Overview
The VergeCloud Firewall gives you granular control over the HTTP(S) traffic flowing to your website or application. It acts as an intelligent security layer at the edge, enabling you to filter requests, protect critical endpoints, block malicious actors, and challenge suspicious clients before they reach your origin server. Built on a flexible and powerful rule engine, the firewall can evaluate a wide range of request attributes, including IP address, country, headers, TLS/JA3 fingerprints, request methods, and more, to determine whether a request should be allowed, challenged, or denied.
Unlike traditional firewalls that rely solely on signatures or basic IP filtering, VergeCloud takes a layered approach. You can create straightforward rules, such as blocking a specific IP or country, or develop advanced logic that correlates multiple signals like JA3 fingerprints, raw header values, user agents, and URI patterns. This gives you the ability to detect sophisticated bots, abusive automation, and targeted attacks that often slip past simple security filters. By pushing this logic to the edge, the firewall not only protects your application but also ensures optimal performance by reducing unwanted load on your servers.
Configurable Fields & Options
When creating firewall rules, you can combine any of the following fields to build precise conditions:
- Source IP Address – Match a single IP or a full CIDR range. Useful for blocking known attackers or allowing trusted addresses.
- Country – Filter traffic based on its geographic origin.
- URI Path – Match specific resource paths, with support for wildcards and regular expressions.
- Hostname – Inspect the domain or subdomain in the Host header.
- HTTP Version – Filter by HTTP/1.0, HTTP/1.1, HTTP/2, and so on.
- URI Query String – Match keywords or parameters in the query string.
- Request Method – GET, POST, PUT, DELETE, etc.
- Referer – Validate the originating page for requests.
- User Agent – Identify browsers, bots, or automation tools.
- Cookie – Check for session identifiers or other required cookies.
- AS Number (ASN) – Filter by specific autonomous systems, often useful for controlling data-center traffic.
- JA3 Fingerprint – Analyze TLS client fingerprints to identify non-browser clients or stealthy bots.
Firewall Response Actions
Each rule can trigger one of several actions when conditions are met:
- Allow – Let the request pass.
- Deny – Block the request with an HTTP 403 response.
- Cookie Challenge – Test whether the client can accept and return cookies.
- JS Challenge – Use lightweight JavaScript execution to distinguish real browsers from bots.
- CAPTCHA Challenge – Require human interaction for higher-risk scenarios.
- Bypass Security Modules – Exclude the request from certain protections, recommended only for controlled use cases.
1. Navigate to Firewall Settings
Go to Dashboard → Security → Firewall Settings.
2. Set the Default Rule
Choose whether unmatched traffic should be allowed or denied by default. This forms the baseline security posture of your domain.
3. Create a New Rule
Select New Rule, assign a clear name, and set the priority. Higher-priority rules run first, so ordering is important—specific rules should always come before broad, general rules.
4. Define Parameters & Actions
- Choose the fields you want to match (e.g., Country, User Agent, URI Path, JA3).
- Select an operator such as Equals, Contains, Does Not Contain, In Range, etc.
- Enter the values (IP, CIDR, country code, regex pattern).
- Choose the action—Allow, Block, JavaScript Challenge, CAPTCHA, and so on.
For advanced cases, you can inspect Raw Request Headers or apply detailed regex matching. It’s often helpful to refer to VergeCloud’s Regex guide when crafting complex path or query patterns.
5. Save & Apply
Review the rule preview to ensure it matches your intent, then save it. After deployment, monitor logs to confirm expected behavior and adjust as needed.
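The effect of the default rule and of rule ordering (steps 2 and 3) can be checked offline before saving. The Python model below is an added example, not VergeCloud code or its API: it assumes the first matching rule in evaluation order decides the request, and the rule names, field keys, action labels and sample requests are constructed.

```python
import ipaddress
import re

def in_range(ip, cidr):
    # strict=False accepts a value with host bits set, e.g. 1.2.3.4/24.
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False

# Operator names follow step 4; their exact semantics here are assumptions.
OPS = {
    "equals": lambda got, want: got == want,
    "contains": lambda got, want: want in got,
    "not_contains": lambda got, want: want not in got,
    "in_range": in_range,
    "regex": lambda got, want: re.search(want, got) is not None,
}

def evaluate(rules, request, default="allow"):
    """First rule in list order whose conditions all hold decides (assumed model)."""
    for rule in rules:
        if all(OPS[op](request.get(field, ""), want)
               for field, op, want in rule["when"]):
            return rule["name"], rule["action"]
    return "default", default

def decision_changes(before, after, samples, default="allow"):
    """Samples whose action differs between two orderings of the same rules."""
    out = []
    for s in samples:
        a, b = evaluate(before, s, default)[1], evaluate(after, s, default)[1]
        if a != b:
            out.append((s["ip"], s["method"], s["path"], a, b))
    return out

# Constructed rules and requests; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
LOGIN = {"name": "login-challenge", "action": "js_challenge",
         "when": [("path", "regex", r"^/(admin|login)$"), ("method", "equals", "POST")]}
TRUSTED = {"name": "trusted-range", "action": "allow", "when": [("ip", "in_range", "203.0.113.0/24")]}
CURL = {"name": "curl-deny", "action": "deny", "when": [("user_agent", "contains", "curl")]}
SAMPLES = [
    {"ip": "203.0.113.10", "method": "POST", "path": "/admin", "user_agent": "Mozilla/5.0"},
    {"ip": "203.0.113.11", "method": "GET", "path": "/", "user_agent": "curl/7.68.0"},
    {"ip": "198.51.100.7", "method": "GET", "path": "/pricing", "user_agent": "curl/7.68.0"},
]
if __name__ == "__main__":
    for change in decision_changes([LOGIN, CURL, TRUSTED], [TRUSTED, LOGIN, CURL], SAMPLES):
        print(change)
```

Each printed tuple is a sample request whose outcome changes when the broad allow rule is moved ahead of the specific rules, which is the ordering mistake step 3 warns about.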
Testing & Validation
Before rolling out rules widely, it’s good practice to validate them:
curl Testing
Send crafted requests to trigger your rule conditions. For example:
curl -I -H "User-Agent: curl/7.68.0" https://yourdomain.com/admin
Check whether the returned status code or challenge aligns with the configured action.
Ping & Traceroute
Useful for confirming IP-based blocks and network-level filtering.
Browser Developer Tools
Inspect cookies, challenge responses, and redirected flows in the Network tab.
Log Monitoring
Logs help you understand real traffic patterns, detect false positives, and refine your rules over time.
Common Usage Scenarios & Example Rules
Here are practical, field-tested patterns you can implement immediately:
IP Blocking
Fields: Source IP Address
Operator: Equals / In Range
Value: 1.2.3.4/24
Action: Block
Geo-Blocking
Field: Country
Value: IN
Action: CAPTCHA or Block
Login Path Protection
Fields: URI Path, Request Method
Value: /admin, /login + POST
Action: JS Challenge or CAPTCHA
Anti-Scraping
Fields: User-Agent, JA3 Fingerprint
Value: "curl", suspicious JA3 hashes
Action: JS Challenge or Block
API Abuse Prevention
Fields: URI Path, Cookie, Referer
Value: /api/v1/orders, SessionID=12345, referer = your domain
Action: Block if invalid
Form Protection
Fields: URI Path, Request Method, Referer
Value: /form/submit, Method = POST, referer = your domain
Action: Block if not POST or invalid referer
ASN Blocking
Field: AS Number
Value: AS12345, AS67890
Action: Block or CAPTCHA to reduce data center scraping
Hotlink Protection
Field: Referer
Operator: Does Not Contain
Value: example.com
Action: Block
Best Practices & Tips
- Order rules by priority—specific rules should be evaluated before broad rules.
- Start permissive, then tighten as you validate to avoid accidental downtime.
- Log first, block later—use logs to identify false positives before enforcing strict blocks.
- Combine signals (JA3 + UA + IP reputation) for robust detection.
- Document rule intent inside the rule description so teams can understand why a rule exists.