How to set up Traffic Filter rules including WAF rules

Learn how to set up traffic filter rules, including WAF rules. Read about creating, deploying, testing, and analyzing results.

Setup

The setup process involves the following:

  • creating rules with an appropriate AEM project structure and configuration file.
  • deploying rules using Adobe Cloud Manager’s configuration pipeline.
  • testing rules using various tools to generate traffic.
  • analyzing the results using AEMCS CDN logs and dashboard tooling.

Create rules in your AEM project

To create rules, follow these steps:

  1. At the top level of your AEM project, create a folder config.

  2. Within the config folder, create a new file called cdn.yaml.

  3. Add the following metadata to the cdn.yaml file:

kind: CDN
version: '1'
metadata:
  envTypes:
    - dev
    - stage
    - prod
data:
  trafficFilters:
    rules:

See an example of the cdn.yaml file within the AEM Guides WKND Sites Project:

w-800 modal-image
WKND AEM project rules file and folder

Deploy rules through Cloud Manager deploy-rules-through-cloud-manager

To deploy rules, follow these steps:

  1. Log into Cloud Manager at my.cloudmanager.adobe.com and select the appropriate organization and program.

  2. Navigate to the Pipelines card from the Program Overview page and click the +Add button and select the desired pipeline type.

    Cloud Manager Pipelines card

    In the example above, for demo purposes Add Non-Production Pipeline is selected since a dev environment is used.

  3. In the Add Non-Production Pipeline dialog, choose and enter the following details:

    1. Configuration step:

      • Type: Deployment Pipeline
      • Pipeline Name: Dev-Config

      Cloud Manager Config Pipeline dialog

    2. Source Code step:

      • Code to deploy: Targeted deployment
      • Include: Config
      • Deployment Environment: Name of your environment, for example, wknd-program-dev.
      • Repository: The Git repository from where the pipeline should retrieve the code; for example, wknd-site
      • Git Branch: The name of the Git repository branch.
      • Code Location: /config, corresponding to the top-level configuration folder created in the previous step.

      Cloud Manager Config Pipeline dialog

Test rules by generating traffic

To test rules, there are various third-party tools available and your organization may have a preferred tool. For demo purpose, let’s use the following tools:

  • Curl for basic testing like invoking a URL and checking the response code.

  • Vegeta to perform denial of service (DOS). Follow installation instructions from the Vegeta GitHub.

  • Nikto to find potential problems and security vulnerabilities like XSS, SQL injection, and more. Follow installation instructions from the Nikto GitHub.

  • Verify that the tools are installed and available in your terminal by running the commands below:

    code language-shell
    # Curl version check
    $ curl --version
    
    # Vegeta version check
    $ vegeta -version
    
    # Nikto version check
    $ cd <PATH-OF-CLONED-REPO>/program
    ./nikto.pl -Version
    

Analyze results using the dashboard tooling

After creating, deploying, and testing the rules, you can analyze the results using Elasticsearch, Logstash, and Kibana (ELK) dashboard tooling. It can parse the AEMCS CDN logs, allowing you to visualize the results in the form of various charts and graphs.

Dashboard tooling can be cloned directly from the AEMCS-CDN-Log-Analysis-ELK-Tool GitHub repository and follow the steps to install and load the Traffic Filter Rules (including WAF) dashboard.

  • After loading the sample dashboard, your Elastic dashboard tool page should look like the following:

    ELK Traffic Filter Rules Dashboard

NOTE
As there are no AEMCS CDN logs ingested yet, the dashboard is empty.

Next step

Learn how to declare traffic filter rules including WAF rules in the Examples and result analysis chapter, using the AEM WKND Sites Project.

recommendation-more-help
4859a77c-7971-4ac9-8f5c-4260823c6f69