The Rules Engine for Edge Firewall is the feature that lets you implement security logic for your applications. The Rules Engine settings tab can be found inside a created Edge Firewall configuration. An Edge Firewall Rules Engine configuration is called an Edge Firewall Rule Set.
The Rules Engine is programmable: you define the conditions (Criteria) and the commands (Behaviors). If the Criteria are met, the Behaviors are executed.
You can use the Rules Engine for Edge Firewall to configure all operational aspects of your application's firewalls. Here are some examples of what you can use it for:
- Block a request.
- Ignore a request.
- Limit the access rate.
- Apply Web Application Firewall (WAF) policy.
- Run an Edge Function for Edge Firewall with your own security code.
- Monitor traffic to identify threats.
An Edge Firewall Rule Set can have as many rules as needed. Rules are also reusable: the same rule can be shared with all your other Edge Firewall configurations.
How Rules Engine for Edge Firewall works
Each request from your users to your application is processed first by Edge Firewall, where you define a set of security rules.
Each rule is composed of Criteria, the conditions under which the rule executes, and Behaviors, the actions that are executed when it does.
Rules are processed sequentially, in the order they are listed, and their conditions are built from a set of variables and comparison operators. Whenever a rule's conditions are met, its Behaviors are executed, and processing continues until all rules have been processed or a Behavior such as Deny or Drop closes the request.
Rule Set details
An Edge Firewall Rule Set is composed of:
- Identification name, visible in the Rule Set list.
- Description, visible in the Rule Set list.
- Active switch, to enable or disable the rule set without deleting it.
Criteria
Criteria determine the set of conditions that must be met for the Behaviors to be executed. The criteria available to you depend on the modules enabled in your Edge Firewall.
Criteria variables
These are all the Criteria variables you can set, together with the module each one requires:
| Variable | Description | Required module |
| --- | --- | --- |
| Header Accept | Header that tells you which media types the client accepts for the response. | Web Application Firewall |
| Header Accept-Encoding | Header that tells you which content encodings, usually compression algorithms, the client accepts for the response. | Web Application Firewall |
| Header Accept-Language | Header that informs the expected language. | Web Application Firewall |
| Header Cookie | Header containing the cookies sent by the client in the request to the server. | Web Application Firewall |
| Header Origin | Header that informs the origin of a cross-site access request or a preflight request. The origin is a URI indicating the name of the server, with no path information. | Web Application Firewall |
| Header Referer | Header indicating the address of the document, or element in a document, from which the request's URI was obtained. | Web Application Firewall |
| Header User Agent | Header with a characteristic string that allows servers to identify the application, operating system, vendor, and/or version of the device. | Web Application Firewall |
| Request Args | All arguments sent by the user in the request string (query string). | Web Application Firewall |
| Network | The IP address of the client making the HTTP request, which can be used for any network comparison (CIDR, ASN or Country). | Network Layer Protection |
| Hostname | In order of precedence: the hostname of the request line, or the value of the Host header field of the request, or the name of the server serving the request. | - |
| Request Method | The request's HTTP method. For example: | - |
| Request URI | This relates to the | - |
| Scheme | The scheme of the request: HTTP or HTTPS. | - |
| Client Certificate Validation | The server-side process of authenticating the client's digital certificate. | - |
| SSL Verification Status | The result of the server's validation of the client certificate. It can be | - |
Comparison Operators
The condition for the execution of a rule must be the comparison of a variable with an argument. The comparison operators are:
| Operator | Description | Argument type |
| --- | --- | --- |
| is equal | The value of the variable is equal to the argument, compared character by character. | string |
| is not equal | The value of the variable isn't exactly the same as the argument. | string |
| starts with | The value of the variable starts with the argument. | string |
| does not start with | The value of the variable doesn't start with the argument. | string |
| matches | The value of the variable matches the regular expression or list entered as an argument. | regular expression or list |
| does not match | The value of the variable doesn't match the regular expression or list entered as an argument. | regular expression or list |
| exists | The variable has a defined value. For example, Request Args exists if an argument is sent in the request's query string. | - |
| does not exist | The variable doesn't have a defined value. For example, Request Args doesn't exist if no argument is sent in the request's query string. | - |
Logic Operators
Multiple conditions can be defined using the logical operators
If explicit precedence is required, you can add multiple criteria groups under the
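The evaluation model described above (variables, comparison operators, and/or criteria groups with explicit precedence, and rules processed in order) can be illustrated with a small engine. The following is an example added for this page, not Azion's implementation: the request and rule-set dictionaries, the rule names, the office CIDR and the WAF rule set name are all constructed, and two behaviours of the model are assumptions rather than documented facts: an absent variable satisfies no comparison other than "does not exist", and a behaviour that closes the request (Deny or Drop) ends processing of the remaining rules.

```python
import ipaddress
import re

# Constructed sample requests for this example (not real traffic). Keys are
# the Criteria variable names from this page; a missing key means the
# variable "does not exist" for that request.
REQUESTS = {
    "scanner": {"Network": "198.51.100.7", "Request Method": "GET",
                "Request URI": "/", "Scheme": "HTTPS", "Hostname": "www.example.com",
                "Header User Agent": "sqlmap/1.7.2#stable"},
    "outside admin": {"Network": "198.51.100.7", "Request Method": "GET",
                      "Request URI": "/admin/users", "Scheme": "HTTPS",
                      "Hostname": "www.example.com", "Header User Agent": "Mozilla/5.0"},
    "office admin": {"Network": "203.0.113.42", "Request Method": "GET",
                     "Request URI": "/admin/users", "Scheme": "HTTPS",
                     "Hostname": "www.example.com", "Header User Agent": "Mozilla/5.0"},
    "login": {"Network": "198.51.100.9", "Request Method": "POST",
              "Request URI": "/login", "Request Args": "next=/account",
              "Scheme": "HTTPS", "Hostname": "www.example.com",
              "Header User Agent": "Mozilla/5.0"},
}

def _in_list(variable, value, entries):
    """List argument: CIDR entries for Network, literal strings otherwise."""
    if variable == "Network":
        ip = ipaddress.ip_address(value)
        return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)
    return value in entries

def _matches(variable, value, argument):
    if isinstance(argument, (list, tuple, set)):
        return _in_list(variable, value, argument)
    return re.search(argument, value) is not None      # regular expression

def evaluate_condition(request, variable, operator, argument=None):
    """Apply one comparison operator from the table above to one variable."""
    value = request.get(variable)
    if operator == "exists":
        return value is not None
    if operator == "does not exist":
        return value is None
    if value is None:
        return False    # assumption: an absent variable satisfies no comparison
    return {
        "is equal": lambda: value == argument,
        "is not equal": lambda: value != argument,
        "starts with": lambda: value.startswith(argument),
        "does not start with": lambda: not value.startswith(argument),
        "matches": lambda: _matches(variable, value, argument),
        "does not match": lambda: not _matches(variable, value, argument),
    }[operator]()

def evaluate_criteria(request, criteria):
    """criteria is a condition tuple (variable, operator[, argument]) or a
    group ("and" | "or", [criteria, ...]); nesting gives explicit precedence."""
    if criteria[0] in ("and", "or"):
        op, members = criteria
        results = [evaluate_criteria(request, m) for m in members]
        return all(results) if op == "and" else any(results)
    return evaluate_condition(request, *criteria)

# Behaviors that close the request; nothing after them can take effect.
TERMINAL = {"Deny (403 Forbidden)", "Drop (Close Without Response)"}

def run_rule_set(request, rules):
    """Process rules in order. Every matching rule's behaviors are applied;
    once a behavior closes the request, processing stops (model assumption)."""
    applied = []
    for rule in rules:
        if not rule.get("active", True):
            continue
        if evaluate_criteria(request, rule["criteria"]):
            for behavior in rule["behaviors"]:
                applied.append((rule["name"], behavior))
                if behavior[0] in TERMINAL:
                    return applied
    return applied

# Constructed rule set: names, WAF rule set and the office CIDR are made up.
RULE_SET = [
    {"name": "drop scanners", "criteria": ("or", [
        ("Header User Agent", "matches", r"(?i)\b(sqlmap|nikto|masscan)\b"),
        ("Header User Agent", "does not exist")]),
     "behaviors": [("Drop (Close Without Response)", None)]},
    {"name": "admin only from office", "criteria": ("and", [
        ("Request URI", "starts with", "/admin"),
        ("Network", "does not match", ["203.0.113.0/24"])]),
     "behaviors": [("Deny (403 Forbidden)", None)]},
    {"name": "throttle logins", "criteria": ("and", [
        ("Request URI", "is equal", "/login"),
        ("Request Method", "is equal", "POST")]),
     "behaviors": [("Set Rate Limit", {"requests_per_second": 5})]},
    {"name": "waf for everything", "criteria": ("Hostname", "exists"),
     "behaviors": [("Set WAF Rule Set", "app-waf-ruleset")]},
    {"name": "disabled rule", "active": False,
     "criteria": ("Hostname", "exists"),
     "behaviors": [("Deny (403 Forbidden)", None)]},
]

def decide(request, rules=RULE_SET):
    """Names of the behaviors applied to a request, in execution order."""
    return [behavior for _, (behavior, _arg) in run_rule_set(request, rules)]

if __name__ == "__main__":
    for label, req in REQUESTS.items():
        print(f"{label:14s} -> {decide(req)}")
```

Note the ordering effect: the login request collects both the rate limit and the WAF rule set because neither behavior closes the request, while the scanner never reaches the WAF rule because Drop is applied first. Put terminal rules (Drop, Deny) where you want them to short-circuit, and keep the "disabled rule" pattern in mind: an inactive rule is skipped entirely, so toggling the Active switch changes what later rules see.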
Behaviors
Under Behaviors, you add the actions you want to perform when the rule's criteria are met.
These are all the available behaviors, together with the module each one requires:
| Behavior | Description | Required module |
| --- | --- | --- |
| Deny (403 Forbidden) | Closes the request with an HTTP 403 Forbidden response. | - |
| Drop (Close Without Response) | Closes the request without sending any response to the client. | - |
| Set Rate Limit | Defines an access rate limit that, when exceeded, results in an HTTP 429 Too Many Requests response. To configure the Rate Limit, you must inform: The configured value is the rate limit for each Azion Edge Node, enforced with the Leaky Bucket algorithm; because each Edge Node counts independently, a client whose requests reach several nodes can exceed the configured value in aggregate. It's recommended to use | |
| Set WAF Rule Set | Associates the WAF Rule Set to be used for the request. WAF policies must be configured beforehand under Edge Libraries > WAF Rules. | Web Application Firewall |
| Run a Function | Runs the function given as a parameter. The function must have been instantiated and parameterized beforehand in the Functions tab. | Edge Functions |
| Set Custom Response | Allows a customized response when the request matches the criteria. You can customize the | - |
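To make the per-Edge-Node Leaky Bucket note in the Set Rate Limit row concrete, here is a model added for this page; it is not Azion's code. The parameter names (rate, burst), the client IP and the traffic patterns are constructed for the example. It shows the rate a single node enforces on one client and how the aggregate grows when the same client's requests land on several nodes that share no state.

```python
from fractions import Fraction

class LeakyBucket:
    """Leaky-bucket meter for one client key. Each request adds one unit; the
    bucket drains at `rate` units per second; a request that would push the
    level above `burst` is rejected. Exact arithmetic avoids float drift."""
    def __init__(self, rate, burst):
        self.rate, self.burst = Fraction(rate), Fraction(burst)
        self.level, self.last = Fraction(0), Fraction(0)

    def allow(self, now):
        now = Fraction(now)
        self.level = max(Fraction(0), self.level - (now - self.last) * self.rate)
        self.last = now
        if self.level + 1 > self.burst:
            return False
        self.level += 1
        return True

class EdgeNode:
    """One edge node keeps its own buckets; nodes share no state, which is
    what a limit 'for each Edge Node' means for the client being limited."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.buckets = rate, burst, {}

    def handle(self, client_ip, now):
        bucket = self.buckets.setdefault(client_ip, LeakyBucket(self.rate, self.burst))
        return 200 if bucket.allow(now) else 429

def replay(nodes, requests):
    """requests: iterable of (timestamp_seconds, client_ip, node_index).
    Returns how many requests got 200 and how many got 429."""
    counts = {200: 0, 429: 0}
    for ts, ip, node in requests:
        counts[nodes[node].handle(ip, ts)] += 1
    return counts

# Scenario 1: 10 requests/second with a bucket that holds a single request,
# one client hitting one node at 100 requests/second for one second.
def sustained_single_node(rate=10, burst=1):
    node = EdgeNode(rate, burst)
    requests = [(Fraction(i, 100), "198.51.100.7", 0) for i in range(100)]   # constructed
    return replay([node], requests)

# Scenario 2: the same client fires 50 requests at once; compare one node
# with the requests spread round-robin over several nodes.
def burst_across_nodes(n_nodes, rate=10, burst=10):
    nodes = [EdgeNode(rate, burst) for _ in range(n_nodes)]
    requests = [(0, "198.51.100.7", i % n_nodes) for i in range(50)]         # constructed
    return replay(nodes, requests)

if __name__ == "__main__":
    print("sustained, 1 node :", sustained_single_node())
    print("burst, 1 node     :", burst_across_nodes(1))
    print("burst, 5 nodes    :", burst_across_nodes(5))
```

Scenario 1 lets exactly 10 of 100 requests through, the configured rate. Scenario 2 is the caveat: one node admits 10 of the 50 simultaneous requests, but five independent nodes admit all 50, so a client whose traffic is spread across the edge can obtain several times the per-node value. Size the limit with that multiplier in mind, or pair it with a WAF rule set or Deny rule for the abusive pattern rather than relying on the rate limit alone.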