Best Practices Guide
This guide covers recommended practices for deploying, configuring, and maintaining AtomicEdge WAF protection to maximize security while minimizing operational friction.
Initial Deployment
Pre-Deployment Planning
Before enabling protection:
Document Current Configuration – Record all DNS records and TTL values – Document origin server IP and port – List all hostnames used by your application – Note any custom headers or special requirements – Identify critical application workflows
Establish Baseline Metrics – Measure current page load times – Document error rates – Record average response times – Note peak traffic periods – Establish availability baseline
Create Rollback Plan – Document original DNS configuration – Verify origin server is accessible independently – Have credentials ready for quick DNS changes – Identify team members authorized to make emergency changes – Set up monitoring for immediate issue detection
Staged Rollout
Deploy protection progressively:
Phase 1: Staging Environment – Set up protection on staging subdomain – Enable all planned rule groups – Test all critical workflows – Identify false positives – Tune configuration before production
Phase 2: Low-TTL Production – Lower DNS TTL to 300 seconds – Wait for TTL to expire globally (2x TTL recommended) – Prepare for rapid rollback if needed
Phase 3: Production Cutover – Change production DNS during low-traffic period – Monitor logs intensively for first hour – Watch for error rate increases – Be ready to revert DNS if major issues occur – Keep team available for first 2-4 hours
Phase 4: Stabilization – Monitor for 24-48 hours before declaring success – Tune rules based on production traffic – Document any disabled rules – Gradually increase DNS TTL after stability confirmed
Testing Procedures
Before production deployment, test:
Functional Testing – User login and authentication – Form submissions (contact, registration, etc.) – File uploads – Search functionality – Shopping cart and checkout (e-commerce) – Admin panel operations – API endpoints
Security Testing – Verify attack patterns are blocked:
# XSS test
curl "https://staging.example.com/?test=<script>alert(1)</script>"
# SQL injection test
curl "https://staging.example.com/?id=1' OR '1'='1"
# Path traversal test
curl "https://staging.example.com/../../../etc/passwd"
Expected result: 403 Forbidden or configured block response
Performance Testing – Measure page load times – Test under load – Compare with pre-protection baseline – Verify acceptable latency
Rule Configuration
Defense in Depth
Use multiple rule groups for layered protection:
Baseline Protection – Enable OWASP Core Rule Set for all sites – Provides broad attack coverage – Well-tested and maintained – Good balance of security and false positives
Application-Specific Rules – Enable WordPress rules for WordPress sites – Consider Comodo rules for additional coverage – Layer complementary rulesets – Each layer catches what others might miss
Custom Tuning – Start with default configuration – Disable rules only when necessary – Document reason for each disabled rule – Re-evaluate disabled rules quarterly
Rule Disabling Strategy
When disabling rules:
Be Specific – Disable individual rule IDs, not entire groups – Document business justification – Note which application functionality requires the exception – Include date and person who disabled the rule
Test Impact – Verify disabling solves the false positive – Confirm security is not overly compromised – Test related functionality still works – Check that similar attacks are still blocked
Documentation Template
Rule ID: 941130
Reason: Blocks legitimate HTML in blog post content
Affected Functionality: Post editor, comments
Disabled By: Security Team
Date: 2024-01-15
Review Date: 2024-04-15
Response Configuration
Choose appropriate response actions:
403 Forbidden – Standard Use – Clear indication of block – Helps legitimate users understand issue – Recommended for most scenarios – Good balance of security and usability
404 Not Found – Stealth Mode – Hides protected resources – Reduces information disclosure – Useful for admin areas – May confuse legitimate users with wrong path
Drop – Aggressive Blocking – Wastes attacker resources – No indication of blocking – May cause user-side timeouts – Use for clearly malicious patterns only
Consider different responses for different paths: – 403 for public areas – 404 for admin areas – Drop for known attack sources
Access Control
IP Whitelisting
Implement origin server protection:
