WAF Rule Exclusions (2020)

The WAF Rule Exclusions feature provides the ability to define criteria for allowing requests to proceed to the origin in cases where they would otherwise be blocked by Fastly's Web Application Firewall (WAF) security product. Creating exclusions allows you to reduce the rate of false positives for requests rejected by the WAF's detection logic while still protecting against application-layer attacks. You can use this feature to exclude WAF rules on a per-request basis.

How the WAF Rule Exclusions feature works

You can use the web interface or the Fastly API to create a rule exclusion policy. Every rule exclusion policy has two parts:

  • Conditions: The URLs, cookie names, and request parameters that won't be processed by the rules associated with the rule exclusion policy.
  • Rules: One or more rules that will be excluded for the conditions you specified in the rule exclusion policy. You can associate up to 30 rules per rule exclusion policy.

After you specify conditions and associate rules with a rule exclusion policy, you can activate the changes in production.

When a request matches the conditions set in a rule exclusion policy, the associated rules won't be triggered for the request parameters, URLs, and cookie names you specified in the rule exclusion policy. The parts of the request that haven't been excluded will still be processed by the WAF.

When rule exclusions can be useful

The WAF Rule Exclusions feature might be useful for:

  • excluding a specific request parameter from being processed by a specific rule
  • excluding a specific URL from being processed by a specific rule
  • excluding a specific cookie from being processed by a specific rule
  • specifying a single set of conditions to exclude many rules
  • combining multiple rule exclusion policies using AND or OR logic to exclude a rule

For example, you could set up a rule exclusion that would ignore a rule if it was triggered by the following conditions:

  • Does not match the following paths: /checkout/*, /selfhelp/help
  • Matches on cookie name: ec_bn, touch_cookie
  • Matches on request parameter name: AdditionalInfo, data, Comment, terms, notes
  • Matches on JSON parameter name: links.sending.Example.LimlURL

Working with WAF exclusions using the web interface

You can use the web interface to add, update, and remove rule exclusion policies.

Creating a rule exclusion policy

To create a rule exclusion policy, follow these instructions:

  1. Log in to the Fastly web interface. The All services page appears.
  2. Find your Fastly service in the list and then click the WAF link. The WAF summary page appears.
  3. Click the Settings link. The Settings page appears.
  4. Click the Rule exclusions link. The Rule exclusions policies page appears.
  5. Click the Create New Exclusion button. The Define exclusion policy page appears.

    creating a new WAF rule exclusion policy

  6. In the Name field, enter a human-readable name for the rule exclusion policy.
  7. In the Define VCL condition field, enter the conditional expression in VCL that will be used to determine if the condition is met.
  8. In the Apply to rules field, enter a WAF rule ID and click Add. The rules you add will be excluded for the conditions you specified in the Define VCL condition field.
  9. Click the Submit button to save the rule exclusion policy.
  10. Activate the changes to your WAF.

Updating a rule exclusion policy

To update an existing rule exclusion policy, follow these instructions:

  1. Log in to the Fastly web interface. The All services page appears.
  2. Find your Fastly service in the list and then click the WAF link. The WAF summary page appears.
  3. Click the Settings link. The Settings page appears.
  4. Click the Rule exclusions link. The Rule exclusions policies page appears.

    the WAF rule exclusion policies page

  5. Find the rule exclusion policy you want to edit and then click the Edit link. The Define exclusion policy page appears.
  6. Edit the conditions or rules as necessary.
  7. Click the Submit button.
  8. Activate the changes to your WAF.

Deleting a rule exclusion policy

To delete a rule exclusion policy, follow these instructions:

  1. Log in to the Fastly web interface. The All services page appears.
  2. Find your Fastly service in the list and then click the WAF link. The WAF summary page appears.
  3. Click the Settings link. The Settings page appears.
  4. Click the Rule exclusions link. The Rule exclusions policies page appears.

    the WAF rule exclusion policies page

  5. Find the rule exclusion policy you want to edit and then click the Delete link.
  6. Activate the changes to your WAF.

Creating a policy to exclude all rules

In certain circumstances, you may need to create an exclusion for all WAF rules. You can use a VCL condition to exclude all rules, as shown in the following example.

1
2
3
if (req.http.host != "www.example.com") {
    set req.http.rqpass = "1";
   }

Working with WAF exclusions using the API

You can use the Fastly API to add, view, update, and remove rule exclusion policies. For documentation and examples, see the WAF Rule Exclusions API documentation.

Limitations

The WAF Rule Exclusions feature currently has the following limitations:

  • A firewall can have a maximum of 300 rule exclusion policies.
  • A rule exclusion policy can have a maximum of 30 rules associated with it.
  • A rule exclusion policy can be only be associated with strict and scoring rules, not threshold rules.
Back to Top