Web Application Firewall (WAF)

Web protection profiles enable Web Application Firewall (WAF) rules within your Valtix Gateway instance.

Valtix supports the following WAF rule sets:

| Rule Type | Description |
|---|---|
| Core | The OWASP ModSecurity CRS Project's goal is to provide an easily "pluggable" set of generic attack detection rules that provide a base level of protection for any web application. |
| Commercial (Advanced) | The ModSecurity Rules from Trustwave. These updates are available with a threat package subscription and are based on intelligence gathered from real-world investigations, penetration tests and research. The commercial rules package is normally updated bi-monthly to ensure that customers receive critical updates in a timely manner. |

Create WAF Profile

  1. Navigate to Manage -> Profiles -> Web Protection
  2. Click Create Protection Profile
  3. Select Application Threat
  4. Provide a profile name and description
  5. Click Manual or Automatic mode for CRS Ruleset Version for core rules
  6. In Manual mode, select the CRS Ruleset Version from the dropdown. The selected ruleset version is used by the Valtix datapath engine on all gateways that use this profile and is not automatically updated to newer ruleset versions.
  7. In Automatic mode, select the number of days by which to delay deployment after Valtix publishes a ruleset version. Valtix publishes new rulesets daily, and the gateways using this profile are automatically updated to the latest ruleset version that is N days or older, where N is the "delay by days" value selected from the dropdown. For example, if you choose to delay the deployment by 5 days, then on Jan 10, 2021 the Valtix controller selects a ruleset version that was published on Jan 5th or before. Note that Valtix may not publish on some days if our internal testing with that ruleset version fails for some reason.
  8. Click Manual or Automatic mode for Trustwave Ruleset Version for advanced rules
  9. In Manual mode, select the Trustwave Ruleset Version from the dropdown. The selected ruleset version is used by the Valtix datapath engine on all gateways that use this profile and is not automatically updated to newer ruleset versions.
  10. In Automatic mode, select the number of days by which to delay deployment after Valtix publishes a ruleset version. Valtix publishes new rulesets daily, and the gateways using this profile are automatically updated to the latest ruleset version that is N days or older, where N is the "delay by days" value selected from the dropdown. For example, if you choose to delay the deployment by 5 days, then on Jan 10, 2021 the Valtix controller selects a ruleset version that was published on Jan 5th or before. Note that Valtix may not publish on some days if our internal testing with that ruleset version fails for some reason.
  11. Select Paranoia Level (select 1 initially)
  12. Set Request Anomaly and Response Anomaly (select 5 initially)
  13. Check the PCAP box to create PCAP files when traffic matches this profile. The PCAPs are saved in the PCAP profile associated with the gateway.
  14. Check API Logging as required.
  15. Select the desired rules from the Core and Advanced rule sets
  16. Select the Action (the default is Block)

Rule Event Filtering

You can add rule event filtering if a known rule triggers repeatedly.

  1. Click Add under Rule Event Filtering
  2. Add a comma separated list of Rule IDs
  3. Choose the type as Rate and provide the Number of Events and Time duration (in seconds)
  4. Choose the type as Sample and provide the Number of Events

If the WAF profile configuration generates a lot of events in the datapath, the Event Filtering module lets you filter events after they are generated but before they are stored and made available in Investigate.

The type Rate limits the event stream to a rate specified as Number of Events per Time Duration. For example, if Number of Events is 50 and Time Duration is 5 seconds, only 10 events per second are stored.

The type Sample keeps 1 event out of every Number of Events and drops all other events. For example, if Number of Events is 10, then 1 event out of every 10 is kept and the other 9 are dropped.
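The following added example (not Valtix code) models the two filter types on a constructed event stream, to show which events remain available for investigation. It assumes that Rate counts per rule ID in fixed windows and that Sample keeps the first event of every group; the class names, rule IDs and stream are all made up for illustration.

```python
from collections import Counter

def parse_rule_ids(text):
    """Parse the comma separated list of Rule IDs from the filter form."""
    return {int(tok) for tok in text.split(",") if tok.strip()}

class RateFilter:
    """Store at most `events` events per rule in each `seconds`-long window."""
    def __init__(self, rule_ids, events, seconds):
        self.rule_ids, self.events, self.seconds = rule_ids, events, seconds
        self.state = {}  # rule_id -> (window index, events stored in that window)

    def keep(self, ts, rule_id):
        if rule_id not in self.rule_ids:
            return True  # rules not listed in the filter are always stored
        idx = int(ts // self.seconds)
        win, stored = self.state.get(rule_id, (idx, 0))
        if win != idx:  # a new window starts: reset the budget
            win, stored = idx, 0
        keep = stored < self.events
        self.state[rule_id] = (win, stored + keep)
        return keep

class SampleFilter:
    """Store 1 event out of every `events` per rule, dropping the others."""
    def __init__(self, rule_ids, events):
        self.rule_ids, self.events = rule_ids, events
        self.seen = Counter()

    def keep(self, ts, rule_id):
        if rule_id not in self.rule_ids:
            return True
        self.seen[rule_id] += 1
        return (self.seen[rule_id] - 1) % self.events == 0

def apply_filter(flt, stream):
    """Return the events that would be stored, in order."""
    return [ev for ev in stream if flt.keep(*ev)]

# Constructed sample: one noisy rule (100 events/s for 10 s) and one quiet rule (1 event/s).
NOISY, QUIET = 942100, 920350
STREAM = sorted([(s + i / 100, NOISY) for s in range(10) for i in range(100)]
                + [(s + 0.5, QUIET) for s in range(10)])

if __name__ == "__main__":
    ids = parse_rule_ids("942100")
    for flt in (RateFilter(ids, 50, 5), SampleFilter(ids, 10)):
        kept = apply_filter(flt, STREAM)
        print(type(flt).__name__, dict(Counter(r for _, r in kept)))
```

Both settings store 100 of the 1000 noisy events here, but under the fixed-window assumption Rate keeps only the first half second of each 5 second window, while Sample spreads the stored events across the whole burst.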

Rule Suppression

Rules can be suppressed for a specific CIDR or a list of CIDRs.

  1. Click the Rule Suppression tab and click Add
  2. Provide a comma separated list of IP CIDRs for which you want to suppress the rules
  3. Provide a comma separated list of Rule IDs

Profile Event Filtering

Profile event filtering is similar to Rule Event Filtering. In this case the filtering is applied to the whole profile instead of the specific rule(s) configured earlier.

  1. Choose the type as Rate or Sample
  2. If Rate, provide the Number of Events and the Time duration (in seconds)
  3. If Sample, provide the Number of Events

Associate Profile with a Policy Rule

Check this document to create/edit Policy Rules