    Managing the Fastly WAF

      Last updated April 24, 2018

    The Fastly WAF provides rules that detect and block potential attacks. The rules are collected into a policy and deployed within your Fastly service at the edge.

    Inspecting the Fastly WAF rule set

    You can inspect your Fastly WAF rule set at any time. By making an API call, you can download all of the data associated with your Fastly WAF rules. To inspect your Fastly WAF rule set, run the following cURL command in a terminal application:

    curl -H 'Fastly-Key: FASTLY_API_TOKEN' https://api.fastly.com/service/<your Fastly service ID>/wafs/<your WAF ID>/ruleset | perl -pe 's/\\n/\n/g'
    

    Inspecting the VCL of a WAF rule

    To inspect the VCL of a specific Fastly WAF rule, run the following cURL command in a terminal application:

    curl -H 'Fastly-Key: FASTLY_API_TOKEN' https://api.fastly.com/wafs/<your WAF ID>/rules/<rule_id>/vcl
    

    See the API documentation for more information.

    Blocking requests

    When you start using Fastly WAF for the first time, all rules are set to log status to minimize false positives. We recommend you monitor the logs for a minimum of two weeks to make sure that the rules will not block legitimate requests to your web application. Requests will not be blocked until you switch one or more rules from log to block status.

    Changing the status of rules

    To change a rule from log status to disabled or block status, inspect your rule set or review your logs to find the waf.rule_id variable. Then, run the following cURL command in a terminal application for each rule:

    curl -H 'Fastly-Key: FASTLY_API_TOKEN' -X PATCH -d '{"data": {"id": "<your WAF ID>-<WAF rule ID>", "type": "rule_status", "attributes":{ "status": "block"}}}' -H 'Content-Type: application/vnd.api+json' https://api.fastly.com/service/<your Fastly service ID>/wafs/<your WAF ID>/rules/<WAF rule ID>/rule_status
    

    To change the status of a group of rules, use a filter-tag (e.g., application-WordPress, language-html, or OWASP) by running the following cURL command in a terminal application:

    curl -H 'Fastly-Key: FASTLY_API_TOKEN' -X POST -d '{"data": {"id": "<your WAF ID>", "type": "rule_status", "attributes": {"name": "<tag>", "status": "block"}}}' -H 'Content-Type: application/vnd.api+json' https://api.fastly.com/service/<your Fastly service ID>/wafs/<your WAF ID>/rule_statuses
    

    See the API documentation for more information. When you've finished setting rules to block status, you'll need to activate the changes.

    OWASP Configuration

    OWASP blocking is dependent on the following:

    If a request triggers OWASP rules, it returns attack category scores and a cumulative score. If any of the final scores exceed the threshold limit and the OWASP rules are in block mode, Fastly sends the custom error response to the user.

    Viewing OWASP settings

    To view your OWASP settings, run the following cURL command in a terminal application:

    curl -H 'Fastly-Key: FASTLY_API_TOKEN' https://api.fastly.com/service/<service_id>/wafs/<your WAF ID>/owasp
    

    The cumulative anomaly score is displayed in the inbound_anomaly_score_threshold field.

    Changing OWASP settings

    To change any OWASP settings object, run the following OWASP update command in a terminal application:

    curl -X PATCH -v -H "Content-Type: application/vnd.api+json" -H "Accept: application/vnd.api+json" -H "Fastly-Key: FASTLY_API_TOKEN" https://api.fastly.com/service/<service_id>/wafs/<waf_id>/owasp -d '{"data": {"attributes":{"inbound_anomaly_score_threshold":"50"}, "id":"<owasp_id>", "type":"owasp"}}'
    

    When you've finished modifying OWASP settings, you'll need to activate the changes.

    Activating changes

    After you modify the status of one or more rules, you must activate the changes by running the following cURL command in a terminal application:

    curl -H 'Fastly-Key: FASTLY_API_TOKEN' -X PATCH -d '{"data": {"id": "<your WAF ID>", "type": "ruleset"}}' -H 'Content-Type: application/vnd.api+json' https://api.fastly.com/service/ID/wafs/ID/ruleset
    

    See the API documentation for more information.

    Rules are versionless. Any changes to the rules will become effective after you run the command shown above. You won't need to activate a new version of your service to have the changes take effect.
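
    The status-change and activation steps above, scripted as a dry-run wrapper (an added example, not Fastly's code). The function names, the APPLY switch, the assumption that IDs are alphanumeric and the placeholder IDs in the last line are this example's own; the endpoints and request bodies are the ones shown on this page.

```shell
# Added example (not Fastly's code): dry-run wrapper for the rule_status and
# ruleset calls. Function names and the APPLY switch are assumptions.
API=https://api.fastly.com

# Assumption: service, WAF and rule IDs are plain alphanumerics; anything else
# (quotes, slashes) is rejected before it reaches the JSON body or the URL.
valid_id() { case "$1" in ''|*[!A-Za-z0-9]*) return 1 ;; esac; }

# JSON:API body for one rule; only the three statuses the page names pass.
rule_status_payload() {  # args: WAF_ID RULE_ID STATUS
  valid_id "$1" && valid_id "$2" || { echo "bad id" >&2; return 2; }
  case "$3" in log|block|disabled) ;; *) echo "bad status: $3" >&2; return 2 ;; esac
  printf '{"data": {"id": "%s-%s", "type": "rule_status", "attributes": {"status": "%s"}}}' \
    "$1" "$2" "$3"
}

# Print the request unless APPLY=1. When sending, the token is fed to curl on
# stdin (--config -) so it does not show up in the process list.
waf_call() {  # args: METHOD PATH BODY
  if [ "${APPLY:-0}" != 1 ]; then
    printf '%s %s%s %s\n' "$1" "$API" "$2" "$3"; return 0
  fi
  printf 'header = "Fastly-Key: %s"\n' "${FASTLY_API_TOKEN:?set FASTLY_API_TOKEN}" |
    curl --config - --fail --silent --show-error -X "$1" \
      -H 'Content-Type: application/vnd.api+json' -d "$3" "$API$2"
}

set_rule_status() {  # args: SERVICE_ID WAF_ID RULE_ID STATUS
  valid_id "$1" || { echo "bad service id" >&2; return 2; }
  body=$(rule_status_payload "$2" "$3" "$4") || return 2
  waf_call PATCH "/service/$1/wafs/$2/rules/$3/rule_status" "$body"
}

activate_ruleset() {  # args: SERVICE_ID WAF_ID
  valid_id "$1" && valid_id "$2" || { echo "bad id" >&2; return 2; }
  waf_call PATCH "/service/$1/wafs/$2/ruleset" "{\"data\": {\"id\": \"$2\", \"type\": \"ruleset\"}}"
}

# Switch reviewed rules to block, activate once; stop before activating on any failure.
block_reviewed_rules() {  # args: SERVICE_ID WAF_ID RULE_ID...
  svc=$1; waf=$2; shift 2
  for rule in "$@"; do
    set_rule_status "$svc" "$waf" "$rule" block || return 1
  done
  activate_ruleset "$svc" "$waf"
}

# Dry run with constructed placeholder IDs (APPLY unset): prints three requests.
block_reviewed_rules SERVICEID WAFID 1000001 1000002
```

    Export FASTLY_API_TOKEN and set APPLY=1 to send the requests instead of printing them.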
