How to set up Traffic Filter rules including WAF rules

Learn how to set up traffic filter rules, including WAF rules. Read about creating, deploying, testing, and analyzing results.

Transcript
The setup process involves the AEM project, Cloud Manager, third-party tools, and the Adobe-provided dashboard tooling project. Let’s begin with the AEM project. This is where you create or define the rules. You save these rules inside a YAML file, located within a new config folder at the root of the AEM project structure. Note that this config folder is not a Maven project or module, so there is no module entry in the main project POM file.

Next, the Cloud Manager configuration pipeline. To deploy these rules, you create a configuration pipeline in Adobe Cloud Manager. In the source code step, ensure that you select the config option, and in the code location text input field, enter slash config, which is the name of the folder containing the YAML files in your AEM project.

Then, to test the rules, you can use third-party software. For this tutorial, I have installed tools such as curl to invoke WKND web pages using the command line. Vegeta to simulate a denial of service by triggering a large number of requests. And Nikto to simulate security vulnerabilities like cross-site scripting and SQL injection attacks.

Finally, for result analysis, install the dashboard tooling by cloning the AEMCS CDN Log Analysis ELK Tool repository from GitHub. This repository provides a pre-configured ELK Docker container that parses AEMCS CDN logs to visualize metrics. To get started, create directories for the dev, stage, and prod environments inside the main logs directory, and use the Docker command to start the ELK container. Additionally, import the Adobe-provided traffic filter rules dashboard into your locally running Elasticsearch application. The sample dashboard simplifies the result analysis with pre-configured panels. Please note that the dashboard will appear empty until you load the logs data. This concludes the one-time setup process. Please note that I have cloned and deployed the sample WKND project to my AEMCS cloud service dev environment using a full-stack pipeline.
Next, let’s explore practical rule examples and their result analysis.

Setup

The setup process involves the following:

  • creating rules with an appropriate AEM project structure and configuration file.
  • deploying rules using Adobe Cloud Manager’s configuration pipeline.
  • testing rules using various tools to generate traffic.
  • analyzing the results using AEMCS CDN logs and dashboard tooling.

Create rules in your AEM project

To create rules, follow these steps:

  1. At the top level of your AEM project, create a folder config.

  2. Within the config folder, create a new file called cdn.yaml.

  3. Add the following metadata to the cdn.yaml file:

```yaml
kind: CDN
version: '1'
metadata:
  envTypes:
    - dev
    - stage
    - prod
data:
  trafficFilters:
    rules:
```

See an example of the cdn.yaml file within the AEM Guides WKND Sites Project:

WKND AEM project rules file and folder

Deploy rules through Cloud Manager

To deploy the rules, follow these steps:

  1. Log into Cloud Manager at my.cloudmanager.adobe.com and select the appropriate organization and program.

  2. Navigate to the Pipelines card from the Program Overview page and click the +Add button and select the desired pipeline type.

    Cloud Manager Pipelines card

    In the example above, for demo purposes Add Non-Production Pipeline is selected since a dev environment is used.

  3. In the Add Non-Production Pipeline dialog, choose and enter the following details:

    1. Configuration step:

      • Type: Deployment Pipeline
      • Pipeline Name: Dev-Config

      Cloud Manager Config Pipeline dialog

    2. Source Code step:

      • Code to deploy: Targeted deployment
      • Include: Config
      • Deployment Environment: Name of your environment, for example, wknd-program-dev.
      • Repository: The Git repository from where the pipeline should retrieve the code; for example, wknd-site
      • Git Branch: The name of the Git repository branch.
      • Code Location: /config, corresponding to the top-level configuration folder created in the previous step.

      Cloud Manager Config Pipeline dialog

Test rules by generating traffic

To test rules, there are various third-party tools available and your organization may have a preferred tool. For the demo purpose, let’s use the following tools:

  • Curl for basic testing like invoking a URL and checking the response code.

  • Vegeta to simulate a denial of service (DoS) by generating a high volume of requests. Follow the installation instructions from the Vegeta GitHub.

  • Nikto to find potential problems and security vulnerabilities like XSS, SQL injection, and more. Follow installation instructions from the Nikto GitHub.

  • Verify that the tools are installed and available in your terminal by running the commands below:

```shell
# Curl version check
$ curl --version

# Vegeta version check
$ vegeta -version

# Nikto version check
$ cd <PATH-OF-CLONED-REPO>/program
$ ./nikto.pl -Version
```

Analyze results using the dashboard tooling

After creating, deploying, and testing the rules, you can analyze the results using the CDN logs and the AEMCS-CDN-Log-Analysis-Tooling. The tooling provides a set of dashboards to visualize the results for the Splunk and ELK (Elasticsearch, Logstash, and Kibana) stacks.

The tooling can be cloned from the AEMCS-CDN-Log-Analysis-Tooling GitHub repository. Then, follow the instructions to install and load the CDN Traffic Dashboard and WAF Dashboard dashboards for your preferred observability tool.

In this tutorial, let’s use the ELK stack. Follow the ELK Docker container for AEMCS CDN Log Analysis instructions to set up the ELK stack.

  • After loading the sample dashboard, your Elastic dashboard tool page should look like the following:

    ELK Traffic Filter Rules Dashboard

NOTE: As there are no AEMCS CDN logs ingested yet, the dashboard is empty.
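The dashboard panels are aggregations over the CDN log lines: hits per matched rule, hits per WAF flag, status code distribution, and request bursts per client. The following script is an added example, not code from the page or from the AEMCS-CDN-Log-Analysis-Tooling project, that performs the same aggregations over a handful of constructed log lines so you can sanity-check what the dashboard should show before ingesting real logs. The JSON field names used (timestamp, cli_ip, url, status, rules, waf_flags) are assumed to match the AEMCS CDN log format; verify them against the logs you download from Cloud Manager, and the IP addresses, URLs and rule names in the sample are made up.

```python
"""Aggregate constructed AEMCS CDN log lines the way the traffic filter dashboard does."""
import json
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample CDN log (JSON lines). Field names are an assumption about the
# AEMCS CDN log format; rule names, WAF flags, IPs and paths are invented for the demo.
SAMPLE_CDN_LOG = """\
{"timestamp":"2024-05-01T10:00:00+0000","cli_ip":"203.0.113.10","url":"/content/wknd/us/en.html","status":200,"rules":"","waf_flags":""}
{"timestamp":"2024-05-01T10:00:30+0000","cli_ip":"203.0.113.10","url":"/content/wknd/us/en/adventures.html","status":200,"rules":"","waf_flags":""}
{"timestamp":"2024-05-01T10:02:00+0000","cli_ip":"203.0.113.10","url":"/content/wknd/us/en/magazine.html","status":200,"rules":"","waf_flags":""}
{"timestamp":"2024-05-01T10:03:00+0000","cli_ip":"198.51.100.7","url":"/content/wknd/us/en/search.html","status":403,"rules":"block-xss","waf_flags":"XSS"}
{"timestamp":"2024-05-01T10:03:05+0000","cli_ip":"198.51.100.7","url":"/content/wknd/us/en/search.html","status":403,"rules":"block-sqli","waf_flags":"SQLI"}
{"timestamp":"2024-05-01T10:05:00+0000","cli_ip":"192.0.2.55","url":"/content/wknd/us/en.html","status":200,"rules":"","waf_flags":""}
{"timestamp":"2024-05-01T10:05:00+0000","cli_ip":"192.0.2.55","url":"/content/wknd/us/en.html","status":200,"rules":"","waf_flags":""}
{"timestamp":"2024-05-01T10:05:01+0000","cli_ip":"192.0.2.55","url":"/content/wknd/us/en.html","status":200,"rules":"","waf_flags":""}
{"timestamp":"2024-05-01T10:05:01+0000","cli_ip":"192.0.2.55","url":"/content/wknd/us/en.html","status":200,"rules":"","waf_flags":""}
{"timestamp":"2024-05-01T10:05:02+0000","cli_ip":"192.0.2.55","url":"/content/wknd/us/en.html","status":200,"rules":"","waf_flags":""}
{"timestamp":"2024-05-01T10:05:03+0000","cli_ip":"192.0.2.55","url":"/content/wknd/us/en.html","status":200,"rules":"","waf_flags":""}
"""


def parse_cdn_log(text):
    """Parse JSON-lines CDN log text; blank or malformed lines are skipped, not fatal."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return entries


def field_counts(entries, field):
    """Count comma-separated values of a field (e.g. matched rules or WAF flags), ignoring empties."""
    counts = Counter()
    for entry in entries:
        for value in str(entry.get(field, "")).split(","):
            value = value.strip()
            if value:
                counts[value] += 1
    return dict(counts)


def status_counts(entries):
    """Distribution of HTTP status codes, one of the standard dashboard panels."""
    return dict(Counter(int(e["status"]) for e in entries))


def _parse_ts(value):
    # Assumed timestamp layout: ISO 8601 with a numeric UTC offset such as +0000.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S%z")


def flag_bursty_clients(entries, limit, window_seconds):
    """Return {cli_ip: peak requests} for clients exceeding `limit` requests in any
    sliding window of `window_seconds`; the same shape of check a rate-limit rule applies."""
    by_ip = defaultdict(list)
    for entry in entries:
        by_ip[entry["cli_ip"]].append(_parse_ts(entry["timestamp"]))
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > limit:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    log = parse_cdn_log(SAMPLE_CDN_LOG)
    print("rule hits:", field_counts(log, "rules"))
    print("waf flags:", field_counts(log, "waf_flags"))
    print("status codes:", status_counts(log))
    print("bursty clients (>5 req / 10 s):", flag_bursty_clients(log, limit=5, window_seconds=10))
```

Point `parse_cdn_log` at the contents of a real downloaded CDN log file to compare the numbers against the ELK dashboard; if the rule and flag panels stay empty while `field_counts` reports hits, the ingest pipeline is the thing to check rather than the rules.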

Next step

Learn how to declare traffic filter rules including WAF rules in the Examples and result analysis chapter, using the AEM WKND Sites Project.
