How to create a WAF rule set

Web Application Firewall (WAF) allows you to create rule sets regarding possible threat types. You can set these rule sets on Rules Engine for Edge Firewall to execute their behaviors.

This guide will create a rule set to block threats from the SQL Injection family to prevent attacks that attempt a select query, for example. After creating an edge firewall and activating the WAF module, follow the steps described next.

Access Azion Console > WAF Rules.
Click the + WAF Rule button.
On the Name field, give your WAF rule set a unique and easy-to-remember name. In this case, SQL Injection rule set.
On the Threat Type Configuration section, look for the SQL Injection option.
Choose the Sensitivity option High for this threat so WAF doesn’t allow requests considered as an SQL Injection threat.
Make sure the Active switch is enabled.
Click the Save button.

Repeat this process with other types of threats to which you want to create a rule set.

Now, you need to apply the rule set you’ve created in Rules Engine. To do so:

Still on Azion Console, go to Edge Firewall.
Select the edge firewall you want to apply the new rule.
Select the Rules Engine tab.
Click the + Rule button.
Give your rule a name and, optionally, a description.
In the Criteria section, select the Request Args variable.
As a comparison operator, select matches.
As an argument, add content-type=select.
In the Behaviors section, select Set WAF Rule Set.
As arguments:
- On the first dropdown menu, select the rule set you want to use. In this case, SQL Injection rule set.
- On the second dropdown menu, select the mode you want Edge Firewall to operate on: Learning or Blocking. In this case, Blocking.
Click the Save button.

Access Real-Time Manager (RTM) > WAF Rules.
Click the Add WAF button.
On the Main Settings tab, give your WAF rule set a unique and easy-to-remember name. In this case, SQL Injection rule set.
On the Threat Type Configuration section, look for the SQL Injection option.
Choose the Sensitivity option High for this threat so WAF doesn’t allow requests considered as an SQL Injection threat.
Make sure the Active switch is enabled.
Click the Save button.

Repeat this process with other types of threats to which you want to create a rule set.

Now, you need to apply the rule set you’ve created in Rules Engine. To do so:

Still on RTM, go to Edge Firewall.
Select the edge firewall you want to apply the new rule.
Select the Rules Engine tab.
Click the New Rule button.
Give your rule a name and, optionally, a description.
In the Criteria section, select the Request Args variable.
As a comparison operator, select matches.
As an argument, add content-type=select.
In the Behaviors section, select Set WAF Rule Set.
As arguments:
- On the first dropdown menu, select the rule set you want to use. In this case, SQL Injection rule set.
- On the second dropdown menu, select the mode you want Edge Firewall to operate on: Learning or Blocking. In this case, Blocking.
Click the Save button.

Run the following POST request to create a rule, replacing [TOKEN VALUE] with your personal token:

curl --location 'https://api.azionapi.net/waf/rulesets' \
--header 'Accept: application/json; version=3' \
--header 'Authorization: Token [TOKEN VALUE]' \
--header 'Content-Type: application/json' \
--data '{
    "name": "SQL Injection rule set",
    "mode": "blocking",
    "active": true,
    "sql_injection": true,
    "sql_injection_sensitivity": "high",
    "bypass_addresses": []
}'

You’ll receive a response similar to this:

{
  "id": 6421,
  "name": "SQL Injection rule set",
  "mode": "counting",
  "active": true,
  "sql_injection": true,
  "sql_injection_sensitivity": "high",
  "remote_file_inclusion": true,
  "remote_file_inclusion_sensitivity": "medium",
  "directory_traversal": true,
  "directory_traversal_sensitivity": "medium",
  "cross_site_scripting": true,
  "cross_site_scripting_sensitivity": "medium",
  "evading_tricks": true,
  "evading_tricks_sensitivity": "medium",
  "file_upload": true,
  "file_upload_sensitivity": "medium",
  "unwanted_access": true,
  "unwanted_access_sensitivity": "medium",
  "identified_attack": true,
  "identified_attack_sensitivity": "medium",
  "bypass_addresses": []
}

Copy the id value.
Run the following POST request to create a rule, replacing [TOKEN VALUE] with with your personal token, the <edge_firewall_id> variable with your edge firewall id value, and <waf_rule_set_id> with the id you copied:

curl --location 'https://api.azionapi.net/edge_firewall/<edge_firewall_id>/rules_engine' \
--header 'Accept: application/json; version=3' \
--header 'Authorization: Token azion5c2ecd92839e59b0cca662ada47b7382706' \
--header 'Content-Type: application/json' \
--data '{
    "name": "SQL Injection rule",
    "is_active": true,
    "behaviors": [
        {
            "name": "set_waf_ruleset",
            "argument": "<waf_rule_set_id>"
        }
    ],
    "criteria": [
        [
            {
                "variable": "request_args",
                "operator": "matches",
                "conditional": "if",
                "argument": "content-type=select"
            }
        ]
    ]
}'

Key	Description
`name`	Name of the rule
`behaviors`	Array that stores objects defining behaviors
`criteria`	Array that stores objects defining criteria

See the Azion API documentation to find out more about criteria and behavior objects.

You’ll receive the following response:

{
  "results": {
    "name": "SQL Injection rule",
    "is_active": true,
    "behaviors": [
      {
        "name": "set_waf_ruleset",
        "argument": "6421"
      }
    ],
    "criteria": [
      [
        {
          "variable": "request_args",
          "operator": "matches",
          "conditional": "if",
          "argument": "content-type=select"
        }
      ]
    ],
    "last_modified": "2023-12-01T21:43:14.580949Z",
    "last_editor": "user@email.com",
    "id": 28735,
    "order": 4
  },
  "schema_version": 3
}

Wait a few minutes for the changes to propagate.