Firewall Configuration – Allow only edge endpoint IPs to origin – Block all other traffic on HTTP/HTTPS ports – Test that direct origin access is blocked – Verify edge traffic still flows
Example iptables rules:
# Allow edge endpoints
iptables -A INPUT -p tcp -s [edge-ip-1] --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -s [edge-ip-1] --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -s [edge-ip-2] --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -s [edge-ip-2] --dport 443 -j ACCEPT
# Drop other HTTP/HTTPS
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
Benefits – Prevents bypassing WAF protection – Forces all traffic through security layer – Reduces attack surface – Simplifies origin security
Admin Area Protection
Use Page Protection for sensitive areas:
Recommended Configuration
Protected Paths:
/wp-admin/
/admin/
/administrator/
/manager/
Whitelist:
[Office IP]
[VPN exit IP]
[Admin home IPs]
Response: 404 Not Found
Maintenance – Update whitelist when team members change – Remove IPs for departed employees – Use VPN for consistent IP addresses – Document each whitelisted IP – Review whitelist quarterly
Rate Limiting
Apply rate limiting to attack-prone endpoints:
Login Endpoints
Path: /wp-login.php
Events per minute: 5
Response: Drop
API Endpoints
Path: /api/
Events per minute: 60
Response: 403
Search Functions
Path: /search
Events per minute: 20
Response: 403
Balance security and usability – legitimate users should not be affected.
Monitoring and Maintenance
Daily Monitoring
Check daily:
- Error rate trends
- New rule triggers
- Attack pattern changes
- Geographic attack distribution
- False positive indicators
Set up dashboard alerts for: – Unusual traffic spikes – High block rates – New attack patterns – Service availability issues
Weekly Review
Review weekly:
- Security log summaries
- Most triggered rules
- Top blocked IPs
- Attack trend analysis
- False positive patterns
Adjust configuration based on patterns: – Disable rules causing repeated false positives – Add persistent attackers to block lists – Update rate limits based on traffic patterns
Monthly Maintenance
Perform monthly:
- Review all disabled rules
- Test if disabled rules are still needed
- Update documentation
- Review whitelist entries
- Check for ruleset updates
- Analyze long-term trends
Quarterly Assessment
Conduct quarterly:
- Full security configuration review
- Test all critical workflows
- Review disabled rule justifications
- Update rollback procedures
- Train team on configuration changes
- Document lessons learned
Security Hardening
Defense in Depth
WAF is one layer – implement additional security:
Application Security – Keep software updated (CMS, plugins, libraries) – Use strong authentication – Enable two-factor authentication – Implement session timeout – Use secure password policies
Network Security – Firewall origin server – Use VPN for administrative access – Segment internal networks – Monitor for intrusion attempts – Implement DDoS protection
Data Security – Encrypt sensitive data at rest – Use HTTPS for all traffic – Regular database backups – Secure backup storage – Test backup restoration
Access Control – Principle of least privilege – Regular access reviews – Revoke unnecessary access – Audit administrative actions – Strong authentication for all accounts
Origin Server Hardening
Secure origin even with WAF protection:
Web Server – Disable unnecessary modules – Remove default content – Hide server version – Configure security headers – Disable directory listing
Application – Validate all input – Use parameterized queries – Implement CSRF protection – Secure session handling – Log security events
System – Keep OS patched – Disable unused services – Configure firewall – Enable audit logging – Monitor system logs
Compliance Considerations
For regulated industries:
Logging Requirements – Retain security logs per compliance requirements – Export logs to SIEM if required – Implement log integrity protection – Document logging procedures
Access Controls – Implement role-based access – Audit administrative actions – Document access policies – Regular access reviews
Change Management – Document all configuration changes – Require approval for production changes – Test in staging first – Maintain change history
Performance Optimization
Origin Server Optimization
Optimize origin to reduce latency:
Caching – Implement application caching – Use opcode caching (PHP OPcache) – Cache database queries – Use object caching (Redis, Memcached)
Database Optimization – Index frequently queried columns – Optimize slow queries – Regular maintenance – Consider read replicas for high traffic
