1 of 20
2 of 20
3 of 20
4 of 20
5 of 20
6 of 20
7 of 20
8 of 20
9 of 20
10 of 20
11 of 20
12 of 20
13 of 20
14 of 20
15 of 20
16 of 20
17 of 20
18 of 20
19 of 20
20 of 20

doc

Rules Engine for Edge Firewall

The Rules Engine is designed for you to be able to implement your security logic at the edge. Based on programmable criteria, you choose what you want to do.

Here are some of the ways Rules Engine can help you:

  • Block a request.
  • Ignore a request.
  • Limit the access rate.
  • Apply Web Application Firewall (WAF) policy.
  • Run an Edge Function with your own security code.
  • Monitor traffic to identify threats.

Getting to Know Rules Engine

  1. How it works
  2. Rules
  3. Configuring Azion Edge Firewall
  4. Creating a configuration with the Web Application Firewall Module using Criteria and Behavior
  5. Creating a Web Application Firewall configuration using the WAF Rule Set for your application
  6. Debugging rules

1. How it works

Each request from your users to your application is processed first by Edge Firewall.

You can define a set of security rules in Edge Firewall. The rules are composed by Criteria, which represent the conditions for executing the rules, and by Behaviors, which represent the actions that need to be executed.

The processing of the rules is sequential and you can use then as Criteria as a powerful set of variables and comparison operators. If the conditions are met, the Behaviors of each rule are executed until all the rules are processed or a rule with a finalizing behavior is found in the path - Deny or Drop.


2. Rules

Rules are always composed of Criteria (conditions) and Behaviors (actions).

Criteria

It determines the set of conditions that need to be met for the execution of Behaviors.

Variables

Criteria Description Requirements
Header Accept Header that tells you what types of media the customer accepts for the response. Web Application Firewall
Header Accept-Encoding Header that tells you what types of content encoding, usually compression algorithms that the client accepts for the response. Web Application Firewall
Header Accept-Language Header that informs the expected language. Web Application Firewall
Header Cookie Header containing the cookies sent by the client in the request to the server. Web Application Firewall
Header Origin Header that informs the origin of a cross-site access request or a preflight request. The source is a URI indicating the name of the server, with no path information. Web Application Firewall
Header Referer Header indicating the address of the document, or element in a document, from which the request’s URI was obtained. Web Application Firewall
Header User Agent Header with a characteristic string that allows servers to identify the application, operating system, vendor and/or version of the device. Web Application Firewall
Hostname In order of precedence: the hostname of the request line, or the value of the Host header field of the request, or the name of the server serving the request. -
Network The IP address of the client making the HTTP request, which can be used for any network comparison (CIDR, ASN or Country). Network Layer Protection
Request Args All arguments sent by the user in the request string (query string). Web Application Firewall
Request Method The request’s HTTP method. For example: GET, POST, PUT, etc. -
Request URI This relates to the $ {uri} variable from Rules Engine for Edge Applications. The normalized (urldecoded) URI of the request. The value of $ {uri} can change during the processing of a request, for example, when an internal redirect occurs or when index files are used. It does NOT carry the Query String parameters as ${request_uri} do. -
Scheme The scheme of the request: http or https. -

Comparison Operators

The condition for the execution of a rule must be the comparison of a variable with an argument. The comparison operators are:

Operador Description Argument
is equal The value of the variable is equal to the argument, compared character by character. string
is not equal The value of the variable is not exactly the same as the argument. string
starts with The value of the variable starts with the argument. string
does not start with The value of the variable does not start with the argument. string
matches The value of the variable matches the regular expression or list entered as an argument. regular expression
list
does not match The value of the variable does not match the regular expression entered as an argument. regular expression
list
exists The variable has a defined value. For example, Request Args exists if an argument is sent in the request’s query string. -
does not exist The variable does not have a defined value. For example, Request Args does not exist if an argument is sent in the request’s query string. -

Note: The options vary according to the selected Criteria.

Logic Operators

Multiple conditions can be defined using the logical operators “and” and “or”. The operator “and” has implicit precedence over the operator “or”.

