Edge Firewall
Azion Edge Firewall is a security product that protects your servers and applications from the network layer to the application layer. With Edge Firewall, you can configure protection against all types of threats and attacks, all in a single place.
Advantages of using Edge Firewall:
- Low-latency access, requests and responses.
- Keeps attackers away from your origin/server by processing and blocking unwanted requests on the Azion Edge Network, before they reach your infrastructure.
- Highly programmable, modular, and extendible.
- Creation of allowlists, blocklists, and greylists based on IP/CIDR address, ASN, or user location (geolocation).
- Protection of applications from the Tor network and other malicious traffic sources, including botnets, malware, proxies, and others.
- Access rate limitation to applications using complex criteria and multiple buckets.
- Mitigation of Denial of Service (DoS and DDoS) attacks.
- Protection against OWASP Top 10 threats and others.
- Implementation of bot mitigation techniques, including blocklists, fingerprints, tampering protection, brute force prevention, advanced rate limiting, human challenge, and others.
- Integration of Azion curated functions or third-party software in Edge Firewall for extended functionalities, such as IP reputation, fingerprinting, JSON Web Tokens (JWT), credential stuffing, account takeover, price scraping, contact scraping, and others.
For more details on how the product is billed, see the pricing page.
Implementation
Scope | Source |
---|---|
Main settings | How to configure main settings |
Update Edge Firewall | How to update your Edge Firewall |
Create network lists | How to create IP blocklists with Network Layer Protection |
WAF Mode | How to check your WAF mode |
How Azion Edge Firewall works
By using Azion as your Edge Computing platform, you can create security settings on Edge Firewall to protect your applications. Each edge firewall is a set of rules that is applied to the domains of your applications.
An edge firewall consists of an identification name, the application domains it should be applied to, the modules that are enabled, and the security rules configured in the Rules Engine tab.
Go to configure main settings guide
Rules Engine for Edge Firewall
After activating the modules you want, you must configure your security rules in the Rules Engine tab. The rules run sequentially until one of them blocks or restricts the request, or until all rules have been processed, at which point the request is released. The request only passes on to your edge application if none of your Edge Firewall rules block or reject it, so malicious requests never reach your application.
Each rule is made of Criteria (conditions) and Behaviors (actions). The Behaviors run only if all the Criteria are met. For example, you can create a rule that blocks requests from IPs in a blocklist, and exclude from it the IPs in your allowlist by adding a second criterion. In this example, "Deny" is the Behavior, and "the request's IP is in the blocklist AND is not in the allowlist" is the Criteria. Because evaluation stops at the first blocking rule, the order of your rules matters: a rule placed earlier in the list takes precedence over a later one.
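The evaluation model described above (ordered rules, each a conjunction of criteria with a behavior, first Deny/Drop wins, release if nothing matches), as an added example written for this page; it is not Azion's code and does not use the Azion API. The network lists, the rule set, the `is`/`is_not` operator names, and the sliding-window model of the Set Rate Limit behavior are assumptions chosen to illustrate the blocklist-minus-allowlist pattern from the paragraph above.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed network lists (hypothetical values, RFC 5737/6996 ranges, not real data).
# Note that 198.51.100.10 is inside the "known_bad" range AND on the allowlist.
NETWORK_LISTS = {
    "corp_allowlist":    {"type": "ip_cidr",   "entries": ["203.0.113.0/24", "198.51.100.10"]},
    "known_bad":         {"type": "ip_cidr",   "entries": ["198.51.100.0/24", "192.0.2.7"]},
    "hosting_asn":       {"type": "asn",       "entries": [64496, 64497]},
    "blocked_countries": {"type": "countries", "entries": ["XX"]},
}


@dataclass
class Request:
    client_ip: str
    asn: int
    country: str
    host: str
    uri: str


def in_network_list(req: Request, name: str) -> bool:
    """'Network' criterion: is the client in the named list (by CIDR, ASN or country)?"""
    nl = NETWORK_LISTS[name]
    if nl["type"] == "ip_cidr":
        ip = ipaddress.ip_address(req.client_ip)
        # strict=False lets a bare host address like "192.0.2.7" act as a /32.
        return any(ip in ipaddress.ip_network(e, strict=False) for e in nl["entries"])
    if nl["type"] == "asn":
        return req.asn in nl["entries"]
    return req.country in nl["entries"]


def criterion_matches(req: Request, variable: str, op: str, value: str) -> bool:
    """One criterion = (variable, operator, value). 'is_not' negates the match."""
    if variable == "network":
        hit = in_network_list(req, value)
    elif variable == "hostname":
        hit = req.host == value
    elif variable == "request_uri":
        hit = req.uri.startswith(value)
    else:
        raise ValueError(f"unknown criterion variable: {variable}")
    return hit if op == "is" else not hit


class RateLimiter:
    """Sliding-window counter with one bucket per key (assumed model of 'Set Rate Limit')."""

    def __init__(self, limit: int, window_s: float):
        self.limit, self.window = limit, window_s
        self.buckets = defaultdict(list)

    def allow(self, key: str, now: float) -> bool:
        recent = [t for t in self.buckets[key] if now - t < self.window]
        recent.append(now)
        self.buckets[key] = recent
        return len(recent) <= self.limit


# Ordered rule set. Rule 1 is the "blocklist minus allowlist" example from the text:
# it only fires when the client is in known_bad AND NOT in corp_allowlist.
RULES = [
    {"criteria": [("network", "is", "known_bad"), ("network", "is_not", "corp_allowlist")],
     "behavior": "deny"},
    {"criteria": [("network", "is", "blocked_countries")], "behavior": "deny"},
    {"criteria": [("network", "is", "hosting_asn")], "behavior": "drop"},
    {"criteria": [("request_uri", "is", "/login")], "behavior": "rate_limit"},
]
LOGIN_LIMITER = RateLimiter(limit=3, window_s=60)


def evaluate(req: Request, now: float = 0.0) -> str:
    """Walk the rules in order; stop at the first blocking behavior, else release."""
    for rule in RULES:
        if all(criterion_matches(req, *c) for c in rule["criteria"]):
            behavior = rule["behavior"]
            if behavior in ("deny", "drop"):
                return behavior          # 403 Forbidden / close without response
            if behavior == "rate_limit" and not LOGIN_LIMITER.allow(req.client_ip, now):
                return "rate_limited"    # over budget: restrict; otherwise keep evaluating
    return "allow"                       # no rule blocked it: pass to the edge application


if __name__ == "__main__":
    print(evaluate(Request("198.51.100.5", 64500, "BR", "www.example.com", "/")))   # deny
    print(evaluate(Request("198.51.100.10", 64500, "BR", "www.example.com", "/")))  # allow
    print(evaluate(Request("203.0.113.9", 64496, "US", "www.example.com", "/")))    # drop
```

The allowlisted address inside the bad range is released because the first rule's second criterion fails, not because an "allow" behavior exists: in this model, as in the page's description, release is only what happens when no rule blocks. Put the most specific deny rules first, and keep the rate-limit rule last so that blocked clients never consume bucket capacity.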
Go to Rules Engine reference
Go to work with rules engine guide
The Criteria and Behaviors available in Edge Firewall depend on the modules you have enabled in the edge firewall main configuration. Here is the list of Criteria and Behaviors available to each Edge Firewall module:
Module | Criteria | Behavior |
---|---|---|
Edge Functions | Hostname, Request URI, Scheme, Client Certificate Validation | Deny (403 Forbidden), Drop (Close Without Response), Set Rate Limit |
Network Layer Protection | Hostname, Network, Request URI, Scheme, Client Certificate Validation | Deny (403 Forbidden), Drop (Close Without Response), Set Rate Limit |
Web Application Firewall | Header Accept, Header Accept-Encoding, Header Accept-Language, Header Cookie, Header Origin, Header Referer, Header User Agent, Hostname, Request Args, Request Method, Request URI, Scheme, Client Certificate Validation | Deny (403 Forbidden), Drop (Close Without Response), Set Rate Limit, Set WAF Rule Set |
About Edge Firewall modules
DDoS Protection
The DDoS Protection module protects your content and applications against Distributed Denial of Service (DDoS) attacks. It detects attacks with algorithms that run on Azion's distributed network, which is connected to several mitigation centers so that mitigation holds during large-scale attacks, at both the network and application levels.
Go to DDoS Protection reference
Edge Functions
Edge Functions are components of the Azion Edge Computing Platform that let you add serverless functions to your edge applications or edge firewall configurations. They run closer to the end user, offloading work from your infrastructure while providing the agility and scalability your business needs. You can choose a ready-to-use function or write your own.
Go to Edge Functions for Edge Firewall reference
Go to instantiate edge functions guide
Network Layer Protection
This module lets you filter traffic by IP/CIDR address, ASN, or country (geolocation). You configure Network Lists with the addresses, ASNs, or countries of interest, then write rules in your Edge Firewall configuration whose Criteria test membership in those lists and whose Behaviors block or release the request as needed.
Go to Network Layer Protection reference
Origin Shield Add-on
With the Origin Shield add-on, you can create a security perimeter around your origin infrastructure, whether it is a cloud provider, a hosting service, or your own data center. You restrict your origin so that only a specific set of IP addresses on Azion's network can reach it, and requests from any other address are blocked. This prevents attackers from bypassing Edge Firewall by connecting to the origin directly.
Go to Origin Shield reference
Web Application Firewall
Azion Web Application Firewall (WAF) protects your applications against threats such as SQL Injection, Remote File Inclusion (RFI), Cross-Site Scripting (XSS), and many others. The WAF analyses HTTP and HTTPS requests and detects and blocks threats before they can reach your infrastructure or affect your application's performance.
It works at layer 7, the application level, and is based on scoring. Each request is compared against a detailed set of application patterns; each matching pattern contributes to a score for a given threat family. Depending on the score the request reaches in each family, it is released or blocked. This happens directly in Azion's edge nodes, before the threat reaches your origin or causes any damage. You can customize the sensitivity per threat family, so that each family has its own blocking threshold.
Go to Web Application Firewall reference
Go to create waf rule set guide
Clone an edge firewall
You can clone an existing edge firewall through Azion API.
The cloned edge firewall has the same settings as the original, including main settings, function instances, and rules from Rules Engine. However, the domains associated with the original edge firewall are not copied, since a domain can only be bound to one edge firewall at a time.
You need to retrieve the ID of the edge firewall you want to clone and then run a POST request to clone it, providing a new name.
Clone an edge firewall
Limits
These are the default limits:
Scope | Limit |
---|---|
Network Lists entries | 20,000 lines |
ASN in a network list | 20,000 lines |
IP/CIDR in a network list | 20,000 lines |
Web Application Firewall | 128 kB |
Domains per edge firewall | 200 |