Updating your Edge Firewall
In this document, we will indicate the features used in the deprecated versions, showing how to bring them to the latest version. To learn more about new features, and how to use them, see the product page and documentation.
Rule Sets deprecated from Edge Firewall show the following banner: This Edge Firewall rule set is deprecated. Please upgrade to the new version.
1. What has changed?
Until now, a Rule Set from Edge Firewall or WAF was used by activating the Edge Firewall and Web Application Firewall modules in the Main Settings tab of each Edge Application, and then using the Behaviors Set Edge Firewall Rule Set and Set WAF Rule Set in the Edge Application Rules Engine.
Edge Firewall has become an independent product that concentrates all security features: DDoS Protection, Network Layer Protection, Web Application Firewall, and Edge Functions.
Before updating your version of the Edge Firewall, you must have the latest version of the Edge Application product.
2. Assigning your Rule Sets to the latest version of Edge Firewall
To use the latest Azion Edge Firewall, follow the steps below. Each section describes how a feature works with the new modules, Network Lists, and Rules Engine.
Step 1 - Creating new rule sets in Edge Firewall
First, you need to create a Rule Set and new rules based on pre-existing rules. Throughout the process, we will explain how each feature works on the latest version:
Create Edge Firewall Rule Set:
- Log into Real-Time Manager, go to the Products menu in the upper left corner, under SECURE select Edge Firewall. You can also click directly on Edge Firewall on the Getting started page.
- Add an Edge Firewall by clicking Add a Rule Set or edit an already created one.
- Follow the steps below according to the functionality:
Referrer Blocking
If you used Referer Block in your deprecated rule set, in the new rule set:
- Enable the module Web Application Firewall.
- Then, go to the Rules Engine tab and, in Criteria, select Header Referer.
- Add the domain of the old Rule Set with the condition Header Referer, using the comparator does not match.
- For each domain in Accepted Domains of the old Rule Set, add an AND rule by repeating step 3.
- In Behavior, select the Behavior Deny 403.
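The rule built in the steps above can be modeled offline to check its logic before saving it. This is an added example, not Azion code: the function names, the sample domains and the regex-based comparator are assumptions made for illustration.

```python
import re

# Constructed sample: Accepted Domains copied from a deprecated rule set.
ACCEPTED_DOMAINS = ["www.example.com", "shop.example.com"]


def build_criteria(domains):
    """One 'Header Referer does not match <domain>' condition per domain."""
    # Assumption: the comparator is modeled as a regex search over the header
    # value; re.escape keeps '.' from matching arbitrary characters.
    patterns = [re.compile(re.escape(d), re.IGNORECASE) for d in domains]
    return [lambda referer, p=p: p.search(referer) is None for p in patterns]


def evaluate(referer, criteria, operator="AND"):
    """Return 403 if the rule fires (Behavior Deny 403), otherwise 200."""
    # Assumption: a request without a Referer header is compared as "".
    results = [condition(referer or "") for condition in criteria]
    fires = all(results) if operator == "AND" else any(results)
    return 403 if fires else 200


def decision_table(domains=ACCEPTED_DOMAINS):
    """Evaluate constructed Referer values under AND and under OR."""
    criteria = build_criteria(domains)
    samples = {
        "accepted_www": "https://www.example.com/page",
        "accepted_shop": "https://shop.example.com/cart",
        "other_site": "https://unrelated.example.net/",
        "no_referer": None,
    }
    return {
        name: (evaluate(value, criteria, "AND"), evaluate(value, criteria, "OR"))
        for name, value in samples.items()
    }


if __name__ == "__main__":
    for name, (with_and, with_or) in decision_table().items():
        print(f"{name:14} AND -> {with_and}   OR -> {with_or}")
```

Joining the conditions with OR instead of AND denies every request as soon as two accepted domains exist, because each Referer fails to match at least one of them. Under this model a request with no Referer header is also denied, so confirm that this is the behavior you had in the deprecated rule set.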
Geo-Blocking
If you used Geo-Blocking in your deprecated rule set, in the new rule set:
- Access the Real-Time Manager and enter the Libraries > Network Lists menu.
- Add or edit a Network List.
- In the Type option, select Countries.
- Copy the list of countries from the deprecated rule set to Network Lists.
- In the Edge Firewall, enable the Network Layer Protection module.
- On the Rules Engine tab, create a new Rule and select Criteria: Network.
- Choose a logical operator where Match means Blacklist and Does not Match means Whitelist.
- Then, select the Country type of Network List created in steps 3 and 4.
- In Behavior, select the Behavior Deny 403.
Secure Token
If you used Secure Token in your deprecated rule set, in the new rule set:
- Enable the module Edge Functions.
- In the Functions tab, select Add function to instantiate a Secure Token Edge Function.
- Fill in the information and use the editor to customize Function Args to define the secret that composes the hash.
- On the Rules Engine tab, define a Criteria that will be used on Edge Function.
- In Behavior select Run Function, then select Secure Token function, created in steps 2 and 4.
IP Blocking
If you used IP Blocking in your deprecated rule set, in the new rule set:
- Access the Real-Time Manager and enter the Libraries > Network Lists menu.
- Add or edit a Network List.
- In the Type option, select IP/CIDR.
- Copy the list of IPs from the deprecated rule set to Network Lists.
- In the Edge Firewall, enable the Network Layer Protection module.
- On the Rules Engine tab, create a new Rule and select Criteria: Network.
- Choose a logical operator where Match means Blacklist and Does not Match means Whitelist.
- Then, select the IP/CIDR type of Network List created in steps 3 and 4.
- In Behavior, select the Behavior Deny 403.
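Before pasting the old IP list into a Network List, it helps to validate the entries and to confirm which operator reproduces the old behavior. The sketch below is an added example, not Azion code: the function names and sample entries are constructed, and `decide` is only a model of the Match / Does not Match choice described above.

```python
import ipaddress

# Constructed sample: entries as they might be copied from an old IP list.
COPIED_ENTRIES = [
    "203.0.113.7",
    "198.51.100.0/24",
    "198.51.100.42",      # already covered by the /24 above
    "2001:db8::/32",
    "10.0.0.300",         # typo: not a valid address
    " 192.0.2.0/25 ",     # stray whitespace from copy and paste
]


def load_network_list(entries):
    """Parse IP/CIDR entries; return (networks, rejected, redundant)."""
    networks, rejected = [], []
    for raw in entries:
        text = raw.strip()
        try:
            networks.append(ipaddress.ip_network(text, strict=False))
        except ValueError:
            rejected.append(text)
    redundant = [
        n for n in networks
        if any(n != o and n.version == o.version and n.subnet_of(o)
               for o in networks)
    ]
    return networks, rejected, redundant


def decide(client_ip, networks, operator):
    """Model of the rule: Criteria Network, Behavior Deny 403."""
    addr = ipaddress.ip_address(client_ip)
    in_list = any(addr.version == n.version and addr in n for n in networks)
    if operator == "Match":            # list acts as a blacklist
        return 403 if in_list else 200
    if operator == "Does not Match":   # list acts as a whitelist
        return 200 if in_list else 403
    raise ValueError(f"unknown operator: {operator}")


if __name__ == "__main__":
    nets, bad, dup = load_network_list(COPIED_ENTRIES)
    print("rejected:", bad, "redundant:", [str(n) for n in dup])
    for ip in ("198.51.100.9", "192.0.2.200", "2001:db8::1"):
        print(ip, decide(ip, nets, "Match"), decide(ip, nets, "Does not Match"))
```

Choosing Does not Match with a list that was meant as a blacklist inverts the policy: every address outside the list receives 403.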
Rate Limiting
If you used Rate Limiting in your deprecated rule set, in the new rule set:
- Select the Rules Engine tab.
- Then, define the Criteria for your Rule Set.
- In Behavior, select Set Rate Limit.
- Set the number of requests per second in the Average Rate Limit.
- Set to Client IP Address or Global.
- Then, set the Maximum burst size.
Association of Domains to the new Rule Set
After configuring the settings, associate one or more domains with the new Rule Set:
- Edit the new Rule Set of the Edge Firewall.
- In the Domains section, select domains that will be associated with the Rule Set in Main Settings.
- Save to apply the configuration.
WAF Rule Set Association
After configuring the settings, associate your WAF Rule Set with the new Rule Set. You can use the WAF Rule Sets the same way as before; however, they move from the Edge Application Rules Engine to the Edge Firewall Rules Engine:
- Edit the new Rule Set of the Edge Firewall.
- Enable the module Web Application Firewall.
- On the Rules Engine tab, add or edit a Rule.
- Set the Criteria to condition the use of the WAF Rule Set.
- In Behavior select Set WAF Rule Set and choose a WAF Rule Set.
- Save to apply the settings.
Step 2 - Removing the Edge Firewall rules in the Edge Application
After creating and applying the Rule Sets for the latest version of Edge Firewall for your domain, remove the Rules in Edge Application:
- Log into Real-Time Manager, go to the Products menu in the upper left corner and under BUILD select Edge Applications.
- Edit an Edge Application with the Edge Firewall configuration.
- On the Rules Engine tab, identify the Behaviors Set Edge Firewall with Rule Sets or Set WAF Rule Set.
- Remove the Behavior from Edge Application.
- Next, confirm the deletion by clicking Delete and your rule will be removed.