Enabling the WAF

Adobe enables the WAF service on new accounts within 2 to 3 weeks after provisioning is final. The WAF is implemented through the Fastly CDN service. You do not have to install or maintain any hardware or software.

NOTE
Before you can use the WAF service, all external traffic to your Adobe Commerce on cloud infrastructure project must route through the Fastly service. See Set up Fastly.

How it works

The WAF service integrates with Fastly and uses the cache logic within the Fastly CDN service to filter traffic at the Fastly global nodes. We enable the WAF service in your Production environment with a default WAF policy based on ModSecurity Rules from Trustwave SpiderLabs and the OWASP Top Ten security threats.

The WAF service inspects HTTP and HTTPS traffic (GET and POST requests) against the WAF ruleset and blocks traffic that is malicious or does not comply with specific rules. The service inspects only origin-bound traffic that attempts to refresh the cache. As a result, we stop most attack traffic at the Fastly cache, protecting your origin traffic from malicious attacks. By processing only origin traffic, the WAF service preserves cache performance, introducing only an estimated 1.5 milliseconds to 20 milliseconds of latency to every non-cached request.

Troubleshooting blocked requests

When the WAF service is enabled, it inspects all web and admin traffic against the WAF rules and blocks any web request that triggers a rule. When a request is blocked, the requestor sees a default 403 Forbidden error page that includes a reference ID for the blocking event.

WAF error page

You can customize this error response page from the Admin. See Customize the WAF response page.

If your Adobe Commerce admin page or storefront returns a 403 Forbidden error page in response to a legitimate URL request, submit an Adobe Commerce Support ticket. Copy the reference ID from the error response page and paste it into the ticket description.

To identify the WAF response for a particular request using New Relic, refer to the following:

  • Agent_response—Indicates the WAF response code (200 means good and 406 means blocked)
  • sigsci tags—Tags the request with a particular Signal Sciences tag based on the nature of the request
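As an added example (not part of the Adobe documentation), the following Python triage script applies the two fields above to constructed log records: it maps Agent_response to the allowed/blocked outcome and groups blocked requests by tag and URL, so a legitimate URL that is repeatedly blocked stands out as a candidate for a support ticket. The JSON record layout and the `sigsci_tags` key are assumptions for this example, not Adobe's or New Relic's schema.

```python
import json
from collections import Counter

# Constructed sample of New Relic-style log records for WAF-inspected traffic.
# Field names follow the documentation (Agent_response, sigsci tags); the
# record layout itself is an assumption for this example, not Adobe's schema.
SAMPLE_LOGS = [
    '{"url": "/checkout/cart/add", "Agent_response": 200, "sigsci_tags": []}',
    '{"url": "/admin/catalog/product", "Agent_response": 406, "sigsci_tags": ["SQLI"]}',
    '{"url": "/search?q=shoes", "Agent_response": 406, "sigsci_tags": ["XSS"]}',
    '{"url": "/admin/catalog/product", "Agent_response": 406, "sigsci_tags": ["SQLI"]}',
    '{"url": "/customer/account", "Agent_response": 200, "sigsci_tags": []}',
]

WAF_ALLOWED = 200   # request passed the WAF ruleset
WAF_BLOCKED = 406   # request was blocked by the WAF

def classify(record):
    """Map Agent_response to the two WAF outcomes named in the documentation."""
    code = record.get("Agent_response")
    if code == WAF_ALLOWED:
        return "allowed"
    if code == WAF_BLOCKED:
        return "blocked"
    return "unknown"

def summarize(log_lines):
    """Count WAF outcomes and group blocked requests by (tag, url).

    Repeated blocks of the same legitimate URL are the pattern to look for
    before opening a support ticket with the reference ID from the 403 page.
    """
    outcomes = Counter()
    blocked = Counter()
    for line in log_lines:
        rec = json.loads(line)
        verdict = classify(rec)
        outcomes[verdict] += 1
        if verdict == "blocked":
            # A blocked request with no tag is still worth seeing in the report.
            for tag in rec.get("sigsci_tags") or ["(untagged)"]:
                blocked[(tag, rec["url"])] += 1
    return outcomes, blocked

if __name__ == "__main__":
    outcomes, blocked = summarize(SAMPLE_LOGS)
    print(dict(outcomes))
    for (tag, url), count in blocked.most_common():
        print(f"{count:3d}  {tag:10s} {url}")
```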