Help Center

  1. StackPath Help
  2. WAF
  3. Getting Started

Setting up a WAF Instance on an Existing Site

Avatar
Joelle Lanke
Updated:

Overview

StackPath's WAF combines all aspects of website security and traffic management, including Layer 7 DDoS protection, web app security and more into a single SaaS tool.

This document serves as a guide that will walk you through how to add WAF to an existing site.

Before you begin, consider the following statements:

  • You must already have an SSL certificate set up in your account to prevent errors to your users.
  • Once enabled, your traffic will be diverted to the WAF which may result in temporary disruption to your end users. As a result, StackPath recommends you obtain the WAF during a period of low traffic.
  • StackPath offers 3 types of WAF: Essentials, Professional and Enterprise.

Step 1: Obtain WAF for an Existing Site

  1. In the StackPath Control Portal, in the left-side navigation menu, click Stacks.
  2. Locate and select the desired Stack.
  3. In the left-side navigation menu, click Sites.
  4. Locate and select the desired Site.
  5. In the left-side navigation, click WAF.
  6. Review your options:
    • If you do not have WAF, then review the product information, and then click Continue. This action will refresh the page with the WAF enabled.
    • If you already have WAF Essentials and want to upgrade to WAF Professional or WAF Enterprise, you can accomplish this by adjusting your subscription from the Billing page.

Step 2: Enable Monitor Mode

Before you configure any WAF settings, StackPath recommends that you set WAF Mode to Monitor. While in Monitor mode, the WAF will inspect all requests, but will not block any of them. This feature is useful because it allows you to inspect requests and test the WAF's behavior before fully activating WAF's Protect mode. 

To learn more, see Learn and Enable the WAF's Monitor Mode.

  1. In the Dashboard section located in the StackPath Control Portal, in the left-side navigation menu, click Sites.
  2. Locate and select the desired site.
  3. In the left-side navigation, click WAF.
  4. Next to WAF Mode, click the drop-down menu and select Monitor.

Monitor.png

Step 3: View Results

  1. In the Dashboard section located in the StackPath Control Portal, in the left-side navigation menu, click Sites.
  2. Locate and select the desired site.
  3. In the left-side navigation, click Analytics.
  4. Click the WAF tab.
  5. Review the information under Requests.
    • This table logs all requests and the corresponding action that the WAF will take once the WAF is in Protect mode.Screen_Shot_2022-04-18_at_3.03.35_PM.png
  6. To filter the list of requests based on the type of rule that the request triggered, click Traffic Types in the drop-down menu.

    • To filter requests that triggered StackPath's predefined rules, select Policy - Blocked or Policy - Allowed.

    • To filter requests that triggered custom rules created by users on your account, select Custom Rule - Blocked or Custom Rule - Allowed.

    • Policy - Blocked and Custom Rule - Blocked are the default filters.
  7. To view detailed information for a request, select the Rule Name for the corresponding request.
    • In the following screenshot, you will find that this specific request was blocked as a result of the Challenge Automated Clients policy, which blocks requests if there is evidence that the request was automated and not made by a human user. WAF_in_Monitor_Mode.png
To learn more about how to filter for specific requests, see View WAF Analytics.

Step 4: Test WAF Configurations

In order to achieve your desired WAF behavior and configuration, StackPath recommends that you navigate through your website as both a user and as an administrator. The act of site navigation will generate entries in the Requests table, which you can then use to determine if you need to create IP whitelist rules or custom WAF rules to allow requests access to your site's content. 

Specifically, review requests that relate to: 

  • Your Origin IP
  • Your Office IP
  • Your Workstation IP

If the WAF projects that it will block these requests while in Protect mode, then you should update your WAF settings to avoid issues. Step 5 below will further explain how you can update your settings.

Please see our Allowing and Blocking IP Addresses article for more information.

Step 5: Allow Admins, Bots, and CMS 

Before the WAF is fully live, you need to make sure that critical IP addresses, content management systems, and bots are allowed to make successful requests. 

Allowing Admin IP Addresses:

If your site does not use a CMS, then we highly recommend whitelisting the site administrator's IP address.

  1. In the Dashboard section located in the StackPath Control Portal, in the left-side navigation menu, click Sites.
  2. Locate and select the desired site.
  3. In the left-side navigation menu, click Firewall
  4. Next to Allowed IPs, click Add IP/IP Range
    • Note: Our platform only supports IPv4 addresses at this time.
  5. In the entry that appears, enter your administrative users' public IP address, and then click Save. 
    • Repeat this step as needed. 

Firewall.png

Allowing Content Management Systems:

Follow the steps below to allow content management systems that you use on your website, such as WordPress, which will prevent a blocked admin panel: 

  1. In the StackPath Control Portal, in the left-side navigation menu, click Sites
  2. Locate and select the desired site.
  3. In the left-side navigation menu, click WAF
  4. Navigate to CMS Protection, and then use the toggle buttons to enable/disable the desired content management system. 
    • The WordPress WAF Ruleset and Requests from Origin's IP policies are both enabled by default.

3.png

Allowing Bots

Follow the steps below to give bots, such as Google, the ability to crawl your site:

  1. In the Dashboard section located in the StackPath Control Portal, in the left-side navigation menu, click Sites.
  2. Locate and select the desired site.
  3. In the left-side navigation menu, click WAF
  4. Navigate to Allow Known Bots, and then use the slide to enable the desired bot. 
    • There are a few trusted bots in this section that are allowed by default, which is one of the reasons why we recommend reviewing this list before enabling the WAF's Protect mode.

4.png

Step 6: Configure your API

If you plan to serve JSON requests through an API on your domain, then the WAF can be configured to disable the JavaScript Injection and Captcha functionalities for specified API URL paths. API.png

To learn more, see Adding API Endpoints to the StackPath WAF.

Step 7: Edit DNS Records

In this step, you will modify your site's DNS records to point to the WAF and/or CDN. After you modify your DNS records, your site's traffic will begin passing through StackPath's network, which will allow the WAF to inspect all requests. 

If your site is already connected to our CDN using a "Full Site Integration", then you may disregard this step and move on to Step 8.
  1. In the Dashboard section located in the StackPath Control Portal, in the left-side navigation menu, click Sites.
  2. Locate and select the desired site.
  3. In the left-side navigation menu, click Overview.
  4. Review the instructions in the portal, as well as the listed records to update. 

DNS_Records.png

Traffic will not begin passing through StackPath's network until those updated DNS records have fully propagated. To check the propagation status, we recommend using some type of Global DNS Propagation Checker.

Step 8: Enable Protect Mode

  1. In the Dashboard section located in the StackPath Control Portal, in the left-side navigation menu, click Sites.
  2. Locate and select the desired site.
  3. In the left-side navigation menu, click WAF
  4. Next to WAF Mode, in the drop-down menu, select Protect.
    • With this action, the WAF will begin to inspect and act upon incoming requests.  

Related Documentation

Once you have completed your WAF setup, be sure to review your WAF settings.

We also recommend whitelisting StackPath's CDN/WAF IP blocks on your internal firewall and/or with your hosting provider to prevent any unexpected errors.

Was this article helpful?

Related articles

Not finding what you need?

95% of questions can be answered using the search tool. This is the quickest way to get a response.

Contact Us