Rules Engine for Edge Firewall

The Rules Engine for Edge Firewall is a feature designed to implement security logics for your applications. The Rules Engine settings tab can be found inside a created edge firewall.

The Rules Engine is programmable, you define what are the conditions (Criteria) and commands (Behaviors). If the Criteria are met, the Behaviors will be executed.

You can use the Rules Engine for Edge Firewall to configure all operational aspects of your application’s firewalls. Here are some implementations examples you can use it for:

  • Block a request.
  • Ignore a request.
  • Limit the access rate.
  • Apply Web Application Firewall (WAF) policy.
  • Run an Edge Function for Edge Firewall with your own security code.
  • Monitor traffic to identify threats.

An edge firewall can have as many rules as needed. These rules are also interchangeable, as you can share the same rule for all other edge firewalls.

go to Edge Firewall reference

How Rules Engine for Edge Firewall works

Section titled How Rules Engine for Edge Firewall works

Each request from your users to your application is processed first by Edge Firewall. You can define a set of security rules in Edge Firewall.

The rules are composed by Criteria, which represent the conditions for executing the rules, and by Behaviors, which represent the actions that need to be executed.

The processing of the rules is sequential and you can use them as a powerful set of variables and comparison operators. If the conditions are met, the Behaviors of each rule are executed until all the rules are processed.

An edge firewall is composable by:

  • Identification name.
  • Description.
  • Criteria.
  • Behaviors.
  • Active switch, to enable/disable without deleting it.

Criteria determines the set of conditions that need to be met for the execution of Behaviors. The availability of criteria depends on the enabled modules of your Edge Firewall.

go to Edge Firewall modules reference

These are all the Criteria variables you can set:

CriteriaDescriptionRequirements
Header AcceptHeader that tells you what types of media the customer accepts for the response.Web Application Firewall
Header Accept-EncodingHeader that tells you what types of content encoding, usually compression algorithms, that the client accepts for the response.Web Application Firewall
Header Accept-LanguageHeader that informs the expected language.Web Application Firewall
Header CookieHeader containing the cookies sent by the client in the request to the server.Web Application Firewall
Header OriginHeader that informs the origin of a cross-site access request or a preflight request. The source is a URI indicating the name of the server, with no path information.Web Application Firewall
Header RefererHeader indicating the address of the document, or element in a document, from which the request’s URI was obtained.Web Application Firewall
Header User AgentHeader with a characteristic string that allows servers to identify the application, operating system, vendor, and/or version of the device.Web Application Firewall
Request ArgsAll arguments sent by the user in the request string (query string).Web Application Firewall
NetworkThe IP address of the client making the HTTP request, which can be used for any network comparison (CIDR, ASN or Country).Network Layer Protection
HostnameIn order of precedence: the hostname of the request line, or the value of the Host header field of the request, or the name of the server serving the request.-
Request MethodThe request’s HTTP method. For example: GET, POST, PUT, etc.-
Request URIThis relates to the ${uri} variable from Rules Engine for Edge Applications. The normalized (urldecoded) URI of the request. The value of ${uri} can change during the processing of a request, for example, when an internal redirect occurs or when index files are used. It doesn’t carry the Query String parameters as ${request_uri} do.-
SchemeThe scheme of the request: HHTP or HTTPS.-
Client Certificate ValidationServer process to authenticate client digital certificate.-
SSL Verification StatusServer result to client certificate validation. It can be Success, when the client certificate validation passed; Certificate Verification Error, when the client certificate wasn’t valid; and Missing Client Certificate, when the client certificate wasn’t sent in the request.-

The condition for the execution of a rule must be the comparison of a variable with an argument. The comparison operators are:

OperatorDescriptionArgument
is equalThe value of the variable is equal to the argument, compared character by character.string
is not equalThe value of the variable isn’t exactly the same as the argument.string
starts withThe value of the variable starts with the argument.string
does not start withThe value of the variable doesn’t start with the argument.string
matchesThe value of the variable matches the regular expression or list entered as an argument.regular expression or list
does not matchThe value of the variable doesn’t match the regular expression entered as an argument.regular expression or list
existsThe variable has a defined value. For example, Request Args exists if an argument is sent in the request’s query string.-
does not existThe variable doesn’t have a defined value. For example, Request Args doesn’t exist if an argument is sent in the request’s query string.-

Multiple conditions can be defined using the logical operators and and or.

If explicit precedence is required, you can add multiple criteria groups under the and logic.

In Behavior, you add the action commands you want to perform if the rule’s criteria are met.

These are all the available behaviors:

BehaviorDescriptionRequirements
Deny (403 Forbidden)It closes the request with HTTP 403 Forbidden response.-
Drop (Close Without Response)It closes the request without responding to the customer.-
Set Rate LimitIt defines an access rate limit that, if exceeded, will result in an HTTP 429 Too Many Requests response. To configure the Rate Limit, you must inform:
Type is the field to select the type of request for the Rate Limit, choosing Req/s (request per second) or Req/Min (request per minute).
Average Rate Limit, which is the limit rate itself by second.
Client IP address, if you want the access rate to be counted by the client’s IP address or Global, if you want total access rate counted.
Maximum burst size, which indicates the maximum burst size of HTTP requests sent simultaneously, which will be queued and dispatched gradually, respecting the limit rate.
The configured value will be the Rate Limit for each Azion Edge Node, implemented using the Leaky Bucket algorithm. It’s recommended to use Maximum burst size at a maximum of 10 times of the value configured in Average Rate Limit, which would result in penalizing the last request for a burst with up to a 10 second delay.
Note: as the Rate Limit is applied by IP address of Global and by rule, if a rule has more than one URI specified and uses the conditional Or, the rate limit will be shared between the URIs. Create different rules if you wish to have a Rate Limite for each URI.
-
Set WAF Rule SetIt associates the WAF Rule Set to be used in the request. WAF policies must be previously configured in the Edge Libraries > WAF Rules.Web Application Firewall
Run a FunctionIt runs a function specified as a parameter. The function must have been previously instantiated and parameterized in the Functions tab in order to be used.Edge Functions
Set Custom ResponseIt allows a customized response when the request matches the criteria. You can customize the Status Code by changing it from 200 to 499, Content Type header, and Content Body of your request with a maximum of 500 characters.-

While behaviors and rules are executed in the order they’re arranged, some behaviors can’t be stacked.

If a behavior of the type Set, such as Set Custom Response in Edge Firewall and Set Origin in Edge Application, is added multiple times to the rules in Rules Engine, only the last behavior from the last rule in which the criteria was met will be executed.

Behaviors of the type Add are cumulative and can be added multiple times to rules. This means that if Add Cookie and Add Header are executed multiple times for the same key-value pairs, multiple identical entries will be added.

However, for unique headers such as Host, the last behavior of type Add Header that is executed will overwrite the previous value, since there can’t be more than one Host header in a request.

Some behaviors, such as Deny, can finish the execution of rules. If a sequence of rules includes such behavior, any rules or behaviors that follow this type of finalizing behavior won’t be executed.


Watch a video tutorial about programming Edge Firewall rules for optimal WAF usage and cost optimization on Azion’s YouTube channel:


Contributors