How to create a WAF rule set

Web Application Firewall (WAF) lets you create rule sets for specific threat types. You then apply these rule sets through Rules Engine for Edge Firewall so that their behaviors are executed.

This guide creates a rule set that blocks threats from the SQL Injection family, for example to prevent attacks that attempt a select query. After creating an edge firewall and activating the WAF module, follow the steps below.


  1. Access Azion Console > WAF Rules.
  2. Click the Add WAF button.
  3. On the Main Settings tab, give your WAF rule set a unique and easy-to-remember name. In this case, SQL Injection rule set.
  4. On the Threat Type Configuration section, look for the SQL Injection option.
  5. Choose the Sensitivity option High for this threat so WAF doesn’t allow requests considered as an SQL Injection threat.
  6. Make sure the Active switch is enabled.
  7. Click the Save button.

Repeat this process for any other threat types you want a rule set for.

Now, you need to apply the rule set you’ve created in Rules Engine. To do so:

  1. Still on Azion Console, go to Edge Firewall.
  2. Select the Rules Engine tab.
  3. Click the New Rule button.
  4. Give your rule a name and, optionally, a description.
  5. In the Criteria section, select the Request Args variable.
  6. As a comparison operator, select matches.
  7. As an argument, add content-type=select.
  8. In the Behaviors section, select Set WAF Rule Set.
  9. As arguments:
    • On the first dropdown menu, select the rule set you want to use. In this case, SQL Injection rule set.
    • On the second dropdown menu, select the mode you want Edge Firewall to operate on: Learning or Blocking. In this case, Blocking.
  10. Click the Save button.

To create the same configuration through the Azion API:

  1. Run the following POST request to create the WAF rule set, replacing [TOKEN VALUE] with your personal token:

    curl --location 'https://api.azionapi.net/waf/rulesets' \
    --header 'Accept: application/json; version=3' \
    --header 'Authorization: Token [TOKEN VALUE]' \
    --header 'Content-Type: application/json' \
    --data '{
      "name": "SQL Injection rule set",
      "mode": "blocking",
      "active": true,
      "sql_injection": true,
      "sql_injection_sensitivity": "high",
      "bypass_addresses": []
    }'

  2. You’ll receive a response similar to this:

    {
      "id": 6421,
      "name": "SQL Injection rule set",
      "mode": "counting",
      "active": true,
      "sql_injection": true,
      "sql_injection_sensitivity": "high",
      "remote_file_inclusion": true,
      "remote_file_inclusion_sensitivity": "medium",
      "directory_traversal": true,
      "directory_traversal_sensitivity": "medium",
      "cross_site_scripting": true,
      "cross_site_scripting_sensitivity": "medium",
      "evading_tricks": true,
      "evading_tricks_sensitivity": "medium",
      "file_upload": true,
      "file_upload_sensitivity": "medium",
      "unwanted_access": true,
      "unwanted_access_sensitivity": "medium",
      "identified_attack": true,
      "identified_attack_sensitivity": "medium",
      "bypass_addresses": []
    }

  3. Copy the id value.
  4. Run the following POST request to create a rule, replacing [TOKEN VALUE] with your personal token, <edge_firewall_id> with your edge firewall id value, and <waf_rule_set_id> with the id you copied:

    curl --location 'https://api.azionapi.net/edge_firewall/<edge_firewall_id>/rules_engine' \
    --header 'Accept: application/json; version=3' \
    --header 'Authorization: Token [TOKEN VALUE]' \
    --header 'Content-Type: application/json' \
    --data '{
      "name": "SQL Injection rule",
      "is_active": true,
      "behaviors": [
        {
          "name": "set_waf_ruleset",
          "argument": "<waf_rule_set_id>"
        }
      ],
      "criteria": [
        [
          {
            "variable": "request_args",
            "operator": "matches",
            "conditional": "if",
            "argument": "content-type=select"
          }
        ]
      ]
    }'

| Key | Description |
| --- | --- |
| name | Name of the rule |
| behaviors | Array that stores objects defining behaviors |
| criteria | Array that stores objects defining criteria |

See the Azion API documentation to find out more about criteria and behavior objects.

  5. You’ll receive the following response:

    {
      "results": {
        "name": "SQL Injection rule",
        "is_active": true,
        "behaviors": [
          {
            "name": "set_waf_ruleset",
            "argument": "6421"
          }
        ],
        "criteria": [
          [
            {
              "variable": "request_args",
              "operator": "matches",
              "conditional": "if",
              "argument": "content-type=select"
            }
          ]
        ],
        "last_modified": "2023-12-01T21:43:14.580949Z",
        "last_editor": "user@email.com",
        "id": 28735,
        "order": 4
      },
      "schema_version": 3
    }

Wait a few minutes for the changes to propagate.
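
The sample response in this guide reports "mode": "counting" although the request sent "blocking", and it lists threat families the request never mentioned. The following Python is an added example, not part of Azion's documentation: it compares the request body with the returned rule set before building the Rules Engine body. SAMPLE_RESPONSE is a constructed, shortened copy of the guide's response, and the function names are hypothetical.

```python
import json

# Body of the guide's first POST (WAF rule set creation).
REQUESTED = {
    "name": "SQL Injection rule set", "mode": "blocking", "active": True,
    "sql_injection": True, "sql_injection_sensitivity": "high",
    "bypass_addresses": [],
}

# Constructed sample: the guide's example response, cut down to three families.
SAMPLE_RESPONSE = {
    "id": 6421, "name": "SQL Injection rule set", "mode": "counting",
    "active": True, "sql_injection": True, "sql_injection_sensitivity": "high",
    "remote_file_inclusion": True, "remote_file_inclusion_sensitivity": "medium",
    "file_upload": True, "file_upload_sensitivity": "medium",
    "bypass_addresses": [],
}

SUFFIX = "_sensitivity"


# audit_ruleset and build_rule are names made up for this example.
def audit_ruleset(requested, response):
    """Return (mismatches, extras): requested fields whose returned value
    differs, and enabled threat families the request never mentioned."""
    mismatches = {key: (want, response.get(key))
                  for key, want in requested.items()
                  if response.get(key) != want}
    extras = {}
    for key, level in response.items():
        family = key[:-len(SUFFIX)]
        if key.endswith(SUFFIX) and family not in requested and response.get(family):
            extras[family] = level
    return mismatches, extras


def build_rule(ruleset_id):
    """Body of the guide's second POST; the guide passes the id as a string."""
    criterion = {"variable": "request_args", "operator": "matches",
                 "conditional": "if", "argument": "content-type=select"}
    return {"name": "SQL Injection rule", "is_active": True,
            "behaviors": [{"name": "set_waf_ruleset", "argument": str(ruleset_id)}],
            "criteria": [[criterion]]}


if __name__ == "__main__":
    print(audit_ruleset(REQUESTED, SAMPLE_RESPONSE))
    print(json.dumps(build_rule(SAMPLE_RESPONSE["id"]), indent=2))
```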



