Intrusion attacks such as SQL injection, cross-site scripting (XSS), code execution, carriage return line feed (CRLF) injection, remote file inclusion (RFI), and webshells pose high risks but are usually difficult to detect by using custom rules and rate limiting rules. To address this issue, Edge Security Acceleration (ESA) offers built-in intelligent managed rules to defend against OWASP attacks and the latest origin vulnerabilities. You can enable protection against various types of attacks without manual configurations and updates.
Enable managed rules
You can enable a managed ruleset to protect your websites on ESA.
In the ESA console, choose Websites and click the website name you want to manage.
In the left-side navigation pane of the website details page, choose Security > WAF. On the WAF page, click the Managed Rules tab.
In the Recommended Ruleset section on the Managed Rules tab, click Enable to enable the managed ruleset to protect your website from intrusion attacks and vulnerabilities.
Edit managed rules
After you enable the Recommended Ruleset, you can perform the following steps to edit the managed ruleset:
In the ESA console, choose Websites and click the website name you want to manage.
In the left-side navigation pane of the website details page, choose Security > WAF > Managed Rules. On the Managed Rules tab, click Edit in the Actions column.
For how to configure expressions for Filtered Requests, see Work with rules.
Select a protection level by referring to Protection levels and select an action by referring to Actions. Click OK.
Delete managed rules
You can perform the following steps to delete the managed ruleset:
In the ESA console, choose Websites and click the website name you want to manage.
In the left-side navigation pane of the website details page, choose Security > WAF. On the WAF page, click the Managed Rules tab. On the Managed Rules tab, click Delete in the Actions column.
Availability
The Entrance plan supports only 27 default basic protection rules and does not support rules such as XSS, SQL injection, cross-site request forgery, RFI, protocol non-compliance, webshell attacks, path traversal, deserialization, and expression injection.
| Item | Entrance | Pro | Premium | Enterprise |
| --- | --- | --- | --- | --- |
| Managed rules | Supports basic rules | Supports all rules | Supports all rules | Supports all rules |
All rules
Basic protection rules
Basic protection rules can defend against several zero-day vulnerabilities and common attacks, providing the most basic protection capabilities.
SQL injection
SQL injection is an attack in which malicious SQL code is inserted into entry fields for execution. This attack exploits an application's lack of input validation, which may lead to data breach and unauthorized deletion or modification of data in databases.
XSS
XSS occurs when an attacker inserts malicious scripts into a web page, causing the browser to execute them, usually for the purpose of stealing user information, such as cookies, or injecting malicious code. XSS attacks are classified into reflected XSS, stored XSS, and DOM XSS.
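As an added example (not part of the ESA documentation), the following Python snippet shows the origin-side defence that the reflected and stored XSS rules complement: output encoding of untrusted values with the standard html module. Both the rendering functions and the sample inputs are constructed for the demo.

```python
import html


def render_comment_unsafe(author: str, body: str) -> str:
    """Vulnerable: untrusted strings are concatenated straight into markup, so
    any '<', '>' or quote characters they contain become live HTML."""
    return f'<div class="comment" data-author="{author}"><p>{body}</p></div>'


def render_comment_safe(author: str, body: str) -> str:
    """Hardened: HTML-encode every untrusted value at the point it is written
    into the page. quote=True also encodes quote characters, which is what
    stops a value from closing the attribute it sits in."""
    safe_author = html.escape(author, quote=True)
    safe_body = html.escape(body, quote=True)
    return f'<div class="comment" data-author="{safe_author}"><p>{safe_body}</p></div>'


if __name__ == "__main__":
    # Constructed inputs of the kinds an XSS rule matches: a script tag in the
    # element body and a quote-plus-event-handler aimed at the attribute.
    print(render_comment_unsafe("guest", "<script>alert(1)</script>"))
    print(render_comment_safe("guest", "<script>alert(1)</script>"))
    print(render_comment_safe('x" onmouseover="y', "hello"))
```

The encoder must match the context: html.escape is correct for element bodies and quoted attribute values, but values written into JavaScript, CSS or URLs need the encoder for that context, and DOM XSS is not addressed by server-side encoding at all.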
Code execution
A remote code execution (RCE) attack allows an attacker to run code on a target system, usually through vulnerability exploitation, upload of malicious files, or code injection. RCE attacks are a serious threat.
CRLF
CRLF injection occurs when an attacker inserts carriage return and line feed characters to manipulate HTTP response headers. Attackers can use this vulnerability to execute XSS or HTTP response splitting.
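The header manipulation described above comes down to a few control bytes. As an added example (not from the ESA documentation), the Python code below builds a redirect response by raw concatenation and then with a header setter that rejects CR, LF and NUL, the same class of check that a CRLF rule performs on request parameters at the edge. The response builder and the injected value are constructed for the demo.

```python
import re

# Bytes that terminate or corrupt a header line: CR, LF and NUL. Python's own
# http.client applies a comparable check before it sends a header.
_ILLEGAL = re.compile(r"[\r\n\x00]")


class HeaderInjectionError(ValueError):
    """Raised when an untrusted value would start a new header line."""


def set_header(headers: dict, name: str, value: str) -> dict:
    """Hardened: reject (rather than silently strip) control characters in both
    the header name and the value, so the caller learns that input was hostile."""
    if _ILLEGAL.search(name) or _ILLEGAL.search(value):
        raise HeaderInjectionError(f"illegal control characters in header {name!r}")
    headers[name] = value
    return headers


def build_response_unsafe(redirect_to: str) -> bytes:
    """Vulnerable: the untrusted value is pasted into the raw response, so a
    CR LF pair inside it ends the Location header and begins another."""
    return f"HTTP/1.1 302 Found\r\nLocation: {redirect_to}\r\n\r\n".encode()


def build_response_safe(redirect_to: str) -> bytes:
    """Hardened: every header passes through set_header before serialization."""
    headers = set_header({}, "Location", redirect_to)
    lines = ["HTTP/1.1 302 Found"] + [f"{k}: {v}" for k, v in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def header_count(raw: bytes) -> int:
    """Number of header lines in a raw response (status line excluded)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    return len(head.split(b"\r\n")) - 1


if __name__ == "__main__":
    # Constructed redirect target carrying an embedded CR LF and a second header.
    hostile = "/home\r\nX-Injected: 1"
    print(build_response_unsafe(hostile))   # two headers where one was intended
    try:
        build_response_safe(hostile)
    except HeaderInjectionError as exc:
        print("rejected:", exc)
```

Rejecting is preferable to stripping: a stripped value may still be a valid but different redirect target, and a rejection is the event you want to see in your logs.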
Local file inclusion
In a local file inclusion (LFI) attack, an attacker exploits a vulnerability in an application to include local files on a server by providing malicious paths. LFI attacks can expose sensitive information, and in severe cases, lead to remote code execution.
RFI
An RFI attack allows an attacker to include a remote malicious file in an application by providing an external URL. Similar to LFI, RFI attacks can lead to malicious code execution.
Webshell
A webshell is a web-based script or tool that attackers usually upload to compromised servers. It allows them to remotely control the servers through a web interface, for example to execute commands and manage files.
OS command injection
In operating system (OS) command injection, malicious OS commands are embedded in input to the program so that the server executes them.
Expression injection
Expression injection attacks embed malicious expressions in input and cause unauthorized code execution.
Java deserialization
Java deserialization attacks cause unauthorized code execution by deserializing malicious objects.
PHP deserialization
PHP deserialization attacks cause unauthorized code execution by deserializing malicious objects.
SSRF
Server-side request forgery (SSRF) allows an attacker to induce the server to send HTTP requests to an unintended destination.
Path traversal
Path traversal attacks occur when an attacker is able to access files and directories that are outside of the intended scope by injecting relative paths (such as ../).
Arbitrary file upload
In an arbitrary file upload attack, an attacker uploads malicious files and causes the server to execute them.
.NET deserialization
Deserialization is the process of converting data from a serialized format, such as JSON, XML, or binary, back into an object. In .NET applications, unsafe deserialization can lead to arbitrary code execution: if an attacker controls the data being deserialized, they may be able to inject malicious data and execute arbitrary code.
Scanning behavior
Scanning behavior refers to the behavior and features of web application scanners. These tools automatically scan web applications for potential security vulnerabilities: they generate and send a large number of requests and analyze the application's responses to locate common vulnerabilities such as SQL injection and cross-site scripting (XSS).
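The "large number of requests" is also what makes scanning detectable at the origin. As an added example (not from the ESA documentation, and not how ESA's own rule is implemented), the Python code below runs a simple heuristic over access-log lines: within a time window, a client that sends many requests, almost all to distinct paths, and mostly receives 403/404, looks like a scanner walking a wordlist rather than a browser fetching a page and its assets. The log lines, addresses (documentation ranges) and thresholds are all constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log sample in Combined Log Format. 198.51.100.23 behaves like a
# scanner (many distinct probes, mostly 404); 203.0.113.7 is ordinary browsing.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 5120 "-" "scanner/1.0"
198.51.100.23 - - [10/Oct/2023:13:55:41 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "scanner/1.0"
198.51.100.23 - - [10/Oct/2023:13:55:41 +0000] "GET /admin/ HTTP/1.1" 404 153 "-" "scanner/1.0"
198.51.100.23 - - [10/Oct/2023:13:55:42 +0000] "GET /backup.zip HTTP/1.1" 404 153 "-" "scanner/1.0"
198.51.100.23 - - [10/Oct/2023:13:55:42 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "scanner/1.0"
198.51.100.23 - - [10/Oct/2023:13:55:43 +0000] "GET /config.php.bak HTTP/1.1" 404 153 "-" "scanner/1.0"
198.51.100.23 - - [10/Oct/2023:13:55:43 +0000] "GET /phpinfo.php HTTP/1.1" 404 153 "-" "scanner/1.0"
198.51.100.23 - - [10/Oct/2023:13:55:44 +0000] "GET /old/ HTTP/1.1" 404 153 "-" "scanner/1.0"
198.51.100.23 - - [10/Oct/2023:13:55:44 +0000] "GET /test.php HTTP/1.1" 404 153 "-" "scanner/1.0"
198.51.100.23 - - [10/Oct/2023:13:55:45 +0000] "GET /console/ HTTP/1.1" 404 153 "-" "scanner/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:50 +0000] "GET /static/app.js HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /about HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:09 +0000] "GET /missing-page HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) \S+"
)


def parse_log(text: str) -> list:
    """Parse Combined Log Format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        records.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "path": m["path"],
            "status": int(m["status"]),
        })
    return records


def find_scanners(text: str, window: timedelta = timedelta(seconds=60),
                  min_requests: int = 8, min_error_rate: float = 0.6,
                  min_distinct_ratio: float = 0.8) -> dict:
    """Flag clients that, within `window`, send at least `min_requests` requests
    where most responses are 403/404 and almost every path is different."""
    per_client = defaultdict(list)
    for rec in parse_log(text):
        per_client[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in per_client.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it spans at most `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start:end + 1]
            if len(win) < min_requests:
                continue
            error_rate = sum(r["status"] in (403, 404) for r in win) / len(win)
            distinct_ratio = len({r["path"] for r in win}) / len(win)
            if error_rate >= min_error_rate and distinct_ratio >= min_distinct_ratio:
                stats = {"requests": len(win), "error_rate": round(error_rate, 2),
                         "distinct_ratio": round(distinct_ratio, 2)}
                # Keep the largest qualifying window per client for reporting.
                if ip not in flagged or stats["requests"] > flagged[ip]["requests"]:
                    flagged[ip] = stats
    return flagged


if __name__ == "__main__":
    for ip, stats in find_scanners(SAMPLE_LOG).items():
        print(ip, stats)
```

Tune the thresholds against your own traffic before alerting on them: a site with many broken links or a crawler indexing a large catalogue can produce high 404 and distinct-path ratios legitimately, which is why the user agent and the requested paths are usually reviewed alongside the numbers.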
Business logic vulnerability
A business logic flaw is a vulnerability that arises from the improper implementation or design of an application's workflow. These vulnerabilities are not mitigated by input validation and output encoding. Instead, they can enable an attacker to gain unauthorized access or engage in other malicious activities by manipulating the application's normal workflow.
Arbitrary file read
Arbitrary file read allows any user to read any file on the system, typically via the file path parameter in an HTTP request. This vulnerability can allow an attacker to access sensitive information such as configuration files, credentials, and personal data.
Arbitrary file download
Similar to arbitrary file read, an arbitrary file download vulnerability allows any user to download arbitrary files on the system. This vulnerability can lead to the disclosure of sensitive information or even allow an attacker to obtain a full backup of the system for offline analysis.
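Local file inclusion, path traversal, arbitrary file read and arbitrary file download above all share one root cause: a user-supplied path fragment is joined to a server directory without checking where the result lands. The following is an added Python example (not from the ESA documentation) showing a file reader that trusts the joined path beside one that canonicalizes and confines it to the intended directory. The directory layout and the file contents are constructed inside a temporary directory so the demo touches nothing real.

```python
import tempfile
from pathlib import Path


def make_sandbox() -> tuple:
    """Constructed layout for the demo: <tmp>/public/report.txt is meant to be
    served; <tmp>/secret.txt sits one level up and must stay unreachable."""
    root = Path(tempfile.mkdtemp())
    public = root / "public"
    public.mkdir()
    (public / "report.txt").write_text("quarterly report")
    (root / "secret.txt").write_text("db_password=constructed-secret")
    return public, root / "secret.txt"


def read_file_unsafe(base_dir: Path, requested: str) -> str:
    """Vulnerable: joins the untrusted name onto the base directory and reads
    whatever that resolves to, so '../' segments (or an absolute path, which
    Path's '/' operator simply adopts) walk out of base_dir."""
    return (base_dir / requested).read_text()


def resolve_safe(base_dir: Path, requested: str) -> Path:
    """Hardened: canonicalize both sides (collapsing '..' and following
    symlinks), then require the target to lie inside the base directory.
    Refusing the request is preferable to trying to 'clean' the path."""
    base = base_dir.resolve()
    target = (base / requested).resolve()
    if target != base and base not in target.parents:
        raise PermissionError(f"request escapes {base}: {requested!r}")
    if not target.is_file():
        raise FileNotFoundError(requested)
    return target


def read_file_safe(base_dir: Path, requested: str) -> str:
    return resolve_safe(base_dir, requested).read_text()


if __name__ == "__main__":
    public, secret = make_sandbox()
    print(read_file_safe(public, "report.txt"))
    print(read_file_unsafe(public, "../secret.txt"))   # the leak
    for bad in ("../secret.txt", "sub/../../secret.txt", str(secret)):
        try:
            read_file_safe(public, bad)
        except PermissionError as exc:
            print("rejected:", exc)
```

Because the check runs after resolve(), it also covers symlinks planted inside the served directory and absolute paths, two cases that a simple "reject strings containing ../" filter misses; the managed path traversal rule catches the request pattern at the edge, this check catches whatever reaches the origin.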
XXE injection
An XML External Entity (XXE) attack exploits the behavior of XML parsers when they handle external entities. An attacker can leverage this to read system files, perform server-side request forgery (SSRF), or cause denial of service (DoS). The attack is usually carried out through XML input that contains malicious external entities.
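Entities, external or otherwise, can only be declared inside a DTD, so the standard origin-side mitigation is to refuse any document that carries a DOCTYPE at all. As an added example (not from the ESA documentation), the Python code below implements that policy with the standard library's expat parser: a handler aborts the parse the moment a DOCTYPE declaration is seen, and only DTD-free input is handed to ElementTree. The sample documents, the entity's placeholder URI and the extract_username helper are constructed for the demo.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when an input document declares a DTD, which is the only place
    XML entities (internal or external) can be defined."""


def _reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
    # expat calls this as soon as it parses '<!DOCTYPE ...', before any entity
    # declared in the subset is processed; raising here aborts Parse().
    raise UnsafeXMLError(
        f"DOCTYPE {doctype_name!r} rejected (system id={system_id!r}, "
        f"internal subset={bool(has_internal_subset)})"
    )


def parse_xml_no_dtd(data: bytes) -> ET.Element:
    """Hardened parse: run expat over the bytes with a DOCTYPE-rejecting handler,
    then hand the DTD-free document to ElementTree. Checking inside the parser
    rather than with a regex on the raw bytes means encoding variants of the
    text cannot slip past the check."""
    probe = xml.parsers.expat.ParserCreate()
    probe.StartDoctypeDeclHandler = _reject_doctype
    probe.Parse(data, True)  # raises UnsafeXMLError via the handler
    return ET.fromstring(data)


def extract_username(data: bytes) -> str:
    """Application-level use: read one field from an upload, refusing unsafe input."""
    root = parse_xml_no_dtd(data)
    node = root.find("username")
    return node.text if node is not None else ""


# Constructed inputs: a plain document, and one carrying an entity declaration of
# the shape an XXE rule matches (the SYSTEM URI is a placeholder, not a real target).
BENIGN = b"<user><username>alice</username></user>"
WITH_DTD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE user [<!ENTITY ext SYSTEM "file:///constructed/placeholder">]>'
    b"<user><username>&ext;</username></user>"
)

if __name__ == "__main__":
    print(extract_username(BENIGN))
    try:
        extract_username(WITH_DTD)
    except UnsafeXMLError as exc:
        print("rejected:", exc)
```

Rejecting every DTD also removes the entity-expansion (billion laughs) DoS variant, which needs no external entity at all. If your application must accept DTDs, the defusedxml package provides parsers that keep DTD support while disabling entity expansion and external resolution.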
Other rules
Other rules cover other vulnerabilities and attacks against back-end systems.