
Managing the Fastly WAF

  Last updated August 21, 2017

The Fastly WAF provides rules that detect and block potential attacks. The rules are collected into a policy and deployed within your Fastly service at the edge.

Inspecting the Fastly WAF rule set

You can inspect your Fastly WAF rule set at any time. By making an API call, you can download all of the data associated with your Fastly WAF rules. To inspect your Fastly WAF rule set, run the following cURL command in a terminal application:

curl -H 'Fastly-Key: FASTLY_API_TOKEN' https://api.fastly.com/service/<your Fastly service ID>/wafs/<your WAF ID>/ruleset | perl -pe 's/\\n/\n/g'

Inspecting the VCL of a WAF rule

To inspect the VCL of a specific Fastly WAF rule, run the following cURL command in a terminal application:

curl -H 'Fastly-Key: FASTLY_API_TOKEN' https://api.fastly.com/wafs/<your WAF ID>/rules/<rule_id>/vcl

See the API documentation for more information.

Blocking requests

When you start using Fastly WAF for the first time, all rules are set to log status to minimize false positives. We recommend you monitor the logs for a minimum of two weeks to make sure that the rules will not block legitimate requests to your web application. Requests will not be blocked until you switch one or more rules from log to block status.

Changing the status of a rule

To change the status of a rule from log to disabled or block, inspect your rule set or review your logs to find the waf.rule_id variable. Then, run the following cURL command in a terminal application for each rule you want to set to block or disabled status:

curl -H 'Fastly-Key: FASTLY_API_TOKEN' -X PATCH -d '{"data": {"id": "<your WAF ID>-<WAF rule ID>", "type": "rule_status", "attributes":{ "status": "block"}}}' -H 'Content-Type: application/vnd.api+json' https://api.fastly.com/service/<your Fastly service ID>/wafs/<your WAF ID>/rules/<WAF rule ID>/rule_status

To change the status of a rule by a filter-tag (e.g., application-WordPress, language-html, or OWASP), run the following cURL command in a terminal application:

curl -H 'Fastly-Key: FASTLY_API_TOKEN' -X POST -d '{"data": {"id": "<your WAF ID>", "type": "rule_status", "attributes": {"name": "<tag>", "status": "block"}}}' -H 'Content-Type: application/vnd.api+json' https://api.fastly.com/service/<your Fastly service ID>/wafs/<your WAF ID>/rules/<WAF rule ID>/rule_statuses

See the API documentation for more information.

When you've finished setting rules to block status, you'll need to activate the changes.
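
An added example (not Fastly's code) of triaging the log-status period described under "Blocking requests": it tallies hits per waf.rule_id, holds back rules that fired on clients you know to be legitimate, and builds the rule_status PATCH body shown above for the rest. The key=value log layout, rule IDs, and IP addresses are constructed assumptions; only waf.rule_id comes from this page.

```shell
#!/bin/sh
# Added example. ASSUMPTIONS: the key=value log layout is hypothetical (only
# waf.rule_id is named on the page); rule IDs and IP addresses are constructed.

sample_log() {   # constructed log lines collected while all rules are in log status
cat <<'EOF'
client=198.51.100.10 url=/checkout waf.rule_id=1001
client=203.0.113.7 url=/wp-login.php waf.rule_id=1002
client=203.0.113.7 url=/wp-login.php waf.rule_id=1002
client=203.0.113.9 url=/search waf.rule_id=1001
client=203.0.113.9 url=/item waf.rule_id=1003
client=203.0.113.9 url=/health
EOF
}

# tally GOOD_IPS: log on stdin -> "rule_id total_hits hits_from_known_good_clients"
tally() {
  awk -v good="$1" '
    BEGIN { n = split(good, g, ","); for (i = 1; i <= n; i++) ok[g[i]] = 1 }
    {
      ip = ""; rule = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^client=/)       ip   = substr($i, 8)
        if ($i ~ /^waf\.rule_id=/) rule = substr($i, 13)
      }
      if (rule == "") next              # request matched no WAF rule
      total[rule]++
      if (ip in ok) fp[rule]++          # rule fired on known-legitimate traffic
    }
    END { for (r in total) printf "%s %d %d\n", r, total[r], fp[r] }
  ' | sort -n
}

# Rules that never fired on known-good clients: candidates for block status.
block_candidates() { tally "$1" | awk '$3 == 0 { print $1 }'; }

# JSON body for the rule_status PATCH shown on the page: WAF_ID RULE_ID STATUS
rule_status_body() {
  printf '{"data": {"id": "%s-%s", "type": "rule_status", "attributes": {"status": "%s"}}}' "$1" "$2" "$3"
}

GOOD="198.51.100.10"   # constructed: your own synthetic-monitoring client
sample_log | tally "$GOOD"
for rule in $(sample_log | block_candidates "$GOOD"); do
  rule_status_body "WAF_ID" "$rule" block; echo
done
```

With the constructed sample, rule 1001 stays in log status for review because it matched the known-good client, while 1002 and 1003 each get a block body.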

OWASP Configuration

OWASP blocking is dependent on the following:

If a request triggers OWASP rules, it returns attack category scores and a cumulative score. If any of the final scores exceed the threshold limit and the OWASP rules are in block mode, Fastly sends the custom error response to the user.

Viewing OWASP settings

To view your OWASP settings, run the following cURL command in a terminal application:

curl -H 'Fastly-Key: FASTLY_API_TOKEN' https://api.fastly.com/service/<service_id>/wafs/<your WAF ID>/owasp

The cumulative anomaly score is displayed in the inbound_anomaly_score_threshold field.

Changing OWASP settings

To change any OWASP settings object, run the following OWASP update command in a terminal application:

curl -X PATCH -v -H "Content-Type: application/vnd.api+json" -H "Accept: application/vnd.api+json" -H "Fastly-Key: FASTLY_API_TOKEN" https://api.fastly.com/service/<service_id>/wafs/<waf_id>/owasp -d '{"data": {"attributes":{"inbound_anomaly_score_threshold":"50"}, "id":"<owasp_id>", "type":"owasp"}}'

When you've finished modifying OWASP settings, you'll need to activate the changes.

Activating changes

After you modify the status of one or more rules, you must activate the changes by running the following cURL command in a terminal application:

curl -H 'Fastly-Key: FASTLY_API_TOKEN' -X PATCH -d '{"data": {"id": "<your WAF ID>", "type": "ruleset"}}' -H 'Content-Type: application/vnd.api+json' https://api.fastly.com/service/<your Fastly service ID>/wafs/<your WAF ID>/ruleset

See the API documentation for more information.

Rules are versionless. Any changes to the rules will become effective after you run the command shown above. You won't need to activate a new version of your service to have the changes take effect.

