The StackPath Web Application Firewall (WAF) service bundles all aspects of website security and traffic management, including Layer 7 DDoS protection, web app security, and more into an easy-to-use SaaS tool, available right inside the StackPath Portal.
So, let's briefly touch on what exactly the WAF is and what it can do.
The StackPath WAF is a 2-tier system:
- The first tier is the WAF Servers themselves. The WAF nodes enforce traffic policies and deliver the actual WAF Service from each and every StackPath PoP.
- Second is a cloud-based Central Security Cloud (CSC), which analyzes high volumes of traffic for behavior profiling, inconsistency detection, and reputation recognition. This data continually updates the WAF nodes to provide a dynamic, behavioral approach to website security.
Together, these two tiers provide a security solution that continually adapts to real-world traffic behavior to better secure your site or web application.
Let's Get Started
This guide will focus on getting the WAF setup as quickly as possible, but if you would like to know more about how the WAF works, feel free to check out this article.
Now, let's get started!
This guide assumes that you have a valid, trusted SSL certificate set up in the StackPath Portal. If you still need to do this, please follow the article linked here for instructions on how to get that done.
We highly recommend doing this step before moving on, so as to prevent errors for visitors to your site. If you have just completed our CDN Integration Guide, then you have already completed this step as well.
Enable the WAF
The first thing we need to do is to enable the WAF so that we can begin configuring it. Navigate to your Site Overview page and set the toggle for the WAF to "ON".
Please note that at this point we are enabling a firewall product on your site. It is highly recommended that this be done during a time when you have low traffic, or when you can place your site "Under Maintenance".
As with any firewall product, there is a chance of interrupting your site until things are fully configured and dialed in.
Enable Monitor Mode
Next, set the WAF to Monitor Mode. In Monitor Mode the WAF logs the actions it would take without actually blocking requests, which helps keep important requests and services from being blocked while the WAF is being set up.
For more information on the operating modes for the WAF, feel free to check out this article. (Link will open in a new tab.)
Support Tip: Viewing Security Events in Monitor Mode
The Security Event Analytics view is an important tool to be familiar with when implementing the StackPath WAF with your site. This logs all actions that the WAF takes against requests to your domain.
In Monitor Mode, these events are especially useful because they give us a view into how the WAF will operate once we place it into Protect Mode.
Follow the steps below to navigate to your security events to look for any possible issues:
- Go to the Analytics option in the sidebar:
- Select the WAF tab:
- Scroll to the Security Events Section:
- Select the Desired Event for more details.
This example shows a request blocked for Invalid User Agent Prevention. This is a generic cURL request towards this example site's Edge Address. It's not carrying a typical browser's User Agent and does not need to be allowed through the WAF.
Support Tip: Testing the WAF Configuration in Monitor Mode
Another important step in configuring your WAF is to navigate around your site as if you were both a user and administrator to check for any security events that are generated. This will give insight into whether or not you need to create IP Whitelist Rules or even custom WAF Rules to allow these requests through.
Things you might want to look for are events generated for:
- Your Origin IP
- Your Office IP
- Your Workstation IP
If the WAF were to block any of these, it would almost certainly cause issues for the administration of your site, if not its functionality.
In the next section, we will go over how to allow these common things through the WAF while we are still in Monitor Mode, so as to make the change to Protect Mode as seamless as possible.
For more in-depth Security Event examples and information on troubleshooting blocked requests, please feel free to check out this article. (will open in new tab).
Allowing Administrators, Bots, and CMS Through the WAF
Before we go live with the WAF, we want to make sure that your mission-critical IP addresses, your Content Management System, and any bots you may be using are allowed through so they are not blocked from communicating with your origin.
Having all of this information handy will make whitelisting simple and very straightforward.
It's important to understand that, by default, the WAF will block ALL automated traffic EXCEPT traffic that has been whitelisted.
Let's begin with allowing Admin IPs through the WAF:
- Add any administrative users' public IP addresses to the WAF Whitelist in the Firewall tab.
- Next, we want to allow any CMS that are used on the site, like WordPress, through the WAF to prevent changes from the Admin panel being blocked:
- Then, we want to allow any bots such as Google and the like through the WAF to make sure that crawlers do not have issues getting through the WAF:
- Finally, if your site exposes APIs, register their paths in the API URL Configuration section:
  - Select WAF from the sidebar. The API URL Configuration section is found on this page.
  - Enter the path of each API under your domain that you would like to configure. API path entries:
    - are recursively allowed. For example, api/ allows api/v1/*, api/v2/*, etc.
    - do not accept regex/wildcard input. For example, use api/ instead of api/*
    - do not include the protocol (or domain). For example, use api/ instead of https://example.foobar.com/api/ (the domain is added automatically)
    - are case insensitive: API/ and api/ are interchangeable.
    - require one entry per API; add multiple entries for multiple APIs.
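The entry rules above are easy to get wrong when typing a long list into the portal, so here is an added example (not StackPath's code) that models them: it validates a list of intended API paths against each rule, produces the portal-ready form, and previews which request paths from a constructed access log each entry would cover. The portal is the authority on the real behaviour; in particular, matching on whole path segments (so that api/ covers api/v1 but not apiv2/) is this example's assumption, and the log lines are constructed.

```python
"""Preflight for WAF API URL Configuration entries (added example, not StackPath's code).

Models the rules stated in the guide: recursive prefix coverage, no
regex/wildcards, no protocol or domain, case-insensitive, one API per
entry.  Segment-boundary matching is an assumption of this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class EntryCheck:
    raw: str
    normalized: Optional[str]  # portal-ready form, or None when rejected
    problem: Optional[str]     # why it was rejected


def check_entry(raw: str) -> EntryCheck:
    """Validate one intended API path against the guide's rules."""
    value = raw.strip()
    if not value:
        return EntryCheck(raw, None, "empty entry")
    if "://" in value or value.startswith("//"):
        # Rule: no protocol or domain; the domain is added automatically.
        return EntryCheck(raw, None, "remove the protocol and domain: use api/ not https://example.foobar.com/api/")
    if any(ch in value for ch in "*?[]()|^$"):
        # Rule: no regex/wildcard input; api/ already covers api/v1/* etc.
        return EntryCheck(raw, None, "wildcards/regex are not accepted: use api/ instead of api/*")
    if "," in value or " " in value:
        # Rule: one API per entry.
        return EntryCheck(raw, None, "enter one API path per entry")
    # Rule: entries are case insensitive, so normalise to lower case and a
    # single trailing slash (the trailing slash form is this example's choice).
    normalized = value.strip("/").lower()
    if not normalized:
        return EntryCheck(raw, None, "entry must name a path under the domain")
    return EntryCheck(raw, normalized + "/", None)


def covered_by(request_path: str, entries: List[str]) -> Optional[str]:
    """Return the normalized entry covering a request path, or None.

    Assumed semantics: recursive, case-insensitive prefix match on whole
    path segments, so api/ covers /API/v2/orders but not /apiv2/.
    """
    path = urlsplit(request_path).path.strip("/").lower()
    segments = path.split("/") if path else []
    for entry in entries:
        entry_segments = entry.strip("/").split("/")
        if segments[: len(entry_segments)] == entry_segments:
            return entry
    return None


# Constructed sample access-log lines: "<method> <path> <status>".
CONSTRUCTED_ACCESS_LOG = [
    "GET /api/v1/users 200",
    "POST /API/v2/orders 201",
    "GET /apiv2/legacy 200",
    "GET /wp-admin/ 200",
    "GET /internal/api/health 200",
]


def preview(entries_raw: List[str], log_lines: List[str]) -> Dict[str, Optional[str]]:
    """Map each logged path to the entry that would cover it (rejected entries are skipped)."""
    accepted = [c.normalized for c in map(check_entry, entries_raw) if c.normalized]
    result: Dict[str, Optional[str]] = {}
    for line in log_lines:
        path = line.split()[1]
        result[path] = covered_by(path, accepted)
    return result


if __name__ == "__main__":
    intended = ["api/", "api/*", "https://example.foobar.com/api/", "internal/api"]
    for check in map(check_entry, intended):
        print(f"{check.raw!r}: {check.normalized or 'REJECTED (' + str(check.problem) + ')'}")
    for path, entry in preview(intended, CONSTRUCTED_ACCESS_LOG).items():
        print(f"{path} -> {entry}")
```

Run it with your own list of intended entries first; anything reported as rejected would also be wrong in the portal, and the preview shows you which logged paths are covered by which entry (for example, /internal/api/health is only covered because internal/api is registered explicitly, not by api/).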
Now that we've primed the WAF with these settings, it's time to move on to the Go-Live part of this guide and edit your DNS records.
Editing DNS Records
After enabling the WAF and setting the WAF to Monitor Mode, the next step will be to actually integrate the WAF by modifying your DNS records to point to the WAF and CDN.
NOTE - Just as with the SSL Certificate, if you have already completed our CDN Integration Guide, you have already completed this step and may move on.
- First, navigate to your Overview Dashboard; you will see a view similar to the one below.
- Follow the instructions in the Portal to modify your DNS records. This will point your domain to the WAF so that it can begin inspecting all requests before passing them to your origin server.
- Depending on your DNS provider and the TTL on your existing DNS records, these changes may take some time to propagate. To check to see if your integration has been completed, you can follow the steps in this article, which walk you through verifying this information. (Link will open in a new tab)
Setting WAF to Protect Mode
As you may recall, earlier in this guide we set the WAF to Monitor Mode to keep it from blocking requests while it was being set up. Now that the WAF is set up, the next step is to set it to Protect Mode so that it begins acting on requests coming into your site.
Navigate to the WAF Tab of your StackPath portal and set the mode to ON:
Congratulations! Your site is now set up and being protected by the WAF. Please feel free to check out the articles in the following section for useful information on dialing in and leveraging the powerful features of the StackPath Web Application Firewall.
You have now successfully integrated the StackPath WAF with your site and can now begin setting up things like custom WAF Rules, Rate Limiting, and analyzing blocked requests! Below are a few useful articles to help you get familiar with the WAF and how to use it to its full potential. (Links will open in a new tab)
- Analyzing Security Events: this article will show you how to look at the WAF analytics to make sure blocked events are legitimate should you get reports of users being blocked.
- What to Do About WAF Blocks: an introduction to allowing critical services through your WAF instance when you find a Security Event showing they have been blocked.
- Creating Custom WAF Rules: a breakdown of the custom Rules features and how to utilize them.
- Explaining WAF Security Screens: breaking down the various screens that visitors to your site may see and what they mean.
- Setting Up Rate Limiting: how to create custom Rate-limit rules to tailor your site to your users' behavior and protect your origin from volume-based threats.
We hope this guide was helpful in getting you all set up and ready to go with the StackPath WAF. As always, if you have any questions or issues at all, please do not hesitate to reach out to support via live chat or email.