","It describes \"how does an attack look like\" which can be formulated as \"how the request should
not look like\".","What is Allowlisting?
The component \"Allowlist\" ensures if a request should either be checked or not by the WAF. For
example: the customers may prefer to bypass WAF for all POST requests to /upload.php.","What is Learning?
In a system, Learning is a method of collecting statistical information of an application's normal
usage in order to generate a \"Positive Security Model\".","What is WAF processing flow ?","The WAF processing flow is as follows:","1 First, for an incoming request, the Allowlist policies are checked. If there is any matching
condition then, the request is whitelisted i.e., WAF processing is turned off for that request.","2 In case none of the conditions match then, the positive security engine checks if the request
is in line with the learnt data.","3 If a request is marked as illegitimate by the positive security engine then, it is flagged/blocked"," immediately.","4 If Positive Security marks the request as legitimate then, the request is sent to the Signature
engine which verifies by matching parts of the request against a valid signature in order to
identify the attack vector.","5 If WAF finds an attack vector then, it blocks the request. If not,the request is passed.","6 If WAF is in Enforcement mode then, it block the requests.","7 If WAF is in Detection mode then, it flags the requests but does not block them.","What is False Positive ?","Sometimes a legitimate request is flagged as an attack. This may affect the business and also","develop fear among customers.","VMware, Inc. 85
\fVMware NSX Advanced Load Balancer WAF Guide","What is False negative ?","When an attack is not detected it is called as False negative. This affects the security but not the","business (in the perception of the user). However, the site continues to work.","What is an exclusion for false positive mitigation ?","An exclusion adds a matching condition of in front of a signature rule or a","rule group. In this way, a false positive that exists within the policy and application are not","triggered.","VMware, Inc. 86","You might also like","From Everand","Mark Manson","Rating: 4 out of 5 stars","4/5 (5871)","Brené Brown","4/5 (1095)","Chris Voss","Rating: 4.5 out of 5 stars","4.5/5 (866)","Magazines","Podcasts","Sheet music","Ray Dalio","4/5 (614)","Jeannette Walls","4.5/5 (1724)","Jesmyn Ward","4/5 (1200)","Angela Duckworth","4/5 (597)","Margot Lee Shetterly","4/5 (909)","Phil Knight","4.5/5 (543)","Stephen Chbosky","4.5/5 (2109)","Ben Horowitz","4.5/5 (352)","Ashlee Vance","4.5/5 (474)","Roxane Gay","4/5 (1040)","Carmen Maria Machado","4/5 (824)","Stephen King","4/5 (1887)","Siddhartha Mukherjee","4.5/5 (272)","Viet Thanh Nguyen","4.5/5 (122)","Colm Toibin","Rating: 3.5 out of 5 stars","3.5/5 (1954)","Meik Wiking","3.5/5 (411)","Frank McCourt","4.5/5 (443)","Fredrik Backman","4.5/5 (4834)","Sarah M. Broom","4/5 (98)","Thomas L. Friedman","3.5/5 (2268)","Walter Isaacson","4.5/5 (810)","Garth Stein","4/5 (4227)","Amy Poehler","4/5 (1915)","Gilbert King","4.5/5 (268)","Betty Smith","4.5/5 (1930)","Doris Kearns Goodwin","4.5/5 (235)","Dave Eggers","3.5/5 (232)","Ruth Ware","3.5/5 (2553)","Hilary Mantel","4/5 (4002)","Bob Woodward","3.5/5 (801)","David McCullough","4.5/5 (2410)","M.L. 
Stedman","4.5/5 (789)","Jennifer Egan","3.5/5 (880)","John le Carré","3.5/5 (107)","Document","67 pages","AkhilTC","100% (2)","Naomi Klein","4/5 (74)","Jay Sekulow","3.5/5 (137)","45 pages","eduardo ruiz","Noch keine Bewertungen","2 pages","Rhine Crbnl","George Packer","4/5 (45)","Louisa May Alcott","4/5 (105)","3 pages","Dirk Reyes Balmes","42 pages","8 pages","5 pages","84 pages","haking boy","575 pages","Patrick HERVÉ","20 pages","Robert","Tôi Là","9 pages","Dương Hoàng","15 pages","College Freelancers","0% (1)","230 pages","hny","Somnath Sinha","19 pages","Tamoghna Majumdar","Sandro Melo","anind_1980","Denis Osanya","Gregorio Samsa","6 pages","kartiksethi340","DIKSHA AHIRE","85 pages","Asmr","Pawan","40 pages","Trần Văn Nhân","System Concepts","Tarun P","13 pages","Reginaldo Vinhas","11 pages","Ilirian Rexho","22 pages","Spit Fire","Akshay Prasath","joel lacay","10 pages","Lily Charlatte","Footer menu","Back to top","Über uns","About Scribd","Everand: Ebooks & Audiobooks","SlideShare","Press","Join our team!","Kontaktieren Sie uns","Invite friends","Support","Help / FAQ","Zugänglichkeit","Purchase help","AdChoices","Legal","Terms","Privacy","Do not sell or share my personal information","Social","Instagram","Pinterest","Get our free apps","Documents","Language:","Englisch","(selected)","Español","Português","Deutsch","Français","Русский","Italiano","Română","Bahasa Indonesia","Mehr erfahren","Copyright © 2024 Scribd Inc."]}
Download as pdf or txt
Download as pdf or txt
You are on page 1of 86

VMware NSX Advanced Load Balancer WAF Guide

VMware NSX Advanced Load Balancer 20.1.5

You can find the most up-to-date technical documentation on the VMware website at:

https://docs.vmware.com/

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

© Copyright 2021 VMware, Inc. All rights reserved. Copyright and trademark information.

VMware, Inc. 2
Contents

1 Overview 5

2 Configuring WAF 7
WAF Profile 7
Configuring WAF Profile 8
WAF Policy 12
Configuring WAF Policy 12
WAF Mode 15
Application Learning for WAF 16
Allowlist 21
Configuring Allowlist Rules 21
Sampling Traffic to WAF Allowlist 27
Partial Buffering for Chunked Mode Encoding 28
Support for IP Groups in Allowlist 28
Positive Security and Learning 31
Configuring Positive Security Group 31
Deploying WAF Signatures 43
Signatures CRS rules 46
Pre-CRS Rules 48
Post-CRS Rules 54
Mixed Mode and Enabling Mode Delegation 54

3 Best Practices for working with WAF 57


Creating Exclusions 57
Exclusions in WAF 57
Creating Exceptions 58
Examples for Creating Exclusions 58
Importing the CRS files and CRS Update from NSX Advanced Load Balancer Portal 59
Download the CRS File 59
Upload the CRS File 61
Custom Rules 62
Custom Rules Examples 62
Vulnerability Scanner (DAST) 67
Workflow 67
Limitations DAST scanner integration 68
WAF in Anomaly Score Mode 68
Anomaly Scoring 69
Setting Up WAF in Anomaly Scoring mode 70

4 Analytics and Insights 73


WAF Log Analytics 73
Analyzing WAF Logs Analytics 74
WAF Analytics 76
WAF Metrics 79
Preview Exceptions 80
Preview Logs 81

5 FAQ's 83

1 Overview
This section explains the NSX Advanced Load Balancer Web Application Firewall (WAF).

Web application firewalls (WAFs) are intended to protect businesses from web app attacks and
proactively prevent threats.

Traditional web application security solutions do not provide visibility and security insights that
administrators can use to create an effective application security posture. Enterprises need real-
time visibility into application traffic, user experience, security and threat landscape, and
application performance to identify and protect against the most sophisticated attacks.

NSX Advanced Load Balancer leverages software-defined architecture and its strategic location
on the network to gain real-time application insights. The built-in WAF solution provides
application security and networking teams with an elastic and analytics-driven solution that
scales and simplifies policy customization and administration through central management.

NSX Advanced Load Balancer WAF plays an integral role in a defense-in-depth strategy that
does comprehensive threat analysis, mitigates risk, provides zero-day protection against
unpublished exploits and optimizes application security.

Architecture
NSX Advanced Load Balancer WAF is built on the core design principles shown below to ensure
that WAF is a simple yet comprehensive security solution.

2 Configuring WAF
This section discusses Web Application Firewall (WAF) configuration on NSX Advanced Load
Balancer.

This chapter includes the following topics:

• WAF Profile

• WAF Policy

• Allowlist

• Positive Security and Learning

• Deploying WAF Signatures

• Mixed Mode and Enabling Mode Delegation

WAF Profile
This section explains the WAF Profile feature on NSX Advanced Load Balancer.

A WAF profile contains the basic settings for WAF functionality and is attached to a WAF Policy.
The WAF profile is independent of the policy and is defined for a specific set of virtual
services, so it can be reused wherever its settings fit.

A few examples of WAF Profiles:

• Application Java Profile: This profile contains all the necessary elements for any Java
application.

• Application PHP Profile: This profile contains all the necessary elements for any PHP application.

• API Profile: This profile contains API-specific settings.


Configuring WAF Profile
This section discusses how to configure a WAF Profile.

Note
• Navigate to Templates > WAF > WAF Profile to locate the default profile.

• System-WAF-Profile is the default profile; it contains the most commonly used settings for web
applications served through a virtual service.

• For customizing a profile, it is highly recommended to create a new profile instead of editing
the default profile (System-WAF-Profile).

To create a new profile:

1 Navigate to Templates > WAF > WAF Profile.

2 Click on the Create icon.

Settings Tab
Provide the following details to configure the WAF profile:

Field: Name
Description: Enter a relevant name for the profile.

Field: Allowed Versions
Description: Enter the allowed HTTP versions for the profile.
Additional Information: 1.0, 1.1, 20.x and 2.0 are the default entries.

Field: Allowed Methods
Description: Enter the allowed HTTP methods for the profile. Different applications might need
different methods.
Additional Information: Websites might use only the default HTTP methods, i.e. GET, HEAD, POST,
OPTIONS. APIs might use other HTTP methods such as PUT, DELETE, TRACE, CONNECT etc. You can also
choose from the additional options provided below:
• PATCH
• PROPFIND
• PROPPATCH
• MKCOL
• COPY
• MOVE
• LOCK
• UNLOCK

Field: Allowed Content Types
Description: Enter the accepted request content types for the profile.
Additional Information: The default entry covers all standard content types.

Field: Restricted Extensions
Description: Enter extensions that should be restricted and blocked.
Additional Information: Generally, these are files that do not reside on a web server.

Field: Restricted Headers
Description: Enter headers that will not be allowed by WAF.

Field: Static Extensions
Description: Enter the list of static file extensions that will bypass the WAF check.
Additional Information: A GET request without any parameter or dynamic part is classified as a
static request. It does not contain any attack vector.

Field: Default Actions
Description: Request Header, Request Body, Response Header, and Response Body are the four WAF
phases. Each of these phases has a default action. The fields defined for this default action are
phase, action, status code, additional logging, WAF logs.
Additional Information: The allowed values along with the description for each phase are as given
below:
phase: phase:1 - Request Header phase; phase:2 - Request Body phase; phase:3 - Response Header
phase; phase:4 - Response Body phase. Example- phase:1
action: Two options are permit and deny. Example- deny
status code: In case the request is denied by WAF, by default a 403 status code is sent to the
client. However, the status code can be customised (if required). Example- status:403
additional logging: Enter the additional logging level. Example- log
WAF logs: Enter the WAF logging level. Example- auditlog

To configure the General Settings:

1 Select the WAF allowed HTTP versions in the field Allowed Versions. By default, 1.0, 1.1, 2.0
are selected.

2 Select the WAF allowed HTTP methods, as required. By default GET, HEAD, POST, OPTIONS
are selected.

3 Select the WAF allowed content types to restrict the content types that are accepted. By
default, standard content types are covered.

Note Other content types can be added easily.

4 Under Restricted Extensions, enter the WAF restricted file extensions to block. By default, it
covers most use cases.

5 Under Restricted Headers, enter the WAF restricted headers to be blocked. By default, it covers
most use cases.

6 Enter the list of static file extensions that should bypass the WAF check in the field Static
Extensions.

The General section in the New WAF Profile screen is as shown below:


Other Settings

Field: Maximum client request size
Description: This is the maximum size for the client request body scanned by WAF.
Additional Information: Example - 32

Field: Maximum backend response size
Description: Enter the maximum response size in KB allowed by WAF.
Additional Information: Example - 128

Field: Argument Separator
Description: Enter the separator for special applications that have different argument
separators.
Additional Information: Example - &

Field: Regex Match Limit
Description: This is the limit for CPU utilization for each regular expression match when
processing the rules.
Additional Information: Example - 30000

Field: Max Execution Time
Description: This is the maximum time allowed for WAF processing of a single request.
Additional Information: Example - 50

Field: Cookie Format Versions
Description: Select the preferred cookie format version.
Additional Information: Version 1 cookies have been deprecated. Therefore, Netscape cookies are
recommended.

Field: XXE Protection
Description: Block or flag XML requests referring to External Entities.
Additional Information: Check/Uncheck the Checkbox.

The following screenshot displays a sample configuration:


Files Tab
The static input data in a WAF profile that is shared between virtual services is stored here. For
instance, the file sql-errors.data holds the default data set, which contains strings for
examining HTTP responses for data leakage protection.

To create a new file:

1 Go to the Files tab.

2 Scroll down to the bottom of the page and click on + Add File.

3 Provide a Name and enter the relevant Data.

These files can be referenced in custom WAF policy rules. For more information, refer to Custom
Rules.

WAF Policy
This section discusses the WAF Policy on NSX Advanced Load Balancer.

A WAF policy is a specific set of rules that protects the application. This policy is enabled by
associating it with a virtual service.

Configuring WAF Policy
This section discusses how to configure a WAF policy.

Note
• Navigate to Templates > WAF > WAF Policy to locate the default policy.

• System-WAF-Policy is the default policy in NSX Advanced Load Balancer; it contains the
OWASP CRS rules. For more information, refer to Signatures CRS rules.

• For customizing a policy, it is highly recommended to create a new policy instead of editing
the default policy (System-WAF-Policy).

• WAF policies that enable Application Learning cannot be shared between Applications.


To create a new policy:

1 Navigate to Templates > WAF > WAF Policy.

2 Click on Create.

Note Create clones the System-WAF-Policy and uses it as the basis for the new WAF Policy.

3 Configure the new WAF policy under the following tabs:

a Settings

b Learning

c Allowlist

d Positive Security

e Application Rules

f Signatures

4 Click on Save button to create the WAF policy.


Settings Tab
Provide the following details to configure the WAF policy:

Field: Name
Description: Enter a relevant name for the policy.

Field: WAF Profile
Description: Choose the WAF profile that should be attached to this policy. The profile contains
common reusable settings that complement the WAF policy.
Additional Information: WAF Profile

Field: Mode
Description: Click on the required mode. The supported modes are:
• Detection — In this mode, the WAF policy will evaluate the incoming request. A log entry of type
(WAF type) FLAG is created when the request is FLAGGED.
• Enforcement — In this mode, the WAF policy will evaluate and block the request based on the
defined default action. This default action is configured in the WAF profile. If a request is
rejected, there will be a corresponding log entry named REJECTED.
• Mode delegation — In this mode, WAF rules can override the policy, where a specific action
(detection or enforcement) can be defined for a single rule, irrespective of the action defined
for the rule set.
Additional Information: It is recommended to use detection only mode when onboarding a new
Application. For more details, refer to WAF Mode. For more information on Mode delegation, refer
to Mixed Mode and Enabling Mode Delegation.

Field: Paranoia Level
Description: Set the paranoia level for the WAF policy. This is used to determine the rigidity of
the policy and has a direct impact on the potential false positive rate.
Additional Information: Paranoia Mode

The below screenshot displays a sample configuration:

Note IPv6 is not supported for WAF yet in NSX Advanced Load Balancer.

WAF Mode
This section discusses the differences between the two WAF modes.

Detection only and Enforcement are the two modes supported for a WAF policy in NSX
Advanced Load Balancer. Every policy runs in one of these modes to evaluate the requests and
responses.

Detection Only vs. Enforcement

Policy
Detection Only: Logs alerts during an attack, but no deny action is taken.
Enforcement: Rejects requests when a policy is matched and the deny action is taken.

Operation
Detection Only: Evaluates the whole policy without stopping at the first rule hit.
Enforcement: Matches the first rule that rejects the request and implements the default action or
returns a rule-specific error code.

Log files
Detection Only: Contains the WAF log section where the policy violation was found and entries for
every rule that is matched.
Enforcement: Contains a specific WAF log section which has the first rule that rejected the
request.
Note This is to improve performance. If a request is already detected as an attack, further checks
are not required.

Response Code
Detection Only: 200 OK
Enforcement: Default is 403 Forbidden. This response code can be modified.

Application Learning for WAF
This section discusses Application Learning for WAF.

Application Learning lets the WAF feature on NSX Advanced Load Balancer analyze a set of incoming
traffic processed by the WAF Policy.

When Application Learning is enabled on a virtual service, the Service Engine collects data
and sends it to the Controller for analysis. Therefore, all Learning takes place on the Controller.
The traffic selection for Application Learning is based on the WAF policy configured.

It parses all paths containing URI or BODY parameters of an HTTP request. This collection
continues for a specified duration or time interval. Once the timer expires, the Service Engine
sends the data to the NSX Advanced Load Balancer Controller for analysis. These WAF
configuration parameters are distributed across WAF policies.

Learning option
To enable the Learning option:

• Navigate to Templates > WAF > WAF Policy.

• Select the policy for which App Learning should be enabled.

The below screenshot exhibits the option to enable App Learning:


• Enable App Learning for the selected WAF policy. Once the option is enabled, the following
additional configuration options become available:

Field: Sampling
Description: Percent of the requests subjected to Application Learning.
Additional Information: Range (1 to 100%).

Field: Enable Auto Rule Updates
Description: Enable Application Learning based rule updates on the WAF Profile. Rules will be
programmed in a dedicated WAF learning group.
Additional Information: Check/Uncheck the Checkbox.

Field: Auto Promote Rules w/ Confidence
Description: Minimum confidence label required for auto rule updates.
Additional Information: Low, Probable, High, Very High (99.99 -100%)

Field: Learning Interval
Description: Frequency with which the SE publishes Application Learning data to the Controller.
Additional Information: Range (1 to 60 min). Example- 30 min

Field: Max Parameters
Description: Maximum number of params to learn for an application.
Additional Information: Range (10 to 1000). Example- 100

Field: Min Hits to Learn
Description: Minimum number of occurrences required for a Param to qualify for learning.
Additional Information: Range (10 to 1000). Example- 100

Field: Per URI Learning
Description: Learn the params per URI path.
Additional Information: Check/Uncheck the Checkbox.

Field: Max URI
Description: Maximum number of URI paths to learn for an application. This value can be set higher
for more complex applications.
Additional Information: Range (10 -10000).

Note If Per URI Learning is ENABLED, the learning algorithm will program URI and param
combinations when they reach the confidence score. If DISABLED, the learning algorithm will
program params independently of the URI. This can be useful when URIs are generated for
each session.
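As an added example that is not part of this guide or of the product's learning engine, the following Python models how the learning knobs above interact: requests are sampled, each parameter value is bucketed into a value class per URI (or across URIs when Per URI Learning is off), and a parameter is promoted to a positive security rule only once it reaches Min Hits to Learn with enough confidence, subject to the Max Parameters and Max URI caps. The value classes, the confidence computation, the Learner class and all sample traffic are constructed simplifications.

```python
import re
from collections import Counter, defaultdict

# Value classes from most to least specific; a parameter is learnt as the class that
# dominates its observed values (constructed simplification of the real learning engine).
VALUE_CLASSES = [
    ("digits", re.compile(r"\d+")),
    ("lower", re.compile(r"[a-z]+")),
    ("alnum", re.compile(r"[A-Za-z0-9_-]+")),
    ("any", re.compile(r".*")),
]
VERY_HIGH = 0.9999   # the "Very High (99.99-100%)" confidence band named in the guide

def classify(value):
    for name, pat in VALUE_CLASSES:
        if pat.fullmatch(value):
            return name
    return "any"

class Learner:
    def __init__(self, sampling=100, min_hits=10, max_params=100, max_uri=100, per_uri=True):
        self.sampling = sampling          # Sampling: percent of requests the SE looks at
        self.min_hits = min_hits          # Min Hits to Learn
        self.max_params = max_params      # Max Parameters
        self.max_uri = max_uri            # Max URI (only relevant with Per URI Learning)
        self.per_uri = per_uri            # Per URI Learning
        self.seen = 0
        self.uris = set()
        self.observations = defaultdict(Counter)   # (uri, param) -> Counter of value classes

    def observe(self, uri, params):
        """Record one request; returns False when it was not sampled or was ignored."""
        self.seen += 1
        if ((self.seen - 1) * self.sampling) % 100 >= self.sampling:
            return False                  # outside the sampling window
        if self.per_uri:
            if uri not in self.uris and len(self.uris) >= self.max_uri:
                return False              # Max URI reached: new paths are not learnt
            self.uris.add(uri)
        for name, value in params.items():
            key = (uri, name) if self.per_uri else (None, name)
            if key not in self.observations and len(self.observations) >= self.max_params:
                continue                  # Max Parameters reached: new params are not learnt
            self.observations[key][classify(value)] += 1
        return True

    def promote(self, min_confidence=VERY_HIGH):
        """Turn sufficiently observed parameters into positive security rules."""
        rules = []
        for (uri, name), classes in self.observations.items():
            hits = sum(classes.values())
            if hits < self.min_hits:
                continue                  # below Min Hits to Learn
            cls, count = classes.most_common(1)[0]
            confidence = count / hits     # share of observations in the dominant class
            if confidence < min_confidence:
                continue                  # not confident enough for auto promotion
            rules.append({"uri": uri, "param": name, "pattern": dict(VALUE_CLASSES)[cls].pattern,
                          "hits": hits, "confidence": confidence})
        return sorted(rules, key=lambda r: (r["uri"] or "", r["param"]))

def sample_traffic():
    """Constructed traffic: /item is busy and consistent, /search is too rare to learn."""
    traffic = [("/item", {"id": str(1000 + i), "lang": "en" if i % 2 else "de"}) for i in range(12)]
    traffic.append(("/item", {"id": "abc"}))              # one odd id value lowers confidence
    traffic += [("/search", {"q": "shoes"})] * 3
    return traffic

def learn_from_samples(per_uri=True, min_confidence=VERY_HIGH):
    learner = Learner(min_hits=10, per_uri=per_uri)
    for uri, params in sample_traffic():
        learner.observe(uri, params)
    return learner.promote(min_confidence)
```

At the Very High threshold only the consistently lower-case lang parameter is promoted; lowering the required confidence also promotes id despite its single odd value, while q never reaches Min Hits to Learn.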

Adaptive Application Learning
This section explains Adaptive Application Learning.

Starting with NSX Advanced Load Balancer release 20.1.1, Adaptive Application Learning is
supported. In Adaptive Application Learning, the Controller takes control of adjusting these WAF
Learning parameters for the effective Application Learning while the SE just enforces it.

In the Adaptive Application Learning, the manual modification of sampling percentage and
learning interval is not required.

To improve user experience and optimize resource usage while maximizing the application
learning progress, a feedback system is created that tunes these parameters once learning is
enabled on an application. Using Positive Security Model (PSM) with Application learning enables
the end-user to automate the configuration changes.

For effective Adaptive Application Learning, the following parameters are continuously adjusted
by the Controller:

n Sampling Percentage

n Learning Interval

For more information and recommendation on these parameters, refer to the below sections.

Sampling Percentage
For a WAF policy, sampling is assigning a percentage of the incoming requests to participate in
the Application Learning process.

The sampling rate controls how often the Service Engine collects data, while the analysis happens
in the Controller.

If the sampling percentage is set to 50%, the Service Engine will only collect 50% of the
incoming requests, i.e. every alternate request.


It is recommended to use the sampling percentage of 100% in the initial phase of Application
Learning. This helps in collecting the fastest data aggregation, and efficient application learning.

Using a lower sampling rate conserves SE resources when no new data is available for learning.
While learning is in progress, the amount of URI information sent to the NSX Advanced Load
Balancer Controller tends to peak or fall.

The NSX Advanced Load Balancer Controller sends the adjusted (reduced) sampling percent to
the SEs. After the adjustment, the SEs have to inspect or evaluate only a small percentage of the
incoming traffic. The maximum sampling percent for Application Learning is 100%; the
minimum percentage can be set to 1%.

To enable Adaptive learning, use the configuration knob enable_adaptive_config available under
the analytics profile.

By default, the value of the enable_adaptive_config parameter is set to true.

In Adaptive Application Learning, when a new type of traffic is received by the SEs, the NSX
Advanced Load Balancer Controller changes the sampling rate for the learning.

The option to set the Sampling Percentage is available under the App Learning tab of the WAF policy.

To change the sampling percentage for incoming requests for a WAF policy:

1 Navigate to Templates > WAF > WAF Policy.

2 Click on the Learning tab as shown below.

3 Set the value of this parameter to any value between 1 and 100.


Note It is recommended to use the automated adjustment of the sampling rate.

Learning Interval
This section discusses the Learning Interval.

The Learning Interval is the time period or duration after which the Service Engine sends data
related to Application Learning to the NSX Advanced Load Balancer Controller. By default, this
duration is set to 30 minutes. This means that the Service Engine sends data to the NSX Advanced
Load Balancer Controller every half an hour for further processing. Based on the learning
activities or the amount of Application Learning data, the value of this parameter can be
increased or decreased.


Allowlist
The Allowlist functionality allows the definition of match conditions for requests; a matching
request triggers the associated action.

Examples
Bypassing WAF when there is a match:

• The request comes from a specific IP range.

or

• The request matches the URL pattern specified using the HTTP Method match type.

Use cases
• Allow access from the internal network.

• A security scanner that scans the application directly, bypassing WAF protection.

• Do not check special parts of the URL space, for example “/upload/*”.

• Run parts of the application in Detection mode.

Configuring Allowlist Rules
This section discusses how to configure Allowlist Rules.

To define Allowlist rules:

1 From the NSX ALB UI, navigate to Templates > WAF > WAF Policy.

2 Click on Create or edit an existing WAF Policy.

3 Enter the required details under the Settings tab.

4 Click on the Allowlist tab.


5 Click on the Add Rule button.

6 In the New Allowlist Rule screen, enter the details as shown below:

Table 2-1. General

Field: Rule Enabled
Description: By default, the Allowlist rule is enabled. Click on the toggle button to disable it,
if required.

Field: Name
Description: Enter a relevant name for the rule.

Field: Description
Description: Enter a description to define the rule.

Table 2-2. Match

Field: Add Match Type
Description: Select a Match Type from the options:
• Client IP
• HTTP Method
• Path
• Host Header

Table 2-3. Action

Field: Action
Description: From the following options, select the action to be performed when the request
matches the criteria specified:
• Bypass: When Bypass is selected, WAF does not execute any further rules and the request is
allowed.
• Continue: Selecting Continue stops the allowlist execution and directs WAF to continue its
activity.
• Detection Mode: When set, the WAF Engine will be set to Detection Mode for that request.
The New Allowlist Rule screen is as shown below:

7 Click on Save.

Match Type
This section discusses the Match Types.

Client IP
Use this match type to select a trusted list of client IPs or client IP groups.

To configure a match rule for the client IPs:

1 Select the match type as Client IP under Add Match Type.

2 Select Is or Is Not to provide permissions accordingly.

3 Click on the drop down under Method.

4 Either select Custom Value and enter the IP Addresses manually or select Internal.

Note This client IP match type supports IP Groups. For more information refer to IP Group
article.

HTTP Method
Use this to select only specific types of HTTP requests using the HTTP request methods like GET,
CONNECT, DELETE, and more.


To define allowlisting rules based on HTTP Method:

1 Select the match type as HTTP Method under Add Match Type.

2 Select Is or Is Not to provide permissions accordingly.

3 Select the Methods as shown below:

Path
To allowlist URLs:

1 Select the match type as Path under Add Match Type.

2 Select the Criteria which needs to be matched in the URL.

3 Enter the String Value in String group or custom string.

4 Select Match Case to enable case sensitivity.

Host Header
Use this method to apply rules to only requests that match the specified host header criterion.

To allowlist Host Headers:

1 Select the match type as Host Header under Add Match Type.

2 Select the Criteria which needs to be matched in the URL.

3 Enter the String Value.

Sampling Traffic to WAF Allowlist
This section discusses Sampling Traffic to WAF Allowlist.

The sampling feature enhances the allowlist feature by exposing only a particular percentage of
the traffic to WAF allowlisting. It is beneficial only if a subset of all traffic should be sent
through WAF. The sampling_rate flag is used to allot a range for each allowlist rule. The
sampling_rate value can range from 0 to 100%.

If the request is in the sampling range, the configured action is applied to the request. For
example, if sampling is set to 50%, then every other request will trigger the action.

Examples
Example 1

Consider the following configuration:

• Match client IP address: 1.2.3.4

• Sampling percentage: 10

• Action: CONTINUE

For all traffic whose client IP address is 1.2.3.4, 10% of the requests will run the action
CONTINUE (executing WAF); the other 90% will continue to the next allowlist rule.

Example 2

If the requirement is to subject 10% of the traffic from a specific subnet, other than the traffic
to a particular URI, to WAF, the rules can be written like this:

Rule 1
• Rule: !x.x.x.x/x
• Sampling percentage: 100
• Action: allow

Rule 2
• Rule: uri_path
• Sampling percentage: 100
• Action: allow

Rule 3
• Rule: All
• Sampling percentage: 90
• Action: allow

A request which misses all of the above rules continues with WAF.
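The following Python is an added example, not NSX Advanced Load Balancer code, that models the WAF processing flow from the FAQ (allowlist, then positive security, then signatures, then the policy mode deciding flag versus reject) together with the allowlist actions Bypass / Continue / Detection Mode and the sampling_rate behaviour described above. The rule matching, the deterministic stand-in for sampling, the learnt parameter patterns, the simplified signatures and the sample requests are all constructed assumptions.

```python
import ipaddress
import re
from collections import namedtuple
from dataclasses import dataclass

BYPASS, CONTINUE, DETECTION_MODE = "BYPASS", "CONTINUE", "DETECTION_MODE"
Request = namedtuple("Request", "client_ip method path args")   # args: parameter name -> value

@dataclass
class AllowlistRule:
    name: str
    action: str                   # BYPASS, CONTINUE or DETECTION_MODE
    sampling_rate: int = 100      # percent of matching requests that trigger the action
    client_cidrs: tuple = ()      # empty = any client IP (an IP group would expand to this)
    methods: tuple = ()           # empty = any HTTP method
    path_prefix: str = ""         # "" = any path
    hits: int = 0                 # matching requests seen, drives the deterministic sampling

    def matches(self, req):
        ip = ipaddress.ip_address(req.client_ip)
        if self.client_cidrs and not any(ip in ipaddress.ip_network(c) for c in self.client_cidrs):
            return False
        if self.methods and req.method not in self.methods:
            return False
        return req.path.startswith(self.path_prefix)

    def in_sample(self):
        # Deterministic stand-in for sampling: 50% fires on every other match, 10% on one in ten.
        self.hits += 1
        return ((self.hits - 1) * self.sampling_rate) % 100 < self.sampling_rate

def positive_security_check(rules, req, miss_action="BLOCK"):
    """rules: learnt parameter -> regex. Returns (blocked, allowed); allowed skips signatures."""
    allowed = set()
    for name, value in req.args.items():
        if name not in rules:
            continue                              # nothing learnt for it: signatures decide
        if re.fullmatch(rules[name], value):
            allowed.add(name)                     # hit action: ALLOW_PARAMETER
        elif miss_action == "BLOCK":
            return True, allowed                  # learnt parameter with an unexpected value
    return False, allowed

# Constructed, deliberately simplified patterns standing in for the CRS signatures.
SIGNATURES = {"sqli": re.compile(r"(?i)\bunion\b.+\bselect\b|'\s*or\s*'"),
              "path-traversal": re.compile(r"\.\./")}

@dataclass
class WafPolicy:
    mode: str                     # "DETECTION" or "ENFORCEMENT"
    allowlist: list               # AllowlistRule objects, evaluated in order
    learnt: dict                  # positive security rules, parameter -> regex
    deny_status: int = 403        # status code of the profile's default deny action

    def process(self, req):
        mode = self.mode
        # 1. Allowlist: the first matching rule inside its sampling window decides.
        for rule in self.allowlist:
            if rule.matches(req) and rule.in_sample():
                if rule.action == BYPASS:
                    return {"decision": "BYPASS", "reason": rule.name}
                if rule.action == DETECTION_MODE:
                    mode = "DETECTION"    # this request can only be flagged
                break                     # CONTINUE: stop the allowlist, run the WAF
        # 2./3. Positive security: learnt parameters must look like learnt traffic.
        blocked, allowed = positive_security_check(self.learnt, req)
        if blocked:
            return self.verdict(mode, "positive-security-miss")
        # 4./5. Signatures scan every parameter that positive security did not allow.
        for name, value in req.args.items():
            for sig_name, pattern in SIGNATURES.items():
                if name not in allowed and pattern.search(value):
                    return self.verdict(mode, f"signature:{sig_name}:{name}")
        return {"decision": "PASS"}

    def verdict(self, mode, reason):
        # 6./7. Enforcement rejects with the default-action status; Detection only flags.
        if mode == "ENFORCEMENT":
            return {"decision": "REJECT", "status": self.deny_status, "reason": reason}
        return {"decision": "FLAG", "reason": reason}

def build_policy():
    return WafPolicy(mode="ENFORCEMENT",
                     allowlist=[AllowlistRule("scanner", BYPASS, client_cidrs=("192.0.2.0/24",)),
                                AllowlistRule("uploads", DETECTION_MODE, methods=("POST",),
                                              path_prefix="/upload")],
                     learnt={"id": r"\d{1,6}", "lang": r"[a-z]{2}"})

# Constructed sample requests (documentation address ranges).
SAMPLE_REQUESTS = [
    Request("192.0.2.7", "GET", "/search", {"q": "1 union select a from b"}),   # internal scanner
    Request("198.51.100.4", "GET", "/item", {"id": "42", "lang": "en"}),
    Request("198.51.100.4", "GET", "/item", {"id": "42' or '1", "lang": "en"}),
    Request("198.51.100.4", "GET", "/search", {"q": "1 union select a from b"}),
    Request("198.51.100.4", "POST", "/upload/file", {"name": "../../x"}),
]

def process_samples():
    return [build_policy().process(r) for r in SAMPLE_REQUESTS]
```

The five sample requests come out as BYPASS (scanner range), PASS, REJECT by positive security, REJECT by a signature, and FLAG because the allowlist switched that upload to Detection Mode.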

Partial Buffering for Chunked Mode Encoding
This section discusses Partial Buffering for Chunked Mode Encoding.

Prior to the NSX Advanced Load Balancer release 20.1.3, only full buffering for POST payloads
with chunked-encoding was supported.

Starting with NSX Advanced Load Balancer 20.1.3, partial buffering for chunked-encoded payload
is supported. The remaining payload is streamed while maintaining the original chunk boundaries
sent from the client.

Support for IP Groups in Allowlist
This section discusses Support for IP Groups in Allowlist.

Prior to NSX Advanced Load Balancer release 20.1.3, only ranges, prefixes or lists of IP addresses
were supported while configuring allowlist. Starting with NSX Advanced Load Balancer release
20.1.3, configuration using IP groups is also supported for allowlist.

Configuring Using NSX Advanced Load Balancer
This section explains how to configure an IP group and use it in a WAF allowlist so that all
requests from IPs in the IP group called Trusted IPs bypass WAF checks.

Procedure

1 To configure an IP group:

a Provide the required name.

b Use the Select by IP Address option and add the required IP address.


2 Select the IP group created in the previous step as the value for the Match option while
creating a new allowlist rule.


3 Select the desired action and save the WAF allowlist, as shown below.


4 The following shows a complete WAF policy using an IP group. As shown below, the action is set
to bypass for any client IP address which is part of the IP address group created in the previous
step.

Positive Security and Learning


This section discusses Positive Security and Learning feature for WAF.

Positive Security rules define allowed application behaviour. These rules can be created by the
Learning Engine, scanner import or manually. A Positive Security rule will match when the request
(or parts of the request) matches the behaviour defined in the rules. This is in contrast to
Signatures, which describe attack patterns and will match when an attack pattern is found.

Both Positive Security and Signatures support similar rule concepts:

n Enable / Disable

n Mode (Detection / Enforcement) by rule

n Paranoia levels of rules

Reasons for Using the Positive Security Model

n Because Positive Security defines the expected application behaviour, it can reduce the attack
surface by allowing only known-good traffic.

n A Positive Security policy can result in better performance. Instead of checking a value against
a long list of known attacks, the validation is against a single expression.

Configuring Positive Security Group

This section discusses how to configure a Positive Security group.

Configure Positive Security Group

To create a Positive Security group, follow the steps below:

Procedure

1 From the NSX ALB UI, navigate to Templates > WAF > WAF Policy.

2 Click on Create or Edit an existing WAF Policy.

3 Enter the required details under the Settings tab.

4 Click on the Positive Security tab.

5 Click on Add Group to create a new Positive Security group, or click on the three dots option
available next to Add Positive Security Group.

6 In the New Positive Security Group screen, enter the details as shown below:

Field, description and additional information:

n Name – Enter a relevant name for the policy.

n Description – Enter a description to identify the group.

n Learning Group – Select this option to enable the group for learning.

n Hit Action – Select either Allow parameter or No operation from the drop-down. If a rule in this
group matches the match_value pattern, this action is executed. Allowed actions are
WAF_ACTION_NO_OP and WAF_ACTION_ALLOW_PARAMETER.

n Miss Action – Select either Block or No Operation from the drop-down. If a rule in this group
does not match the match_value pattern, this action is executed. Allowed actions are
WAF_ACTION_NO_OP and WAF_ACTION_BLOCK.

n Location – Click on Add Location to create a new location. Rules are created in locations.
Locations are derived from URLs.

7 Click on Save.

Creating a Location

This section discusses creating a location.

Enter details in the New Location screen as shown below:

Procedure

1 Enter a unique Name to identify the location.

2 Enter the Description.

3 Select a Match Type, for example: Path.

4 In the Criteria field, select the Criterion to use for matching the HTTP request in the URI.

5 Enter the String Value in String group or custom string.

6 Select Match Case to enable case sensitivity.

VMware, Inc. 33
VMware NSX Advanced Load Balancer WAF Guide

7 To add another match type, select one from the Add Match Type drop-down list.

8 Click on Add Rule to create a new rule. The New Location screen is shown below:

9 Click on Save.

Creating an Argument Rule

This section discusses creating an Argument Rule.

In the New Argument Rule screen, do the following:


Procedure

1 Click on the Rule Enabled toggle button to enable or disable the rule. The rule is enabled by
default.

2 Enter a unique Rule ID.

3 Enter the rule Name.

4 Enter a Description for the rule.

5 Select a mode:

a Use Policy Mode: When Detection or Enforcement cannot be applied, the policy mode is
used. For the policy mode to take effect, the WAF policy should allow delegation.

b Detection: WAF rules will be processed but HTTP transactions will not be intercepted.
Any rule configured to intercept HTTP transactions will be bypassed.

c Enforcement Mode: WAF rules are processed and HTTP transactions intercepted, as per
the rules configured.

6 The WAF Ruleset paranoia mode selects rules based on their paranoia level. Assigning a
paranoia level to the rule is optional. It is recommended to leave the paranoia level value at 1.

7 Define the Match Elements as shown below:

a Enter the Value Max Length to define the maximum length of the match value.

b Enter a Match Value Pattern to identify the expression which describes the expected
value. To know more about Match Value Pattern refer to String Groups Support.

c Enable Arguments Case Sensitive, if required. This will ensure the match value has the
same case as specified in the match value pattern.


8 Click on Add Match Element and define the match elements as shown below:

a In the field Name, select the variable specification.

b Enter a Sub Element.

c Click on Excluded, if required. Use this option to exclude the element specified under
Name and Sub Element.

The New Argument Rule screen is as below:


9 Click on Save.
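The Python model below is an added example, not VMware code: it exercises the Positive Security group fields described above (hit and miss actions, locations, argument rules with match elements, value max length, match value pattern, case sensitivity and rule mode) against constructed requests. How rule mode interacts with Allow Mode Delegation is this model's reading of the text, and every name, rule id and URL in it is constructed.

```python
"""Toy model of an NSX ALB WAF Positive Security group (added example, not
VMware code). It mirrors the fields described above: hit/miss actions,
locations, argument rules with match elements, value max length, match value
pattern, case sensitivity and rule mode. How rule mode and Allow Mode
Delegation interact is this model's reading of the text."""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlsplit

# Action and mode names as they appear in the guide.
WAF_ACTION_NO_OP = "WAF_ACTION_NO_OP"
WAF_ACTION_ALLOW_PARAMETER = "WAF_ACTION_ALLOW_PARAMETER"
WAF_ACTION_BLOCK = "WAF_ACTION_BLOCK"
DETECTION, ENFORCEMENT, USE_POLICY_MODE = "detection", "enforcement", "use_policy_mode"


@dataclass
class ArgumentRule:
    rule_id: int
    name: str
    match_elements: list          # e.g. ["ARGS:id"]; only ARGS:<name> is modelled here
    match_value_pattern: str      # regular expression describing the expected value
    value_max_length: int = 0     # 0 means no length limit (this model's convention)
    case_sensitive: bool = False  # Arguments Case Sensitive option
    enabled: bool = True          # Rule Enabled toggle
    mode: str = USE_POLICY_MODE   # or DETECTION / ENFORCEMENT


@dataclass
class Location:
    name: str
    path_prefix: str              # Match Type "Path" with a begins-with criterion
    rules: list = field(default_factory=list)


@dataclass
class PositiveSecurityGroup:
    name: str
    hit_action: str = WAF_ACTION_ALLOW_PARAMETER
    miss_action: str = WAF_ACTION_BLOCK
    locations: list = field(default_factory=list)


def effective_mode(rule, policy_mode, allow_mode_delegation):
    """A rule's own mode only takes effect when the policy allows delegation."""
    if not allow_mode_delegation or rule.mode == USE_POLICY_MODE:
        return policy_mode
    return rule.mode


def evaluate(group, url, policy_mode=ENFORCEMENT, allow_mode_delegation=True):
    """Return (decision, events). decision is "allow", "flag" or "block";
    events lists (rule_id, element, "hit"/"miss", action) for the log."""
    parts = urlsplit(url)
    args = dict(parse_qsl(parts.query, keep_blank_values=True))
    decision, events = "allow", []
    for location in group.locations:
        if not parts.path.startswith(location.path_prefix):
            continue              # rules are created in locations and apply only there
        for rule in location.rules:
            if not rule.enabled:
                continue
            for element in rule.match_elements:
                collection, _, name = element.partition(":")
                if collection != "ARGS" or name not in args:
                    continue      # element absent from this request: nothing to validate
                value = args[name]
                flags = 0 if rule.case_sensitive else re.IGNORECASE
                in_length = rule.value_max_length == 0 or len(value) <= rule.value_max_length
                hit = in_length and re.fullmatch(rule.match_value_pattern, value, flags) is not None
                action = group.hit_action if hit else group.miss_action
                events.append((rule.rule_id, element, "hit" if hit else "miss", action))
                if action != WAF_ACTION_BLOCK:
                    continue      # NO_OP and ALLOW_PARAMETER never reject the request
                if effective_mode(rule, policy_mode, allow_mode_delegation) == ENFORCEMENT:
                    decision = "block"
                elif decision == "allow":
                    decision = "flag"   # detection: logged, but the request passes
    return decision, events


def demo_group():
    """Constructed configuration: one location (/account) with two argument rules."""
    rules = [ArgumentRule(1, "numeric-id", ["ARGS:id"], r"[0-9]+", value_max_length=8),
             ArgumentRule(2, "lang-code", ["ARGS:lang"], r"[a-z]{2}", mode=ENFORCEMENT)]
    return PositiveSecurityGroup("Account-PSM", locations=[Location("account", "/account", rules)])


if __name__ == "__main__":
    for url in ("/account/profile?id=42", "/account/profile?id=42'+OR+1=1",
                "/account/profile?id=123456789", "/public/search?id=abc"):
        print(url, "->", evaluate(demo_group(), url)[0])
```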

Selecting a Paranoia Mode

This section discusses selecting a paranoia mode.

The available paranoia modes are:

n 1- Low (Default and recommended mode)

n 2- Medium

n 3- High

n 4- Extreme

Two aspects that should be considered while setting the paranoia mode are:

n Risk level of an application.

n Resources available for policy tuning.

The following table maps paranoia modes to application risk levels and resource availability:

n High application risk level – High paranoia mode

n Low application risk level – Low paranoia mode

n Resources available for tuning – Higher paranoia mode

n Limited resources available for tuning – Lower paranoia mode

For more information on paranoia mode, refer to OWASP CRS Paranoia Mode.

String Groups Support

Starting with NSX Advanced Load Balancer release 20.1.3, string groups are supported in
addition to the match value pattern mentioned in the previous section. A string group
consists of the following:

n String Group – UUID of the string group containing key used in the match element.

n Key – PCRE-supported regular expression.

1 Navigate to Templates > WAF > WAF Policy > Positive Security tab.

2 The option to use string groups is available under Match Elements while creating a New
Argument Rule, as shown below:


3 For the string group, select the default System-PSMGroup-Types from the drop-down or
create a new string group.

4 For the default System-PSMGroup-Types, select one of the KEY NAMES as shown below.


5 To create a new string group, select create from the drop-down as shown below.


6 Provide the name and enable the Key Value Pair checkbox.

7 Provide the name of new key and enter a PCRE supported expression under the Value field,
and click on the Add Map option as shown below:


8 Provide the name of the key created in the previous step as shown below.


Note The maximum number of string groups that NSX Advanced Load Balancer supports is
100. A string group supports a maximum of 1000 key values.

Deploying WAF Signatures

WAF signatures are one of the security services delivered through Pulse. The WAF signature
service is opt-in and is disabled by default.

n The NSX Advanced Load Balancer WAF protects web applications from common
vulnerabilities as identified by Open Web Application Security Project (OWASP), such as SQL
Injection (SQLi) and Cross-site Scripting (XSS), while providing the ability to customize the
rule set for each application.

n WAF Signatures are published (Core Rule Set) every quarter using a controlled release
management process.

n Once published, the WAF signatures are available on the NSX Advanced Load Balancer Pulse
portal. For more information refer to Pulse and WAF Core Rule Set.


You can deploy the latest WAF signature data on the Controller so that applications can use it.

The following are the two ways to deploy WAF signature data on the Controller:

n Automated

n Manual

Automated WAF Signatures Update

Check the Auto Download WAF Signatures option in the Opt-In settings window to deploy
signatures automatically. The Controller must be registered with Avi Pulse before the opt-in
options can be selected. For more information refer to Pulse.

Automated deployment of WAF signatures gets enabled only when it is explicitly opted in from
Pulse Opt-in page.

n Automated workflow gets enabled once WAF signature service is opted in.


Manual WAF Signatures Update

Check the WAF Signatures Notifications option in the Opt-In settings window to receive a
notification when new signatures are available.

If you have not opted in to automatic deployment of WAF signature data on the Controller, the
Controller does not deploy the latest data automatically. Instead, an event containing a download
link for the data file is generated.

1 You can click on this link to download the WAF signature data file on to the local system.

2 You need to upload the same file to the Controller manually by following the below:

n Navigate to Templates > WAF > CRS.

n Click on Upload File button to upload WAF signature files.


Signatures CRS Rules

In this section the OWASP CRS policy supplied by NSX can be configured. It covers protection
against the OWASP Top Ten attacks.

If the CRS version is updated, all new CRS rules will be in Detection mode. With this, you can
update the CRS ruleset without any risk in production. However, these new rules must be moved
into Enforcement mode (or inherited policy mode) manually.

All updated rules will continue to remain in the same mode and the existing exclusions will be
applied to the rules.

To update CRS Rules do the following:

1 Under the Signatures tab, scroll down to the CRS Rules section.


2 Click on the required CRS Version to select it.

3 The change log is displayed as shown below. Click on OK to confirm and update the CRS
version.


Post and Pre-CRS Rules

The final step in WAF processing is the signature check. Core Rule Sets (CRS) can be configured
under the Signatures tab. You can also configure custom rules to execute before CRS or after
CRS. For more information refer to the sections below.

Pre-CRS Rules

This section shows how to configure Pre-CRS rules.

The custom rules that are applied before the supplied OWASP Core Rule Set (CRS) are called
Pre-CRS rules. For more information refer to Custom Rule Examples.

To define Pre-CRS rules do the following:

1 From the NSX ALB UI, navigate to Templates > WAF > WAF Policy.

2 Click on Create Or Edit an existing WAF Policy.

3 Enter the required details under the Settings tab.

4 Click on the Signatures tab.

5 Under Pre-CRS rules, click on Create Group.


6 Enter the Group Name. Every rule is configured within a group.

7 Click on the Create Rule button.

8 Enter a Name for the rule.

9 Select a mode:

a Policy Mode: When Detection or Enforcement cannot be applied, the policy mode is
used. For the policy mode to take effect, the WAF Policy should allow delegation.

b Detection: WAF rules will be processed but HTTP transactions will not be intercepted.
Any rule configured to intercept HTTP transactions will be bypassed.

c Enforcement Mode: WAF rules are processed and HTTP transactions intercepted, as per
the rules configured.

10 Enter the Rule in the text box.


11 Click on the Create Group button. The Pre-CRS rule is listed as shown below:

12 Click on the toggle button to enable the rule.

Exceptions

Exceptions are a common way of tuning a WAF policy to work with an application.

They are normally created when an application's regular traffic matches specific WAF rules. A
few other reasons for creating exceptions are:

n For false-positive mitigation.

n For applications that do not conform to the System-WAF-Policy.

n For applications transmitting data that might appear like an attack. For instance, transferring
HTML content in query parameters.

n For applications with special requirements that are not allowed in the policy. For instance,
accessing application on its direct IP address.

n You can use NSX Advanced Load Balancer’s recommendation system to create exceptions or
you can even add them manually.

To define an exception manually,

1 Click on +Add Exception to manually configure exceptions. For more information refer to
Exceptions.

2 Configure exceptions for IP address/subnet, path, or any match element. For example,
Subnet- 10.0.0.0/8, Path- /admin , Match Element - REQUEST_BODY.

3 Configure the following options for Path and Match Element, as required:

a Case Sensitive - The case of the characters has to match for the exception to apply.

b Regex Match - The pattern of the string of characters should match to create an
exception.

Note Exceptions can be created on a group level or a rule level.

The rule configured with exceptions is as shown below:


Another example: if the exception names a match element such as ARGS:xyz, a request matching
the exception's IP address and path simply has ARGS:xyz removed while the rule is processed.

Here, the rule is still processed, but the parameter ARGS:xyz is not used in running the rule.

Recommended Assisted Workflow

The following steps are the recommended workflow to configure exceptions:

1 Use WAF Analytics to find possible false positives.

a False-positives may occur in large numbers and for different client IP addresses.

b To understand the context for false-positives, consult the application owner if possible.

2 In the log, choose the WAF hit entry that you want to add the exception for, and click on +
Add Exception.

a The modal dialog will generate a set of suggested values.

b These values are pre-computed from the log entry and related findings.

3 Save the exception to apply it to the policy.


Post-CRS Rules
The custom rules that are applied after the supplied OWASP Core Rule Set (CRS) are configured
under Post-CRS rules.

To configure post-CRS rules, do the following:

1 Under the Signatures tab, scroll down to the Post-CRS Rules section.

2 Create groups and rules as discussed in the Pre-CRS Rules section.

3 Click on Save.

Mixed Mode and Enabling Mode Delegation

A WAF Policy can be configured to operate in either detection-only or enforcement mode.

With the Mode Delegation option on NSX Advanced Load Balancer, the policies can be enabled to
operate in any of the following three modes:

n Detection

n Enforcement

n Mode Delegation

While in Detection mode, if a request matches a rule, then the request is flagged with an
application log message and the request is allowed through.

While in Enforcement mode, if a request matches a rule it is blocked by the NSX Advanced Load
Balancer Service Engine, and an application log message is generated.

With Mode Delegation, WAF rules can overwrite the policy mode, where specific action can be
defined for a single rule, irrespective of the action defined for the rule set. This is also referred to
as the mixed mode, and allows fine tuning to avoid legitimate requests from being blocked, due
to enforcement mode.

Use Cases
The following section discusses a few use cases relevant for enabling Mode Delegation:

1 Test new rules – You can configure manually written rules or new CRS rule updates with
mixed mode enabled to avoid false positives. You will be able to introduce new rules to
operate in detection mode, so that legitimate requests are not rejected.


2 Partial detection – You can configure a few rules in enforcement mode while still retaining
the policy in detection mode. With this, the entire WAF policy need not be moved out of
detection mode to enforce selected rules.

Enabling Mode Delegation

1 In NSX ALB UI, navigate to Templates > WAF > WAF Policy.

2 Click on Create Or Edit an existing WAF Policy.

3 In the Settings tab, under Policy Mode, click on the checkbox for Allow Mode Delegation to
enable mixed mode.

Enabling Policy Mode for a Rule

To enable policy mode for a certain rule, follow the steps below:

1 Navigate to the Signatures tab and select the CRS version.

2 Under RULE MODE, select the option as Use policy mode.

3 Best Practices for Working with WAF

This chapter discusses best practices for working with WAF.

This chapter includes the following topics:

n Creating Exclusions

n Importing the CRS files and CRS Update from NSX Advanced Load Balancer Portal

n Custom Rules

n Vulnerability Scanner (DAST)

n WAF in Anomaly Score Mode

Creating Exclusions

This section explains creating exclusions.

Overview

WAF rules monitor and control all requests sent to the server in order to identify malicious
content and protect the web application from potential threats. While this process establishes a
barrier, it may also restrict authorized users from accessing valuable services.

If a violation is flagged for most of the IP addresses, it is likely a false positive. However, if a
violation is flagged only for a particular IP address, it is most likely a threat that needs to be
blocked or removed.

Exclusions in WAF

This section discusses exclusions in WAF.

Exclusions tune a policy to work with an application. They are created when the regular traffic
of an application matches the configured WAF rules. Exclusions strike a balance between excessive
paranoia and neglecting real threats because of false positives.

The below are the few reasons for creating exclusions:

1 Applications do not conform to the Default-System-Policy.

2 The application transmits data that resembles an attack to the WAF. For example,
transferring HTML content in query parameters.


3 The application has special requirements that are not allowed in the policy. For example,
accessing the application on their direct IP address.

Recommended Assisted Workflow

The steps in mitigating a false positive are as given below:

1 Identify a potential false positive.

Note False-positives may occur in large numbers for different client IP addresses.

2 Eliminate the false positive by adding an Exception to the rule.

3 Exceptions can be created either in a group level or in a rule level. The exceptions created
will be activated immediately.

Creating Exceptions

This section discusses creating exceptions for WAF policies.

To create exceptions, follow the steps below:

Procedure

1 From the NSX ALB UI, navigate to Applications > Virtual Services.

2 Click on the Virtual Service mapped to the WAF policy and navigate to Logs.

3 Filter the WAF log analytics. You can analyse the WAF log analytics based on parameters
such as the client IP, URI, the type of request, and so on.

4 WAF Hits displays all the rules that were matched.

5 Click on +Add Group Exceptions or +Add Rule Exception to create an exception for
false-positive remediation.

6 Save the exception, so that it can be applied to the policy.

Alternatively, exceptions can be manually defined for a group or a rule within the WAF policy.
This can be done at the Pre-CRS, CRS, or Post CRS levels.

Examples for Creating Exclusions

This section discusses examples for creating exclusions.

In the example below, HTML is submitted through a request parameter.

Request:

POST /foo/bar_form.php HTTP/1.1
Host: boofar.com

name1=value1&name2=value2&img=<img+src='/images/foo.png'>

Match Element: ARGS:img

False Positive Reason: XSS rules match "<img...


Workflow for Mitigation

To mitigate, exclude the parameter from being checked for XSS (at the rule group level). The
steps below walk through an example:

1 Admin is aware that the Security Threat level is high.

2 Reason is that many requests are denied.

3 Scanning the App log analytics shows requests from many IPs that got blocked because of
the offending ARGS:img.

4 Clicking on the offending parameter opens Analytics and it shows that this ARGS:img had n
number of denied requests in last day.

5 Admin identifies this as a standard functionality within the application (may ask Dev team).

6 Admin clicks "Generate Exclude"

7 Admin chooses one of the suggestions, such as "exclude parameter" or "exclude IP".

8 New exclusion is put in place (NONE, "foo/bar_form.php", ARGS:img) in front of XSS rule group.
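The Python model below is an added example, not VMware code: it reproduces the ARGS:img false positive from the request above and shows how an exception scoped to subnet, path and match element (the (NONE, "foo/bar_form.php", ARGS:img) exclusion from step 8, and the ARGS:xyz case in the Exceptions section) strips only that parameter from the rule's input while the rule keeps running. The rule id, the XSS pattern and the client address are constructed.

```python
"""Toy model of WAF signature rule groups with exceptions (added example, not
VMware or ModSecurity code). It reproduces the ARGS:img false positive above
and shows how an exception scoped to client subnet, path and match element
removes only that element from the rule's input instead of switching the rule
off. The rule id and the XSS pattern are constructed for illustration."""
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl


@dataclass
class WafException:
    """Exception as configured in the UI. Each of subnet, path and match element
    may be None (the guide's NONE), meaning the exception is not restricted by it."""
    subnet: str = None
    path: str = None
    match_element: str = None     # e.g. "ARGS:img"; None excludes the whole rule
    regex_match: bool = False     # Regex Match option for the path
    case_sensitive: bool = True   # Case Sensitive option for the path

    def applies(self, client_ip, path):
        if self.subnet and ipaddress.ip_address(client_ip) not in ipaddress.ip_network(self.subnet):
            return False
        if self.path is None:
            return True
        flags = 0 if self.case_sensitive else re.IGNORECASE
        if self.regex_match:
            return re.search(self.path, path, flags) is not None
        return re.fullmatch(re.escape(self.path), path, flags) is not None


@dataclass
class SignatureRule:
    rule_id: int
    msg: str
    pattern: str                  # regex applied to every ARGS:<name> value
    exceptions: list = field(default_factory=list)      # rule-level exceptions


@dataclass
class RuleGroup:
    name: str
    rules: list
    exceptions: list = field(default_factory=list)      # group-level exceptions cover all rules


def evaluate(groups, client_ip, path, body):
    """Return the list of (group, rule_id, element) hits for a form-encoded request body."""
    elements = {f"ARGS:{k}": v for k, v in parse_qsl(body, keep_blank_values=True)}
    hits = []
    for group in groups:
        for rule in group.rules:
            active = [e for e in group.exceptions + rule.exceptions if e.applies(client_ip, path)]
            if any(e.match_element is None for e in active):
                continue          # rule excluded as a whole for this request
            removed = {e.match_element for e in active}
            for element, value in elements.items():
                if element in removed:
                    continue      # the rule still runs, but without this element
                if re.search(rule.pattern, value, re.IGNORECASE):
                    hits.append((group.name, rule.rule_id, element))
    return hits


# Constructed request from the table above: HTML submitted through a parameter.
CLIENT_IP = "203.0.113.7"
FORM_PATH = "/foo/bar_form.php"
FORM_BODY = "name1=value1&name2=value2&img=<img+src='/images/foo.png'>"


def xss_group(exceptions=()):
    """Constructed XSS rule group with one rule flagging an opening <img tag."""
    rule = SignatureRule(9000001, "XSS: HTML tag in parameter", r"<\s*img\b")
    return [RuleGroup("XSS", [rule], exceptions=list(exceptions))]


if __name__ == "__main__":
    print("without exception:", evaluate(xss_group(), CLIENT_IP, FORM_PATH, FORM_BODY))
    fix = WafException(path=FORM_PATH, match_element="ARGS:img")   # (NONE, path, ARGS:img)
    print("with exception:   ", evaluate(xss_group([fix]), CLIENT_IP, FORM_PATH, FORM_BODY))
```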

Importing the CRS files and CRS Update from NSX Advanced Load Balancer Portal

This article shows the steps to download the CRS JSON file from the customer portal and upload
it to NSX Advanced Load Balancer.

Multiple CRS versions are supported in NSX Advanced Load Balancer. NSX ALB only supports
curated CRS files that can be downloaded from the customer portal.

Download the CRS File

This section describes how to download the CRS file.

Procedure

1 Log in to the NSX customer portal with your credentials.


2 Navigate to Software > CRS. Different versions of CRS files are listed as shown below:

3 Click on the CRS Details icon.


4 The CRS Details screen lists the Name, Version, Release Date of the CRS file and more as
shown below:

5 Choose the CRS file and click on the Download icon.

6 The downloaded file is available on your system. This can now be uploaded into NSX
Advanced Load Balancer.

Upload the CRS File

This section describes how to upload the CRS file.

To upload the CRS file do the following:

Procedure

1 Navigate to Templates > WAF > CRS.

2 Click on the Upload button to upload the CRS file.


3 Click on Open.

You can configure to execute custom rules before CRS or after CRS as well.

For more information refer to configuring Pre-CRS Rules and Post-CRS Rules.

Custom Rules

This article lists possible use cases for configuring custom rules.

WAF supports custom rules that can be added for any application specific use cases or any other
custom requirements. Custom security rules are based on the ModSecurity language. For more
information, refer to OWASP ModSecurity Core Rule Set.

Custom rules can be configured and executed Pre-CRS and Post-CRS. For more information, refer
to Pre-CRS Rules and Post-CRS Rules.

Custom Rules Examples

This section provides a list of examples for custom rules.

Bypassing WAF
You can bypass certain requests from going through WAF.

The below are the few ways to bypass WAF:

Via Content Length

To bypass WAF if the content length is greater than a defined value.

Custom Rule Syntax

SecRule <Variable> "<operator value>" "phase:1,id:4000100,nolog,pass,ctl:ruleEngine=off"

Example

In this example, if the value of the Content-Length header is greater than 1048576, the
request skips WAF.

SecRule REQUEST_HEADERS:Content-Length "@gt 1048576" "phase:1,id:4000100,nolog,pass,ctl:ruleEngine=off"

Via Chunked Transfer Encoding

To bypass WAF based on the transfer encoding type.

Custom Rule Syntax

SecRule <Variable> "@<operator> <criteria>" "<actions>"

Example


In this example, if the form of encoding used to transfer the request is chunked, the request skips WAF.

SecRule REQUEST_HEADERS:Transfer-Encoding "@contains chunked" "phase:1,id:4000101,nolog,pass,ctl:ruleEngine=off"

Based on Specific Patterns of the Requested Path

To bypass WAF according to certain patterns of the requested path.

Custom Rule Syntax

SecRule <Variable> "@<operator> <value>" "id:4000102,phase:1,t:none,pass,ctl:ruleEngine=off"

Example

In this example, any request that begins with the string "/IDMProv/login.do;jsessionid=" bypasses WAF.

SecRule REQUEST_URI "@beginsWith /IDMProv/login.do;jsessionid=" "id:4000102,phase:1,t:none,pass,ctl:ruleEngine=off"

Allowlisting Requests

To whitelist all requests that match certain conditions.

Custom Rule Syntax

SecRule <Variable> "@<operator> <criteria>" "id:4000104,phase:1,t:none,pass,ctl:ruleEngine=off,chain"
    SecRule REMOTE_ADDR "@ipMatch 10.0.0.0/8" "t:none"

Example

In this example, all requests from 10.0.0.0/8 to all URLs starting with "/admin" are whitelisted.
Since there are two conditions to be fulfilled, a chain rule is used.

SecRule REQUEST_URI "@beginsWith /admin" "id:4000104,phase:1,t:none,pass,ctl:ruleEngine=off,chain"
    SecRule REMOTE_ADDR "@ipMatch 10.0.0.0/8" "t:none"

Enabling Customisable XSS Keywords

WAF protects against XSS attacks. This rule performs a case-insensitive match of the XSS
keywords and blacklists them.

Custom Rule Syntax

SecRule <variable> "@pmfromfile xss-keywords.data" \
    "msg:'Node-Validator Blacklist Keywords',id:4099802,severity:'CRITICAL',phase:request,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:lowercase,t:removeNulls,\
    rev:'2',ver:'OWASP_CRS/3.0.0',maturity:'1',accuracy:'8',block,ctl:auditLogParts=+E,capture,\
    tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-xss',\
    tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A3',\
    tag:'OWASP_AppSensor/IE1',tag:'CAPEC-242',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},\
    setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
    setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"


Example

SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|ARGS_NAMES|ARGS|XML:/* \
    "@pmfromfile xss-keywords.data" \
    "msg:'Node-Validator Blacklist Keywords',id:4099802,severity:'CRITICAL',phase:request,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:lowercase,t:removeNulls,\
    rev:'2',ver:'OWASP_CRS/3.0.0',maturity:'1',accuracy:'8',block,ctl:auditLogParts=+E,capture,\
    tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-xss',\
    tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A3',\
    tag:'OWASP_AppSensor/IE1',tag:'CAPEC-242',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},\
    setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
    setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"

Create the data file xss-keywords.data with one keyword per line:

document.cookie
document.write
.parentnode
.innerhtml
window.location
-moz-binding
<![cdata[

In this example:

Keyword = document.cookie. Remove document.cookie from the xss-keywords data file and send the
DVWA request shown below:

curl -v -b cookies -X GET 'http://172.20.0.49/vulnerabilities/xss_r/?name=%3Cscript%3Edocument.location%3D%27http%3A%2F%2F172.20.0.49%2Flogin.php%3F+%27%2520%2Bdocument.cookie%3C%2Fscript%3E#'

Note Alternatively, to leave it in place, remove the exceptions / enable the rules above and
empty (not delete) the xss-keywords.data.

Enabling Special Mode for Specific Applications

Some rules will create false positives for certain known applications. To allow the application to
coexist with the CRS, the following rule is used.

Custom Rule Syntax

SecRule <variable> "@unconditionalMatch" "id:4099803,phase:1,pass,setvar:'TX:crs_exclusions_<application>=1'"

Example


In this example, Wordpress is added to the CRS exclusion list.

SecRule REMOTE_ADDR "@unconditionalMatch" "id:4099803,phase:1,pass,setvar:'TX:crs_exclusions_wordpress=1'"

Note In addition to this, enable the CRS_903_Application_Specific_Exclusions group. For
example, the CRS_903_Wordpress_Exclusion_Rules as shown below:

Allow Other HTTP Methods in WAF

To overwrite the list of HTTP methods allowed in a WAF profile and allow more methods.

Custom Rule Syntax

SecRule <variable> "@unconditionalMatch" "id:4099804,phase:1,pass,setvar:'tx.allowed_methods=GET HEAD POST PUT OPTIONS DELETE PATCH'"

Example

In this example, the allowed HTTP methods are GET HEAD POST PUT OPTIONS DELETE PATCH.
"@unconditionalMatch" forces the rule to always return true.

SecRule REMOTE_ADDR "@unconditionalMatch" "id:4099804,phase:1,pass,setvar:'tx.allowed_methods=GET HEAD POST PUT OPTIONS DELETE PATCH'"

Note You can overwrite the list of methods in the pre CRS rules of WAF policy, if needed.


More Examples for Custom Rules

This section provides more examples for custom rules.

n To block all requests whose Host header is not in the list.

SecRule REQUEST_HEADERS:Host "!@pm ct-vs1.local ct-vs2.local" \
    "msg:'Found bad hostname in request',severity:'CRITICAL',id:4913102,rev:'2',phase:request,block,\
    t:none,t:lowercase,ver:'OWASP_CRS/3.0.0',maturity:'9',accuracy:'9',capture,\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',tag:'language-multi',tag:'platform-multi',tag:'attack-reputation-scanner',\
    tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',\
    setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
    setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var},\
    setvar:ip.reput_block_flag=1,expirevar:ip.reput_block_flag=%{tx.reput_block_duration},\
    setvar:'ip.reput_block_reason=%{rule.msg}'"

n To bypass WAF engine for a specific IP address or subnet.

SecRule REMOTE_ADDR "@ipMatch 10.0.0.0/8" "id:10000,phase:1,nolog,pass,ctl:ruleEngine=Off"

n To check the length of an input parameter.

SecRule ARGS:foo "@ge 24" "id:10001,t:length,phase:2,block,log,auditlog,msg:'Size of foo parameter too big'"

n To check for java runtime and getruntime for a specific CVE.

SecRule ARGS "@rx java\.lang\.runtime|getruntime" \
    "id:4050100,phase:request,t:none,t:lowercase,block,msg:'Java Injection found',\
    tag:'application-multi',tag:'language-java',tag:'framework-spring',tag:'CVE-2018-1273',severity:'CRITICAL'"

n To exclude a specific parameter from a specific rule.

SecRule REQUEST_URI "@contains /vulnerabilities/fi/" "id:4000088,phase:1,t:none,nolog,pass,ctl:ruleRemoveTargetById=930120;ARGS:page"

n To configure a positive rule in ModSecurity syntax.

SecRule ARGS:id "!@rx ^[0-9]+$" "id:12345,phase:2,t:none,block,log,auditlog,msg:'id is not a number'"

n To detect XXE via a custom rule.

SecRule REQBODY_PROCESSOR "@streq xml" "id:4099801,phase:2,t:none,t:trim,t:lowercase,block,chain"
    SecRule REQUEST_BODY "@rx <!ENTITY\s+[^>\s]*\s+SYSTEM"

n To use the detectSQLi operator on the last path element.

SecRule REQUEST_FILENAME "@rx ^/(?:[^/]/)(.*)$" \
    "id:4099819,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,\
    msg:'SQL Injection Attack Detected via libinjection',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/3',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    chain"
    SecRule TX:1 "@detectSQLi" \
        "setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\
        setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}',\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"

n To detect an HTTP desync attack.

# A request that carries both Content-Length and Transfer-Encoding: chunked is
# ambiguous: front end and back end may frame the body differently, which is the
# basis of request smuggling. &REQUEST_HEADERS:Content-Length counts the header.
SecRule &REQUEST_HEADERS:Content-Length "@gt 0" \
    "id:4099820,phase:1,t:none,block,msg:'HTTP Desync attack detected',chain"
    SecRule REQUEST_HEADERS:Transfer-Encoding "@contains chunked" "t:none,t:lowercase"

Vulnerability Scanner (DAST)

A Dynamic Application Security Testing (DAST) scanner is a tool that probes a running application to identify potential security issues.

NSX Advanced Load Balancer provides a script called avi-iwaf-vpatch.py that imports DAST scanner results. The imported results are used to construct a WAF Policy that protects against the issues the scanner found, before the application itself is fixed. This technique is often called virtual patching.

NSX Advanced Load Balancer supports the following DAST scanners:

n OWASP ZAP Attack Proxy

n Qualys Web App Scanning

The supported scanner format is an XML file containing scanner result report.

Workflow
This section describes the steps to integrate a DAST scanner.

1 Run a scan against the web application while it is not protected by WAF.

2 If the scan reports issues, run avi-iwaf-vpatch.py on the scan output to generate WAF Policy rules, then enable WAF on the virtual service.

3 Scan again. Subsequent scans should no longer report the issues that are now handled by the WAF Policy; anything still reported is either outside the script's coverage (see the note below) or outside the scope of WAF.

The avi-iwaf-vpatch.py script generates NSX Advanced Load Balancer WAF Policy Positive Security rules. It creates a WAF Policy Positive Security group containing all the rules covering the DAST scan issues, with a Positive Security location for each vulnerable URL reported by the scanner and a Positive Security rule for each supported issue.

Note The avi-iwaf-vpatch.py script does not generate rules for every issue found. It generates rules related to parameter security, for instance URL parameters, HTML form fields and XML or JSON attributes.

The script is delivered as part of the NSX SDK, available on the NSX Advanced Load Balancer Controller in the DAST directory.


Usage
The script is invoked with Python in the following format:

avi-iwaf-vpatch.py PARAMETERS FILENAME

The PARAMETERS are as follows:

n -c — hostname or IP address of the Avi Controller to connect to

n -u — username to log in to the Avi Controller

n -p — password

n -t — tenant

n -g — (optional) iWAF Policy PSM group name

n -v — verbose output

n -f — force apply changes

FILENAME is the DAST scan output in XML format.

When you run the script without the -f option, it only prints what it would do (a dry run). Only when -f is set does the script connect to the NSX Advanced Load Balancer Controller and write the WAF Policy. If no group name is specified with -g, the script creates a group named zap or qualysweb, depending on the scanner used. The scanner type is auto-detected from the XML file format.

Example
python ./avi-iwaf-vpatch.py -c 127.0.0.1 -g zap_group ./zap_results.xml --verbose
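To make the dry-run behaviour concrete, the following Python script is an added example and is not avi-iwaf-vpatch.py or any NSX Advanced Load Balancer API: it parses a constructed report written in the layout of an OWASP ZAP XML export, auto-detects the scanner from the root element, and produces a plan of Positive Security locations and parameter rules without writing anything. The set of patchable issue types, the default safe-value regular expression and the plan's field names are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed fragment in the layout of an OWASP ZAP XML report (not a real scan).
# Two alerts: a SQL injection on /products (two instances, GET id and POST qty) and a
# clickjacking finding with no parameter, which a parameter rule cannot virtual-patch.
ZAP_REPORT = """<?xml version="1.0"?>
<OWASPZAPReport version="2.11.1" generated="Tue, 1 Jan 2030 00:00:00">
  <site name="http://shop.example.test" host="shop.example.test" port="80" ssl="false">
    <alerts>
      <alertitem>
        <pluginid>40018</pluginid>
        <alert>SQL Injection</alert>
        <riskcode>3</riskcode>
        <instances>
          <instance>
            <uri>http://shop.example.test/products?id=1%27+OR+1%3D1--</uri>
            <method>GET</method>
            <param>id</param>
          </instance>
          <instance>
            <uri>http://shop.example.test/products</uri>
            <method>POST</method>
            <param>qty</param>
          </instance>
        </instances>
      </alertitem>
      <alertitem>
        <pluginid>10020</pluginid>
        <alert>X-Frame-Options Header Not Set</alert>
        <riskcode>1</riskcode>
        <instances>
          <instance>
            <uri>http://shop.example.test/</uri>
            <method>GET</method>
            <param></param>
          </instance>
        </instances>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""

# Issue types this planner turns into a parameter rule (an assumption of this example).
PATCHABLE = {"SQL Injection", "Cross Site Scripting (Reflected)", "Path Traversal"}

# Constrained character class per parameter; anything outside it is a violation (assumed).
SAFE_VALUE = r"^[A-Za-z0-9_.-]{0,63}$"


def detect_scanner(xml_text):
    """Auto-detect the report type from its root element."""
    root = ET.fromstring(xml_text)
    if root.tag == "OWASPZAPReport":
        return "zap"
    raise ValueError("unsupported report format: " + root.tag)


def plan_virtual_patch(xml_text, group_name=None):
    """Dry run: return a plan of Positive Security locations and parameter rules.

    Nothing is written anywhere; a real run would translate this into WAF Policy objects.
    """
    scanner = detect_scanner(xml_text)
    group = group_name or scanner          # default group name follows the scanner
    root = ET.fromstring(xml_text)
    locations = {}                          # path -> {param: rule}
    skipped = []                            # findings a parameter rule cannot cover

    for item in root.iter("alertitem"):
        name = item.findtext("alert", "")
        for inst in item.iter("instance"):
            path = urlsplit(inst.findtext("uri", "")).path or "/"
            param = (inst.findtext("param") or "").strip()
            if name not in PATCHABLE or not param:
                skipped.append((name, path, param))
                continue
            rule = {
                "name": f"{scanner}-{item.findtext('pluginid')}-{param}",
                "match_element": f"ARGS:{param}",
                "methods": sorted({inst.findtext("method", "GET")}),
                "allowed_value_regex": SAFE_VALUE,
                "mode": "enforcement",
            }
            existing = locations.setdefault(path, {}).get(param)
            if existing:   # same parameter reported again: merge the HTTP methods
                existing["methods"] = sorted(set(existing["methods"]) | set(rule["methods"]))
            else:
                locations[path][param] = rule
    return {"group": group, "locations": locations, "skipped": skipped}


def value_allowed(plan, path, param, value):
    """Apply the planned rule the way the positive-security engine would."""
    rule = plan["locations"].get(path, {}).get(param)
    if rule is None:
        return True                         # no rule planned for this parameter
    return re.fullmatch(rule["allowed_value_regex"], value) is not None


if __name__ == "__main__":
    p = plan_virtual_patch(ZAP_REPORT)
    for path, rules in p["locations"].items():
        for r in rules.values():
            print(f"{p['group']}: {path} {r['match_element']} {r['methods']} -> {r['allowed_value_regex']}")
    for s in p["skipped"]:
        print("not covered by a parameter rule:", s)
```

Run as a script it prints the plan; the X-Frame-Options finding is reported as not coverable by a parameter rule, which is the kind of issue the next section says needs a manual setting instead.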

Limitations of the DAST scanner integration

This section explains the limitations of the import script and the manual changes that can be applied to cover some of them.

DAST scanners can report many issues that the avi-iwaf-vpatch.py script does not handle. Many of them are beyond the scope of a WAF. Some, however, can be mitigated by appropriate settings elsewhere in NSX Advanced Load Balancer. For example:

1 Issues related to clickjacking can be mitigated by adding an X-Frame-Options HTTP response header. In the NSX admin UI, navigate to Virtualservice/Policies/HTTP Response action and select the Add Header option.

2 Issues related to cookies, such as "A cookie has been set without the HttpOnly flag" or "Cookie Does Not Contain The 'secure' Attribute", can be addressed by selecting the appropriate options under Application Profile/Security.

WAF in Anomaly Score Mode


This section explains how anomaly scoring mode works.

By default, a WAF Policy operates in either detection-only or enforcement mode, and the policy flags or rejects a request as soon as a single rule matches. Alternatively, anomaly scoring mode can be used. For more information, refer to WAF Mode and WAF Policy.

Anomaly Scoring
In anomaly scoring mode, no single rule match is disruptive on its own. Each matching rule adds its severity score to a per-request total; if that total reaches a threshold, the request is blocked.

Within the Service Engine, several thresholds are set by default and can be changed.

Default thresholds

setvar:tx.sql_injection_score_threshold=15,
setvar:tx.xss_score_threshold=15,
setvar:tx.rfi_score_threshold=5,
setvar:tx.lfi_score_threshold=5,
setvar:tx.rce_score_threshold=5,
setvar:tx.command_injection_score_threshold=5,
setvar:tx.php_injection_score_threshold=5,
setvar:tx.http_violation_score_threshold=5,
setvar:tx.trojan_score_threshold=5,
setvar:tx.session_fixation_score_threshold=5,
setvar:tx.inbound_anomaly_score_threshold=5,
setvar:tx.outbound_anomaly_score_threshold=4

The most frequently used threshold is inbound_anomaly_score_threshold, which the default CRS rule 949110 (inbound anomaly score) uses to deny a request.

Each rule severity maps to a score:

setvar:tx.critical_anomaly_score=5,
setvar:tx.error_anomaly_score=4,
setvar:tx.warning_anomaly_score=3,
setvar:tx.notice_anomaly_score=2

With these defaults a single CRITICAL match (5) already reaches the inbound threshold (5), while the per-attack thresholds for SQLi and XSS (15) are only reached after three CRITICAL matches.

When the WAF policy is executed, each matching rule adds its severity score both to the overall tx.anomaly_score and to the score variable of its attack category.

For example, rule 931120 (Check for RFI (3/4)) is CRITICAL and performs:

setvar:tx.anomaly_score=+%{tx.critical_anomaly_score}

setvar:tx.rfi_score=+%{tx.critical_anomaly_score}

Finally, when all rules have been evaluated, rule 949110 (inbound anomaly score) checks tx.anomaly_score against the threshold and triggers a deny if it has been reached.

SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}" \
    "msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE})',\
    severity:CRITICAL,\
    phase:request,\
    id:949110,\
    t:none,\
    deny,\
    log,\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-generic',\
    setvar:tx.inbound_tx_msg=%{tx.msg},\
    setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}"

A log file entry is created.

To view the log, follow the below steps:


1 Navigate to Applications > Virtual Services.

2 Click on the virtual service mapped to the WAF policy.

3 Click on Logs.

Setting Up WAF in Anomaly Scoring mode


This section discusses setting up WAF in anomaly scoring mode.

Changing the Default Behaviour of the WAF Profile

Note A rule can have different disruptive actions. Most rules use block as the disruptive action. Block makes the rule engine execute the default action defined in the WAF profile attached to the policy. Out of the box that default action contains deny, which flags (detection mode) or rejects (enforcement mode) the request as soon as one rule matches, before any score has been accumulated.

For anomaly scoring to work, the default action must therefore be changed from deny to pass, for every phase of WAF handling, so that only the scoring rule (949110, or a custom threshold rule) decides. For example, the phase 1 default action becomes:

phase:1,pass,status:403,log,auditlog

To modify the default action, follow the steps below:

1 From the NSX ALB UI, navigate to Templates > WAF > WAF Profile.

2 Click the Edit icon against the required profile.

3 Modify the Default Actions in the Edit WAF Profile screen.

Changing individual thresholds and blocking on different threshold variables (by group, for example)
Every threshold or score variable can be changed with a Pre-CRS custom rule. For example, to lower the RFI threshold to 2:

SecRule REMOTE_ADDR "@unconditionalMatch" "id:4099803,phase:1,pass,setvar:tx.rfi_score_threshold=2"

To block on a per-group threshold rather than on the overall score, a custom Post-CRS rule is required.

Note It is recommended to disable the CRS rule 949110, which denies the request on the overall score, so that the two checks do not interfere.

The following rule is a good example of such a blocking rule:

SecRule TX:RFI_SCORE "@ge %{tx.rfi_score_threshold}" \
    "msg:'Inbound RFI-Anomaly Score Exceeded (Total Score: %{tx.rfi_score})',\
    severity:CRITICAL,\
    phase:request,\
    id:1949110,\
    t:none,\
    deny,\
    log,\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-generic',\
    setvar:tx.inbound_tx_msg=%{tx.msg}"

This rule blocks only on tx.rfi_score_threshold and the accumulated tx.rfi_score variable.

Similar rules can be created for all other groups of attacks.
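The following Python model is an added example (not CRS or NSX Advanced Load Balancer code) that covers both the scoring described under Anomaly Scoring and the per-group blocking rule above: four constructed stand-ins for CRS rules add their severity score to tx.anomaly_score and to their attack-category variable, and the request is then checked against the inbound threshold (as rule 949110 does) or against one or more per-group thresholds (as rule 1949110 does). Matching is reduced to a substring test and the rule messages are illustrative; the scores and thresholds are the defaults listed above.

```python
from collections import defaultdict

# Severity scores and thresholds, using the defaults quoted in the text.
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
DEFAULT_THRESHOLDS = {
    "inbound_anomaly_score_threshold": 5,
    "sql_injection_score_threshold": 15,
    "xss_score_threshold": 15,
    "rfi_score_threshold": 5,
    "lfi_score_threshold": 5,
    "rce_score_threshold": 5,
    "http_violation_score_threshold": 5,
}

# Constructed stand-ins for CRS rules: (rule id, msg, severity, per-attack score variable,
# substring that "matches"). Only the scoring actions matter for this model.
RULES = [
    (931120, "Possible Remote File Inclusion (RFI) Attack", "CRITICAL", "rfi_score", "http://"),
    (942100, "SQL Injection Attack Detected via libinjection", "CRITICAL", "sql_injection_score", "' or "),
    (941100, "XSS Attack Detected via libinjection", "CRITICAL", "xss_score", "<script"),
    (920230, "Multiple URL Encoding Detected", "WARNING", "http_violation_score", "%25"),
]


def score_request(args, thresholds=None, overall=True, per_group=()):
    """Run the scoring phase over a request's arguments, then apply the blocking rule(s).

    overall   - evaluate the rule-949110-style check on tx.anomaly_score
    per_group - score variables checked against their own thresholds, the way a
                Post-CRS rule such as id 1949110 checks tx.rfi_score
    Returns (decision, tx) where tx holds the accumulated score variables.
    """
    thresholds = {**DEFAULT_THRESHOLDS, **(thresholds or {})}
    tx = defaultdict(int)
    tx["msgs"] = []
    for rule_id, msg, severity, group_var, needle in RULES:
        for name, value in args.items():
            if needle in value.lower():
                inc = SEVERITY_SCORE[severity]
                tx["anomaly_score"] += inc   # setvar:tx.anomaly_score=+%{tx.<sev>_anomaly_score}
                tx[group_var] += inc         # setvar:tx.<group>_score=+%{tx.<sev>_anomaly_score}
                tx["msgs"].append((rule_id, f"ARGS:{name}", msg))
                break                        # one hit per rule is enough for this model
    decision = "PASSED"
    if overall and tx["anomaly_score"] >= thresholds["inbound_anomaly_score_threshold"]:
        decision = "DENY:inbound_anomaly_score"
    for group_var in per_group:
        if tx[group_var] >= thresholds[group_var + "_threshold"]:
            decision = "DENY:" + group_var
    return decision, dict(tx)


if __name__ == "__main__":
    print(score_request({"page": "http://evil.example/shell.txt?"}))
    print(score_request({"id": "1' OR 1=1--"}, overall=False,
                        per_group=("sql_injection_score", "rfi_score")))
    print(score_request({"id": "1' OR 1=1--"}, thresholds={"sql_injection_score_threshold": 5},
                        overall=False, per_group=("sql_injection_score",)))
```

Two points the numbers make visible: with inbound_anomaly_score_threshold=5 one CRITICAL match is enough to deny, which is why the default profile behaves much like plain blocking; and with the SQLi threshold at 15 a single libinjection hit scored per group passes until the threshold is lowered with a Pre-CRS setvar, as rule 4099803 does for RFI.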

Caveat

Note In the ModSecurity rule language, a variable used as the rule target is written with a ":" (colon), for example TX:RFI_SCORE. In the action list and in operator arguments, the same variable is written with a "." (dot), for example %{tx.rfi_score_threshold} or setvar:tx.rfi_score=+5. If the two notations are mixed up, the rule will not match as intended.


Sample Test Case


Send a request whose ARGS carries a remote file inclusion payload, for example to https://abc-eval-test.net/am-test

This triggers rule 931120 (Check for Remote File Inclusion (3/4)), which adds its critical score to tx.anomaly_score and tx.rfi_score.

4 Analytics and Insights

This chapter discusses the options available on NSX Advanced Load Balancer to monitor the intelligent web application firewall (WAF) under the following topics:

n WAF Log Analytics

n WAF Analytics

n WAF Metrics

WAF Log Analytics


This section discusses the WAF log analytics available for a virtual service on NSX Advanced Load Balancer.

When a WAF policy is attached to a virtual service, WAF-specific log entries are generated. To view them, follow the steps below:

1 Navigate to Applications > Virtual Services.

2 Click the virtual service mapped to the WAF policy and navigate to Logs.

3 The logs can be filtered to show only specific WAF entries. Type WAF in the search bar to populate the available options.


These filters can be used for WAF Analytics as well.

Analyzing WAF Logs Analytics


The following are the fields in WAF Logs Analytics entry:

n Timestamp: Time of capturing the log.

n WAF: Result of WAF evaluation. For more details, refer to the WAF Status section.

n Client IP: IP address of the client.

n URI: URL of the evaluated traffic.

n Request: Request type

n Response: Response code.

n Length: Size of the response body.

n Duration/Timeline: Duration of the traffic.

WAF Status
This column in the WAF Logs Analytics entry refers to the result of WAF evaluation. The
following are the possible outcomes:

n REJECTED: Policy is in enforcement mode and the request was rejected.

n FLAGGED: Policy is in detection only mode and the request was logged, but not rejected.

n PASSED: Request passed the WAF policy without any match.

n Not applicable: The request was not evaluated by WAF.

n BYPASSED: When the request matches with the Allowlist and the Allowlist handles the request.


Detailed log information


Clicking on the + sign at the end of each log entry will expand the panel to provide more details.

n Significance: Indicates WAF policy match.

Note This is the first indicator of a matched WAF policy and does not indicate if the request was
rejected or not.

n WAF response time: Displays the execution time for all four WAF evaluation phases.

n WAF Hits : Displays the rules that were matched. All rules that were matched will have an
entry consisting of the following fields:

n Group name

n Rule name

n Rule ID

n Rule message

n Part of the request or response that was matched, along with the offending string

n Match phase

n All tags assigned to the rule


n Add Exceptions: Under the WAF Hits section, click on + Add Exceptions, to create an
exception for a false-positive remediation.

n Exceptions can be created either at a group or a rule level. The exceptions created will be
activated immediately.

WAF Analytics
This section explains WAF Analytics.

1 Navigate to Applications > Virtual Services.

2 Click the virtual service mapped to the WAF policy.

3 Navigate to Logs and click the right-side panel to access Log Analytics.

The Log Analytics tab provides an option for WAF analytics under the following sections:

n WAF Tags

n WAF Rules

n WAF Groups

n WAF Latency

Each section provides an insight into the currently filtered traffic. Analytics can be generated
based on the time frame chosen, such as Displaying Past Week, Displaying Past 6 Hours, etc. The
new WAF log analytics items can now be used in conjunction with the already existent analytics.


The following screenshot shows a sample of logs displayed on choosing FLAGGED WAF status
filter along with CRS_949_Anomaly_Evaluations rule group under WAF Groups in the Analytics
tab.

WAF Tags
Overview of the tags that were hit during the selected time frame.

WAF Rules
Overview of the rules that were hit during the selected time frame.


WAF Groups
Overview of the groups that were hit during the selected time frame. Groups can be expanded to
show the distribution by rule.


WAF Latency
Summary of the latency in microseconds for the log entries in a given time frame.

WAF Metrics
This section discusses WAF Metrics.

To view WAF-related metrics, do the following:

1 Navigate to Applications > Virtual Services.

2 Click on the Virtual Service mapped to the WAF policy and navigate to WAF.

The chart in this tab displays WAF rule hits against the chosen time frame. This helps analyze
denied requests and their corresponding trigger.


The following fields show specific hit counts for each listed element:

n Group

n Rule

n Tag

n Client IP

n Path

n Match Element

All elements in each field are displayed with the corresponding hit count. On discovering a false
positive, any rule or group can be disabled, by using the toggle button.

You can click on any element in each field to create a specific filter. Then, the field Popular
Combinations displays the known combinations and their hit counts related to the chosen filter.
The filter can be reset by clicking on Reset filters.

Preview Exceptions
This section discusses Preview Exceptions.

After choosing a specific filter under Client IP, Path and Match Element, you can add an exception for the selected combination.

1 Click Preview Exception to view the exception in the right-side pane.

2 To add this exception, click the Add Exceptions icon. The policy is updated immediately.

Note For previewing and creating exceptions, ensure that the required rule is selected as part of the filter.

For instance, clicking on ARGS:ip under Match Element provides a preview exception option for that match element.

You can choose multiple field elements to create a more specific exception entry. The more specific the entry (rule, path and parameter rather than the rule alone), the less protection is given up to silence the false positive.
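The analysis behind Popular Combinations and Preview Exceptions can be reproduced offline over exported logs. The following Python is an added example, not NSX Advanced Load Balancer code, and works on a constructed list of log entries whose field names (waf, client_ip, path, hits with rule_id and match_element) are assumptions rather than the product's log schema: it filters entries the way Preview Logs does, counts hits and distinct clients per (rule, path, match element) combination, and proposes <rule, URL, parameter> exceptions only for combinations tripped by many unrelated clients, since one client hitting the same rule repeatedly is far more likely an attacker than a false positive.

```python
from collections import defaultdict


def entry(status, client_ip, path, *hits):
    """Build one constructed log entry; (rule_id, match_element) pairs become WAF hits."""
    return {"waf": status, "client_ip": client_ip, "path": path,
            "hits": [{"rule_id": r, "match_element": m} for r, m in hits]}


# Constructed sample, not real NSX ALB log output. Five different clients trip the SQLi
# rule on the search box (a product search such as "o'reilly or later" looks like an
# injection to a signature), while one client hammers the login form with real payloads.
LOG_ENTRIES = [
    entry("FLAGGED", "198.51.100.10", "/search", (942100, "ARGS:q")),
    entry("FLAGGED", "198.51.100.11", "/search", (942100, "ARGS:q")),
    entry("FLAGGED", "198.51.100.12", "/search", (942100, "ARGS:q")),
    entry("FLAGGED", "198.51.100.13", "/search", (942100, "ARGS:q")),
    entry("FLAGGED", "198.51.100.14", "/search", (942100, "ARGS:q")),
    entry("REJECTED", "203.0.113.5", "/login", (942100, "ARGS:username"), (949110, "TX:anomaly_score")),
    entry("REJECTED", "203.0.113.5", "/login", (942100, "ARGS:username"), (941100, "ARGS:username"),
          (949110, "TX:anomaly_score")),
    entry("REJECTED", "203.0.113.5", "/login", (942100, "ARGS:username"), (949110, "TX:anomaly_score")),
    entry("PASSED", "198.51.100.20", "/search"),
]


def filter_entries(entries, waf=None, rule_id=None, path=None, client_ip=None):
    """Narrow the log the way the Preview Logs filter does; None means 'any'."""
    out = []
    for e in entries:
        if waf is not None and e["waf"] != waf:
            continue
        if path is not None and e["path"] != path:
            continue
        if client_ip is not None and e["client_ip"] != client_ip:
            continue
        if rule_id is not None and not any(h["rule_id"] == rule_id for h in e["hits"]):
            continue
        out.append(e)
    return out


def popular_combinations(entries):
    """Hit count and distinct-client count per (rule_id, path, match_element), most hits first."""
    hits = defaultdict(int)
    clients = defaultdict(set)
    for e in entries:
        for h in e["hits"]:
            key = (h["rule_id"], e["path"], h["match_element"])
            hits[key] += 1
            clients[key].add(e["client_ip"])
    return sorted(((k, hits[k], len(clients[k])) for k in hits), key=lambda t: -t[1])


def exception_candidates(entries, min_clients=3):
    """Combinations hit by many unrelated clients are false-positive suspects.

    Only parameter-level (ARGS:) match elements are proposed; a hit on the anomaly
    score variable itself is a consequence of other hits, not something to exclude.
    Returns exception specs in the <rule, URL, parameter> shape the page describes.
    """
    cands = []
    for (rule_id, path, element), n, c in popular_combinations(entries):
        if c >= min_clients and element.startswith("ARGS:"):
            cands.append({"rule_id": rule_id, "uri": path, "match_element": element,
                          "hits": n, "clients": c})
    return cands


if __name__ == "__main__":
    for combo, n, c in popular_combinations(LOG_ENTRIES):
        print(f"{combo}: {n} hits from {c} distinct clients")
    print("exception candidates:", exception_candidates(LOG_ENTRIES))
```

The distinct-client heuristic is the check worth keeping when triaging manually: a combination with a high hit count but a single source address is not an exception candidate, however many entries it produces.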


Preview Logs
This section explains Preview logs

1 You can filter preview logs for a particular combination by clicking on the Preview Logs
button.

2 In the below example, the grayed out elements in the screenshot represents the filter
elements that are selected.

3 Click the Preview Logs button to view a log table as shown below.

Viewing Events for Debugging WAF Signature

You can view events for debugging WAF signature issues as follows:

5 FAQs

Frequently asked questions and answers:

What are the traditional WAF challenges that NSX ALB has tried to solve?
NSX ALB aims to address the following in securing customer applications:

n Security: Combine different verification methods into a comprehensive security layer (signatures, positive rules, client reputation, machine learning, outlier analysis and others).

n Automation: A WAF that can be driven by current automation frameworks (Ansible, Terraform and so on) and integrated into a secure development life cycle (SDLC).

n Observability: A WAF that provides deep insight into the traffic, the application behaviour and the clients.

n Ease of use and simplicity: A WAF that gathers data, learns from it and auto-tunes the policy, or helps the admin adjust the policy quickly. That is, a WAF with a "Make me secure" button in green.

n Scalability: A WAF that caters to small and large applications in a similar manner.

n Performance: A WAF that uses resources as efficiently as possible and provides measurements to validate it.

What are the features provided as part of WAF ?


The WAF features are as follows:

n OWASP Top 10 Protection

n Input Validation – XSS, SQLi etc.

n Positive security Model via Application Learning

n Scripting for application logic flaws - Using Data Scripts

n API protection for JSON, XML

n Simplified Policy Definition

n Real-time Insights

n Elasticity and Automation


Also, the security module includes more features as listed below:

n Application Rate Limiting

n DDoS Protection

n L3/L4 ACLs

n L7 Rules/Policies etc.

Does NSX ALB provide WAF as a service?

At the time of writing, the WAF (or LB) is not offered as a cloud service; it is deployed into the customer environment. An as-a-service offering is planned. The on-prem deployment is similar to a physical WAF, with better operational, scale, performance and visibility characteristics. NSX ALB also offers a SaaS that includes WAF as part of the LB offering. For more information about SaaS, refer to https://avinetworks.com/saas/

What is the sizing recommendation for WAF?

Performance and sizing for WAF depend on the type of application, the number of headers, the ratio of POST to GET requests and so on. In the absence of application-specific measurements, plan on an average of about 800 RPS per Service Core and about 1600 RPS for two Service Cores, and validate against the WAF latency metrics once traffic flows.

What is the HA recommendation for WAF?

As the WAF is part of the larger LB/ADC offering, HA is recommended for any LB/WAF deployment. By default Active/Active HA is supported; the other supported HA types are Active/Standby and N+M.

Do we need a separate license for WAF?

Since the WAF is part of the larger LB/ADC offering, a separate license for WAF is not required. However, make sure the SE sizing is adjusted for the WAF workload.

What is the Positive Security Model?

The "Positive Security Model" is also called an "application-specific policy". It describes the application behaviour and provides input validation by defining the accepted range (and length) of characters for each input. If an input does not match its specification, a policy violation is reported.

Example: product_id=[0-9]{0,63}

The Positive Security Model is the configuration that tells the WAF "how the request (or part of it) should look".


What does the Signature Engine do?

The Signature engine performs input validation by matching the request input against patterns (signatures) that describe known attack vectors.

Example (simple XSS): attack="><script>alert(1)</script>

A signature describes "what an attack looks like", which can be formulated as "how the request should not look".

What is Allowlisting?
The "Allowlist" component decides whether a request is checked by the WAF at all. For example, customers may prefer to bypass WAF for all POST requests to /upload.php. A request that matches an allowlist entry is logged with the status BYPASSED.

What is Learning?
Learning is a method of collecting statistical information about an application's normal usage in order to generate a "Positive Security Model".

What is the WAF processing flow?

The WAF processing flow is as follows:

1 First, for an incoming request, the Allowlist policies are checked. If any condition matches, the request is allowlisted, that is, WAF processing is turned off for that request and it is passed through (status BYPASSED).

2 If none of the conditions match, the positive security engine checks whether the request is in line with the learnt data.

3 If the positive security engine marks the request as illegitimate, it is flagged or blocked immediately, depending on the WAF mode.

4 If the positive security engine marks the request as legitimate, the request is sent to the Signature engine, which matches parts of the request against signatures in order to identify an attack vector.

5 If the Signature engine finds an attack vector, the request is treated as an attack; otherwise it is passed (status PASSED).

6 If WAF is in Enforcement mode, requests identified as attacks are rejected (status REJECTED).

7 If WAF is in Detection mode, such requests are flagged but not blocked (status FLAGGED).
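The following Python is an added example, not NSX Advanced Load Balancer code, that implements the seven steps above in order over constructed requests: an allowlist entry for POST /upload.php, a positive security model whose product_id constraint is the earlier FAQ example written as a real regex, two signature patterns, and an exclusion of the form <rule, URL, parameter> for false-positive mitigation. It returns the same status values the log view uses (BYPASSED, REJECTED, FLAGGED, PASSED); the request and policy structures are assumptions of the example.

```python
import re

# Constructed policy objects for this example; not NSX ALB configuration syntax.
# Allowlist: a request matching an entry skips WAF processing entirely (BYPASSED).
ALLOWLIST = [{"method": "POST", "path": "/upload.php"}]

# Positive Security Model: per-location parameter constraints, i.e. what the request
# should look like. product_id follows the FAQ example, written as a full regex.
POSITIVE_MODEL = {
    "/product": {"product_id": r"^[0-9]{0,63}$"},
}

# Signature engine: patterns describing what an attack looks like (illustrative only).
SIGNATURES = [
    (941100, "XSS Attack Detected", re.compile(r"<script|javascript:", re.I)),
    (942100, "SQL Injection Attack Detected", re.compile(r"'\s*or\s+1=1|union\s+select", re.I)),
]

# Exclusions for false-positive mitigation: (rule_id, path, parameter) tuples that
# switch one signature off for one parameter on one path, leaving it active elsewhere.
EXCLUSIONS = {(941100, "/comments", "body")}


def request(method, path, **args):
    """Build a constructed request: method, path and its ARGS."""
    return {"method": method, "path": path, "args": args}


def allowlisted(req):
    return any(req["method"] == a["method"] and req["path"] == a["path"] for a in ALLOWLIST)


def positive_violations(req):
    """Parameters covered by the learnt model whose value falls outside its allowed shape."""
    model = POSITIVE_MODEL.get(req["path"], {})
    return [p for p, v in req["args"].items()
            if p in model and not re.fullmatch(model[p], v)]


def signature_hits(req):
    """Signature matches as (rule_id, match_element, msg), honouring exclusions."""
    hits = []
    for rule_id, msg, pattern in SIGNATURES:
        for p, v in req["args"].items():
            if (rule_id, req["path"], p) in EXCLUSIONS:
                continue
            if pattern.search(v):
                hits.append((rule_id, f"ARGS:{p}", msg))
    return hits


def evaluate(req, mode="enforcement"):
    """Run the flow in the order the FAQ gives; return (WAF status, findings)."""
    if allowlisted(req):                                   # step 1
        return "BYPASSED", []
    disruptive = "REJECTED" if mode == "enforcement" else "FLAGGED"   # steps 6 and 7
    bad = positive_violations(req)                         # step 2
    if bad:                                                # step 3
        findings = [("positive-security", f"ARGS:{p}", "value outside learnt model") for p in bad]
        return disruptive, findings
    hits = signature_hits(req)                             # step 4
    if hits:                                               # step 5
        return disruptive, hits
    return "PASSED", []


if __name__ == "__main__":
    for r in (request("POST", "/upload.php", file="<script>alert(1)</script>"),
              request("GET", "/product", product_id="12' OR 1=1"),
              request("GET", "/search", q="<script>alert(1)</script>"),
              request("POST", "/comments", body="<script>x</script>")):
        print(r["method"], r["path"], "->", evaluate(r), evaluate(r, mode="detection")[0])
```

Note the ordering consequences: an allowlisted request is never inspected, even when it carries an obvious payload, and a positive-security violation ends processing before any signature runs, so such a request is reported against the learnt model rather than against a signature rule.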

What is a False Positive?

A false positive is a legitimate request that is flagged as an attack. This affects the business directly (users are blocked from legitimate actions) and erodes customer trust.


What is a False Negative?

A false negative is an attack that is not detected. This affects security but not the business in the perception of the user: the site continues to work.

What is an exclusion for false positive mitigation?

An exclusion adds a matching condition of <IP, URL, parameter> in front of a signature rule or a rule group, so that the rule is skipped only for that combination. In this way a false positive that exists between the policy and the application is no longer triggered, without disabling the rule for all other traffic.
