1 of 100

v5

Link11 WAAP Documentation

Link11 offers a network security software suite, including robust WAAP (Web Application and API Protection). This is the documentation for the Link11 WAAP ("L11WAAP") SaaS system.

Release Notes

November 24, 2025

Known Issues

Available .

User Guide

The manual is organized into the following sections, accessible through the sidebar table of contents:

Introduction to Link11 WAAP: general information about the system and its capabilities
How It Works: an overview of how L11WAAP filters traffic
Console UI Walkthrough: a detailed explanation of the user interface
Using the Product: some tips and best practices

Known Issues

For known issues or limitations in the current version of Link11 WAAP.

Log Exporters

Issue

Workaround/solution

The Log Exporter feature is not enabled by default. When trying to create a new Log Exporter, the Save procedure fails and an error message appears.

Before attempting to create a Log Exporter for the first time, to enable this feature on your planet.

User Guide

Introduction to Link11 WAAP

Product overview, architecture, and how it works

Welcome!

Link11 offers an all-in-one WAAP platform. It includes a next-gen Web Application Firewall (WAF), autoscaling Denial of Service (DoS)/Distributed Denial of Service (DDoS) protection, advanced bot management, real-time traffic monitoring & control, full historical logs & analytics, and more.

Link11 WAAP runs on the customer’s clouds of choice, whether the Link11 Network and Web Security solution, or any of the top-tier public cloud providers (AWS, Azure, and GCP). It protects web applications, services and microservices, and API endpoints.

Platform overview

L11WAAP deploys as a reverse proxy, continually analyzing incoming traffic. Benign traffic is passed through to the customer's origin, while hostile traffic is blocked and denied access.

The platform's overall architecture is as follows:

Cloud-based web security

L11WAAP deploys and runs in the customer's choice of clouds, whether private (Link11) or public (AWS, GCP, or Azure).
All incoming traffic is routed through L11WAAP and scrubbed as it passes through. Latency is negligible (generally 1.5 milliseconds or less).
Hostile traffic is blocked before it reaches the protected network. Legitimate traffic has normal access to the requested resources.

Full integration

L11WAAP is integrated with, and runs natively on, multiple cloud platforms. It leverages the advantages of each. Examples:

When L11WAAP runs on Link11, customers can use Secure CDN, Link11 load balancing, Infrastructure DDoS for offloading Layer 3 protection, and more.
On GCP, L11WAAP can act as the 'threat detection engine' for Cloud Armor, automating and extending its capabilities, and blocking attacks at the edges.
On Azure, L11WAAP integrates with Azure Security Center to fit smoothly into existing customer workflows.
On AWS, L11WAAP integrates with AWS WAF and Shield, adding granularity, control, and many other additional capabilities to AWS's native security features.

How Link11 WAAP Works

Console UI Walkthrough

Analytics

The Analytics section contains the UI for viewing traffic.

If you have not used Link11 WAAP before, read this first: Traffic Reporting and Analytics.

Otherwise, the Analytics UI is documented here:

Dashboard
Events Log

AI Management

Overview

As part of its security suite, Link11 includes robust bot management, including tracking of individual types of bots. There is some additional granularity for managing AI crawlers.

Security

The Security section of the UI provides configuration options for basic security rulesets and policies. The pages in this section document the configuration for these security settings.

If you are not yet familiar with how Link11 WAAP filters traffic, and how the various settings below fit into this process, it is recommended that you read this overview first: The traffic filtering process.

Global Filters
Flow Control Policies
Content Filter:

Quarantined

Display and manage the list of quarantined traffic sources

Overview

The Quarantined List page shows a list of traffic sources that have triggered one or more Dynamic Rules. While a traffic source is on this list, Link11 WAAP responds to all of its requests automatically with the Dynamic Rule's Action.

This is often used to ban a persistent violator of other security rulesets, but it can also be used merely to monitor a traffic source for a period of time. An explanation of the quarantining process is here.

Administration and Use

Viewing quarantines

Each quarantined traffic source will have an entry in the list. Long lists will be broken up across multiple pages, which can be navigated using the controls at the bottom of the page.

The overall list can be sorted according to the values in each column by using the Filter control at the top.

Cancelling quarantines and preventing False Positives

Traffic sources will be automatically removed from the Quarantine list when their quarantines have expired.

They can also be manually deleted. In the UI, this is done by selecting the trash icon at the end of an entry in the Quarantined List.

"Manual deletion" refers to deletion by an admin through either the UI or the API. Both methods produce the same results, as described below.

When a traffic source is manually deleted from the list, L11WAAP understands this to mean that the quarantine was a False Positive.

Therefore, when the next cycle of Dynamic Rule evaluation occurs, the Rule's corresponding Global Filter will be updated by removing the traffic source from its Rule list. Subsequent requests from that traffic source will not automatically receive the Rule's Tags and Action., unless/until that traffic source violates the Dynamic Rule again.

To exempt the traffic source from further Dynamic Rule enforcement, an admin should add appropriate tag(s) to the Dynamic Rule's Exclude list.

If L11WAAP has quarantined a traffic source and you wish to reverse this decision, the procedure above (editing the Quarantine list) should be performed. L11WAAP will update the corresponding Dynamic Rule and Global Filter automatically. Do not try to accomplish this by editing the Global Filter itself (which is non-editable in the UI, but could still be changed via API). Manually editing the Global Filter will not work; the next time Dynamic Rules are evaluated, the system will take everything that's currently quarantined and add it back to the Global Filter.

Content Filter

This section provides settings for content filtering:

Sites

This section of the console contains the following options:

Server Groups: properties of server(s) for sites(s).
Backend Services: the services that L11WAAP is protecting.
Edge Functions: for running custom Lua code.
: information about DNS configuration.
: managing SSL associated with load balancers.
: for managing SSL certificates.

DNS Records

An optional feature

DNS Management is an optional capability. Your DNS records do not need to be maintained within Link11, but they can be.

The user interface displays the records that are currently defined within Link11 WAAP. These records are not editable within the UI; they are configured outside of the UI, and are displayed here for informational purposes only.

For assistance in changing or configuring DNS records, within L11WAAP, .

SSL

This section is for SSL settings.

Load Balancers Certificates

Load Balancers

Overview

This page lists the load balancers currently set up within Link11 WAAP.

Load balancers are added and managed outside of the UI; for assistance in changing or configuring load balancers, .

