Getting Started Guide

This guide walks through setting up AtomicEdge WAF protection for your website, from initial account setup through verifying protection is active.

Overview

AtomicEdge provides web application firewall protection by routing your traffic through distributed edge endpoints. The setup process involves:

  1. Creating an account and adding your site
  2. Configuring DNS to route traffic through protection
  3. Enabling and configuring WAF rules
  4. Testing that protection is working
  5. Monitoring and tuning for your application

Expected setup time: 30-60 minutes for initial configuration, plus DNS propagation time.

Prerequisites

Before starting, ensure you have:

  • Domain name for your website
  • Access to DNS management for your domain
  • Origin server IP address
  • Administrative access to your web server
  • Testing tools (web browser, curl, or similar)

Step 1: Create Account

Sign Up

Visit the AtomicEdge dashboard and create an account:

  1. Provide email address
  2. Choose a strong password
  3. Verify email address
  4. Complete account setup

Choose Plan

Select a plan based on your needs:

  • Number of protected sites
  • Traffic volume
  • Required features
  • Support level

You can upgrade or downgrade plans as your needs change.

Step 2: Add Your Site

Create Site Configuration

In the dashboard:

  1. Click “Add Site” or “New Site”
  2. Enter your domain name (example.com)
  3. Enter origin server IP address
  4. Select backend protocol (HTTP or HTTPS)
  5. Configure backend port (typically 80 or 443)
  6. Save configuration

Important: Use the actual IP address of your origin server, not a domain name.

Note Edge Endpoint Information

After creating the site, you’ll receive:

  • Edge endpoint IP address(es)
  • SSL certificate provisioning status
  • Configuration deployment status

Note these for DNS configuration.

Step 3: Configure DNS

Lower TTL (Preparation)

Before changing DNS:

  1. Access your DNS provider
  2. Find your domain’s A record
  3. Lower TTL to 300 seconds (5 minutes)
  4. Wait for 2x the old TTL (if TTL was 3600, wait 2 hours)

This enables quick rollback if needed.

Update DNS Records

Change your domain’s A record:

Previous Configuration:

Type: A
Name: @
Value: [your-origin-ip]
TTL: 3600

New Configuration:

Type: A
Name: @
Value: [provided-edge-ip]
TTL: 300

If using www subdomain:

Type: A
Name: www
Value: [provided-edge-ip]
TTL: 300

Save DNS changes.

Verify DNS Propagation

Wait 5-30 minutes for DNS propagation, then verify:

dig example.com A +short

Expected output: Edge endpoint IP (not your origin IP)

Test from multiple DNS servers:

dig @8.8.8.8 example.com A +short
dig @1.1.1.1 example.com A +short

Step 4: Verify SSL Certificate

Certificate Provisioning

SSL certificates are provisioned automatically after DNS is configured:

  1. DNS must point to edge endpoint
  2. Port 80 must be accessible
  3. Certificate issuance takes 1-5 minutes

Check certificate status in dashboard.

Test HTTPS

Once certificate is issued:

curl -I https://example.com

Expected result: 200 OK or appropriate status code for your homepage.

Browser test: Visit https://example.com and verify no certificate warnings.

Step 5: Configure WAF Protection

Enable Rule Groups

In site settings under WAF Protection:

For Most Sites:

  • Enable OWASP Core Rule Set
  • Response: 403 Forbidden

For WordPress Sites:

  • Enable OWASP Core Rule Set
  • Enable WordPress Rule Set
  • Response: 403 Forbidden

For Enhanced Protection:

  • Enable OWASP Core Rule Set
  • Enable WordPress Rule Set (if applicable)
  • Enable Comodo Rule Set
  • Response: 403 Forbidden

Save configuration. Deployment takes 30-60 seconds.

Step 6: Test Protection

Verify Site Loads

Test that your site loads normally:

curl -I https://example.com

Expected result: Your site loads correctly with normal status codes.

Browser test: Navigate your site and verify all pages load.

Test Critical Functionality

Test important site features:

  • User login
  • Form submissions
  • Search functionality
  • Shopping cart (if applicable)
  • Admin panel access

Ensure everything works correctly.

Test WAF Blocking

Verify protection is active by testing known attack patterns:

XSS Test:

curl -I "https://example.com/?test=<script>alert(1)</script>"

Expected result: 403 Forbidden

SQL Injection Test:

curl -I "https://example.com/?id=1'%20OR%20'1'='1"

The spaces are percent-encoded so that curl sends a well-formed URL.

Expected result: 403 Forbidden

Path Traversal Test:

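curl -I --path-as-is "https://example.com/../../../etc/passwd"

The --path-as-is flag stops curl from collapsing the ../ segments before it sends the request.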

Expected result: 403 Forbidden

If these tests return 200 OK, protection may not be active. Verify DNS and configuration.
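
The checks in this step can be scripted so the result is unambiguous. The following is an added example, not part of the AtomicEdge tooling: it replays the probes above next to a benign request and classifies the outcome. The verdict names are this example's own, and it assumes the 403 response configured in Step 5.

```shell
#!/bin/sh
# Added example: replay the guide's probes and classify the outcome.
# Verdict names are this example's own; assumes the WAF answers blocks with 403.

# HTTP status of a HEAD request to $1 ("000" when the connection fails).
status_of() {
    code=$(curl -s -o /dev/null -I --path-as-is --max-time 10 -w '%{http_code}' "$1") || true
    echo "${code:-000}"
}

# $1 = status of a benign request, remaining args = statuses of the probes.
classify() {
    baseline=$1
    shift
    [ "$#" -gt 0 ] || { echo "no-probes"; return; }
    case $baseline in
        000) echo "unreachable"; return ;;
        403) echo "everything-blocked"; return ;;   # see "Everything Blocked"
    esac
    blocked=0
    for s in "$@"; do
        if [ "$s" = 403 ]; then blocked=$((blocked + 1)); fi
    done
    if [ "$blocked" -eq "$#" ]; then
        echo "waf-active"
    elif [ "$blocked" -eq 0 ]; then
        echo "not-blocking"     # verify DNS and rule group configuration
    else
        echo "partial"          # some probes passed: review enabled rule groups
    fi
}

run_smoke_test() {
    site=${1%/}
    base=$(status_of "$site/")
    xss=$(status_of "$site/?test=<script>alert(1)</script>")
    sqli=$(status_of "$site/?id=1'%20OR%20'1'='1")
    trav=$(status_of "$site/../../../etc/passwd")
    echo "baseline=$base xss=$xss sqli=$sqli traversal=$trav" >&2
    classify "$base" "$xss" "$sqli" "$trav"
}

# Network access happens only when a site URL is passed as the first argument.
if [ "$#" -gt 0 ]; then
    run_smoke_test "$1"
fi
```

Run it against your own site after each rule change; anything other than waf-active is worth a look in the security logs.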

Step 7: Monitor and Tune

Initial Monitoring

Monitor closely for the first 24-48 hours:

  1. Check security logs for blocked attacks
  2. Watch for false positive indicators
  3. Monitor error rates
  4. Check performance metrics
  5. Verify legitimate traffic flows

Review Security Logs

In the dashboard Logs section:

  • View blocked attack attempts
  • Identify attack types and sources
  • Analyze attack patterns
  • Export logs for analysis

Handle False Positives

If legitimate traffic is blocked:

  1. Identify blocked requests in logs
  2. Note the rule ID causing the block
  3. Navigate to site WAF settings
  4. Add rule ID to disabled rules list
  5. Test that operation now succeeds
  6. Document why rule was disabled

Step 8: Additional Features

Rate Limiting

Protect login and API endpoints:

  1. Enable Rate Limiting feature
  2. Configure events per minute threshold
  3. Add protected paths (/wp-login.php, /api/, etc.)
  4. Test that legitimate use works
  5. Verify excessive requests are blocked

Page Protection

Restrict admin area access:

  1. Enable Page Protection feature
  2. Add protected paths (/wp-admin/, /admin/)
  3. Add authorized IP addresses to whitelist
  4. Test access from allowed IPs
  5. Verify access is blocked from other IPs

Geographic Blocking

Block traffic from specific countries:

  1. Enable Geographic Blocking feature
  2. Select countries to block
  3. Test access from blocked regions (using VPN)
  4. Monitor logs for blocked attempts

Bot Protection

Block AI scrapers and malicious bots:

  1. Enable Bot Protection feature
  2. Configure response action (403, 404, drop)
  3. Verify legitimate bots (search engines) still have access
  4. Test that scrapers are blocked

Step 9: Origin Server Protection

Firewall Configuration

Restrict origin server to accept only edge traffic:

Linux iptables:

# Allow edge endpoints
iptables -A INPUT -p tcp -s [edge-ip] --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -s [edge-ip] --dport 443 -j ACCEPT

# Drop other HTTP/HTTPS
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

# Save rules
iptables-save > /etc/iptables/rules.v4

Nginx:

allow [edge-ip];
deny all;

Apache:

<Directory /var/www>
    # Apache 2.4 syntax; Order/Deny/Allow is the 2.2 form and needs mod_access_compat
    Require ip [edge-ip]
</Directory>

Test that direct origin access is blocked:

curl -I http://[origin-ip]/

Expected result: Connection refused or timeout. If only the Nginx or Apache rule is in place, the origin answers with 403 Forbidden instead.

Verify edge traffic still flows:

curl -I https://example.com/

Expected result: Site loads normally.
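
When several edge endpoint IPs are issued, or the list changes later, appending rules to INPUT becomes fragile: an ACCEPT added after the DROP lines never matches. The following added example (not AtomicEdge's own tooling) generates the same policy in a dedicated chain that can be rebuilt at any time. The chain name EDGE_ONLY and the 203.0.113.x addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: keep the origin allow-list in its own chain so it can be
# regenerated whenever the edge endpoint list changes.
# EDGE_ONLY and the sample addresses are placeholders, not AtomicEdge values.

# Accept dotted-quad IPv4 addresses, optionally with a /prefix length.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    for octet in $(echo "${1%%/*}" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the commands for the given edge IPs; review, then pipe to sh as root.
emit_origin_rules() {
    [ "$#" -gt 0 ] || { echo "no edge IPs given" >&2; return 1; }
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    done
    # Create the chain, or empty it if it already exists.
    echo "iptables -N EDGE_ONLY 2>/dev/null || iptables -F EDGE_ONLY"
    for ip in "$@"; do
        echo "iptables -A EDGE_ONLY -s $ip -j ACCEPT"
    done
    echo "iptables -A EDGE_ONLY -j DROP"
    # Hook the chain into INPUT once, ahead of broader ACCEPT rules.
    # Loopback is excluded so local health checks keep working.
    match="! -i lo -p tcp -m multiport --dports 80,443 -j EDGE_ONLY"
    echo "iptables -C INPUT $match 2>/dev/null || iptables -I INPUT 1 $match"
}

# Note: between the flush and the final DROP the chain is briefly permissive;
# load the same rules with iptables-restore if you need an atomic swap.

# Example: ./origin-rules.sh 203.0.113.10 203.0.113.11 | sudo sh
if [ "$#" -gt 0 ]; then
    emit_origin_rules "$@"
fi
```

These rules cover IPv4 only; if the origin also listens on IPv6, apply the equivalent policy with ip6tables.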

Step 10: Increase DNS TTL

Finalize DNS Configuration

After 24-48 hours of stable operation:

  1. Access DNS management
  2. Increase TTL to 3600 (1 hour) or 86400 (24 hours)
  3. Save changes

Higher TTL reduces DNS query load but increases rollback time if needed.

Common First-Time Issues

Site Not Loading

Symptom: Site times out or shows errors after DNS change.

Check:

  • Verify DNS points to edge endpoint
  • Confirm origin server is running
  • Check backend IP in site settings
  • Verify origin firewall allows edge IPs

Solution: Review DNS configuration and origin connectivity.

Certificate Errors

Symptom: Browser shows SSL warnings.

Check:

  • DNS points to edge endpoint
  • Port 80 is accessible
  • Wait 5 minutes for issuance

Solution: Verify DNS and wait for certificate provisioning.

Everything Blocked

Symptom: All traffic returns 403, including homepage.

Check:

  • Review security logs
  • Check rule configuration
  • Verify no overly aggressive settings

Solution: Disable problematic rules temporarily, identify issue, tune configuration.

Some Features Don’t Work

Symptom: Login, forms, or other features fail.

Check:

  • Check security logs for blocks
  • Test specific functionality
  • Identify triggered rules

Solution: Disable rules blocking legitimate operations, test, document exceptions.

Next Steps

Documentation

Document your configuration:

  • DNS settings
  • Edge endpoint IPs
  • Origin server details
  • Disabled rules and reasons
  • Whitelist entries
  • Custom configurations

Monitoring

Set up ongoing monitoring:

  • Dashboard alerts
  • Log review schedule
  • Performance metrics
  • Security metrics

Maintenance

Plan regular maintenance:

  • Weekly log review
  • Monthly configuration review
  • Quarterly security assessment
  • Rule tuning as needed

Training

Ensure team is prepared:

  • Dashboard access and training
  • Incident response procedures
  • Escalation paths
  • Emergency contacts

Support Resources

Documentation

  • Dashboard documentation
  • Configuration guides
  • Troubleshooting guides
  • Best practices

Tools

  • Security log analysis
  • Performance monitoring
  • Configuration examples
  • Testing tools

Support

  • Email support
  • Documentation resources
  • Community forum
  • Emergency contact

Success Checklist

Before considering setup complete:

  • [ ] Site loads correctly via HTTPS
  • [ ] SSL certificate has no warnings
  • [ ] Critical functionality tested and working
  • [ ] Attack tests show blocking is active
  • [ ] Security logs show traffic flowing
  • [ ] False positives identified and resolved
  • [ ] Origin server firewall configured
  • [ ] Rate limiting configured (if applicable)
  • [ ] Admin area protection configured (if applicable)
  • [ ] Documentation completed
  • [ ] Team trained on dashboard
  • [ ] Monitoring established
  • [ ] DNS TTL increased after stability

Once complete, your site is protected by AtomicEdge WAF. Monitor regularly and tune configuration as your application evolves.

Additional Scenarios

WordPress Setup

For WordPress sites:

  1. Follow standard setup steps above
  2. Enable WordPress Rule Set
  3. Test admin panel login
  4. Test post/page editing
  5. Test plugin operations
  6. Configure rate limiting for wp-login.php
  7. Consider admin area IP restriction

See WordPress Integration Guide for details.

API Protection

For API-driven applications:

  1. Follow standard setup steps above
  2. Test API endpoints thoroughly
  3. Configure rate limiting for API paths
  4. Disable rules blocking legitimate API patterns
  5. Test authentication flows
  6. Monitor API error rates

E-Commerce Setup

For online stores:

  1. Follow standard setup steps above
  2. Test checkout process completely
  3. Test payment processing
  4. Verify cart operations
  5. Test coupon/discount codes
  6. Configure rate limiting for login
  7. Test high-traffic scenarios

Conclusion

AtomicEdge WAF protection provides strong security with minimal operational overhead. Following this guide establishes a solid baseline configuration. Continue monitoring and tuning to optimize protection for your specific application needs.

For questions or issues during setup, consult the troubleshooting guide or contact support.