Difference between standard and WAF traffic filter rules

| Feature | Standard Traffic Filter Rules | WAF Traffic Filter Rules |
|---|---|---|
| Purpose | Prevent abuse such as DoS, DDoS, scraping, or bot activity | Detect and react to sophisticated attack patterns (for example, OWASP Top 10), which also protects from bots |
| Examples | Rate limiting, geo-blocking, user-agent filtering | SQL injection, XSS, known attack IPs |
| Flexibility | Highly configurable via YAML | Highly configurable via YAML, with predefined WAF flags |
| Recommended Mode | Start with log mode, then move to block mode | Start with block mode for the ATTACK-FROM-BAD-IP WAF flag and log mode for the ATTACK WAF flag, then move to block mode for both |
| Deployment | Defined in YAML and deployed via Cloud Manager Config Pipeline | Defined in YAML with wafFlags and deployed via Cloud Manager Config Pipeline |
| Licensing | Included with Sites and Forms licenses | Requires WAF-DDoS Protection or Enhanced Security license |

The standard traffic filter rules are useful for enforcing business-specific policies, such as rate limits or blocking specific regions, as well as blocking traffic based on request properties and headers such as IP address, path or user agent.
The WAF traffic filter rules, on the other hand, provide comprehensive proactive protection for known web exploits and attack vectors, and have advanced intelligence to limit false positives (i.e., blocking legitimate traffic).
Both types of rules are defined in YAML; see Traffic Filter Rules Syntax for details.

When and why to use them

Use standard traffic filter rules when:

  • You want to apply organization-specific limits, like IP rate throttling.
  • You are aware of specific patterns (for example, malicious IP addresses, regions, headers) that need filtering.

Use WAF traffic filter rules when:

  • You want comprehensive, proactive protection from widespread known attack patterns (for example, injection, protocol abuse), as well as known malicious IPs, collected from expert datasources.
  • You want to deny malicious requests while limiting the chance of blocking legitimate traffic.
  • You want to limit the amount of effort to defend against common and sophisticated threats, by applying simple configuration rules.

Together, these rules provide a defense-in-depth strategy that allows AEM as a Cloud Service customers to take both proactive and reactive measures in securing their digital properties.

Adobe provides recommended rules for standard traffic filter and WAF traffic filter rules to help you quickly secure your AEM sites.

  • Standard traffic filter rules (available by default): Address common abuse scenarios such as DoS, DDoS, and bot attacks against the CDN edge or origin, as well as traffic from sanctioned countries.
    Examples include:

    • Rate limiting IPs that make more than 500 requests/second at the CDN edge
    • Rate limiting IPs that make more than 100 requests/second at the origin
    • Blocking traffic from countries listed by the Office of Foreign Assets Control (OFAC)
  • WAF traffic filter rules (requires an add-on license): Provide additional protection against sophisticated threats, including OWASP Top Ten threats such as SQL injection, cross-site scripting (XSS), and other web application attacks.
    Examples include:

    • Blocking requests from known bad IP addresses
    • Logging or blocking suspicious requests that are flagged as attacks
TIP
Start by applying the Adobe-recommended rules to benefit from Adobe’s security expertise and ongoing updates. If your business has specific risks or edge cases, or notices any false positives (blocking of legitimate traffic), you can define custom rules or extend the default set to meet your needs.
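The recommended rollout from the table above (an edge rate limit in log mode, block mode for ATTACK-FROM-BAD-IP, log mode for ATTACK) sketched as an added YAML example that is not taken from Adobe's documentation. The rule key names (kind, trafficFilters, when, reqProperty, rateLimit, action) and the window/penalty values are assumptions based on the Traffic Filter Rules Syntax reference and should be verified there before deploying.

```yaml
kind: "CDN"
version: "1"
metadata:
  envTypes: ["dev", "stage", "prod"]
data:
  trafficFilters:
    rules:
      # Standard rule: start in log mode and switch action to block once the
      # CDN logs show no legitimate clients tripping the limit.
      # The 500 requests/second threshold mirrors the recommended edge rule;
      # window and penalty values are assumptions to verify in the syntax reference.
      - name: "edge-rate-limit"
        when:
          reqProperty: tier
          in: ["author", "publish"]
        rateLimit:
          limit: 500
          window: 10
          penalty: 300
          groupBy:
            - reqProperty: clientIp
        action: log

      # WAF rule: requests from known bad IPs carry little false-positive risk,
      # so the recommendation is to block them from the start.
      - name: "waf-block-bad-ips"
        when:
          reqProperty: path
          like: "*"
        action:
          type: block
          wafFlags: ["ATTACK-FROM-BAD-IP"]

      # WAF rule: generic attack signatures start in log mode; review the
      # flagged requests for false positives, then change type to block.
      - name: "waf-log-attacks"
        when:
          reqProperty: path
          like: "*"
        action:
          type: log
          wafFlags: ["ATTACK"]
```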