VergeCloud Firewall: Setup, Rules, and Best Practices Guide

VergeCloud Firewall: A Step-by-Step Configuration Guide

The VergeCloud Firewall provides granular control over the HTTP(S) traffic flowing to your website or application. Serving as an intelligent security layer at the edge, it allows you to filter requests, protect critical endpoints, block malicious actors, and challenge suspicious clients before they reach your origin server. Built on a flexible and powerful rule engine, VergeCloud enables advanced firewall integration by evaluating a wide range of request attributes, including IP address, country, headers, TLS/
JA3 fingerprints,request methods, and more, to determine whether a request should be allowed, challenged, or denied.

Unlike traditional firewalls that rely solely on signatures or basic IP filtering, VergeCloud takes a layered approach. You can create straightforward rules, such as blocking a specific IP or country, or develop advanced logic that correlates multiple signals like JA3 fingerprints, raw header values, user agents, and URI patterns. This enables you to detect sophisticated bots, abusive automation, and targeted attacks that often bypass simple security filters. By enforcing logic at the edge, the firewall not only strengthens protection but also reduces unwanted load on your origin infrastructure.

Configurable Fields and Options in VergeCloud Firewall

When creating firewall rules, you can combine multiple fields to build precise and highly targeted conditions:

  1. Source IP Address – Match a single IP or CIDR range. Useful for blocking known attackers or allowing trusted addresses.
  2. Country – Filter traffic based on geographic origin.
  3. URI Path – Match specific resource paths, with wildcard and regex support.
  4. Hostname – Inspect the domain or subdomain in the Host header.
  5. HTTP Version – Filter by HTTP/1.0, HTTP/1.1, HTTP/2, etc.
  6. URI Query String – Match keywords or parameters in the query string.
  7. Request Method – GET, POST, PUT, DELETE, and more.
  8. Referer – Validate the originating page for incoming requests.
  9. User Agent – Identify browsers, bots, or automation tools.
  10. Cookie – Check for required session identifiers or validation cookies.
  11. AS Number (ASN) – Filter traffic from specific autonomous systems, commonly used to control data center traffic.
  12. JA3 Fingerprints – Analyze TLS client fingerprints to detect non-browser clients and stealth automation tools.

Request Handling Actions in VergeCloud Firewall

Each rule can trigger one of the following actions when conditions are met:

  1. Allow – Permit the request to pass through.
  2. Deny – Block the request with an HTTP 403 response.
  3. Cookie Challenge – Verify whether the client accepts and returns cookies.
  4. JS Challenge – Use lightweight JavaScript execution to distinguish real browsers from bots.
  5. CAPTCHA Challenge – Require human interaction for higher-risk requests.
  6. Bypass Security Modules – Exclude a request from specific protections (recommended only for controlled use cases).

How to Configure the Firewall (User Panel)

Custom Firewall Rules
  
    Firewall Settings section

1. Navigate to Firewall Settings
Go to Dashboard → Security → Firewall Settings.

2. Set the Default Rule
Choose whether unmatched traffic should be allowed or denied by default. This establishes the baseline security posture for your domain.

3. Create a New Rule
Select New Rule, assign a clear name, and set priority. Higher-priority rules execute first. Specific rules should always precede broader ones.

4. Define Parameters and Actions
  1. Select the fields to evaluate (e.g., Country, User Agent, URI Path, JA3).
  2. Choose an operator such as Equals, Contains, Does Not Contain, In Range, etc.
  3. Enter the required values (IP, CIDR, country code, regex pattern).
  4. Select the action—Allow, Block, JavaScript Challenge, CAPTCHA, etc.
For advanced use cases, you can inspect raw request headers or apply detailed regex matching to refine detection logic.

5. Save and Apply
Review the rule configuration, confirm accuracy, and save. After deployment, monitor logs to ensure expected behavior and adjust where necessary.

