WAF Policy

Overview

WAF policy is a specific set of rules that protects the application. This policy is enabled by associating it with a virtual service.

System-WAF-Policy is the default policy in Avi Vantage that contains the latest curated Avi release of the OWASP CRS rules.

Navigate to Templates > WAF > WAF Policy to find System-WAF-Policy.

Note: For customizing a policy, it is recommended to create a new policy instead of editing the default policy (System-WAF-Policy).

Creating a WAF Policy

To create a new policy,

  1. Navigate to Templates > WAF > WAF Policy.
  2. Click on Create.
    The New WAF Policy screen is as shown below:
    (Screenshot: Create WAF)
  3. Configure the new WAF policy under the following tabs: Settings, Learning, Allowlist, Positive Security, and Signatures. Each tab is described in the sections below.
  4. Click on the Save button to create the WAF policy.

Settings

Under the Settings tab, basic information about the WAF policy is configured. This is where the WAF profile for the policy is selected. Note: The new WAF policy inherits the configuration of the default policy, System-WAF-Policy.

In the New WAF Policy screen, enter the information described below for each field:

Name
  Enter a relevant name for the policy.

WAF Profile
  Choose the WAF Profile that should be attached to this policy. The profile contains common reusable settings that complement the WAF policy. The drop-down menu also allows you to create a new WAF Profile.

WAF Learning Disabled
  Click the toggle button to switch to WAF Learning Enabled. This enables Application Learning for this policy and sets up the Positive Security learning group.

Policy Mode
  Select a WAF policy mode:
  • Detection: The WAF rules are processed, but HTTP transactions are not intercepted, even when the rules are configured to do so.
  • Enforcement: WAF rules are processed and HTTP transactions are intercepted, as per the rules.
  Note: Individual rules can override the WAF policy mode if Allow Mode Delegation is configured.

Allow Mode Delegation
  Enable this option to allow rules to override the selected policy mode.
  Note: The Allow Mode Delegation check box can only be toggled when the policy mode is Detection; in Enforcement mode it is always set, since mode delegation is required there.

Paranoia Level
  Set the paranoia level for the WAF policy. This determines how strict the policy is and has a direct impact on the potential false positive rate. For more information, refer to the Paranoia Mode article.

The New WAF Policy screen is as shown below:
(Screenshot: Create WAF Policy)

Learning

Starting with Avi Vantage release 20.1.1, the Learning option is available under the WAF Policy tab. Prior to Avi Vantage release 20.1.1, this option is available under the WAF Profile tab.
The screenshot below shows the option to enable App Learning under the WAF Policy tab. Navigate to Templates > WAF > WAF Policy and select the policy for which App Learning should be enabled.

(Screenshot: 20.1-learning)

Enable App Learning for the selected WAF policy. Once the option is enabled, the additional configuration options become editable, as shown below.

(Screenshot: 20.1-learning-enabled)

App Learning From Authenticated Clients Only

Starting with VMware NSX Advanced Load Balancer 22.1.1, the option to learn from authenticated clients only is available under the App Learning parameters.
The default value for this parameter is false. If the value is set to true, learning is performed only on requests from clients that have passed the authentication process configured in the virtual service's Auth profile.
Learning data for a request is not sent in any of the following scenarios:

  • Learn_from_authenticated_clients_only is set as true, and the client is not authenticated.
  • Trusted IP group is configured, and the client IP address does not match the group.
  • Learn_from_authenticated_clients_only and Trusted IPs are configured, and the client is neither authenticated nor within the trusted IP group.

Note: You can restrict learning to a specific IP group, or to clients that have passed the authentication configured in the virtual service authorization policy. When both Authenticated Clients Only and Trusted IPs are configured, a request is learned if either condition holds for it.
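The decision logic described above, written out as an added example (not part of the original page or of the product's code). LearningParams and Request are hypothetical stand-ins for the WAF policy's learning_params fields and for a sampled request; the IP group is modelled as a list of CIDR prefixes.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class LearningParams:
    # Hypothetical mirror of the two learning_params fields the page describes.
    learn_from_authenticated_clients_only: bool = False
    trusted_ipgroup: list = field(default_factory=list)  # CIDR prefixes; empty means no group set

@dataclass
class Request:
    client_ip: str
    authenticated: bool  # did the client pass the virtual service's Auth profile?

def in_trusted_group(client_ip, prefixes):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in prefixes)

def should_learn(req, params):
    """True if the request's learning data is sent to the learning engine.

    No restriction configured: every sampled request is learned.
    One restriction configured: that check must pass.
    Both configured: the request is learned if either check passes (the page's note).
    """
    checks = []
    if params.learn_from_authenticated_clients_only:
        checks.append(req.authenticated)
    if params.trusted_ipgroup:
        checks.append(in_trusted_group(req.client_ip, params.trusted_ipgroup))
    return True if not checks else any(checks)

# Constructed sample: a trusted "Internal" group and three clients.
INTERNAL = ["10.0.0.0/8", "192.168.0.0/16"]
SAMPLE = [Request("10.1.2.3", False), Request("203.0.113.5", True), Request("203.0.113.7", False)]

def learning_decisions(params, requests=SAMPLE):
    return {r.client_ip: should_learn(r, params) for r in requests}

if __name__ == "__main__":
    both = LearningParams(True, INTERNAL)
    for ip, learned in learning_decisions(both).items():
        print(ip, "learned" if learned else "skipped")
```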

Configuring Trusted IP
Log in to the CLI, enter the learning_params sub-mode of the WAF policy, and set learn_from_authenticated_clients_only to true:


[admin:ctr]: > configure wafpolicy Demo-WAF-Policy
[admin:ctr]: wafpolicy> learning_params
[admin:ctr]: wafpolicy:learning_params> learn_from_authenticated_clients_only
Overwriting the previously entered value for learn_from_authenticated_clients_only
[admin:ctr]: wafpolicy:learning_params> where
Tenant: admin
Cloud: Default-Cloud
+---------------------------------------+-----------+
| Field                                 | Value     |
+---------------------------------------+-----------+
| sampling_percent                      | 1 percent |
| update_interval                       | 30 min    |
| max_uris                              | 500       |
| max_params                            | 100       |
| enable_per_uri_learning               | True      |
| min_hits_to_learn                     | 10000     |
| learn_from_authenticated_clients_only | True      |
+---------------------------------------+-----------+

Set the trusted IP group to an existing IP group using the trusted_ipgroup_ref option:


[admin:ctr]: wafpolicy:learning_params> trusted_ipgroup_ref Internal
[admin:ctr]: wafpolicy:learning_params> where
Tenant: admin
Cloud: Default-Cloud
+---------------------------------------+-----------+
| Field                                 | Value     |
+---------------------------------------+-----------+
| sampling_percent                      | 1 percent |
| update_interval                       | 30 min    |
| max_uris                              | 500       |
| max_params                            | 100       |
| enable_per_uri_learning               | True      |
| min_hits_to_learn                     | 10000     |
| learn_from_authenticated_clients_only | True      |
| trusted_ipgroup_ref                   | Internal  |
+---------------------------------------+-----------+

Save the configuration.


[admin:ctrl]: wafpolicy:learning_params> save
[admin:ctr]: wafpolicy> save
+-----------------------------------------+------------------------------------------------+
| Field                                   | Value                                          |
+-----------------------------------------+------------------------------------------------+
| uuid                                    | wafpolicy-e3bcd2bd-afcf-43ec-97cc-c33a978b3ebf |
| name                                    | Demo-WAF-Policy                                |
| tenant_ref                              | admin                                          |
| mode                                    | WAF_MODE_DETECTION_ONLY                        |
| waf_profile_ref                         | System-WAF-Profile                             |
| paranoia_level                          | WAF_PARANOIA_LEVEL_LOW                         |
| waf_crs_ref                             | CRS-2021-2                                     |
| failure_mode                            | WAF_FAILURE_MODE_OPEN                          |
| allow_mode_delegation                   | True                                           |
| positive_security_model                 |                                                |
|   group_refs[1]                         | Demo-WAF-Policy-PSM-Learning-Group             |
| enable_app_learning                     | True                                           |
| application_signatures                  |                                                |
|   provider_ref                          | System-WafApplicationSignatures-Trustwave      |
| learning_params                         |                                                |
|   sampling_percent                      | 1 percent                                      |
|   update_interval                       | 30 min                                         |
|   max_uris                              | 500                                            |
|   max_params                            | 100                                            |
|   enable_per_uri_learning               | True                                           |
|   min_hits_to_learn                     | 10000                                          |
|   learn_from_authenticated_clients_only | True                                           |
|   trusted_ipgroup_ref                   | Internal                                       |
| min_confidence                          | CONFIDENCE_VERY_HIGH                           |
| confidence_override                     |                                                |
|   confid_very_high_value                | 9999                                           |
|   confid_high_value                     | 9500                                           |
|   confid_probable_value                 | 9000                                           |
|   confid_low_value                      | 7500                                           |
| enable_auto_rule_updates                | True                                           |
| enable_regex_learning                   | False                                          |
| bypass_static_extensions                | True                                           |
+-----------------------------------------+------------------------------------------------+

Logging

With the DEBUG_WAF flag enabled, the se_debug.INFO log records that a client's request was not learned because the client failed authentication.

Allowlist

An allowlist is a set of conditions which, when matched by a request, directs WAF to skip part or all of the WAF policy. Under the Allowlist tab, configure allowlist rules and set match types.

Refer to the Allowlist article for more information.

Positive Security

The Positive Security rules describe what valid application behaviour looks like. Under the Positive Security tab, positive security groups can be defined that consist of locations and argument rules.

Refer to the Positive Security article for more information.

Signatures

The final step in WAF processing is a Signature check. Under the Signatures tab, configure Pre-CRS, CRS, and Post-CRS rules.

Refer to the WAF Policy Signatures article for more information.

Changes introduced in Avi Vantage release 21.1.1

Starting with Avi Vantage release 20.1.6 and 21.1.1, the following two fields are deprecated while creating the WAF policy using the CLI and the API:

  • crs_groups
  • application_signatures.rules

The groups and rules listed above are now taken directly from the referenced wafcrs object and the respective wafapplicationsignatureprovider object.

The following new fields replace the deprecated ones:

  • crs_overrides
  • application_signatures.rule_overrides

These fields are used to perform configuration changes, like setting the mode attribute or adding the exclude_list settings for a rule or group.

The following snippet shows both a group-level override and rule-level overrides in use:


{
    "name": "Example Policy 1",
    "waf_mode": "WAF_MODE_ENFORCEMENT",
    "waf_profile_ref": "/api/wafprofile?name=System-WAF-Profile",
    "waf_crs_ref": "/api/wafcrs?name=CRS-2020-3",
    "crs_overrides": [
        {
            "name": "CRS_903.9002_Wordpress_Exclusion_Rules",
            "enable": true
        },
        {
            "name": "CRS_920_Protocol_Validation",
            "rule_overrides": [
                {
                    "rule_id": "920310",
                    "enable": false                             
                },
                {
                    "rule_id": "920311",
                    "enable": false                             
                }
            ]
        },
        {
            "name": "CRS_930_Application_Attack_LFI",
            "rule_overrides": [
                {
                    "rule_id": "930120",                       
                    "exclude_list": [
                        {
                            "match_element": "ARGS:path",
                            "match_element_criteria": {
                                "match_case": "INSENSITIVE"
                            }
                        }
                    ]
                }
            ]
        } 
    ]
}
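To show what the overrides above mean once they are layered onto the referenced CRS, here is an added example (not the product's code) that applies crs_overrides to a constructed stand-in for the wafcrs groups. The CRS_GROUPS structure, the sample rule ids 920100 and 903.9002.100, and the "mode" handling are assumptions; group names and the rule ids 920310, 920311 and 930120 come from the snippet.

```python
import copy

# Constructed stand-in for the groups of the referenced wafcrs object. Group names and rule
# ids 920310, 920311 and 930120 are from the page; 920100 and 903.9002.100 are sample ids.
CRS_GROUPS = [
    {"name": "CRS_903.9002_Wordpress_Exclusion_Rules", "enable": False,
     "rules": [{"rule_id": "903.9002.100", "enable": True}]},
    {"name": "CRS_920_Protocol_Validation", "enable": True,
     "rules": [{"rule_id": "920100", "enable": True},
               {"rule_id": "920310", "enable": True},
               {"rule_id": "920311", "enable": True}]},
    {"name": "CRS_930_Application_Attack_LFI", "enable": True,
     "rules": [{"rule_id": "930120", "enable": True}]},
]

# The page's crs_overrides, condensed into a Python literal.
CRS_OVERRIDES = [
    {"name": "CRS_903.9002_Wordpress_Exclusion_Rules", "enable": True},
    {"name": "CRS_920_Protocol_Validation", "rule_overrides": [
        {"rule_id": "920310", "enable": False},
        {"rule_id": "920311", "enable": False}]},
    {"name": "CRS_930_Application_Attack_LFI", "rule_overrides": [
        {"rule_id": "930120", "exclude_list": [
            {"match_element": "ARGS:path",
             "match_element_criteria": {"match_case": "INSENSITIVE"}}]}]},
]

def apply_crs_overrides(crs_groups, crs_overrides):
    """Overlay a policy's crs_overrides onto the groups taken from the referenced wafcrs.

    Works on a deep copy so the shared CRS object is never mutated, and rejects overrides
    that name a group or rule the CRS does not contain (a typo would otherwise be silent).
    """
    groups = {g["name"]: copy.deepcopy(g) for g in crs_groups}
    for g_ovr in crs_overrides:
        group = groups.get(g_ovr["name"])
        if group is None:
            raise KeyError(f"unknown CRS group {g_ovr['name']!r}")
        group.update({k: g_ovr[k] for k in ("enable", "mode") if k in g_ovr})
        rules = {r["rule_id"]: r for r in group["rules"]}
        for r_ovr in g_ovr.get("rule_overrides", []):
            rule = rules.get(r_ovr["rule_id"])
            if rule is None:
                raise KeyError(f"unknown rule {r_ovr['rule_id']!r} in {g_ovr['name']}")
            rule.update({k: r_ovr[k] for k in ("enable", "mode") if k in r_ovr})
            # exclude_list entries accumulate rather than replace earlier ones
            rule.setdefault("exclude_list", []).extend(r_ovr.get("exclude_list", []))
    return groups
```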

Document Revision History

Date            Change Summary
July 15, 2022   Support for App Learning from authenticated clients only (version 22.1.1)