About threshold configurations
Threshold configurations cap the number of times requests from the same source (i.e., IP address or client) can exhibit defined characteristics (e.g., an attack signal) before the Next-Gen WAF flags the source. Once flagged, subsequent requests from the flagged source are handled (e.g., blocked) for a set period of time per the direction of the configuration.
There are three types of threshold configurations:
- advanced rate limiting rules: configurations that you define to cap how often an individual client can send requests that meet set conditions before all or some requests from that same client are blocked or logged.
- attack thresholds: configurations that we've defined to monitor and handle requests from IP addresses that contain attack signals. They apply to all attack signals for a site (workspace). You can lower and raise the attack thresholds and override them for individual attack signals by creating site alerts (also known as signal thresholds).
- site alerts (signal thresholds): configurations that you define to monitor and handle requests from IP addresses that contain specific signals.
Precedence for thresholds
When multiple threshold configurations exist, the Next-Gen WAF agent uses the following logic to determine which configuration should take precedence:
- The threshold configuration with the lowest threshold and smallest interval for a given action (i.e., block or log) will be checked first.
- Threshold configurations with a block action do not compete for precedence against those with a log action.
- After a threshold configuration with a block action flags an IP address, other threshold configurations with a block action can't flag that IP address until the existing flag is lifted.
- After a threshold configuration with a log action flags an IP address, other threshold configurations with a log action can't flag that IP address until the existing flag is lifted.
- A threshold configuration with a block action and a threshold configuration with a log action can both flag the same IP address.
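The precedence rules above, modelled as a small simulation. This is an added example, not the Next-Gen WAF agent's own code: the configuration names, thresholds, intervals, flag durations, the sliding-window counting, and the threshold-then-interval sort order are all assumptions made for illustration.

```python
from collections import defaultdict, namedtuple

# Hypothetical model of a threshold configuration (not a Next-Gen WAF API object).
# interval and flag_for are in seconds.
Config = namedtuple("Config", "name action threshold interval flag_for")

# Constructed sample configurations; every value here is illustrative.
CONFIGS = [
    Config("block-50-per-min", "block", 50, 60, 3600),
    Config("block-10-per-10min", "block", 10, 600, 3600),
    Config("block-10-per-min", "block", 10, 60, 3600),
    Config("log-5-per-min", "log", 5, 60, 3600),
]

def simulate(configs, events):
    """events: (timestamp, ip) pairs for requests that match every config.
    Returns the flags raised as (timestamp, ip, action, config name)."""
    # Checked first: lowest threshold, then smallest interval (sort order assumed).
    ordered = sorted(configs, key=lambda c: (c.threshold, c.interval))
    hits = defaultdict(list)   # (config name, ip) -> timestamps inside the interval
    flagged_until = {}         # (action, ip) -> time the existing flag is lifted
    flags = []
    for ts, ip in events:
        for cfg in ordered:
            key = (cfg.name, ip)
            hits[key] = [t for t in hits[key] if t > ts - cfg.interval] + [ts]
            # Block and log flags are tracked separately, one of each per IP.
            if flagged_until.get((cfg.action, ip), 0) > ts:
                continue
            # Assumption: the flag is raised when the count reaches the threshold.
            if len(hits[key]) >= cfg.threshold:
                flagged_until[(cfg.action, ip)] = ts + cfg.flag_for
                flags.append((ts, ip, cfg.action, cfg.name))
    return flags

def sample_events():
    # Constructed traffic: one client (documentation address) sends a matching
    # request every second for a minute.
    return [(ts, "203.0.113.7") for ts in range(60)]

if __name__ == "__main__":
    for flag in simulate(CONFIGS, sample_events()):
        print(flag)
```

In this run the log configuration flags the client on its fifth request and the one-minute block configuration flags it on its tenth; the other two block configurations reach their thresholds later (or on the same request but checked afterwards) and cannot flag the address while the existing block flag is in place.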
Preventing specific IP addresses from being flagged
To prevent an IP address from being flagged by threshold configurations, create a request rule with an allow action. For example, if you plan to scan your web application for vulnerabilities, a request rule with an allow action ensures the scanning IP address isn't flagged.
Monitoring threshold activity
You can monitor threshold activity via the control panel you use to access the Next-Gen WAF.
Control panel | Page |
---|---|
Next-Gen WAF | Events Observed Sources |
Fastly | Events Monitor |