Load balancer administration involves two primary activities:

System

This section of the console is for system-wide configuration.

: one of Link11 WAAP's mechanisms for human verification.
: for managing Single Sign-On for L11WAAP
: for clearing the cache(s) of Content Delivery Network nodes

Security Alerts

Overview

Security Alerts allow admins to configure email alerts to be sent when Dynamic Rules are triggered.

Usage within applications and APIs

Security Alerts operate at the system level. They can be defined for individual , or for multiple Server Groups simultaneously. When any of the specified Dynamic Rules is triggered for any of the specified Server Groups, an email alert will be sent to the designated recipient(s).

Each email alert includes:

The Dynamic Rule that was triggered: its name, description, "Limit" (a combination of the Rule's Number of events and Time frame), and "Type" (which corresponds to the Rule's setting)
A list of the violators of that Rule

In the email alerts, a Dynamic Rule enforcing limits on IP addresses will not be described as Type: IP; rather, the email body will say Type: remote_addr.

Administration

The main window (shown above) lists all currently defined Security Alerts.

The administration (addition/deletion/editing/versioning) of these Alerts follows the conventions described .

Parameters

Name

The name of this Security Alert, for use within the interface.

Server Groups

The Server Group(s) for which this Security Alert will be active.

Alert recipients

One or more recipients (specified as email addresses, separated by commas) to receive alerts when any of the listed Dynamic Rules are triggered.

Dynamic Rules

One or more Dynamic Rules which will, when violated, trigger the sending of email alerts to the specified recipients.

When adding Dynamic Rules to a Security Alert, ensure that each Rule is in "". Rules that are inactive will not trigger Security Alerts.

Version Control

Link11 WAAP maintains Git versions of data and configurations.

This page displays previous versions of configurations, and allows admins to:

Download a version by using the "Download" button at the top
Revert/restore the system to any saved configuration.

To revert/restore, hover the cursor over the desired configuration. The "Restore"

Publish Changes

This page pushes a selected system configuration to the proxy, and makes it active. This is necessary when:

Edits were recently made to the current configuration
Changing to a different system configuration on the page: either reverting to a previous version, or rolling forward to one that's different than the currently active one.

Account

Overview

If the user is logged into the planet directly (i.e., without using SSO), then selecting the user icon () at the top right of the UI will display a menu, including an option for opening the Account Details page.

This page displays the account details of the current user, allows configuration of MFA (multi-factor authentication), and provides keys for using the API. Its sections are described below.

Using the product

Best Practices

This section describes best practices for some common tasks.

Saving and Publishing Your Changes

Whenever you change the configuration of the Link11 WAAP platform within the UI, you must save your changes, and you must publish them to the cloud as well.

If you do not save your changes, they will be lost when you go to a different page within the user interface. You will not be prompted or asked to confirm the abandonment of your changes.

The Publishing process checks the saved changes for errors. If no errors are found, they are pushed to the cloud.

Saving Changes

The various Editor pages within the UI have "Save" buttons in the top row of controls. Select this button to save whatever changes have been ma.de

Note that the "Save" button only saves your changes within your local session. To push them to your planet in the cloud, you must publish the changes as well.

Publishing Your Changes

Follow the process described here: .

How Do I...

A task-based FAQ

This section answers questions that often arise about using Link11 WAAP.

Add custom messages to events

Sometimes it is desirable to add custom annotations to events in the traffic logs: perhaps for monitoring, visibility, or other purposes.

This can be done with .

Authenticate mobile app users

Link11 WAAP includes a Mobile SDK for authenticating mobile application clients. For more information, see .

Ban, unban, and allowlist traffic sources

The section shows a list of traffic sources (i.e., sources of incoming requests) that are currently banned, blocklisted, and allowlisted.

How to ban a requestor

A traffic source is banned automatically when it violates a .

You cannot manually move a traffic source into quarantine. Instead, you can create a Dynamic Rule to do it for you. The Dynamic Rule's parameters should be as follows:

Bypass Link11 WAAP for loadtesting or other purposes

Sometimes an admin needs to bypass the WAAP's traffic filtering, for example when "attacking" an application or server as part of a loadtest. Under normal circumstances, L11WAAP would prevent this, because it would enforce rate limits and block the excessive requests from reaching the backend.

Specific requests can be exempted from L11WAAP's traffic filtering (including rate limiting) by:

Creating a Global Filter with narrowly-defined Rules (which will only match those specific requests, and no others)
Selecting the Global Filter's Action to be one of type Skip
And ideally, defining a unique to assign to those requests, so they will be identifiable in the traffic logs.

Incoming requests that meet the criteria for the Global Filter will not subjected to filtering. They will be passed directly through to the backend.

Configure a new path/section of a site

Scenario: An admin has recently created a new section within an existing domain. (In this context, "section" means a path, or set of paths, that can be described in a single regex.) For example, perhaps a new API version is being exposed at /apiv3, which is a URL that did not previously exist.

How can the admin configure Link11 WAAP's security settings for the new path(s)?

As shown in the diagram below, the association between security settings and paths is done within a Security Policy.

Specifically, each Security Policy contains a Path Map: a list of paths, and the security settings assigned to each.

Thus, the process for configuring new paths within L11WAAP is as follows:

Determine the Security Policy currently in place for the domain
Within that Security Policy, clone an existing Path Map
Configure the new Path Map as appropriate, to contain the new settings.

These steps are described below.

Determining the Security Policy

Navigate to Sites -> Server Groups.
In the list that appears, select the for the domain in question.
On the Server Group Editor page, note the current selection in the Security Policy pulldown list.

Cloning an existing Path Map

Navigate to Security -> Security Policies
Select the Security Policy that is (as noted above) currently assigned to the domain's Server Group.
At the bottom of the Security Policies Editor page is the Path Mapping section. Expand one of the entries in this list.
Within the expanded display of the Path Map, at the bottom right, select the Fork Path Mapping

Configuring the new Path Map

Ensure that the new Path Map is displayed for editing, and then:

Edit its Name to something appropriate
Define the Match path with an expression that will match all the new path(s) being configured
Verify that the other security settings in this Path Map are appropriate. If not, existing security rulesets (such as Rate Limit Rules, Content Filter Profiles, etc.) are available for selection. If it is necessary to create one or more new rulesets, you will need to leave this page (be sure to select Save first!), create the new settings, and return here to select them.

Configure TCP passthrough

Sometimes end-to-end encryption is necessary, and client traffic must be kept encrypted until it reaches the backend server.

