About rules
Rules are configurations that outline how the Next-Gen WAF should handle requests that meet defined condition sets. You can create rules at the corp (also known as account) or site (also known as workspace) level:
- Corp (account) rules: apply to all or multiple, specific sites (workspaces).
- Site (workspace) rules: apply to one specific site (workspace).
How rules work
Every rule outlines the conditions under which the WAF should take action and the type of action (e.g., allow or block) the WAF should take when the conditions are met.
When a web client makes a request to your protected web application, the Next-Gen WAF checks whether the request meets the criteria of any rules. If it does, the WAF uses the matching rule to determine the appropriate actions it needs to implement. When matching rules conflict, the WAF uses precedence logic to decide which rule it should listen to. After evaluating the request, the WAF tags the request with the appropriate signals and then performs the determined actions.
Rule types
There are four types of rules:
- Request rules: define arbitrary conditions that requests must meet in order for the WAF to take action and the actions the WAF should take when the conditions are met. For example, you could make a rule to block all requests with specific headers, requests to certain paths, or requests originating from specific IP addresses.
- Advanced rate limiting rules: handle requests from individual clients when a threshold (e.g., 100 requests in 1 minute) is passed. For example, you could make a rule to rate limit requests made to your web application's login page to prevent account takeover attacks. If too many failed login attempts are made from a specific IP address, it's reasonable to suspect that person is trying to guess a password and break into another person's account. The rate limit rule will block that IP address from the login path for a set amount of time and prevent them from continuing to guess passwords.
- Signal exclusion rules: prevent requests from being tagged with certain signals. Signal exclusion rules help prevent false positives. For example, let's say you have an internal CMS where employees can post raw HTML. If employees try to post raw HTML that look like a Cross-Site Scripting (XSS) attack, their requests might get tagged with the
XSSsystem signal and then blocked. To prevent false positives and your well-meaning employees from being accidentally blocked, you could create a signal exclusion rule to prevent requests that are coming from your VPN IP and post HTML from being tagged with theXSSsignal. - Templated rules: partially pre-constructed rules that are associated with an API, ATO, or CVE virtual patch system signal. Enable ATO and API templated rules to gain visibility into registrations, logins, and API requests. Temporarily enable a CVE virtual patch templated rule to protect your web application from the associated CVE while you implement a more permanent solution.
Action types
Possible action types include:
| Action type | Description | Request rules | Advanced rate limiting rules | Signal exclusion rules |
|---|---|---|---|---|
| Allow | The WAF allows the request regardless of any blocking rules that were matched and forwards the request to your origin. | ✅ | ❌ | ❌ |
| Block | The WAF prevents the request from accessing your origin, generates a response using the blocking response code that is configured for your site (workspace), and sends the response to the web client that initiated the request. | ✅ | ✅ - only supported at the site (workspace) level | ❌ |
| Log | The WAF stores and makes available the request and response data per our data storage policy. | ❌ | ✅ - only supported at the site (workspace) level | ❌ |
| Deception | The WAF returns a deceptive response to attackers, making them unsure whether their attack was successful. | ✅ - only supported at the site (workspace) level | ✅ - only supported at the site (workspace) level | ❌ |
| Add signal | The WAF tags the request with a specific signal. | ✅ | ❌ | ❌ |
| Exclude signal | The WAF prevents the request from being tagged with a specific signal. | ❌ | ❌ | ✅ |
| Browser challenge | Based on how you configured the rule, the WAF either sends a non-interactive (JavaScript proof-of-work) or interactive (CAPTCHA) challenge to the web client that initiated the request. For the WAF to allow the request, the web client must successfully complete the challenge. | ✅ - only supported at the site (workspace) level | ✅ - only supported at the site (workspace) level | ❌ |
| Dynamic challenge | Based on the request, the WAF determines what type of challenge to send to the web client that initiated the request. Challenge types include Private Access Tokens (PATs), non-interactive (JavaScript proof-of-work) challenges, and interactive (CAPTCHA) challenges. For the WAF to allow the request, the web client must successfully complete the challenge it receives. | ✅ - only supported at the site (workspace) level | ✅ - only supported at the site (workspace) level | ❌ |
| Verify token | The WAF checks whether the web client solved a challenge on a previous GET request and adds either the CHALLENGE-TOKEN-VALID or CHALLENGE-TOKEN-INVALID signal to the request. You must add an additional rule if you want to block requests that have CHALLENGE-TOKEN-INVALID signal. The verify token action is mostly used on POST requests. | ✅ - only supported at the site (workspace) level | ❌ | ❌ |
Precedence logic
When rules conflict, the Next-Gen WAF agent uses the following logic to determine which rule should take precedence:
- a rule with an allow action always takes precedence over a rule with a block action. For example, if you create a rule to block a range of IP addresses and a rule to allow one specific IP address within that range, requests from that IP address will be allowed because the allow rule takes precedence.
- a corp (account) rule usually takes precedence over a site (workspace) rule. The only time a corp (account) rule doesn't take precedence is when the site (workspace) rule has an allow action.
Viewing rules
The steps to view a rule depend on whether the rule applies to the entire corp (account) or to a single site (workspace).
Viewing rules that apply to multiple sites (workspaces)
To view a corp-level (account-level) rules, complete the following steps:
- Next-Gen WAF control panel
- Fastly control panel
Log in to the Next-Gen WAF control panel.
- From the Corp Rules menu, select Corp Rules.
- Click View to the right of the rule that you want to view. The View page appears.
Viewing rules that apply to one site (workspace)
To view a site-level (workspace-level) rule, complete the following steps:
- Next-Gen WAF control panel
- Fastly control panel
Log in to the Next-Gen WAF control panel.
From the Sites menu, select a site if you have more than one site.
- From the Rules menu, select Site Rules.
- Click View to the right of the rule that you want to view. The View page appears.
Deleting rules
The steps to delete a rule depend on whether the rule applies to multiple sites (workspaces) or to a single site (workspace).
Deleting rules that apply to multiple sites (workspaces)
To delete a corp-level (account-level) rule, follow these steps:
- Next-Gen WAF control panel
- Fastly control panel
Log in to the Next-Gen WAF control panel.
- From the Corp Rules menu, select Corp Rules.
- Click Edit or View to the right of the rule that you want to delete.
- Click Remove corp rule and then Delete corp rule. The rule is deleted, and the Corp Rules page appears.
Deleting rules that apply to one site (workspace)
To delete a rule that applies to only one site (workspace), complete the following steps:
- Next-Gen WAF control panel
- Fastly control panel
Log in to the Next-Gen WAF control panel.
From the Sites menu, select a site if you have more than one site.
- From the Rules menu, select Site Rules.
- Click Edit or View to the right of the rule that you want to delete.
- Click Remove site rule and then Delete site rule. The rule is deleted, and the Site Rules page appears.
