Enable WAF on an Existing Site

Overview

You can use this document to enable the StackPath WAF on an existing site. 

The WAF combines all aspects of website security and traffic management, including Layer 7 DDoS protection, web app security, and more into a single SaaS tool.

• To get a high-level overview of the StackPath WAF, see Learn about the StackPath WAF.

Before you begin, to use this document and to prevent displaying errors to your visitors, you must already have an SSL certificate set up in your account.

• To add an SSL certificate to your account, see Create and Manage SSL Certificates. 

---

Step 1: Enable WAF for an existing site

With these instructions, you will enable a firewall product on your site, which may cause an interruption until the WAF is fully configured. As a result, StackPath recommends you enable the WAF when your website has low traffic.

1. In the StackPath Control Portal, in the left-side navigation menu, click Sites. 
2. Locate and select the desired site.
   • This action will refresh the portal. 
3. In the left-side navigation menu, click Overview. 
4. Navigate to the WAF section, and then use the slider to enable the WAF service. 

---

Step 2: Enable monitor mode

Before you configure the WAF, StackPath recommends that you set the WAF to monitor. While in monitor mode, the WAF will inspect all requests, but not block any request. This step is useful because you can inspect requests and test the WAF's behavior before you fully activate the WAF. 

• To learn more, see Learn and Enable the WAF's Monitor Mode.

1. In the StackPath Control Portal, in the left-side navigation menu, click Sites. 
2. Locate and select the desired site.
   • This action will refresh the portal. 
3. In the left-side navigation menu, click WAF. 
4. Next to WAF Mode, in the drop-down menu, select Monitor. 

---

Step 3: View monitor results

1. In the StackPath Control Portal, in the left-side navigation menu, click Sites. 
2. Locate and select the desired site.
   • This action will refresh the portal. 
3. In the left-side navigation menu, click Analytics. 
4. Click the WAF tab.
5. Review the information under Security Events. 
   • This table logs all requests and the corresponding action that the WAF will take once your WAF is in Protect mode. 
6. (Optional) To filter the list of requests based on the rule that the request triggered, click All Request Types, and then select a rule type.
   • To filter requests that triggered StackPath's predefined rules, select Policy. 
   • To filter requests that triggered custom rules created by users on your account, select Custom Rules.
7. (Optional) To view detailed information, select a specific request. 
   • In the following screenshot, a request was blocked because of the Challenge Automated Clients rule, which blocks requests if there is evidence that the request was automated and not made by a human user.

---

Step 4: Test WAF configurations in monitor mode

To configure your WAF, StackPath recommends that you navigate your website as both a user and as an administrator. With this, you can return to the Security Events table and determine if you need to create IP whitelist rules or custom WAF rules to allow requests to access your content. 

Specifically, review requests that relate to: 

• Your Origin IP
• Your Office IP
• Your Workstation IP

If the WAF projects that it will block these requests while in protect mode, then you should update the WAF to avoid issues. 

---

Step 5: Update WAF to allow administrators, bots, and CMS 

Before the WAF is fully live, you need to make sure that critical IP address, content management systems, and bots are allowed to make successful requests. 

Note: By default, the WAF will block all automated traffic except for traffic that is whitelisted. 

To allow admin IP addresses: 

1. In the StackPath Control Portal, in the left-side navigation menu, click Sites. 
2. Locate and select the desired site.
   • This action will refresh the portal. 
3. In the left-side navigation menu, click Firewall. 
4. Next to Allowed IPs, click Add IP/IP Range. 
5. In the entry that appears, enter any administrative users' public IP address, and then click Save. 
   • Repeat this step as needed. 

To allow content management systems that you use on your website, such as WordPress, to prevent a blocked admin panel: 

1. In the StackPath Control Portal, in the left-side navigation menu, click Sites. 
2. Locate and select the desired site.
   • This action will refresh the portal. 
3. In the left-side navigation menu, click WAF. 
4. Navigate to CMS Protection, and then use the slide to enable the desired content management system. 

To allow bots, such as Google: 

1. In the StackPath Control Portal, in the left-side navigation menu, click Sites. 
2. Locate and select the desired site.
   • This action will refresh the portal. 
3. In the left-side navigation menu, click WAF. 
4. Navigate to Allow Known Bots, and then use the slide to enable the desired bot. 

---

Step 6: Configure API

If you plan to serve JSON requests through an API on your domain, then the WAF can be configured to disable the JavaScript Injection and Captcha functionalities for specified API URL paths. 

• To learn more, see Add API Endpoints to the StackPath WAF.

---

Step 7: Edit DNS records

In this step, you will modify your DNS records to point to the WAF and to the CDN. This action will cause the WAF to inspect all requests before requests are passed to your origin server. 

1. In the StackPath Control Portal, in the left-side navigation menu, click Sites. 
2. Locate and select the desired site.
   • This action will refresh the portal. 
3. In the left-side navigation menu, click Overview.
4. Review the instructions in the portal, as well as the listed records to update. 

---

Step 8: Set WAF to protect mode

1. In the StackPath Control Portal, in the left-side navigation menu, click Sites. 
2. Locate and select the desired site.
   • This action will refresh the portal. 
3. In the left-side navigation menu, click WAF. 
4. Next to WAF Mode, in the drop-down menu, select Protect.
   • With this action, the WAF will begin to inspect and act upon incoming requests.  

---