Getting started with Web Application Firewall

Getting Started: Cyber Security

Once Leaseweb Cyber Security is configured and ready, there are a few steps to follow:


Adding/Reviewing web application

First, create a new web application. You can also edit ones we have already added.

Go to the Manage Web Apps sub-section in Manage Company. To add a web application, click the Add web app button. To edit a web application, click the Edit button.

The following box appears:

Name: Web application name.
Domain name: Web application domain name. It must be a valid domain name and unique across all web applications in the system. It can't be edited after creation.
CNAME: CNAME to be used in the DNS settings for this web application.
Origin servers: The origin servers for the web application. Each should be a valid IPv4 address or domain name.
Additional domains: Additional domain names should be valid and unique. You can add multiple domains separated by carriage-return / line-feed (Enter). You can also add additional domains using a wildcard, e.g: *
Redirect from base domain: Enables base domain redirects. The most common case is redirecting the apex domain to www. For example, redirect to
Base domain to redirect from: Available only when the 'Redirect from base domain' option is enabled. Sets the base domain to redirect from. The base domain should be part of the web app domain name.
Health checks: Health check settings for the web application. Interval - 10 sec, Fail count - 2, Rise count - 2, Timeout - 5 sec.
HTTPs Support: Read-only setting, shown only when SSL is enabled. To enable SSL for your web application, please contact our support.
SPDY Protocol: Enables SPDY protocol support for the web application. Can be enabled only for web applications with SSL support.

Inviting Users

To invite a user, click the Invite user button in the Manage Users sub-section under Manage Company in the sidebar.

The Invite new user box appears.

You can invite users using their email IDs and you can then manage their Web App permissions.

Adding/Reviewing caching rules

Caching helps with improving efficiency by storing frequently used data. This way cached content is served from edge server(s) without the need to fetch it from the origin.

You can manage caching rules directly in the Control Center under Caching Policies or Caching Rules.

This also displays and allows for management of existing rule(s) you might already have.

Note that rules are applied in the order in which they are added. It is advisable to add the most aggressive rules first to help prioritize the caching. A general approach is to add 'do not cache' rules before caching rules.

Click on the Add rule button and select the new caching rule type.

Specify URL caching rule settings and defaults

Specify file caching rule settings and defaults

Specify never caching URL rule settings and defaults:

Specify never caching file rule settings and defaults:

Often used rules (samples):

  1. Do not cache WordPress admin page:

  2. Cache home page:

  3. Cache static content:
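
The ordering advice and the three sample rules above, as an added example (not Leaseweb code): a small Python model that assumes rules are evaluated in order with the first match deciding, and flags 'never cache' rules that an earlier caching rule overrides. The rule tuples, glob patterns and paths are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed rule lists: (action, glob on the URL path). The pattern syntax and
# first-match-wins evaluation are assumptions for this sketch, not product behaviour.
RISKY_ORDER = [
    ("cache", "/*"),                  # broad caching rule added first
    ("never_cache", "/wp-admin/*"),   # added too late to take effect
]
RECOMMENDED_ORDER = [
    ("never_cache", "/wp-admin/*"),   # do not cache WordPress admin pages
    ("cache", "/"),                   # cache home page
    ("cache", "*.css"),               # cache static content
    ("cache", "*.js"),
]
SAMPLE_PATHS = ["/", "/static/site.css", "/wp-admin/index.php", "/cart"]


def decide(rules, path):
    """Return the action of the first rule matching path, else 'default'."""
    for action, pattern in rules:
        if fnmatchcase(path, pattern):
            return action
    return "default"


def shadowed_never_cache(rules, paths):
    """Find paths that a cache rule claims before a later never-cache rule is reached."""
    findings = []
    for path in paths:
        winner = next(((i, r) for i, r in enumerate(rules) if fnmatchcase(path, r[1])), None)
        if winner is None or winner[1][0] != "cache":
            continue
        index, (_, cache_pattern) = winner
        for action, pattern in rules[index + 1:]:
            if action == "never_cache" and fnmatchcase(path, pattern):
                findings.append((path, pattern, cache_pattern))
    return findings


if __name__ == "__main__":
    for name, rules in (("risky", RISKY_ORDER), ("recommended", RECOMMENDED_ORDER)):
        for path in SAMPLE_PATHS:
            print(f"{name:12} {path:22} -> {decide(rules, path)}")
        print(name, "shadowed:", shadowed_never_cache(rules, SAMPLE_PATHS))
```

Running the same check over a list of authenticated or per-user paths from your own application shows which of them a planned rule order would let the edge cache.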

Cache statistics and logs:

Visit the Caching Policies page to view Cache Savings, Global Traffic, Hit Ratio, Top Not Cached and other statistics:

Visit the Caching Policies or Caching Logs page to view detailed asset caching statistics, including Request Date/Time, Asset, Client IP, Request URL, Cache Status, Country, Browser and OS information.

Setting / Reviewing WAF rules

 Go to the WAF Policies section.

Next, enable the WAF engine. The WAF rules are separated into the following categories: 

To enable the WAF rule(s):

  1. Select the rule(s)
  2. Select the rule mode - Off, Alert only, Block
  3. Click the Save button

If you're just starting with a new web application, we recommend setting the following categories to Alert only mode:

  1. Generic Attacks
  2. XSS
  3. SQL Injection
  4. Information Leakage

WAF alerts and logs can be reviewed in the WAF Logs sub-section under WAF Engine:

Please note, WAF logs must be reviewed periodically to identify and address false-positive alerts.