The Rules Engine for Web Application Firewall (WAF) is a feature that helps you protect your edge applications with rules tailored to those applications. With Rules Engine for Web Application Firewall, you can define your own set of security rules (a Rule Set), designed specifically for your needs.
These rules are composed of criteria and behaviors. The criteria are the conditions under which a rule runs, and the behaviors are the actions it executes. The rules are processed sequentially, and whenever a rule's conditions are met, its behaviors are executed. A set of custom rules for Web Application Firewall is called a WAF Rule Set.
Prerequisites
To configure a WAF Rule Set, you must have an Edge Firewall configuration with the Web Application Firewall module activated.
Monitoring threat detection with Real-Time Metrics
A WAF configuration associated with an edge application generates a lot of information. You can use the Real-Time Metrics to visualize, analyze, and export this data.
In Real-Time Metrics, the first graph on the WAF tab (threats vs requests) shows three time series:
- Regular Requests: all HTTP and HTTPS requests that were analyzed by WAF and considered secure.
- Threats: the volume of threats detected and accounted for by WAF while in counting mode. These threats aren’t being blocked at the moment.
- Threats Blocked: threats effectively blocked by WAF. To start blocking the threats found, the rule set must be in blocking mode.
If you also have the Data Streaming service, you can track more detailed information about IP, date and time of access, status code, detected attack family, and the configured mode of action.
Based on this information, you can adjust the sensitivity of the WAF Rule Set until no more false positives occur. You can also ask Azion to generate an allowlist for your application.
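The review described above, sketched as an added example (not Azion's code): it sorts exported records into the three series of the threats vs requests graph and lists the counting-mode detections per attack family, which are the ones to check for false positives before switching to blocking mode. The record layout, field names and attack family labels are hypothetical, not Azion's Data Streaming schema, and the sample records are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample records. Field names and family labels are hypothetical;
# map them to the variables your own Data Streaming template emits.
RECORDS = [
    {"ip": "198.51.100.7", "time": "2024-05-01T10:00:01Z", "status": 200,
     "attack_family": None, "mode": "counting"},
    {"ip": "198.51.100.7", "time": "2024-05-01T10:00:04Z", "status": 200,
     "attack_family": "sql_injection", "mode": "counting"},
    {"ip": "198.51.100.8", "time": "2024-05-01T10:00:09Z", "status": 200,
     "attack_family": "sql_injection", "mode": "counting"},
    {"ip": "203.0.113.9", "time": "2024-05-01T10:01:12Z", "status": 404,
     "attack_family": "xss", "mode": "counting"},
    {"ip": "203.0.113.9", "time": "2024-05-02T08:30:00Z", "status": 403,
     "attack_family": "xss", "mode": "blocking"},
    {"ip": "198.51.100.10", "time": "2024-05-02T08:31:00Z", "status": 200,
     "attack_family": None, "mode": "blocking"},
]

def series(record):
    """Map one record to a series of the threats vs requests graph."""
    if not record["attack_family"]:
        return "Regular Requests"
    return "Threats Blocked" if record["mode"] == "blocking" else "Threats"

def summarize(records):
    """Return per-series totals and counting-mode detections per attack family."""
    totals = Counter(series(r) for r in records)
    review = defaultdict(lambda: {"hits": 0, "ips": set(), "statuses": Counter()})
    for r in records:
        if series(r) == "Threats":  # detected but not blocked
            entry = review[r["attack_family"]]
            entry["hits"] += 1
            entry["ips"].add(r["ip"])
            entry["statuses"][r["status"]] += 1
    return totals, dict(review)

def review_order(review):
    """Attack families ordered by counting-mode hits, highest first."""
    return sorted(review, key=lambda family: (-review[family]["hits"], family))

if __name__ == "__main__":
    totals, review = summarize(RECORDS)
    print(dict(totals))
    for family in review_order(review):
        entry = review[family]
        print(family, entry["hits"], sorted(entry["ips"]), dict(entry["statuses"]))
```

A family that shows many counting-mode hits from ordinary clients on requests the application served normally is a candidate for a sensitivity change or an allowlist entry; that judgment stays with the reviewer.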