ナビ付きでトピックを開く

 

Web Application Firewall (Legacy) Frequently Asked Questions

Applies To:
HTTP LargeThis platform has been optimized to cache and deliver static content (e.g., HTML, CSS, JavaScript, ISO, multimedia, and software downloads, etc.) over HTTP or HTTPS.
HTTP SmallLegacy. If you are currently serving traffic over this platform, then you may continue to do so. However, we recommend that you serve your traffic over our more robust HTTP Large platform.
ADNThe Application Delivery Network platform has been optimized to deliver dynamic content (e.g., login credentials, account information, etc.) over HTTP or HTTPS. Typically, user-specific and database-driven content are served over this platform.
WAFWeb Application Firewall (Legacy) is designed to secure site traffic against DDoS and application layer attacks. It also filters unwanted traffic by enforcing a custom delivery profile and whitelists/blacklists.

This article explains the legacy version of WAF that will undergo end-of-life on June 30, 2021. Our new version of WAF expands upon all of the capabilities offered by WAF and Rate Limiting with a simplified and centralized setup. Please upgrade to the latest version of WAF at your earliest convenience.

General

ClosedHow does WAF secure my site?

WAF is designed to analyze HTTP traffic for malicious content. Upon detecting a threat, it will either generate an alert, block, redirect, or provide a custom response. Blocked requests will terminate at the edge of our network. This shields your origin serverRefers to the server(s) where content served via the CDN is stored. There are two types of origin servers, which are CDN and customer origin servers. All requests that cannot be fulfilled directly by an edge server are forwarded to an origin server. For example, a request for content that has not been previously cached is forwarded from an edge server to an origin server. from these threats.

ClosedDoes WAF require product activation?

Yes. Please contact your CDN account manager to activate WAF on your account.

ClosedDo I need to install software on my web server(s)?

No. WAF, which is a cloud-based platform that runs on our CDN, is designed to detect and prevent malicious traffic from reaching your web servers. By enforcing your security logic on the edge of our network, WAF is able to efficiently protect your web applications.

ClosedWhat type of security threats can be detected?

WAF may be configured to detect a wide variety of threats ranging from application-specific (e.g., IIS, WordPress, Drupal, etc.) to generic attacks (e.g., HTTP request violations, Java, SQL injections, etc.).

Learn more about our ECRS policies.

ClosedHow do I limit the request rate to my server(s)?

WAF screens traffic and then either alerts, blocks, redirects, or provides a custom response when a malicious request is detected. Leverage Rate Limiting to prevent your web server(s) from being overloaded by too many requests.

ClosedShould I obfuscate my web server(s)?

Yes. WAF only protects traffic that is routed via our CDN. It is considered a security best practice to obfuscate your web servers to prevent malicious actors from directly attacking your web servers and thereby bypassing the various security measures provided by our CDN.

Set up your firewall to only allow requests from our network.

View our IP blocks (Customer Origin Group / Legacy).

ClosedWill WAF affect performance?

The latency due to WAF screening traffic can be measured in sub-milliseconds. Users should not be able to perceive a difference in the performance of secured traffic when compared to traffic that is not secured by WAF.

ClosedDoes WAF screen all traffic?

The set of traffic that will be screened by WAF varies according to these factors:

Configuration

ClosedDo I need to tune each site or domain separately?

WAF configuration is very flexible. It allows you to tailor the traffic profiles that will be protected by each WAF configuration. This provides you with the ability to:

  • Apply a single WAF configuration to all of your traffic.
  • Tune your WAF configuration for each desired site or domain.
  • Tune your WAF configuration for specific types of requests (e.g., URLs) to a particular site or domain.
ClosedHow do I set up WAF to secure my site's traffic?

The recommended approach for securing site traffic requires performing the following steps:

  1. Create a profile.
  2. Create an instance that alerts when malicious site traffic is found.
  3. Create a rule that determines when WAF security will be applied to your site's traffic.
  4. Monitor the WAF dashboard. Verify that alerts are not generated for legitimate traffic.
  5. Once the frequency of false positives reaches an acceptable level, modify the instance to block malicious traffic.

You may configure WAF to screen your traffic using two different profiles. This type of setup, known as Dual WAF, allows you to test changes to your WAF configuration while still ensuring that your traffic is protected by WAF with a known configuration. Once you have vetted your changes and eliminated false positives, you may then quickly enforce the new configuration on your production traffic.

Learn more.

ClosedWhat role does Rules Engine play in a WAF configuration?

