Web Application Firewall

Objective

This document provides instructions on how to deploy and configure a rule-based Web Application Firewall (WAF) on a virtual host. The Volterra WAF consists of rules that either allow or block requests based on the configuration. To learn more about WAF and the WAF rules, see App Firewall.

Using the instructions provided in this document, you can create WAF rules and a WAF object, and associate them with a virtual host to secure your applications.


Prerequisites

  • Volterra Account

    Note: If you do not have an account, see Create a Volterra Account.

  • A Virtual Host in your edge/cloud site or in our global network cloud

    Note: If you do not have an existing virtual host, see Create a Virtual Host.

  • Optionally, one or more cloud or edge locations with Volterra Site

    Note: Install Volterra node or cluster image in your cloud or edge location. For more information, see Site Management.


Configuration

The following image shows the configuration workflow for creating an application firewall:

Figure: Creating an AppFirewall

Configuration Sequence

Configuring an application firewall requires performing the following phases in sequence:

  • Create WAF Rules: Create WAF rules object in your namespace. This object contains rules selected from the Core Rules Set (CRS) and Volterra Rules Set (VRS).
  • Create WAF: Create application firewall object and configure the application settings.
  • Attach WAF to Virtual Host: Apply the firewall object to a virtual host.

Create WAF Rules

You can select rules in the core-rule-set or volterra-rule-set to be enabled or disabled by configuring the WAF rules object. You can specify the following settings:

  • Whether a rule is blocking or alerting
  • Hit thresholds for the rules
  • Exclude or include list of rule IDs

Step 1: Log into VoltConsole and click the App option in the namespace selector. Select the desired namespace from the namespace drop-down list.

Note: You can also create a new namespace for the application firewall. Click the General option in the namespace selector, select Personal Management -> My Namespaces, click Add namespace, add a name, and click Save to create a namespace.

Figure: Navigate or Create new namespace

Step 2: Select Security -> App Firewall from the configuration menu. Select App Firewall Rules from the options pane.

Figure: Web App Firewall Rules

Step 3: Click Add Firewall rules to load the WAF rule creation form. Enter the configuration parameters as per the following guidelines:

  • Name: Enter a name for your rules object.
  • Mode: Supported options are BLOCK or ALERT_ONLY. Select an appropriate option as per your requirement.
  • Anomaly Score Threshold: The default value is 5. If the anomaly score is equal to or greater than the threshold, the response action is as per the configured value of the Mode field.
  • Paranoia Level: Specifies the strictness levels of configured rules. Value range is 1-4. The default value is 1.
  • Rule IDs: Select the desired rules for evaluation from the CRS and VRS offerings.
  • Rule List Type: Include or exclude the desired rules selected in the Rule IDs field.

Figure: Create App Firewall Rule
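The following Python model is an added example, not Volterra code, showing how the Mode, Anomaly Score Threshold, Paranoia Level, Rule IDs and Rule List Type fields described above combine into a per-request decision. The rule catalogue, its scores, the INCLUDE/EXCLUDE labels, the ALLOW/ALERT action names and the precedence of Paranoia Level over the include list are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    rule_id: str
    paranoia: int  # lowest Paranoia Level (1-4) at which the rule is evaluated
    score: int     # points a match adds to the request's anomaly score

# Constructed catalogue: IDs, levels and scores are illustrative, not real CRS/VRS rules.
CATALOGUE = (
    Rule("sample-sqli", 1, 5),
    Rule("sample-xss", 1, 5),
    Rule("sample-numeric-host", 1, 3),
    Rule("sample-missing-accept", 2, 2),
    Rule("sample-sql-chars", 2, 3),
)

@dataclass(frozen=True)
class WafRules:
    mode: str = "BLOCK"              # BLOCK or ALERT_ONLY (values from the page)
    anomaly_threshold: int = 5       # default stated on the page
    paranoia_level: int = 1          # default stated on the page, range 1-4
    rule_ids: frozenset = frozenset()
    list_type: str = "EXCLUDE"       # assumed labels: INCLUDE or EXCLUDE

    def __post_init__(self):
        if self.mode not in ("BLOCK", "ALERT_ONLY"):
            raise ValueError("mode must be BLOCK or ALERT_ONLY")
        if not 1 <= self.paranoia_level <= 4:
            raise ValueError("paranoia level must be in the range 1-4")
        if self.list_type not in ("INCLUDE", "EXCLUDE"):
            raise ValueError("list_type must be INCLUDE or EXCLUDE")

    def is_active(self, rule):
        # Assumption: a rule above the configured paranoia level is never evaluated.
        if rule.paranoia > self.paranoia_level:
            return False
        listed = rule.rule_id in self.rule_ids
        return listed if self.list_type == "INCLUDE" else not listed

    def evaluate(self, matched_ids):
        """Return (anomaly_score, action) for the rule IDs a request matched."""
        score = sum(r.score for r in CATALOGUE
                    if r.rule_id in matched_ids and self.is_active(r))
        if score < self.anomaly_threshold:
            return score, "ALLOW"
        # Score equal to or above the threshold: act according to Mode.
        return score, ("BLOCK" if self.mode == "BLOCK" else "ALERT")
```

In this model, a request matching only the two low-scoring sample rules is allowed at Paranoia Level 1 but reaches the threshold of 5 at level 2, which is why ALERT_ONLY is useful for observing the effect of a stricter level before switching to BLOCK.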


Create WAF

Instead of enabling all the rules or selecting individual rules, you can use a WAF object to define just the types of technologies used by your applications and the types of attacks to be detected. The system then determines the course of action to be taken during the operation.

Step 1: Select Security -> App Firewall from the configuration menu. Select App Firewall from the options pane. Click Add Firewall to load the WAF creation form. Enter the configuration parameters as per the following guidelines:

  • Name: Enter a name for your WAF object.
  • Mode: Supported options are BLOCK or ALERT_ONLY. Select an appropriate option as per your requirement.
  • Language: Specify the application language type. This is an optional parameter.
  • CMS: Specify which CMS the application is using.
  • Webserver: Specify which web server the application is using.
  • Detection Tag: Select which security rules are to be disabled.

Figure: Create App Firewall


Attach WAF to Load Balancer

After creating one or more WAF rules objects or a simplified WAF object, attach it to a load balancer object. This example covers attaching the simplified WAF object.

Step 1: Select Manage -> Load Balancers from the configuration menu and select HTTP Load Balancers in the options. Click ... -> Edit for the load balancer to which the WAF is to be applied.

Step 2: Navigate to the security configuration and enable the Show Advanced Fields option. Select Specify WAF Intent for the Select Web Application Firewall (WAF) Config field. Click on the Specify WAF Intent field and select the WAF you created in the previous step.

Figure: Load Balancer WAF Configuration

Note: You can use the Specify WAF Rules option to attach individual WAF rules.

Step 3: Click Save and Exit to save changes.

Note: After attaching WAF to a load balancer, you can observe the WAF operation on the VoltConsole using the load balancer dashboard.

