Waf
IMPORTANT: As announced, April 30, 2023 marked the formal retirement of the Fastly WAF (WAF Legacy and WAF 2020). Our Fastly Next-Gen WAF offers similar functionality. It monitors for suspicious and anomalous web traffic and protects, in real-time, against attacks directed at the applications and origin servers that you specify.
WAF 2020 filters requests through a set of security rules that match patterns known to be associated with malicious traffic. There are three types of rules:
- Scoring rules: Rules which, when matched, do not immediately flag the request, but will contribute a score to a category and an overall total. Rules based on the OWASP core ruleset are scoring rules, as are some Fastly rules.
- Strict rules: Strict rules are those which will, when matched, immediately flag a request. Most Fastly rules and all Trustwave rules are strict.
- Threshold rules: Rules which flag a request if a scoring category or the total anomaly score exceeds a configured threshold. Threshold rules work in conjunction with scoring rules, and do not match on characteristics of the request, but instead match on the current value of an anomaly score.
When a request is flagged by the WAF, it may either be blocked, with an error response returned to the client, or be allowed to proceed as normal, depending on the service's WAF configuration. Running a WAF in 'logging' mode when it is first enabled is common practice: flagged requests are recorded but not blocked, so false positives do not turn away legitimate traffic while the rule set is being tuned. See tuning your WAF in the WAF product documentation for more details.
The waf_debug_log subroutine is invoked once for each rule matched by the WAF engine, providing the opportunity to sample the values of WAF variables after each rule is processed.
All waf.-prefixed variables are read-write in VCL, and have no special meaning to the Fastly platform outside of the WAF product. While it is possible for these variables to be updated by custom VCL code, care should be taken to avoid conflicting with the use of these variables by the WAF. The variables waf.blocked, waf.logged, waf.passed and waf.executed, all of type BOOL, are write-once: for each request, they start out set to false and may be set to true, but once set to true any further attempt to change the value will be ineffective.
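The following VCL is an added illustration of the two points above (sampling variables from waf_debug_log, and the write-once BOOL variables); it is not code from this page or from Fastly's own WAF integration. It assumes a logging endpoint named waf_debug has been created on the service, uses a request header X-WAF-Mode purely as a stand-in for the service's logging-versus-blocking choice, and the helper subroutine waf_enforce is a hypothetical name; where it is called from depends on the service's generated VCL and is not shown.

```vcl
# Added example; not part of the original page.
# Assumptions: a logging endpoint called "waf_debug" exists on the service,
# and req.http.X-WAF-Mode stands in for the service's WAF mode setting.

# Called by the WAF engine once per matched rule. Each call sees the
# variables as they stand after that rule was processed, so for scoring
# rules the per-category and total anomaly scores accumulate across calls
# for the same request; a strict rule flags the request in a single call.
sub waf_debug_log {
  log {"syslog "} req.service_id {" waf_debug :: "}
      {"rule_id="} waf.rule_id
      {" severity="} waf.severity
      {" anomaly_score="} waf.anomaly_score
      {" inbound="} waf.inbound_anomaly_score
      {" sqli="} waf.sql_injection_score
      {" xss="} waf.xss_score
      {" rce="} waf.rce_score
      {" lfi="} waf.lfi_score
      {" rfi="} waf.rfi_score
      {" php="} waf.php_injection_score
      {" decision="} if(waf.blocked, "blocked", if(waf.logged, "logged", "none"))
      {" msg="} waf.message
      {" data="} waf.logdata;
}

# Hypothetical helper (name assumed) meant to run after the WAF has executed
# for the request. It shows how the write-once BOOLs are read, not how the
# WAF itself is wired into the service.
sub waf_enforce {
  # waf.executed is false until the engine has actually run, so checking it
  # first avoids acting on a request the WAF never inspected.
  if (waf.executed && waf.blocked) {
    # Write-once semantics: the WAF has already set waf.blocked to true, so
    #   set waf.blocked = false;
    # would be silently ignored here. Custom VCL cannot "unblock" a request
    # by clearing the variable; it has to decide what to do with the flag.
    if (req.http.X-WAF-Mode == "logging") {
      # Logging mode: record the decision but let the request proceed.
      log {"syslog "} req.service_id {" waf_debug :: "}
          {"would-block rule_id="} waf.rule_id
          {" anomaly_score="} waf.anomaly_score;
    } else {
      error 403 "Forbidden";
    }
  }
}
```

Because waf_debug_log fires per matched rule, a single request that trips several scoring rules produces several log lines with a rising anomaly_score; the last line before a threshold rule fires tells you which category pushed the total over the configured limit, which is the information you want when tuning in logging mode.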
- waf.anomaly_score
- waf.blocked
- waf.counter
- waf.executed
- waf.failures
- waf.http_violation_score
- waf.inbound_anomaly_score
- waf.lfi_score
- waf.logdata
- waf.logged
- waf.message
- waf.passed
- waf.php_injection_score
- waf.rce_score
- waf.rfi_score
- waf.rule_id
- waf.session_fixation_score
- waf.severity
- waf.sql_injection_score
- waf.xss_score