
    Fastly WAF rule set updates and maintenance

      Last updated June 26, 2019

    Fastly provides rule set updates to the Fastly WAF in a prompt manner to help protect customers against attacks.

    For OWASP and Trustwave rules changes we use the following process:

    1. We regularly review the rule changes as they happen in both the OWASP Core Rule Set and the Trustwave Rule Set.
    2. We translate the rules into Varnish Configuration Language (VCL) to run inside our cache nodes.
    3. We test the rules in our platform to ensure they perform adequately. We try to maximize performance and rule efficacy while reducing false positives.
    4. We correct bugs, if any are found.
    5. We propagate the rule set changes to our platform worldwide.
    6. Finally, we will provide customers with a notification and instructions on how to make rule updates.

    Rule set maintenance

    The following links provide information about the updates and changes to the provided rule sets:

    ID Version/Date Type of Change Affected Rule Sets
    6wvihQHbaCG7NBPTfm20S9 v12
    2019-08-29
    • The OWASP Core Rule Set (CRS) was updated with 19 new rules that mitigate SQL injection, Content-Type anomalies, client side code injection, PHP injection, and remote code execution. In addition, 95 rules were updated in the OWASP CRS to enhance their effectiveness or reduce incidents of false positives.
    • The following rules were removed from the OWASP CRS: 920130, 920280, 920290, 921100, 941200, 941310, 941350, and 944220. Rules 941310, 941350, and 941200 specifically were removed due to performance issues that may impact your WAF.
    • Fastly Rules 4112012 and 4112031 have been updated to reduce incidents of false positives. Fastly Rule 4112030 was removed due to excessive false positives.
    • The Trustwave rules have been updated with 197 new rules, of which 44 are for WordPress and 94 for Joomla. These rules include better protections for customers using these platforms to publish web content.
    • Trustwave rules 217055, 2066577, and 2100097 were removed.
    • Some Fastly and Trustwave rules have been renumbered. Renumbering is handled transparently so there should be no impact to your production WAF objects.
    Affected rule sets: OWASP, Fastly Rules, Trustwave
    1PD2HFpi6qwkAsePake7pw v11
    2019-03-25
    • Introduced new Fastly rule 4170010, which detects CVE-2019-6340 (Drupal 8 core Highly critical RCE)
    • Introduced new Fastly rule 4170020, which detects the Magento Magestore Store Locator extension vulnerability
    • Updated Fastly rule 4112031 to include additional user agents
    • Updated Fastly rules 4113001, 4120010, and 4120011 to show correct match data
    • Removed OWASP rules 905100 and 905110, which would never match
    • Updated OWASP rules 932100 and 932110 to avoid false positives for Windows and UNIX command injection
    Affected rule sets: OWASP, Fastly Rules
    3vnl3cwPda9Q3WYCDRuGW v10
    2018-09-05
    • Introduced new OWASP rule 932190, which mitigates RCE (OS File Access Attempt) on low paranoia level WAF
    • Introduced new OWASP rule 941110, which mitigates XSS using script tag vector
    • Introduced new OWASP rule 944100, which mitigates RCE via Java deserialization vulnerabilities (CVE-2017-9805, CVE-2017-10271)
    • Introduced new OWASP rule 944110, which mitigates RCE via Java process spawn vulnerability (CVE-2017-9805)
    • Introduced new OWASP rule 944120, which mitigates RCE via Java serialization (CVE-2015-5842)
    • Introduced new OWASP rule 944240, which mitigates RCE via Java serialization (CVE-2015-5842)
    • Introduced new OWASP rule 944130, which detects suspicious Java classes
    • Introduced new OWASP rule 944250, which detects RCE via Java method
    • Introduced new OWASP rule 944200, which detects magic bytes being used that signal Java serialization
    • Introduced new OWASP rule 944210, which detects magic bytes being Base64 encoded that signal Java serialization
    • Introduced new OWASP rule 944220, which detects vulnerable Java class in use
    • Introduced new OWASP rule 944300, which detects Base64 encoded string that matched suspicious keyword
    • Introduced new Fastly internal rule 4134010, which mitigates CVE-2018-11776 Apache Struts v2 vulnerability
    • Introduced new Fastly internal rule 4113010, which detects suspicious X-Rewrite-URL header
    • Introduced new Fastly internal rule 4113020, which detects suspicious X-Original-URL header
    • Introduced new Fastly internal rule 4113030, which detects ESI directives in request
    • Introduced new Fastly internal rule 4113050, which detects ESI directives in body
    • Removed Trustwave rule 2200000, IP blocklist
    • Removed Trustwave rule 2200002, TOR Exit Nodes blocklist
    Affected rule sets: OWASP, Fastly Rules, Trustwave
    67LUkBwzFzESzumlU2L0T8 v9
    2018-08-01
    • Introduced new Fastly internal rule 4134010, which mitigates common XXE attacks
    • Introduced new Fastly internal rule 4112019, which mitigates CtrlFunc Botnet Attack
    • Introduced new Fastly internal rule 4113001, which mitigates suspicious X-Forwarded-Host headers
    • Introduced new Fastly internal rule 4113002, which mitigates X-Forwarded-Host and Host headers that do not match
    • Introduced new Fastly internal rule 4120010, which detects illegal characters found in the client X-Forwarded-Host header
    • Introduced new Fastly internal rule 4120011, which detects illegal characters found in the client X-Forwarded-For header
    • Updated OWASP rule 930130 to include additional restricted files
    Affected rule sets: OWASP, Fastly Rules
    552NEtnDyzucKd3vTjLgFC v8
    2018-05-11
    • Added logdata fields to OWASP rules 920230, 920260, 920270, 920271, 920272, 920273, 920274, 920360
    • Introduce new Fastly internal rule 4170001, which mitigates Drupal sa-core-2018-004 attack
    • Adjust threshold rule 1010090 message
    Affected rule sets: OWASP, Fastly Rules
    6LG4xleIDKWLblCJczGpi9 v7
    2018-03-28
    • Introduce new Fastly internal rule 4170000, which mitigates Drupal sa-core-2018-002 attack
    • Updated Fastly internal 4112060 Wordpress PingBack rule
    • Updated Fastly internal rules that protect against DDoS bots (Rule IDs: 4112013 and 4112016)
    Affected rule sets: Fastly Rules
    1D0OPmXjm6ZMOe9rMGAeQj v6
    2018-01-25
    • Update Trustwave rules to latest available
    • Introduce new Fastly internal rules to protect against DDoS bots (Rule IDs: 4112010-4112018, 4112030, 4112031, and 4112060)
    • Introduce new Fastly internal rule 10041 (which complements existing rule 10040) to block any HTTP POST body greater than 2 kibibytes in size that uses chunked encoding
    Affected rule sets: Trustwave, Fastly Rules
    2YXlqZJQxMkWyAjM4kggR3 v5
    2017-11-13
    • Global update to OWASP 3.0.2 CRS release
    • Update Trustwave rules to latest available
    • Introduce new Fastly internal rule 10040 to block any HTTP POST body greater than 2 kibibytes in size.
    Affected rule sets: OWASP, Trustwave, Fastly Rules
    2vyJNHO7fngQYJXU8UGUY6 v4
    2017-10-06
    • Updates to rule 932140 to account for SAML false positives in Windows
    • Reintroduction of missing transforms on some OWASP rules
    • Introduction of Fastly internal rule to protect against CVE-2017-9805
    Affected rule sets: OWASP, Fastly Rules
    4Z09wgjp7do8NrOIzlckFS v3
    2017-08-14
    • Reintroduction of individual threshold variables: http_violation_score_threshold, lfi_score_threshold, php_injection_score_threshold, rce_score_threshold, rfi_score_threshold, session_fixation_score_threshold, sql_injection_score_threshold, xss_score_threshold
    • Removal of unused threshold variables: brute_force_counter_threshold, dos_counter_threshold, outbound_anomaly_score_threshold, trojan_score_threshold
    • Additional bug fixes in OWASP rule set
    Affected rule sets: OWASP, Trustwave
    39EE4tZnEM9Q8hxFJMHYU5 v2
    2017-04-26
    Affected rule sets: OWASP, Trustwave, Fastly Rules

    RSS and JSON feeds

    You can keep tabs on new rule sets by following our RSS and JSON feeds.

    Updating to the newest rule set

    Follow these instructions to update a WAF to use the newest rule set.

    Reviewing the current rule set

    Before updating your WAF to a new rule set, we recommend that you record the value of your WAF's currently active rule set. You can use this information to revert your WAF to its previous state.

    Run the following cURL command in a terminal application to find the currently active rule set:

    curl -s -H Fastly-Key:<your Fastly API token> -H Accept:application/vnd.api+json \
          https://api.fastly.com/service/<your Fastly service ID>/version/<your service version number>/wafs/<your WAF ID>
    

    The output from the cURL command is shown below. In the relationships object, notice that this WAF is using <ID of your active configuration set>. Remember the ID.

    {
        "data": {
            "attributes": {
                "last_push": null,
                "prefetch_condition": null,
                "response": null,
                "version": "1"
            },
            "id": "<your WAF ID>",
            "relationships": {
                "configuration_set": {
                    "data": {
                        "id": "<ID of your active configuration set>",
                        "type": "configuration_set"
                    }
                }
            },
            "type": "waf"
        }
    }
    

    Changing the rule set version

    Follow these instructions to change the rule set version for a WAF:

    1. Find the ID of the new rule set version you want to use in the rule set maintenance section.
    2. On your computer, create a new file called updated_relationship.json.
    3. Copy and paste the following JSON into the file, replacing <your rules ID> with the ID of the rule set version you want to use:

      {
          "data": {
              "id": "<your WAF ID>",
              "relationships": {
                  "configuration_set": {
                      "data": {
                          "id": "<your rules ID>",
                          "type": "configuration_set"
                      }
                  }
              },
              "type": "waf"
          }
      }
      
    4. Save the changes to the updated_relationship.json file.
    5. In the directory where you saved the file, run the following cURL command in a terminal application to change the rule set version for a WAF:

      curl -s -X PATCH -H Fastly-Key:<your Fastly API token> -H Accept:application/vnd.api+json \
        -H Content-Type:application/vnd.api+json -d @updated_relationship.json \
        https://api.fastly.com/service/<your Fastly service ID>/version/<your service version number>/wafs/<your WAF ID>
      
    6. Changing the rule set version for a WAF can take some time. Run the following cURL command in a terminal application to monitor the status of the process:

      curl -s -H Fastly-Key:<your Fastly API token> -H Accept:application/vnd.api+json \
            https://api.fastly.com/service/<your Fastly service ID>/version/<your service version number>/wafs/<your WAF ID>
      

      The process is complete when the output displays the ID of the new rule set version.
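
    The review, change and monitor steps above can be scripted so that the previous rule set ID is always captured before the change. The following is an added example, not Fastly's own code; the function names, the retry count and the delay are assumptions, and only the endpoint, headers and JSON shapes come from this page.

```python
import json
import time
import urllib.request

JSON_API = "application/vnd.api+json"

def active_configuration_set(waf_doc):
    """Return the configuration_set ID from a WAF object shaped like the output above."""
    try:
        rel = waf_doc["data"]["relationships"]["configuration_set"]["data"]
        if rel["type"] == "configuration_set" and rel["id"]:
            return rel["id"]
    except (KeyError, TypeError):
        pass
    raise ValueError("response carries no configuration_set relationship")

def relationship_patch(waf_id, rules_id):
    """Build the body that the steps above store in updated_relationship.json."""
    rel = {"data": {"id": rules_id, "type": "configuration_set"}}
    return {"data": {"id": waf_id, "type": "waf",
                     "relationships": {"configuration_set": rel}}}

def http_json(method, url, token, body=None):
    """Send the same headers as the cURL commands; the token is an argument, not shell text."""
    headers = {"Fastly-Key": token, "Accept": JSON_API}
    data = None
    if body is not None:
        headers["Content-Type"] = JSON_API
        data = json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None

def change_rule_set(url, token, waf_id, new_id, call=http_json,
                    tries=30, delay=10, sleep=time.sleep):
    """Record the active ID, PATCH the new one, then poll until it is reported.

    Returns (previous_id, switched); previous_id is the value to revert to.
    """
    previous = active_configuration_set(call("GET", url, token))
    if previous == new_id:
        return previous, True      # already on the requested rule set
    call("PATCH", url, token, relationship_patch(waf_id, new_id))
    for _ in range(tries):         # tries and delay are assumed values
        if active_configuration_set(call("GET", url, token)) == new_id:
            return previous, True
        sleep(delay)
    return previous, False         # timed out; the caller decides whether to revert
```

    Here `url` is the `/service/.../version/.../wafs/<your WAF ID>` address used in the cURL commands; persist the returned previous ID before proceeding so a revert does not depend on memory.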

    Updating to the latest rules

    After you've verified that the rule set for the WAF has successfully been changed, follow these steps to update your WAF with the latest rules:

    1. Run the following cURL command in a terminal application to update the rule set:

      curl -s -X PATCH -H Fastly-Key:<your Fastly API token> -H Accept:application/vnd.api+json \
        -H Content-Type:application/vnd.api+json -d '{"data":{"id":"<your WAF ID>","type":"ruleset"}}' \
        https://api.fastly.com/service/<your Fastly service ID>/wafs/<your WAF ID>/ruleset
      

      The response will look like this:

      {
          "data": {
              "id": "WAF_ID",
              "type": "ruleset"
          },
          "links": {
              "related": {
                  "href": "https://api.fastly.com/service/<your Fastly service ID>/wafs/<your WAF ID>/update_statuses/<update status ID>"
              }
          }
      }
      
    2. Updating the WAF with the latest rules can take some time. Using the URL in the response in the previous step, run the following cURL command in a terminal application to monitor the status of the process:

      curl -s -H Fastly-Key:<your Fastly API token> -H Accept:application/vnd.api+json \
      https://api.fastly.com/service/<your Fastly service ID>/wafs/<your WAF ID>/update_statuses/<update status ID>
      

      The response for the waf_update_status will have a status of complete when the process is complete.

      {
          "data": {
              "attributes": {
                  "completed_at": "2017-04-05 18:47:28 UTC",
                  "created_at": "2017-04-05 18:47:27 UTC",
                  "message": null,
                  "status": "complete",
                  "updated_at": "2017-04-05 18:47:28 UTC"
              },
              "id": "<update status ID>",
              "type": "waf_update_status"
          }
      }
      

    Reverting to a previous rule set version

    If a WAF rule set update doesn't go as planned, you can revert to the previous rule set version. Using the previous rule set ID you recorded in the reviewing the current rule set section, follow the instructions in changing the rule set version and updating to the latest rules.
