CAUTION: The Legacy WAF rules were retired on 29th June 2021, and no further updates will be available. It is recommended to migrate your configuration to the new WAF services.

The Web Application Firewall (WAF) feature must be enabled before you can configure these options.

Note: WAF is not available on all Support tiers. Refer to the following page for details on what features are included in the different Support tiers: LoadMaster Support Subscriptions

Note: To enable WAF, select the Enabled check box. A message is displayed next to the Enabled check box displaying how many WAF-enabled Virtual Services exist and it also displays the maximum number of WAF-enabled Virtual Services that can exist.
Note: If the maximum number of WAF-enabled Virtual Services has been reached, the Enabled check box is grayed out. A message is displayed if there is insufficient memory available to enable WAF.
CAUTION: Utilizing WAF can have a significant performance impact on your LoadMaster deployment. Please ensure that the appropriate resources are allocated.
Note: For virtual and bare metal LoadMaster instances, a minimum of 2GB of allocated RAM is required for operation of WAF. The default memory allocation for Virtual LoadMasters and LoadMaster Bare Metal instances prior to LoadMaster Operating System version 7.1-22 is 1GB of RAM. If this default allocation has not been changed, please modify the memory settings before attempting to proceed with WAF configuration.

Default Operation

Select the default operation of the WAF:

  • Audit Only: This is an audit-only mode – logs are created but requests and responses are not blocked.
  • Block Mode: Requests or responses that trigger a rule are blocked.

Audit mode

Select what logs to record:

  • No Audit: No data is logged.
  • Audit Relevant: Logs data which is of a warning level and higher. This is the default option for this setting.
  • Audit All: Logs all data through the Virtual Service.
Note: Selecting the Audit All option produces a large amount of log data. We do not recommend selecting the Audit All option for normal operation. However, the Audit All option can be useful when troubleshooting a specific problem.

Inspect HTTP Post Request Content

Enable this option to also process the data supplied in POST requests.

Note: Three additional options (Enable JSON Parser, Enable XML Parser, and Enable Other Content Types) only become available if Inspect HTTP Post Request Content is enabled.

Enable JSON Parser

Enable verification of JavaScript Object Notation (JSON) POST requests.

Enable XML Parser

Enable verification of XML POST requests.

Enable Other Content Types

Enable verification of POST content types (other than XML/JSON).

CAUTION: Enabling the inspection of any other content types may increase system resource utilization (CPU and memory). Consider specifying an explicit list of content types rather than allowing all of them.

When this option is enabled, a text box is provided to enter a comma-separated list of POST content types allowed for WAF analysis. By default, all types (other than XML/JSON) are enabled.

Process Responses

Enable this option to verify responses sent from the Real Servers.

CAUTION: This can be CPU and memory intensive.
CAUTION: If a Real Server gzip-encodes its responses, WAF does not inspect that traffic, even if Process Responses is enabled.

Hourly Alert Notification Threshold

This is the threshold of incidents per hour before sending an alert. Setting this to 0 disables alerting. This threshold also relates to the Events over Limit Today number which is displayed on the WUI home page. For example, if the threshold is set to 10 and there have been 20 events, the counter is set to 2.

Rules

This is where you can assign/un-assign generic, application-specific, application-generic and custom rules to/from the Virtual Service.

Note: You cannot assign application-specific and application-generic rules to the same Virtual Service.

Individual rules within each ruleset can be enabled or disabled as required. To enable a ruleset, tick the relevant check box. If you have not enabled or disabled rules in that ruleset previously, all rules are enabled by default in the right box. If you have previously enabled or disabled rules in that ruleset within that Virtual Service, the rules retain their previous settings.

You can enable/disable individual rules as needed by ticking the relevant ruleset on the left and ticking/unticking the rules on the right.

Note: Some rules or rule sets may have dependencies on other rules. The LoadMaster does not check dependencies when rules are disabled; before disabling any rule, please be aware of any rule chains or dependencies.

When finished making changes, click the Apply button.

Clicking the Clear All button will disable all rules for the selected ruleset.

Clicking the Set All button will enable all rules for the selected ruleset.

Text can be entered in the Rule Filter text box to filter the rules to only show rules which contain the filter text.

Clicking Reset will disable all rulesets and rules.