How to tune WAF
You can use the WAF Tuning feature to analyze network lists, IPs, and countries that have matched configured WAF rule sets.
In this guide, you’ll filter possible attacks in your WAF and create an allowed rule from the results you receive.
Tuning WAF
Requires:
After setting up the initial configurations, proceed as follows:
- Access Azion Console > WAF Rules.
- Select the WAF Rule Set you want to tune or create a new one.
- Select the Tuning tab.
- You’ll find the available variables to filter.
- Define the time range you want to analyze.
- In the Domain(s) dropdown, select the domains you want to analyze. Mandatory field.
- You can also choose to filter by network list.
- Optionally, you can click the + Filter button to filter by IP Address or Country
- In this case, click the Apply button.
To exemplify a real-life situation, let’s assume the existence of a few variables:
- On Time Range, select Last 12 hours.
- On Domain(s), select
www.mydomain.comandwww.anotherdomain.com. - On Network List, select Blocklist IPs.
You’ll receive a list of records regarding the filters you’ve applied. In this case, records that match the Blocklist IPs network list.
You can do a drilldown of the records by clicking on each of them with information on Rule IDs, Hits, Paths, IPs, Countries, Top 10 IPs Address, and Top 10 Countries.
- Access Real-Time Manager (RTM) > WAF Rules.
- Select the WAF Rule Set you want to tune or create a new one.
- Select the Tuning tab.
- Under the Filter Possible Attacks section, you’ll find the available variables to filter.
- In the Domain(s) dropdown, select the domains you want to analyze. Mandatory field.
- Optionally, you can choose to filter by:
- Time range
- Network List
- IP Address
- Country
- Click the Apply filter button.
To exemplify a real-life situation, let’s assume the existence of a few variables:
- On Domain(s), select
www.mydomain.comandwww.anotherdomain.com. - On Time Range, select Last 12 hours.
- On Network List, select Blocklist IPs.
- Click Apply filter.
You’ll receive a list of records regarding the filters you’ve applied. In this case, records that match the Blocklist IPs network list.
You can do a drilldown of the records by clicking on each of them with information on Hits, IPs, Countries, Top 10 IPs Address, Top 10 Countries, and Top 10 Paths.
Creating an Allowed Rule
Once you filter a query with WAF Tuning, you can create an allowed rule from the presented results. To do so:
- Use the Field chechbox to select the records you want to create an allowed rule.
- You can select as many records as you want.
- Click the Allow Rules button.
You can go to the Allowed Rules tab on the WAF Rules page to check the allowed rule was successfully created. All new requests to the specified domains in your configured edge firewall will be treated according to the newly added rules.
- Use the Field chechbox to select the records you want to create an allowed rule.
- You can select as many records as you want.
- Click the Allow Rules button.
You can go to the Allowed Rules tab on the WAF Rules page to check the allowed rule was successfully created. All new requests to the specified domains in your configured edge firewall will be treated according to the newly added rules.
Contributors
