Application Firewall

• From the Console homepage, click Web App & API Protection.

• Select the desired namespace from the Namespace drop-down menu.

Note: You can also create a namespace where the application firewall needs to be created in. From the Console homepage, Select the Administration service, and then select Personal Management > My Namespaces. Click Add namespace, add a name, and then click Save.

• Click Manage > App Firewall.

• Click Add App Firewall to load the WAF creation form.

Fill in the required information marked with an asterisk (*) symbol:

• In the Name field under the Metadata section, enter a name for the WAF object.

• From the Enforcement Mode drop-down menu under the Enforcement Mode section, select whether you want the WAF to only monitor or block traffic:

  • Blocking: Malicious traffic is both logged and blocked.

  • Monitoring: Traffic is not blocked, but any malicious and suspicious traffic generates security events (logs).

Note: The Enforcement Mode option is with respect to your load balancer. It overrides your load balancer settings for all traffic.

In the Detection Settings section perform the following:

• From the Security Policy drop-down menu, select whether to apply default settings or a custom setting:

  • Default: This setting applies a broad mix of high and medium accuracy signatures, threat campaigns, and all violations.

  • Custom: This setting enables you to apply specific configurations for attack types, signature selections, automatic attack signatures, threat campaigns, and violations. You can change one or all of the configurations.

• If you choose the Custom option, perform the following:

  • Attack types: The Default setting detects all attack types. To configure this option to disable a specific attack type, select Custom. Select the attack type from the Disabled Attack Types drop-down menu. You can use the drop-down menu to select additional attack types to disable.

• From the Signature Selection by Accuracy menu, select from one of the available accuracy options. The High and Medium signatures are enabled by default.

• From the Automatic Attack Signatures Tuning menu, enable or disable the automatic attack signature tuning. This option is enabled by default and the WAF suppresses false positive triggers based on its probabilistic learning model.

• From the Attack Signatures Staging menu, choose whether new and updated signatures are treated differently from the firewall enforcement mode. When signatures are staged, those signatures will be in monitoring mode, even if your firewall is set to blocking mode. Choose one of the following options:

  • Disable: All signature updates will be enforced.

  • Stage new attack signatures: New signatures will be in monitoring mode for the Staging Period, meaning the new signature will not cause a request to be blocked, but you will see signature trigger details in the security event. Existing signatures that have been updated will still be enforced.

  • Stage new and updated attack signatures: New and updated signatures will be in monitoring mode for the Staging Period, meaning the new/updated signature will not cause a request to be blocked, but you will see signature trigger details in the security event.

• From the Threat Campaigns menu, enable or disable the threat campaign detection. When enabled, the WAF detects specific threat campaigns and takes action per the enforcement mode settings.

• From the Violations menu, select Custom to disable one or more violations. From the Disabled Violations menu, select a violation to disable.

Note the following file types are disallowed by default:

{"bak", "bat", "bck", "bin", "bkp", "cer", "cfg", "cgi", "cmd", "com", "conf", "config", "crt", "dat", "der", "dll", "eml", "exe", "hta", "htr", "htw", "ida", "idc", "idq", "ini", "key", "log", "msi", "nws", "old", "p12", "p7b", "p7c", "pem", "pfx", "pol", "printer", "reg", "sav", "save", "shtm", "shtml", "stm", "sys", "temp", "tmp", "wmz"}

To customize the list of file types disallowed, disable Illegal filetype (VIOL_FILETYPE) using the Violations menu option and use a custom rule in Service Policy to disallow specific file types.

Note: For a list of supported attack types, signatures, and violations, see the following guides:

• Signatures
• Violations
• Threat Campaigns

From the Signature-Based Bot Protection drop-down menu, select an option for bot defense:

• Default: By default, a malicious bot is blocked and generates a security event. Good and suspicious bot activity generates only security events, and the WAF does not block the activity.

• Custom: Custom protection enables you to specify what action (Block, Report, or Ignore) to take when the WAF detects a malicious bot, suspicious bot, or a good bot. Set the action in the Malicious Bot, Suspicious Bot, and Good Bot menus.

In the Advanced configuration section, enable the Show Advanced Fields option and perform the following:

• Allowed Response Status Codes: Select Custom to specify a list of HTTP response status codes that are allowed for the client. Any HTTP responses other than these are not allowed.

• Mask Sensitive Parameters in Logs: The Default option will mask the values of sensitive parameters (like credit card numbers) in request logs. You can disable this feature or use Custom to set parameters of your choice, to be masked. For the Custom option, click Add Item and choose an HTTP Header, Query Parameter, or Cookie and enter the name accordingly. After you finish, click Add Item. You can add more than one item using the Add Item option.

