Our WAF offering is designed to secure site traffic against malicious and unwanted traffic. The core methods through which it secures site traffic are listed below.
The configuration process for WAF is illustrated below.
Step-by-step instructions on how to create an access rule, rate rule, and managed rule are provided below.
Create a custom rule to identify threats using custom criteria that takes into account your site's traffic profile to avoid false positives.
Create an Access Rule
Create an access rule that identifies traffic that should be allowed, denied, or screened through whitelists, accesslists, and blacklists.
Navigate to the Access Rules page.
Click Add Access Rule.
In the Name option, type My Access Rule.
From the Add an Access Control option, select IP.
Click Add Blacklist.
Specify an IP address from which suspicious traffic originates.
Click Save.
Create a Rate Rule
Use a rate rule to restrict the flow of traffic to your application.
Navigate to the Rate Rules page.
Click Add Rate Rule.
In the Rule name option, type My Rate Limit.
In the Apply rate limit to option, select IP address.
In the Rate limit section, set the Number of requests option to 100 and the Time period option to 1 minute.
Click Save.
Create a Managed Rule
Create a managed rule that leverages predefined rules to detect application layer attacks.
Navigate to the Managed Rules page.
Click Add Managed Rule.
In the Name option, type My Managed Rule.
Click the Policies tab. In the Ruleset option, select ECRS 2020-11-02.
Set the Threshold option to 5.
Set the Paranoia Level option to 1.
From the Policies section, disable policies that do not apply to your application. For example, you may safely disable Adv Drupal, Adv SharePoint, and Adv WordPress if your application does not leverage those platforms.
Click Save.
Step-by-step instructions on how to create a Security Application Manager configuration that identifies the security policy that will be applied to your application are provided below.
Navigate to the Security Application Manager page.
Click Add New.
In the Name option, type My Application.
From the Rules section, click Access Rule.
From the Production Access Rule option, select My Access Rule.
From the Action type option, select Alert only.
From the Rules section, click Managed Rule.
From the Production Managed Rule option, select My Rate Limit.
From the Action type option, select Alert only.
From the Rules section, click Rate Rules.
From the Add Rate Rule option, select My Managed Rule.
From the Action type option, select Drop request (429 Too Many Requests).
Click Save.
The Threats dashboard illustrates threat detection trends and lists recent illegitimate requests. This dashboard is a useful tool for:
By default, the dashboard tracks the set of threats detected over the last week.
Data Gathering
After an instance has been activated, time needs to pass to allow WAF to gather sufficient data from which trends may be detected.
Wait a reasonable amount of time (e.g., 24 hours) after setting up a Security Application Manager configuration.
Navigate to the Threats Dashboard
View graphs and detailed alert data from the Threats dashboard.
Navigate to the Threats Dashboard page.
Review Trends
The dashboard's graph provides insight into trends at a glance.
Review the graph at the top of the dashboard. Check for an abnormally high number of detected threats.
Analyze Individual Threats
It is useful to view detailed information on detected threats to ensure that WAF is correctly identifying threats.
Click the icon from the upper-right hand side of the window.
Click on each alert to view detailed information on it.
If an alert was generated for a legitimate request, then review the Rule Tags, Matched On, and Matched Value fields to see why the request was flagged.
Our recommendation is that all of the following conditions be met before disabling a rule:
You may safely disable a threat detection policy if it secures a platform (e.g., Drupal, SharePoint, and WordPress) that is not leveraged by your application.
If you must disable a rule, then note the values for the Rule Tags and Rule ID fields.
Look for the rule ID defined in the Rule ID fields within your managed rule's policy. Disable that rule.
You may filter rules by ID when viewing a managed rule's policy.