About the Fastly WAF rule management interface

  Last updated March 19, 2019

The Fastly WAF rule management interface provides visibility and management for rules enabled on a WAF associated with a Fastly service. If you've been assigned the role of engineer or superuser, you can use the rule management interface to inspect the details of WAF rules, search and filter by rule ID or category, manage thresholds and scores, change rule modes, and deploy changes into production.

Beta Limitations

The Fastly WAF rule management interface currently has the following limitations:

Accessing the Fastly WAF rule management interface

You can access the Fastly WAF rule management interface from the WAF dashboard by following the steps below:

  1. Log in to the Fastly web interface. The All services page appears.

  2. Find your Fastly service in the list, and then click the WAF link. The WAF summary page appears.
  3. Click the Manage Rules link. The Manage rules page appears.

Using the Fastly WAF rule management interface

The Fastly WAF rule management interface displays the rules currently enabled on the WAF associated with the selected Fastly service. If you haven't enabled rules or you don't see any rules on your WAF, contact support@fastly.com.

The Fastly WAF rule management interface consists of the following main sections:

WAF status bar

The status bar summarizes the status of your WAF.

Rule view

The rule view shows a list of all rules currently enabled on your WAF and their associated mode. There are three types of rules: scoring rules, threshold rules (also called threat categories), and application-specific rules.

Rules have a rule name, tags, revision indicator, rule ID, mode selector, and Details link. The revision indicator is used to indicate whether or not a rule has been revised. A revised rule may provide additional protection over and above the earlier revision.

Scoring rules

Scoring rules increment a score based on anomalies detected in the incoming HTTP request, and threshold rules check that total against the value configured for the appropriate threshold. An example scoring rule is shown below.

[Image: the WAF scoring rule]

Scoring rules have two possible modes:

You can click the Details link to see the format of a rule in the Apache ModSecurity format as well as the corresponding generated VCL.

Threshold rules

Threshold rules cover a specific category of attack against your web application or API. An example threshold rule is shown below.

[Image: the WAF threshold rule]

The threshold rule has a category name, revision indicator, tag, rule ID, mode selector, and Details link.

Threshold rules act on client HTTP requests by either logging them or blocking and logging them. These rules take action when a score exceeds a given threshold value. The corresponding threshold value for each category is configured on the Thresholds and Scores page.

Lowering thresholds increases the sensitivity of your WAF. Raising thresholds reduces the sensitivity of your WAF across the various threshold categories.

The Fastly WAF includes the following threshold rules organized into categories. Each rule has a corresponding threshold value that controls its sensitivity.

| ID | Threshold Name | Rule Action Condition | Corresponding Threshold Value | Action Choice |
|---|---|---|---|---|
| 1010090 | Inbound Anomaly Score | Action taken when the inbound anomaly score exceeds the configured inbound anomaly threshold | Inbound anomaly threshold | Log or Block & Log |
| 1010080 | Session Fixation | Action taken when the session fixation score exceeds the configured session fixation threshold | Session fixation threshold | Log or Block & Log |
| 1010070 | HTTP Violation | Action taken when the HTTP violation score exceeds the configured HTTP violation threshold | HTTP violation threshold | Log or Block & Log |
| 1010060 | PHP Injection | Action taken when the PHP injection score exceeds the configured PHP injection threshold | PHP injection threshold | Log or Block & Log |
| 1010050 | Remote Command Execution (RCE) | Action taken when the RCE anomaly score exceeds the configured RCE threshold | RCE threshold | Log or Block & Log |
| 1010040 | Local File Inclusion (LFI) | Action taken when the LFI score exceeds the configured LFI threshold | LFI threshold | Log or Block & Log |
| 1010030 | Remote File Inclusion (RFI) | Action taken when the RFI score exceeds the configured RFI threshold | RFI threshold | Log or Block & Log |
| 1010020 | Cross-site Scripting (XSS) | Action taken when the XSS score exceeds the configured XSS threshold | XSS threshold | Log or Block & Log |
| 1010010 | SQL Injection | Action taken when the SQL injection score exceeds the configured SQL injection threshold | SQL injection threshold | Log or Block & Log |

Application-specific rules

Application-specific rules look at incoming HTTP requests to find signatures designed to take advantage of specific vulnerabilities within the context of a specific library, framework, or component. They take effect immediately. Application-specific rules have three possible modes:

The rule search box allows you to search for a specific rule using the rule ID. The result is shown in the Rule View.

Category filters

The category filters allow you to view the different types of rules currently configured on your WAF. Filters can be combined.

Thresholds and scores

The Thresholds and scores page allows you to configure thresholds and other OWASP security policy settings. You can access these settings by clicking the Thresholds and Scores link.

This page can be used to tune the sensitivity of your WAF with respect to thresholds and scores.

WAF policy execution

When the Fastly WAF processes an inbound request, scoring rules execute first, followed by threshold rules. Application-specific and Fastly rules are executed last.

If the accumulated score exceeds the configured threshold, the threshold rules take action. For more information on the threshold categories and action condition, please see the table in the threshold rules section.
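
The scoring-then-threshold order described above can be modeled in a few lines. This is an added example, not Fastly's code or generated VCL: the rule IDs come from the threshold table on this page, while the patterns, the score of 5, the sample request, and the assumption that the inbound anomaly score is the total across categories are constructed for illustration.

```python
import re

# Threshold rule IDs and categories are taken from the table on this page.
THRESHOLD_RULE_IDS = {"sqli": 1010010, "xss": 1010020, "inbound": 1010090}

# Constructed scoring rules (category, pattern, score). The patterns and the
# score of 5 are illustrative assumptions, not Fastly's rule set.
SCORING_RULES = [
    ("sqli", re.compile(r"\bunion\b.+\bselect\b", re.I), 5),
    ("sqli", re.compile(r"'\s*or\s+'?1'?\s*=\s*'?1", re.I), 5),
    ("xss", re.compile(r"<script\b", re.I), 5),
]

def evaluate(request_text, thresholds, modes):
    """Return (action, scores, fired) for one request.

    thresholds: category -> int; modes: category -> "log" or "block".
    """
    # Step 1: scoring rules accumulate a score per category.
    scores = {category: 0 for category in THRESHOLD_RULE_IDS}
    for category, pattern, score in SCORING_RULES:
        if pattern.search(request_text):
            scores[category] += score
            scores["inbound"] += score  # assumption: inbound score is the total
    # Step 2: threshold rules compare each score with its configured threshold.
    fired = [
        (rule_id, modes[category])
        for category, rule_id in THRESHOLD_RULE_IDS.items()
        if scores[category] > thresholds[category]  # "exceeds": strictly greater
    ]
    if any(mode == "block" for _, mode in fired):
        action = "block and log"
    elif fired:
        action = "log"
    else:
        action = "pass"
    return action, scores, fired

# Constructed sample request text and configuration.
SAMPLE = "GET /items?id=1 UNION SELECT name FROM users"
MODES = {"sqli": "block", "xss": "block", "inbound": "log"}

if __name__ == "__main__":
    for sqli_threshold in (5, 4):  # lowering the threshold raises sensitivity
        thresholds = {"sqli": sqli_threshold, "xss": 5, "inbound": 10}
        print(sqli_threshold, evaluate(SAMPLE, thresholds, MODES))
```

With the SQL injection threshold at 5 the sample request scores 5 and passes, because the score does not exceed the threshold; lowering the threshold to 4 makes rule 1010010 fire in its configured mode.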

Deploying changes

The Fastly WAF rule management interface allows you to change rule modes and threshold values that change the way rules behave in the face of potential web-oriented attacks. After changing rule modes, you can click the Deploy button to put these changes into production.

After clicking Deploy, you'll see a confirmation message asking if you want to deploy your changes. Click Yes to continue.

Once the deployment is complete, you can verify that the changes were deployed by looking at the date below the deploy button.
