Setting up WAF

Applies To:

HTTP LargeThis platform has been optimized to cache and deliver static content (e.g., HTML, CSS, JavaScript, ISO, multimedia, and software downloads, etc.) over HTTP or HTTPS.

HTTP SmallLegacy. If you are currently serving traffic over this platform, then you may continue to do so. However, we recommend that you serve your traffic over our more robust HTTP Large platform.

ADNThe Application Delivery Network platform has been optimized to deliver dynamic content (e.g., login credentials, account information, etc.) over HTTP or HTTPS. Typically, user-specific and database-driven content are served over this platform.

WAF Essential (Legacy)WAF Essential (Legacy) provides basic protection against DDoS, application layer attacks, and volumetric attacks. Consider using WAF for a more robust solution.

This article explains the legacy version of WAF Essential that will undergo end-of-life on June 30, 2021. Our new version of WAF Essentials expands upon all of the capabilities offered by the legacy version of WAF Essential with a simplified and centralized setup. Please upgrade to the latest version of WAF at your earliest convenience.

The following information is only applicable for the WAF Essential product. This security offering provides limited Web Application Firewall and Rate Limiting functionality.

Setting up WAF requires:

Creating a profile.
Setting up an instance.
Activating an instance.

Administer WAF profiles and configure an instance from the WAF Manager page.

Provide additional protection to your web server(s) by setting up a rate limit.
Learn more.

Administering Profiles

Key information:

You may create up to 2 profiles.

If you would like to replace an existing profile, then you should make the desired changes to it. Alternatively, you may delete the obsolete profile and then create another one.

Please upgrade from WAF Essential to the full version if your business needs require more than 2 profiles. Contact your CDN account manager to learn more.
Production traffic will not be screened by WAF unless both of the following conditions are true:
1. A profile has been associated with an instance.
2. The above instance has been activated via Rules Engine.
It may take up to 5 minutes for an updated profile configuration to be applied across our entire network.

Creating a Profile

This section provides step-by-step instructions on how to create a profile.

To create a profile

From the WAF Manager page, click Add Profile.
In the Name option, type the unique name by which this profile will be identified. This name should be sufficiently descriptive to identify it when setting up an instance.
Optional. Click the Access Controls tab. Define IP address, country, user agent, URL, and referrer whitelists/blacklists as needed.
Click the Policies tab. Set the Security Level option to a level (e.g., Medium) that balances security with risk tolerance. Requests that are scored at or higher than the specified value will be identified as malicious traffic.

Learn more.

Ensure that your web applications are secured by the latest threat detection policies by enabling the Automatically opt-in to the latest ECRS ruleset option.
Review all enabled policies and rules to ensure that the legitimate traffic is not targeted by mistake.
Click Save.

Learn how to set up a rule exception.

Modifying a Profile

Modifying an existing profile:

May update how production traffic is screened without having to modify an instance.
Does not affect profiles created from that profile's template.

A common reason for updating a profile is to reduce false positivesWeb Application Firewall: A false positive is a legitimate request that was identified as malicioius traffic by Web Application Firewall. by adding a rule exception. A rule exception identifies one or more rules that should be ignored for a specific set of requests. Typically, rule exceptions are identified via analysis within the WAF Dashboard.

To modify a profile

From the WAF Manager page, click on the desired profile.
Make the desired changes to settings, access controls, and policies.
Optional. Add one or more rule exceptions.
To add a rule exception
1. Navigate to the Exceptions tab.
2. Click + Add New Condition.
3. From the Parameter option, select whether requests will be identified by argument (i.e., query string argument or request body parameter), cookie, or request header.
4. From the Argument | Cookie | Header Name option, type one of the following values:
  - The exact name of the query string argument / request body parameter, cookie, or request header by which requests will be identified.
  - A regular expression pattern for the query string argument / request body parameter, cookie, or request header by which requests will be identified. Mark the Regex? option to indicate that the specified value should be interpreted as a regular expression.
5. In the Applied Rule ID's option, type the ID for each rule that will be ignored when processing the requests identified in step 3.iv.
6. Click Create Condition.
Learn more about rule exceptions.
Click Save.

Deleting a Profile

A profile may be permanently deleted from the system.

Profiles associated with an instance may not be deleted. Please modify the instance to point to a different profile before attempting to delete the profile.

To delete a profile

From the WAF Manager page, click the desired profile.
Click Delete Profile.
Type "DELETE" and then click Delete.

Setting up an Instance

Set up an instance that identifies a profile that WAF may use to screen traffic.

It may take up to 5 minutes for an instance configuration to be applied across our entire network.

An instance will not affect production traffic unless it has been activated.

To set up an instance

From the WAF Manager page, find the Name option and then type the unique name by which this instance will be identified. This name should be sufficiently descriptive to identify it during the activation process that is performed from within Rules Engine.
From the Production Profile option, select a profile that may be applied to production traffic.
From the Production Action option, determine how unwanted traffic will be handled (i.e., block, alert, redirect, or send a custom response).

Learn more.
Use the Audit Profile option to test out a new security configuration. Perform one of the following steps:
- Enable Auditing: Select a profile that contains the security configuration that should be tested on production traffic. Detected threats will generate alerts of type "audit."
- Disable Auditing: Verify that the Audit Profile option is set to "No Audit Profile."
Click Save.

Activating / Deactivating an Instance

An instance must be activated via Rules Engine before Web Application Firewall may assess production traffic for potential threats and ensure that traffic conforms to a specific delivery profile. This activation process is a safety measure designed to ensure the following:

Only vetted WAF profiles are applied to site traffic.
WAF is only applied to requests that match the criteria defined in rules containing a Web Application Firewall feature.
Instance activation via Rules Engine provides the following benefits:
- Centralized Configuration: An instance provides a central location for changing the WAF profile used to screen traffic. This reduces the possibility for the oversight of an old WAF configuration.
- Flexibility: The use of Rules Engine to define the type of requests that will be screened allows WAF to be configured to meet any and all organizational needs. It allows an instance to be applied to different types of requests.

Activate an instance by performing the following steps:

Create or duplicate a draft.
Create or modify a rule to include the Web Application Firewall feature.
Set the Web Application Firewall feature to the instance.
Lock the draft as a policy.
Deploy the policy to the Production environment.

Consider the following items when activating an instance:

The placement of the Web Application Firewall feature within a rule determines the type of requests that will be secured via WAF.
Activate the Web Application Firewall feature for each type of request that should be secured via WAF.
- Determine a rule's scope (e.g., all requests or by customer origin) by balancing the need to secure as much traffic as possible with the level of restrictive measures imposed by the WAF security profile.
  
  The recommended approach for instance activation is to apply the most restrictive policy to as much traffic as possible while causing minimal impact to data delivery.
- Only a single Web Application Firewall feature should be activated per request type (e.g., all requests or origin-specific requests).
- Multiple occurrences of the Web Application Firewall feature may point to the same instance. This allows the corresponding security policy to be applied to different types of requests.
A WAF instance may be deactivated by simply deleting the Web Application Firewall feature associated with the desired rule.
The activation/deactivation of a Web Application Firewall instance is dependent on Rules Engine. Rule changes, such as adding, modifying, or deleting a rule, may take up to an hour to propagate. Additionally, all rule changes must undergo an internal review process.

Learn more.