Configure WAAP for a domain

Web Application and API Protection (WAAP) is a single SaaS tool that combines all aspects of website security and traffic management, including Layer 7 DDoS protection, and web application security.

To secure your application with WAAP, you need to create a Gcore CDN resource for your domain, enable WAAP protection in the resource settings, and then verify that everything works as expected and you don’t block legitimate traffic. The following steps will guide you through this process and help you configure WAAP according to your requirements.

After you enable WAAP, all traffic will be diverted to our network, and it may cause a temporary disruption for your users. We recommend setting up Gcore WAAP during a low-traffic period to minimize the impact.

Step 1: Create a CDN resource

To secure your web application and APIs with Gcore WAAP, it’s necessary to create a CDN resource associated with your website’s origin.

If you don’t have Gcore CDN configured, follow the instructions from this guide: Create a CDN resource. To add an SSL certificate, check out the Add an SSL certificate to deliver content over HTTPS guide.

Update your domain’s DNS records so they point to our network. This is necessary to allow all traffic to pass through WAAP.

Step 2: Enable WAAP in CDN resource settings

Once your CDN resource is set up, you can activate WAAP protection for it:

1. In the Gcore Customer Portal, navigate to CDN > CDN resources.

2. Next to the resource that you want to protect with WAAP, click the three-dot icon and select Settings.

CDN resource settings page in the Customer Portal

3. Scroll down the page and find the Security section.

4. Enable the WAAP toggle to activate Web Application and API Protection for your CDN resource.

WAAP toggle

5. Click Save to apply the changes.

Note that it might take up to 30 minutes after activation for HTTP traffic to start passing through WAAP.

What to do if WAAP blocks content that shouldn’t be blocked?

You can adjust WAAP behavior and manage traffic filtering rules in the WAAP settings.

Instead of disabling WAAP protection for the whole resource, you can create a rule with an exception:

1. In the CDN resource settings, open the Rules tab.

2. Click Create rule > Create blank rule.

3. Give your rule a name.

4. In the Match criteria section, specify the URLs or a regular expression of files blocked by WAAP.

5. Set the origin pull protocol to Inherit from resource.

WAAP toggle

6. In the Options section, click Add option.

7. Find WAAP and then turn it off for the selected URL rule pattern.

8. Click Create rule.

Your content should no longer be blocked by WAAP.

Step 3: Use WAAP in monitor mode

After you enable WAAP, it is automatically set to monitor mode. In this mode, we inspect all incoming requests but take no action on them. It's best to keep WAAP in monitor mode for several days before enabling protect mode, so you can confirm that all security settings work correctly.

Completing this step is important because it allows you to analyze requests and test the WAAP behavior before you fully activate it.

Step 4: View your domain traffic

While keeping WAAP in monitor mode, you can view all logged requests and check the corresponding actions that the WAAP will take once you put it in the protect mode.

Go through the analytics pages to detect common traffic patterns and understand if the current configuration requires any adjustments.

For instance, you can find information about incoming web requests on the WAF analytics page in the Requests table:

1. In the Gcore Customer Portal, navigate to WAAP > Domains.

Domains page in the Customer Portal

2. Find the needed domain and click its name to open it.

3. In the sidebar, click Analytics > WAF.

4. Review the information under Requests.

Analytics page in the Customer Portal showing Requests table

5. You can also filter requests to get more granular information about your traffic:

  • Traffic types: View requests grouped by the rule that each request triggered.

  • Policy – Blocked or Policy – Allowed: View requests that triggered our predefined policies.

  • Custom Rule – Blocked or Custom Rule – Allowed: View requests that triggered custom rules created by your account users.

Policy – Blocked and Custom Rule – Blocked are the default filters applied to the table.

To view more information about a request, click the request ID and inspect the Request Details page.

Request details section open from the Analytics page

The screenshot above depicts a request that was blocked because of the SQL injection policy. It blocks requests if there is evidence that the request contains malicious SQL code.

Step 5: Test your WAAP configuration

To achieve the desired WAAP behavior, we recommend that you navigate through your website as both a user and administrator.

Navigating the website will generate entries in the Requests table. You can use this information to determine if you need to create IP allowlist rules or custom WAAP rules for some requests and let them access your website’s content.

Specifically, review requests that relate to:

  • Your origin IP: IP address assigned to your device.
  • Your office IP: IP address assigned to your device within your office's network.
  • Your workstation IP: IP address assigned to a workstation or specific computer in a network.

If you notice that WAAP will block such requests in the protect mode, you need to update your settings to prevent such a situation. You can find detailed instructions on how to update your settings in the following step.

Check out the allow and block IP addresses guide for more information.
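The following is an added example, not part of the Gcore guide or its tooling, showing how a practitioner might triage monitor-mode entries from the Requests table (Steps 4 and 5) before switching to protect mode. The request records and the trusted admin/office networks are constructed sample data; the field names are assumptions, not the portal's export format.

```python
import ipaddress
from collections import defaultdict

# Constructed monitor-mode records (not a real Gcore export). Each mirrors what the
# Requests table shows: request ID, client IP, path, the filter category and the
# policy or custom rule that fired.
SAMPLE_REQUESTS = [
    {"id": "r1", "ip": "203.0.113.10", "path": "/wp-admin/post.php",
     "category": "Policy - Blocked", "rule": "SQL injection"},
    {"id": "r2", "ip": "203.0.113.10", "path": "/wp-admin/admin-ajax.php",
     "category": "Policy - Allowed", "rule": ""},
    {"id": "r3", "ip": "198.51.100.7", "path": "/api/search",
     "category": "Policy - Blocked", "rule": "SQL injection"},
    {"id": "r4", "ip": "192.0.2.44", "path": "/downloads/report.pdf",
     "category": "Custom Rule - Blocked", "rule": "block-pdf"},
    {"id": "r5", "ip": "192.0.2.45", "path": "/",
     "category": "Policy - Allowed", "rule": ""},
]

# Constructed trusted sources from Step 5: admin, office and workstation addresses.
TRUSTED_SOURCES = {
    "admin": ["203.0.113.10/32"],
    "office": ["192.0.2.0/24"],
}


def blocked_requests(records):
    """Records WAAP would block in protect mode (the table's default filters)."""
    return [r for r in records if r["category"].endswith("Blocked")]


def trusted_label(ip, sources):
    """Return which trusted group an IP belongs to, or None."""
    addr = ipaddress.ip_address(ip)
    for label, nets in sources.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return label
    return None


def triage(records, sources):
    """Split would-be blocks into allowlist candidates (trusted IPs, Step 6) and
    paths from other sources to review before adding a Step 2 URL exception."""
    allowlist = defaultdict(list)   # trusted group -> [(ip, rule, path)]
    review_paths = defaultdict(set)  # path -> rules that fired on it
    for r in blocked_requests(records):
        label = trusted_label(r["ip"], sources)
        if label:
            allowlist[label].append((r["ip"], r["rule"], r["path"]))
        else:
            review_paths[r["path"]].add(r["rule"])
    return dict(allowlist), {p: sorted(v) for p, v in review_paths.items()}
```

Requests from an untrusted source that hit a policy such as SQL injection are usually correct blocks; only paths that legitimate users need should become an exception rule.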

Step 6: Allow admins, bots, and CMS

Before you switch WAAP to protect mode, make sure that critical IP addresses, content management systems (CMS), and common automated services are allowed to make successful requests.

Check the WAAP policy groups for a full list of security policies and their detailed overview.

Allow admin IP addresses

If your domain doesn’t use a CMS, we highly recommend allowlisting the site administrator's IP address:

1. In the Gcore Customer Portal, navigate to WAAP > Domains.

Domains page in the Customer Portal

2. Find the needed domain and click its name to open it.

3. In the sidebar, click Firewall.

4. In the Allowed IPs section, click Add IP/IP Range.

Firewall page in the Customer Portal

5. Enter any admin user's public IP address.

6. Click Save.

Repeat these steps if needed.

Allow CMS

If you use content management systems, such as WordPress, allow traffic for CMS admins:

1. In the Gcore Customer Portal, navigate to WAAP > Domains.

2. Find the needed domain and click its name to open it.

3. In the sidebar, click WAAP.

4. On the Policies page, find CMS protection, and then allow traffic for a desired content management system by enabling a toggle next to it.

WAAP policies page with the highlighted CMS protection policy

The WordPress WAF Ruleset is enabled by default.

Allow common automated services

Follow these steps to allow crawlers, scanners, monitoring bots, and similar tools to access your website:

1. In the Gcore Customer Portal, navigate to WAAP > Domains.

2. Find the needed domain and click its name to open it.

3. In the sidebar, click WAAP.

4. On the Policies page, click Common automated services to expand the section and enable the desired bot.

WAAP policies page with the highlighted common automated bots policy

There are a few trusted bots in this section that are allowed by default, which is why we recommend reviewing this list before enabling the protect mode.

Step 7: Enable protect mode

1. In the Gcore Customer Portal, navigate to WAAP > Domains.

2. Find the needed domain and click its name to open it.

3. In the sidebar, click WAAP.

4. In the upper-right corner of the screen, next to WAAP mode, select Protect. WAAP will begin to inspect and act upon incoming requests.

Domains page in the Customer Portal
