Fastly WAF rule set updates and maintenance (original)
Last updated 2022-06-16
IMPORTANT
As announced, April 30, 2023 marks the formal retirement of the Fastly WAF (WAF Legacy and WAF 2020). Our Fastly Next-Gen WAF offers similar functionality. It monitors for suspicious and anomalous web traffic and protects, in real-time, against attacks directed at the applications and origin servers that you specify.
Fastly provides rule set updates to the Fastly WAF in a prompt manner to help protect customers against attacks.
IMPORTANT
Fastly does not publish CVE rules for this product on a regular basis. For customers looking for protection against specific CVE threats, we recommend using the Fastly Next-Gen WAF or Fastly WAF 2020.
For OWASP and Trustwave rules changes we use the following process:
- We regularly review the rule changes as they happen in both the OWASP Core Rule Set and the Trustwave Rule Set.
- We translate the rules into Varnish Configuration Language (VCL) to run inside our cache nodes.
- We test the rules in our platform to ensure they perform adequately. We try to maximize performance and rule efficacy while reducing false positives.
- We correct bugs, if any are found.
- We propagate the rule set changes to our platform worldwide.
- Finally, we will provide customers with a notification and instructions on how to make rule updates.
Rule set maintenance
The following links provide information about the updates and changes to the provided rule sets:
ID | Version/Date | Type of Change | Affected Rule Sets |
---|---|---|---|
4fsI2JzgtoAXfwpZ89Fehx | v13 2021-03-08 | | |
6wvihQHbaCG7NBPTfm20S9 | v12 2019-08-29 | | |
1PD2HFpi6qwkAsePake7pw | v11 2019-03-25 | | |
3vnl3cwPda9Q3WYCDRuGW | v10 2018-09-05 | | |
67LUkBwzFzESzumlU2L0T8 | v9 2018-08-01 | | |
552NEtnDyzucKd3vTjLgFC | v8 2018-05-11 | | |
6LG4xleIDKWLblCJczGpi9 | v7 2018-03-28 | | |
1D0OPmXjm6ZMOe9rMGAeQj | v6 2018-01-25 | | |
2YXlqZJQxMkWyAjM4kggR3 | v5 2017-11-13 | | |
2vyJNHO7fngQYJXU8UGUY6 | v4 2017-10-06 | | |
4Z09wgjp7do8NrOIzlckFS | v3 2017-08-14 | | |
39EE4tZnEM9Q8hxFJMHYU5 | v2 2017-04-26 | | |
Updating to the newest rule set
Follow these instructions to update a WAF to use the newest rule set.
Reviewing the current rule set
Before updating your WAF to a new rule set, we recommend that you record the value of your WAF's currently active rule set. You can use this information to revert your WAF to its previous state.
Run the following curl command in a terminal application to find the currently active rule set:
```
$ curl -s -H Fastly-Key:<your Fastly API token> -H Accept:application/vnd.api+json \
    https://api.fastly.com/service/<your Fastly service ID>/version/<your service version number>/wafs/<your WAF ID>
```
TIP
You can use this API endpoint to find your WAF's ID.
The output from the curl command is shown below. In the `relationships` object, notice that this WAF is using `<ID of your active configuration set>`. Remember the ID.

```json
{
  "data": {
    "attributes": {
      "last_push": null,
      "prefetch_condition": null,
      "response": null,
      "version": "1"
    },
    "id": "<your WAF ID>",
    "relationships": {
      "configuration_set": {
        "data": {
          "id": "<ID of your active configuration set>",
          "type": "configuration_set"
        }
      }
    },
    "type": "waf"
  }
}
```
Changing the rule set version
Follow these instructions to change the rule set version for a WAF:
- Find the ID of the new rule set version you want to use in the rule set maintenance section.
- On your computer, create a new file called `updated_relationship.json`.
- Copy and paste the following JSON into the file, replacing `<your rules ID>` with the ID of the rule set version you want to use:

  ```json
  {
    "data": {
      "id": "<your WAF ID>",
      "relationships": {
        "configuration_set": {
          "data": {
            "id": "<your rules ID>",
            "type": "configuration_set"
          }
        }
      },
      "type": "waf"
    }
  }
  ```

- Save the changes to the `updated_relationship.json` file.
- In the directory where you saved the file, run the following curl command in a terminal application to change the rule set version for a WAF:

  ```
  $ curl -s -X PATCH -H Fastly-Key:<your Fastly API token> -H Accept:application/vnd.api+json \
      -H Content-Type:application/vnd.api+json -d @updated_relationship.json \
      https://api.fastly.com/service/<your Fastly service ID>/version/<your service version number>/wafs/<your WAF ID>
  ```

- Changing the rule set version for a WAF can take some time. Run the following curl command in a terminal application to monitor the status of the process:

  ```
  $ curl -s -H Fastly-Key:<your Fastly API token> -H Accept:application/vnd.api+json \
      https://api.fastly.com/service/<your Fastly service ID>/version/<your service version number>/wafs/<your WAF ID>
  ```

  The process is complete when the output displays the ID of the new rule set version.
Updating to the latest rules
After you've verified that the rule set for the WAF has successfully been changed, follow these steps to update your WAF with the latest rules:

- Run the following curl command in a terminal application to update the rule set:

  ```
  $ curl -s -X PATCH -H Fastly-Key:<your Fastly API token> -H Accept:application/vnd.api+json \
      -H Content-Type:application/vnd.api+json -d '{"data":{"id":"<your WAF ID>","type":"ruleset"}}' \
      https://api.fastly.com/service/<your Fastly service ID>/wafs/<your WAF ID>/ruleset
  ```

  The response will look like this:

  ```json
  {
    "data": {
      "id": "WAF_ID",
      "type": "ruleset"
    },
    "links": {
      "related": {
        "href": "https://api.fastly.com/service/<your Fastly service ID>/wafs/<your WAF ID>/update_statuses/<update status ID>"
      }
    }
  }
  ```

- Updating the WAF with the latest rules can take some time. Using the URL in the response in the previous step, run the following curl command in a terminal application to monitor the status of the process:

  ```
  $ curl -s -H Fastly-Key:<your Fastly API token> -H Accept:application/vnd.api+json \
      https://api.fastly.com/service/<your Fastly service ID>/wafs/<your WAF ID>/update_statuses/<update status ID>
  ```

  The response for the `waf_update_status` will have a `status` of `complete` when the process is complete.

  ```json
  {
    "data": {
      "attributes": {
        "completed_at": "2017-04-05 18:47:28 UTC",
        "created_at": "2017-04-05 18:47:27 UTC",
        "message": null,
        "status": "complete",
        "updated_at": "2017-04-05 18:47:28 UTC"
      },
      "id": "<update status ID>",
      "type": "waf_update_status"
    }
  }
  ```
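The two waiting steps above (for the new rule set version to appear, then for the update status to reach `complete`) can be scripted with a bounded poll. This is an added example, not Fastly's code: the function names and the environment variables `FASTLY_API_TOKEN`, `SERVICE_ID`, `VERSION`, `WAF_ID`, `STATUS_URL` and `NEW_RULES_ID` are assumptions, and the parsing relies on the key order of the responses shown on this page.

```sh
#!/bin/sh
# Added example (not Fastly's code). Function names and the environment
# variables FASTLY_API_TOKEN, SERVICE_ID, VERSION, WAF_ID, STATUS_URL are
# assumptions. The sed patterns assume the key order shown on this page.

# Read a WAF object on stdin, print relationships.configuration_set.data.id.
config_set_id() {
  tr -d ' \n\t\r' |
    sed -n 's/.*"configuration_set":{"data":{"id":"\([^"]*\)".*/\1/p'
}

# Read a waf_update_status object on stdin, print attributes.status.
update_status() {
  tr -d ' \n\t\r' | sed -n 's/.*"status":"\([^"]*\)".*/\1/p'
}

api_get() {
  curl -s -H "Fastly-Key: $FASTLY_API_TOKEN" \
    -H "Accept: application/vnd.api+json" "$1"
}
fetch_waf() {
  api_get "https://api.fastly.com/service/$SERVICE_ID/version/$VERSION/wafs/$WAF_ID"
}
fetch_status() { api_get "$STATUS_URL"; }

# poll_until FETCH EXTRACT WANT [TRIES] [DELAY_SECONDS]
# Returns 0 once EXTRACT's output equals WANT, 1 if TRIES run out.
poll_until() {
  fetch=$1 extract=$2 want=$3 tries=${4:-30} delay=${5:-10}
  i=0
  while [ "$i" -lt "$tries" ]; do
    got=$("$fetch" | "$extract")
    if [ "$got" = "$want" ]; then return 0; fi
    i=$((i + 1))
    sleep "$delay"
  done
  echo "timed out waiting for '$want' (last saw '$got')" >&2
  return 1
}

# Typical use (needs network access and real IDs):
#   fetch_waf | config_set_id > previous_config_set.txt   # keep for a revert
#   poll_until fetch_waf config_set_id "$NEW_RULES_ID"
#   poll_until fetch_status update_status complete
```

Saving the output of `config_set_id` before the PATCH gives you the ID needed for a revert, and a non-zero return from `poll_until` is the signal to stop and investigate rather than continue to the next step.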
Reverting to a previous rule set version
If a WAF rule set update doesn't go as planned, you can revert to the previous rule set version. Using the previous rule set ID you recorded in the reviewing the current rule set section, follow the instructions in changing the rule set version and updating to the latest rules.