# FlashEdge WAF (Web Application Firewall) tutorials

The FlashEdge Web Application Firewall is built into the FlashEdge CDN and helps protect your content and applications against common web threats, including Layer 7 (application layer) DDoS attacks, unwanted IP access, and traffic from undesired countries.

This feature is available under the **Firewall** tab for each distribution separately within the FlashEdge CDN console.

***

### Enabling Recommended Protection

Enable a curated set of Layer 7 protection rules designed to block the most common threats to web applications. This includes:

* Mitigate common web application vulnerabilities
* Prevent malicious actors from probing for weaknesses
* Block IP addresses associated with suspicious or harmful activity

Use this option to quickly apply a set of curated rules designed to block common web threats.

**How to enable:**

1. Go to your **distribution** in the FlashEdge CDN console.
2. Open the **Firewall** tab.
3. Check the **Enable Recommended Protection** option.

***

### Configuring Country Protection

Restrict or allow access to your distribution based on the origin country of incoming requests.

* Allow mode: Only selected countries will be allowed; all others will be blocked
* Block mode: Selected countries will be blocked; all others will be allowed

To configure, check Enable country protection and define the country list and mode.

**How to configure:**

1. Go to your **distribution** in the FlashEdge CDN console.
2. Open the **Firewall** tab.
3. Check the **Enable Country Protection** option.
4. Select your **mode** (Allow or Block).
5. Add the countries you want to allow or block.

***

### Configuring IP Address Protection

Manage access based on IP addresses. You can explicitly allow or block specific IPs or ranges.

* Allow mode: Only listed IP addresses are permitted
* Block mode: Listed IP addresses are denied access

To configure, check Enable IP address protection and add your rules accordingly.

**How to configure:**

1. Go to your **distribution** in the FlashEdge CDN console.
2. Open the **Firewall** tab.
3. Check the **Enable IP Address Protection** option.
4. Select your **mode** (Allow or Block).
5. Add the individual IPs or ranges as needed.
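Before turning on Allow or Block mode it is worth checking that the list you are about to enter does not lock out traffic you depend on (monitoring probes, partner systems, your own office range). The script below is an added example, not FlashEdge code: it applies the Allow/Block semantics described above to a constructed rule list and a constructed set of client IPs, using only the standard library.

```python
import ipaddress

# Constructed example: evaluate a proposed IP Address Protection list offline.
# Mode semantics follow the console description above:
#   allow -> only listed IPs/ranges are permitted, everything else is blocked
#   block -> listed IPs/ranges are denied, everything else is allowed

def parse_rules(entries):
    """Turn console-style entries ('203.0.113.7', '198.51.100.0/24') into networks.
    A bare address becomes a /32 (or /128 for IPv6)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def is_listed(ip, networks):
    """True if the client IP falls inside any listed address or range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def decision(mode, ip, networks):
    """Return 'allow' or 'block' for one client IP under the given mode."""
    if mode not in ("allow", "block"):
        raise ValueError("mode must be 'allow' or 'block'")
    listed = is_listed(ip, networks)
    if mode == "allow":
        return "allow" if listed else "block"
    return "block" if listed else "allow"

def preflight(mode, entries, must_reach):
    """Return the IPs from must_reach that the proposed rules would lock out,
    so the list can be corrected before the firewall is enabled."""
    nets = parse_rules(entries)
    return [ip for ip in must_reach if decision(mode, ip, nets) == "block"]

if __name__ == "__main__":
    rules = ["198.51.100.0/24", "203.0.113.7"]                # constructed entries
    clients = ["198.51.100.44", "203.0.113.7", "192.0.2.10"]  # constructed clients
    print("allow mode locks out:", preflight("allow", rules, clients))
    print("block mode locks out:", preflight("block", rules, clients))
```

In Allow mode every address not on the list is blocked, so the preflight surfaces exactly the clients you forgot to add; in Block mode it surfaces listed addresses you may still need.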

***

### Advanced description of the FlashEdge WAF recommended protection

#### Mitigate common web application vulnerabilities

This part of our FlashEdge recommended protection includes general-purpose protection for web applications from a wide range of common vulnerabilities, including many listed in the [OWASP Top 10](https://owasp.org/www-project-top-ten/). It's a good starting point for most use cases.

| Name                                 | Description                                                                                      |
| ------------------------------------ | ------------------------------------------------------------------------------------------------ |
| No User Agent HEADER                 | Checks for requests missing the User-Agent HTTP header.                                          |
| User Agent Bad Bots HEADER           | Detects bad bots using known User-Agent patterns like nessus or nmap.                            |
| Size Restrictions QUERYSTRING        | Flags query strings longer than 2,048 bytes.                                                     |
| Size Restrictions Cookie HEADER      | Flags cookie headers exceeding 10,240 bytes.                                                     |
| Size Restrictions BODY               | Flags request bodies over 8 KB (8,192 bytes).                                                    |
| Size Restrictions URIPATH            | Flags URI paths longer than 1,024 bytes.                                                         |
| EC2 MetaData SSRF BODY               | Detects EC2 metadata access attempts in the request body.                                        |
| EC2 MetaData SSRF COOKIE             | Detects EC2 metadata access attempts in cookies.                                                 |
| EC2 MetaData SSRF URIPATH            | Detects EC2 metadata access attempts in the URI path.                                            |
| EC2 MetaData SSRF QUERYARGUMENTS     | Detects EC2 metadata access attempts in query parameters.                                        |
| GenericLFI QUERYARGUMENTS            | Detects Local File Inclusion (LFI) patterns in query parameters, such as `../../`.               |
| GenericLFI URIPATH                   | Detects LFI attempts in the URI path.                                                            |
| GenericLFI BODY                      | Detects LFI patterns in the request body.                                                        |
| Restricted Extensions URIPATH        | Flags URI paths with unsafe file extensions like .log or .ini.                                   |
| Restricted Extensions QUERYARGUMENTS | Flags query arguments with risky file extensions.                                                |
| Generic RFI QUERYARGUMENTS           | Detects Remote File Inclusion (RFI) attempts using URLs with IPv4 addresses in query parameters. |
| Generic RFI BODY                     | Detects RFI patterns in the request body using embedded URLs with IPv4 hosts.                    |
| Generic RFI URIPATH                  | Detects RFI attempts in the URI path using URL-based payloads.                                   |
| CrossSiteScripting COOKIE            | Detects cross-site scripting (XSS) patterns in cookie values.                                    |
| CrossSiteScripting QUERYARGUMENTS    | Detects common XSS patterns in query arguments.                                                  |
| CrossSiteScripting BODY              | Detects XSS patterns in the request body, such as `<script>alert("hello")</script>`.             |
| CrossSiteScripting URIPATH           | Detects XSS patterns in the URI path.                                                            |
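The size limits and User-Agent checks in the table are the rules most likely to catch legitimate traffic (large form posts, long search queries, deep URL paths). The following is an added example, not FlashEdge code, that reproduces those thresholds so you can run representative requests from your own application through them before enabling Recommended Protection. The request shape (URL, header dict, body bytes) is an assumption of the example.

```python
from urllib.parse import urlsplit

# Constructed example: thresholds copied from the rule table above.
LIMITS = {
    "querystring": 2048,   # bytes
    "cookie": 10240,       # bytes, value of the Cookie header
    "body": 8192,          # bytes
    "uripath": 1024,       # bytes
}
BAD_BOT_TOKENS = ("nessus", "nmap")   # User-Agent patterns named in the table

def check_request(url, headers, body=b""):
    """Return the names of the table rules this request would trigger
    (empty list means the request passes these checks)."""
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    ua = hdrs.get("user-agent", "")
    if not ua:
        findings.append("No User Agent HEADER")
    elif any(tok in ua.lower() for tok in BAD_BOT_TOKENS):
        findings.append("User Agent Bad Bots HEADER")
    parts = urlsplit(url)
    # sizes are measured in bytes, not characters, so encode first
    if len(parts.query.encode()) > LIMITS["querystring"]:
        findings.append("Size Restrictions QUERYSTRING")
    if len(hdrs.get("cookie", "").encode()) > LIMITS["cookie"]:
        findings.append("Size Restrictions Cookie HEADER")
    if len(body) > LIMITS["body"]:
        findings.append("Size Restrictions BODY")
    if len(parts.path.encode()) > LIMITS["uripath"]:
        findings.append("Size Restrictions URIPATH")
    return findings

if __name__ == "__main__":
    # constructed sample requests: a normal search and a 9 KB upload
    print(check_request("https://example.com/search?q=flashedge",
                        {"User-Agent": "Mozilla/5.0", "Cookie": "session=abc"}))
    print(check_request("https://example.com/api/upload",
                        {"User-Agent": "Mozilla/5.0"}, body=b"x" * 9000))
```

The second sample shows the practical caveat: any endpoint that accepts bodies above 8 KB will be flagged by the BODY size rule, so test such endpoints before relying on the recommended set.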


#### Prevent malicious actors from probing for weaknesses

This part blocks suspicious request patterns that are commonly used to find or exploit vulnerabilities, reducing the risk of attacks on your application.

| Name                                 | Description and Label                                                                                                                                                                                                 |
| ------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Java Deserialization RCE             | Checks request headers for patterns related to Java deserialization RCE attempts, such as known Spring vulnerabilities. Example: (java.lang.Runtime).getRuntime().exec("whoami"). Inspects up to 8 KB or 200 headers. |
| Java Deserialization RCE BODY        | Checks the request body for Java deserialization RCE attempts, including Spring Core and Cloud Function vulnerabilities. Inspects up to the configured body size limit.                                               |
| Java Deserialization RCE URIPATH     | Scans the URI path for signs of Java deserialization RCE attempts.                                                                                                                                                    |
| Java Deserialization RCE QUERYSTRING | Scans the query string for Java deserialization RCE exploit patterns.                                                                                                                                                 |
| Host localhost HEADER                | Detects use of localhost in the request host header.                                                                                                                                                                  |
| PROPFIND METHOD                      | Flags requests using the PROPFIND HTTP method, often used to probe or exfiltrate XML data.                                                                                                                            |
| Exploitable Paths URIPATH            | Detects access attempts to risky application paths like web-inf.                                                                                                                                                      |
| Log4J RCE HEADER                     | Inspects headers for Log4j RCE attempts (`${jndi:ldap://...}`) linked to known CVEs.                                                                                                                                  |
| Log4J RCE QUERYSTRING                | Scans the query string for Log4j RCE exploit patterns.                                                                                                                                                                |
| Log4J RCE BODY                       | Scans the request body for Log4j vulnerability attempts.                                                                                                                                                              |
| Log4J RCE URIPATH                    | Scans the URI path for Log4j RCE patterns like `${jndi:...}`.                                                                                                                                                         |

#### Block IP addresses associated with suspicious or harmful activity

Checks for IP addresses known to be involved in malicious activity. The list is built using multiple threat intelligence sources, including Amazon’s MadPot system. [Learn more about MadPot](https://www.aboutamazon.com/news/aws/amazon-madpot-stops-cybersecurity-crime).

