Migration to managed rules

The CIS web application firewall (WAF) capabilities are moving under the Ruleset Engine feature. This change requires a manual migration, and the CIS UI migration wizard is the recommended way to perform it. During the migration, you review the configuration and the security events before you finish the update.

After you complete the migration, any WAF-related automation that uses APIs, CLIs, or Terraform stops working and must be updated to use the new managed rulesets.

Instances created after June 2024 use the new Ruleset Engine and do not need to be migrated.

To migrate your instance to managed rules, take the following steps:

  1. Navigate to the Security section.
  2. Select the WAF tab. If the CIS instance has not been upgraded, you receive the message to Update to the new WAF.
  3. Click Review configuration.
  4. In the Review configuration panel, the rule sets are listed in the order in which they are applied.
  5. Enable or disable the rule sets by using the switches in the Status column.
  6. From the Actions menu beside each rule set, you can choose to edit or reorder the rule set, or delete it completely. These actions are considered overrides from the default.
  7. In the Managed rule sets section, you can add or configure rule sets that are not yet added.
    • Click Add on the rule set you want to add, then toggle the switch from Disabled to Enabled on the new rule.
    • Click Configure on the rule set you want to configure before migrating. In the Configure deployment side panel, you can accept all incoming requests or update the scope of execution with the customized filters you make in the expression builder. Then, click Save.
  8. Click Deploy in the side panel to continue.
  9. (Enterprise only) Review the security events in the Security > Events tab, and select Ready to update when you are satisfied that the events are correct.
  10. Select Turn off previous version to finalize the migration (this step cannot be undone), or cancel to continue editing. This transition does not incur any downtime.

Editing rule sets

From the Actions menu, you can select the following actions:

  • Edit: Opens a panel where you can change rule set actions and status, as well as perform a batch edit of rules within the rule set. Edits are considered overrides of the default rules.
  • Delete: Removes the rule set from the list.
  • Move up: Changes the order in which the rule sets are executed by moving one row higher in priority.
  • Move to...: Changes the priority order in which the rule sets are executed.

Adding an exception

To add your own exceptions, take the following steps.

  1. Click Add exception.
  2. In the Add exception side panel, enter a name for your exception.
  3. Select options in the When incoming requests match... section, or use the expression builder to fine-tune the exception.
  4. If you want to log matching requests, move the switch to the On position.
  5. Select if you want the exception to skip all remaining rules, or skip specific rules from a managed rule set.
  6. Click Save.

Managed rules FAQs

What if I don't migrate?

Users who don’t manually migrate are automatically migrated to the Managed Rules on 12 June 2025, with no expected impact to their current WAF policies or security. From this date forward, you must use the Ruleset Engine API to make WAF and Managed Rules configurations.

Rules and configuration might be slightly different than before, because the new Managed Rules added more robust OWASP security coverage. This ruleset is updated from OWASP v2.x to OWASP v3.x.

What will happen to the previous WAF APIs?

After deprecation, the previous WAF APIs are no longer available. Calls to them generate an error and return a message that directs you to switch to the Managed Rules feature.

How can I confirm that the migration is complete?

Run the Migration Status API check. You can also check to see whether the UI shows the wizard on the WAF page. If the wizard appears, you must migrate.

Can I revert to the previous WAF?

No. Migration to managed rulesets is final and cannot be undone.

Why can I no longer see the migration wizard?

The wizard appears only when the previous WAF is enabled. If you don't see the wizard, you've likely already migrated.

How do I migrate without using the IBM UI or migration wizard?

While APIs are available, the wizard is the recommended method.

Known issues with migration

You can contact IBM Cloud support for help with errors in the following cases:

  • The number of firewall rules you want to migrate exceeds 200.
  • The length of a firewall rule expression is longer than 4 KB.
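
A pre-flight check for the two limits above, run before starting the wizard. This is an added example, not IBM code. It assumes the firewall rules have already been exported to a JSON array of objects with `id` and `expression` fields (a hypothetical export format, not an IBM API schema), and it reads "4 KB" as 4096 UTF-8 bytes.

```python
import json

MAX_RULES = 200            # limit stated on this page
MAX_EXPR_BYTES = 4 * 1024  # assumption: "4 KB" read as 4096 UTF-8 bytes


def preflight(rules):
    """Return a list of findings; an empty list means neither limit is hit."""
    findings = []
    if len(rules) > MAX_RULES:
        findings.append(f"rule count {len(rules)} exceeds {MAX_RULES}")
    for rule in rules:
        # Measure encoded bytes, not characters: non-ASCII text counts for more.
        size = len(rule.get("expression", "").encode("utf-8"))
        if size > MAX_EXPR_BYTES:
            findings.append(
                f"rule {rule.get('id', '<no id>')}: expression is {size} bytes, "
                f"over {MAX_EXPR_BYTES}"
            )
    return findings


def load_rules(text):
    """Parse the assumed export: a JSON array of {"id", "expression"} objects."""
    rules = json.loads(text)
    if not isinstance(rules, list):
        raise ValueError("expected a JSON array of rule objects")
    return rules


# Constructed sample input, not real rules from any instance.
SAMPLE = json.dumps(
    [{"id": "r-short", "expression": '(http.request.uri.path contains "/admin")'},
     {"id": "r-long", "expression": "(ip.src in {" + " ".join(["192.0.2.1"] * 500) + "})"}]
)

if __name__ == "__main__":
    for line in preflight(load_rules(SAMPLE)) or ["no known migration limits hit"]:
        print(line)
```

Any finding means the instance matches one of the known issues, so the rule set should be trimmed or IBM Cloud support contacted before the migration is started.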