WAF Rule Sets
The Rules Engine for Web Application Firewall (WAF) is a feature that helps you protect your edge applications according to the needs of your own applications. With Rules Engine for Web Application Firewall, you can define your own set of security rules (a Rule Set), designed specifically for your needs.
These rules are composed of criteria and behaviors. The criteria are the conditions under which a rule is executed, and the behaviors are the actions that are then executed. The rules are processed sequentially, and whenever a rule's conditions are met, its behaviors are executed. A set of such custom rules for Web Application Firewall is called a WAF Rule Set.
Prerequisites
To configure a WAF Rule Set, you must have an Edge Firewall configuration with the Web Application Firewall module activated.
Monitoring threat detection with Real-Time Metrics
A WAF configuration associated with an edge application generates a lot of information. You can use Real-Time Metrics to visualize, analyze, and export this data.
In Real-Time Metrics, the first graph on the WAF tab (threats vs requests) shows three time series:
- Regular Requests: all HTTP and HTTPS requests analyzed by WAF and considered secure.
- Threats: the volume of threats detected and counted by WAF when the rule set is in counting mode. These threats aren’t being blocked at the moment.
- Threats Blocked: threats effectively blocked by WAF. To start blocking the threats found, the rule set must be in blocking mode.
If you also have the Data Streaming service, you can track more detailed information about the client IP, date and time of access, status code, detected attack family, and the configured mode of action. A sample of the streamed records, header line first, followed by four records:

```
$time-iso8601 $azion-client-id $azion-virtualhost-id $azion-configuration-id $azion-solution $azion-solution-id $host $conn-request-time $req-method $resp-status $req-uri $waf-threat-family $waf-threat-action $client-geoip-country-name $client-geoip-region-name $client-addr $client-port $req-header(User-Agent) $req-header(Referer)
2017-01-04T17:00:19+00:00 1234a 10203b 1020304050 ha 1441740010 www.yoursite.com 0.129 GET 200 /request-uri?key=value $XSS $LEARNING-BLOCK Brazil Sao Paulo 1.2.3.4 61511 Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 https://www.yoursite.com/referrer
2017-01-04T17:00:19+00:00 1234a 10203b 1020304050 ha 1441740010 www.yoursite.com 0.025 POST 200 /request-uri $SQL $LEARNING-BLOCK Brazil Santa Catarina 2.3.4.5 61513 Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 https://www.yoursite.com/referrer
2017-01-04T17:00:40+00:00 1234a 10203b 1020304050 ha 1441740010 www.yoursite.com 0.026 GET 301 /request-uri?key=value $RFI $LEARNING-BLOCK Brazil Rio de Janeiro 5.6.7.8 26102 Mozilla/5.0 (Linux; Android 5.1.1; SM-G800H Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 https://www.yoursite.com/referrer
2017-01-04T17:00:41+00:00 1234a 10203b 1020304050 ha 1441740010 www.yoursite.com 0.391 POST 200 /request-uri $UWA $LEARNING-BLOCK Brazil Rio Grande do Sul 9.10.11.12 26102 Mozilla/5.0 (Linux; Android 5.1.1; SM-G800H Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 https://www.yoursite.com/referrer
```
Based on this information, you can adjust the sensitivity of the WAF Rule Set, until no more false positives occur. You can also ask Azion to generate an allowlist for your application.
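As an added example (not part of this page or of Azion's own tooling), the following script parses the streamed records shown above and summarizes them by threat family and WAF action, with the URIs behind each family, which is the view you need when tuning sensitivity for false positives. It assumes the space-separated field order of the sample; the field names in the code are the script's own, and country and region are kept together because the format gives no way to split them.

```python
import re
from collections import Counter
# Constructed sample: the four Data Streaming records quoted on this page
# (header line omitted), one record per line, fields separated by spaces.
SAMPLE_LOG = """\
2017-01-04T17:00:19+00:00 1234a 10203b 1020304050 ha 1441740010 www.yoursite.com 0.129 GET 200 /request-uri?key=value $XSS $LEARNING-BLOCK Brazil Sao Paulo 1.2.3.4 61511 Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 https://www.yoursite.com/referrer
2017-01-04T17:00:19+00:00 1234a 10203b 1020304050 ha 1441740010 www.yoursite.com 0.025 POST 200 /request-uri $SQL $LEARNING-BLOCK Brazil Santa Catarina 2.3.4.5 61513 Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 https://www.yoursite.com/referrer
2017-01-04T17:00:40+00:00 1234a 10203b 1020304050 ha 1441740010 www.yoursite.com 0.026 GET 301 /request-uri?key=value $RFI $LEARNING-BLOCK Brazil Rio de Janeiro 5.6.7.8 26102 Mozilla/5.0 (Linux; Android 5.1.1; SM-G800H Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 https://www.yoursite.com/referrer
2017-01-04T17:00:41+00:00 1234a 10203b 1020304050 ha 1441740010 www.yoursite.com 0.391 POST 200 /request-uri $UWA $LEARNING-BLOCK Brazil Rio Grande do Sul 9.10.11.12 26102 Mozilla/5.0 (Linux; Android 5.1.1; SM-G800H Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36 https://www.yoursite.com/referrer
"""

# The first 13 variables never contain spaces, so they can be split positionally.
LEADING = ("time", "client_id", "virtualhost_id", "configuration_id", "solution",
           "solution_id", "host", "request_time", "method", "status", "uri",
           "threat_family", "threat_action")
# Country, region and User-Agent may all contain spaces, so the tail is matched
# from the client IPv4 address outwards: geo = country + region (kept together,
# since the format gives no way to split them), Referer = last token.
TAIL_RE = re.compile(
    r"^(?P<geo>.+?) (?P<addr>\d{1,3}(?:\.\d{1,3}){3}) (?P<port>\d+) "
    r"(?P<ua>.+) (?P<referer>\S+)$"
)

def parse_record(line):
    """Parse one streamed record into a dict; raises ValueError on malformed input."""
    parts = line.split(" ", len(LEADING))
    if len(parts) != len(LEADING) + 1:
        raise ValueError(f"too few fields: {line!r}")
    rec = dict(zip(LEADING, parts[:-1]))
    tail = TAIL_RE.match(parts[-1])
    if tail is None:  # e.g. an IPv6 client address, which this pattern does not cover
        raise ValueError(f"unparseable tail: {parts[-1]!r}")
    rec.update(tail.groupdict())
    rec["status"] = int(rec["status"])
    rec["request_time"] = float(rec["request_time"])
    return rec

def summarize(log_text):
    """Count records per (threat family, WAF action) and collect the URIs that
    triggered each family: what you review before switching to blocking mode."""
    counts = Counter()
    uris_by_family = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        counts[(rec["threat_family"], rec["threat_action"])] += 1
        uris_by_family.setdefault(rec["threat_family"], set()).add(rec["uri"])
    return counts, uris_by_family
```

On the sample, every family is still in `$LEARNING-BLOCK`, so each URI listed is a candidate to check for false positives before the rule set is switched to blocking mode.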