How to Configure WAF on VergeCloud for Enhanced Website Security

How Application Layer Security Works in VergeCloud WAF

VergeCloud’s Web Application Firewall (WAF) provides advanced application-layer protection through a highly accurate Regex-based Anomaly Scoring system. Instead of relying solely on signature matches, VergeCloud assigns weighted scores to incoming requests based on the rules they trigger. When the cumulative anomaly score of a request meets or exceeds the configured threshold, the system automatically blocks it. This approach significantly reduces false negatives, improves detection of complex attack patterns, and provides a flexible framework for fine-tuning security posture.

Web Application Firewalls have become a critical part of modern security architecture. As threats increasingly target the application layer where user input, authentication, transactions, and data processing occur traditional network firewalls are no longer sufficient. WAFs serve as an essential security layer designed to detect, mitigate, and prevent malicious traffic before it reaches your origin servers.

Key Security Functions of VergeCloud WAF

Threat Detection and Prevention

VergeCloud’s WAF defends against common and advanced attack vectors such as Cross-Site Scripting (XSS), SQL Injection (SQLi), Remote File Inclusion (RFI), and Local File Inclusion (LFI). Through deep inspection of incoming requests, the WAF evaluates payloads, headers, parameters, and behavior patterns. Malicious requests are assigned high anomaly scores and blocked before reaching the application.


Continuous Traffic Monitoring

The WAF continuously analyzes traffic behavior across all endpoints. By monitoring changes in request size, frequency, user agents, header values, and parameter structures, it helps identify anomalies that may indicate an active attack campaign or reconnaissance attempt.


Regulatory Compliance

Industries that manage sensitive user data—such as e-commerce, banking, and healthcare—must meet strict compliance frameworks like PCI DSS, HIPAA, and ISO 27001. VergeCloud’s WAF helps maintain compliance by preventing unauthorized access and securing transactional data.


Application Layer Security

Application-layer attacks often bypass traditional firewalls. VergeCloud’s WAF specifically focuses on Layer 7 traffic, ensuring protection against attacks embedded within URLs, POST payloads, form parameters, cookies, and API requests.
When properly configured, VergeCloud’s WAF not only blocks harmful activity but also reduces downtime, prevents data breaches, and enhances overall service reliability.

Real-World Example of WAF Protection in Action

Suppose an e-commerce website begins experiencing automated bot attacks and payload-based SQL injection attempts on its payment API. With VergeCloud’s WAF enabled, anomaly scoring quickly identifies abnormal request patterns, malicious payloads, and irregular traffic spikes. Suspicious requests accumulate high anomaly scores and are blocked, allowing genuine customers to complete purchases without disruption.
This type of automated, intelligent filtering is especially valuable for high-traffic services, as it minimizes manual intervention and provides continuous protection.

Settings and Configuration of VergeCloud’s WAF




You can configure the WAF to operate in one of two modes
  1. Off — WAF is disabled. No requests will be inspected.
  2. Log-Only — WAF analyzes and logs requests without blocking them. Ideal for initial setup, false-positive tuning, and rule customization.
  3. Protection — WAF blocks requests that match rules and exceed the sensitivity level.

VergeCloud WAF Packages

Enable WAF packages as needed. You can modify their rulesets and sensitivity settings for tailored protection. Each package can be individually toggled on or off and configured with a sensitivity level. Click Edit Rules to customize individual rules within a package.
  1. CRS
  2. VergeCloud
  3. Comodo 

AlertDetection Mode (Log Only) is temporary and automatically resets to Off after 14 days.

EXCEPTION RULES

Exception Rules allow you to selectively enable or disable WAF protection for specific domain paths or IP ranges. This is particularly useful when certain trusted sources, internal tools, or known paths require bypassing WAF inspection without compromising overall security
 
To access Exception Rules, navigate to the WAF section of your domain settings. 

WAF exception rules
 
  1. Priority : The order in which rules are evaluated (highest priority first).
  2. Path : The URL path pattern the rule applies to.
  3. Sources : The IP address or CIDR range the rule applies to (or "Any").
  4. Action : Whether WAF protection is applied or bypassed for this rule.
  5. ID : A unique identifier for the rule.
  6. Status : Whether the rule is currently Active or Inactive.
Adding a New Exception Rule
 

To add a new exception rule, click the "+ Add New Rule" button in the top-right corner of the Exception Rules panel.
 
Step 1: Define Rule Conditions
 Under the "If a request matches these conditions" section, configure the following fields:
  1. Path : Enter the URL path this rule should apply to. You must use Glob-pattern syntax (e.g., /admin/*, /api/**, /images/*.png). This field is required.
  1. IP/CIDR : Optionally enter a specific IP address or CIDR range (e.g., 203.0.113.0/24) to restrict the rule to requests from that source. Leave blank to apply to all sources.
Description : Provide an optional description to document the purpose of the rule.
 
