[C4Platforms] Update WAF for SaaS

Author: pedrosousa

src/assets/images/cloudflare-for-platforms/active-rule.png

@@ -21,12 +21,12 @@ Before you can use WAF for SaaS, you need to create a custom hostname. Review [G
 You can also create a custom hostname through the API:
 
 <APIRequest
-  path="/zones/{zone_id}/custom_hostnames"
-  method="POST"
-  json={{
-		"hostname": "<CUSTOM_HOSTNAME>",
-		"ssl": {
-			wildcard: false
+	path="/zones/{zone_id}/custom_hostnames"
+	method="POST"
+	json={{
+		hostname: "<CUSTOM_HOSTNAME>",
+		ssl: {
+			wildcard: false,
 		},
 	}}
 />
@@ -41,28 +41,23 @@ To apply WAF to your custom hostname, you need to create an association between
 
 3. Locate your custom hostname ID by making a `GET` call in the API:
 
-<APIRequest
-  path="/zones/{zone_id}/custom_hostnames"
-  method="GET"
-/>
+<APIRequest path="/zones/{zone_id}/custom_hostnames" method="GET" />
 
 4. Plan your [custom metadata](/cloudflare-for-platforms/cloudflare-for-saas/domain-support/custom-metadata/). It is fully customizable. In the example below, we have chosen the tag `"security_level"` to which we expect to assign three values (low, medium, and high).
 
 :::note
-
 One instance of low, medium, and high rules could be rate limiting. You can specify three different thresholds: low - 100 requests/minute, medium - 85 requests/minute, high - 50 requests/minute, for example. Another possibility is a WAF custom rule in which low challenges requests and high blocks them.
-
 :::
 
 5. Make an API call in the format below using your Cloudflare email and the IDs gathered above:
 
 <APIRequest
-  path="/zones/{zone_id}/custom_hostnames/{custom_hostname_id}"
-  method="PATCH"
-  json={{
-		"custom_metadata": {
-    "customer_id": "12345",
-    "security_level": "low"
+	path="/zones/{zone_id}/custom_hostnames/{custom_hostname_id}"
+	method="PATCH"
+	json={{
+		custom_metadata: {
+			customer_id: "12345",
+			security_level: "low",
 		},
 	}}
 />
@@ -73,41 +68,35 @@ This assigns custom metadata to your custom hostname so that it has a security t
 
 1. Locate the custom metadata field in the Ruleset Engine where the WAF runs. This can be used to trigger different configurations of products such as [WAF custom rules](/waf/custom-rules/), [rate limiting rules](/waf/rate-limiting-rules/), and [Transform Rules](/rules/transform/).
 
-2. Build your rules either [through the dashboard](/waf/custom-rules/create-dashboard/) or via the API. An example rate limiting rule, corresponding to `"security_level"` low, is shown below as an API call.
-
-<APIRequest
-  path="/zones/{zone_id}/rulesets/phases/{ruleset_phase}/entrypoint"
-  method="PUT"
-  json={{
-		"rules": [
-			{
-				"action": "block",
-				"ratelimit": {
-					"characteristics": [
-						"cf.colo.id",
-						"ip.src"
-					],
-					"period": 10,
-					"requests_per_period": 2,
-					"mitigation_timeout": 60
-				},
-				"expression": "lookup_json_string(cf.hostname.metadata, \"security_level\") eq \"low\" and http.request.uri contains \"login\""
-			}
-		]
-	}}
-	parameters={{
-		ruleset_phase: "http_ratelimit"
-	}}
-/>
-
-To build rules through the dashboard:
-
-1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com) and navigate to your account and website.
-
-2. Select **Security** > **WAF**.
-
-3. Follow the instructions on the dashboard specific to custom rules, rate limiting rules, or managed rules, depending on your security goal.
-
-4. Once the rule is active, you should see it under the applicable tab (custom rules, rate limiting, or managed rules).
-
-![Rule Active](~/assets/images/cloudflare-for-platforms/active-rule.png)
+2. Build your rules either through the dashboard or via the API.
+
+   To build rules through the dashboard, follow the instructions specific to [custom rules](/waf/custom-rules/create-dashboard/), [rate limiting rules](/waf/rate-limiting-rules/create-zone-dashboard/), or [managed rules](/waf/managed-rules/deploy-zone-dashboard/), depending on your security goal.
+
+   An example rate limiting rule, corresponding to `"security_level"` low, is shown below as an API call.
+
+   <APIRequest
+   	path="/zones/{zone_id}/rulesets/phases/{ruleset_phase}/entrypoint"
+   	method="PUT"
+   	json={{
+   		rules: [
+   			{
+   				action: "block",
+   				ratelimit: {
+   					characteristics: ["cf.colo.id", "ip.src"],
+   					period: 10,
+   					requests_per_period: 2,
+   					mitigation_timeout: 60,
+   				},
+   				expression:
+   					'lookup_json_string(cf.hostname.metadata, "security_level") eq "low" and http.request.uri contains "login"',
+   			},
+   		],
+   	}}
+   	parameters={{
+   		ruleset_phase: "http_ratelimit",
+   	}}
+   />
+
+   :::caution
+   This API call will replace any existing rate limiting rules in the zone.
+   :::

src/assets/images/cloudflare-for-platforms/rule-expression.png

@@ -1,84 +1,81 @@
 ---
 pcx_content_type: how-to
-title: Managed Rulesets
+title: Managed rulesets
 sidebar:
   order: 4
 head:
   - tag: title
-    content: Managed Rulesets per Custom Hostname
-
+    content: Managed rulesets per custom hostname
 ---
 
 import { DashButton } from "~/components";
 
 If you are interested in [WAF for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/security/waf-for-saas/) but unsure of where to start, Cloudflare recommends using WAF Managed Rules. The Cloudflare security team creates and manages a variety of rules designed to detect common attack vectors and protect applications from vulnerabilities. These rules are offered in [managed rulesets](/waf/managed-rules/), like Cloudflare Managed and OWASP, which can be deployed with different settings and sensitivity levels.
 
