Announcing New Enhancements Coming to Web Application Protector

August 4, 2019 · by Amol Mathur ·

Akamai’s Web Application Protector (WAP) — which is designed to help you easily safeguard your web assets from DDoS and web application attacks — is getting a range of new enhancements which are beginning to roll out right now, and I wanted to give you a quick overview of the areas where you'll find these improvements (click to jump to any selection):

Here are further details on each item:

User interface improvements

The new and improved interface makes Web Application Protector more powerful and easier to use. The navigation has been simplified so that security protections and settings are more clearly organized and intuitive to use. (You'll see a banner at the top of the Web Application Protector summary page after your interface has been updated.)

WAP summary page
The new interface presents the currently active configuration. When you want to make changes, click the “Edit Last Created Version” link.
security protections
The Security Protections section is now easier to read and will indicate the Penalty Box setting.
edit summary
 You will now be able to rename a configuration and add notes to each configuration version.


select version
The Hostnames menu (which was previously on the left) has been moved into the main summary page, where you will be able to add and remove hostnames.
hostnames selector
The Hostnames selector makes it easier to add multiple hostnames to your configuration.

Configuration versioning

With this improvement, configuration versions can be managed with ease in the user interface; you’ll have the ability to roll back to previous configuration versions and view your detailed activation and version history.

version selector
Select which version you wish to view from the Version pull-down menu.
version history
The version history screen indicates the state of each configuration version, when it was created, which version it was based on, and which version is deployed to the Akamai Staging or Production networks. Although Web Application Protector will always create an editable Last Created version for you, the Action command permits you to create a new version based on previous versions of the configuration.
activation history
The activation history screen shows the exact time and date when configurations were activated and to which networks.


Expanded header-logging options

The new Advanced Settings tab in WAP will give you the option to customize the HTTP headers that are written to the security access logs.

header logging
Header Logging can be completely turned off or selectively specified.


Ability to activate configurations on the Akamai Staging network

This enhancement provides you with the option of activating your security configuration on the Akamai Staging network before deploying it to the production network. This allows for functional testing of your site, application, or API with new security configuration changes before exposing them to your end users.

activation details
To maintain the traditional workflow of Web Application Protector select “Staging & Production” on each activation.


Security protections

  • Network firewall: Ability to apply exclusions via network list to IP and GEO block controls
  • DoS protection: Ability to apply different response actions within a single rate policy, for IPv4 and IPv6 traffic
  • Web application firewall: Within Akamai’s web application firewall, you’ll see two specific enhancements:
    • The penalty box can be put into “alert” mode in addition to the existing “deny” mode
    • There will be enhanced exception criteria for attack groups, with support for wildcards in the match criteria and expanded header options


IP/Geo firewall
We have renamed the “Network Firewall” the “IP/Geo Firewall” to more accurately represent its function. It is also possible to completely turn off the IP/Geo Firewall with the toggle at the top of the page. The additional “Block Exceptions” function allows you to override IP and Geo blacklists. For example: If you have blacklisted a certain geography, but you wish to allow a set of specific IP addresses past the Geo blacklist, you can create a new Network List and add it to the “Block Exceptions”.
rate policy
While you can still change the action of each Rate Policy from the DoS Protection page, the rate policy settings are now editable by clicking the “View this Rate Policy” link.  This change makes it easier to review the rate policy settings.
rate limiting
If desired, different actions can now be applied to IPv4 and IPv6 traffic. Additional match criteria, such as Response Header and AS Number, are now available.
action not used
The “Disabled” function has been renamed to “Not Used”.
penalty box
In addition to continually updating the protection logic behind Automated Attack Groups, the Penalty Box setting is now easier to see and can be configured in Alert, Deny, or it can be turned off.
penalty box alert
While Deny will provide the best protection, Alert allows you to see what other requests adversaries are sending after the Automated Attack Groups have detected the first malicious request.
attack group exceptions
We have also made significant improvements to how Attack Group Exceptions are crafted. All of your existing exceptions will function, but you will now be able to except any Request Header.
exception example
Wildcard support is now included in the exceptions interface. To use wildcards (* and ?), specify a value with a wildcard and select the “Wildcards” checkbox. (Exception rules created in earlier versions of Web Application Protector treated wildcards as literals.)
custom rules
Custom Rules are now editable via the “View this Custom Rule” link, and retain the same functionality as before.
security configuration link
You will now also be able to use the “Security Configuration” link in the menu to navigate to Web Application Protector. 

These enhancements constitute a free update for all current Web Application Protector customers. Akamai will begin rolling out these enhancements to Web Application Protector customers starting in late September. Your account team will contact you if any special handling is required prior to the migration.

Meanwhile, we will continue designing and building more improvements to make Web Application Protector even more robust for you.

Amol Mathur is a product line director at Akamai Technologies.

Hans Cathcart, who is a senior product manager at Akamai Technologies, also contributed to this blog post.