Note: You must use Glob-pattern to specify the path. For example, use /wp-admin/** to match all paths under /wp-admin/.
 
Step 2: Define the Action
 Under the "Then" section, choose how matching requests should be handled:
  1. Apply WAF Protection : Active WAF rules are applied to this path as usual. Use this when you want to explicitly enforce WAF rules on a specific path, even if other rules might bypass it.
  1. Bypass WAF Rules : Allows access to this path while excluding selected WAF rules. Use this for trusted paths, internal health checks, or whitelisted IP ranges that do not need WAF inspection.
Step 3: Set the Rule Status
The rule status toggle in the top-right of the form defaults to Active. Set it to Inactive if you want to save the rule without immediately applying it.
 
Step 4: Save the Rule
 Choose one of the following save options:
  1. Save : Immediately activates and applies the exception rule.
  2. Save as Draft : Saves the rule without activating it, allowing you to review or edit before it goes live.
  3. Cancel : Discards all changes and returns to the Exception Rules list.
Alert
Note: Exception Rules are powerful and should be used carefully. Bypassing WAF rules for broad paths or open IP ranges may expose your application to threats. Always scope rules as narrowly as possible.

Configuring and Fine-Tuning VergeCloud WAF

Before fully activating the WAF in protection mode, VergeCloud recommends running it in observation mode. This helps:
  1. Identify real threats vs. normal user behavior
  2. Detect false positives
  3. Fine-tune rule sets
Using the WAF Attacks Analysis dashboard, you can evaluate logs, view detailed rule triggers, inspect payloads, and disable/enable individual rule IDs as needed. To disable a specific rule, open the corresponding rule set and toggle individual rules using the on/off switch.

Vergecloud WAF Packages

WAF Rule Packages in VergeCloud

VergeCloud supports multiple WAF rule packages:

VergeCloud’s WAF Package (Default)

Provides balanced, general-purpose protection:
XSS
SQL Injection
Bot detection
Unusual request patterns
Suspicious HTTP methods
Payload anomalies

CRS Package

Based on the OWASP Core Rule Set:
  1. SQLi
  2. XSS
  3. LFI/RFI
  4. Code injection (PHP/Java)
  5. HTTPoxy
  6. Shellshock
  7. Metadata leakage
  8. Bot/scanner detection

Comodo Package

A comprehensive commercial-grade rule set with advanced intrusion prevention, compatible with other packages.

You can refer to attack statistics in Analytics & Logs to see the WAF logs

Managing VergeCloud WAF Through API Automation

Automate WAF configuration can use VergeCloud’s extensive WAF API. The API allows you to manage rule packages, reorder priorities, reconfigure modules, create or update custom rules, and retrieve detailed rule information programmatically. These capabilities are ideal for CI pipelines, infrastructure automation, or custom security workflows.

Explore the complete WAF API documentation at https://api.vergecloud.com/cdn/api-docs#tag/waf

In conclusion, VergeCloud’s Web Application Firewall provides a flexible and intelligent approach to protecting modern web applications. By combining anomaly scoring, real-time traffic analysis, and configurable rule sets, it ensures strong defense against both common and advanced attack vectors. With support for multiple operating modes, detailed configuration options, and API-based automation, the WAF allows teams to tailor security to their specific needs while maintaining performance, reliability, and compliance.

    • Related Articles

    • Using Layer 4 Network on VergeCloud

      Overview The VergeCloud Layer 4 Proxy enhances security and performance for applications using TCP protocol. It is ideal for non-HTTP traffic such as email, FTP, SSH, VoIP, or gaming. By proxying connections through VergeCloud’s edge, your origin ...

    • Security Shortcuts

      Overview Firewall Security Shortcuts make it easy to apply strong security protections with just a few clicks. Instead of building rules from scratch, each shortcut gives you a ready-to-use firewall configuration designed for a specific scenario such ...

    • How to Configure Rate Limiting in VergeCloud

      Rate limiting is a fundamental security and traffic management feature that helps maintain the stability and reliability of modern web applications and APIs. In VergeCloud, you can control how many requests can be made within a specific time frame, ...

    • Steps to Activate Cloud Icon for VergeCloud

      Overview Before you activate the Cloud icon for your domain in VergeCloud, it’s important to make sure your server and DNS setup are fully prepared to work with the platform. Turning on the Cloud icon changes the way traffic reaches your website, ...

    • Security Headers

      Security headers are HTTP response headers that instruct a browser on how to handle your website securely. They operate silently in the background and help reduce risks such as insecure connections, script injection, clickjacking, and unintended data ...