• Blocking Response Page: The Default option returns an HTML response page with system settings to the client. To configure a custom response page, select Custom and perform the following:

  • From the Response Code menu, select a response that will be sent for blocked requests.

  • In the Custom Blocking Response Page Body field, enter a response string of your choice. You can specify the string in ASCII format or Base64 format.

Note: Use the base64 command to encode the response in Base64 format.

Click Save and Exit.

• From the Console homepage, click Multi-Cloud App Connect.

• Select the desired namespace from the Namespace drop-down menu.

• Click Manage > Load Balancers > HTTP Load Balancers.

• Find your load balancer and click ... > Manage Configuration.

• Click Edit Configuration to open the edit form.

In the Web Application Firewall section, perform the following:

• From the Web Application Firewall (WAF) menu, select Enable.

• From the Enable drop-down menu, select the WAF object you created in the previous section.

• Configure your routes per the instructions in the HTTP Load Balancer guide, if not yet configured.

• In the Advanced Options field, click Configure.

• In the Security section, perform the following:

  • From the Web Application Firewall (WAF) drop-down menu, select App Firewall.

• From the App Firewall drop-down menu, select the WAF policy for the route you configured.

• Select Apply.

• Select Apply to complete route configuration.

• Select Apply to close the route configuration form.

Click Save and Exit.

Confirm that the Enable option is set in the load balancer configuration.

• Under the Data Guard Rules field, click Configure.

• Click Add Item.

• In the Name field, add a name for this match rule.

• From the Action menu, select an option for Data Guard to take if the request matches the domain and path configured from the Domain and Path Match menus below, respectively:

  • Apply: Applies Data Guard processing for the matching criteria.

  • Skip: Skips Data Guard processing for the matching criteria.

• From the Domain menu, select whether the request is from any domain, an exact domain, or domains with suffixes.

• From the Path Match menu, select an option:

  • Prefix: Match paths using a prefix.

  • Path: Match an exact path.

  • Regex: Match paths using regular expressions (regex).

• Click Add Item.

Click Apply.

• Select the Web App & API Protection service from the Console homepage or from the Select service option located on the top left in any page.

• Select your desired namespace.

The threat insights include separate views for malicious users and threat campaigns. This section presents details for the threat campaigns.

• Select Overview > Threat Insights > Threat Campaigns. This opens a Sankey chart showing the threat campaigns run against load balancers and their source IP addresses.

Note: The threat campaigns insights also displays in graph view beneath the Sankey chart. Here, the graph shows allowed and blocked statistics.

• The data shown is by default for all HTTP load balancers in the namespace. You can use Add Filter on the top of the page to limit the view to allowed or denied requests. Similarly, you can use the time filter to display the insights for a specific time interval.

• Place the mouse pointer over any bar section in the middle of the chart to view name of threat campaign, associated source IP addresses, and destination load balancers highlighted in the chart. Click on the bar to view more details for that threat campaigns in a modeless window. Details include risk, attack type, description, references, etc.

• Click on any IP address to the left of the chart to display more details for that IP address. The following details are displayed:

  • Source IP address.
  • Total requests from the source.
  • Total security events from the source.
  • Breakdown of security events such as WAF events, Bot defense, service policy, etc.
  • HTTP Load Balancers to which the attacks are made.

• Click on an HTTP load balancer in the details window. This switches the view to Security Events view of load balancer security monitoring. The security events view displays filtered view of the event related to the source IP address for the time period set in the threat campaigns monitoring view.

• Click on the Add to Blocked Clients button on the details window to add user to deny list. This opens the associated load balancer's client blocking rule section with name and IP address populated. Click Apply to complete creating the client blocking rule.

• Click on the Filter Attack Analysis filter on top right of the threat campaigns monitoring page to display forensics view with advanced filters. The following is a list of guidelines to use these filters:

• Select any of the source IPs in the Top src_ip section and click Apply to filter the chart and the graph for that source IP. You can also click the edit option to change the metric from src_ip to country. The section changes to Top country and you filter the chart to display chart for specific country.

• Select any of the threat campaigns in the Top threat_campaigns.name section and click Apply to filter the chart and the graph for that threat campaign.

• Select any of the load balancers in the Top vh_name section and click Apply to filter the chart and the graph for that load balancer.

Navigate to Overview > Dashboards > Security Dashboard. This view provides for security metrics, such as threat intelligence, bot traffic, API classification, DDoS attack information, and security events for all load balancers with corresponding WAFs in a given namespace. All individual load balancers are listed at the bottom of the page.

The Threat Intelligence field provides summary information about any known attacks or campaigns for a given time range. The Bot Traffic field provides summary information about the percentage of bot traffic from normal and malicious bots. The API Classification field provides summary information about total API endpoints and any detected PII. The DDoS Attack Activity field provides summary information about the total number of layer 7 attacks across all load balancers in the given namespace.

