LOG IN SIGN UP
Documentation

Fastly WAF rule set updates and maintenance

  Last updated November 14, 2017

Fastly provides rule set updates to the Fastly WAF in a prompt manner to help protect customers against attacks.

For OWASP and Trustwave rules changes we use the following process:

  1. We regularly review the rule changes as they happen in both the OWASP Core Rule Set and the Trustwave Rule Set.
  2. We translate the rules into Varnish Configuration Language (VCL) to run inside our cache nodes.
  3. We test the rules in our platform to ensure they perform adequately. We try to maximize performance and rule efficacy while reducing false positives.
  4. We correct bugs, if any are found.
  5. We propagate the rule set changes to our platform worldwide.
  6. Finally, we will provide customers with a notification and instructions on how to make rule updates.

Rule set maintenance

The following table describes updates and changes to the provided rule sets:

ID Date Type of Change Affected Rule Sets
2YXlqZJQxMkWyAjM4kggR3 2017/11/13
  • Global update to OWASP 3.0.2 CRS release
  • Update Trustwave rules to latest available
  • Introduce new Fastly internal rule 10040 to block any HTTP POST body greater than 2 kibibytes in size.
  • OWASP
  • Trustwave
  • Fastly Rules
2vyJNHO7fngQYJXU8UGUY6 2017/10/11
  • Updates to rule 932140 to account for SAML false positives in Windows
  • Reintroduction of missing transforms on some OWASP rules
  • Introduction of Fastly internal rule to protect against CVE-2017-9805
  • OWASP
  • Fastly Rules
4Z09wgjp7do8NrOIzlckFS 2017/08/15
  • Reintroduction of individual threshold variables: http_violation_score_threshold, lfi_score_threshold, php_injection_score_threshold, rce_score_threshold, rfi_score_threshold, session_fixation_score_threshold, sql_injection_score_threshold, xss_score_threshold
  • Removal of unused threshold variables: brute_force_counter_threshold, dos_counter_threshold, outbound_anomaly_score_threshold, trojan_score_threshold
  • Additional bug fixes in OWASP rule set
  • OWASP
  • Trustwave
39EE4tZnEM9Q8hxFJMHYU5 2017/04/27
  • OWASP
  • Trustwave
  • Fastly Rules

Updating to the newest rule set

Follow these instructions to update a WAF to use the newest rule set.

Reviewing the current rule set

Before updating your WAF to a new rule set, we recommend that you record the value of your WAF's currently active rule set. You can use this information to revert your WAF to its previous state.

Run the following cURL command in a terminal application to find the currently active rule set:

curl -s -H Fastly-Key: <your Fastly API token> -H Accept:application/vnd.api+json \
      https://api.fastly.com/service/<your Fastly service ID>/version/<your service version number>/wafs/<your WAF ID>

The output from the cURL command is shown below. In the relationships object, notice that this WAF is using <ID of your active configuration set>. Remember the ID.

{
    "data": {
        "attributes": {
            "last_push": null,
            "prefetch_condition": null,
            "response": null,
            "version": "1"
        },
        "id": "<your WAF ID>",
        "relationships": {
            "configuration_set": {
                "data": {
                    "id": "<ID of your active configuration set>",
                    "type": "configuration_set"
                }
            }
        },
        "type": "waf"
    }
}

Changing the rule set version

Follow these instructions to change the rule set version for a WAF:

  1. Find the ID of the new rule set version you want to use in the rule set maintenance section.
  2. On your computer, create a new file called updated_relationship.json.
  3. Copy and paste the following JSON into the file, replacing <your rules ID> with the ID of the rule set version you want to use:

    {
        "data": {
            "id": "<your WAF ID>",
            "relationships": {
                "configuration_set": {
                    "data": {
                        "id": "<your rules ID>",
                        "type": "configuration_set"
                    }
                }
            },
            "type": "waf"
        }
    }
    
  4. Save the changes to the updated_relationship.json file.
  5. In the directory you saved the file, run the following cURL command in a terminal application to change the rule set version for a WAF:

    curl -s -X PATCH -H Fastly-Key: <your Fastly API token> -H Accept:application/vnd.api+json \
      -H Content-Type:application/vnd.api+json -d @updated_relationship.json \
      https://api.fastly.com/service/<your Fastly service ID>/version/<your service version number>/wafs/<your WAF ID>
    
  6. Changing the rule set version for a WAF can take some time. Run the following cURL command in a terminal application to monitor the status of the process:

    curl -s -H Fastly-Key: <your Fastly API token> -H Accept:application/vnd.api+json \
          https://api.fastly.com/service/<your Fastly service ID>/version/<your service version number>/wafs/<your WAF ID>
    

    The process is complete when the output displays the ID of the new rule set version.

Updating to the latest rules

After you've verified that the rule set for the WAF has successfully been changed, follow these rules to update your WAF with the latest rules:

  1. Run the following cURL command in a terminal application to update the rule set:

    curl -s -X PATCH -H Fastly-Key: <your Fastly API token> -H Accept:application/vnd.api+json \
      -H Content-Type:application/vnd.api+json -d '{"data":{"id":"<your WAF ID>","type":"ruleset"}}' \
      https://api.fastly.com/service/<your Fastly service ID>/wafs/<your WAF ID>/ruleset
    

    The response will look like this:

    {
        "data": {
            "id": "WAF_ID",
            "type": "ruleset"
        },
        "links": {
            "related": {
                "href": "https://api.fastly.com/service/<your Fastly service ID>/wafs/<your WAF ID>/update_statuses/<update status ID>"
            }
        }
    }
    
  2. Updating the WAF with the latest rules can take some time. Using the URL in the response in the previous step, run the following cURL command in a terminal application to monitor the status of the process:

    curl -s -H Fastly-Key: FASTLY_API_TOKEN -H Accept:application/vnd.api+json \
    https://api.fastly.com/service/<your Fastly service ID>/wafs/<your WAF ID>/update_statuses/<update status ID>
    

    The response for the waf_update_status will have a status of complete when the process is complete.

    {
        "data": {
            "attributes": {
                "completed_at": "2017-04-05 18:47:28 UTC",
                "created_at": "2017-04-05 18:47:27 UTC",
                "message": null,
                "status": "complete",
                "updated_at": "2017-04-05 18:47:28 UTC"
            },
            "id": "<update status ID>",
            "type": "waf_update_status"
        }
    }
    

Reverting to a previous rule set version

If a WAF rule set update doesn't go as planned, you can revert to the previous rule set version. Using the previous rule set ID you recorded in the reviewing the current rule set section, follow the instructions in changing the rule set version and updating to the latest rules.


Additional resources:


Back to Top