Web Application Firewall (WAF) inspects requests based on WAF rules and decides whether to block or monitor them accordingly. The main features of WAF include:
- Comprehensive protection against OWASP attacks, including injection attacks, inherent flaws and outdated components, and failed encryption mechanisms.
- Two different rule set update methods are offered for selection: Automatic and Manual. You can switch between these two methods based on your experience and security management needs.
- Automatic: WAF will automatically update the rule set, automatically learn website traffic and optimize rules, to help you greatly reduce management work, ensuring that the website is always using the latest rule set to against threats.
- Manual: WAF will not automatically adjust any of your configurations, you can fully independently update and manage the rule set.
Go to WAF > Managed Rules:
- Log in to the CDNetworks Console, find the security product in use under Subscribed Products.
- o to Security part, Configurations > Policies.
- Find the hostname for which you want to configure security policies, click .
1. Select the Protection Mode
When the website uses WAF protection for the first time, it is recommended to use Protection Mode: Monitor. This mode will not block requests that hit the WAF rules, it will only record logs. You can confirm the monitoring logs before switch to the Block Mode. Usually, it is recommended that you observe for 7 days before turning on the Block Mode to ensure that the WAF fully adapts to the website traffic and optimizes the rules. You can also shorten the observation time appropriately according to the actual business situation, but it is not recommended to be less than 24 hours at the shortest.
If your website is currently under extremely high security risks and you want to be immediately protected by WAF, you can choose the Block mode. This mode will directly block requests that hit the WAF rules (the actual processing action is subject to the action configured by the hit rules). You need to accept a certain risk of flase positive cases. According to the experience of CDNetworks security experts, in most cases, the default rule set will not cause obvious flase positive cases.
2. Manage WAF Managed Rules
2.1. Ruleset Mode: Automatic (recommended)
Relying on the continuous tracking of threats by the CDNetworks security expert team and updating the rules in real time, as well as the intelligent automatic rule tuning mechanism, WAF provides you with an automatic rule set management solution. While significantly reducing management costs, it still always keeps the WAF protection in the best state.
Note: The Value Added Service of WAF include the auto-generation of suggestions derived from daily website traffic and continuous optimization rules.
By using the Automatic mode, you can :
- When WAF updates rules, the new rules will be automatically added to the hostname’s rule set to cope with the latest threats.
- WAF will continuously learn website traffic and optimize rules every day, automatically generate suggestions and apply them to exception configurations. You don’t need to manually pay attention to the risk of false positive cases introduced by business changes.
- You can still manually adjust the rules’ actions and exceptions as needed.
2.2. Ruleset Mode: Manual
If you are a web security expert and want to independently manage the WAF rule set in a more detailed way, you can choose Manual mode.
Under this mode, WAF will not automatically adjust any of your configurations, and you need to take the following responsibilities:
- Manually evaluate and upgrade WAF rule set.
- Regularly check the suggestions automatically generated by WAF and evaluate whether to apply them. You can also use your own operation tools or other methods to complete this task.
2.2.1. Evaluate and upgrade WAF rule set.
In manual mode, when the WAF rule set version is updated, a prompt will appear above the rule list. After clicking the prompt to enter the rule set upgrade page, you can see all the hostname lists that need to update the rule set version and the updated rule information, and decide whether to upgrade the rule set based on this information.
- Hostname: The hostname of the ruleset to be upgraded.
- Current ruleset version: The current version number of the ruleset for this hostname.
- Rules to be updated: The number of rules that should be updated to the latest version, including new and updated ones.
- List of rules to be updated: You can view the rule ID, description, recommended action, etc.
When you decide to upgrade the rule set, select the hostnames that need to be upgraded, click on batch upgrade to update all hostnames at once, or find the specific hostname you wish to operate and click . After a second confirmation, WAF will update the rule set for the hostname to the latest version.
If a rule is updated, the action originally configured for the rule will not be changed.
2.2.2. Evaluate whether to apply suggestions.
In manual mode, WAF will still generate suggestions for you, but it will not automatically apply them to the configuration. They will only be displayed in the rule list to provide reference for your management of WAF rules.
You can evaluate the suggestions in the following ways:
- The suggestions are displayed in the Recommendations tab of each rule in the rule list, the initial status is “pending”. You can sort all rules in descending order according to the number of suggestions, so as to quickly find out which rules WAF has generated suggestions for.
- Expand the Recommendations tab of each rule to view the specific suggestion content, which is usually an exception configuration for a certain path.
- Evaluate whether you need to adopt the suggestions and add exceptions in conjunction with your business. You can also go to the Attack Logs to filter out logs of corresponding rules and paths and make further judgments through detailed information in the logs to make a decision.
- If accepted, please click on “add to exceptions”, this suggestion will be added to the configuration in the exceptions tab and classified as “source: Recommendations”.
- If not accepted, you can choose “reject”. The status of this suggestion will be updated to “rejected” and permanently retained in the Recommendations tab to ensure that WAF will not push the same wrong suggestions again.
- If you are temporarily unable to determine, you can leave it unprocessed. If in the next analysis period, WAF generates the same suggestion again, the update time of this suggestion will be refreshed, indicating that there is continuous request traffic corresponding to this suggestion, and you are advised to confirm again at this time.
3. Filter and view WAF rules
3.1. Filter WAF rules
- In the filter on the left side of the rule list, select the rule type, OWASP type, or enter the rule ID, rule name, rule description, and vulnerability number to filter rules according to your needs.
- To see which rules have exceptions set or recommendations generated, click the sort button on the rule list, and the system will sort all the rules.
- To view the rules that use a certain action, select the action on the rule list for filtering.
3.2. View WAF rules
- Expand the rule to view exceptions, recommendations, and more information.
- Select the Exceptions tab to view the exceptions configurations currently in use. The exceptions are categorized by configuration source under this tab. Through this categorization by source, you can clearly see how the exception configurations in the rules were added.The source classification is as follows:
- Select the Exceptions tab to view the exceptions configured for the rule. The exceptions are categorized by configuration source under this tab, and the source categories are as follows:
- Manually: Exceptions that you manually added to the hostname under the security policy.
- Shared configuration: Exceptions that you created under shared configuration and associated with the hostname.
- Recommendation: Exceptions automatically generated by WAF and applied by the WAF’s automatic mode or applied manually by you.
- Select the Recommendation tab to view pending and rejected recommendations.
- Select the More Information tab to view the recommended actions and rule description for this rule.