Rules Engine identifies the types of requests that will be screened by WAF and the WAF policy that will be used to screen those requests. Leveraging Rules Engine to screen traffic allows WAF security policy to vary according to the type of traffic. For example, a CMS-specific policy may be enabled for CMS traffic and disabled for all other traffic.

ClosedHow long does it take for WAF configuration changes to take effect?

The following table describes the length of time it takes for changes to your WAF configuration to take effect.

Configuration Action Time

Profile

Add

Modify

Delete

2 minutes

Instance

Add

Modify

Delete

2 minutes

Rules Engine

Add

Modify

Delete

1 hour

Complex rules must undergo an internal review process before the requested change takes effect. Once the updated configuration has been approved, it must be propagated throughout our network.

Learn more.

The role of Rules Engine in a WAF setup is to determine the type of requests that will be secured by WAF. As a result, it should not require frequent updates. Typically, updates to profiles and instances fine-tune your WAF configuration. These type of updates take effect in a relatively short time period. This allows you to quickly react to newly identified security threats.

ClosedI've defined security policies within Rules Engine and WAF. Which will take effect first?

Rules defined within Rules Engine take effect before WAF. Rules that may conflict with a WAF configuration typically involve blocking or modifying certain types of requests. For example, Rules Engine may block a request even though it qualifies for whitelisting via WAF.

Web Application Firewall Rule Set

A rule set contains a set of policies that define how site traffic will be screened for malicious traffic.

ClosedHow is a rule set defined?

All profiles must be associated with a rule set. A profile's rule set may be defined upon creating or modifying a profile.

ClosedWhich type of rule set should I use?

The recommend rule set is ECRS. This rule set provides protection against a variety of application-specific and unknown vulnerabilities.

ClosedDoes it matter whether live traffic is filtered by irrelevant policies?

Yes. The ECRS rule set contains a variety of policies that are application-specific. Those policies should be disabled if they do not apply to the traffic being filtered by WAF (as defined by Rules Engine). Leaving these policies enabled may introduce false positives.

View the recommended rule set configuration.

ClosedHow often is the ECRS rule set updated?

The ECRS rule set is updated as needed to address new threats.

ClosedShould I update my profile to point to the latest version of a rule set?

Our recommendation is to always use the latest version of a rule set. However, care should be taken when making changes to a profile that is being leveraged by WAF to filter site traffic. Modifying such a profile will alter how WAF filters HTTP traffic.

The recommended approach for updating a profile's rule set is through the following process:

  1. Create a copy of the desired profile.

    Make sure that the new profile leverages the latest version of the rule set.

  2. Create a new instance that leverages the newly created profile.

    Set the Production Action option to "alert."

  3. From within Rules Engine, update a rule to include an additional Web Application Firewall feature that leverages the new instance.
    1. Edit the rule that enables WAF.
    2. Add a Web Application Firewall feature under the existing one.
    3. Point the new Web Application Firewall feature to the newly created instance.
    4. Save your changes. Once the rule has been approved, it may take up to an hour for the new rule to take effect.
  4. Monitor the WAF dashboard for false positives.
  5. If the level of false positives is acceptable, update the original profile to use the new version of the rule set and then remove the duplicate Web Application Firewall feature from your rule.

Threat Detection

ClosedHow can I minimize false positives?

The recommended approach to minimizing false positives is summarized below.

  1. Create a profile for each type of request that requires a different screening process.
  2. Create an instance for each profile created in step 1. Make sure to set each instance to only alert when a threat is detected.

  3. From within Rules Engine, add ruleRules Engine: Refers to a set of statements that identify a set of requests and the manner in which those requests will be handled.s or rule statementRules Engine: Refers to the set of conditional expressions & conditions that identify a single type of request. The last conditional expression in a statement should contain a set of actions that will be applied to that request type.s that identify specific types of requests and the instances that will be leveraged when screening that traffic.

  4. Wait until a representative sampling of traffic has been screened (e.g., 24 hours).
  5. Use the dashboard to review the detected threats. Adjust the corresponding profiles as needed.

Learn more.

ClosedWhat happens when a request is blocked?

The user experience for requests blocked by WAF is described below.

  • The user will receive a 403 Forbidden instead of the requested asset.
  • The response for the blocked request will include an additional response header. The name of this response header is defined by the corresponding profile's Response Header Name option. This response header will be set to "403."

Default WAF response header name/value:

X-EC-Security-Audit: 403

Log Data

ClosedHow long is event log data accessible?

Event log data is available for 30 days.

ClosedHow can I retrieve event log data?

Event log data for the last 30 days is available either through the WAF Dashboard or our REST API service.

Learn more about our REST API service.

More Information
ClosedFrequently Asked Questions