For this purpose, Link11 supports TCP passthrough. When this is configured, neither the Link11 load balancer nor L11WAAP will terminate or decrypt the TCP connection. The specified traffic will be passed through to the backend as-is.

Caution: If TCP passthrough is enabled, we recommend using it with the narrowest possible scope. This traffic is not decrypted, and therefore, cannot be inspected by Link11.

Passed-through requests are not filtered for hostile content, rate limit violations, ACL enforcement, etc. They also are not logged by Link11.

Control caching behavior

Web clients can cache resources from a server. Afterwards, a client can access its local cache, which reduces the number of requests sent to the server.

Servers can instruct clients to implement caching in certain ways. Servers can also set separate caching policies for any intermediary proxies in-between the server and the client.

Link11 WAAP is a proxy between the clients and the backend. When the backend responds to clients, the outgoing responses pass through L11WAAP. You can instruct the system to preserve or alter the caching instructions in those responses.

This can be done through . Out of the box, L11WAAP includes several cache policy Edge Functions for this purpose. If you need additional assistance in customizing L11WAAP's caching behavior, .

Customize responses to clients

Blocked requests can receive customized response headers, status codes, and content, by configuring the appropriate Actions.

Admins can also run custom Lua code via Edge Functions. Edge Functions with a phase of Response Pre Processing or Response Post Processing will be run after the backend has responded to the request, but before the response is sent to the client.

Enable GraphQL traffic

Motivation

By default, Link11 WAAP will block GraphQL traffic, for two reasons:

The size of the argument
number 600110, which contains this Match string: ([$@{}()\[\]].*){8,})

Enabling GraphQL traffic

To allow GraphQL traffic, create a with:

An Argument Max Length that will accommodate the maximum size of the queries
This tag in the Ignore Content Filter Tags list: cf-rule-name:600110

Then assign this Content Filter Profile to the location (i.e., the site or path) of the GraphQL queries via an appropriate .

Generate or renew my own SSL certificates

By default, Link11 supports communication between customer backends and .

When a backend system requests a new or renewed certificate from LE, Let's Encrypt responds initially with a challenge. Because Link11 WAAP is a proxy for the backend, this challenge will be sent to L11WAAP.

Under normal circumstances, L11WAAP will forward this to the customer system. If this is not occurring, something in L11WAAP's default configuration might have been changed.

To correct this, perform the following two-step process.

Step 1: Verify the necessary Global Filter

Improve Events Log performance for large argument volumes

When a web application or API frequently receives incoming requests with excessively large arguments, or a large number of arguments, this can adversely impact the performance of the Events Log.

To address this, Link11 WAAP can defer the retrieval of arguments until an admin specifically requests it. More info on this feature is .

Load balance traffic across my origin servers

Link11 WAAP provides inherent capabilities for load-balancing across origin/backend servers.

This is configured in .

Protect sensitive information in logs and analytics

Sometimes, incoming requests contain sensitive or Personally Identifiable Information that should not be included in logs and other forms of analytics.

Link11 WAAP provides the ability to mask specific types of information. This is configured using the Masking Seed and Mask? fields within Content Filter Profiles.

Note that you should ensure that the relevant requests are always subjected to the Content Filtering process.

Redirect or block HTTP traffic

Under most circumstances, a session over unencrypted HTTP should not be accepted. Using Link11 WAAP, admins can refuse HTTP requests by either:

Redirecting them to HTTPS
Or simply blocking them.

Admins must also choose whether to refuse HTTP traffic:

Globally, throughout the entire planet, or

Run custom code

To run custom Lua code before or after Link11 WAAP processes a request, use an .

To define code for customizing nginx's behavior or parameters, use .

Set rate limits and exemptions

Restricting consumption of resources and rate of requests

Different types of rate limits are defined in different parts of the Link11 WAAP interface.

Static rate limits for entire sites/applications: A static rate limiting capability is available via the within . This is simple, IP-based rate limiting that applies globally to every site/application based upon that Proxy Template.

Granular rate limiting: More powerful capabilities are available through , including variable scope, multiple criteria for tracking requestors, actions, and more. These Rules are then associated with specific locations/URLs through .

Global enforcement by traffic source: Requestors who submit excessive requests across the planet can be banned for configured lengths of time. This can be done via .

Stream event data to a SIEM solution or other destination

Link11 WAAP integrates with a wide range of SIEM [Security Information and Events Management] solutions. Most of our enterprise clients stream L11WAAP events to ArcSight, RSA, IBM, Splunk, and other solutions.

To stream traffic event data to one or more of these destinations, create one or more .

The lengths of Log Exporter data values can be controlled using the .

Overview

Link11 WAAP includes an API that provides full coverage of the system's capabilities.

Using the API will require familiarity with the following:

L11WAAP's
The API's namespaces and endpoints, which are documented in two locations:
- In the reference section of this manual

Internal data structures

Overview

Link11 WAAP maintains most of its security parameters as Entries, which are contained in Documents, which are contained in Configurations.

A Configuration is a complete definition of L11WAAP's behavior for a specific environment. An organization can maintain multiple Configurations (e.g., development, staging, and production).

Each Configuration contains multiple Documents of various types (Global Filters, ACL Profiles, etc.) Each Document contains at least one Entry, i.e., an individual security rule or definition.

A Configuration also includes data blobs, which currently are used to store the geolocation database. This is where L11WAAP obtains its geolocation data and ASN for each request it processes.

Using Swagger UI

The Link11 WAAP API is available in . This tool provides design documentation, and can also be used to submit API calls directly to your planet.

Location

By default, the API is available in Swagger UI at:

{your planet name}/api/v4.0/openapi.

Reference Information

API

API access to traffic data Types of namespaces Namespace reference

Namespace reference

ACL Profiles

Actions

Certificates

Content Filter Profiles

Content Filter Rules

Data queries

Two of the Data queries routes below manage . The rest are for retrieving traffic data; for instructions on using them, see .

Dynamic Rules

Log Exporters

Mobile Application Groups

Traffic Filtering Process

Introduction

Link11 WAAP subjects incoming requests to a multi-stage filtering process.

Below is a high-level description of the overall process. For a more in-depth review of the various stages and how to configure them, see their detailed discussion in the Console UI Walkthrough section of this manual, as linked to below in each description.

