Instance

This article explains the legacy version of WAF Essential that will undergo end-of-life on June 30, 2021. Our new version of WAF Essentials expands upon all of the capabilities offered by the legacy version of WAF Essential with a simplified and centralized setup. Please upgrade to the latest version of WAF at your earliest convenience.

The following information is only applicable for the WAF Essential product. This security offering provides limited Web Application Firewall and Rate Limiting functionality.

The purpose of an instance is to identify profiles which may be used to assess threats against production traffic. To this end, an instance:

Handling Detected Threats

All threats detected by Web Application Firewall will be logged. Logged threats may be viewed from the Web Application Firewall dashboard.

Standard security practices dictate that measures should be taken to prevent sensitive data (e.g., credit card information or passwords) from being passed as clear text from the client to your origin server. Another incentive for encrypting sensitive data is that it will be logged by our system when an alert is triggered as a result of this data. If sensitive data cannot be encrypted or obfuscated, then it is strongly recommended to contact our technical customer support to disable logging for the Matched Value field.

An instance configuration determines whether any of the following additional actions will be applied to the detected threat.

Mode Description

Block Request

Detected threats will be dropped and the client will receive a 403 Forbidden response.

Alert Only

Detected threats will only generate an alert.

Use this mode to track detected threats through the dashboard without affecting traffic.

Redirect (HTTP 302)

Detected threats will be redirected to the specified URL.

Key information:

  • The HTTP status code for this response will be a 302 Found.
  • Set the URL option to the full URL to which detected threats will be redirected.

    Example:

    http://cdn.mydomain.com/marketing/busy.html

Custom Response

Detected threats will receive a custom response.

Define the custom response that will be sent in response to a detected threat.

  • Response Body: Configure whether the response body will consist of a default error page or the value defined in the Response Body option.

    • Display Default Error Page: Mark this option to respond to detected threats with a web page that describes the detected threat. Specifically, it will indicate the client's IP address, the requested URL, and the date/time at which the request was screened.

      This option does not control the status code or the headers included in the response. Configure those settings through the HTTP Status Code and the Custom Response Headers options, respectively.

    • Response Body: Defines the payload that will be delivered to the client in response to a detected threat.

      This option supports the use of event variables to customize the response according to the detected threat.

      Sample payload for a CSS file:

      body {
        background-color: #ffffff;
      }

      Setting a value in the Response Body option will cause it to take precedence over the Display Default Error Page option.

  • HTTP Status Code: Defines the HTTP status code that will be sent to the client.

  • Custom Response Headers: Defines one or more response headers that will be sent to the client. Define each custom response header on a separate line.

    Syntax:

    Name:Value

    Example:

    MyCustomHeader:True

    This option supports the use of event variables to customize the response according to the detected threat.

    All characters, including spaces, defined before or after the colon will be treated as a part of the specified header name or value, respectively.

Event Variables

A custom response header value or a custom response body may include variables that describe the event. These variables are described below.

  • EVENT_ID: Represents the system-defined ID assigned to the request that was identified as a threat.

    Find out detailed information about the detected threat by passing this ID to the Get Event Log Entry endpoint (REST API).

  • CLIENT_IP: Represents the IP address of the device that submitted the detected threat.

  • TIMESTAMP: Represents the date and time at which the detected threat was submitted.

  • REQUEST_URL: Represents the URL for the request that was deemed a threat.

Add an event variable to a custom response header value or a custom response body by enclosing it with double curly braces as shown below.

Syntax:

{{VARIABLE_NAME}}

Example:

{{EVENT_ID}}
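
The following is an added example, not code from the WAF product or its vendor: a local pre-deployment check for Custom Response Headers lines that flags whitespace around the colon (which becomes part of the header name or value, as noted above), flags `{{...}}` tokens that are not one of the four documented event variables, and previews the rendered header. The function names, the sample event and the sample configuration are constructed for illustration, and splitting at the first colon is an assumption about how the platform separates name from value.

```python
import re
# Event variables documented on this page.
EVENT_VARIABLES = {"EVENT_ID", "CLIENT_IP", "TIMESTAMP", "REQUEST_URL"}
VAR_RE = re.compile(r"\{\{([^{}]*)\}\}")


def lint_header_line(line):
    """Return (name, value, problems) for one 'Name:Value' config line."""
    if ":" not in line:
        return None, None, ["missing ':' separator"]
    name, value = line.split(":", 1)  # assumption: the first colon is the separator
    problems = []
    if not name or re.search(r"\s", name):
        problems.append("header name is empty or contains whitespace")
    if value != value.strip():
        problems.append("header value carries leading/trailing whitespace")
    for var in VAR_RE.findall(value):
        if var not in EVENT_VARIABLES:
            problems.append("unknown event variable: " + var)
    return name, value, problems


def render(template, event):
    """Local preview: substitute documented {{VARIABLE}} tokens only."""
    def sub(match):
        key = match.group(1)
        return str(event[key]) if key in EVENT_VARIABLES and key in event else match.group(0)
    return VAR_RE.sub(sub, template)


def lint_config(text, event):
    """Lint each non-empty line; return a list of (rendered_header, problems)."""
    results = []
    for line in text.split("\n"):
        if line:
            name, value, problems = lint_header_line(line)
            rendered = None if name is None else name + ":" + render(value, event)
            results.append((rendered, problems))
    return results


# Constructed sample event and header configuration (not real log data).
SAMPLE_EVENT = {"EVENT_ID": "EXAMPLE-EVENT-ID", "CLIENT_IP": "192.0.2.10",
                "TIMESTAMP": "2021-01-01T00:00:00Z", "REQUEST_URL": "http://cdn.mydomain.com/login"}
SAMPLE_CONFIG = "X-WAF-Event:{{EVENT_ID}}\nX-WAF-Client: {{CLIENT_IP}}\nX-WAF-Ref:{{EVENTID}}"

if __name__ == "__main__":
    for rendered, problems in lint_config(SAMPLE_CONFIG, SAMPLE_EVENT):
        print(repr(rendered), problems or "ok")
```

In the sample configuration, the second line is flagged because the space after the colon would be sent as part of the header value, and the third because `EVENTID` is not a documented variable and would reach the client unreplaced in this preview.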