Apply WAF Rules List on a Load Balancer

Objective

This guide provides instructions on how to configure a WAF Rule List object for a service policy. A WAF Rules List is created with rule IDs to exclude certain rules from WAF processing, on the load balancer. The rule IDs vary and you can select more than one rule ID for your list.

You can create a WAF Rules List, add it to the service policy, and then make the service policy an active one. By default, the load balancer applies any active service policy.

You can also create a WAF Rules List, forgo making a service policy active, but apply the WAF Rules List on the load balancer during security configuration.

For more information, see Application Firewall.

Using the instructions provided in this document, you can create a WAF rules list, and then apply those rules to a load balancer to help secure your applications from attacks.

---

Prerequisites

• An F5 Distributed Cloud Account. If you do not have an account, see Getting Started with Console.

• An HTTP or HTTPS load balancer in your edge/cloud site or in the Volterra global network cloud. If you do not have an existing virtual host, see HTTP Load Balancer.

• A service policy in your edge/cloud site or in the Volterra global network cloud. If you do not have an existing service policy, see Service Policy.

---

Create a WAF Rules List

Create a WAF Rules List object using the rule IDs provided. You have the option to add as many rule IDs as you need to a single WAF Rules List object.

Step 1: Navigate to the namespace in VoltConsole.

• Log into VoltConsole.
• From the App namespace, select a namespace using the drop-down menu.
• Click Security -> App Firewall -> App Firewall Rule Lists.
  

  Figure: Add Firewall Rule Lists

Step 2: Start creating the WAF Rules List.

• Click Add firewall rule list.
• In the form that appears:
  • In the Name field, provide a name for the object. Optionally, add a description and select a label.
  • From the WAF Rule List drop-down menu, select a rule for the list object. You can select multiple rule IDs.
  • After you finish, click Save and Exit.
    

    Figure: Rule List Form

---

Activate the Service Policy

Ensure the WAF Rules List is enabled within the service policy before activating the service policy.

Note: This procedure assumes you have an existing service policy. To create a new service policy, see the instructions at Service Policy.

Step 1: Enable the WAF Rules List in the service policy.

• In your namespace, click Security -> Service Policy -> Service Policies.
• Click Select Active Service Policies.
• Click Select Service Policy.
• From the list, find your service policy and then click ....
• In the form that appears:
  • From the Select Policy Rules drop-down menu, select Custom Rule List.
  • In the Name field, enter a name for the WAF Rules List.
  • Click Edit.
  • From the App Firewall Action drop-down menu, select App Firewall Rule Control.
  • Click Select Exclude Rule Id.
    

    Figure: App Firewall Rule Control

  • Select the WAF Rules List, and then click Select Exclude Rule Id.
    

    Figure: Rule List to Exclude

  • Click Apply.
• Click Save and Exit.

Step 2: Activate the service policy.

• Click Security -> Service Policy -> Active Service Policies.
• Click Select Active Service Policies.
• In the form that appears:
  • Click Select Service Policy.
    

    Figure: Select Active Service Policy

  • Select the service policy, and then click Select Service Policy.
  • Click Save and Exit.
    

    Figure: Select Active Service Policy

---

Enable the WAF Rules List in the Load Balancer

If you did not activate the service policy, you can use the steps below to configure your load balancer to use the WAF Rules List. If you enabled and activated the service policy that contained the WAF Rules List, then the load balancer will automatically use the WAF Rules List.

Note: This procedure assumes you have an existing load balancer. To create a new load balancer, see the instructions at HTTP Load Balancer.

Step 1: Navigate to your load balancer.

• In your namespace, click Manage -> Load Balancers -> HTTP Load Balancers.
• From the list, find your load balancer, and then click ....
• Click Edit.
  

  Figure: Select Load Balancer to Edit

Step 2: Add the WAF Rules List.

• In the form that appears, click Security Configuration, and then click Show Advanced Fields.
• From the Service Policies drop-down menu, select a service policy for the load balancer. The options include:
  • Apply Namespace Service Policies: This option uses the active service policy that contains the WAF Rules List. The rules mentioned in the rules list are excluded from WAF processing for the traffic handled by the load balancer.
  • Do Not Apply Service Policies: This option prevents WAF processing from using the WAF Rules List.
  • Apply Specified Service Policies: This option uses the service policy for this load balancer traffic only, and not on the entire namespace.
• If you selected Apply Namespace Service Policies:
  • From the Select Web Application Firewall (WAF) Config drop-down menu, select Specify WAF Rules.
  • From the Specify WAF Rules drop-down menu, select your WAF Rules List.
• If you selected Apply Specified Service Policies:
  • From the Select Web Application Firewall (WAF) Config drop-down menu, select Specify WAF Rules.
    

    Figure: Select WAF Rules List

  • From the Specify WAF Rules drop-down menu, select your WAF Rules List.
• Click Save and Exit.

---

Concepts

Service Policy

---

References

Service Policy Web Application Firewall HTTP Load Balancer