When processing an incoming request, L11WAAP enforces the applicable security rulesets. As shown above, some types of rulesets are applicable to all requests, while others will vary depending on each request's destination URL and/or the tags attached to the request. To see how L11WAAP decides which rulesets are applicable to a request, see the Policy Mapping page.

Overview

Link11 WAAP acts as a proxy for the backend that it protects. It receives incoming requests, and examines them for potential threats. Requests that pass inspection are passed through to the backend. Those that do not pass inspection trigger an , which often is either a blocking action or a . Along the way, L11WAAP logs the request and the actions that occur, which are available to admins via analytics and dashboards.

The diagram above shows the progression of incoming requests through this process, shown from left to right. When a request successfully passes a stage, it proceeds to the next stage, as designated by a green arrow. When it does not, it follows the red arrow instead. Black arrows show activities that occur independent of a request's evaluation.

Stages/components of traffic filtering

"Request Pre-Processing" Edge Functions

Before any other processing occurs, L11WAAP can execute one or more . An Edge Function consists of custom Lua code; it allows admins to extend the system's capabilities as desired.

Each Edge Function contains a parameter. When this is set to Request Pre Processing, the Function is executed immediately, before other processing occurs.

Initialization

L11WAAP uses a when processing and evaluating requests. At various points during processing, tags are attached to a request based on its source, content, and other characteristics.

Subsequently, the attached tags can be the basis for decisions about the disposition of the request.

In this stage of processing, each request receives a . For example, every request will be tagged with all, along with tags for the geolocation of the traffic source.

This stage is also when L11WAAP performs : determining which security rulesets should be enforced upon the request.

Global Filters

The stage has two primary purposes:

Attaching tags when the request matches specified criteria.
Executing an depending on the tags that were attached. In some situations, admins will decide to stop ths system's processing at the Global Filter stage. For example, an admin can decide that if the traffic source is found on a hostile IP list, there is no point in analyzing it further; it should just be blocked.

Flow Control

In this stage, are evaluated. Flow Control allows admins to define and enforce sequences (flows) of requests submitted by traffic sources.

Example: a web application has a login page. A legitimate user will submit a GET request to access the page, followed by a POST request with login credentials. Conversely, a threat actor waging a brute-force attack might conserve resources by submitting a series of POSTS, without any GETs. A Flow Control Policy can allow the legitimate user to access the page, while excluding the threat actor.

Global Rate Limits

Rate limiting restricts the rate at which the system will accept requests from traffic sources. When a limit is exceeded, an action can be taken.

In this stage, rate limiting is enforced upon incoming requests, regardless of their destination URLs. The limits are defined in with enabled.

Rate Limits

In this stage, path-specific rate limiting is enforced. Admins can define different parameters for the limits, depending on the request's destination URL.

Path-specific rate limiting can be configured in two places within the system:

that do not have enabled.
, which allow for IP-based rate limiting to be defined for all applications based upon them.

ACL Profiles

An defines what will happen to a request, based on the tags that it contains. Admins can assign a variety of available actions that will be performed.

As shown in the diagram above, three outcomes are possible:

The request triggers an .
The request is passed, and then subjected to content filtering.
The request is passed, but is exempted from content filtering.

Content Filtering

In this stage, the applicable is used to evaluate the request. Each Profile defines the applicability of various .

This stage fulfills the traditional role of a WAF, which is to examine the content of a request for threat signatures and take action when a match is found.

However, Content Filtering within L11WAAP is much more powerful than this. Admins can configure Content Filter Profiles to allow or block requests if they do have specific characteristics, or if they don't.

"Request Post-Processing" Edge Functions

When an has a setting of Request Post Processing, L11WAAP will execute it as the final step in its processing, before sending the request to the backend.

Customer Backend

When a request has passed all of the system's processing, it is forwarded to the backend. The backend's response is then obtained, and returned to the client. L11WAAP's interaction with the backend is configured in and .

After the request is received from the backend, additional Edge Functions can be run: those with Phase settings of Response Pre Processing and Response Post Processing.

Actions

Various stages of processing can result in an being executed. Often, this is a blocking action, but as well, including the acceptance of the request and bypassing the remainder of the filtering process.

Logging

L11WAAP stores all requests and their details, and makes them accessible in the .

Analytics and Dashboards

The and provide customizable displays of traffic and events.

Dynamic Rules and Quarantines

L11WAAP periodically reviews the most recent tranche of incoming requests and evaluates them using . Unlike the other stages of analysis described above, this is done after the requests have been processed, and the resulting responses have been returned to the user.

Dynamic Rules are not meant to pass or block specific requests. Instead, they are used to analyze the overall behavior of traffic sources, as shown in the requests they have recently submitted.

When a traffic source violates a Dynamic Rule, the traffic source is quarantined. Until the quarantine expires, two things occur:

The traffic source is added to the list, where admins can monitor it.
The traffic source can also be banned, which means that future requests will be blocked. (As shown in the diagram above, this is done by adding the traffic source to an internal system-maintained Global Filter, automatically.)

Flow Control Policies

Tagging valid or invalid session flow patterns

Overview

Flow Control Policies allow admins to define "flow" sequences of submitted requests. As incoming traffic is received, the requests are evaluated against the active Policies. If a defined sequence is completed--in other words, if the listed requests are received in the specified order--the Policy will attach one or more tags to the final request in the sequence. The tags can subsequently trigger an action (allow, block, challenge, etc.)

Link11 WAAP includes several types of behavioral profiling and control. Flow Control Policies are one type of behavioral control that are defined by admins. They can allow, or disallow, traffic sources that display specific patterns of behavior.

Use case example: A web application has a login page. A legitimate user session will begin with a GET request, followed by a POST. However, threat actors who are waging brute-force login attacks will typically just send a series of POSTs. A Flow Control Policy can be the basis for blocking every POST request that was not preceded by a GET.

Usage within applications and APIs

A Flow Control Policy's purpose is to assign its defined Tags to the last request in defined flow sequences. The Tags can then be used in or to trigger specific actions. Usually, a is involved in the process as well (see the implementation example below).

Unlike some other types of security settings, Flow Control Policies are not assigned to paths in , because a Flow Control Policy can incorporate multiple paths within an application or API.

Instead, each Policy has its applicable scope defined by the Active, Include, and Exclude parameters, as described below.

Implementation example

To implement the GET/POST example mentioned above, an admin would create the following configuration:

A Global Filter would assign a tag (e.g., method-post) to all POST requests sent to /login.
A Flow Control Policy would assign a tag (e.g., login-flow) to each POST that was preceded by a GET.

