Security Application Manager

A Security Application Manager configuration:

Traffic Identification

Identify the set of traffic to which a Security Application Manager configuration's rules will be applied by host, URL path, or both.

Host

By default, a Security Application Manager configuration applies to all hosts. However, you may limit a Security Application Manager configuration to one or more hosts. WAF compares the entire Host header value against the specified value.

Key information:

URL Path

By default, a Security Application Manager configuration applies to all URL paths. However, you may limit a Security Application Manager configuration to one or more URL paths. WAF compares the entire URL path against the specified value.

Key information:

Match Comparison Modes

Your Security Application Manager configuration determines how WAF compares a request's host or URL path against the specified value. The available modes are listed below.

Wildcard and regular expression match comparison modes require WAF Premier, WAF Standard, or WAF Essentials. If you currently have WAF Insights and would like to use this capability, please contact your CDN account manager to upgrade to the full version.

Exact Match (Multiple Entries)

WAF compares the specified value(s) against the entire host or URL path. It will only apply this Security Application Manager configuration to a request when one of the specified value(s) is an exact match. This comparison is case-sensitive.

Sample Configuration: cat, bat

Matches: cat, bat

Does Not Match: Cat, Bat, Category, Moscato, Batch

Wildcard Match

WAF checks whether the entire host or URL path is a case-sensitive match for the wildcard pattern. The supported wildcards are listed below.

Wildcard: *
Description: Matches zero or more characters.
Example: cat*
Matches: cat, category
Does Not Match: muscat, cAt, Category

Wildcard: ?
Description: Matches a single character.
Example: cat?
Matches: cats
Does Not Match: muscats, Cats, cat

Wildcard: [abc]
Description: Matches a single character defined within the brackets.
Example: [cm]art
Matches: cart, mart
Does Not Match: tart, start

Wildcard: [a-z]
Description: Matches a single character from the specified range.
Example: [a-z]art
Matches: cart, mart, tart
Does Not Match: Cart, marT, start

Wildcard: [!abc]
Description: Matches a single character that is not defined within the brackets.
Example: [!cm]art
Matches: Cart, Mart, tart
Does Not Match: cart, mart, tArt

Wildcard: [!a-z]
Description: Matches a single character that is excluded from the specified range.
Example: [!a-m]art
Matches: Cart, Mart, tart
Does Not Match: cart, mart, tArt

Example:

Setting the URL path(s) option to the following value allows WAF to apply this Security Application Manager configuration to any request whose URL path starts with /marketing/:

/marketing/*

The following sample request will match the above pattern:

https://cdn.example.com/marketing/mycampaign/image.png

Regex Match

WAF checks whether the entire host or URL path is a match for the pattern defined in a regular expression.

Regular expressions are case-sensitive.

Sample Configuration: ^[a-zA-Z0-9]*$

Matches: cat, CAT7, Category

Does Not Match: Category 7, Cat#7

Threat Detection

Identify threats by adding the following rule(s) to your Security Application Manager configuration:

You may apply an access, custom, or managed rule in one of the following modes:

Auditing a profile that is already being applied to production traffic will cause the same threat to be logged twice.

Enforcement

You may customize how rules that run in production mode will be enforced. Enforcement is triggered when:

WAF will only generate alerts for rules that run in audit mode. This enforcement action cannot be customized.

Rate and bot rules may only run in production mode. You cannot run them in audit mode.

The available enforcement actions are described below.

Alert Only

Rate limited requests or detected threats will only generate an alert.

Our recommendation for testing new configurations is to use audit mode instead of applying the Alert Only enforcement action to a rule running in production mode.

WAF applies a single enforcement action per mode (i.e., production or audit). Once enforcement is triggered for that mode, WAF does not perform further evaluation of that request. If you are setting up a rule in production mode, we recommend that you limit your use of the Alert Only enforcement to the shortest amount of time necessary to validate changes to your configuration.

Block Request

Access Rules, Custom Rules, and Managed Rules

Detected threats will be dropped and the client will receive a 403 Forbidden response.

Custom Response

Rate limited requests or detected threats will receive a custom response.

  • Response Body: Define the payload that will be delivered to the client in response to a detected threat.

    This option supports the use of event variables to customize the response according to the detected threat.

    Sample payload for a CSS file:

    body {
      background-color: #ffffff;
    }

  • HTTP Status Code: Defines the HTTP status code that will be sent to the client.

  • Custom Response Headers: Defines one or more response headers that will be sent to the client. Define each custom response header on a separate line.

    Syntax:

    Name:Value

    Example:

    MyCustomHeader: True

    This option supports the use of event variables to customize the response according to the detected threat.

    All characters, including spaces, defined before or after the colon will be treated as a part of the specified header name or value, respectively.

Drop Request

Rate Rules Only

Rate limited requests will be dropped and the client will receive the following response:

  • HTTP status code: 503 Service Unavailable
  • Response header: Retry-After: 10 seconds

The Retry-After response header provides a hint to the client as to when service may resume.

Redirect (HTTP 302)

Rate limited requests or detected threats will be redirected to the specified URL.

Key information:

  • The HTTP status code for this response will be a 302 Found.
  • Set the URL option to the full URL to which rate limited requests or detected threats will be redirected.

    Example:

    http://cdn.mydomain.com/marketing/busy.html

Event Variables

A custom response header value or a custom response body may include variables that describe the event. These variables are described below.

EVENT_ID

Represents the system-defined ID assigned to the request that was identified as a threat.

Find out detailed information about the detected threat by passing this ID to the Get Event Log Entry endpoint (REST API).

CLIENT_IP

Represents the IP address of the device that submitted the detected threat.

TIMESTAMP

Represents the date and time at which the detected threat was submitted.

REQUEST_URL

Represents the URL for the request that was deemed a threat.

Add an event variable to a custom response header value or a custom response body by enclosing it with double curly braces.

Example:

{{EVENT_ID}}
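An added example (not vendor code) that models how a custom response body and the Name:Value header lines are rendered with the event variables above, including the "no trimming around the colon" rule; the function names and the sample event are constructed for illustration.

```python
import re

# Added example, not vendor code: renders a Custom Response (body, headers) with
# the event variables described above. Function names and the sample event are
# constructed for illustration.

EVENT_VARIABLES = ("EVENT_ID", "CLIENT_IP", "TIMESTAMP", "REQUEST_URL")
_PLACEHOLDER = re.compile(r"\{\{([A-Z_]+)\}\}")

def substitute(template, event):
    """Replace {{VAR}} with the event's value. Names outside the documented set
    are left untouched so a typo in a template stays visible instead of
    silently disappearing. Values are inserted verbatim: escape them before
    reflecting them into an HTML body, since REQUEST_URL is client-supplied."""
    def repl(m):
        name = m.group(1)
        return str(event[name]) if name in EVENT_VARIABLES and name in event else m.group(0)
    return _PLACEHOLDER.sub(repl, template)

def parse_header_lines(text, event):
    """One 'Name:Value' header per line, split at the FIRST colon only, with no
    trimming: 'MyCustomHeader: True' yields the value ' True' (leading space
    kept), exactly as the page warns. Values may carry event variables."""
    headers = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if ":" not in line:
            raise ValueError("header line has no colon: %r" % line)
        name, value = line.split(":", 1)
        headers.append((name, substitute(value, event)))
    return headers

def build_custom_response(status, header_text, body_template, event):
    """Assemble a model of the response returned for a detected threat."""
    return {
        "status": status,
        "headers": parse_header_lines(header_text, event),
        "body": substitute(body_template, event),
    }

# Constructed sample event (values are placeholders, not real log data).
SAMPLE_EVENT = {
    "EVENT_ID": "evt-00000000-constructed",
    "CLIENT_IP": "203.0.113.10",
    "TIMESTAMP": "2024-01-01T00:00:00Z",
    "REQUEST_URL": "https://cdn.example.com/marketing/?id=1",
}
```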

Order of Precedence

The recommended practice is to create a Security Application Manager configuration that is tuned for each of your applications. This allows you to apply a restrictive security policy with minimal false positives. Each Security Application Manager configuration's host and URL path conditions determine the set of traffic to which it may be applied. If a request is eligible to be screened by multiple Security Application Manager configurations, then WAF will screen it using the first eligible configuration in the list.

Reorder Security Application Manager configurations by dragging the desired configuration's icon to the desired position.
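The match comparison modes (exact, wildcard, regex, negative match) and the first-eligible-configuration precedence, worked through in Python as an added example that is not vendor code; the function names and the sample configuration list are assumptions made for illustration.

```python
import re

# Added example, not vendor code: models the match comparison modes and the
# order of precedence described above. Function names are assumptions.

def wildcard_to_regex(pattern):
    """Translate a WAF-style wildcard (*, ?, [abc], [a-z], [!abc], [!a-z]) into a
    regex body; build_matcher applies it to the ENTIRE host or URL path."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        elif ch == "[" and (end := pattern.find("]", i + 1)) > i + 1:
            inner = pattern[i + 1:end]
            if inner.startswith("!"):                 # [!...] negates the set
                inner = "^" + inner[1:]
            out.append("[" + inner.replace("\\", "\\\\") + "]")
            i = end
        else:
            out.append(re.escape(ch))                 # anything else is literal
        i += 1
    return "".join(out)

def build_matcher(mode, values, negative=False):
    """Predicate for one mode: 'exact' takes several entries, 'wildcard'/'regex' one
    pattern; all are case-sensitive. Assumption: the documented check of the ENTIRE
    host or URL path is re.fullmatch, so the sample regex's ^...$ are optional."""
    if mode == "default":
        test = lambda s: True
    elif mode == "exact":
        allowed = set(values)
        test = lambda s: s in allowed
    elif mode in ("wildcard", "regex"):
        rx = re.compile(wildcard_to_regex(values[0]) if mode == "wildcard" else values[0])
        test = lambda s: rx.fullmatch(s) is not None
    else:
        raise ValueError("unknown mode: " + mode)
    return (lambda s: not test(s)) if negative else test   # the Negative match option

def first_eligible(configs, host, path):
    """Order of precedence: the first listed (name, host_test, path_test) whose host
    AND URL path conditions both hold screens the request; later ones are skipped."""
    for name, host_test, path_test in configs:
        if host_test(host) and path_test(path):
            return name
    return None

# Constructed sample list: a tuned /marketing/ policy listed ahead of a catch-all.
CONFIGS = [
    ("marketing", build_matcher("exact", ["cdn.example.com"]), build_matcher("wildcard", ["/marketing/*"])),
    ("catch-all", build_matcher("default", []), build_matcher("default", [])),
]
```

Reversing CONFIGS makes the catch-all win for every request, which is the misordering the reorder step is meant to avoid.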

Security Application Manager Administration

You may create, modify, and delete Security Application Manager configurations.

Key information:

To create a Security Application Manager configuration

  1. Navigate to the Security Application Manager page (from the main menu, navigate to More | Security | WAF Tier | Security Application Manager).

  2. Click Add New.
  3. In the Name option, type the unique name by which this Security Application Manager configuration will be identified.
  4. Optional. Identify the set of traffic to which this security policy will be applied by defining a hostname and/or URL path through the Hostname and URL path(s) options.

    Select one of the following modes:

    • Default: Use this mode to apply this Security Application Manager configuration regardless of the request's host or URL path.
    • Exact match (multiple entries): Use this mode to apply this Security Application Manager configuration to the specified hostname(s) or URL path(s).

    • Wildcard match: Use this mode to apply this Security Application Manager configuration to all hostnames or URL paths that satisfy the specified wildcard pattern.

    • Regex match: Use this mode to apply this Security Application Manager configuration to all hostnames or URL paths that satisfy the specified regular expression pattern.

    Enable the Negative match option to configure a Security Application Manager configuration to look for requests that do not match the specified value or pattern.

  5. Optional. Select an access rule through which production traffic will be screened and determine how threats identified by it are handled.

    If you have not already created the desired access rule, you can save your Security Application Manager configuration, create an access rule, edit your Security Application Manager configuration, and then resume this procedure.

    i. From the Rules section, click Access Rule.
    ii. From the Production Access Rule option, select the desired access rule.
    iii. Optional. From the Action name option, type a name that describes the enforcement action configuration.
    iv. From the Action type option, determine how threats identified by the access rule selected in step ii will be handled (i.e., block, alert, redirect, or send a custom response).

  6. Optional. Audit production traffic using a new access rule.

    i. From the Rules section, click Access Rule.
    ii. From the Audit Access Rule option, select the desired access rule.

    Filter the Threats dashboard by the above access rule or the audit profile type to track detected threats.

    Disable auditing by setting the Audit Managed Rule option to No Audit Rule.

  7. Optional. Select a rate rule through which production traffic will be rate limited.

    If you have not already created the desired rate rule, you can save your Security Application Manager configuration, create a rate rule, edit your Security Application Manager configuration, and then resume this procedure.

    i. From the Rules section, click Rate Rules.
    ii. From the Add Rate Rule option, select the desired rate rule.

      If the selected rate rule contains a condition group, then a request must satisfy the Security Application Manager configuration's host and URL path match conditions and all of the conditions within at least one condition group in order to be eligible for rate limiting.

    iii. Optional. From the Action name option, type a name that describes the enforcement action configuration.
    iv. From the Action type option, determine how threats identified by the managed rule selected in step ii will be handled (i.e., drop request, alert, redirect, or send a custom response).

      WAF does not perform further evaluation of a request once enforcement is triggered. For this reason, we recommend that you limit your use of the Alert Only enforcement to the shortest amount of time necessary to validate changes to your configuration.

    v. From the Time period option, select the time period for which the action selected in the next step will be applied to clients that exceed the rate limit defined in the rate rule selected in step ii.

      A "client" is defined by each rate rule according to the Apply rate limit to option. For example, configuring that option to Any request will apply the selected action to all requests regardless of the number of requests generated by each device. Alternatively, identifying clients by IP Address will only apply the selected action to requests that originate from each IP address that violates the specified rate limit.

    vi. If you would like to apply an additional rate limit, then repeat steps ii - v.

      Use multiple rate rules to apply different rate limits to various traffic profiles. Set up this type of configuration using either a single or multiple Security Application Manager configurations. If you assign multiple rate rules to a single Security Application Manager configuration, then each rate rule should contain one or more condition group(s).

  8. Optional. Select a bot rule that identifies the set of production traffic to which a browser challenge will be applied.

    If you have not already created the desired bot rule, you can save your Security Application Manager configuration, create a bot rule, edit your Security Application Manager configuration, and then resume this procedure.

    i. From the Rules section, click Bot Rule.
    ii. From the Production Bot Rule option, select the desired bot rule.
    iii. Optional. From the Action type option, verify that it is set to Browser Challenge.
    iv. Optional. From the Action status option, determine the HTTP status code for the response provided to clients that are being served the browser challenge.
    v. Optional. From the Valid for (in minutes) option, type the number of minutes for which our CDN will serve content to a client that solves a browser challenge without requiring an additional browser challenge to be solved. Specify a value between 1 and 1,440 minutes.

  9. Optional. Select a custom rule through which production traffic will be screened and determine how threats identified by it are handled.

    If you have not already created the desired custom rule, you can save your Security Application Manager configuration, create a custom rule, edit your Security Application Manager configuration, and then resume this procedure.

    i. From the Rules section, click Custom Rule.
    ii. From the Production Custom Rule option, select the desired custom rule.
    iii. Optional. From the Action name option, type a name that describes the enforcement action configuration.
    iv. From the Action type option, determine how threats identified by the custom rule selected in step ii will be handled (i.e., block, alert, redirect, or send a custom response).

  10. Optional. Audit production traffic using a new custom rule.

    i. From the Rules section, click Custom Rule.
    ii. From the Audit Custom Rule option, select the desired custom rule.

    Filter the Threats dashboard by the above custom rule or the audit profile type to track detected threats.

    Disable auditing by setting the Audit Custom Rule option to No Audit Rule.

  11. Optional. Select a managed rule through which production traffic will be screened and determine how threats identified by it are handled.

    If you have not already created the desired managed rule, you can save your Security Application Manager configuration, create a managed rule, edit your Security Application Manager configuration, and then resume this procedure.

    i. From the Rules section, click Managed Rule.
    ii. From the Production Managed Rule option, select the desired managed rule.
    iii. Optional. From the Action name option, type a name that describes the enforcement action configuration.
    iv. From the Action type option, determine how threats identified by the managed rule selected in step ii will be handled (i.e., block, alert, redirect, or send a custom response).

  12. Optional. Audit production traffic using a new managed rule.

    i. From the Rules section, click Managed Rule.
    ii. From the Audit Managed Rule option, select the desired managed rule.

    Filter the Threats dashboard by the above managed rule or the audit profile type to track detected threats.

    Disable auditing by setting the Audit Managed Rule option to No Audit Rule.

  13. Click Save.
  14. Click Apply All Changes.
  15. Click Save Changes.

To reorder Security Application Manager configurations

  1. From the Security Application Manager page, drag the desired configuration's icon to the desired position.
  2. Click Apply All Changes.
  3. Click Save Changes.

If multiple Security Application Manager configurations are applicable to the same request, then consider updating their host or URL path conditions to a more restrictive pattern.

Traffic is always screened using the first eligible Security Application Manager configuration.

To modify a Security Application Manager configuration

  1. Navigate to the Security Application Manager page (from the main menu, navigate to More | Security | WAF Tier | Security Application Manager).

  2. Click on the desired Security Application Manager configuration.
  3. Make the desired changes.
  4. Click Save.
  5. Click Apply All Changes.
  6. Click Save Changes.

To delete a Security Application Manager configuration

  1. Navigate to the Security Application Manager page (from the main menu, navigate to More | Security | WAF Tier | Security Application Manager).

  2. Click on the desired Security Application Manager configuration.
  3. Click Delete Security Application Manager.
  4. Type DELETE.
  5. Click Delete.
  6. Click Apply All Changes.
  7. Click Save Changes.