-***
+---
 
 ## Prerequisites
 
 WAF for SaaS is available for customers on an Enterprise plan.
 
-If you would like to deploy a managed ruleset at the account level, refer to the [Ruleset Engine documentation](/ruleset-engine/managed-rulesets/deploy-managed-ruleset/).
+If you would like to deploy a managed ruleset at the account level, refer to the [WAF documentation](/waf/account/managed-rulesets/deploy-dashboard/).
 
 Ensure you have reviewed [Get Started with Cloudflare for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/start/getting-started/) and familiarize yourself with [WAF for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/security/waf-for-saas/).
 
 Customers can automate the [custom metadata](/cloudflare-for-platforms/cloudflare-for-saas/domain-support/custom-metadata/) tagging by adding it to the custom hostnames at creation. For more information on tagging a custom hostname with custom metadata, refer to the [API documentation](/api/resources/custom_hostnames/methods/edit/).
 
-***
+---
 
 ## 1. Choose security tagging system
 
 1. Outline `security_tag` buckets. These are fully customizable with no strict limit on quantity. For example, you can set `security_tag` to `low`,`medium`, and `high` as a default, with one tag per custom hostname.
 
 2. If you have not already done so, [associate your custom metadata to custom hostnames](/cloudflare-for-platforms/cloudflare-for-saas/security/waf-for-saas/#1-associate-custom-metadata-to-a-custom-hostname) by including the `security_tag`in the custom metadata associated with the custom hostname. The JSON blob associated with the custom hostname is fully customizable.
 
-:::note
-
+After the association is complete, the JSON blob is added to the defined custom hostname. This blob is then associated to every incoming request and exposed in the WAF through the [`cf.hostname.metadata`](/ruleset-engine/rules-language/fields/reference/cf.hostname.metadata/) field. In the rule, you can access `cf.hostname.metadata` and get whatever data you need from that blob.
 
-After the association is complete, the JSON blob is added to the defined custom hostname. This blob is then associated to every incoming request and exposed in the WAF through the new field `cf.hostname.metadata`. In the rule, you can access `cf.hostname.metadata` and get whatever data you need from that blob.
+---
 
+## 2. Deploy rulesets
 
+:::note
+Account-level WAF requires an Enterprise plan with a paid add-on.
 :::
 
-***
-
-## 2. Deploy Rulesets
-
 1. In the Cloudflare dashboard, go to the **WAF** page.
 
    <DashButton url="/?to=/:account/application-security/waf" />
 
-:::note
-**WAF** at the account level will only be visible on Enterprise plans. If you do not see this option, contact your account manager.
-:::
+2. Go to the **Managed rulesets** tab.
 
-2. Select **Managed rulesets**.
+3. Select **Deploy** > **Deploy managed ruleset**.
 
-3. Select **Deploy a managed ruleset**.
+4. Next to **Cloudflare Managed Ruleset**, choose **Select ruleset**.
 
-4. Under **Field**, Select *Hostname*. Set the operator as *equals*. The complete expression should look like this, plus any logic you would like to add:
+5. Give a name to the rule deploying the ruleset in **Execution name**.
 
-![Rule expression](~/assets/images/cloudflare-for-platforms/rule-expression.png)
+6. Select **Edit scope** to execute the managed ruleset for a subset of incoming requests.
 
-5. Beneath **Value**, add the custom hostname.
+7. Select **Custom filter expression**.
 
-6. Select **Next**.
+8. Select **Edit expression** to switch to the [Expression Editor](/ruleset-engine/rules-language/expressions/edit-expressions/#expression-editor).
 
-7. Find the **Cloudflare Managed Ruleset** card and select **Use this Ruleset**.
+9. The basic expression should look like this, plus any logic you would like to add (like filtering by a specific custom hostname with `http.host eq "<HOSTNAME>"`):
 
-8. Click the checkbox next to each rule you want to deploy.
+   ```txt
+   (lookup_json_string(cf.hostname.metadata, "security_tag") eq "low") and (cf.zone.plan eq "ENT")
+   ```
 
-9. Toggle the **Status** button next to each rule to enable or disable it. Then select **Next**.
+   :::note
+   Rulesets deployed at the account level will only apply to incoming traffic of Enterprise domains on your account. When you define a custom expression using the Expression Editor, use parentheses to enclose any custom conditions and end your expression with `and (cf.zone.plan eq "ENT")` so that the rule only applies to domains on an Enterprise plan.
+   :::
 
-10. On the review page, give your rule a descriptive name. You can modify the ruleset configuration by changing, for example, what rules are enabled or what action should be the default.
+10. Select **Next**.
 
-11. Select **Deploy**.
+11. (Optional) You can modify the ruleset configuration by changing, for example, what rules are enabled or what action should be the default.
 
-:::note
+12. Select **Deploy**.
 
+## Next steps
 
-While this tutorial uses Cloudflare Managed Rulesets, you can also create a custom ruleset and deploy on your custom hostnames. To do this, select **Browse Rulesets** > **Create new ruleset**. For examples of a low/medium/high ruleset, refer to [WAF for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/security/waf-for-saas/).
-
-
-:::
+While this guide uses the Cloudflare Managed Ruleset, you can also create a custom ruleset and deploy on your custom hostnames. To do this, go to the **Custom rulesets** tab and select **Create ruleset**. For examples of a low/medium/high ruleset, refer to [WAF for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/security/waf-for-saas/).