Administration

The main page (shown above) lists all current Flow Control Policies.

The administration (addition/deletion/editing/versioning) of Policies follows the conventions described .

Components

Each Flow Control Policy consists of:

A flow sequence: A list of two or requests that are expected to be received in the sequence shown, within the specified Time frame.
Tag(s) to assign to the final request in the defined flow sequence.
Include/Exclude: Tags to define the scope within which this Policy is enforced.

Each of these is described in depth below.

Individual parameters

Name

A name for this Policy, to be used within the interface. A (shown below the Tags field) will include it as well.

Active

When this toggle is selected, the Policy will be enforced within its defined scope.

Time Frame

This defines the time available for the flow sequence to be completed. When the first request in the sequence is received, an internal timer begins. The final request must be received within the Time Frame in order for the Tags to be assigned.

Count by

At any given time, an application might receive a variety of incoming requests from different users simultaneously, each of which might be at a different stage of a flow sequence. For Flow Control Policies to work successfully, the system must be able to differentiate among all the various streams of incoming traffic, and perform stateful evaluations of each one separately.

The Count by parameter allows admins to define how this differentiation is done. For example, a common configuration is Attribute / IP Address. When the application is receiving requests from multiple IP addresses simultaneously, the requests from each IP will be considered as a separate and distinct set for Flow Control purposes. On the other hand, if it is possible that users will sometimes share IP addresses, then a better choice might be Attribute / Session ID.

Admins have a variety of configuration options for this parameter. Incoming requests can be processed according to specific headers, cookies, arguments, or attributes.

Multifactorial Count by definitions can be set up by selecting "New entry" and editing the controls that appear. When incoming requests are evaluated, the Count by definitions are combined with a logical AND.

Description

Information about this Policy, for use within the interface.

Include and Exclude

These are lists of tags that can limit the applicable scope for this Policy. Their use is described on the page.

Flow Control Sequence

This is an admin-defined sequence of at least two steps.

The system maintains stateful histories of each traffic stream defined by the Count by parameter. When a series of incoming requests matches the Flow Control Sequence exactly, the final request has the defined Tags attached.

Each step in the sequence is defined by a Method, Host, and Path, along with any optional parameters added by an admin.

A new Flow Control Policy includes a two-step sequence by default. To add additional steps, select the "Add Step" button.

Enabling Passive Challenges

As described here, out of the box Link11 WAAP includes an Active Challenge process. This is very useful in distinguishing humans from bots.

Active Challenges work well, but an even better option is Passive Challenges.

Active Challenges temporarily redirect the user's browser. This can affect site metrics gathered by products such as Google Analytics. (Specifically, the initial referrer information is lost.) Passive Challenges are simple pieces of Javascript. They do not redirect the user's browser; they merely ask it to solve a challenge, and then insert the L11WAAP cookies.
Active Challenges will not occur when site content is served from a CDN. Passive Challenges can still detect bots in this situation.

Most importantly, Passive Challenges allow L11WAAP to use Biometric Bot Detection—an advanced and sophisticated means of distinguishing humans from automated traffic sources.

Biometric Bot Detection

With Biometric Bot Detection, L11WAAP continually gathers and analyzes stats such as client-side I/O events, triggered by the user’s keyboard, mouse, scroll, touch, zoom, device orientation, movements, and more. Based on these metrics, the platform constructs and maintains behavioral profiles of legitimate human visitors. L11WAAP learns and understands how actual humans interact with the web apps it is protecting. Continuous multivariate analysis verifies that each user is indeed conforming to expected behavioral patterns, and is thus a human user with legitimate intentions.

We recommend that all customers enable Passive Challenges if it is possible to do so. Biometric Bot Detection provides much more robust detection of automated traffic than is possible without it.

Implementation

Implementing Passive Challenges is simple. Place this Javascript code within the pages of your web applications:

The code snippet can go into the header or at the end of the page. The best practice is to place it within the header. This ensures that subsequent calls contain authenticating cookies.

(This matters for the first page served to a visitor. Subsequent pages will already have the authenticating cookies to include with their requests.)

Most customers set up the code snippet as a tag within their tag manager. This makes it simple to install it instantly across their entire site/application.

If desired, the script code can include async and/or defer attributes:

These usually are not necessary, and their effect will depend on the placement of the script within the page. Their use is left to your discretion.

Testing

To test the implementation, use a browser to visit a page containing the Javascript snippet. Once it runs, the browser should have a cookie named waap_id.

Disabling Active Challenges (Optional)

There are two primary situations where customers sometimes want to disable Active Challenges:

When a customer needs site analytics to correctly reflect all referrers. (Active Challenges can interfere with this.)
For API endpoints. Active Challenges are designed to verify the client's browser environment; for most API calls, there is no browser environment to verify. (For users of our , this is not a problem. They can still use active challenges for these endpoints.)

Other than those situations, Active Challenges can be very beneficial.

We recommend that you keep Active Challenges enabled if possible. They automatically eliminate almost all DDoS traffic, scanning tools, and other hostile bot traffic.

If you wish to turn off Active Challenges, do the following.

Decide which paths/URLs should have Active Challenges disabled.
Make a list of the that are enforced upon those paths/URLs.
Ensure that this combined list of Security Policies does not apply to any paths/URLs where you wish to keep Active Challenges enabled. If there are some undesired paths/URLs included, split them off into separate Security Policies that are not part of the list. When you are done, the list of Policies should include all desired paths/URLs, and only those paths/URLs.

Note that the acl-deny-bot ACL Profile includes the all tag in its Bot Challenge / Apply column. As described above, for all Security Policies that use this Profile, you could exempt some traffic sources from Active Challenges by adding tags to the Bot Challenge / Skip column, or all traffic sources by removing the all tag.

However, if this were done, then this Profile would not behave in the way that its name implies. This can cause confusion later: not only during administration, but also when viewing events in the Dashboard and Events Log. To avoid this situation, we recommend that this default Profile should not be edited. Instead, admins should create a separate one for use in the relevant Security Policies.

Turning off Active Challenges will disable the direct blocking of bots (where a requestor is blocked merely for being identified as a bot). However, automated traffic will still be excluded via all other relevant means.

If you have not enabled Passive Challenges (and successfully tested them), disabling Active Challenges is not recommended.

