Configure App Firewall

Objective

This document provides instructions on how to deploy and configure a rule-based Web Application Firewall (WAF) on a virtual host. The Volterra WAF consists of rules that either allow or block requests based on the configuration. To learn more about WAF and the WAF rules, see App Firewall.

Using the instructions provided in this document, you can create WAF rules or a WAF object and associate them with a virtual host to secure your applications.


Prerequisites

  • VES account

    Note: If you do not have an account, see Create a VES Account.

  • A Virtual Host in your edge/cloud site or in our global network cloud

    Note: If you do not have an existing virtual host, see Create a Virtual Host.

  • Optionally, one or more cloud or edge locations with Volterra Site

    Note: Install Volterra node or cluster image in your cloud or edge location. For more information, see Create a Site.


Configuration

The following image shows the configuration workflow for creating an application firewall:

Figure: Creating an AppFirewall

Configuration Sequence

Configuring application firewall requires performing the following sequence of actions:

| Phase | Description |
|---|---|
| Create WAF Rules | Create WAF rules object in your namespace. This object contains rules selected from the Core Rules Set (CRS) and Volterra Rules Set (VRS). |
| Create WAF | Create application firewall object and configure the application settings. |
| Attach WAF to Virtual Host | Apply the firewall object to a virtual host. |

Create WAF Rules

You can select rules in the core-rule-set or volterra-rule-set to be enabled or disabled by configuring the WAF rules object. You can specify the following settings:

  • Whether a rule is blocking or alerting
  • Hit thresholds for the rules
  • Exclude or include list of rule IDs

Step 1: Select the desired namespace or create a namespace where the application firewall needs to be created.

Figure: Navigate or Create new namespace

Step 2: Select Security from the configuration menu. Select App Firewall and Firewall Rules from the options pane.

Figure: Web App Firewall

Step 3: Click Add WAF rule to load the WAF rule creation form. Enter the configuration parameters as per the following guidelines:

  • Name: Enter a name for your rules object.
  • Mode: Supported options are BLOCK or ALERT_ONLY. Select an appropriate option as per your requirement.
  • Anomaly Score Threshold: The default value is 5. If the anomaly score is equal to or greater than the threshold, the response action is as per the configured value of the Mode field.
  • Paranoia Level: Specifies the strictness levels of configured rules. Value range is 1-3. The default value is 1.
  • Rule IDs: Select the desired rules for evaluation from the CRS and VRS offerings.
  • Rule List Type: Include or exclude the desired rules selected in the Rule IDs field.

Figure: Create App Firewall Rule
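
The following is an added example, not Volterra code, that models how the Step 3 settings interact when a request matches several rules. It assumes CRS-style severity scores, that a rule is evaluated only at or above its own paranoia level, and that the Rule List Type values are named INCLUDE and EXCLUDE; the rule IDs are constructed placeholders.

```python
from dataclasses import dataclass

# CRS-style severity scores (assumption; the page does not list per-rule scores).
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}

@dataclass(frozen=True)
class Rule:
    rule_id: int
    severity: str
    paranoia: int  # lowest Paranoia Level at which the rule is evaluated

@dataclass
class WafRules:
    mode: str = "BLOCK"                # BLOCK or ALERT_ONLY
    anomaly_score_threshold: int = 5   # page default
    paranoia_level: int = 1            # page default, range 1-3
    rule_ids: frozenset = frozenset()
    rule_list_type: str = "EXCLUDE"    # hypothetical names: INCLUDE / EXCLUDE

    def __post_init__(self):
        if self.mode not in ("BLOCK", "ALERT_ONLY"):
            raise ValueError("mode must be BLOCK or ALERT_ONLY")
        if not 1 <= self.paranoia_level <= 3:
            raise ValueError("paranoia_level must be 1-3")
        if self.rule_list_type not in ("INCLUDE", "EXCLUDE"):
            raise ValueError("rule_list_type must be INCLUDE or EXCLUDE")

    def is_active(self, rule):
        if rule.paranoia > self.paranoia_level:
            return False
        listed = rule.rule_id in self.rule_ids
        return listed if self.rule_list_type == "INCLUDE" else not listed

    def evaluate(self, matched):
        """Return (anomaly score, action) for the rules a request matched."""
        score = sum(SEVERITY_SCORE[r.severity] for r in matched if self.is_active(r))
        if score < self.anomaly_score_threshold:
            return score, "ALLOW"
        return score, ("BLOCK" if self.mode == "BLOCK" else "ALERT")

# Constructed sample rules; the IDs are placeholders, not real CRS/VRS rule IDs.
SQLI = Rule(1001, "CRITICAL", 1)
PROTOCOL = Rule(1002, "WARNING", 1)
STRICT = Rule(1003, "NOTICE", 2)

if __name__ == "__main__":
    for cfg in (WafRules(), WafRules(mode="ALERT_ONLY"), WafRules(paranoia_level=2),
                WafRules(rule_ids=frozenset({1001}))):
        print(cfg, cfg.evaluate([SQLI]), cfg.evaluate([PROTOCOL, STRICT]))
```

In this model, raising the paranoia level from 1 to 2 turns the same pair of low-severity matches from an allowed request into a blocked one, and excluding a single critical rule drops its match to a score of 0, so both settings are worth trialling in ALERT_ONLY mode before switching to BLOCK.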

Create WAF

Instead of enabling all the rules or selecting individual rules, you can use a WAF object to define only the types of technologies used by your applications and the types of attacks to be detected. The system then determines the course of action to be taken during the operation.

Step 1: Select Security from the configuration menu. Select App Firewall and Firewall from the options pane. Click Add WAF to load the WAF creation form. Enter the configuration parameters as per the following guidelines.

  • Name: Enter a name for your WAF object.
  • Mode: Supported options are BLOCK or ALERT_ONLY. Select an appropriate option as per your requirement.
  • Language: Specify the application language type. This is an optional parameter.
  • CMS: Specify which CMS the application is using.
  • Webserver: Specify which web server the application is using.

Figure: Create App Firewall

Attach WAF to Virtual Host

After creating one or more WAF rules objects or a simplified WAF object, attach it to a virtual host object. This example covers attaching the simplified WAF object.

Step 1: Go to the system namespace. Select Manage from the configuration menu and Virtual Hosts from the options pane. Open the edit configuration form for the virtual host to which the WAF is to be applied.

Step 2: Select the WAF config type for the WAF section. Select a type as per the following guidelines:

  • Select WAF for application firewall
  • Select WAF Rules for firewall rules

This example shows applying a WAF to the virtual host.

Figure: Virtual Host WAF Selection

Note: After attaching WAF to a virtual host, you can observe the WAF operation on the Volterra Console. See Monitor your Application Firewall for more information.


Concepts


API References

WAF
WAF Rules
Create WAF
Create WAF Rule