Managing the Fastly WAF (original)

IMPORTANT

As announced, April 30, 2023 marks the formal retirement of the Fastly WAF (WAF Legacy and WAF 2020). Our Fastly Next-Gen WAF offers similar functionality. It monitors for suspicious and anomalous web traffic and protects, in real-time, against attacks directed at the applications and origin servers that you specify.

The Fastly WAF provides rules that detect and block potential attacks. The rules are collected into a policy and deployed within your Fastly service at the edge.

Inspecting the Fastly WAF rule set

You can inspect your Fastly WAF rule set at any time. By making an API call, you can download all of the data associated with your Fastly WAF rules. To inspect your Fastly WAF rule set, run the following curl command in a terminal application:

$ curl -H 'Fastly-Key: FASTLY_API_TOKEN' https://api.fastly.com/service/<your Fastly service ID>/wafs/<your WAF ID>/ruleset | perl -pe 's/\\n/\n/g'

NOTE

The | perl -pe 's/\\n/\n/g' is optional and can assist with formatting.

Inspecting the VCL of a WAF rule

To inspect the VCL of a specific Fastly WAF rule, run the following curl command in a terminal application:

$ curl -H 'Fastly-Key: FASTLY_API_TOKEN' https://api.fastly.com/wafs/<your WAF ID>/rules/<rule_id>/vcl

See the API documentation for more information.

Blocking requests

When you start using Fastly WAF for the first time, all rules are set to log status to minimize false positives. We recommend you monitor the logs for a minimum of two weeks to make sure that the rules will not block legitimate requests to your web application. Requests will not be blocked until you switch one or more rules from log to block status.

Changing the status of rules

To change a rule from log status to disabled or block status, inspect your rule set or review your logs to find the waf.rule_id variable. Then, run the following curl command in a terminal application for each rule:

$ curl -H 'Fastly-Key: FASTLY_API_TOKEN' -X PATCH -d '{"data": {"id": "<your WAF ID>-<WAF rule ID>", "type": "rule_status", "attributes":{ "status": "block"}}}' -H 'Content-Type: application/vnd.api+json' https://api.fastly.com/service/<your Fastly service ID>/wafs/<your WAF ID>/rules/<WAF rule ID>/rule_status

To change the status of a group of rules, use a filter-tag (e.g., application-WordPress, language-html, or OWASP) by running the following curl command in a terminal application:

$ curl -H 'Fastly-Key: FASTLY_API_TOKEN' -X POST -d '{"data": {"id": "<your WAF ID>", "type": "rule_status", "attributes": {"name": "<tag>", "status": "block"}}}' -H 'Content-Type: application/vnd.api+json' https://api.fastly.com/service/<your Fastly service ID>/wafs/<your WAF ID>/rule_statuses

NOTE

When changing rule statuses for a group of rules using a filter-tag, the above API call will preserve the status of any disabled rules updated individually. If all rules under the filter-tag should be forced to have a log or block state, add the parameter force:true under attributes in the request body.

See the API documentation for more information. When you've finished setting rules to block status, you'll need to activate the changes.

NOTE

If you need to enable more than 1,000 rules, contact our customer support team at https://support.fastly.com/.

OWASP Configuration

OWASP blocking is dependent on the following:

  • All OWASP rules (excluding rules changed from log to disabled mode) set to block mode.
  • Threshold limits set for the cumulative score and attack categories.

If a request triggers OWASP rules, it returns attack category scores and a cumulative score. If any of the final scores exceed the threshold limit and the OWASP rules are in block mode, Fastly sends the custom error response to the user.

Viewing OWASP settings

To view your OWASP settings, run the following curl command in a terminal application:

$ curl -H 'Fastly-Key: FASTLY_API_TOKEN' https://api.fastly.com/service/<service_id>/wafs/<your WAF ID>/owasp

The cumulative anomaly score is displayed in the inbound_anomaly_score_threshold field.

Changing OWASP settings

To change any OWASP settings object, run the following OWASP update command in a terminal application:

$ curl -X PATCH -v -H "Content-Type: application/vnd.api+json" -H "Accept: application/vnd.api+json" -H "Fastly-Key: FASTLY_API_TOKEN" https://api.fastly.com/service/<service_id>/wafs/<waf_id>/owasp -d '{"data": {"attributes":{"inbound_anomaly_score_threshold":"50"}, "id":"<owasp_id>", "type":"owasp"}}'

When you've finished modifying OWASP settings, you'll need to activate the changes.

Activating changes

After you modify the status of one or more rules, you must activate the changes by running the following curl command in a terminal application:

$ curl -H 'Fastly-Key: FASTLY_API_TOKEN' -X PATCH -d '{"data": {"id": "<your WAF ID>", "type": "ruleset"}}' -H 'Content-Type: application/vnd.api+json' https://api.fastly.com/service/<your Fastly service ID>/wafs/<your WAF ID>/ruleset

See the API documentation for more information.

Rules are versionless. Any changes to the rules will become effective after you run the command shown above. You won't need to activate a new version of your service to have the changes take effect.
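
The per-rule status change and the activation step described above, combined into one script as an added example (not Fastly's code). It assumes rule IDs are numeric and that the token is supplied in a FASTLY_API_TOKEN environment variable; the function names, the DRY_RUN switch, and the sample IDs are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not Fastly's code. Dry run by default: prints each call.
API="https://api.fastly.com"

# Accept digits only, so a rule ID can never alter the JSON body or URL path.
# Assumption: the waf.rule_id values taken from the logs are numeric.
valid_rule_id() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
}

rule_status_url() {      # $1 = service ID, $2 = WAF ID, $3 = rule ID
  printf '%s/service/%s/wafs/%s/rules/%s/rule_status' "$API" "$1" "$2" "$3"
}

rule_status_payload() {  # $1 = WAF ID, $2 = rule ID, $3 = status
  printf '{"data": {"id": "%s-%s", "type": "rule_status", "attributes": {"status": "%s"}}}' "$1" "$2" "$3"
}

ruleset_payload() {      # $1 = WAF ID
  printf '{"data": {"id": "%s", "type": "ruleset"}}' "$1"
}

api_patch() {            # $1 = URL, $2 = JSON body
  if [ "${DRY_RUN:-1}" = 1 ]; then
    printf 'PATCH %s %s\n' "$1" "$2"
  else
    curl -sS --fail -X PATCH -H "Fastly-Key: $FASTLY_API_TOKEN" \
      -H 'Content-Type: application/vnd.api+json' -d "$2" "$1"
  fi
}

promote_rules() {        # $1 = service ID, $2 = WAF ID, rest = rule IDs
  svc=$1; waf=$2; shift 2
  # Validate every ID first so a malformed one is caught before any change.
  for id in "$@"; do
    valid_rule_id "$id" || { echo "invalid rule ID: $id" >&2; return 1; }
  done
  for id in "$@"; do
    api_patch "$(rule_status_url "$svc" "$waf" "$id")" \
      "$(rule_status_payload "$waf" "$id" block)" || return 1
  done
  # Status changes take effect only after the ruleset is activated.
  api_patch "$API/service/$svc/wafs/$waf/ruleset" "$(ruleset_payload "$waf")"
}

# Constructed placeholder IDs; set DRY_RUN=0 and FASTLY_API_TOKEN to send.
promote_rules "SERVICE_ID" "WAF_ID" 1010010 1010020
```

Review the dry-run output against the rule IDs you confirmed in your logs before sending the requests.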