Static Asset Optimization – Minify CSS and JavaScript – Optimize images – Use modern formats (WebP) – Implement lazy loading
Resource Management – Adequate server resources (CPU, RAM) – Monitor resource utilization – Scale resources as needed – Load balance multiple origin servers
Content Delivery
Optimize content delivery:
Compression – Enable gzip/brotli compression – Compress text-based assets – Configure origin to compress responses
Caching Headers – Set appropriate cache headers – Use cache-control directives – Configure ETags – Leverage browser caching
HTTP/2 – Enable HTTP/2 on origin – Optimize for multiplexing – Reduce round trips
Monitoring Performance
Track performance metrics:
Key Metrics – Time to first byte (TTFB) – Page load time – Origin response time – Error rates – Throughput
Baselines – Establish performance baselines – Monitor for degradation – Alert on threshold violations – Investigate anomalies
Optimization Targets – TTFB under 200ms – Page load under 2 seconds – Origin response under 100ms – Error rate under 0.1%
Incident Response
Preparation
Before incidents occur:
Documentation – Emergency contact list – Escalation procedures – Configuration documentation – Rollback procedures – Communication templates
Tools – Access to dashboard – DNS management credentials – Monitoring dashboards – Log analysis tools – Communication channels
Team – Define roles and responsibilities – Ensure 24/7 coverage if needed – Train team members – Run incident drills – Document lessons learned
Attack Response
During active attacks:
Immediate Actions 1. Assess attack scope and impact 2. Review security logs for patterns 3. Enable geographic blocking if applicable 4. Adjust rate limiting for attacked endpoints 5. Consider changing response to “drop”
Short-Term Mitigation 1. Block attacking IPs or ranges 2. Disable rules attackers might exploit (temporarily) 3. Add additional rate limiting 4. Monitor continuously 5. Document attack characteristics
Long-Term Response 1. Analyze attack patterns 2. Update permanent configuration 3. Review why attack succeeded 4. Implement additional protections 4. Update incident response procedures
False Positive Response
When legitimate traffic is blocked:
Immediate 1. Identify affected users/functionality 2. Review logs for trigger pattern 3. Disable specific problematic rule 4. Verify traffic now flows correctly 5. Communicate fix to affected users
Follow-Up 1. Test that false positive is resolved 2. Verify security is not overly reduced 3. Document the exception 4. Schedule review of disabled rule 5. Update testing procedures
Documentation
Maintain Current Documentation
Document:
Configuration – Current rule groups enabled – All disabled rules with reasons – Whitelist entries with descriptions – Rate limiting configuration – Response action settings
Changes – Change history – Reason for each change – Testing performed – Rollback procedures – Known issues
Procedures – Deployment procedures – Testing procedures – Incident response – Escalation paths – Emergency contacts
Architecture – DNS configuration – Origin server details – Network topology – Integration points – Dependencies
Knowledge Transfer
Ensure team knowledge:
Training – Train new team members – Document common tasks – Provide dashboard walk-through – Review incident procedures – Update training materials
Documentation Location – Centralize documentation – Keep it version controlled – Make it accessible – Regular reviews – Update after changes
Continuous Improvement
Regular Assessment
Periodically assess:
Security Posture – Attack blocking effectiveness – False positive rate – Configuration completeness – Coverage of critical assets – Incident response readiness
Performance – Latency impact – Throughput – Error rates – Resource utilization – User experience
Operations – Configuration complexity – Maintenance burden – Team expertise – Documentation quality – Process efficiency
Stay Current
Keep protection current:
Rule Updates – Monitor for ruleset updates – Test updates in staging – Deploy updates regularly – Document update procedures
Threat Intelligence – Follow security advisories – Monitor for new attack patterns – Update configuration for new threats – Participate in security community
Technology Updates – Keep origin software current – Update monitoring tools – Leverage new features – Optimize configuration
By following these best practices, you maintain strong security posture while minimizing operational overhead and ensuring legitimate traffic flows smoothly.