About the Fastly WAF rule management interface (original)

IMPORTANT

As announced, April 30, 2023 marks the formal retirement of the Fastly WAF (WAF Legacy and WAF 2020). Our Fastly Next-Gen WAF offers similar functionality. It monitors for suspicious and anomalous web traffic and protects, in real-time, against attacks directed at the applications and origin servers that you specify.

The Fastly WAF rule management interface provides visibility and management for rules enabled on a WAF associated with a Fastly service. If you've been assigned the role of engineer or superuser, you can use the rule management interface to inspect the details of WAF rules, search and filter by rule ID or category, manage thresholds and scores, change rule modes, and deploy changes into production.

Limitations

The Fastly WAF rule management interface currently has the following limitations:

  • You can disable threshold rules, but we don't recommend it: disabling a threshold rule removes an entire category of protection from your WAF.
  • You can't roll back or undo individual rule mode changes. If you change a rule mode inadvertently, you have to change the specific rule back to its original mode. For more information on making production changes to your WAF, see the section on deploying changes.

IMPORTANT

This interface allows you to modify the rule modes on your production service. Lowering threshold scores or changing rules from log to block may cause unexpected false positives.

Accessing the Fastly WAF rule management interface

You can access the Fastly WAF rule management interface from the WAF dashboard by following the steps below:

  1. Log in to the Fastly web interface. The Home page appears displaying a list of all services associated with your account.

    [Image: link to WAF on the All services page]

  2. Find your Fastly service in the list, and then click the WAF link. The WAF summary page appears.

  3. Click the Manage Rules link. The Manage rules page appears.

    [Image: the Manage rules page]

Using the Fastly WAF rule management interface

The Fastly WAF rule management interface displays the rules currently enabled on the WAF associated with the selected Fastly service. If you haven't enabled rules or you don't see any rules on your WAF, contact support.

The Fastly WAF rule management interface consists of the following main sections:

WAF status bar

The status bar summarizes the status of your WAF.

[Image: the WAF status bar]

  • Status Indicator: Displays Active (green) when the WAF is active on your service and protecting your origin.
  • WAF ID: Displays the WAF ID, with a control to copy the ID to the clipboard. The WAF ID may be used when accessing the Fastly WAF API.
  • Abbreviated Rule Summary: Shows your active rules and their associated mode.
  • Deployment Date: Shows the date and time (UTC) of the last successful service deployment that includes the VCL generated from the WAF rules enabled on this service.

Rule view

The rule view shows a list of all rules currently enabled on your WAF and their associated mode. There are three types of rules: scoring rules, threshold rules (also called threat categories), and application-specific rules.

Rules have a rule name, tags, revision indicator, rule ID, mode selector, and Details link. The revision indicator shows whether a rule has been revised. A revised rule may provide additional protection over and above the earlier revision.

Scoring rules

Scoring rules increment a score based on anomalies detected in the incoming HTTP request, and threshold rules check that total against the value configured for the appropriate threshold. An example scoring rule is shown below.

[Image: the WAF scoring rule]

TIP

Fastly sets default anomaly scores for four categories of rules. When an HTTP request trips a rule in a category, that numeric value is added to the total score for that category. The sum of all the rules' scores is the anomaly score for the HTTP request. For example, if an HTTP request trips a critical rule and an error rule, and the critical anomaly score is set to 6 and the error anomaly score is set to 5, the score for the HTTP request would be 11.

We don't recommend changing the values of the anomaly scores. Instead, we recommend changing the values of the thresholds on the Thresholds and Scores page.

Scoring rules have two possible modes:

  • Scoring: This mode means a rule is active and looking for threats. Rules in this mode will increment scores and log their result to your currently configured logging provider based on the setting for the corresponding threshold rule. For more information on threshold rules, see the section on threshold rules.
  • Disabled: This mode means a rule is inactive. Threats detected by this rule will NOT count towards your total anomaly score and their result will not be logged.

You can click the Details link to see the format of a rule in the Apache ModSecurity format as well as the corresponding generated VCL.

IMPORTANT

The generated VCL shows a general transformation from the Apache ModSecurity language to VCL. The VCL shown here does not show how a rule increments your anomaly score based on your configured values.

Threshold rules

Threshold rules cover a specific category of attack against your web application or API. An example threshold rule is shown below.

[Image: the WAF threshold rule]

The threshold rule has a category name, revision indicator, tag, rule ID, mode selector, and Details link.

Threshold rules take an action on client HTTP requests: either log, or block and log. A threshold rule acts when the score for its category exceeds the configured threshold value. The corresponding threshold value for each category is configured on the Thresholds and Scores page.

Lowering thresholds increases the sensitivity of your WAF. Raising thresholds reduces the sensitivity of your WAF across the various threshold categories.

The Fastly WAF includes the following threshold rules organized into categories. Each rule has a corresponding threshold value that controls its sensitivity.

ID      | Threshold name                 | Rule action condition                                                                      | Corresponding threshold value | Action choice
--------|--------------------------------|--------------------------------------------------------------------------------------------|-------------------------------|-------------------
1010090 | Inbound Anomaly Score          | Action taken when the inbound anomaly score exceeds the configured inbound anomaly threshold | Inbound anomaly threshold   | Log or Block & Log
1010080 | Session Fixation               | Action taken when the session fixation score exceeds the configured session fixation threshold | Session fixation threshold | Log or Block & Log
1010070 | HTTP Violation                 | Action taken when the HTTP violation score exceeds the configured HTTP violation threshold   | HTTP violation threshold    | Log or Block & Log
1010060 | PHP Injection                  | Action taken when the PHP injection score exceeds the configured PHP injection threshold     | PHP injection threshold     | Log or Block & Log
1010050 | Remote Command Execution (RCE) | Action taken when the RCE anomaly score exceeds the configured RCE threshold                 | RCE threshold               | Log or Block & Log
1010040 | Local File Inclusion (LFI)     | Action taken when the LFI score exceeds the configured LFI threshold                         | LFI threshold               | Log or Block & Log
1010030 | Remote File Inclusion (RFI)    | Action taken when the RFI score exceeds the configured RFI threshold                         | RFI threshold               | Log or Block & Log
1010020 | Cross-site Scripting (XSS)     | Action taken when the XSS score exceeds the configured XSS threshold                         | XSS threshold               | Log or Block & Log
1010010 | SQL Injection                  | Action taken when the SQL injection score exceeds the configured SQL injection threshold     | SQL injection threshold     | Log or Block & Log

IMPORTANT

Disabling a threshold rule removes an entire category of protection from your WAF. Use caution when disabling threshold rules.

Application-specific rules

Application-specific rules look at incoming HTTP requests to find signatures designed to take advantage of specific vulnerabilities within the context of a specific library, framework, or component. They take effect immediately. Application-specific rules have three possible modes:

  • Logging Mode: This mode means a rule is active and looking for threats. Rules in this mode will log their result on an exact match. The result is logged to your currently configured logging provider.
  • Blocking Mode: This mode means a rule is active and looking for threats. Rules in this mode block the HTTP request and prevent it from going to the origin. Rules in blocking mode also log the result to your currently configured logging provider.
  • Disabled: This mode means a rule is inactive. HTTP requests that match a rule will flow directly to your origin.

The rule search box allows you to search for a specific rule using the rule ID or keyword. The result is shown in the Rule View.

Keyword search allows you to search for rules that contain a specific query string in the rule source. For example, you can search for rules that contain keywords such as java, php, loic, or ddos. Keyword search compares your query string against the rule's mod_security source.

You can control the scope of the search through the use of the Include all and Exclude applied filters. Selecting Include all expands the search to the entire rule library as well as the rules currently active on your WAF. Selecting Exclude applied searches only the rules in the library that are not currently active on your WAF.

[Image: the WAF rule search]

Category filters

The category filters allow you to view the different types of rules currently configured on your WAF. Filters can be combined.

  • Status filter: Allows you to filter by rule mode for log, block, or disabled.
  • Publisher filter: Allows you to filter by rule publisher. Currently supported publishers include OWASP, Trustwave, and Fastly.
    TIP

    Use the Publisher filter and select OWASP to show all rules in scoring mode.

  • Attack type filter: Allows you to show the rules enabled on your WAF that offer protection for specific categories of attack.

Thresholds and scores

The Thresholds and scores page allows you to configure thresholds and other OWASP security policy settings. You can access these settings by clicking the Thresholds and Scores link.

[Image: the WAF thresholds and scores page]

This page can be used to tune the sensitivity of your WAF with respect to thresholds and scores.

Adding new rules to your WAF

You may want to add new rules to your WAF based on changing attack patterns and risks to your application. You can add new rules by using the scope filters displayed under the search box to browse, search, and select new rules. Selecting the Include all filter will display all rules in the current rule library in the Rule View.

TIP

By selecting Include all, you will see considerably more rules than you have currently active. Pagination allows you to browse through the rule base.

Once the rules are available to browse, you can use the search box to search for a specific rule ID or keyword. For example, if you're interested in protecting against Apache Struts2 vulnerabilities published in CVE-2017-9805, you might search for struts2 or RCE.

[Image: the WAF rule search with Include all selected]

The Rule View will appear as follows.

[Image: the WAF rule view results]

You can view the rule source by selecting the Details link. This provides you with more information about how the rule executes in VCL.

You can enable a rule by selecting Options and changing the mode to either Log only or Block.

[Image: the WAF rule with a rule blocked]

TIP

The available options for OWASP rules are Scoring and Disabled. To enable a new OWASP rule, select Scoring.

Verifying a rule is active

After you select the rule mode, the rule appears at the top of the rule view. To verify that your rule was added, you should deselect the Include all filter and use the Status, Publisher, or Attack type filters and confirm that the rule has been added to your WAF.

After you verify that the rule has been added, follow the instructions in the deploying changes section to deploy your changes.

WAF policy execution

When the Fastly WAF processes an inbound request, scoring rules execute first, followed by threshold rules. Application-specific and Fastly rules are executed last.

If the accumulated score exceeds the configured threshold, the threshold rules take action. For more information on the threshold categories and action condition, please see the table in the threshold rules section.

[Image: the WAF process]
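The execution order described above and the scoring arithmetic from the scoring and threshold rule sections, as an added Python model (not Fastly's code or generated VCL): scoring rules accumulate per-category anomaly scores first, then threshold rules compare each category against its configured threshold and log or block. The critical=6 and error=5 scores are the page's example values; the warning/notice scores, scoring rule IDs 9001/9002, the match strings and the sample request are constructed, while 1010010 and 1010090 are the SQL Injection and Inbound Anomaly Score threshold rule IDs from the table above.

```python
from dataclasses import dataclass

# Per-severity anomaly scores. critical=6 and error=5 are the values used in
# the page's worked example; warning and notice are constructed placeholders.
ANOMALY_SCORES = {"critical": 6, "error": 5, "warning": 3, "notice": 2}


@dataclass
class ScoringRule:
    rule_id: int
    category: str          # threshold category this rule feeds, e.g. "sqli"
    severity: str          # key into ANOMALY_SCORES
    needle: str            # constructed stand-in for the ModSecurity match operator
    mode: str = "scoring"  # "scoring" or "disabled"


@dataclass
class ThresholdRule:
    rule_id: int
    category: str
    threshold: int         # value set on the Thresholds and Scores page
    mode: str = "log"      # "log", "block" (block & log) or "disabled"


def evaluate(request, scoring, thresholds):
    """Scoring rules run first and accumulate per-category scores; threshold
    rules then compare each category against its configured threshold.
    Returns (decision, per-category scores, threshold rule IDs that fired)."""
    scores = {}
    for r in scoring:
        if r.mode != "disabled" and r.needle.lower() in request.lower():
            scores[r.category] = scores.get(r.category, 0) + ANOMALY_SCORES[r.severity]
    scores["inbound"] = sum(scores.values())  # inbound anomaly score = sum of all categories
    decision, fired = "pass", []
    for t in thresholds:
        if t.mode != "disabled" and scores.get(t.category, 0) > t.threshold:
            fired.append(t.rule_id)
            decision = "block" if (t.mode == "block" or decision == "block") else "log"
    return decision, scores, fired


# Constructed sample rule set. 9001/9002 are placeholder scoring rule IDs;
# 1010010 and 1010090 are the SQL Injection and Inbound Anomaly Score
# threshold rule IDs from the page's table.
SCORING = [ScoringRule(9001, "sqli", "critical", "union select"),
           ScoringRule(9002, "sqli", "error", "select")]
THRESHOLDS = [ThresholdRule(1010010, "sqli", 10, mode="block"),
              ThresholdRule(1010090, "inbound", 20, mode="log")]
SAMPLE_REQUEST = "GET /item?id=1 UNION SELECT password FROM users"  # constructed
```

With the sample request, the critical and error rules give the SQL injection category 6 + 5 = 11, which exceeds the threshold of 10 and blocks; raising that threshold to 11, or disabling either the scoring rule or the threshold rule, lets the same request pass, which is the sensitivity trade-off the thresholds control.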

Deploying changes

The Fastly WAF rule management interface allows you to change rule modes and threshold values that change the way rules behave in the face of potential web-oriented attacks. After changing rule modes, you can click the Deploy button to put these changes into production.

[Image: deploy button for the Fastly WAF]

After clicking Deploy, you'll see a confirmation message asking if you want to deploy your changes. Click Yes to continue.

[Image: confirmation window for WAF deployment]

Once the deployment is complete, you can verify that the changes were deployed by looking at the date below the deploy button.

[Image: last deploy time of WAF]

IMPORTANT

Changes to your WAF only occur after you select the Deploy button.
