Web Application Firewall
Web Application Firewall (WAF) is an Azion Edge Firewall module, developed to protect edge applications from threats such as SQL Injections, Remote File Inclusion (RFI), Cross-Site Scripting (XSS), and other web vulnerabilities. WAF analyzes HTTP and HTTPS requests, detects, and blocks malicious activity before it reaches your application infrastructure.
WAF operates in the seventh layer of the OSI model, the application layer, where the relationship between web applications and their respective network services and user data takes place. It also works as a barrier to filter and monitor traffic between your application and the requests from the internet.
Web Application Firewall is based on requests scoring methodology. Each HTTP/HTTPS request is compared to a very strict and detailed set of application standards and given a score that is associated with a particular family of threats. According to the score received by the request, it can be released or blocked directly in Azion’s edge nodes, before the threat reaches its origin or causes any type of damage. You define the desired level of sensitivity for blocking each family of threats.
WAF can operate in two modes: Learning or Blocking. You can set the mode in a rule in Rules Engine with the Set WAF Rule Set behavior or via Azion API.
You can use the Learning mode to avoid blocking lawful requests and malfunctions of your application. In this step, WAF identifies the legitimate behaviors of your application by placing them in an allowlist.
If internal traffic, tests, and false positives are being blocked by WAF, you can also fine-tune its settings in the Tuning feature, available inside a WAF configuration.
Implementation
| Scope | Source |
|---|---|
| Create WAF rule set | How to create a WAF rule set |
| WAF mode | How to check your WAF mode |
| WAF score | How to find information about WAF blocked requests |
| Integrate WAF with SIEMs | How to integrate WAF with SIEMs |
Prerequisites
To configure a WAF Rule Set, which is what a WAF configuration is called, you must have an Edge Firewall configuration with the Web Application Firewall module activated.
Go to configure edge firewall guideWAF Main Settings
The Main Settings section is configured by activating protection against specific threat families: SQL Injection, Remote File Inclusions (RFI), Directory Traversal, Cross-Site Scripting (XSS), File upload, Evading tricks, Unwanted Access, and Identified Attack, and setting a sensitivity level: Lowest, Low, Medium, High, and Highest.
The Threat Type Configuration table categorizes threats into families, according to the purpose of the attack.
Go to types of threats referenceGo to create a rule set guide
It’s possible to enable and disable protection for each threat family individually through the Active switch.
Sensitivity levels define how strictly WAF will consider a request as a threat.
Each sensitivity level tolerates a defined number of threat indicatives and the WAF score represents this amount of threat indicatives. The more flexible the sensitivity level is, the higher the WAF score it accepts. The most rigid sensitivity levels, on the other hand, only accept requests with fewer signs of threats.
Go to sensitivity levels referenceWAF Tuning
WAF Tuning is an analytical tool that shows IPs from requests that match the WAF rules. The Tuning tab is where you can make the WAF’s operation more flexible. IPs are displayed grouped in the Filter WAF rule table. You can filter by Domain, Time Range, Network Lists, IP, and Countries.
Go to tune WAF guideIn the filters below Filter Possible Attacks, you can enter the domain (required), time range, which network lists you prefer to use, which IPs you are investigating, and the country of origin of the requests.
By clicking the Apply filter button, a list of Possible Attacks will be displayed. This list includes the fields Rule ID, Description, Hits, IPs, Countries, Top 10 IPs Address, and Top 10 Countries.
Go to WAF Custom Allowed Rules referenceAllowed Rules
This tab allows you to create, edit, and delete Allowed Rules.
The Allowed Rules are composed of the fields:
| Field | Description |
|---|---|
Rule ID | Unique numeric ID of a WAF Rule |
Rule Description | Automatic textual description of what the rule is/does |
Reason | Alternative manual textual description |
URI | Uniform Resource Identifier (URI) is the path that goes after the domain in the URL |
Path | When specified, restricts the application of the Match Zone only to the defined path. The path delimits the scope of action of the rule |
Match Zone | Parts or fields of the requisition that’ll be compared with the match pattern. Read more about each option in the Match Zones table below |
Active | Allowed Rule active status switch |
Match Zone dropdown options
The Match Zone dropdown opens the options available to complete this field. Each option has a specific behavior, as explained in the table below.
| Field | Description | Field example | Matches on |
|---|---|---|---|
Conditional Query String | Match pattern will be compared with query string parameters of the request | ?id=123&user=admin | You can select to add either the key name or the value in the allowed rule |
Conditional Request Body | Match pattern will be compared with the body of the request under certain conditions | {"username": "admin", "password": "123456"} | You can select to add either the key name or the value in the allowed rule |
Conditional Request Header | Match pattern will be compared with the HTTP headers of the request under certain conditions | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 | You can select to add either the header name or the value in the allowed rule |
File Name (Multipart body) | Match pattern will be compared with the name of the files in multipart POSTs | - | - |
Path | Match pattern will be compared with the request path | - | - |
Query String | Match pattern will be compared to the query string, also called GET arguments | - | You can select to add either the key name or the value in the allowed rule |
Raw Body | Match pattern will be compared to the uninterpreted body of a requisition, also called the unparsed body | - | - |
Request Body | Match pattern will be compared to the body of a POST, also called POST arguments | - | You can select to add either the key name or the value in the allowed rule |
Request Header | Match pattern will be compared to the HTTP headers of the request | - | You can select to add either the header name or the value in the allowed rule |
Limits
These are the default limits:
| Scope | Limit |
|---|---|
| Debug Rules log size | 1.5 kB |
| WAF Tuning queries | 3 days |
Contributors