UI Overview and Common Elements

Features and conventions found throughout the user interface

The Link11 WAAP UI has several main parts:

In the left-hand sidebar, there is the console menu. By default, it is collapsed; it will slide out when clicked on, or the ">" button is selected.
The right-hand part of the window varies, depending on what the user has selected. If traffic analytics are not currently displayed, typically this will be a List page or an Editor page.
Most pages have common UI elements, described below.
Most pages have a section for .

These parts are described below, along with a discussion of how L11WAAP is configured and administered through the UI, and some common UI elements that are found throughout the interface.

This consists of the following sections:

Analytics
Security
Sites
System

The first section contains L11WAAP's reporting capabilities. The others are for configuring L11WAAP.

Configuration and Administration

The configuration sections use a common structure for administration, with two types of pages:

List page: Displays all the entries for that configuration type.
Editor page: Provides the ability to edit a specific entry.

List page administration

Most L11WAAP settings are collections of individual entries. The List page allows admins to manage these collections.

Viewing entries

When a configuration type is selected in the sidebar menu (e.g., , shown above), its List page is shown. By default, it shows all the current entries for that configuration type.

The display can be filtered by selecting the funnel icon on the upper right. The list can be downloaded by selecting the download button next to the funnel.

Adding an entry

To add a new entry, select the "+ New" button at the top right of the list.

After adding an entry, .

Deleting an entry

Deleting an entry can be done from the list of entries, or from the entry's Editor page.

From the list, hover the cursor over the entry, then select the trash icon that appears at the end of the entry.
From the Editor page, select the "Delete" button at the top.

You will be asked to confirm the deletion.

After deleting an entry, .

Editing an entry

Hovering the cursor over an entry in the list will reveal an "edit" icon at the right end of the entry. Select this to open that entry in the appropriate Editor page.

Editor pages

Editor pages allow admins to manage individual entries within a collection of configuration settings.

Selecting the "<-" button on the upper left will navigate back to the .

Selecting the entry being displayed

Within an Editor page, the entry being displayed can be changed by selecting the pulldown list at the upper left. (The name shown for the currently-displayed entry is part of the pulldown list.)

Modifying an entry

After editing an entry, be sure to save your changes with the "Save" button at the top of the Editor page, and then .

Note that if you make configuration changes, but do not select the "Save" button before navigating to a different page, your changes will not be retained, and you will not be prompted or asked to confirm.

Duplicating an entry

To clone the entry being displayed, select the "Duplicate" button on the upper right.

Downloading an entry

To download the information in the entry being displayed, select the "Download" button on the upper right.

Deleting an entry

To delete the entry being displayed, select the "Delete" button on the upper right. As mentioned above, entries can also be deleted from the appropriate List page.

Versions and Branches

L11WAAP maintains versions for most of its configuration data. Admins can roll back or forward to a different version at any time.

Versioning

Within the UI, most pages contain a Version History section at the bottom.

This section displays previous versions of configurations, and allows you to revert/restore the system to any saved configuration. By default, it is collapsed:

Expanding it reveals its contents:

To select a different version, hover the cursor over the end of the desired configuration's entry. A button will appear with an icon representing the "restore" operation.

Select this button. Once the process is complete, .

List and Table Filters

Throughout the interface, there are various lists and tables. Most of them have filter fields: text boxes at the top of each column, which will accept expressions to filter the displayed entries.

Here's an example of the Global Filters list, with crawler entered into the filter for the Name column:

As shown here, entering an expression will filter the results to display only matching entries, if any. Multiple filter fields can be used simultaneously; they will be combined with a logical AND.

The filter fields support regex.

Tag selector

Many settings include , as in this Security Policy example:

The dropdown list allows admins to add one or more . Below the list, the are displayed.

Administration and management of tags is described in detail here: .

Include and Exclude Filter Lists

The Editor pages for some types of security rules (, , and ) contain two lists labeled Include and Exclude.

By default, a security rule will be enforced for all incoming requests within its scope. The Include and Exclude lists can be used to limit the scope of this enforcement.

Each list can contain one or more tags:

If the Exclude list contains any tags, a request is exempted from enforcement if it matches the list.
If the Include list contains any tags, a request is exempted from enforcement unless it matches the list.

What it means to "match" the list

Rate Limit Rules and Dynamic Rules have or/and selectors for their Include and Exclude tag lists. These selectors become visible when more than one tag has been added to a list.

When a list is set to or, a request will match if it contains any of the tags in the list.
When a list is set to and, a request will match only if it contains all of the tags in the list.

Note that for any security rule, its two lists are separate, and can be set to different modes.

Flow Control Policy tag lists do not have or/and selectors. These lists operate in or mode; therefore, a request will match a list if it contains any of the tags in the list.

Important details about the Include/Exclude process

The Exclude list is evaluated before the Include list, and takes priority. See example below.
The Include list is not exhaustive. In other words, for the security rule to be enforced, all of the request's tags do not need to be listed in Include. However, if the Include list contains any tags, the request must have at least one (in OR mode) or all (in AND mode) of them, for it to be subjected to enforcement.
An empty Include list is treated as if it contains all. This is a system tag that all requests have. In other words, by default, the security rule will be enforced on every request (unless the request matches the

As mentioned above, Exclude takes priority over Include. Example: a request has been tagged withfoo. A security rule has Includefooand Excludeall. The request will be excluded from evaluation by this rule.

To add a tag to a list, select the "+" button. To remove a tag, hover the cursor over it and select the "x" that appears on it. To remove all tags, hover the cursor over the tag list and select the "X" that appears at the end of the list.

Connections to Security Policies

map security rulesets to paths within . The connections can be made within the Security Policies Editor.

These 'parent-to-child' relationships can also be configured within some of the Editor pages for the 'child' entities: , and .

The Connections to Security Policies list contains all of the paths within that use the child entity, and it allows admins to link the entity to additional Security Policies. In this context, a "connection" defines the scope within which the entity will be executed/enforced (assuming the entity is otherwise configured appropriately, e.g. the Rate Limit Rule is in Active mode).

Connections are created by adding entries to the list, confirming them by selecting the checkbox at the end of the entry, saving the changes, then publishing.

Admins can define individual connections, or multiple connections at once:

When Security Policies Name is set to a specific Security Policy, three options are available:
- Match path creates one connection to the path(s) defined in the Path or Expression field. See note below about multiple path definitions.
- Site Level creates a single connection to all paths within the site. This option is unavailable when an existing connection to this Policy contains a value in the Path or Expression field.

