By default, WAF is disabled. To enable WAF, select Enabled.

When WAF is enabled for a Virtual Service, the section heading in the Virtual Service options changes from WAF to WAF - Enabled.

The maximum number of WAF-enabled Virtual Services is the total (unused or available) RAM in MB divided by 512 MB. For example: 8 GB / 512 MB = 16 WAF-enabled Virtual Services. When the maximum is reached, WAF cannot be enabled on any additional Virtual Services.

A message displays if there is insufficient memory available to enable WAF.

Note: A message next to the Enabled check box shows how many WAF-enabled Virtual Services exist and the maximum number that can exist. If the maximum number of WAF-enabled Virtual Services is reached, the Enabled check box is grayed out.

Audit mode

There are three audit modes:

  • No Audit: No data is logged.

  • Audit Relevant: Logs data that is of a warning level and higher. This is the default option for this setting.

  • Audit All: Logs all data through the Virtual Service.

Note: Selecting the Audit All option produces a large amount of log data. We do not recommend selecting the Audit All option for normal operation. However, the Audit All option can be useful when troubleshooting a specific problem.

Anomaly Scoring Threshold

For each request, every triggered detection raises the anomaly score, with most rules having a score of 5. If the cumulative anomaly score for a request reaches the configured limit, the request is blocked. The default value is 100 and the allowable range is 1 to 10000.

Note: The Paranoia Level can be set in Advanced Settings, but the value is displayed here for informational purposes.
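The following added example (not LoadMaster code) works through the anomaly scoring rule described above on constructed requests, to show how the threshold decides what is blocked. The per-severity scores other than 5 are assumed to be the OWASP CRS defaults, and all function names and sample request IDs are hypothetical.

```python
"""Added illustration of per-request anomaly scoring; not vendor code."""

# Assumption: OWASP CRS default severity scores. The page only states that
# most rules have a score of 5 (CRS "critical").
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}

# From the page: default 100, allowable range 1 to 10000.
THRESHOLD_DEFAULT, THRESHOLD_MIN, THRESHOLD_MAX = 100, 1, 10000


def anomaly_score(severities):
    """Cumulative score for one request: each triggered rule adds its score."""
    return sum(SEVERITY_SCORE[s] for s in severities)


def is_blocked(severities, threshold=THRESHOLD_DEFAULT):
    """A request is blocked once its cumulative score reaches the threshold."""
    if not THRESHOLD_MIN <= threshold <= THRESHOLD_MAX:
        raise ValueError(f"threshold must be {THRESHOLD_MIN}..{THRESHOLD_MAX}")
    return anomaly_score(severities) >= threshold


def matches_needed(threshold, rule_score=5):
    """Minimum number of rule matches of a given score needed to block."""
    return -(-threshold // rule_score)  # ceiling division


def blocked_by_threshold(requests, thresholds):
    """Map each candidate threshold to the request IDs it would block."""
    return {t: sorted(rid for rid, sev in requests.items() if is_blocked(sev, t))
            for t in thresholds}


# Constructed sample: request ID -> severities of the rules it triggered.
SAMPLE_REQUESTS = {
    "req-1": [],
    "req-2": ["NOTICE"],
    "req-3": ["CRITICAL"],
    "req-4": ["CRITICAL", "CRITICAL", "WARNING"],
    "req-5": ["CRITICAL"] * 20,
}

if __name__ == "__main__":
    for t, ids in blocked_by_threshold(SAMPLE_REQUESTS, [5, 10, 100]).items():
        print(f"threshold {t:>3}: needs {matches_needed(t)} score-5 matches, blocks {ids}")
```

Running the same comparison over scores taken from audit logs (Audit Relevant or Audit All) shows which requests a candidate threshold would block before it is applied.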

Manage Rules

Rules are grouped in the Request Rules section according to the OWASP numbering system. Rule groups or individual rules within each ruleset can be enabled or disabled as required. To enable a rule or group of rules, select the relevant check box. If you have previously enabled or disabled rules in that ruleset within that Virtual Service, the rules retain their previous settings.

Note: Some rules or rule sets may have dependencies on other rules. The LoadMaster does not perform a dependency check when rules are disabled. Before disabling any rule, be aware of any rule chains or dependencies.

If a user has created custom rules, they can be enabled or disabled within the Custom Rules section.

There is a Run First check box available for custom rules. If the Run First check box is enabled for a custom rule, the rule will be run first, before the OWASP Core Rule Set (CRS). If the Run First check box is disabled for a custom rule, the custom rule runs after the CRS. The Run First check box is disabled by default.

In the Workloads section there are several workloads available.

When finished making changes, click the Apply button.

Clicking Reset will reverse any changes that you have made that have not been applied.

To filter rules, enter text into the Rule Filter text box and only rules containing that text will be shown. You can select the filtered rules by clicking Set All or deselect the filtered rules by clicking Clear All. Click the Apply button to apply the changes.

Hourly Alert Notification Threshold

This is the number of incidents per hour that must occur before an alert is sent. Setting this to 0 disables alerting.

IP Reputation Blocking

This rule set enables the checking of client addresses against the IP reputation database.

Enable IP Reputation Blocking

In Web Application Firewall > Access Settings you can download and install the latest IP reputation file. If Enable IP Reputation Blocking is selected for a Virtual Service, client addresses are checked against the IP access list file and are blocked if a match is found.