
How to set up firewall rules?

VNIS gives users a way to filter HTTP requests using customized firewall rules.

To set up firewall rules, navigate to 'Origin Shield' > 'Firewall rules'.

You need to set the target domain from the 'Operation level panel'.

First, click the 'Add rule' button, then follow the two simple steps to set up firewall rules.

Step 1: Set up firewall rule conditions

First, enter a rule name. Then you can specify the field, operator, and their corresponding values.

![Figure Needed: Screenshot showing firewall rule condition setup interface with field, operator, and value fields]

The 'Operator' defines how the field and value in the actual user request relate to the field and value set in the rule. When the two match, the response defined in the firewall action (e.g. Pass, Block, Challenge, etc.) is executed. 'Filter value' and 'Value' specify the value in the header or URI path that you wish to apply the firewall protection to.

The table below specifies the possible input values for the filter value, operator, and value, in a specified field.

| Field | Filter value | Operator | Value |
|---|---|---|---|
| Parameter in REQUEST/GET/POST | Parameter name | Check this article | Parameter value |
| Any parameter in REQUEST/GET/POST | n/a | Check this article | Parameter value |
| # of parameters in REQUEST/GET/POST | Parameter name | =, >=, >, < | Integer |
| # of all parameters in REQUEST/GET/POST | n/a | =, >=, >, < | Integer |
| Parameter name in REQUEST/GET/POST | n/a | Check this article | Parameter name |
| # of parameter names in REQUEST | n/a | =, >=, >, < | Integer |
| Method in REQUEST | n/a | Check this article | Method |
| Header in REQUEST | Header name | Check this article | Header value |
| Any header in REQUEST | n/a | Check this article | Header value |
| # of header in REQUEST | Header name | =, >=, >, < | Integer |
| # of all headers in REQUEST | n/a | =, >=, >, < | Integer |
| Header name in REQUEST | n/a | Check this article | Header name |
| URI in REQUEST w/ query string | n/a | Check this article | URI value |
| URI in REQUEST w/o query string | n/a | Check this article | URI value |
| Geo location | n/a | Include, exclude | Country |

Field and operator definitions:

  • REQUEST means request from any methods, i.e. it can be a GET request, POST request, PUT request, etc.
  • GET (or POST) specifically means a GET (or POST) request (not just any request method).
  • = means equal, >= means not equal, > means greater than, and < means less than.
  • Include and exclude mean what they say, i.e. to include and to exclude.

Filter value and value definitions:

  • Parameter is what comes after "?" in a URL. Given a parameter: color=blue, the parameter name is "color", and the parameter value is "blue".
  • Method means request method, e.g. GET, POST, PUT, DELETE, CONNECT, etc.
  • There are 3 kinds of headers: General headers, Request headers, and Response headers. Header name/value in REQUEST means a "header name: header value" pair in the request headers, e.g. host: developer.mozilla.org, user-agent: Mozilla/5.0, accept: application/xhtml+xml, etc.
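
To make the field definitions concrete, the following added example (not VNIS code) parses one constructed request and derives the values the table's fields refer to. How VNIS itself counts repeated names is not stated on this page; the counting here, where each occurrence counts once, is an assumption, and the request, host and addresses are made up.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample request for illustration only.
RAW_REQUEST = (
    "GET /shop/items?color=blue&color=red&size=m HTTP/1.1\r\n"
    "Host: shop.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept: application/xhtml+xml\r\n"
    "X-Forwarded-For: 203.0.113.7\r\n"
    "X-Forwarded-For: 198.51.100.9\r\n"
    "\r\n"
)

def rule_fields(raw):
    """Derive the values the table's fields refer to from one raw request."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _version = head[0].split(" ", 2)
    # Keep duplicates: repeated names matter for the "# of ..." fields.
    # Header names are case-insensitive, so they are lowercased.
    headers = [(n.strip().lower(), v.strip())
               for n, v in (line.split(":", 1) for line in head[1:])]
    url = urlsplit(target)
    # Parameters are what follows "?" in the URL (query string only).
    params = parse_qsl(url.query, keep_blank_values=True)
    return {
        "method": method,                      # Method in REQUEST
        "uri_with_query": target,              # URI w/ query string
        "uri_without_query": url.path,         # URI w/o query string
        "params": params,                      # (name, value) pairs
        "param_names": sorted({n for n, _ in params}),
        "headers": headers,                    # (name, value) pairs
        "header_names": sorted({n for n, _ in headers}),
    }

def count_named(pairs, name):
    """'# of parameters/headers' with a filter value: occurrences of one name."""
    return sum(1 for n, _ in pairs if n == name)

if __name__ == "__main__":
    f = rule_fields(RAW_REQUEST)
    print("# of parameters 'color':", count_named(f["params"], "color"))
    print("# of all parameters:", len(f["params"]))
    print("# of header 'x-forwarded-for':",
          count_named(f["headers"], "x-forwarded-for"))
```

A repeated parameter or header, as in this sample, is the case the "# of parameters" and "# of header" fields with a name as filter value are able to match.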

You can add more conditions by pressing the '+' button. You can also delete a condition by pressing the 'Trash' icon on the right-hand side of the condition.

You can see the summary description of the conditions you created as shown by the 'Hand pointer' icon.

Step 2: Set up firewall rule actions

A specific action will be executed when the user request matches the condition/s you set above.

You can set the specific actions by choosing one of the following: Block, Pass, Rate-Limit, Block & Redirect, and Challenge.

![Figure Needed: Screenshot showing firewall action selection dropdown with Block, Pass, Rate-Limit, Block & Redirect, and Challenge options]

  • Block: VNIS will block the request when the condition/s are met.
  • Pass: VNIS will allow the request to pass when the condition/s are met.
  • Rate-Limit: VNIS will initiate the rate-limit method when the condition/s are met. You can set the maximum allowed number of queries per minute, and the block time. The block time is the amount of time that queries will be blocked if they exceed the maximum number of queries per minute.
  • Block & Redirect: VNIS will block and redirect the request when the conditions are met. You can set the redirect status (30x), and the link, which is the URL you want to redirect the request to.
  • Challenge: VNIS will initiate the challenge method when the condition/s are met. You can set the challenge mode and the challenge passage. Challenge passage means the time before a user has to be challenged again, while challenge mode can be one of:
    • Browser-based (no delay): will initiate a JS challenge, which will trace whether the request was sent by a bot or not, before performing the request.
    • Browser-based (standard): will initiate a JS challenge, which will redirect the request to a timer page set for 5 seconds, before performing the request.
    • Human-based: will initiate a CAPTCHA challenge, which redirects the request to a test page where users have to take the "I am not a robot" test, before performing the request.
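
To show how the two Rate-Limit settings interact, the following added example (a model, not VNIS code) replays constructed request timestamps through a rule with a maximum per minute and a block time. It assumes a fixed 60-second window per client; the page does not say how VNIS measures the minute or identifies a client, and the class and function names are hypothetical.

```python
class RateLimitRule:
    """Model of the Rate-Limit action: max queries per minute + block time.

    Assumption: fixed 60-second window, counted per client identifier.
    """

    def __init__(self, max_per_minute, block_seconds):
        self.max_per_minute = max_per_minute
        self.block_seconds = block_seconds
        self.window = {}         # client -> (window_start, count)
        self.blocked_until = {}  # client -> time at which the block ends

    def decide(self, client, now):
        # While the block time is running, every query is blocked.
        if now < self.blocked_until.get(client, 0):
            return "block"
        start, count = self.window.get(client, (now, 0))
        if now - start >= 60:    # the minute is over: start a new window
            start, count = now, 0
        count += 1
        self.window[client] = (start, count)
        if count > self.max_per_minute:
            # Limit exceeded: start the block time and reset the counter.
            self.blocked_until[client] = now + self.block_seconds
            self.window.pop(client)
            return "block"
        return "pass"


def replay(rule, events):
    """events: (timestamp_seconds, client) tuples in time order."""
    return [rule.decide(client, t) for t, client in events]


# Constructed traffic: client "A" bursts, client "B" stays under the limit.
SAMPLE_EVENTS = [(0, "A"), (1, "A"), (2, "A"), (2, "B"),
                 (3, "A"), (60, "A"), (123, "A")]

if __name__ == "__main__":
    rule = RateLimitRule(max_per_minute=3, block_seconds=120)
    for event, verdict in zip(SAMPLE_EVENTS, replay(rule, SAMPLE_EVENTS)):
        print(event, verdict)
```

With a block time longer than one minute, client "A" is still blocked at t=60 even though a new minute has started, and is let through again only once the 120 seconds have elapsed.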

After you finish setting the conditions and action, click the 'Create' button to create the firewall rule.