ナビ付きでトピックを開く

 

Handling Detected Threats

Applies To:
HTTP LargeThis platform has been optimized to cache and deliver static content (e.g., HTML, CSS, JavaScript, ISO, multimedia, and software downloads, etc.) over HTTP or HTTPS.
HTTP SmallLegacy. If you are currently serving traffic over this platform, then you may continue to do so. However, we recommend that you serve your traffic over our more robust HTTP Large platform.
ADNThe Application Delivery Network platform has been optimized to deliver dynamic content (e.g., login credentials, account information, etc.) over HTTP or HTTPS. Typically, user-specific and database-driven content are served over this platform.
WAFWeb Application Firewall (Legacy) is designed to secure site traffic against DDoS and application layer attacks. It also filters unwanted traffic by enforcing a custom delivery profile and whitelists/blacklists.

This article explains the legacy version of WAF that will undergo end-of-life on June 30, 2021. Our new version of WAF expands upon all of the capabilities offered by WAF and Rate Limiting with a simplified and centralized setup. Please upgrade to the latest version of WAF at your earliest convenience.

All threats detected by Web Application Firewall will be logged. Logged threats may be viewed from the Web Application Firewall dashboard.

Standard security practices dictate that measures should be taken to prevent sensitive data (e.g., credit card information or passwords) from being passed as clear text from the client to your origin server. Another incentive for encrypting sensitive data is that it will be logged by our system when an alert is triggered as a result of this data. If sensitive data cannot be encrypted or obfuscated, then it is strongly recommended to contact our technical customer support to disable logging for the Matched Value field.

An instance configuration determines whether any of the following additional actions will be applied to the detected threat.

Mode Description

Block Request

Detected threats will be dropped and the client will receive a 403 Forbidden response.

Alert Only

Detected threats will only generate an alert.

Use this mode to track detected threats through the dashboard without affecting traffic.

Redirect (HTTP 302)

Detected threats will be redirected to the specified URL.

Key information:

  • The HTTP status code for this response will be a 302 Found.

  • Set the URL option to the full URL to which detected threats will be redirected.

    Example:

    http://cdn.mydomain.com/marketing/busy.html

Custom Response

Detected threats will receive a custom response.

Define the custom response that will be sent in response to a detected threat.

  • Response Body: Configure whether the response body will consist of a default error page or the value defined in the Response Body option.

    • Display Default Error Page: Mark this option to respond to detected threats with a web page that describes the detected threat. Specifically, it will indicate the client's IP address, the requested URL, and the date/time at which the request was screened.

      This option does not control the status code or the headers included in the response. Configure those settings through the HTTP Status Code and the Custom Response Headers options, respectively.

    • Response Body: Defines the payload that will be delivered to the client in response to a detected threat.

      This option supports the use of event variables to customize the response according to the detected threat.

      Sample payload for a CSS file:

      body {

      background-color: #ffffff;

      }

      Setting a value in the Response Body option will cause it to take precedence over the Display Default Error Page option.

  • HTTP Status Code: Defines the HTTP status code that will be sent to the client.

    ClosedView a list of valid HTTP status codes.
    • 100
    • 101
    • 102
    • 200
    • 201
    • 202
    • 203
    • 204
    • 205
    • 206
    • 207
    • 208
    • 226
    • 300
    • 301
    • 302
    • 303
    • 304
    • 305
    • 306
    • 307
    • 308
    • 400
    • 401
    • 402
    • 403
    • 404
    • 405
    • 406
    • 407
    • 408
    • 409
    • 410
    • 411
    • 412
    • 413
    • 414
    • 415
    • 416
    • 417
    • 421
    • 422
    • 423
    • 424
    • 426
    • 428
    • 429
    • 431
    • 451
    • 500
    • 501
    • 502
    • 503
    • 504
    • 505
    • 507
    • 508
    • 509
    • 510
    • 511

  • Custom Response Headers: Defines one or more response headers that will be sent to the client. Define each custom response header on a separate line.

    Syntax:

    Name:Value

    Example:

    MyCustomHeader:True

    This option supports the use of event variables to customize the response according to the detected threat.

    All characters, including spaces, defined before or after the colon will be treated as a part of the specified header name or value, respectively.

Event Variables

A custom response header value or a custom response body may include variables that describe the event. These variables are described below.

Variable Description

EVENT_ID

Represents the system-defined ID assigned to the request that was identified as a threat.

Find out detailed information about the detected threat by passing this ID to the Get Event Log Entry endpoint (REST API).
Learn more.

CLIENT_IP

Represents the IP address of the device that submitted the detected threat.

TIMESTAMP

Represents the date and time at which the detected threat was submitted.

REQUEST_URL

Represents the URL for the request that was deemed a threat.

Add an event variable to a custom response header value or a custom response body by enclosing it with double curly braces as shown below.

Syntax:

{{VARIABLE_NAME}}

Example:

{{EVENT_ID}}
More Information