Overview
StackPath's WAF combines website security and traffic management features, including Layer 7 DDoS protection and web application security, in a single SaaS tool.
This document serves as a guide that will walk you through how to add WAF to an existing site.
Before you begin, note the following:
- You must already have an SSL certificate set up in your account; otherwise your users will receive certificate errors once their traffic is routed through StackPath.
- To add an SSL certificate to your account, see Create and Manage SSL Certificates.
- Once enabled, your traffic will be diverted to the WAF, which may cause a temporary disruption for your end users. StackPath therefore recommends that you enable the WAF during a period of low traffic.
- StackPath offers 3 types of WAF: Essentials, Professional and Enterprise.
- Please reference our WAF Packages Offerings document to learn more.
Step 1: Obtain WAF for an Existing Site
- In the StackPath Control Portal, in the left-side navigation menu, click Stacks.
- Locate and select the desired Stack.
- In the left-side navigation menu, click Sites.
- Locate and select the desired Site.
- In the left-side navigation, click WAF.
- Review your options:
- If you do not have WAF, then review the product information, and then click Continue. This action will refresh the page with the WAF enabled.
- If you already have WAF Essentials and want to upgrade to WAF Professional or WAF Enterprise, you can accomplish this by adjusting your subscription from the Billing page.
- Please refer to our Manage Subscription Plan article for more information on how to do this.
Step 2: Enable Monitor Mode
Before you configure any WAF settings, StackPath recommends that you set WAF Mode to Monitor. In Monitor mode, the WAF inspects every request and records the action it would take, but blocks nothing. This lets you review the projected results and tune the configuration before switching to Protect mode.
To learn more, see Learn and Enable the WAF's Monitor Mode.
- In the Dashboard section located in the StackPath Control Portal, in the left-side navigation menu, click Sites.
- Locate and select the desired site.
- In the left-side navigation, click WAF.
- Next to WAF Mode, click the drop-down menu and select Monitor.
Step 3: View Results
- In the Dashboard section located in the StackPath Control Portal, in the left-side navigation menu, click Sites.
- Locate and select the desired site.
- In the left-side navigation, click Analytics.
- Click the WAF tab.
- Review the information under Requests.
- This table logs all requests and the corresponding action that the WAF will take once the WAF is in Protect mode.
- To filter the list of requests based on the type of rule that the request triggered, click the Traffic Types drop-down menu.
  - To filter requests that triggered StackPath's predefined rules, select Policy - Blocked or Policy - Allowed.
  - To filter requests that triggered custom rules created by users on your account, select Custom Rule - Blocked or Custom Rule - Allowed.
  - Policy - Blocked and Custom Rule - Blocked are the default filters.
- To view detailed information for a request, select the Rule Name for the corresponding request.
- In the following screenshot, you will find that this specific request was blocked as a result of the Challenge Automated Clients policy, which blocks requests if there is evidence that the request was automated and not made by a human user.
To learn more about how to filter for specific requests, see View WAF Analytics.
Step 4: Test WAF Configurations
In order to achieve your desired WAF behavior and configuration, StackPath recommends that you navigate through your website as both a user and as an administrator. The act of site navigation will generate entries in the Requests table, which you can then use to determine if you need to create IP whitelist rules or custom WAF rules to allow requests access to your site's content.
Specifically, review requests that relate to:
- Your Origin IP
- Your Office IP
- Your Workstation IP
If the Requests table shows that these requests would be blocked in Protect mode, update your WAF settings before enabling it; otherwise your origin, office, or workstation traffic will be cut off the moment Protect mode goes live. Step 5 below explains how to update your settings.
Please see our Allowing and Blocking IP Addresses article for more information.
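The review described in this step can be done by hand in the portal, but on a busy site the Requests table is long. The following Python script is an added example, not StackPath's code or export format: it takes a Monitor-mode capture of the Requests table (the column names, the sample rows and the trusted addresses are constructed here), finds every request that Protect mode would block from your origin, office, or workstation, and produces the IPv4 entries to add under Allowed IPs. It also separates out IPv6 sources, because the Allowed IPs list only accepts IPv4 (see Step 5), so those need a different control.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample of the Analytics > WAF > Requests table, captured while the
# WAF is in Monitor mode. Column names are assumptions, not StackPath's export format.
SAMPLE_REQUESTS = [
    {"client_ip": "203.0.113.10",  "path": "/wp-admin/",    "rule": "Challenge Automated Clients", "action": "Blocked"},
    {"client_ip": "203.0.113.10",  "path": "/",             "rule": "-",                           "action": "Allowed"},
    {"client_ip": "198.51.100.7",  "path": "/api/orders",   "rule": "Custom Rule - Blocked",       "action": "Blocked"},
    {"client_ip": "192.0.2.44",    "path": "/wp-login.php", "rule": "WordPress WAF Ruleset",       "action": "Blocked"},
    {"client_ip": "192.0.2.44",    "path": "/",             "rule": "-",                           "action": "Allowed"},
    {"client_ip": "2001:db8::1",   "path": "/",             "rule": "Challenge Automated Clients", "action": "Blocked"},
    {"client_ip": "203.0.113.200", "path": "/admin",        "rule": "Challenge Automated Clients", "action": "Blocked"},  # untrusted scanner
]

# The addresses Step 4 tells you to watch (constructed values): a single host or a CIDR each.
TRUSTED = {
    "origin": "203.0.113.10",
    "office": "198.51.100.0/24",
    "workstation": "192.0.2.44",
}

Finding = Tuple[str, str, str, str]  # (label, client_ip, rule, path)


def parse_trusted(trusted: Dict[str, str]) -> Dict[str, ipaddress.IPv4Network]:
    """Turn 'label -> IP or CIDR' into IPv4 networks. The Allowed IPs list is
    IPv4-only, so anything else is rejected before it causes a silent gap."""
    nets = {}
    for label, value in trusted.items():
        net = ipaddress.ip_network(value, strict=False)
        if net.version != 4:
            raise ValueError(f"{label}: {value} is not IPv4; the Allowed IPs list only accepts IPv4")
        nets[label] = net
    return nets


def projected_blocks(requests: List[dict], trusted_nets: Dict[str, ipaddress.IPv4Network]) -> List[Finding]:
    """Monitor-mode rows that Protect mode would block from a trusted source."""
    findings = []
    for req in requests:
        if req["action"] != "Blocked":
            continue
        ip = ipaddress.ip_address(req["client_ip"])
        if ip.version != 4:
            continue  # reported separately by unlistable_sources()
        for label, net in trusted_nets.items():
            if ip in net:
                findings.append((label, req["client_ip"], req["rule"], req["path"]))
    return findings


def allowlist_entries(findings: List[Finding], trusted_nets: Dict[str, ipaddress.IPv4Network]) -> List[str]:
    """Deduplicated entries to add under Firewall > Allowed IPs: the whole trusted
    range for a CIDR, a /32 for a single host, sorted by address."""
    entries = {str(trusted_nets[label]) for label, *_ in findings}
    return sorted(entries, key=ipaddress.ip_network)


def unlistable_sources(requests: List[dict]) -> List[str]:
    """Blocked IPv6 clients: they cannot go into Allowed IPs, so they need another control."""
    seen: List[str] = []
    for req in requests:
        if req["action"] == "Blocked" and ipaddress.ip_address(req["client_ip"]).version == 6:
            if req["client_ip"] not in seen:
                seen.append(req["client_ip"])
    return seen


if __name__ == "__main__":
    nets = parse_trusted(TRUSTED)
    found = projected_blocks(SAMPLE_REQUESTS, nets)
    for label, ip, rule, path in found:
        print(f"Protect mode would block {label:<11} {ip:<15} {path:<15} via {rule}")
    print("Add to Allowed IPs:", allowlist_entries(found, nets))
    print("Blocked IPv6 sources (not allowlistable):", unlistable_sources(SAMPLE_REQUESTS))
```

Run it against your own capture by replacing the two constructed tables; a blocked request from 203.0.113.200 in the sample is deliberately left alone, since allowlisting every blocked address would defeat the WAF.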
Step 5: Allow Admins, Bots, and CMS
Before the WAF is fully live, you need to make sure that critical IP addresses, content management systems, and bots are allowed to make successful requests.
Allowing Admin IP Addresses:
If your site does not use a CMS, then we highly recommend whitelisting the site administrator's IP address.
- In the Dashboard section located in the StackPath Control Portal, in the left-side navigation menu, click Sites.
- Locate and select the desired site.
- In the left-side navigation menu, click Firewall.
- Next to Allowed IPs, click Add IP/IP Range.
- Note: Our platform only supports IPv4 addresses at this time.
- In the entry that appears, enter the public IPv4 address of the administrative user, and then click Save.
- Repeat this step as needed.
Allowing Content Management Systems:
Follow the steps below to allow the content management system you use on your website, such as WordPress, so that the WAF does not block its admin panel:
- In the StackPath Control Portal, in the left-side navigation menu, click Sites.
- Locate and select the desired site.
- In the left-side navigation menu, click WAF.
- Navigate to CMS Protection, and then use the toggle buttons to enable/disable the desired content management system.
- The WordPress WAF Ruleset and Requests from Origin's IP policies are both enabled by default.
Allowing Bots
Follow the steps below to give bots, such as Google, the ability to crawl your site:
- In the Dashboard section located in the StackPath Control Portal, in the left-side navigation menu, click Sites.
- Locate and select the desired site.
- In the left-side navigation menu, click WAF.
- Navigate to Allow Known Bots, and then use the toggle to enable the desired bot.
- There are a few trusted bots in this section that are allowed by default, which is one of the reasons why we recommend reviewing this list before enabling the WAF's Protect mode.
Step 6: Configure your API
If you plan to serve JSON requests through an API on your domain, then the WAF can be configured to disable the JavaScript Injection and Captcha functionalities for specified API URL paths.
To learn more, see Adding API Endpoints to the StackPath WAF.
Step 7: Edit DNS Records
In this step, you will modify your site's DNS records to point to the WAF and/or CDN. After you modify your DNS records, your site's traffic will begin passing through StackPath's network, which will allow the WAF to inspect all requests.
If your site is already connected to our CDN using a "Full Site Integration", then you may disregard this step and move on to Step 8.
- In the Dashboard section located in the StackPath Control Portal, in the left-side navigation menu, click Sites.
- Locate and select the desired site.
- In the left-side navigation menu, click Overview.
- Review the instructions in the portal, as well as the listed records to update.
Traffic will not begin passing through StackPath's network until the updated DNS records have fully propagated. To check propagation status, use a global DNS propagation checker, or query several public resolvers directly and confirm that each one returns the record listed in the portal.
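The following Python script is an added example, not StackPath's code: it shows the check a propagation tool performs, using a set of resolver answers in `dig +short` form. The target hostname, the old origin address and the sample answers are all constructed; the CNAME target is a placeholder, not a real StackPath hostname, and the live query helper assumes `dig` is installed. A resolver counts as propagated only when its answer contains one of the values listed in the portal and no longer contains the old origin address, since a cached A record for the origin means that resolver's clients still bypass the WAF.

```python
import subprocess
from typing import Dict, List, Set

# Values the portal would list for the site (constructed; placeholder target, not a StackPath name).
EXPECTED_TARGETS: Set[str] = {"www.example.com.edge.example-waf.net"}
OLD_ORIGIN = "203.0.113.10"  # constructed: where the old A record pointed

# Constructed `dig +short www.example.com @<resolver>` answers during a cutover.
SAMPLE_ANSWERS: Dict[str, List[str]] = {
    "8.8.8.8": ["www.example.com.edge.example-waf.net.", "192.0.2.61", "192.0.2.62"],
    "1.1.1.1": ["WWW.EXAMPLE.COM.EDGE.EXAMPLE-WAF.NET.", "192.0.2.61"],
    "9.9.9.9": ["203.0.113.10"],      # still serving the cached origin A record
    "208.67.222.222": [],             # no answer (NXDOMAIN, SERVFAIL or timeout)
}


def _norm(name: str) -> str:
    """DNS names are case-insensitive and dig prints them with a trailing dot."""
    return name.rstrip(".").lower()


def resolver_state(answer: List[str], expected: Set[str], old_origin: str) -> str:
    """Classify one resolver's answer as 'propagated', 'stale' or 'no-answer'."""
    if not answer:
        return "no-answer"
    values = {_norm(a) for a in answer}
    if _norm(old_origin) in values:
        return "stale"  # clients of this resolver still reach the origin directly
    return "propagated" if values & {_norm(e) for e in expected} else "stale"


def propagation_report(answers: Dict[str, List[str]], expected: Set[str], old_origin: str) -> Dict[str, str]:
    return {resolver: resolver_state(ans, expected, old_origin) for resolver, ans in answers.items()}


def fully_propagated(report: Dict[str, str]) -> bool:
    """Only switch to Protect mode once every resolver you care about is propagated."""
    return bool(report) and all(state == "propagated" for state in report.values())


def live_answer(hostname: str, resolver: str) -> List[str]:
    """Query one resolver with dig (assumed to be installed); returns the +short lines."""
    result = subprocess.run(
        ["dig", "+short", "+time=3", "+tries=1", hostname, f"@{resolver}"],
        capture_output=True, text=True, check=False,
    )
    return [line for line in result.stdout.splitlines() if line]


if __name__ == "__main__":
    report = propagation_report(SAMPLE_ANSWERS, EXPECTED_TARGETS, OLD_ORIGIN)
    for resolver, state in report.items():
        print(f"{resolver:<16} {state}")
    print("ready for Protect mode:", fully_propagated(report))
```

To run it live, replace `SAMPLE_ANSWERS` with `{r: live_answer("www.example.com", r) for r in resolvers}` for the resolvers your users actually use; a "stale" result after the old record's TTL has expired usually means the record was not changed at the authoritative nameserver.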
Step 8: Enable Protect Mode
- In the Dashboard section located in the StackPath Control Portal, in the left-side navigation menu, click Sites.
- Locate and select the desired site.
- In the left-side navigation menu, click WAF.
- Next to WAF Mode, in the drop-down menu, select Protect.
- With this action, the WAF will begin to inspect and act upon incoming requests.
Related Documentation
Once you have completed your WAF setup, be sure to review your WAF settings.
We also recommend whitelisting StackPath's CDN/WAF IP blocks on your internal firewall and/or with your hosting provider to prevent any unexpected errors.