Firewall Rule Testing and Validation

Before rolling out rules widely, it’s good practice to validate them:

  • curl Testing
    Send crafted requests to trigger your rule conditions. For example:
    curl -I -H "User-Agent: curl/7.68.0" https://yourdomain.com/admin
    Check whether the returned status code or challenge aligns with the configured action.

  • Ping & Traceroute
    Useful for confirming IP-based blocks and network-level filtering.

  • Browser Developer Tools
    Inspect cookies, challenge responses, and redirected flows in the Network tab.

  • Log Monitoring
    Logs help you understand real traffic patterns, detect false positives, and refine your rules over time.

Practical Scenarios and Sample Firewall Rules

Below are practical examples that can be implemented immediately:

IP Blocking

Field: Source IP Address
Operator: Equals / In Range
Value: 1.2.3.4/24
Action: Block

Geo-Blocking

Field: Country
Value: IN
Action: CAPTCHA or Block

Login Path Protection

Fields: URI Path + Request Method
Value: /admin, /login + POST
Action: JS Challenge or CAPTCHA

Anti-Scraping

Fields: User Agent + JA3 Fingerprints
Value: "curl", suspicious JA3 hashes
Action: JS Challenge or Block

API Abuse Prevention

Fields: URI Path + Cookie + Referer
Value: /api/v1/orders, required SessionID, valid referer
Action: Block if invalid

Form Protection

Fields: URI Path + Request Method + Referer
Value: /form/submit, Method = POST
Action: Block if referer invalid

ASN Blocking

Field: AS Number
Value: Specific ASNs
Action: Block or CAPTCHA
Field: Referer
Operator: Does Not Contain
Value: example.com
Action: Block

VergeCloud Firewall API Reference

The Firewall API lets you list, create, update, delete, and reorder firewall rules, as well as view and update domain-level firewall settings. Full reference: https://api.vergecloud.com/docs#tag/firewall

Best Practices for VergeCloud Firewall

  1. Order rules carefully—specific conditions should precede broader rules.
  2. Start with monitoring and tighten enforcement gradually.
  3. Use logs to validate behavior before enforcing strict blocks.
  4. Combine multiple signals (JA3 fingerprints, user agents, IP reputation) for stronger detection.
  5. Document rule intent clearly within descriptions to ensure maintainability.
By leveraging VergeCloud Firewall’s powerful rule engine and flexible configuration options, you can ensure your web applications remain secure against bots, scraping, and targeted attacks. Implementing best practices, validating rules, and monitoring traffic patterns will help maintain optimal protection while minimizing false positives. For organizations seeking continuous operational assurance, VergeCloud also offers 24/7 cloud support services, providing expert assistance whenever you need it to keep your firewall policies effective and your infrastructure safe.

    • Related Articles

    • How to Configure Load Balancing on VergeCloud: Step by Step

      VergeCloud’s Load Balancer intelligently manages and distributes incoming traffic across multiple origin servers, providing seamless multi-cloud load balancing. This ensures high availability, stable performance, and consistently low response times ...

    • How to Whitelist VergeCloud’s IP Addresses in Your Firewall

      Overview To ensure seamless communication between VergeCloud’s edge servers and your origin or main server, it is essential to whitelist VergeCloud’s IP addresses in your firewall configuration. Without whitelisting, your firewall may block ...

    • Steps to Activate Cloud Icon for VergeCloud

      Overview Before you activate the Cloud icon for your domain in VergeCloud, it’s important to make sure your server and DNS setup are fully prepared to work with the platform. Turning on the Cloud icon changes the way traffic reaches your website, ...

    • Caching on VergeCloud: A Step-by-Step Guide to Faster Content Delivery

      Caching plays a crucial role in improving website performance by temporarily storing web content so it can be delivered faster and with less strain on your origin server. When caching is enabled through VergeCloud’s next-gen CDN, your content is ...

    • Web Application Firewall

      Overview VergeCloud’s Web Application Firewall (WAF) provides advanced application-layer protection through a highly accurate Regex-based Anomaly Scoring system. Instead of relying solely on signature matches, VergeCloud assigns weighted scores to ...