WAF Featurelist

Overview

Avi’s iWAF gives administrators an important point of security enforcement and intelligence. iWAF protects web applications from common vulnerabilities as identified by Open Web Application Security Project (OWASP), such as SQL Injection (SQLi) and Cross-site Scripting (XSS), while providing the ability to customize the rule set for each application. iWAF analyzes the security rules that match a particular transaction and provides that insight in real-time as applications and attack patterns are learned. This application intelligence, paired with intuitive one-click rule customization, allows iWAF to sharply reduce false-positives.

iWAF Features at a Glance

Core Security Threat Detection Application Protection
  • OWASP Top 10 attack protection including HTTP validation, injection, data leakage protection, automated attack blocking and application specific security.
  • Guided false-positive mitigation with customizable paranoia levels that control the strictness of the policy based on the logs and analytics.
  • Rate-limiting per app to limit L3/L4 and L7 traffic based on parameters such as Client IP, URL and Path.
  • Point-and-click policy with central control and ease of use by enabling users to create custom policies quickly and efficiently.
  • RBAC support to control write access to WAF profiles and policies; read access to applications, pools, and clouds.
  • Accept-Listing rules that allow bypassing WAF for certain request properties. For example, to exempt the DAST scanner IPs from WAF inspection, to exclude internal IP addresses from WAF inspection, or to bypass WAF for all POST requests.
  • Positive security for allowed application behavior in order to block anomalies. The positive model engine is called before the signature engine, reducing false positives and the time needed to reach a decision about the validity of the request.
  • Signature protection against known threats through a blacklist approach, analyzing every part of incoming and outgoing requests against SQLi, XSS and other threats based on the Core Rule Set (CRS).
  • Learning mode for application behavior and structure helps profile applications, inform decisions and automatically create positive security rules.
  • Per-app deployment for precision protection of specific applications with different security policy levels while ensuring application performance.
  • On-demand autoscaling to elastically scale the number of WAF instances and application servers to handle unpredictable traffic without impacting performance.
  • Application analytics for WAF events based on historical trend information and real-time visibility into ongoing operations, application behavior analysis, and attack patterns.

Feature list

The following is a comprehensive feature list of iWAF, discussed under:

Web Security and Application Attack Protection

Avi iWAF provides a full application security stack to ensure web security and protection against application threats.

Security Stack

  • OWASP Top 10 attack protection including HTTP validation, injection, data leakage protection, automated attack blocking and application specific security.

  • Positive security rules check the application traffic for allowed application behaviour and block anomalous behaviour. This engine is called before the signature engine, which reduces false positives and allows a faster decision about the validity of the request.

  • Application behaviour and structure is learned and can later be reused for other analytics and to automatically create positive security rules through Application Learning.

  • Allow-Listing defines rules that bypass WAF for some given request properties. For example, to exempt the DAST scanner IPs from WAF inspection, to exclude internal IP addresses from WAF inspection, or to bypass WAF for all POST requests to /upload.php, etc.

  • IP geolocation

  • HTTP RFC compliance

  • File upload scanning

  • DAST import

  • Scripting for application logic flaws

  • API protection for JSON and XML. In addition to protecting traditional HTTP applications, iWAF can also protect APIs or AJAX applications by analyzing JSON or XML payloads.

  • Support for multiple CRS versions

  • Rate-limiting per application

  • Brute force attack protection

  • Basic DDoS protection

  • HTTP Security policies

  • L3-L7 security rules including ACLs
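As an added illustration (not Avi's code or configuration format) of the evaluation order described in the feature lists above, the following Python model applies the allow-list first (DAST scanner and internal IP ranges, POST to /upload.php), then the positive security profile, and only then CRS-style signatures. All IP ranges, the learned profile for /login and the signature patterns are constructed sample values; treating a request that conforms to a learned profile as not needing a signature scan is an assumption made for the example.

```python
import ipaddress
import re
from collections import namedtuple

Request = namedtuple("Request", "client_ip method path params")  # constructed request model

# Allow-list: request properties that bypass WAF inspection entirely (constructed sample values).
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24"),  # hypothetical DAST scanner range
                ipaddress.ip_network("10.0.0.0/8")]       # internal addresses
BYPASS_ROUTES = {("POST", "/upload.php")}
# Positive model: per-path allowed parameters and value formats, as learning mode would produce.
POSITIVE_MODEL = {"/login": {"user": re.compile(r"[a-z0-9_]{1,32}"), "pw": re.compile(r".{1,128}")}}
# Signature engine: small CRS-style patterns for SQLi and XSS (illustrative, not the CRS itself).
SIGNATURES = [("sqli", re.compile(r"(?i)\bunion\b.+\bselect\b|'\s*or\s+\S+\s*=\s*\S+")),
              ("xss", re.compile(r"(?i)<\s*script|javascript:|\bon\w+\s*="))]

def allow_listed(req):
    ip = ipaddress.ip_address(req.client_ip)
    if any(ip in net for net in TRUSTED_NETS):
        return "allow-list: trusted source"
    if (req.method, req.path) in BYPASS_ROUTES:
        return "allow-list: bypass route"
    return None

def positive_check(req):
    # Returns True (conforms), a violation string, or None when the path has no learned profile.
    profile = POSITIVE_MODEL.get(req.path)
    if profile is None:
        return None
    for name, value in req.params.items():
        if name not in profile:
            return f"positive: unexpected parameter {name!r}"
        if not profile[name].fullmatch(value):
            return f"positive: {name!r} violates learned format"
    return True

def signature_check(req):
    for name, pat in SIGNATURES:
        if any(pat.search(v) for v in req.params.values()):
            return f"signature: {name}"
    return None

def evaluate(req):
    """Allow-list, then positive engine, then signatures; returns (decision, reason)."""
    reason = allow_listed(req)
    if reason:
        return "BYPASS", reason
    verdict = positive_check(req)
    if verdict is True:   # conforms to learned profile: skip signature scan (assumption)
        return "ALLOW", "positive: conforms"
    if verdict:           # violation: decided before the signature engine runs
        return "REJECT", verdict
    reason = signature_check(req)
    return ("REJECT", reason) if reason else ("ALLOW", "no rule matched")
```

The reason string returned with each decision is what a practitioner would want to see in the WAF log to tune paranoia levels or add an exclusion.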

Administration and Configuration

  • WAF admin RBAC support provides granular Role-Based Access Control (RBAC). Users can have write access to WAF Profiles and Policies, and read access to application VSs, pools, clouds, etc.

  • SSH and Web GUI access for administration.

  • The Avi platform is 100% REST API based, so deployment can be fully automated and all functionality can be included in a CI/CD pipeline.

  • Customizable error codes and error pages.

  • Per-app deployment for precision protection of specific applications with different security policy levels while ensuring application performance.

  • Easy to deploy rules

  • Easy to create custom rules for application-specific use cases or any other custom requirement that might arise.

  • Point-and-click simplicity for policies with central control

  • Elastic scale with highly performant, automatic scale-out architecture

  • Easy to deploy exclusions

  • Guided false-positive mitigation with customizable paranoia levels that control the strictness of the policy based on the logs and analytics

  • Built in event and alert mechanisms

  • SNMP support

  • Avi Cloud Services provide live security threat updates, such as IP reputation, signatures and more, sourced from industry-leading threat analysis companies and curated through the Avi Cloud Services.

Logs and Analytics

  • Application analytics for WAF events based on historical trend information and real-time visibility into ongoing operations, application behaviour analysis, and attack patterns.

  • Granular security insights on traffic flows and rule matches to create precise and custom policies.

  • Comprehensive log collection (pinpoint analysis of all security incidents that were blocked by iWAF).