf                      | Generic data leakage (SSN, CCN, etc.)     |
| RESPONSE-951-DATA-LEAKAGES-SQL.conf                  | SQL error-based leakage                   |
| RESPONSE-952-DATA-LEAKAGES-JAVA.conf                 | Java stack leakage                        |
| RESPONSE-953-DATA-LEAKAGES-PHP.conf                  | PHP error output                          |
| RESPONSE-954-DATA-LEAKAGES-IIS.conf                  | IIS debug info                            |
| RESPONSE-955-WEB-SHELLS.conf                         | Known web shell signatures                |
| RESPONSE-959-BLOCKING-EVALUATION.conf                | Final blocking stage                      |
| RESPONSE-980-CORRELATION.conf                        | Multi-rule correlation logic              |

### 🧱 ModSecurity v3 Rule Set

#### 📦 Description

ModSecurity v3 is a **lightweight, simplified version of v4**, maintained for legacy compatibility. While not as complete or intelligent as v4 or ShieldsGuard WAF, it offers baseline protection for older stacks.

#### 🔧 Example Rules:

| Rule File                                       | Description                  |
| ----------------------------------------------- | ---------------------------- |
| REQUEST-901-INITIALIZATION.conf                 | Rule engine initialization   |
| REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf    | Drupal exclusions            |
| REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf | WordPress exclusions         |
| REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf | NextCloud exclusions         |
| REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf  | DokuWiki exclusions          |
| REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf    | cPanel exclusions            |
| REQUEST-903.9006-XENFORO-EXCLUSION-RULES.conf   | XenForo exclusions           |
| REQUEST-905-COMMON-EXCEPTIONS.conf              | Common exclusions            |
| REQUEST-910-IP-REPUTATION.conf                  | IP reputation match          |
| REQUEST-911-METHOD-ENFORCEMENT.conf             | Method enforcement           |
| REQUEST-912-DOS-PROTECTION.conf                 | DoS detection                |
| REQUEST-913-SCANNER-DETECTION.conf              | Scanner detection            |
| REQUEST-920-PROTOCOL-ENFORCEMENT.conf           | Protocol enforcement         |
| REQUEST-921-PROTOCOL-ATTACK.conf                | Protocol manipulation        |
| REQUEST-922-MULTIPART-ATTACK.conf               | Multipart abuse              |
| REQUEST-930 to 944                              | Application-level attacks    |
| RESPONSE-950 to 980                             | Data leakage and block logic |

### ✅ How to Use WAF in ShieldsGuard

1. Go to **Protection > WAF**
2. Enable **WAF Control** (top toggle)
3. Select the desired **WAF rule engine tab** (ShieldsGuard WAF / v4 / v3)
4. Activate the `.conf` modules relevant to your environment
5. Save and monitor – changes apply immediately

***

### 📌 Best Practices

* **Always use ShieldsGuard WAF** unless legacy compatibility is strictly required
* For CMS users (WordPress, Drupal, NextCloud), enable only one CMS exclusion rule at a time
* Enable all critical attack class protections (SQLi, XSS, RCE)
* Disable unused protocol types to reduce false positives
* For enterprise environments, contact the ShieldsGuard team for:
  * Rule tuning
  * False positive mitigation
  * Custom platform rules
  * CVE simulation and patching

### 🧠 Summary

ShieldsGuard WAF provides a complete application-layer security solution with options tailored for all needs — from enterprises needing expert-backed protection to legacy systems requiring minimal rules.

> 🔐 **Choose one rule engine. Activate only what you need. Let ShieldsGuard handle the rest.**

