Web Application Firewall (WAF) Signatures

Overview

This guide explains how WAF signatures are delivered to the Controller through Avi Pulse, one of its security threat intelligence features.

Deploying WAF Signatures

WAF signature delivery is one of the security services provided through Avi Pulse. The service is opt-in and is disabled by default.

  • The Avi WAF protects web applications from common vulnerabilities identified by the Open Web Application Security Project (OWASP), such as SQL injection (SQLi) and cross-site scripting (XSS), while allowing the rule set to be customized for each application.

  • Avi Vantage publishes a WAF signature release (Core Rule Set, CRS) every quarter through a controlled release management process. The artifacts are pushed to AWS S3 buckets.

  • Once a WAF signature release is published, it is available on the Avi Pulse portal.

  • The Pulse API returns a link for downloading the WAF signature file. The link is a pre-signed S3 URL that is valid for one hour; after that it no longer works and a fresh link must be obtained.

You can deploy the latest WAF signature data on the Controller so that applications can use it.

There are two ways to deploy WAF signature data on the Controller:

  • Automated

  • Manual

Automated

To deploy automatically, select the WAF Config option in the Opt-In settings window.

Automated deployment of WAF signatures is enabled only when you explicitly opt in by setting ALBServicesConfig -> waf_config -> enable_auto_download_waf_signatures.

The following CLI enables automatic download of WAF signatures:


controller]: > configure albservicesconfig
controller]: albservicesconfig> waf_config
controller]: albservicesconfig:waf_config> enable_auto_download_waf_signatures 
Overwriting the previously entered value for enable_auto_download_waf_signatures 
controller]: albservicesconfig:waf_config> save
controller]: albservicesconfig> save
+---------------------------------------------------+------------------------------------+
| Field                                             | Value                              |
+---------------------------------------------------+------------------------------------+
| uuid                                              | default                            |
| portal_url                                        | https://portal.avipulse.vmware.com |
| polling_interval                                  | 10                                 |
| feature_opt_in_status                             |                                    |
|   enable_ip_reputation                            | False                              |
|   enable_appsignature_sync                        | False                              |
|   enable_user_agent_db_sync                       | False                              |
|   enable_pulse_waf_management                     | True                               |
|   enable_pulse_case_management                    | True                               |
| use_split_proxy                                   | False                              |
| ip_reputation_config                              |                                    |
|   ip_reputation_sync_interval                     | 60 min                             |
|   ip_reputation_file_object_expiry_duration       | 3 days                             |
| use_tls                                           | True                               |
| mode                                              | MYVMWARE                           |
| app_signature_config                              |                                    |
|   app_signature_sync_interval                     | 1440 min                           |
| user_agent_db_config                              |                                    |
|   allowed_batch_size                              | 500                                |
| waf_config                                        |                                    |
|   enable_auto_download_waf_signatures             | True                               |
|   enable_waf_signatures_notifications             | True                               |
| case_config                                       |                                    |
|   enable_auto_case_creation_on_controller_failure | False                              |
|   enable_auto_case_creation_on_se_failure         | False                              |
|   enable_cleanup_of_attached_files                | True                               |
+---------------------------------------------------+------------------------------------+
  • The automated workflow is enabled once you have opted in to the WAF signature service; this can be done at any time.

  • By opting in, you consent to the automatic deployment of the latest WAF signature data on the Controller.

  • Whenever a new version of the WAF signature data is available and is not yet deployed on a given Controller, it is deployed there and the Controller UI reports the status of the deployment.

Manual

  • If you have not opted in to automatic deployment of WAF signature data, the Controller does not deploy the latest data itself; instead it generates an event containing a link to download the data file.

  • Click the link to download the WAF signature data file to your local system.

  • Upload the same file to the Controller manually by navigating to Templates > WAF > CRS and clicking Upload File.
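The download link in the event (and in the Pulse API response described earlier) is a pre-signed S3 URL that stops working after one hour, so a fetch script should check the link before relying on it. The following is an added example, not code from Avi Pulse or the Avi Controller: it verifies that the link is HTTPS, that it points at an amazonaws.com host (an assumption; relax host_suffix if your links differ), that it carries the AWS SigV4 query parameters, and whether the signing window (X-Amz-Date plus X-Amz-Expires) still covers the current time. SAMPLE_URL is a constructed link with a hypothetical bucket, access key and signature, used only to exercise the checks.

```python
"""Sanity-check a pre-signed S3 link before downloading a WAF signature
(CRS) file with it.  Added example; not part of Avi Pulse or the Avi
Controller.  Host suffix and the sample URL are assumptions."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Query parameters every AWS Signature Version 4 pre-signed URL carries.
REQUIRED_PARAMS = ("X-Amz-Algorithm", "X-Amz-Credential", "X-Amz-Date",
                   "X-Amz-Expires", "X-Amz-SignedHeaders", "X-Amz-Signature")
MAX_EXPIRES = 7 * 24 * 3600   # S3 caps pre-signed validity at seven days

# Constructed sample: hypothetical bucket, access key id and signature.
SAMPLE_URL = (
    "https://example-waf-bucket.s3.amazonaws.com/crs/crs-release.tar.gz"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20230301%2Fus-east-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20230301T120000Z"
    "&X-Amz-Expires=3600"
    "&X-Amz-SignedHeaders=host"
    "&X-Amz-Signature=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
)


def presigned_window(url, host_suffix=".amazonaws.com"):
    """Return (not_before, not_after) as aware UTC datetimes.

    Raises ValueError if the link is not HTTPS, not on the expected host
    (assumption: Pulse links point at an amazonaws.com endpoint), or is
    not a well-formed SigV4 pre-signed URL."""
    u = urlparse(url)
    if u.scheme != "https":
        raise ValueError("link must use https, got %r" % u.scheme)
    if not (u.hostname or "").endswith(host_suffix):
        raise ValueError("unexpected host %r" % u.hostname)
    q = parse_qs(u.query, keep_blank_values=True)
    missing = [k for k in REQUIRED_PARAMS if k not in q]
    if missing:
        raise ValueError("not a SigV4 pre-signed URL; missing " + ", ".join(missing))
    if q["X-Amz-Algorithm"][0] != "AWS4-HMAC-SHA256":
        raise ValueError("unsupported algorithm %r" % q["X-Amz-Algorithm"][0])
    try:
        start = datetime.strptime(q["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
        start = start.replace(tzinfo=timezone.utc)
        expires = int(q["X-Amz-Expires"][0])
    except ValueError as exc:
        raise ValueError("malformed X-Amz-Date or X-Amz-Expires: %s" % exc)
    if not 1 <= expires <= MAX_EXPIRES:
        raise ValueError("X-Amz-Expires out of range: %d" % expires)
    return start, start + timedelta(seconds=expires)


def seconds_remaining(url, now=None):
    """Whole seconds until the link expires; zero or negative once it has."""
    now = now or datetime.now(timezone.utc)
    _, end = presigned_window(url)
    return int((end - now).total_seconds())


def link_is_usable(url, now=None):
    """True if `now` (default: current UTC time) falls inside the signing
    window.  This is a local pre-check only; S3 remains the authority and
    will also reject a link whose signature does not verify."""
    now = now or datetime.now(timezone.utc)
    start, end = presigned_window(url)
    return start <= now < end


if __name__ == "__main__":
    start, end = presigned_window(SAMPLE_URL)
    print("signing window %s .. %s" % (start.isoformat(), end.isoformat()))
    print("usable now: %s (%d s left)" % (link_is_usable(SAMPLE_URL),
                                          seconds_remaining(SAMPLE_URL)))
```

Run the check immediately before the download, not when the event is first seen: with a one-hour window, a link copied out of an event and used later in a change window will usually have expired, and the fix is to trigger a fresh event rather than to retry the old link.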

Use the following CLI to enable notifications for new WAF signature releases without automatic download (the event generated for each release carries the download link):


controller]: > configure albservicesconfig
controller]: albservicesconfig> waf_config
controller]: albservicesconfig:waf_config> enable_waf_signatures_notifications
Overwriting the previously entered value for enable_waf_signatures_notifications
controller]: albservicesconfig:waf_config> save
controller]: albservicesconfig> save
+---------------------------------------------------+------------------------------------+
| Field                                             | Value                              |
+---------------------------------------------------+------------------------------------+
| uuid                                              | default                            |
| portal_url                                        | https://portal.avipulse.vmware.com |
| polling_interval                                  | 10                                 |
| feature_opt_in_status                             |                                    |
|   enable_ip_reputation                            | False                              |
|   enable_appsignature_sync                        | False                              |
|   enable_user_agent_db_sync                       | False                              |
|   enable_pulse_waf_management                     | True                               |
|   enable_pulse_case_management                    | True                               |
| use_split_proxy                                   | False                              |
| ip_reputation_config                              |                                    |
|   ip_reputation_sync_interval                     | 60 min                             |
|   ip_reputation_file_object_expiry_duration       | 3 days                             |
| use_tls                                           | True                               |
| mode                                              | MYVMWARE                           |
| app_signature_config                              |                                    |
|   app_signature_sync_interval                     | 1440 min                           |
| user_agent_db_config                              |                                    |
|   allowed_batch_size                              | 500                                |
| waf_config                                        |                                    |
|   enable_auto_download_waf_signatures             | False                              |
|   enable_waf_signatures_notifications             | True                               |
| case_config                                       |                                    |
|   enable_auto_case_creation_on_controller_failure | False                              |
|   enable_auto_case_creation_on_se_failure         | False                              |
|   enable_cleanup_of_attached_files                | True                               |
+---------------------------------------------------+------------------------------------+
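The two CLI sessions above differ only in the waf_config flags, but the opt-in flag (enable_pulse_waf_management) gates both of them: with it off, neither automatic deployment nor the notification event happens. The following is an added example, not code from Avi Vantage, that audits an albservicesconfig object and reports which delivery mode (auto, manual or off) is actually in effect. The field names are the ones printed in the CLI tables on this page; SAMPLE_CFG is a constructed transcription of the first table, and it is an assumption that the object's REST representation (for instance as returned by the Controller API) uses the same names.

```python
"""Audit and rewrite the WAF-signature delivery settings of an Avi
albservicesconfig object.  Added example, not part of Avi Vantage.
Field names follow the CLI tables on this page; the JSON shape is an
assumption about the REST representation."""
import copy

# Constructed from the first CLI table on the page (auto-download on).
SAMPLE_CFG = {
    "uuid": "default",
    "portal_url": "https://portal.avipulse.vmware.com",
    "polling_interval": 10,
    "use_tls": True,
    "mode": "MYVMWARE",
    "feature_opt_in_status": {
        "enable_ip_reputation": False,
        "enable_appsignature_sync": False,
        "enable_user_agent_db_sync": False,
        "enable_pulse_waf_management": True,
        "enable_pulse_case_management": True,
    },
    "waf_config": {
        "enable_auto_download_waf_signatures": True,
        "enable_waf_signatures_notifications": True,
    },
}

# mode -> (enable_auto_download_waf_signatures, enable_waf_signatures_notifications)
MODES = {
    "auto":   (True, True),
    "manual": (False, True),
    "off":    (False, False),
}


def waf_signature_mode(cfg):
    """Classify how this Controller receives CRS releases.

    The page describes the service as opt-in: with
    enable_pulse_waf_management off the waf_config flags are inert, so
    the result is 'off' even when they are set."""
    opt_in = cfg.get("feature_opt_in_status", {})
    if not opt_in.get("enable_pulse_waf_management", False):
        return "off"
    waf = cfg.get("waf_config", {})
    if waf.get("enable_auto_download_waf_signatures", False):
        return "auto"
    if waf.get("enable_waf_signatures_notifications", False):
        return "manual"
    return "off"


def with_waf_signature_mode(cfg, mode):
    """Return a deep copy of cfg set to 'auto', 'manual' or 'off'.

    Selecting 'auto' or 'manual' also switches the opt-in on, because the
    waf_config flags do nothing without it.  'off' clears the flags but
    leaves the opt-in as it was."""
    auto, notify = MODES[mode]          # KeyError for an unknown mode
    new = copy.deepcopy(cfg)
    if mode != "off":
        new.setdefault("feature_opt_in_status", {})
        new["feature_opt_in_status"]["enable_pulse_waf_management"] = True
    new["waf_config"] = {
        "enable_auto_download_waf_signatures": auto,
        "enable_waf_signatures_notifications": notify,
    }
    return new


def audit(cfg):
    """Return the findings a reviewer would raise on this object."""
    findings = []
    if not cfg.get("use_tls", False):
        findings.append("use_tls is False: Controller-to-Pulse traffic is not TLS-protected")
    if not str(cfg.get("portal_url", "")).startswith("https://"):
        findings.append("portal_url is not an https URL")
    if waf_signature_mode(cfg) == "off":
        findings.append("WAF signature service is off: new CRS releases will "
                        "neither deploy automatically nor raise a notification event")
    return findings


if __name__ == "__main__":
    print("mode:", waf_signature_mode(SAMPLE_CFG))
    manual = with_waf_signature_mode(SAMPLE_CFG, "manual")
    print("after switching to manual:", manual["waf_config"])
    for finding in audit(dict(SAMPLE_CFG, use_tls=False)):
        print("finding:", finding)
```

Feed the function the object as read from the Controller, act on the findings, and apply the rewritten object with the CLI shown above or the Controller API; the audit is cheap enough to run from a configuration-drift check so that a Controller quietly left in manual mode, or with the opt-in cleared, does not go unnoticed until a CRS release is missed.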

Viewing Events for Debugging WAF Signature

The following event is relevant when debugging WAF signature update issues:

event_for_update_notifictaion_of_waf