Skip to content

feat(google_fastly_waf): add baseline protection variable and adjust immediate block logic#447

Merged
Tibap merged 3 commits intomainfrom
sseehra-waf-baseline_protection
Mar 12, 2026
Merged

feat(google_fastly_waf): add baseline protection variable and adjust immediate block logic#447
Tibap merged 3 commits intomainfrom
sseehra-waf-baseline_protection

Conversation

@sseehra
Copy link
Contributor

@sseehra sseehra commented Mar 11, 2026
edited by Tibap
Loading

Description

This PR introduces a new ngwaf_baseline_protection parameter to enable configuration of a "baseline WAF protection" profile. The goal is to apply a standardized level of protection to non-critical applications for which we do not plan to develop custom rules.

Since the immediate_blocking feature can result in blocking legitimate traffic, the baseline protection uses a default threshold that should balance security and usability.

Protection behavior is:

  • Immediate blocking is enabled by default
  • If the ngwaf_baseline_protection parameter is passed to the module, immediate blocking is disabled and the following thresholds are used: 3 attacks in 1 minute, 10 attacks in 10 minutes, 60 attacks in 60 minutes.

Related Tickets & Documents

@github-actions github-actions bot added the minor This PR will increment a minor version label Mar 11, 2026
Tibap
Tibap previously approved these changes Mar 11, 2026
View reviewed changes
Copy link
Contributor

@Tibap Tibap left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just updated the description to include more details about this change. Otherwise looks good to me, let's test if this works.

@sseehra sseehra marked this pull request as ready for review March 11, 2026 19:57
bkochendorfer
bkochendorfer previously approved these changes Mar 11, 2026
View reviewed changes
@Tibap Tibap dismissed stale reviews from bkochendorfer and themself via d6d07c4 March 12, 2026 14:44
@github-actions
Copy link
Contributor

github-actions bot commented Mar 12, 2026

Release plan

Directory Previous version New version
google_fastly_waf 2.17.0 2.18.0

bkochendorfer
bkochendorfer previously approved these changes Mar 12, 2026
View reviewed changes
@Tibap Tibap merged commit f7cfb26 into main Mar 12, 2026
10 checks passed
@Tibap Tibap deleted the sseehra-waf-baseline_protection branch March 12, 2026 17:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bkochendorfer bkochendorfer bkochendorfer approved these changes

@Tibap Tibap Tibap left review comments

@jasonthomas jasonthomas Awaiting requested review from jasonthomas jasonthomas is a code owner

@jbuck jbuck Awaiting requested review from jbuck jbuck is a code owner

@whd whd Awaiting requested review from whd whd is a code owner

Assignees

No one assigned

Labels

minor This PR will increment a minor version

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@sseehra @bkochendorfer @Tibap