1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Compute Edition Administrator’s Guide
    5. WAAS
    6. Deploying WAAS
    End-of-Life (EoL)

    Deploying WAAS

    WAAS (Web-Application and API Security) can secure both containerized and non-containerized web applications. To deploy WAAS, create a new rule, and declare the entity to protect.
    Although the deployment method varies slightly depending on the type of entity you’re protecting, the steps, in general, are:
    1. Define rule resource.
    2. Define application scope.
    3. Enable relevant protections.

    Understanding WAAS rule resources and application scope

    The WAAS rule engine is designed to let you tailor the best-suited protection for each part of your deployment. Each rule has two scopes:
    • Rule resources.
    • Application list.

    Rule Resources

    This scope defines, for each type of deployment, a combination of one or more elements to which WAAS should attach itself in order to protect the web application:
    In the event of scope overlap (when multiple rules are applied to the same resource scope), the first rule by order will apply and all others will not apply. You can reorder rules via the Order column in WAAS rule tables by dragging and dropping rules.

    Application List

    This scope defines the protected application’s endpoints within the deployment as a combination of one or more of the following:
    • - For containerized applications, the internal port on which the application is listening. For all other types, the externally facing port.
    • - Default setting is set to * (wildcard indicating all hostnames)
    • - Lets you apply protection policy on certain paths of the application (e.g. "/admin", "/admin/*", etc.)
    • - TLS certificate to be used when expecting encrypted inbound traffic.
    To better illustrate, consider the following deployment scenario for a web application running on-top of an NGINX cluster:
    In this example, different policies apply for different parts of the application. The steps for deploying a WAAS rule to protect the above described web application would be as follows:
    1. Define rule resources
       - Specify the resource collection the rule applies to. Collections are comprised of image names and one or more elements to which WAAS should attach itself in order to protect the web application. In the following example, the rule will apply to all containers created by the nginx image. 
    2. Define protection policy for 'login', 'search' and 'product' endpoints
       - Set OWASP Top 10 protection to "Prevent" and geo-based access control to "Alert".
    3. Define protection policy for the application’s API endpoints
       - Set OWASP Top 10 and API protection to "Prevent" and HTTP header-based access control to "Alert".
    Once the policy is defined, the rule overview shows the following rule resource and application definitions:
    • - Protection is applied to all NGINX images
    • - We deployed two policies each covering a different endpoint in the application (defined by HTTP hostname, port and path combinations)

    Protection evaluation flow

    WAAS offers a range of protection targeted at different attack vectors. Requests inspected by WAAS will be inspected in the following order of protections:
    • Bot protection
    • App firewall (OWASP Top-10)
    • API protection
    • DoS protection
    WAAS will continue to inspect a request until "Prevent" or "Ban" actions are triggered, at which point the request will be blocked, and the evaluation flow will be halted.
    For instance, assume all protections in bot protection are set to "Prevent". An incoming request originating from a bot and containing a SQL injection payload would be blocked by the bot protection (since it precedes the app firewall in the evaluation flow), and the SQL injection payload will not be assessed by the app firewall.
    In a different scenario, suppose that all bot protections are set to "Alert" and all app firewall protections are set to "Prevent". A request originating from a bot containing a command injection payload will generate an alert event by bot protection and will be blocked by the app firewall protection.

    Deploying WAAS

    Deploying WAAS for Containers

    To deploy WAAS for containerized web applications, create a new rule, specify the image name, define application endpoints and select protections. WAAS only needs to be applied to images that receive HTTP/HTTPS traffic.
    1. Open Console, and go to
      Defend > WAAS
      .
    2. Select the
      Container
       tab.
    3. Click
      Add Rule
      .
    4. Enter a
      Rule Name
       and
      Notes
       (Optional) for describing the rule.
    5. Choose the rule
      Scope
       by specifying the resource collection(s) to which it applies.
      Collections define a combination of image names and one or more elements to which WAAS should attach itself in order to protect the web application:
      Applying a rule to all images using a wild card (*) is invalid - instead, only specify your web application images.
    6. Click
      Add New App
      .
    7. In the
      App Definition
       tab, specify the endpoints in your web application that should be protected. Each defined application can have multiple protected endpoints. If you have a Swagger or OpenAPI file, click
      Import
      , and select the file to load. Otherwise, skip to the next step to manually define your application’s endpoints.
    8. If you do not have a Swagger or OpenAPI file, manually define each endpoint by specifying the host, port, and path.
      1. In the
        General App Setup
         tab, click
        Add Endpoint
        .
      2. Specify endpoint details:
      3. Enter
        Port (required)
        Specify the TCP port listening for inbound HTTP traffic.
      4. Enter
        HTTP host
         (optional, wildcards supported).
        HTTP host names are specified in the form of [hostname]:[external port].
        External port is defined as the TCP port on the host, listening for inbound HTTP traffic. If the the value of the external port is "80" for non-TLS endpoints or "443" for TLS endpoints it can be omitted. Examples: "*.example.site", "docs.example.site", "www.example.site:8080", etc.
      5. Enter
        Base path
         (optional, wildcards supported):
        Base path for WAAS to match on, when applying protections.
        Examples: "/admin", "/" (root path only), "/*", /v2/api", etc.
      6. If your application uses TLS, set
        TLS
         to
        On
        .
        WAAS must be able to decrypt and inspect HTTPS traffic to function properly.
        To facilitate inspection, after creating all endpoints, click
        View TLS settings
         in the endpoint setup menu.
        TLS settings: