How to update Edge Firewall

Previously, to use a rule set from Edge Firewall or Web Application Firewall (WAF), you had to activate these modules in the Main Settings tab of each edge application. Then, criteria and behaviors were applied in the application’s Rules Engine tab.

Azion Edge Firewall has evolved into an independent product including all security functionalities: DDoS Protection, Network Layer Protection, Web Application Firewall, and Edge Functions. This update facilitates the creation of new security policies that can be applied globally or specifically. Consequently, rule sets used in deprecated versions of Edge Firewall have also been deprecated.

This documentation will guide you through updating the Edge Firewall features used in the deprecated versions to the latest ones. Each section describes how each feature works on the new modules, Network Lists, and Rules Engine.

Go to Edge Firewall reference

Creating new rules in Edge Firewall

First, you must create an edge firewall to add new rules based on the pre-existing rules later.

  1. Access Azion Console > Edge Firewall.
  2. Create a new edge firewall by clicking the + Edge Firewall button.
    • Alternatively, you can edit an already created one.
  3. Follow the steps explained below according to the functionality.

Referrer Block

referer-blocking

If you used Referer Block in your deprecated rule set, still in the new edge firewall:

  1. In the Main Settings tab, enable the Web Application Firewall module.
  2. Click the Save button.
  3. Go to the Rules Engine tab.
  4. Click the + Rule Engine button.
  5. Give a name and, optionally, a description for your rule.
  6. In the Criteria section, set the desired criteria to trigger the rule:
    • If Header Referer does not match yourdomain.com.
    • Use the accepted domain of the old rule set.
  7. For each domain in Accepted Domains of the old rule set, click the + Add Criteria button and repeat the step 6.
  8. In the Behavior section, select Deny (403 Forbidden).
  9. Click the Save button.

Geo-Blocking

geo-blocking

If you used Geo-Blocking in your deprecated rule set:

  1. Access Azion Console > Network Lists.
  2. Create a new network list by clicking the + Network List button.
    • Alternatively, you can edit an already created one.
  3. Give a name for your network list.
  4. In Type, select Countries.
  5. In the Countries dropdown, select the countries you want to add, based on the the deprecated rule set.
  6. Click the Save button.

Now it’s time to create a rule using the network list for your edge firewall:

  1. Go to Products menu > Edge Firewall.
  2. Select the firewall you created previously.
  3. In Main Settings, enable the Network Layer Protection module.
  4. Click the Save button.
  5. Go to the Rules Engine tab.
  6. Click the + Rule Engine button.
  7. Give a name and, optionally, a description for your rule.
  8. In the Criteria section, set the desired criteria to trigger the rule:
    • If Network does not match your network list (to use as an allowlist) or If Network matches your network list (to use as a blocklist).
    • Select the network list you created in the previous steps as the value.
  9. In the Behavior section, select Deny (403 Forbidden).
  10. Click the Save button.

Secure Token

secure-token

If you used Secure Token in your deprecated rule set, still in the new edge firewall:

  1. In the Main Settings tab, enable the Edge Functions module.
  2. Click the Save button.
  3. Go to the Functions Intances tab.
  4. Click the + Function Intance button.
  5. Give a name for your instance.
  6. In Edge Function, select the Secure Token function.
  7. Use the Arguments box to define the secret that composes the hash.
  8. Click the Save button.
  9. Go to the Rules Engine tab.
  10. Click the + Rules Engine button.
  11. Give a name and, optionally, a description for your rule.
  12. In the Criteria section, set the desired criteria to trigger the rule.
  • For example: if Host is equal xxxxxxxxxxxx.map.azionedge.net/classes.
  1. In the Behavior section, select Run Function.
  2. In the dropdown, select the function instance you created to Secure Token.
  3. Click the Save button.

IP Blocking

ip-blocking

If you used IP Blocking in your deprecated rule set:

  1. Access Azion Console > Network Lists.
  2. Create a new network list by clicking the + Network List button.
    • Alternatively, you can edit an already created one.
  3. Give a name for your network list.
  4. In Type, select IP/CIDR.
  5. In the List box, copy the list of blocked IPs from the deprecated rule set.
  6. Click the Save button.

Now it’s time to create a rule using the network list for your edge firewall:

  1. Go to Products menu > Edge Firewall.
  2. Select the firewall you created previously.
  3. In Main Settings, enable the Network Layer Protection module.
  4. Click the Save button.
  5. Go to the Rules Engine tab.
  6. Click the + Rule Engine button.
  7. Give a name and, optionally, a description for your rule.
  8. In the Criteria section, set the desired criteria to trigger the rule:
    • If Network does not match your network list (to use as an allowlist) or If Network matches your network list (to use as a blocklist).
    • Select the network list you created in the previous steps as the value.
  9. In the Behavior section, select Deny (403 Forbidden).
  10. Click the Save button.

Rate Limiting

rate-limiting

If you used Rate Limiting in your deprecated rule set, still in the new edge firewall:

  1. Go to the Rules Engine tab.
  2. Click the + Rule Engine button.
  3. Give a name and, optionally, a description for your rule.
  4. In the Criteria section, set the desired criteria to trigger the rule.
  5. In the Behavior section, select Set Rate Limit.
  6. In the Rate Limit type, select either Req/s or Req/min and define the average rate limit.
  7. Select if you want to set a limit by Client IP Address or Global and the maximum burst size.
  8. Click the Save button.

Domains association

You can also associate one or more domains with the new edge firewall:

  1. Access Azion Console > Edge Firewall.
  2. Select the firewall you created previously.
  3. In the Main Settings tab, go to the Domains section.
    • Select each domain you want to associate with this firewall and click the > button.
    • Select multiple domains by using ctrl on Windows and Linux or command on Mac and click the > button.
    • Select >> to select all domains presented on the Available list.
  4. Click the Save button.

WAF Rule Set Association

You can also associate one or more WAF Rule Sets with the new edge firewall:

  1. Access Azion Console > Edge Firewall.
  2. Select the firewall you created previously.
  3. In the Main Settings tab, enable the Web Application Firewall module.
  4. Click the Save button.

Now it’s time to create a rule using the WAF Rule Set for your edge firewall:

  1. Go to the Rules Engine tab.
  2. Click the + Rule Engine button to add a new rule or edit an existing one.
  3. Give a name and, optionally, a description for your rule.
  4. In the Criteria section, set the desired criteria to trigger the rule.
  5. In the Behavior section, select Set WAF Rule Set and choose a WAF Rule Set.
  6. Click the Save button.

Removing the Edge Firewall rules in your edge application

After creating and applying the rule for the latest version of Edge Firewall for your domain, you must remove the rules in your edge application:

  1. Access Azion Console > Edge Application.
  2. Select the edge application with the deprecated configurations.
  3. In the Rules Engine tab, select any rule including the behaviors Set Edge Firewall with Rule Sets or Set WAF Rule Set.
  4. Remove the behavior by clicking the trash can icon and your rule will be removed.
    • To remove the whole rule, in the list, click the three points in the right corner of the rule and select the Delete option. Then, confirm the deletion in the modal and your rule will be removed.
  5. Click the Save button.

Contributors