WAF rule set update for 2019-08-29 (legacy)
IMPORTANT: Our original WAF offering is now a legacy product. It was superseded by a new version, including a new interface and API, on July 13, 2020. The legacy version will continue to be supported for all existing users. The new version is available to all customers and is the default version for new customers as of July 13, 2020. Customers of the legacy WAF can contact email@example.com or their Fastly account team to upgrade.
Type of Change
- The OWASP Core Rule Set (CRS) was updated with 19 new rules that mitigate SQL injection, Content-Type anomalies, client-side code injection, PHP injection, and remote code execution. In addition, 95 existing OWASP CRS rules were updated to improve their effectiveness or reduce false positives.
- The following rules were removed from the OWASP CRS: 920130, 920280, 920290, 921100, 941200, 941310, 941350, and 944220. Rules 941310, 941350, and 941200 specifically were removed due to performance issues that may impact your WAF.
- Fastly Rules 4112012 and 4112031 have been updated to reduce incidents of false positives. Fastly Rule 4112030 was removed due to excessive false positives.
- The Trustwave rules have been updated with 197 new rules, of which 44 are for WordPress and 94 for Joomla. These rules include better protections for customers using these platforms to publish web content.
- Trustwave rules 217055, 2066577, and 2100097 were removed.
- Some Fastly and Trustwave rules have been renumbered. Renumbering is handled transparently, so there should be no impact on your production WAF objects.
Affected Rule Sets
- Fastly Rules