Overview
WAF combines all aspects of website security and traffic management, including Layer 7 DDoS protection, web app security, and more into a single SaaS tool.
In the StackPath Control Portal, when you create a site, the portal will display a wizard to help you navigate the site creation process. This document helps to complement those on-screen instructions.
Before you begin, consider the following statements:
- Once enabled, your traffic will be diverted to the WAF, which may result in temporary disruption to your end users. As a result, StackPath recommends that you enable the WAF during a period of low traffic.
- StackPath offers 3 types of WAF: Essentials, Professional and Enterprise.
- You can learn more about our WAF packages here.
Step 1: Create a Site
- In the StackPath Control Portal, in the left-side navigation menu, click Stacks.
- Locate and select the desired Stack.
- Under the Site section in the Dashboard, click the Create Site button.
- Select Full Site Integration.
- Enter the Domain Name and select Web Application Firewall (WAF).
- Enter the domain's Origin IP Address (The IP will likely auto-populate).
- Upload or create an SSL certificate. For more information on this step, please see Create and Manage SSL Certificates.
- Edit your site's DNS records as per the on-screen instructions.
Traffic will not begin passing through StackPath's network until those updated DNS records have fully propagated. To check the propagation status, we recommend using some type of Global DNS Propagation Checker.
Step 2: Enable Monitor Mode
Before you configure any WAF settings, StackPath recommends that you set the WAF to Monitor. While in Monitor mode, the WAF will inspect all requests, but not block any of them. This step is useful because you can inspect requests and test the WAF's behavior before you fully activate the WAF in Protect mode.
To learn more, see Learn and Enable the WAF's Monitor Mode.
- In the Dashboard section located in the StackPath Control Portal, in the left-side navigation menu, click Sites.
- Locate and select the desired site.
- In the left-side navigation, click WAF.
- Next to WAF Mode, click the drop-down menu and select Monitor.
Step 3: View Results
- In the Dashboard section located in the StackPath Control Portal, in the left-side navigation menu, click Sites.
- Locate and select the desired site.
- In the left-side navigation, click Analytics.
- Click the WAF tab.
- Review the information under Requests.
- This table logs all requests and the corresponding action that the WAF will take once your WAF is in Protect mode.
- To filter the list of requests based on the rule that the request triggered, click Traffic Types in the drop-down menu.
  - To filter requests that triggered StackPath's predefined rules, select Policy - Blocked or Policy - Allowed.
  - To filter requests that triggered custom rules created by users on your account, select Custom Rule - Blocked or Custom Rule - Allowed.
  - Policy - Blocked and Custom Rule - Blocked are the default filters.
- To view detailed information for a request, select the Rule Name for the corresponding request.
- In the following screenshot, you can see that this specific request was blocked as a result of the Challenge Automated Clients policy, which blocks requests if there is evidence that the request was automated and not made by a human user.
To learn more about how to filter for specific requests, see View WAF Analytics.
Step 4: Test WAF Configurations
To achieve your desired WAF behavior and configuration, StackPath recommends that you navigate through your website both as a regular user and as an administrator. Navigating the site generates entries in the Requests table, which you can then use to determine whether you need to create IP whitelist rules or custom WAF rules so that legitimate requests can reach your site's content.
Specifically, review requests that relate to:
- Your Origin IP
- Your Office IP
- Your Workstation IP
If the WAF projects that it will block these requests while in Protect mode, then you should update your WAF settings to avoid issues. Step 5 below will further explain how you can update your settings.
Please see our IP Firewall article for more information.
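The review in Step 4 can be done by hand in the Requests table, but when the table is large it is easier to export it and check it programmatically. The script below is an added example and is not StackPath's code or the portal's export format: it assumes a CSV export with `client_ip`, `path`, `rule_name` and `projected_action` columns (all constructed here), takes the three addresses Step 4 asks you to review (origin, office and workstation, constructed sample values), lists which of them the WAF would block once in Protect mode, and produces the addresses that need an Allowed IPs entry before you switch modes. It also enforces the IPv4-only limitation of the Allowed IPs list mentioned in Step 5.

```python
import csv
import io
import ipaddress

# Constructed sample of a Monitor-mode Requests table export. The column names
# are an assumption for this example; the real StackPath export may differ.
SAMPLE_REQUESTS = """client_ip,path,rule_name,projected_action
203.0.113.10,/wp-admin/edit.php,Challenge Automated Clients,Blocked
198.51.100.7,/,Policy - Allowed,Allowed
203.0.113.10,/wp-login.php,WordPress WAF Ruleset,Blocked
192.0.2.25,/api/health,Requests from Origin's IP,Allowed
2001:db8::1,/,Challenge Automated Clients,Blocked
"""

# Constructed addresses standing in for the three IPs Step 4 asks you to review.
CRITICAL_IPS = {
    "origin": "192.0.2.25",
    "office": "203.0.113.10",
    "workstation": "198.51.100.7",
}


def parse_requests(text):
    """Parse the CSV export into a list of dicts, one per logged request."""
    return list(csv.DictReader(io.StringIO(text)))


def ipv4_only(ip_str):
    """Return the address as an IPv4Address, or raise ValueError.

    The Allowed IPs list only accepts IPv4 at this time, so anything else
    (including a syntactically valid IPv6 address) is rejected up front.
    """
    addr = ipaddress.ip_address(ip_str.strip())
    if addr.version != 4:
        raise ValueError(f"{ip_str} is not an IPv4 address")
    return addr


def projected_blocks(rows, critical):
    """Map each critical-IP label to the (path, rule_name) pairs the WAF
    would block for that address once it is in Protect mode."""
    wanted = {ipaddress.ip_address(ip): label for label, ip in critical.items()}
    hits = {label: [] for label in critical}
    for row in rows:
        try:
            addr = ipaddress.ip_address(row["client_ip"])
        except ValueError:
            continue  # skip a malformed client_ip rather than abort the review
        label = wanted.get(addr)
        if label is not None and row["projected_action"].strip().lower() == "blocked":
            hits[label].append((row["path"], row["rule_name"]))
    return hits


def allowlist_candidates(rows, critical):
    """Return the sorted IPv4 addresses that need an Allowed IPs entry
    before Protect mode is enabled."""
    out = set()
    for label, entries in projected_blocks(rows, critical).items():
        if entries:
            out.add(str(ipv4_only(critical[label])))
    return sorted(out)


if __name__ == "__main__":
    rows = parse_requests(SAMPLE_REQUESTS)
    for label, entries in projected_blocks(rows, CRITICAL_IPS).items():
        for path, rule in entries:
            print(f"{label} ({CRITICAL_IPS[label]}) would be blocked on {path} by {rule}")
    print("Add to Allowed IPs:", allowlist_candidates(rows, CRITICAL_IPS))
```

With the constructed sample, the office address would be blocked twice (once by Challenge Automated Clients, once by the WordPress ruleset) and is the only candidate for the Allowed IPs list; the origin and workstation addresses are already projected as allowed. Whether an allow entry is the right fix, or a custom rule is, is still a judgment call for the matching rule name.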
Step 5: Allow Admins, Bots, and CMS
Before the WAF is fully live, you need to make sure that critical IP addresses, content management systems, and bots are allowed to make successful requests.
Allowing Admin IP Addresses:
If your site does not use a CMS, then we highly recommend whitelisting the site administrator's IP address.
- In the Dashboard section located in the StackPath Control Portal, in the left-side navigation menu, click Sites.
- Locate and select the desired site.
- In the left-side navigation menu, click Firewall.
- Next to Allowed IPs, click Add IP/IP Range.
- Note: Our platform only supports IPv4 addresses at this time.
- In the entry that appears, enter any administrative users' public IP address, and then click Save.
- Repeat this step as needed.
Allowing Content Management Systems (CMS):
Allow any content management system that you use on your website, such as WordPress, so that its admin panel is not blocked:
- In the Dashboard section located in the StackPath Control Portal, in the left-side navigation menu, click Sites.
- Locate and select the desired site.
- In the left-side navigation menu, click WAF.
- Navigate to CMS Protection, and then use the slider to enable the desired content management system.
- The WordPress WAF Ruleset and Requests from Origin's IP policies are both enabled by default.
Allowing Bots
Follow the steps below to give bots, such as Google, the ability to crawl your site:
- In the Dashboard section located in the StackPath Control Portal, in the left-side navigation menu, click Sites.
- Locate and select the desired site.
- In the left-side navigation menu, click WAF.
- Navigate to Allow Known Bots, and then use the slider to enable the desired bot.
- There are a few trusted bots in this section that are allowed by default, which is why we recommend reviewing this list before enabling the WAF's Protect mode.
Step 6: Configure your API
If you plan to serve JSON requests through an API on your domain, then the WAF can be configured to disable the JavaScript Injection and Captcha functionalities for specified API URL paths.
To learn more, see Add API Endpoints to the StackPath WAF.
Step 7: Enable Protect Mode
- In the Dashboard section located in the StackPath Control Portal, in the left-side navigation menu, click Sites.
- Locate and select the desired site.
- In the left-side navigation menu, click WAF.
- Next to WAF Mode, in the drop-down menu, select Protect.
- With this action, the WAF will begin to inspect and act upon incoming requests.
Related Documentation
Once you have completed your WAF setup, be sure to review your WAF settings.
We also recommend whitelisting StackPath's WAF IP blocks on your internal firewall and/or with your hosting provider to prevent any unexpected errors.
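A practical way to verify the last recommendation is to compare your origin server's access log against the WAF's published address blocks: every request that arrives at the origin should come from one of those blocks once DNS has propagated, and anything else is traffic your internal firewall or hosting provider has not been told about. The script below is an added example, not StackPath's code; the CIDR list is a labelled placeholder (use StackPath's actual published WAF IP blocks), the log lines are constructed, and the nftables table and chain names are assumptions for whatever your own firewall uses.

```python
import ipaddress
import re

# PLACEHOLDER ranges for this example only: replace with StackPath's published
# WAF IP blocks before using this against a real origin.
WAF_IP_BLOCKS_PLACEHOLDER = ["198.51.100.0/24", "203.0.113.0/25"]

# Constructed origin access-log lines in Apache/nginx combined-log style.
SAMPLE_ORIGIN_LOG = """\
198.51.100.33 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.77 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-login.php HTTP/1.1" 200 1187
192.0.2.200 - - [10/Oct/2023:13:56:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1187
203.0.113.200 - - [10/Oct/2023:13:56:10 +0000] "POST /api/v1/items HTTP/1.1" 201 44
"""

# The client address is the first whitespace-delimited field of a combined-log line.
_CLIENT_IP_RE = re.compile(r"^(\S+) ")


def load_networks(cidrs):
    """Parse CIDR strings into network objects (strict, so a host bit set is an error)."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_from_waf(ip_str, networks):
    """True when the address falls inside any of the WAF address blocks."""
    addr = ipaddress.ip_address(ip_str)
    return any(addr in net for net in networks)


def classify_origin_hits(log_text, cidrs):
    """Split origin log lines into (via_waf, direct) client-IP lists.

    'direct' is traffic that reached the origin without passing through a WAF
    block: either a source your firewall rules do not cover, or a stale DNS
    answer still pointing clients at the origin, or an unparsable address.
    """
    nets = load_networks(cidrs)
    via_waf, direct = [], []
    for line in log_text.splitlines():
        m = _CLIENT_IP_RE.match(line)
        if not m:
            continue  # not a request line we recognise
        ip = m.group(1)
        try:
            (via_waf if is_from_waf(ip, nets) else direct).append(ip)
        except ValueError:
            direct.append(ip)  # unparsable address: treat as not from the WAF
    return via_waf, direct


def nft_allow_rules(cidrs, table="inet filter", chain="input"):
    """Render nftables commands that accept HTTP/HTTPS from each WAF block.

    Table and chain names are assumptions; adapt them to your ruleset.
    """
    rules = []
    for c in cidrs:
        net = ipaddress.ip_network(c, strict=True)
        family = "ip" if net.version == 4 else "ip6"
        rules.append(
            f"nft add rule {table} {chain} {family} saddr {net} tcp dport {{ 80, 443 }} accept"
        )
    return rules


if __name__ == "__main__":
    via, direct = classify_origin_hits(SAMPLE_ORIGIN_LOG, WAF_IP_BLOCKS_PLACEHOLDER)
    print("Requests via WAF blocks:", via)
    print("Requests NOT from WAF blocks (review firewall/DNS):", direct)
    print("\n".join(nft_allow_rules(WAF_IP_BLOCKS_PLACEHOLDER)))
```

On the constructed log, two requests fall inside the placeholder blocks and two do not (one from an unrelated range, one just past the /25 boundary). A steady stream of "direct" entries after propagation means those requests are never inspected by the WAF, so the list is worth checking alongside the generated allow rules rather than only when errors appear.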