The Path or Expression field can contain multiple path definitions. The pulldown offers a list of previously-created definitions; to create a new one, enter it into the textbox. When all necessary definitions are available, select their corresponding checkboxes.

When a Policy has been connected at the Site Level, it will no longer appear for additional connections in the dropdown list of Policies.

SSO Configuration

Link11 WAAP provides the ability to log in using SSO (single sign-on). Configuration varies depending on the type of SSO: Okta, Microsoft, or Google.

Set up Okta SSO

Step 1: register on , and create an application

Go to https://{YOUR ACCOUNT}-admin.okta.com/admin/apps/active

Click Add Application → Create New App

Choose Platform: Web, sign-in method OIDC (OAuth 2.0)

Set these attributes:

Sign-in redirect URIs:

https://<planet-name>.app.reblaze.io/auth/okta-oauth2-<planet-name>/authorization-code/callback

Federation Broker mode: disabled

Step 2: Create group

In order to pass the Admin group ID, we need to add a custom attribute to the user groups. Directory > Profile Editor > Apps > Click on Profile

Now map it:

Directory > Profile Editor > Apps > Click on Mappings

Assign group reblazeadmin to your app.

Copy the values for Client ID and a new client secret:

Step 3: Add parameters to Reblaze

On the Reblaze SSO page (System -> SSO Configuration):

Fill in the requested values. For Issuer, use your Okta account. For IDP Group Claim, use the group you created above in Step 2.

Set up Microsoft Entra ID SSO

Step 1: Go to → `Enterprise applications`

Step 2. Create the application

Choose + New Application → + Create your own application:

Step 3: Create the SSO app

Select Integrate any other application you don't find in the gallery (Non-gallery)

Step 4: Select SAML method

Go to Single sign-on section and choose SAML:

Step 5: Set up appropriate links

Edit the Basic SAML Configuration:

Set Azure's Identifier (Entity ID) to <planet-name>.app.reblaze.io. Alternately, a unique identifier can be entered (e.g., customer_domain.com?sso=123), without any "https://" prefix. In either case, save a copy of this value somewhere; it will be needed again later.
Set Azure's Reply URL to https://<planet-name>.app.reblaze.io/auth/azure-saml2-<planet-name>/authorization-code/callback

Step 6: Add a user group claim

Edit user.groups:

Click on +Add a group claim, and choose:

All groups
Source attribute: Group ID

Step 7: Add a user as a member of the application:

Step 8: Get admin group ID

Go to Azure Active Directory → Groups, and create a group.

And assign a user to the group:

Step 9: Get SAML 2 data for Reblaze

From Azure's Single sign-on section, copy the Entity ID (entered during a previous step) and Login URL:

And from the Groups Overview section, copy the Object Id. This should be the same ID from Step 8.)

Add these parameters to the Reblaze SSO page. For Reblaze's IDP group claim, use Azure's Object Id.

Set up Google SSO

Step 1: Generate new OAuth credentials

Go to Google APIs & Services Credentials:
Click Create Credentials (shown below) -> OAuth client ID

Step 2: Configure the new OAuth client ID

For Application type, select Web application
Specify a Name for this client ID. (This name is only shown in the Google Cloud console.)

Step 3: Add authorized URIs

Define the domains and endpoints used by your planet to communicate with the OAuth 2.0 server:

Authorized JavaScript origins: https://<planet-name>.app.reblaze.io
Authorized redirect URIs: https://<planet-name>.app.reblaze.io/auth/google-oauth2-<planet-name>/authorization-code/callback

Step 4: Create and get credentials

When you are done with the above steps, select Create. The new client ID will be created and displayed to you.
Copy the credentials (client id + client secret) for use in the following steps below.

Step 5: Enable the Admin SDK API

Navigate to
In the APIs & Services menu, select Library
Search for "Admin SDK API", and select the result. The Admin SDK page will appear.
Select ENABLE if it isn't already enabled.

Step 6: Authorize the API client

Navigate to
Select Security -> Settings
At the bottom of the page, select API access control
Select Domain wide delegation -> Manage domain wide delegation

Step 7: Configure Reblaze SSO

Within the Reblaze console, go to the SSO page (System -> SSO Configuration).

Enabled: if not already "on", toggle it
SSO login name: choose a name for display within the console
Provider: select google
OAuth2 Client id: enter the client id obtained in Step 4

Step 8: Map groups

Every Reblaze user account has a role, with an Access Level that defines permissions. There are available, with varying capabilities.

When a user logs in via Google SSO, the system uses their Google Groups to determine which role they will have within Reblaze.

In this step, you will define (if necessary) and connect Google groups to Reblaze roles.

Determine how many roles are being used within your planet. (Some organizations will use all four, while others might not.)
Navigate to . Consider the Groups that currently exist; would any map well to a Reblaze role? For each role that does not currently have an appropriate Google Group, select Create Group and define one.
Return to the Reblaze SSO Configuration page. For each role being used, create a group map with:

API access to traffic data

The page below describes how to retrieve traffic data via the API. It contains these main sections:

Introduction
The filters parameter (which specifies the traffic data that will be retrieved)
The four API routes that retrieve traffic data, and how to use them

Introduction

The provides access to traffic data, via these four routes:

GET /api/v4.0/data/topx
GET /api/v4.0/data/stats
GET /api/v4.0/data/timeline
GET /api/v4.0/data/logs

Each includes an input parameter named filters. This parameter specifies the traffic data that will be retrieved.

Below, we begin by discussing this parameter's usage, syntax, and construction. Then we discuss the four API routes that require it, and the different types of data they return.

The filters parameter

filters is a string that specifies one or more conditions. A database query is constructed from those conditions, and the results are returned to the user.

Usage of the filters parameter depends on the context:

When using Swagger UI, this value is supplied directly in the filters input field.
When using curl to call the Link11 WAAP API, this value is encoded into the destination URL, preceded by "filters=". See for more information.

A short example

Here is an example of a filters specification in JSON format:

This will return requests which:

were received in a five-minute time period (from 2024-06-06 09:31:00 to 2024-06-06 09:36:00), and...
have a containing the string unrecognized . (In this example, the admin wanted to retrieve requests tagged with unrecognized-host-header.)

Format

The filters parameter can be supplied as a query string, or as JSON.

Query string format

This format is used in the first input field in the UI's and . For example, this query string will display all requests with a 301 response code within a certain time period:

status=301, timestamp between 2024-06-06 09:31:00 and 2024-06-06 09:36:00

For more information on this format, see .

