WAF Rule Exclusions (2020)
Last updated 2021-09-27
IMPORTANT
As announced, April 30, 2023 marks the formal retirement of the Fastly WAF (WAF Legacy and WAF 2020). Our Fastly Next-Gen WAF offers similar functionality. It monitors for suspicious and anomalous web traffic and protects, in real-time, against attacks directed at the applications and origin servers that you specify.
The WAF Rule Exclusions feature provides the ability to define criteria for allowing requests to proceed to the origin in cases where they would otherwise be blocked by Fastly's Web Application Firewall (WAF) security product. Creating exclusions allows you to reduce the rate of false positives for requests rejected by the WAF's detection logic while still protecting against application-layer attacks. You can use this feature to exclude WAF rules on a per-request basis.
How the WAF Rule Exclusions feature works
You can use the web interface or the Fastly API to create a rule exclusion policy. Every rule exclusion policy has two parts:
- Conditions: The URLs, cookie names, and request parameters that won't be processed by the rules associated with the rule exclusion policy.
- Rules: One or more rules that will be excluded for the conditions you specified in the rule exclusion policy. You can associate up to 30 rules per rule exclusion policy.
After you specify conditions and associate rules with a rule exclusion policy, you can activate the changes in production.
When a request matches the conditions set in a rule exclusion policy, the associated rules won't be triggered for the request parameters, URLs, and cookie names you specified in the rule exclusion policy. The parts of the request that haven't been excluded will still be processed by the WAF.
When rule exclusions can be useful
The WAF Rule Exclusions feature might be useful for:
- excluding a specific request parameter from being processed by a specific rule
- excluding a specific URL from being processed by a specific rule
- excluding a specific cookie from being processed by a specific rule
- specifying a single set of conditions to exclude many rules
- combining multiple rule exclusion policies using AND or OR logic to exclude a rule
For example, you could set up a rule exclusion that would ignore a rule if it was triggered by the following conditions:
- Does not match the following paths:
/checkout/*,/selfhelp/help - Matches on cookie name:
ec_bn,touch_cookie - Matches on request parameter name:
AdditionalInfo,data,Comment,terms,notes - Matches on JSON parameter name:
links.sending.Example.LimlURL
Working with WAF exclusions using the web interface
You can use the web interface to add, update, and remove rule exclusion policies.
NOTE
You can't use the web interface to configure variable rule exclusions. Those can be configured via the API.
Creating a rule exclusion policy
To create a rule exclusion policy, follow these instructions:
- Log in to the Fastly web interface. The Home page appears displaying a list of all services associated with your account.
Find your Fastly service in the list and then click the WAF link. The WAF summary page appears.
- Click the Settings link. The Settings page appears.
Click the Rule exclusions link. The Rule exclusions policies page appears.
Click the Create New Exclusion button. The Define exclusion policy page appears.
In the Name field, enter a human-readable name for the rule exclusion policy.
In the Define VCL condition field, enter the conditional expression in VCL that will be used to determine if the condition is met.
In the Apply to rules field, enter a WAF rule ID and click Add. The rules you add will be excluded for the conditions you specified in the Define VCL condition field.
Click the Submit button to save the rule exclusion policy.
Activate the changes to your WAF.
Updating a rule exclusion policy
To update an existing rule exclusion policy, follow these instructions:
- Log in to the Fastly web interface. The Home page appears displaying a list of all services associated with your account.
Find your Fastly service in the list and then click the WAF link. The WAF summary page appears.
- Click the Settings link. The Settings page appears.
Click the Rule exclusions link. The Rule exclusions policies page appears.
Find the rule exclusion policy you want to edit and then click the Edit link. The Define exclusion policy page appears.
Edit the conditions or rules as necessary.
Click the Submit button.
Activate the changes to your WAF.
Deleting a rule exclusion policy
To delete a rule exclusion policy, follow these instructions:
- Log in to the Fastly web interface. The Home page appears displaying a list of all services associated with your account.
Find your Fastly service in the list and then click the WAF link. The WAF summary page appears.
- Click the Settings link. The Settings page appears.
Click the Rule exclusions link. The Rule exclusions policies page appears.
Find the rule exclusion policy you want to edit and then click the Delete link.
Activate the changes to your WAF.
Creating a policy to exclude all rules
In certain circumstances, you may need to create an exclusion for all WAF rules. You can use a VCL condition to exclude all rules, as shown in the following example.
1if (req.http.host != "www.example.com") {2 set req.http.rqpass = "1";3 }Working with WAF exclusions using the API
You can use the Fastly API to add, view, update, and remove rule exclusion policies. For documentation and examples, see the WAF Rule Exclusions API documentation.
NOTE
To reduce the number of log entries generated, we recommend using the API to disable logging once the rule exclusion is working as expected.
Limitations
The WAF Rule Exclusions feature currently has the following limitations:
- A firewall can have a maximum of 300 rule exclusion policies.
- A rule exclusion policy can have a maximum of 30 rules associated with it.
- A rule exclusion policy can be only be associated with strict and scoring rules, not threshold rules.
Do not use this form to send sensitive information. If you need assistance, contact support.