Add an App (policy) for App-Embedded

Select a WAAS App-Embedded rule to add an App in.
Click
Add app
.
In the App Definition tab, specify the endpoints in your web application that should be protected. Each defined application can have multiple protected endpoints. If you have a Swagger or OpenAPI file, click Import, and select the file to load. Otherwise, skip to the next step to manually define your app’s endpoints.

If you don’t have a Swagger or OpenAPI file, manually define each endpoint by specifying the host, port, and path.
In the

Endpoint Setup

tab, click on

Add Endpoint

.



Specify endpoint details:



Enter

App port (required)

Specify the TCP port protected app listens on, WAAS sends traffic to your app over this port.

Enter

WAAS Port (required)

.

The external port is the TCP port for the App-Embedded Defender to listen on for inbound HTTP traffic.

Enter

HTTP host

(optional, wildcards supported).

HTTP host names are specified in the form of [hostname]:[external port].

The external port is defined as the TCP port on the host, listening for inbound HTTP traffic. If the value of the external port is "80" for non-TLS endpoints or "443" for TLS endpoints it can be omitted. Examples: "*.example.com", "docs.example.com", "www.example.com:8080", etc.

Enter

Base path

(optional, wildcards supported):

Base path for WAAS to match on when applying protections.

Examples: "/admin/", "/" (root path only), "/*", /v2/api/", etc.

If your application uses TLS, set

TLS

to

On

.

WAAS must be able to decrypt and inspect HTTPS traffic to function properly.

To facilitate that, after creating all endpoints click on

View TLS settings

in the endpoint setup menu



TLS settings:



Certificate
- Copy and paste your server’s certificate and private key into the certificate input box (e.g. cat server-cert.pem server-key > certs.pem).
Minimum TLS version
- A minimum version of TLS can be enforced by WAAS to prevent downgrading attacks (the default value is "1.2").
HSTS
- The HTTP Strict-Transport-Security (HSTS) response header lets web servers tell browsers to use HTTPS only, not HTTP. When enabled, WAAS adds the HSTS response header to all HTTPS server responses (if not already present) with the preconfigured directives - max-age, includeSubDomains, and preload.
max-age=<expire-time> - The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.
includeSubDomains (optional) - If selected this HSTS protection applies to all of the site’s subdomains as well.
preload (optional) - for more details please refer to the following link.

If your application uses gRPC, set

gRPC

to

On

.

If your application uses HTTP/2, set

HTTP/2

to

On

.

Click

Create Endpoint

If your application requires API protection, select the "API Protection" tab and define for each path allowed methods, parameters, types, etc. See detailed definition instructions in the API protection help page.

Click on the

Response headers

tab to add or override HTTP response headers in responses sent from the protected application.


Continue to
App Firewall
tab, select protections to enable and assign them with actions.

Continue to
Access Control
tab and select access controls to enable.
Continue to
DoS protection
tab and configure DoS protection thresholds.
Continue to
Bot protection
tab and select bot protections to enable.
Click
Save
.
You should be redirected to the
Rule Overview
page.
Select the new rule to display
Rule Resources
and for each application a list of
protected endpoints
and
enabled protections
.

Test protected container using the following sanity tests.
Go to
Monitor > Events
, click on
WAAS for App-Embedded
and observe the events generated.
For more information please see the WAAS analytics help page