JSON format

The JSON equivalent of the query string above is:

(This is provided as an example only. A full discussion of JSON syntax is below.)

Converting from query string to JSON

The POST /api/v4.0/data/timeline/parse API route accepts query strings and returns the same query in JSON format.

JSON structure

The discussion below will focus on building the filters parameter in JSON format, for two reasons. First, text query strings are discussed elsewhere (in the links given above). Second, for complex queries, JSON is more powerful.

A JSON filters parameter is structured as follows:

The first condition: a range of dates/times

The first condition must be included, and must be a range of dates/times. It is structured as follows:

where $TIMESTAMP1 and $TIMESTAMP2 are timestamps: specifications of date and time.

For timestamps, any ISO format is supported. Nevertheless, both timestamps must include year, month, and day.

If hours, minutes, or seconds are not included in a timestamp, the time will be rendered as the beginning of the day/hour/minute, respectively. Examples: "2022-07-14" -> "2022-07-14 00:00:00", "2022-07-14 06:52" -> "2022-07-14 06:52:00", etc.

Subsequent conditions

After the first condition, additional conditions can be specified if desired. They are structured as follows:

They must meet these requirements:

Multiple conditions are combined with a logical AND. (A logical OR is not supported, as this could potentially retrieve unexpectedly large amounts of data.)
When multiple conditions are provided, all are followed by commas, except for the final one.
The "key" line is optional; see discussion .

Here in the documentation, spaces and carriage returns are included in JSON filter examples for clarity. In usage, they are optional.

Also, the order of a condition's components (its field/op/key/value) does not matter.

Field names

Available fields include those inherent to HTTP requests, along with additional data added by L11WAAP during processing.

Some of the added information consists of internal IDs for the security settings that are relevant to the request.
Some requests will not contain all possible information. When L11WAAP blocks a request, processing usually stops immediately, and later stages in the do not occur.

Field name

Comments

Key

For some types of data, it might not be enough to specify the field, because there could be multiple parameters in the request that match it. For example, a field name of "cookies" or "headers" does not tell the system which cookie or header to inspect.

The key field supplies this information; it is the name of the specific parameter to evaluate. If this parameter is not defined, the system will inspect all instances of the specified field (all cookies, all headers, etc.).

Some examples are in the below.

Values

Values should be specified in the appropriate data type: strings as quote-delimited strings, integers as numbers, etc. Arrays of values can be supplied.

Operators

Operator

Data Type

Description

Negative operators

Operators can be inverted by adding not. For example, not eq means "does not equal".

Inverting a condition

It's possible to invert an entire condition by adding NOT, like this:

JSON filter examples

Retrieve PUT and POST requests:

Retrieve requests containing a tag that matches "geo" or "location":

Retrieve requests where certain cookies' values match a regex:

Retrieve requests where any cookie's value matches a regex:

Retrieve requests according to a subfield (the acl_active subfield of security_config must be greater than 11).

Retrieve requests according to an array of subfields:

Retrieve requests according to a combination of conditions (there is no limit on the number of conditions):

API access to traffic data

As noted previously, there are four API routes that use the filters parameter to retrieve traffic data:

GET /api/v4.0/data/topx
GET /api/v4.0/data/stats
GET /api/v4.0/data/timeline
GET /api/v4.0/data/logs

Their typical uses are as follows.

Quickly discover the most important factors in the traffic stream (e.g., the countries sending the most blocked requests, the URLs receiving the most bot traffic, etc.): use the topx route.

Get a summary of traffic statistics (total requests, bandwidth, and latency): use the stats route.

Get a summary of security metrics (total requests, blocked requests, status codes returned, number of human clients, activity of the origin, etc.): use the timeline route.

Get complete data for all requests matching certain criteria (often used for drilling down into trends discovered from the other routes): use the logs route.

Below, we discuss each route in detail.

GET /api/v4.0/data/topx

This route provides API access to the same available in the Dashboard. Here's an example of Top Countries in the Dashboard:

Calling this route returns all metrics of data: all results for "top applications", all results for "top countries", all items for "top sources", and so on. They are combined into a single continuous list:

...where the list of $RESULTs looks something like this (incomplete) example:

We see that in the time period specified in the filters parameter, there were three IP addresses in two countries that sent requests to a single URL.

Some points to note:

The results are organized and grouped together in the list according to their label.
Labels are ordered alphabetically.
Labels can differ in their number of results.
The route returns the "top" results for each label (for example, results with the "ip" label show the IPs that sent the most blocked requests). When there are only a few results for a given label, all are retrieved. When there are many, only the "top" results are retrieved.

Actual usage

The example above is oversimplified. In actual use, the topx route:

Returns much more data per result, not just key and label (see the list of fields below)
Returns more categories than just country, ip, and url (see the discussion of the label field below)

A detailed discussion of topx follows.

Contents of each result

Each result contains the fields listed below.

The _time fields are in seconds. These are floats, but can appear at various precisions: zero decimal places, several decimal places, or scientific notation (e.g., 1.6210818451802098e-9).

Result field name

Type

Comments

Organization of results: the label and key fields

The topx route returns results in a specific order:

Results are grouped together according to their label (i.e., their category).
Labels are ordered alphabetically (see full list below)
Within each label, results are ordered by num_of_blocked_requests, in descending order.

Notice that this is unlike the UI's Dashboard Top Metrics, where some types of results have other default orders.

The topx route returns twelve categories of results, each with its own label. The label determines the contents of the key field.

Label

'Key' field contains

GET /api/v4.0/data/stats

This route returns traffic metrics for the requested time period, broken down into shorter segments of time.

Data structures

The retrieved metrics are structured like this:

...where each $RESULTS-TIMESEGMENT-x has this structure:

Contents of each result

Field name

GET /api/v4.0/data/timeline

This route returns security metrics for the requested time period, broken down into shorter segments of time.

Data structures

The retrieved metrics are structured like this:

...where each $RESULTS-TIMESEGMENT-x has this structure:

...and each $STATUS-DATA-x contains the number of responses with a specific status:

Contents of each result

Field name

GET /api/v4.0/data/logs

This route returns all requests that match the filter parameters, up to the number of requests specified. The results are returned like this:

Each $REQUEST has this structure:

...where the $FIELDs are the Field names listed in the filters discussion, and the $VALUEs are their values, if any. So a request looks like this: