WAF Rule Exclusions

      Last updated December 14, 2020

    The WAF Rule Exclusions feature provides the ability to define criteria for allowing requests to proceed to the origin in cases where they would otherwise be blocked by Fastly's Web Application Firewall (WAF) security product. Creating exclusions allows you to reduce the rate of false positives for requests rejected by the WAF's detection logic while still protecting against application-layer attacks. You can use this feature to exclude WAF rules on a per-request basis.

    How the WAF Rule Exclusions feature works

    You can use the web interface or the Fastly API to create a rule exclusion policy. Every rule exclusion policy has two parts:

    After you specify conditions and associate rules with a rule exclusion policy, you can activate the changes in production.

    When a request matches the conditions set in a rule exclusion policy, the associated rules won't be triggered for the request parameters, URLs, and cookie names you specified in the rule exclusion policy. The parts of the request that haven't been excluded will still be processed by the WAF.

    When rule exclusions can be useful

    The WAF Rule Exclusions feature might be useful for:

    For example, you could set up a rule exclusion that would ignore a rule if it was triggered by the following conditions:

    Working with WAF exclusions using the web interface

    You can use the web interface to add, update, and remove rule exclusion policies.

    Creating a rule exclusion policy

    To create a rule exclusion policy, follow these instructions:

    1. Log in to the Fastly web interface. The All services page appears.
    2. Find your Fastly service in the list and then click the WAF link. The WAF summary page appears.
    3. Click the Settings link. The Settings page appears.
    4. Click the Rule exclusions link. The Rule exclusions policies page appears.
    5. Click the Create New Exclusion button. The Define exclusion policy page appears.

    6. In the Name field, enter a human-readable name for the rule exclusion policy.
    7. In the Define VCL condition field, enter the conditional expression in VCL that will be used to determine if the condition is met.
    8. In the Apply to rules field, enter a WAF rule ID and click Add. The rules you add will be excluded for the conditions you specified in the Define VCL condition field.
    9. Click the Submit button to save the rule exclusion policy.
    10. Activate the changes to your WAF.
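
    A review check you can run on a draft policy before activating it, given as an added example rather than Fastly code: it flags VCL conditions that would exclude rules for more traffic than intended. The policy dictionary layout, the placeholder rule IDs, the sample conditions, and the heuristics themselves are assumptions made for illustration.

```python
import re

# Matches `req.<var> ~ "<pattern>"`; negated matches (!~) are skipped on purpose.
REGEX_MATCH = re.compile(r'(req\.[\w.\-]+)\s*~\s*"((?:[^"\\]|\\.)*)"')

def review_policy(policy, max_rules=5):
    """Return review findings for one exclusion policy ([] means none)."""
    cond = policy["condition"].strip()
    findings = []
    if "req." not in cond:
        findings.append("condition never inspects the request, so it matches all traffic")
    elif not re.search(r"req\.url\b", cond):
        findings.append("condition is not tied to a URL, so it applies site-wide")
    # A regex without a leading ^ matches anywhere inside the value.
    for var, pattern in REGEX_MATCH.findall(cond):
        if not pattern.startswith("^"):
            findings.append(f"unanchored regex on {var} matches anywhere in the value")
    if not policy["rules"]:
        findings.append("no rule IDs listed")
    elif len(policy["rules"]) > max_rules:
        findings.append(f"{len(policy['rules'])} rules excluded by one condition")
    return findings

def review_all(policies):
    """Map each policy name to its list of findings."""
    return {p["name"]: review_policy(p) for p in policies}

# Constructed sample policies: names, conditions and rule IDs are placeholders,
# not values from a real service or from Fastly's rule set.
SAMPLE_POLICIES = [
    {"name": "cms-save-body",
     "condition": 'req.url.path == "/cms/save" && req.method == "POST"',
     "rules": ["<rule-id-1>"]},
    {"name": "upload-anywhere",
     "condition": 'req.url ~ "upload"',
     "rules": ["<rule-id-1>", "<rule-id-2>"]},
    {"name": "catch-all", "condition": "true", "rules": ["<rule-id-1>"]},
    {"name": "cookie-only",
     "condition": 'req.http.Cookie ~ "^session="',
     "rules": [f"<rule-id-{n}>" for n in range(1, 7)]},
]

if __name__ == "__main__":
    for name, findings in review_all(SAMPLE_POLICIES).items():
        print(name, "->", findings or "ok")
```

    A policy with no findings is not automatically safe; the check only catches conditions that are broad by construction.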

    Updating a rule exclusion policy

    To update an existing rule exclusion policy, follow these instructions:

    1. Log in to the Fastly web interface. The All services page appears.
    2. Find your Fastly service in the list and then click the WAF link. The WAF summary page appears.
    3. Click the Settings link. The Settings page appears.
    4. Click the Rule exclusions link. The Rule exclusions policies page appears.

    5. Find the rule exclusion policy you want to edit and then click the Edit link. The Define exclusion policy page appears.
    6. Edit the conditions or rules as necessary.
    7. Click the Submit button.
    8. Activate the changes to your WAF.

    Deleting a rule exclusion policy

    To delete a rule exclusion policy, follow these instructions:

    1. Log in to the Fastly web interface. The All services page appears.
    2. Find your Fastly service in the list and then click the WAF link. The WAF summary page appears.
    3. Click the Settings link. The Settings page appears.
    4. Click the Rule exclusions link. The Rule exclusions policies page appears.

    5. Find the rule exclusion policy you want to delete and then click the Delete link.
    6. Activate the changes to your WAF.

    Working with WAF exclusions using the API

    You can use the Fastly API to add, view, update, and remove rule exclusion policies. For documentation and examples, see the WAF Rule Exclusions API documentation.

    Limitations

    The WAF Rule Exclusions feature currently has the following limitations:
