Best practices for traffic filter rules including WAF rules
Learn recommended best practices for configuring traffic filter rules including WAF rules in AEM as a Cloud Service to enhance security and mitigate risks.
General best practices
- Start with the recommended set of standard traffic filter and WAF rules provided by Adobe, and tweak them based on your application’s specific needs and threat landscape.
- Collaborate with your security team to determine which rules align with your organization’s security posture and compliance requirements.
- Always test new or updated rules in Development environments before promoting them to Stage and Production.
- When declaring and validating rules, begin with the action type log to observe behavior without blocking legitimate traffic.
- Move from log to block only after analyzing sufficient traffic data and confirming that no valid requests are being affected.
- Introduce rules incrementally, involving QA, performance, and security testing teams to identify unintended side effects.
- Regularly review and analyze rule effectiveness using dashboard tooling. Frequency of review (daily, weekly, monthly) should align with your site’s traffic volume and risk profile.
- Continuously refine rules based on new threat intelligence, traffic behavior, and audit results.
Best practices for traffic filter rules
- Use Adobe recommended standard traffic filter rules as a baseline, which includes rules for edge, origin protection, and OFAC-based restrictions.
- Review alerts and logs regularly to identify patterns of abuse or misconfiguration.
- Adjust threshold values for rate limits based on your application’s traffic patterns and user behavior.
  See the following table for guidance on how to choose the threshold values:

  | Variation | Value |
  | --- | --- |
  | Origin | Take the highest value of the Max Origin Requests per IP/POP under normal traffic conditions (that is, not the rate at the time of a DDoS) and increase it by a multiple |
  | Edge | Take the highest value of the Max Edge Requests per IP/POP under normal traffic conditions (that is, not the rate at the time of a DDoS) and increase it by a multiple |

  Also see the choosing threshold values section for more details.
- Move to block action only after confirming that the log action does not impact legitimate traffic.
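The threshold guidance above can be worked through on exported CDN logs. The following is an added example, not Adobe's code: it finds the peak per-IP/POP request rate at edge and origin in a normal-traffic sample and scales it by a multiple. The JSON field names (timestamp, cli_ip, pop, cache), the 10-second averaging window, the rule that any non-HIT response counts as an origin request, and the multiple of 5 are all assumptions.

```python
import json
import math
from collections import Counter
from datetime import datetime


def _line(sec, ip, pop, cache):
    """Build one constructed CDN log record (field names are assumptions)."""
    return json.dumps({"timestamp": f"2025-01-15T10:00:{sec:02d}+00:00",
                       "cli_ip": ip, "pop": pop, "cache": cache})


# Constructed sample of normal (non-attack) traffic, plus one malformed line.
SAMPLE = (
    [_line(s % 10, "198.51.100.7", "FRA", "MISS" if s % 4 == 0 else "HIT") for s in range(40)]
    + [_line(10 + s % 10, "198.51.100.7", "FRA", "MISS") for s in range(20)]
    + [_line(s % 10, "203.0.113.9", "LHR", "PASS") for s in range(30)]
    + ["truncated {"]
)


def peak_rates(lines, window=10):
    """Highest requests/second, averaged per `window` seconds, for any IP/POP pair."""
    edge, origin = Counter(), Counter()
    for line in lines:
        try:
            rec = json.loads(line)
            ts = datetime.fromisoformat(rec["timestamp"])
            key = (rec["cli_ip"], rec["pop"], int(ts.timestamp()) // window)
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed or incomplete records
        edge[key] += 1  # every request reaches the edge
        if rec.get("cache") != "HIT":  # assumption: non-HIT means it went to origin
            origin[key] += 1
    return {"edge": max(edge.values(), default=0) / window,
            "origin": max(origin.values(), default=0) / window}


def suggest_limits(lines, multiple, window=10):
    """Peak normal rate times an operator-chosen multiple, rounded up."""
    return {tier: math.ceil(rate * multiple)
            for tier, rate in peak_rates(lines, window).items()}


if __name__ == "__main__":
    print(peak_rates(SAMPLE))
    print(suggest_limits(SAMPLE, 5))  # the multiple 5 is only a sample value
```

Run it only on logs from a period with no attack traffic, since the table asks for the peak under normal conditions.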
Best practices for WAF rules
- Start with the Adobe recommended WAF rules, which include rules for blocking known bad IPs, detecting DDoS attacks, and mitigating bot abuse.
- The ATTACK WAF flag should alert you to potential threats. Make sure that there are no false positives before moving to block.
- If recommended WAF rules do not cover specific threats, consider creating custom rules based on your application’s unique requirements. See a complete list of WAF flags in the documentation.
Implementing rules
Learn how to implement traffic filter rules and WAF rules in AEM as a Cloud Service:
Protecting AEM websites using standard traffic filter rules
Learn how to protect AEM websites from DoS, DDoS and bot abuse using Adobe-recommended standard traffic filter rules in AEM as a Cloud Service.
Protecting AEM websites using WAF rules
Learn how to protect AEM websites from sophisticated threats including DoS, DDoS, and bot abuse using Adobe-recommended Web Application Firewall (WAF) rules in AEM as a Cloud Service.