Help Center

  1. StackPath Help
  2. WAF
  3. Portal User Guides

Enable WAF on an Existing Site

Avatar
Christopher Hotze
Updated:

Overview

You can use this document to enable the StackPath WAF on an existing site. 

The WAF combines all aspects of website security and traffic management, including Layer 7 DDoS protection, web app security, and more into a single SaaS tool.

Before you begin:

To use this document and to prevent errors to your users, you must already have an SSL certificate set up in your account.

Step 1: Enable WAF for an existing site

With these instructions, you will enable a firewall product on your site, which may cause an interruption until the WAF is fully configured. As a result, StackPath recommends you enable the WAF when your website has low traffic.

  1. In the StackPath Control Portal, in the left-side navigation menu, click Sites
  2. Locate and select the desired site.
    • This action will refresh the portal. 
  3. In the left-side navigation menu, click Overview
  4. Navigate to the WAF section, and then use the slider to enable the WAF service. 

Step 2: Enable monitor mode

Before you configure the WAF, StackPath recommends that you set the WAF to monitor. While in monitor mode, the WAF will inspect all requests, but not block any request. This step is useful because you can inspect requests and test the WAF's behavior before you fully activate the WAF. 

  1. In the StackPath Control Portal, in the left-side navigation menu, click Sites
  2. Locate and select the desired site.
    • This action will refresh the portal. 
  3. In the left-side navigation menu, click WAF
  4. Next to WAF Mode, in the drop-down menu, select Monitor

Step 3: View monitor results

  1. In the StackPath Control Portal, in the left-side navigation menu, click Sites
  2. Locate and select the desired site.
    • This action will refresh the portal. 
  3. In the left-side navigation menu, click Analytics
  4. Click the WAF tab.
  5. Review the information under Requests
    • This table logs all requests and the corresponding action that the WAF will take once your WAF is in Protect mode. 
  6. (Optional) To filter the list of requests based on the rule that the request triggered, click All Request Types, and then select a rule type.

    • To filter requests that triggered StackPath's predefined rules, select Policy - Blocked or Policy Whitelisted.

    • To filter requests that triggered custom rules created by users on your account, select Custom Rule - Blocked or Custom Rule - Whitelisted.

  7. (Optional) To view detailed information for a request, select the Rule Name for the corresponding request. 
    • In the following screenshot, a request was blocked because of the Challenge Automated Clients rule, which blocks requests if there is evidence that the request was automated and not made by a human user. WAF_in_Monitor_Mode.png

To learn more about how to filter for specific requests, see View WAF Analytics.

Step 4: Test WAF configurations in monitor mode

To configure your WAF, StackPath recommends that you navigate your website as both a user and as an administrator. With this, you can return to the Security Events table and determine if you need to create IP whitelist rules or custom WAF rules to allow requests to access your content. 

Specifically, review requests that relate to: 

  • Your Origin IP
  • Your Office IP
  • Your Workstation IP

If the WAF projects that it will block these requests while in protect mode, then you should update the WAF to avoid issues. 

Step 5: Update WAF to allow administrators, bots, and CMS 

Before the WAF is fully live, you need to make sure that critical IP address, content management systems, and bots are allowed to make successful requests. 

Note: By default, the WAF will block all automated traffic except for traffic that is whitelisted. 

To allow admin IP addresses: 

  1. In the StackPath Control Portal, in the left-side navigation menu, click Sites
  2. Locate and select the desired site.
    • This action will refresh the portal. 
  3. In the left-side navigation menu, click Firewall
  4. Next to Allowed IPs, click Add IP/IP Range
  5. In the entry that appears, enter any administrative users' public IP address, and then click Save. 
    • Repeat this step as needed. 

To allow content management systems that you use on your website, such as WordPress, to prevent a blocked admin panel: 

  1. In the StackPath Control Portal, in the left-side navigation menu, click Sites
  2. Locate and select the desired site.
    • This action will refresh the portal. 
  3. In the left-side navigation menu, click WAF
  4. Navigate to CMS Protection, and then use the slide to enable the desired content management system. 

To allow bots, such as Google: 

  1. In the StackPath Control Portal, in the left-side navigation menu, click Sites
  2. Locate and select the desired site.
    • This action will refresh the portal. 
  3. In the left-side navigation menu, click WAF
  4. Navigate to Allow Known Bots, and then use the slide to enable the desired bot. 

Step 6: Configure API

If you plan to serve JSON requests through an API on your domain, then the WAF can be configured to disable the JavaScript Injection and Captcha functionalities for specified API URL paths. 

Step 7: Edit DNS records

In this step, you will modify your DNS records to point to the WAF and to the CDN. This action will cause the WAF to inspect all requests before requests are passed to your origin server. 

  1. In the StackPath Control Portal, in the left-side navigation menu, click Sites
  2. Locate and select the desired site.
    • This action will refresh the portal. 
  3. In the left-side navigation menu, click Overview.
  4. Review the instructions in the portal, as well as the listed records to update. 

Screen_Shot_2019-12-16_at_12.21.00_PM.png

Step 8: Set WAF to protect mode

  1. In the StackPath Control Portal, in the left-side navigation menu, click Sites
  2. Locate and select the desired site.
    • This action will refresh the portal. 
  3. In the left-side navigation menu, click WAF
  4. Next to WAF Mode, in the drop-down menu, select Protect.
    • With this action, the WAF will begin to inspect and act upon incoming requests.  

Related documentation

  • To learn how to locate, understand, and filter WAF data for incoming requests, see View WAF Analytics.
Was this article helpful?

Related articles

Not finding what you need?

95% of questions can be answered using the search tool. This is the quickest way to get a response.

Contact Us