You can also view summary information for all security events, view the source IP attack origin from the Top Attack Sources field, and view which paths and domains were attacked in the Top Attacked Paths field. The Events by Country field provides a graphical display of source countries where the attacks originated. The Active Configuration field provides the total number of load balancers in the namespace as well as the services enabled on each.

This view also displays WAF information which includes enforcement mode, bot attacks, security events, malicious users, and DDoS events.

Use the Export PDF option at the top of the dashboard to record and/or share the information on the Security Dashboard.

• Use the selector to select a specific load balancer. You can select up to five. The default view displays information for all load balancers in the selected namespace.

• From the bottom of the page, select a load balancer to load its security dashboard.

Note: You can also edit the load balancer configuration using the ... > Manage Configuration option in the Actions field.

• View the security information for the specific load balancer.

• Select any of the tabs at the top to view the corresponding information for API Endpoints, Malicious Users, Security Analytics, DDoS, Alerts, Requests, and Bot Defense.

• From the Console homepage, click Multi-Cloud App Connect.

• Select Manage > Load Balancers > HTTP Load Balancers.

• Select the desired namespace.

• Find your existing load balancer to edit its configuration, or click Add HTTP load balancer to create a new load balancer.

• Go to Web Application Firewall section. Under the WAF Exclusion Rules field, click Configure.

• Click Add Item.

• In the Name field, enter a name for the WAF exclusion rule. Optionally, add a description.

• From the Domain drop-down menu:

  • Select whether this rule applies to all domains, an exact domain, or a particular domain suffix. Any Domain is the default value. If you select Exact Value, enter a value in the field provided. If you select Suffix Value, enter a value with a suffix (for example, xzy.com).

• Configure the Path as per the following:

  • Select Any Path to match all paths.
  • Select Prefix and enter a prefix value in the Prefix field to match all paths that have the specified prefix.
  • Select Path Regex and in the Path Regex field, enter a directory path with regular expressions (regex) to match patterns to exclude from WAF processing.

• Optionally, select request methods to match from the Methods menu.

• Configure detection control from the Action section. Select Skip App Firewall Processing to skip processing or select App Firewall Detection Control and do the following:

  • For the Signature IDs, enter a signature ID to exclude from WAF processing. You can also supply a context to it by selecting a context from the Context drop-down and specifying a value in the Context Name field. Use the Add Item button to add more than one entry.

  • For the Violations, select a violation from the menu to exclude from WAF processing. You can also supply a context to it by selecting a context from the Context drop-down and specifying a value in the Context Name field. Use the Add Item button to add more than one entry.

  • For the Attack Types, select a type of attack to exclude from WAF processing. Use the Add Item button to add more than one entry.

  • For the Bot Names, enter the name of the bot that should not be affected by the WAF. Use the Add Item button to add more than one entry.

• Enter a timestamp in the Expiration Timestamp field if you want this rule to stop being used after the entered timestamp expires.

Note: You can exclude an attack type instead of excluding individual signatures. If you are excluding a particular attack type, you do not need to add signature IDs that belong to that attack type. When you exclude an attack type, this action automatically excludes all signatures under that attack type.

• After you finish, click Add Item.

• Click Apply.

Note: The order of the WAF exclusion rules matter. The WAF will process the rules starting from the top and work its way down. If there is a match on one rule, then the execution process stops and the subsequent rules are not evaluated. You can change the order of these rules by simply dragging and dropping the rules in the order you see fit. You can also click ... > Move to another spot, and then use the arrows to move the rule up or down the list.

• Continue to configure your load balancer, as needed.

• After you finish, click Save and Exit.

Note: For more information about creating or editing a load balancer, see HTTP Load Balancer.

• From the Console homepage, click Multi-Cloud App Connect.

• Select the application namespace.

• Click Manage > Load Balancers > HTTP Load Balancers.

• From the displayed list, find your load balancer and select ... > Manage Configuration.

• Select Edit Configuration.

• From the left pane menu, select Web Application Firewall.

• Under the WAF Exclusion Rules subsection, click Configure.

• Select Add Item.

• In the Name field, add a rule name.

• From the Domain menu, select wether this exclusion rule and match criteria will apply to all domains, a specific domain, or a grouping of domains. For a specific domain, select Exact Value and then enter the domain name. For a grouping of domains, select Suffix Value and then enter the value.

• In the Path Regex field, enter a regular expression to match incoming requests.

• From the Methods menu, select the type of request methods to be matched.

• From the WAF Exclusion Rule Action menu, select Skip App Firewall Processing.

• Select Apply to save the exclusion rule.

• Select Apply again to apply the exclusion rule.

Select Save and Exit to save the new configuration.