WAF Rule Exclusions (2020)

IMPORTANT

As announced, April 30, 2023 marks the formal retirement of the Fastly WAF (WAF Legacy and WAF 2020). Our Fastly Next-Gen WAF offers similar functionality. It monitors for suspicious and anomalous web traffic and protects, in real-time, against attacks directed at the applications and origin servers that you specify.

The WAF Rule Exclusions feature provides the ability to define criteria for allowing requests to proceed to the origin in cases where they would otherwise be blocked by Fastly's Web Application Firewall (WAF) security product. Creating exclusions allows you to reduce the rate of false positives for requests rejected by the WAF's detection logic while still protecting against application-layer attacks. You can use this feature to exclude WAF rules on a per-request basis.

How the WAF Rule Exclusions feature works

You can use the web interface or the Fastly API to create a rule exclusion policy. Every rule exclusion policy has two parts:

  • Conditions: The URLs, cookie names, and request parameters that won't be processed by the rules associated with the rule exclusion policy.
  • Rules: One or more rules that will be excluded for the conditions you specified in the rule exclusion policy. You can associate up to 30 rules per rule exclusion policy.

After you specify conditions and associate rules with a rule exclusion policy, you can activate the changes in production.

When a request matches the conditions set in a rule exclusion policy, the associated rules won't be triggered for the request parameters, URLs, and cookie names you specified in the rule exclusion policy. The parts of the request that haven't been excluded will still be processed by the WAF.

When rule exclusions can be useful

The WAF Rule Exclusions feature might be useful for:

  • excluding a specific request parameter from being processed by a specific rule
  • excluding a specific URL from being processed by a specific rule
  • excluding a specific cookie from being processed by a specific rule
  • specifying a single set of conditions to exclude many rules
  • combining multiple rule exclusion policies using AND or OR logic to exclude a rule

For example, you could set up a rule exclusion that would ignore a rule if it was triggered by the following conditions:

  • Does not match the following paths: /checkout/*, /selfhelp/help
  • Matches on cookie name: ec_bn, touch_cookie
  • Matches on request parameter name: AdditionalInfo, data, Comment, terms, notes
  • Matches on JSON parameter name: links.sending.Example.LimlURL

Working with WAF exclusions using the web interface

You can use the web interface to add, update, and remove rule exclusion policies.

NOTE

You can't use the web interface to configure variable rule exclusions. Those can be configured via the API.

Creating a rule exclusion policy

To create a rule exclusion policy, follow these instructions:

  1. Log in to the Fastly web interface. The Home page appears displaying a list of all services associated with your account.
  2. Find your Fastly service in the list and then click WAF.

  3. Click Settings.
  4. Click Rule exclusions.

  5. Click Create New Exclusion.

    creating a new WAF rule exclusion policy

  6. Fill out the Define exclusion policy fields as follows:

    • In the Name field, enter a human-readable name for the rule exclusion policy.
    • In the Define VCL condition field, enter the conditional expression in VCL that will be used to determine if the condition is met.
    • In the Apply to rules field, enter a WAF rule ID and click Add. The rules you add will be excluded for the conditions you specified in the Define VCL condition field.
  7. Click Submit to save the rule exclusion policy.

  8. Activate the changes to your WAF.

Updating a rule exclusion policy

To update an existing rule exclusion policy, follow these instructions:

  1. Log in to the Fastly web interface. The Home page appears displaying a list of all services associated with your account.
  2. Find your Fastly service in the list and then click the WAF link.

  3. Click Settings.
  4. Click Rule exclusions.

    the WAF rule exclusion policies page

  5. Find the rule exclusion policy you want to edit and then click Edit.

  6. Edit the conditions or rules as necessary.

  7. Click Submit.

  8. Activate the changes to your WAF.

Deleting a rule exclusion policy

To delete a rule exclusion policy, follow these instructions:

  1. Log in to the Fastly web interface. The Home page appears displaying a list of all services associated with your account.
  2. Find your Fastly service in the list and then click the WAF link.

  3. Click Settings.
  4. Click Rule exclusions.

    the WAF rule exclusion policies page

  5. Find the rule exclusion policy you want to edit and then click Delete.

  6. Activate the changes to your WAF.

Creating a policy to exclude all rules

In certain circumstances, you may need to create an exclusion for all WAF rules. You can use a VCL condition to exclude all rules, as shown in the following example.

1if (req.http.host != "www.example.com") {
2 set req.http.rqpass = "1";
3 }

Working with WAF exclusions using the API

You can use the Fastly API to add, view, update, and remove rule exclusion policies. For documentation and examples, see the WAF Rule Exclusions API documentation.

NOTE

To reduce the number of log entries generated, we recommend using the API to disable logging once the rule exclusion is working as expected.

Limitations

The WAF Rule Exclusions feature currently has the following limitations:

  • A firewall can have a maximum of 300 rule exclusion policies.
  • A rule exclusion policy can have a maximum of 30 rules associated with it.
  • A rule exclusion policy can be only be associated with strict and scoring rules, not threshold rules.
Was this guide helpful?

Do not use this form to send sensitive information. If you need assistance, contact support. This form is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.