
Akamai WAF Getting Started

Let me walk you through the process of configuring Akamai’s WAF

Akamai’s Web Application Firewall — part of the Kona Site Defender and App & API Protector product suite — is one of the most capable WAF solutions available to enterprise teams. This tutorial walks through how Akamai WAF works, how to configure it from scratch, and how to tune rules without disrupting live traffic.

How Akamai WAF Works

Akamai WAF operates at the edge of its CDN network, inspecting HTTP/HTTPS traffic before it reaches your origin servers. It functions on a per-hostname basis, covering ports 80 and 443, and is distinct from Akamai’s subnet-level DDoS protection. Traffic is evaluated against a managed ruleset — the Kona Rule Set — which Akamai updates automatically as new threats emerge. You can extend this with custom rules to match your application’s specific behavior.

When a request matches a rule, Akamai can either alert (log only) or block the request outright. Starting in alert mode is essential: it lets you identify false positives before blocking legitimate traffic.

Akamai WAF Configuration: Three Components to Set Up

Every new hostname onboarded to Akamai WAF requires three things: an HTTPS certificate, a Property, and a Security Configuration.

1. HTTPS Certificate

Generate a CSR for your domain and have your certificate issued by your preferred CA. Upload the certificate to Akamai — the platform stores the private key securely within its infrastructure. If your certificate isn’t ready when you start, you can complete Property and Security Configuration setup first; the certificate binds automatically once uploaded.

2. Property (Traffic Delivery Configuration)

A Property defines how Akamai handles and delivers traffic for your hostname. Start from Akamai’s templated Property and trim it down for a clean onboarding baseline:

  • Remove all caching rules initially — this eliminates a common source of unexpected behavior during testing
  • Remove monitoring rules you haven’t yet configured
  • Set your origin to point at your application server
  • Create an edge hostname, which is the CNAME target you’ll use for your DNS cutover

3. Security Configuration

Create a new Security Configuration using Akamai’s default template. Add your hostnames and set paths to /* to cover all traffic. At this stage, leave all protections in Alert mode — do not switch to Block yet.

Deploy the configuration to Akamai’s staging environment first.

Testing Your Akamai WAF Configuration

Before going live, test against Akamai’s staging network by modifying your hosts file to resolve your hostname to the staging IP. Run your full application test suite and exercise your APIs. This surfaces any rule conflicts or origin connectivity issues without customer impact.

Once staging looks clean, update your DNS CNAME to the edge hostname. The cutover itself is low-risk for most configurations; the main exception is complex mTLS setups, which require additional origin-side configuration.

Tuning WAF Rules and Reducing False Positives

After 2–4 weeks of production traffic, review alerts in Akamai’s Security Center. The alerts show which Kona rules are firing and against which URLs or parameters.

For each alert pattern, decide:

  • True positive — genuine attack traffic, no action needed
  • False positive — legitimate application traffic being flagged, add a targeted exception

Akamai WAF custom rules let you write path- or parameter-specific logic to handle edge cases the Kona Rule Set doesn’t account for well. Use these sparingly — overly broad exceptions undermine protection.
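To make the alert review above concrete, here is an added example (not Akamai's code or format) that groups alert-mode events by rule, path and parameter and applies a simple triage heuristic: the same rule firing on one field from many distinct clients points to legitimate application traffic, while many hits from one or two clients points to a genuine attack. The record shape, rule ids and paths are constructed placeholders, and the only exception it ever proposes is the narrowest scope (rule and path and parameter), in line with the advice to keep exceptions targeted.

```python
from collections import defaultdict

# Constructed sample alert records in a simplified shape (not Akamai's real
# export format): one row per alert-mode event. Rule ids, paths and addresses
# are placeholders, not real Kona Rule Set ids or real clients.
SAMPLE_ALERTS = [
    # Many distinct clients trip the same rule on one form field: likely a
    # false positive (an editor form that legitimately submits markup).
    *[{"rule": "KONA-RULE-A", "path": "/cms/article/save", "param": "body",
       "ip": f"198.51.100.{i}"} for i in range(1, 13)],
    # One client repeatedly hitting a login parameter across rules: true positive.
    *[{"rule": r, "path": "/login", "param": "username", "ip": "203.0.113.7"}
      for r in ("KONA-RULE-B", "KONA-RULE-C") for _ in range(20)],
    # A single hit from a single client: too little signal to decide yet.
    {"rule": "KONA-RULE-D", "path": "/search", "param": "q", "ip": "192.0.2.9"},
]


def group_alerts(alerts):
    """Aggregate events by (rule, path, param) -> (hit count, distinct client IPs)."""
    hits, ips = defaultdict(int), defaultdict(set)
    for a in alerts:
        key = (a["rule"], a["path"], a["param"])
        hits[key] += 1
        ips[key].add(a["ip"])
    return {k: (hits[k], len(ips[k])) for k in hits}


def classify(hits, distinct_ips, min_hits=10, min_ips=5):
    """Heuristic triage: a broad spread of clients on one field suggests
    legitimate app traffic; many hits from few clients suggests an attacker."""
    if hits < min_hits:
        return "needs-review"
    if distinct_ips >= min_ips:
        return "false-positive"
    return "true-positive"


def triage(alerts):
    """Return a dict of (rule, path, param) -> decision."""
    return {k: classify(h, n) for k, (h, n) in group_alerts(alerts).items()}


def exception_scopes(alerts):
    """Narrowest exception per false-positive pattern: rule AND path AND
    parameter, never a whole-rule disable (overly broad exceptions undermine protection)."""
    return [{"rule": r, "path": p, "param": q}
            for (r, p, q), d in triage(alerts).items() if d == "false-positive"]
```

The thresholds are starting points only; a real review still reads the flagged requests before an exception is written.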

Tune your rate limiting rules at this stage too. DDoS rate limits control how many requests a single IP can make within a time window; the right threshold depends on your traffic patterns.

Going to Block Mode

Once you’re satisfied that false positives are resolved, switch your Security Configuration from Alert to Block. From this point, Akamai actively blocks XSS, SQL injection, and other OWASP Top 10 attacks at the edge.

Ongoing maintenance is minimal: Akamai updates the Kona Rule Set automatically, and your main recurring task is annual certificate renewal.