How to tune WAF

You can use the WAF Tuning feature to analyze network lists, IPs, and countries that have matched configured WAF rule sets.

In this guide, you’ll filter possible attacks in your WAF and create an allowed rule from the results you receive.


Requires:


After setting up the initial configurations, proceed as follows:

  1. Access Azion Console > WAF Rules.
  2. Select the WAF Rule Set you want to tune or create a new one.
  3. Select the Tuning tab.
    • You’ll find the available variables to filter.
  4. Define the time range you want to analyze.
  5. In the Domain(s) dropdown, select the domains you want to analyze. Mandatory field.
  6. You can also choose to filter by network list.
  7. Optionally, you can click the + Filter button to filter by IP Address or Country
    • In this case, click the Apply button.

To exemplify a real-life situation, let’s assume the existence of a few variables:

  1. On Time Range, select Last 12 hours.
  2. On Domain(s), select www.mydomain.com and www.anotherdomain.com.
  3. On Network List, select Blocklist IPs.

You’ll receive a list of records regarding the filters you’ve applied. In this case, records that match the Blocklist IPs network list.

You can do a drilldown of the records by clicking on each of them with information on Rule IDs, Hits, Paths, IPs, Countries, Top 10 IPs Address, and Top 10 Countries.


Once you filter a query with WAF Tuning, you can create an allowed rule from the presented results. To do so:

  1. Use the Field chechbox to select the records you want to create an allowed rule.
    • You can select as many records as you want.
  2. Click the Allow Rules button.

You can go to the Allowed Rules tab on the WAF Rules page to check the allowed rule was successfully created. All new requests to the specified domains in your configured edge firewall will be treated according to the newly added rules.


Contributors