Combined Arms
An example security recipe combining Access Controls, Bot Management, and WAF.
# Combined recipe: source-IP allow/deny lists, then Bot Management scoring, then WAF.
# http-request rules are evaluated in the order written, so the order is part of the policy.
#
# WAF Lenient mode 1 will allow 3 requests from humans with bot score 0 that triggered WAF.
# The human deny rule further down only fires when this variable is 0.
# NOTE(review): the budget of 3 is not set anywhere in this snippet; presumably it is
# txn.sec_waf_allowed_violations, set elsewhere - confirm.
http-request set-var(txn.sec_waf_lenient) int(1)
# Basic allowlist/denylist ACLs, matched on src (the address of the connecting peer).
# NOTE(review): if a CDN or load balancer sits in front of this proxy, src is that hop's
# address rather than the end client's - confirm the lists hold the addresses you expect.
# The denylist rule runs first and unconditionally, so an address in both files is denied.
# Every deny rule after it carries !sec_is_allowlisted: an allowlisted source is exempt
# from all bot and WAF enforcement below, so write access to ip_allowlist.acl is
# security-sensitive.
acl sec_is_allowlisted src -f /var/lib/dataplaneapi/storage/general/ip_allowlist.acl
acl sec_is_denylisted src -f /var/lib/dataplaneapi/storage/general/ip_denylist.acl
http-request deny deny_status 403 if sec_is_denylisted
# Score remaining requests with Bot Management
# The score is copied into txn.sec_bot_score; the two ACLs read txn.sec_bot_label.
# NOTE(review): nothing in this snippet sets txn.sec_bot_label. If it is not populated
# elsewhere, neither ACL matches and the bot/human deny rules below never fire - confirm.
filter botmgmt
acl sec_bot_is_human var(txn.sec_bot_label) -m str human
acl sec_bot_is_bot var(txn.sec_bot_label) -m str bot
http-request set-var(txn.sec_bot_score) req.botmgmt.score
# Process through WAF
# The verdict is read back from txn.advanced.block and txn.advanced.drop as booleans.
# NOTE(review): sec_waf_dropped is defined but no rule in this snippet uses it, so a
# "drop" verdict is not enforced here - confirm that is intended.
filter waf advanced rules-file /var/lib/dataplaneapi/storage/waf/advanced/waf_core.rules log
acl sec_waf_blocked var(txn.advanced.block),bool
acl sec_waf_dropped var(txn.advanced.drop),bool
# Deny bots with violations and humans if lenient mode is off
# Rule 1: labelled "bot" + WAF block verdict -> 403.
# Rule 2: labelled "human" + WAF block verdict -> 403 only when lenient mode is 0.
# NOTE(review): a WAF-blocked request whose label is neither "bot" nor "human" matches
# neither rule; only the violation-count rule at the end can stop it.
http-request deny deny_status 403 if sec_bot_is_bot !sec_is_allowlisted sec_waf_blocked
http-request deny deny_status 403 if sec_bot_is_human { var(txn.sec_waf_lenient) -m int eq 0 } \
!sec_is_allowlisted sec_waf_blocked
# Rule 3: 403 once violations exceed the allowed count (violations - allowed > 0),
# unless simulation mode is on.
# NOTE(review): sec_simulation_mode, txn.sec_waf_violations and
# txn.sec_waf_allowed_violations are not defined in this snippet. HAProxy refuses to load
# a condition that names an undefined ACL, and presumably an unset variable makes the
# expression not match (no deny) - confirm they are provided by the rest of the config.
http-request deny deny_status 403 if !sec_is_allowlisted !sec_simulation_mode \
{ var(txn.sec_waf_violations),sub(txn.sec_waf_allowed_violations) gt 0 }