Set up WAF by defining rules and then creating a Security Application Manager configuration that enforces them. After which, perform near-real-time threat monitoring through the dashboard.
Additional information on each of the above steps is provided below.
# |
Task | Description |
---|---|---|
1 |
Create Rules |
Create modular rules (i.e., Access Rules, Rate Rules,
|
2 |
Create a Security Application Manager Configuration |
Create a Security Application Manager configuration that identifies the type of traffic to which your rules will be applied and how threats will be handled. You may also use it to test new rules via an audit mode that generates alerts on flagged traffic. |
3 |
Monitor Threats |
Use the dashboard to:
|
Different applications and types of requests may require varying levels of protection. Create rules and Security Application Manager configurations for each use case that requires a unique level of protection.
A Security Application Manager configuration contains rules that define the criteria that determine whether traffic is legitimate or a threat. WAF leverages this security configuration and performs a sequential check for each criterion. An overview of this security check is provided below.
Proceed to the next step if the access rule does not contain at least one acceslist.
Does the request satisfy at least one criterion in each defined accesslistAn accesslist identifies traffic that may access your content upon passing a threat assessment. Traffic may be accesslisted by ASN, country, IP address, referrer, URL, user agent, HTTP method, media type, and/or file extension.? If not, then the request is identified as a threat and no further checks will be performed.
The above threat detection workflow is illustrated below.
If an access rule, rate rule, or custom rule cannot identify whether a request is legitimate or a threat, then it is up to the Security Application Manager configuration's managed rule to make that determination. The request will be evaluated according to a managed rule's enabled rules and its definition of a valid HTTP request. A request will not be considered a threat until a threshold of violations is met. The score assigned to a request is determined according to the severity and frequency of the violations.
Severity: Each rule is assigned a severity. Each severity is assigned an anomaly score from 2 to 5.
Severity | Anomaly Score | Description |
---|---|---|
Critical |
5 |
This severity level is triggered by web attack violations. |
Error |
4 |
This severity level is reserved for future use. |
Warning |
3 |
This severity level is triggered by malicious client violations. |
Notice |
2 |
This severity level is generally used to indicate protocol policy violations. |
A managed rule may be assigned a threshold value from 2 to 20. However, the recommended value is 5. A threshold value of 5 triggers threat identification after a single severe violation or multiple minor violations. This balanced approach identifies questionable requests without impacting legitimate traffic.