Web Application Firewall (WAF)

WAF Insights does not support automation via our REST API web service. If you are currently using WAF Insights, upgrade your WAF solution to take advantage of our REST API.

The following endpoints automate the administration of WAF.

Type

Description

Security Application Manager

A Security Application Manager configuration:

Identifies the set of traffic to which it applies by hostname, a URL path, or both.
Defines how threats will be detected via access rules, custom rules, managed rules, and rate rules.

If one or more condition group(s) have been defined within a rate rule, then traffic will only be rate limited when it also satisfies at least one of those condition groups.
Defines the production and/or audit enforcement action that will be applied to traffic identified as threats.

Endpoints:

Access Rules

An access rule identifies valid requests and threats via whitelists, accesslists, and blacklists.

Endpoints:

Bot Rule Sets

A bot rule set contains one or more bot rules. Each bot rule defines the set of requests that will require a client (e.g., a web browser) to solve a challenge before resolving the request.

Endpoints:

Rate Rules

A rate rule determines the maximum number of requests that will be allowed within a given time period.

Endpoints:

Custom Rule Sets

A custom rule set defines custom threat assessment criterion.

Endpoints:

Managed Rules

A managed rule identifies a rule set configuration and describes a valid request.

Endpoints:

Threats Event Log

The following endpoints retrieve WAF threat event log information:

Endpoint	Description
Get Available Event Log Fields	Provides definitions for event log fields.
Get Event Count	Indicates the total number of threats detected over a given time period.
Get Event Log Entries	Retrieves event log data over a given time period.
Get Event Log Entry	Retrieves detailed information for a specific event log entry.
Get Top Event Log Entries	Retrieves the top 10 events for the specified field.

Rates Event Log

The following endpoints retrieve event log information on rate limited requests:

Endpoint	Description
Get Available Event Log Fields	Retrieves a list of the available event log fields.
Get Event Log Entries	Retrieves event log information for a set of rate limited requests.
Get Event Log Entry	Retrieves event log information for a specific rate limited request.
Get Event Log Entry Count	Indicates the total number of rate limited requests that meet the specified criteria.
Get Top Event Log Entries	Indicates the type of records that are most frequently rate limited.

Responsive Threat Mitigation

Although the above endpoints may be used to automate many different aspects of WAF configuration, the primary purpose of these endpoints is to provide the means to automatically update it to adapt to a changing threat landscape.

The basic workflow for automated threat mitigation is:

	Phase	Description
1	Threat Detection	A noticeable increase in malicious threats to your site is detected. This increase may be detected by using one or more of the following tools: Third-party Application: A third-party application (e.g., Nagios or Splunk) may be used to detect unusual network conditions that might be indicative of an application layer attack. Real-time Alerts: The Real-Time Alerts component of the Real-Time Statistics feature provides notifications when certain network conditions (e.g., bandwidth usage, total traffic, traffic by status code, etc.) are detected.
2	Threat Identification	Analyze traffic patterns to identify the source of the malicious attack. Example: For example, a sudden increase in traffic from a single IP address may be indicative of a malicious bot. If WAF is currently configured to audit traffic instead of blocking it, this may be detected by analyzing the response for the Get Top Event Log Entries endpoint. A sample request that returns the top IP addresses that are generating traffic to your origin servers is shown below. GET https://api.transactcdn.com/v2/mcc/customers/0001/waf/eventlogs/top?field=Client%20IP&start_time=2016-02-23&end_time=2016-02-24 HTTP/1.1
3	Threat Mitigation	Update each relevant configuration so that it automatically detects and blocks the source of this application layer attack. Validate that a change will not negatively impact production traffic by auditing traffic using the desired configuration. Configure how traffic will be audited by defining acl_audit_id, profile_audit_id, and rules_audit_id within the desired Security Application Manager configuration via the Manage All Security Application Manager Configurations (Scopes) endpoint. These properties identify how traffic will be audited via an access control list configuration, request profile, and a custom rule set, respectively. The recommended method for updating your configuration via a script is described below. Identify each configuration that requires an update by performing the following steps: Identify the set of rules (e.g., access rules, managed rules, and custom rule sets) that require updating. Request the Get All Security Application Manager Configurations (Scopes) endpoint. Find all instances of the rules identified in step i: Production acl_prod_id \| profile_prod_id \| rules_prod_id Audit acl_audit_id \| profile_audit_id \| rules_audit_id Although malicious traffic may only be directed to one site, it may make sense to apply the same configuration (e.g., blacklisting an IP address) to all of your sites. Retrieve those configurations via one of the following endpoints: Get Access Rule (ACL) Get Custom Rule Set Get Managed Rule (Profile) Modify the response from the above endpoint to allow WAF to identify the source of this malicious traffic. For example, if an IP address is identified as the source of malicious traffic, then add that IP address to the blacklist: ... "ip" : { "accesslist" : [], "blacklist" : ["104.255.65.0\/22", "169.54.233.10"], "whitelist" : [] }, ... Update the desired configuration via one of the following endpoints: Update Access Rule (ACL) Update Custom Rule Set Update Managed Rule (Profile)

Phase

Description

Threat Detection

A noticeable increase in malicious threats to your site is detected.

This increase may be detected by using one or more of the following tools:

Third-party Application: A third-party application (e.g., Nagios or Splunk) may be used to detect unusual network conditions that might be indicative of an application layer attack.
Real-time Alerts: The Real-Time Alerts component of the Real-Time Statistics feature provides notifications when certain network conditions (e.g., bandwidth usage, total traffic, traffic by status code, etc.) are detected.

Threat Identification

Analyze traffic patterns to identify the source of the malicious attack.

Example:

For example, a sudden increase in traffic from a single IP address may be indicative of a malicious bot. If WAF is currently configured to audit traffic instead of blocking it, this may be detected by analyzing the response for the Get Top Event Log Entries endpoint.

A sample request that returns the top IP addresses that are generating traffic to your origin servers is shown below.

GET https://api.transactcdn.com/v2/mcc/customers/0001/waf/eventlogs/top?field=Client%20IP&start_time=2016-02-23&end_time=2016-02-24 HTTP/1.1

Threat Mitigation

Update each relevant configuration so that it automatically detects and blocks the source of this application layer attack.

Validate that a change will not negatively impact production traffic by auditing traffic using the desired configuration. Configure how traffic will be audited by defining acl_audit_id, profile_audit_id, and rules_audit_id within the desired Security Application Manager configuration via the Manage All Security Application Manager Configurations (Scopes) endpoint. These properties identify how traffic will be audited via an access control list configuration, request profile, and a custom rule set, respectively.

The recommended method for updating your configuration via a script is described below.

Identify each configuration that requires an update by performing the following steps:
1. Identify the set of rules (e.g., access rules, managed rules, and custom rule sets) that require updating.
2. Request the Get All Security Application Manager Configurations (Scopes) endpoint.
3. Find all instances of the rules identified in step i:
  - Production
    
    acl_prod_id | profile_prod_id | rules_prod_id
  - Audit
    
    acl_audit_id | profile_audit_id | rules_audit_id
Although malicious traffic may only be directed to one site, it may make sense to apply the same configuration (e.g., blacklisting an IP address) to all of your sites.
Retrieve those configurations via one of the following endpoints:
Modify the response from the above endpoint to allow WAF to identify the source of this malicious traffic.

For example, if an IP address is identified as the source of malicious traffic, then add that IP address to the blacklist:

...

"ip" : {

"accesslist" : [],

"blacklist" : ["104.255.65.0\/22", "169.54.233.10"],

"whitelist" : []

},

...
Update the desired configuration via one of the following endpoints: