Difference between standard and WAF traffic filter rules
| Feature | Standard Traffic Filter Rules | WAF Traffic Filter Rules |
|---|---|---|
| Purpose | Prevent abuse such as DoS, DDoS, scraping, or bot activity | Detect and react to sophisticated attack patterns (for example, OWASP Top 10); this also covers much bot traffic |
| Examples | Rate limiting, geo-blocking, user-agent filtering | SQL injection, XSS, known attack IPs |
| Flexibility | Highly configurable via YAML | Highly configurable via YAML, with predefined WAF flags |
| Recommended mode | Start in log mode, then move to block mode | Start in block mode for the ATTACK-FROM-BAD-IP WAF flag and log mode for the ATTACK WAF flag; move ATTACK to block mode once log review shows an acceptable false-positive rate |
| Deployment | Defined in YAML and deployed via the Cloud Manager Config Pipeline | Defined in YAML with wafFlags and deployed via the Cloud Manager Config Pipeline |
| Licensing | Included with Sites and Forms licenses | Requires the WAF-DDoS Protection or Enhanced Security license |
The standard traffic filter rules are useful for enforcing business-specific policies, such as rate limits or blocking specific regions, as well as for blocking traffic based on request properties and headers such as IP address, path, or user agent.
The WAF traffic filter rules, on the other hand, provide comprehensive, proactive protection against known web exploits and attack vectors, and carry advanced intelligence to limit false positives (that is, blocking legitimate traffic).
Both types of rules are defined in the same YAML syntax; see Traffic Filter Rules Syntax for details.
When and why to use them
Use standard traffic filter rules when:
- You want to apply organization-specific limits, like IP rate throttling.
- You are aware of specific patterns (for example, malicious IP addresses, regions, headers) that need filtering.
Use WAF traffic filter rules when:
- You want comprehensive, proactive protection from widespread known attack patterns (for example, injection, protocol abuse), as well as from known malicious IPs collected from expert data sources.
- You want to deny malicious requests while limiting the chance of blocking legitimate traffic.
- You want to limit the effort needed to defend against common and sophisticated threats by applying simple configuration rules.
Together, these rules provide a defense-in-depth strategy that allows AEM as a Cloud Service customers to take both proactive and reactive measures in securing their digital properties.
Adobe-recommended rules
Adobe provides recommended rules for standard traffic filter and WAF traffic filter rules to help you quickly secure your AEM sites.
- Standard traffic filter rules (available by default): address common abuse scenarios such as DoS, DDoS, and bot attacks against the CDN edge or origin, and traffic from sanctioned countries. Examples include:
  - Rate limiting IPs that make more than 500 requests/second at the CDN edge
  - Rate limiting IPs that make more than 100 requests/second at the origin
  - Blocking traffic from countries listed by the Office of Foreign Assets Control (OFAC)
- WAF traffic filter rules (requires add-on license): provide additional protection against sophisticated threats, including OWASP Top Ten threats such as SQL injection, cross-site scripting (XSS), and other web application attacks. Examples include:
  - Blocking requests from known bad IP addresses
  - Logging or blocking suspicious requests that are flagged as attacks
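The following is an added example, not configuration from the original page or from Adobe, showing how the recommended rules listed above (both the standard and the WAF kind, and the YAML definition mentioned under "Difference between standard and WAF traffic filter rules") fit together in one CDN configuration file. Field names (`kind`, `data.trafficFilters.rules`, `when`, `rateLimit`, `wafFlags`) follow the Traffic Filter Rules Syntax reference as the editor understands it and should be verified against that page before deployment; the `tier: publish` scoping, the rule names, and the four-entry country list are assumptions made for illustration, the country list in particular being a constructed subset, not the OFAC list.

```yaml
# Added example (not from the original page or from Adobe). Field names follow
# the Traffic Filter Rules Syntax reference as the editor understands it;
# verify against that reference before deploying.
kind: "CDN"
version: "1"
metadata:
  envTypes: ["dev", "stage", "prod"]
data:
  trafficFilters:
    rules:
      # ---- Standard rules (no add-on license needed) ----

      # Geo-block. The country codes are an illustrative, constructed subset;
      # populate this from the current OFAC sanctions list, not from here.
      - name: block-ofac-countries
        when:
          reqProperty: clientCountry
          in: ["CU", "IR", "KP", "SY"]
        action: block

      # Rate limit at the CDN edge: every request, including cache hits,
      # counted per client IP. Start in log mode; switch to block after review.
      - name: limit-edge-requests-per-ip
        when:
          reqProperty: tier        # assumption: scope to the publish tier
          equals: publish
        rateLimit:
          limit: 500               # requests per second ...
          window: 10               # ... averaged over a 10 second window
          penalty: 300             # seconds the offending IP stays limited
          count: all               # count all requests hitting the edge
          groupBy:
            - reqProperty: clientIp
        action: log

      # Rate limit at the origin: only cache misses ("fetches") are counted,
      # so a lower threshold protects the publish instances themselves.
      - name: limit-origin-requests-per-ip
        when:
          reqProperty: tier
          equals: publish
        rateLimit:
          limit: 100
          window: 10
          penalty: 300
          count: fetches
          groupBy:
            - reqProperty: clientIp
        action: log

      # ---- WAF rules (require the WAF-DDoS Protection or Enhanced Security license) ----

      # Known-bad source IPs carry little false-positive risk, so block immediately.
      - name: block-known-bad-ips
        when:
          reqProperty: tier
          in: ["author", "publish"]
        action:
          type: block
          wafFlags:
            - ATTACK-FROM-BAD-IP

      # Generic attack signatures (injection, XSS, and similar): log first,
      # review the flagged requests in the CDN logs, then change type to block.
      - name: log-attack-patterns
        when:
          reqProperty: tier
          in: ["author", "publish"]
        action:
          type: log
          wafFlags:
            - ATTACK
```

The ordering of modes mirrors the recommendation in the table above: the two rate limits and the ATTACK flag start in log mode so that legitimate traffic (search crawlers, load tests, integrations that poll the origin) shows up in the CDN logs before anything is blocked, while the geo-block and the ATTACK-FROM-BAD-IP flag block from the first deployment because their false-positive risk is low. Deploy the file through the Cloud Manager Config Pipeline, review the logged hits for each rule name, and then flip `action: log` to `action: block` (or `type: log` to `type: block`) one rule at a time.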