Edge Firewall

Azion Edge Firewall is a security product that protects your servers and applications from the network layer to the application layer. With Edge Firewall, you can configure protection against all types of threats and attacks, all in a single place.

Advantages of using Edge Firewall:

  • Low-latency access, requests and responses.
  • Prevention of cybercriminals from reaching your origin/server by processing and blocking unwanted requests on the Azion Edge Network.
  • Highly programmable, modular, and extendible.
  • Creation of allowed rules, blocklists, and greylists based on IP/CIDR address, ASN, or user location.
  • Protection of applications from the Tor network and other malicious traffic sources, including botnets, malware, proxies, and others.
  • Access rate limitation to applications using complex criteria and multiple buckets.
  • Mitigation of Denial of Service (DoS and DDoS) attacks.
  • Protection against OWASP Top 10 threats and others.
  • Implementation of bot mitigation techniques, including blocklists, fingerprints, tampering protection, brute force prevention, advanced rate limiting, human challenge, and others.
  • Integration of Azion curated functions or third-party software in Edge Firewall for extended functionalities, such as IP reputation, fingerprint, JASON Web Tokens (JWT), credential stuffing, account takeover, price scraping, contact scraping, and others.

For more details on the product’s accounting, see the pricing page.

ScopeSource
Edge FirewallHow to update your Edge Firewall
Network Layer ProtectionHow to create IP blocklists with Network Layer Protection
Web Application FirewallHow to check your WAF mode

By using Azion as your Edge Computing platform, you can create security settings on Edge Firewall to protect your applications. Those edge firewall settings represent a set of rules that will be applied to the domains of your applications.

An edge firewall consists in an identification name, all your application domains where Edge Firewall should be applied, what are the applied modules, and what are the security rules configured in the Rules Engine tab.

See all available Edge Firewall modules:

  • DDoS Protection.
  • Edge Functions for Edge Firewall.
  • Network Layer Protection.
  • Web Application Firewall (WAF).

Rules Engine for Edge Firewall

Section titled Rules Engine for Edge Firewall

After activating the modules you want, you must configure your security rules in the Rules Engine tab. The rules you configure will run sequentially until the request is blocked or restricted or until all your rules are processed, at which point the request is released. The request’s data stream only passes onto your edge application if none of your Edge Firewall rules block or reject the request, ensuring that malicious requests don’t reach your application.

Each rule is made of Criteria (conditionals) and Behaviors (commands). The Behaviors setup will run if the conditions are met. For example, you can set up rules to block requests that come from IPs that are in a blocklist or even make up rules to exclude IPs that are in the allowed rules list. In this example, “block” is the Behavior, while the IP of the request is in the blocklist and not present in the allowed rules is the condition (Criteria).

go to Rules Engine reference

The Criteria and Behaviors available in Edge Firewall depend on the modules you have enabled in the edge firewall main configuration. Here’s the list of Criteria and Behaviors available to each Edge Firewall module:

List of Criteria and Behaviors available to each Edge Firewall module:

ModuleCriteriaBehavior
Edge FunctionsHostname
Request URI
Scheme
Client Certificate Validation
Deny (403 Forbidden)
Drop (Close Without Response)
Set Rate Limit
Network Layer ProtectionHostname
Network
Request URI
Scheme
Client Certificate Validation
Deny (403 Forbidden)
Drop (Close Without Response)
Set Rate Limit
Web Application FirewallHeader Accept
Header Accept-Encoding
Header Accept-Language
Header Cookie
Header Origin
Header Referer
Header User Agent
Hostname
Request Args
Request Method
Request URI
Scheme
Client Certificate Validation
Deny (403 Forbidden)
Drop (Close Without Response)
Set Rate Limit
Set WAF Rule Set

The DDoS Protection module protects your content and applications against Distributed Denial of Service (DDoS) attacks, as it detects attacks using advanced algorithms that run on Azion’s distributed network. This distributed network is connected to several mitigation centers to guarantee mitigation during large-scale attacks, both at the network and application levels.

go to DDoS Protection reference

Edge Functions are components of Azion Edge Computing Platform, which enable serverless functions to be added to your edge applications or edge firewall configurations, relieving your infrastructure, performing functions closer to the end-user, ensuring the necessary agility and scalability to meet your business objectives. You can also choose a ready-to-use function, or even write your own.

go to Edge Functions for Edge Firewall reference

This module allows the creation of filters by IP/CIDR, ASN addresses, or by countries (geolocation) through the configuration of Network Lists and the definition of business rules that will validate blocking or release Criteria, according to your need, specified on your Edge Firewall configuration.

go to Network Layer Protection reference

With the Origin Shield add-on, you can create a security perimeter for your origin infrastructure, be it a cloud provider, hosting, or even your own data center. You can configure that only some specific IP addresses on our network can access your origin, and all requests from unwanted IP addresses are blocked.

go to Origin Shield reference

Azion Web Application Firewall (WAF) protects your applications against threats such as SQL Injections, Remote File Inclusion (RFI), Cross-Site Scripting (XSS), and many others. The WAF analyses HTTP and HTTPS requests, detects and blocks threats before they can reach your infrastructure and affect your application performance.

It works at layer 7 at the application level and is based on scoring. Each request is compared with a very rigorous and detailed set of application patterns and is given a score, which is associated with a certain threat family. According to the score that this request has, it can be released or blocked. This happens directly in Azion’s edge nodes before the threat reaches your origin or causes any damage. It’s possible to customize the desired sensitivity, and have a differentiated blocking for each threat family.

go to Web Application Firewall reference

You can clone an existing edge firewall through Azion API.

The new cloned edge firewall will have identical settings as the original one, including main settings, functions instances, and rules from Rules Engine. However, the domains associated with the original edge firewall won’t be copied to the cloned one.

You need to retrieve the ID of the edge firewall you want to clone and then run a POST request to clone it, providing a new name.

clone an edge firewall

These are the default limits:

ScopeLimit
Network Lists entries20,000 lines
ASN in a network list20,000 lines
IP/CIDR in a network list20,000 lines
Web Application Firewall128 kB

Contributors