If explicit precedence is required, you can add multiple criteria groups under the “and” logic.

Behaviors

In Behavior, you add the behaviors (actions) you want to perform if the rule’s conditions (Criteria) are met.

Behavior Description Requirements
Deny (403 Forbidden) It closes the request with HTTP 403 Forbidden response. -
Drop (Close Without Response) It closes the request without responding to the customer. -
Set Rate Limit It defines an access rate limit that, if exceeded, will result in an HTTP 429 Too Many Requests response. To configure the Rate Limit, you must inform:
Type is the field to select the type of request for the Rate Limit, choosing Req/s (Requests per Second) or Req/Min (Requests per Minute);
Average Rate Limit, which is the limit rate itself by second;
Client IP address, if you want the access rate to be counted by the client’s IP address or Global, if you want total access rate counted;
Maximum burst size, which indicates the maximum burst size of HTTP requests sent simultaneously, which will be queued and dispatched gradually, respecting the limit rate.

* The Maixumum Burst size is only available for the "Req/s"(Request per Second).
The configured value will be the Rate Limit for each Azion Edge Node, implemented using the Leaky Bucket algorithm. We recommend that you use *Maximum burst size
at a maximum of 10 times of the value configured in Average Rate Limit, which would result in penalizing the last request for a burst with up to a 10 second delay.
-
Set WAF Rule Set It associates the WAF Rule Set to be used in the request. WAF policies must be previously configured in the Edge Libraries > WAF Rules. Web Application Firewall
Run Function It runs a function specified as a parameter. The function must have been previously instantiated and parameterized in the Functions tab, in order to be used. Edge Functions

3. Configuring Azion Edge Firewall

Step 1: Creating a new Rule Set in Edge Firewall

  1. Access Real-Time Manager (RTM), select the Products Menu, and then the Edge Firewall section.

You will see the main interface where you can create and manage your Edge Firewall Rule Sets.

  1. Click the Add Rule Set button.
  2. Fill in the following fields:
    • Add Edge Firewall: assign a descriptive name for your Edge Firewall.
    • Domain Settings: in this section, select the domains to which you want these settings to be applied.
    • Edge Firewall Modules: enable the modules you deem necessary to be able to have access to the specific functionalities of each one. The available modules are:
      • Network Layer Protection.
      • Web Application Firewall (WAF).
      • Edge Functions.
  3. Select the field Active to activate the Rule Set.
  4. Click the Save button.

Step 2: Creating security rules through the Rules Engine

  1. Select the tab Rules Engine.
  2. Click on New Rule to add a new rule.
  3. Fill in the fields Rule Name, Criteria, and Behavior.
    • Rule Name: assign a descriptive name for your rule.
    • Criteria: parameterize your Rule Engine with the criteria that will define the conditions for the execution of the behaviors.
      • IF: conditional command. Select the variable, the comparison operator and the value to be compared. Example: IF Request URI starts with /product. This condition will test every request in which the URI starts with /product.

      You can combine more than one condition within the same rule, just add rules through the logical operators And and Or.

    • Behavior: define the action to be taken if the requisition matches the defined criteria. Select the attribute, and if necessary, select the condition and add the reference value. Some Actions do not require a complement, just select them so that their behavior is defined, for example, in the action Deny (403 Forbidden), which will return a HTTP Status Code 403 indicating that the server understood the request, but refuses to authorize it.
      • Then: Choose one of the available actions. The set of behaviors depends on the enabled Edge Firewall modules. Some options require the completion of complementary fields. Example: Then Set Rate Limit, Average Rate Limit (req/s or req/m) 2, Client IP Address, Maximum burst size 10.

      In this example, for the Set Rate Limit action, the additional fields Average Rate Limit (req/s or req/m) and Maximum Burst Size will appear, in addition to the restriction selection option by IP or Global address, that is, if the request meets the criteria of the Rule, then a rate limit of 2 requests per second, per IP address, will be set, with a burst limit of 10 requests.

