FlashEdge WAF (Web Application Firewall) tutorials
The FlashEdge Web Application Firewall is built into the FlashEdge CDN and helps protect your content and applications against common web threats, including Layer 7 (application layer) DDoS attacks, unwanted IP access, and traffic from undesired countries.
This feature is available under the Firewall tab for each distribution separately within the FlashEdge CDN console.
Enabling Recommended Protection
Enable a curated set of Layer 7 protection rules designed to block the most common threats to web applications. The rules fall into three groups:
· Mitigate common web application vulnerabilities
· Prevent malicious actors from probing for weaknesses
· Block IP addresses associated with suspicious or harmful activity
Use this option to quickly apply a set of curated rules designed to block common web threats.
How to enable:
1. Go to your distribution in the FlashEdge CDN console.
2. Open the Firewall tab.
3. Check the Enable Recommended Protection option.
Configuring Country Protection
Restrict or allow access to your distribution based on the origin country of incoming requests.
Allow mode: Only selected countries will be allowed; all others will be blocked
Block mode: Selected countries will be blocked; all others will be allowed
To configure, check Enable Country Protection, then define the mode and the country list.
How to configure:
1. Go to your distribution in the FlashEdge CDN console.
2. Open the Firewall tab.
3. Check the Enable Country Protection option.
4. Select your mode (Allow or Block).
5. Add the countries you want to allow or block.
Configuring IP Address Protection
Manage access based on IP addresses. You can explicitly allow or block specific IPs or ranges.
Allow mode: Only listed IP addresses are permitted
Block mode: Listed IP addresses are denied access
To configure, check Enable IP Address Protection, then select the mode and add your IP rules.
How to configure:
1. Go to your distribution in the FlashEdge CDN console.
2. Open the Firewall tab.
3. Check the Enable IP Address Protection option.
4. Select your mode (Allow or Block).
5. Add the individual IPs or ranges as needed.
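Before switching to Allow mode, it helps to check that the planned list does not lock out addresses that must keep working (office egress, monitoring probes). The following is an added example, not FlashEdge code: the function names are hypothetical, CIDR notation for ranges is an assumption, and the addresses are constructed documentation-range samples.

```python
import ipaddress


def is_permitted(client_ip, mode, entries):
    """Allow mode: only listed addresses pass. Block mode: listed addresses are denied."""
    ip = ipaddress.ip_address(client_ip)
    # Accept single IPs and CIDR ranges alike (CIDR syntax is an assumption).
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    listed = any(ip.version == n.version and ip in n for n in nets)
    if mode == "allow":
        return listed
    if mode == "block":
        return not listed
    raise ValueError(f"unknown mode: {mode!r}")


def lockout_report(mode, entries, must_reach):
    """Return the must-reach addresses that the planned rule set would deny."""
    return [ip for ip in must_reach if not is_permitted(ip, mode, entries)]


# Constructed sample plan: one office range and one monitoring host.
PLANNED_ENTRIES = ["203.0.113.0/24", "198.51.100.7"]
# Constructed addresses that must keep access after the change.
MUST_REACH = ["203.0.113.10", "198.51.100.8", "2001:db8::1"]

if __name__ == "__main__":
    for mode in ("allow", "block"):
        print(mode, "would deny:", lockout_report(mode, PLANNED_ENTRIES, MUST_REACH))
```

In Allow mode the IPv6 address is denied as well, because nothing on the list covers it; dual-stack clients need entries for both address families.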
Advanced description of the FlashEdge WAF recommended protection
Mitigate common web application vulnerabilities
| Name | Description |
| --- | --- |
| No User Agent HEADER | Checks for requests missing the User-Agent HTTP header. |
| User Agent Bad Bots HEADER | Detects bad bots using known User-Agent patterns like nessus or nmap. |
| Size Restrictions QUERYSTRING | Flags query strings longer than 2,048 bytes. |
| Size Restrictions Cookie HEADER | Flags cookie headers exceeding 10,240 bytes. |
| Size Restrictions BODY | Flags request bodies over 8 KB (8,192 bytes). |
| Size Restrictions URIPATH | Flags URI paths longer than 1,024 bytes. |
| EC2 MetaData SSRF BODY | Detects EC2 metadata access attempts in the request body. |
| EC2 MetaData SSRF COOKIE | Detects EC2 metadata access attempts in cookies. |
| EC2 MetaData SSRF URIPATH | Detects EC2 metadata access attempts in the URI path. |
| EC2 MetaData SSRF QUERYARGUMENTS | Detects EC2 metadata access attempts in query parameters. |
| GenericLFI QUERYARGUMENTS | Detects Local File Inclusion (LFI) patterns in query parameters, such as `../../`. |
| GenericLFI URIPATH | Detects LFI attempts in the URI path. |
| GenericLFI BODY | Detects LFI patterns in the request body. |
| Restricted Extensions URIPATH | Flags URI paths with unsafe file extensions like `.log` or `.ini`. |
| Restricted Extensions QUERYARGUMENTS | Flags query arguments with risky file extensions. |
| Generic RFI QUERYARGUMENTS | Detects Remote File Inclusion (RFI) attempts using URLs with IPv4 addresses in query parameters. |
| Generic RFI BODY | Detects RFI patterns in the request body using embedded URLs with IPv4 hosts. |
| Generic RFI URIPATH | Detects RFI attempts in the URI path using URL-based payloads. |
| CrossSiteScripting COOKIE | Detects cross-site scripting (XSS) patterns in cookie values. |
| CrossSiteScripting QUERYARGUMENTS | Detects common XSS patterns in query arguments. |
| CrossSiteScripting BODY | Detects XSS patterns in the request body, such as `<script>alert("hello")</script>`. |
| CrossSiteScripting URIPATH | Detects XSS patterns in the URI path. |
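The size and header rules above can flag legitimate traffic (health checkers that send no User-Agent, uploads over 8 KB), so it is worth replaying your own requests against the documented thresholds before enabling the rule set. The following is an added example, not FlashEdge code: it models only the thresholds and the two patterns named in the table, not the WAF's matching engine, and the function name and sample requests are constructed.

```python
from urllib.parse import urlsplit

# Byte thresholds copied from the table above.
LIMITS = {
    "Size Restrictions QUERYSTRING": 2048,
    "Size Restrictions Cookie HEADER": 10240,
    "Size Restrictions BODY": 8192,
    "Size Restrictions URIPATH": 1024,
}
BAD_BOT_TOKENS = ("nessus", "nmap")        # the two patterns the table names
RESTRICTED_EXTENSIONS = (".log", ".ini")   # the two extensions the table names


def rules_likely_to_flag(url, headers, body=b""):
    """Return the documented rule names this request would probably trip."""
    parts = urlsplit(url)
    hdrs = {k.lower(): v for k, v in headers.items()}
    hits = []
    ua = hdrs.get("user-agent")
    if ua is None:
        hits.append("No User Agent HEADER")
    elif any(tok in ua.lower() for tok in BAD_BOT_TOKENS):
        hits.append("User Agent Bad Bots HEADER")
    sizes = {
        "Size Restrictions QUERYSTRING": len(parts.query.encode()),
        "Size Restrictions Cookie HEADER": len(hdrs.get("cookie", "").encode()),
        "Size Restrictions BODY": len(body),
        "Size Restrictions URIPATH": len(parts.path.encode()),
    }
    hits += [name for name, size in sizes.items() if size > LIMITS[name]]
    if parts.path.lower().endswith(RESTRICTED_EXTENSIONS):
        hits.append("Restricted Extensions URIPATH")
    return hits


# Constructed sample traffic: a health checker without User-Agent, an upload
# larger than 8 KB, and an ordinary browser request.
SAMPLES = [
    ("/healthz", {}, b""),
    ("/api/upload", {"User-Agent": "app/1.0"}, b"x" * 9000),
    ("/index.html?q=1", {"User-Agent": "Mozilla/5.0"}, b""),
]

if __name__ == "__main__":
    for url, headers, body in SAMPLES:
        print(url, rules_likely_to_flag(url, headers, body))
```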
Prevent malicious actors from probing for weaknesses
These rules block suspicious request patterns often used to find or exploit vulnerabilities, which helps reduce the risk of attacks on your application.
| Name | Description and Label |
| --- | --- |
| Java Deserialization RCE | Checks request headers for patterns related to Java deserialization RCE attempts, such as known Spring vulnerabilities. Example: `(java.lang.Runtime).getRuntime().exec("whoami")`. Inspects up to 8 KB or 200 headers. |
| Java Deserialization RCE BODY | Checks the request body for Java deserialization RCE attempts, including Spring Core and Cloud Function vulnerabilities. Inspects up to the configured body size limit. |
| Java Deserialization RCE URIPATH | Scans the URI path for signs of Java deserialization RCE attempts. |
| Java Deserialization RCE QUERYSTRING | Scans the query string for Java deserialization RCE exploit patterns. |
| Host localhost HEADER | Detects use of localhost in the request host header. |
| PROPFIND METHOD | Flags requests using the PROPFIND HTTP method, often used to probe or exfiltrate XML data. |
| Exploitable Paths URIPATH | Detects access attempts to risky application paths like web-inf. |
| Log4J RCE HEADER | Inspects headers for Log4j RCE attempts (`${jndi:ldap://...}`) linked to known CVEs. |
| Log4J RCE QUERYSTRING | Scans the query string for Log4j RCE exploit patterns. |
| Log4J RCE BODY | Scans the request body for Log4j vulnerability attempts. |
| Log4J RCE URIPATH | Scans the URI path for Log4j RCE patterns like `${jndi:...}`. |
Block IP addresses associated with suspicious or harmful activity