You can get to the Virtual Service WAF Options by selecting Virtual Services > View/Modify Services in the main menu, clicking Modify on the relevant Virtual Service and expanding the WAF Options (Legacy) section.

By default, WAF is disabled. To enable WAF on this Virtual Service, select the Enabled check box. This must be enabled to configure any further options.

Default Operation

Specify the Default Operation type:

  • Audit Only: This is an audit-only mode – logs are created, but requests and responses are not blocked. When first using WAF, it is recommended to run in Audit Only mode for a while. During this time you should analyze the logs and adjust the rules and settings as needed before enabling Block Mode. This ensures that no legitimate traffic is blocked.
  • Block Mode: Either requests or responses are blocked based on the assigned rules.

Audit Mode

Audit logs are produced according to the specifications on the following website: https://github.com/SpiderLabs/ModSecurity/wiki/ModSecurity-2-Data-Formats

Select what logs to record:

  • No Audit: No data is logged.
  • Audit Relevant: Logs data which is of a warning level and higher. This is the default option for this setting.
  • Audit All: Logs all data through the Virtual Service.
Note: Selecting the Audit All option produces a large amount of log data. We do not recommend selecting the Audit All option for normal operation. However, the Audit All option can be useful when troubleshooting a specific problem.

Inspect HTTP POST Request Content

Enable this option to also process the data supplied in POST requests.

Note: The Inspect HTTP POST Request Content option is disabled by default. If you enable this option, three more check boxes become available that allow you to enable the processing of JavaScript Object Notation (JSON), XML requests, and other content types.

Enable JSON Parser

Enable verification of JavaScript Object Notation (JSON) POST requests.

Enable XML Parser

Enable verification of Extensible Markup Language (XML) POST requests.

Enable Other Content Types

Enable verification of POST content types (other than XML/JSON).

CAUTION: Enabling the inspection of any other content types may increase system resource utilization (CPU and memory). A specific list of content types should be considered.

When the Enable Other Content Types option is enabled, there is a text box to enter a comma-separated list of POST content types allowed for WAF analysis. By default, all types (other than XML/JSON) are enabled.

Note: WAF does not block attack requests if the POST request does not contain the 'content-type' header, even if the Inspect HTTP POST Request Content, Enable JSON Parser, Enable XML Parser, and Enable Other Content Types check boxes are all enabled. This is a WAF rule issue and can be solved by having a rule that checks whether 'content-type' is absent from the request headers and, if so, forces the URL-encoded parser in the WAF rules.
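The following custom rule is an added example of the workaround described above; it is not part of this documentation or of the LoadMaster's shipped rulesets. It assumes custom rules are written in ModSecurity 2 rule syntax (the same engine whose audit log format is referenced in the Audit Mode section) and uses a placeholder rule id (100001) that must be changed to an id not already used by any assigned ruleset.

```apache
# Added example, not a LoadMaster-supplied rule. Rule id 100001 is a placeholder.
# Phase 1 runs on request headers, before the request body is read, so the body
# processor can still be chosen here.
#
# Rule 1: match body-carrying methods and chain to the Content-Type check.
SecRule REQUEST_METHOD "@rx ^(?:POST|PUT|PATCH)$" \
    "id:100001,phase:1,pass,nolog,t:none,chain,\
    msg:'Body request without Content-Type: forcing URLENCODED body processor'"
    # Rule 2 (chained): '&' counts how many Content-Type headers are present.
    # When the count is 0, force the URL-encoded body processor so that the
    # body is parsed into ARGS and the assigned rules can inspect it.
    SecRule &REQUEST_HEADERS:Content-Type "@eq 0" \
        "t:none,ctl:requestBodyProcessor=URLENCODED,ctl:forceRequestBodyVariable=On"
```

After assigning the rule, send a header-less POST against a Virtual Service in Audit Only mode and confirm in the audit log that the body now appears in the parsed arguments before switching to Block Mode.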

Process Responses

Enable this option to verify response data sent from the Real Servers.

Note: This can be CPU and memory-intensive, so only enable this if necessary.
Note: If a Real Server sends gzip-encoded responses, WAF does not inspect that traffic, even if Process Responses is enabled.

Hourly Alert Notification Threshold

This is the threshold of incidents per hour before sending an alert email. Setting this to 0 disables alerting.

Rules

This is where you can assign/un-assign generic, application-specific, application-generic, and custom rules to and from the Virtual Service.

Note: You cannot assign application-specific and application-generic rules to the same Virtual Service.

Individual rules within each ruleset can be enabled/disabled as required. To enable a ruleset, select the relevant check box. If you have not enabled/disabled rules in that ruleset previously, all rules are enabled by default in the right box. If you have previously enabled/disabled rules in that ruleset, within that Virtual Service – the rules retain their previous settings.

You can enable/disable individual rules as needed by selecting the relevant ruleset on the left and selecting/clearing the rules on the right.

Note: Some rules or rule sets may have dependencies on other rules. There is no dependency check in the LoadMaster when rules are disabled - before disabling any rule, be aware of any rule chains or dependencies.

When finished making changes, click Apply.

Clicking the Clear All button disables all rules for the selected ruleset.

Clicking the Set All button enables all rules for the selected ruleset.

Text can be entered in the Rule Filter text box to filter the rules to only show rules that contain the filter text.

Clicking Reset disables all rulesets and rules.

Note: Only assign the rules that are required. All assigned rules will be checked against, so a large number of assigned rules can lead to high CPU usage.