  4. Select the field Active to activate the rule set.
  5. Click Save to save the Edge Firewall Rule Set.

4. Creating a configuration with the Web Application Firewall Module using Criteria and Behavior

Create a configuration with Web Application Firewall business rules through the Rules Engine.

Example: Rate Limit of 2 requests per second with a burst of 10 for user-agent Googlebot.

  1. Select the Rules Engine tab.
  2. Click on New Rule to add a new rule.
  3. Fill the following fields:
  • Rule Name: give your Rule Engine a descriptive name. Example: Rate Limiting Googlebot.

  • Criteria: parameterize your Rule Engine with the Criteria that will define how your rule works.
    • IF: conditional command. Select the attribute, select the condition and add a value to be tested. Example: IF Request User-Agent Matches Googlebot. This condition will test every request where the user-agent header contains “Googlebot”. Example: Header User Agent Matches Googlebot And Network Matches Azion Tor Exit Nodes. In this case the rule will only fit into requests with a header containing “Googlebot” and originated in the Tor Network.
  • Behavior:
    • Then: Choose Set Rate Limit. Example: Then Set Rate Limit, Average Rate Limit (req/s or req/m) 2, Client IP Address, Maximum burst size 10. In this example, for the Set Rate Limit action, the additional fields Average Rate Limit (req/s or req/m) and Maximum Burst Size will appear, in addition to the restriction selection option by IP or Global address, that is, if the request meets the criteria of the Rule, then a rate limit of 2 requests per second, per IP address, will be set, with a burst limit of 10 requests.
      1. Select the field Active to activate the rule set.
      2. Click the Save button.

5. Creating a Web Application Firewall configuration using the WAF Rule Set for your application

The Rule set is the WAF rule set that enables protection against the most varied types of attacks. It defines the protections you want to activate, the detection sensitivity level, and the whitelist.

Creating a WAF configuration within your Edge Firewall

  1. Access the Real-Time Manager (RTM), then *Edge Libraries** > WAF Rules. You will see the main interface where you can create and manage your Web Application Firewall (WAF).
  2. Click the Add WAF button to add a new WAF configuration.
  3. Fill the fields Name, Mode, Threat Type, and Active.
    • Name (Name of your WAF): assign a descriptive name to your WAF.
    • Mode (WAF operation mode):
      • Learning: it analyzes all requests and identifies those with malicious behavior, however it does not block, it only counts. We recommend using this option only in the learning (calibration) stage of your WAF.
      • Blocking: it analyzes all requests and blocks those with malicious behavior.
    • Threat Type (families of threats): a list of the families or types of threats addressed by the WAF is presented. Select one of the 5 WAF sensitivity level you want for each one in Sensitivity. Activate all types you deem necessary by selecting Status.
    • Active: check this option to activate your WAF.
  4. Click the Save button to save your settings.

Associating the WAF to Behaviors within your Edge Firewall

For your WAF to effectively take action it is necessary to associate it with a Behavior, within a Rule of your Edge Firewall. Follow the steps:

  1. Access Real-Time Manager and enter the menu Edge Firewall.
  2. Click the Add Rule Set button to add a new rule set.
  3. Enable Web Application Firewall in the Edge Firewall Modules and select one or more domains to receive WAF protection.
  4. Save your rule set with a descriptive name. You will need it to perform the Rule Set configuration later on in the Rules Engine tab.
  5. In the Rules Engine tab, in the Behavior section, in the Then field, select Set WAF Rule Set and associate the desired WAF Rule Set.
  6. Make sure that the Active option is selected.
  7. Use Real-Time Metrics or WAF Logs through Real-Time Events and Data Streaming products to track detected threats.

WAF only blocks threats if it is configured in Blocking Mode.


6. Debugging rules

Note: this functionality is in early access. Contact our Sales team to enable it for your account.

You can debug rule sets created in Rules Engine for Edge Firewall through the GraphQL API, Data Streaming, or Real-Time Events.

See How to debug rules created with Rules Engine for detailed information and instructions on how to activate and use this functionality.


Didn’t find what you were looking for? Open a support ticket.