Add an App (policy) to the rule

Select a WAAS container rule to add an App in.
Click
Add app
.
In
App Definition
, specify the endpoints in your web application that should be protected.
Each defined application can have multiple protected endpoints. If you have a Swagger or OpenAPI file, click
Import
, and select the file to load. Otherwise, skip to the next step to manually define your application’s endpoints.

If you do not have a Swagger or OpenAPI file, manually define each endpoint by specifying the host, port, and path.
In the
Endpoint setup
tab, click
Add Endpoint
.


Enter
HTTP host
(optional, wildcards supported).
HTTP host names are specified in the form of [hostname]:[external port].
External port is defined as the TCP port on the host, listening for inbound HTTP traffic. If the the value of the external port is "80" for non-TLS endpoints or "443" for TLS endpoints it can be omitted. Examples: "*.example.site", "docs.example.site", "www.example.site:8080", etc.
Enter
App ports
(optional, if you selected
Automatically detect ports
while creating the rule).
When
Automatically detect ports
is selected, any ports specified in a protected endpoint definition will be appended to the list of protected ports.
Specify the TCP port listening for inbound HTTP traffic.
If your application uses
TLS
or
gRPC
, you must specify a port number.
Enter
Base path
(optional, wildcards supported):
Base path for WAAS to match on, when applying protections.
Examples: "/admin", "/" (root path only), "/*", /v2/api", etc.
If your application uses TLS, set
TLS
to
On
.
If your application uses HTTP/2, set
HTTP/2
to
On
.
WAAS must be able to decrypt and inspect HTTPS traffic to function properly.
If your application uses gRPC, set
gRPC
to
On
.
Click
Response headers
to add or override HTTP response headers in responses sent from the protected application.

Click
Create Endpoint
.
To facilitate inspection, after creating all endpoints, click
View TLS settings
in the endpoint setup menu.

TLS settings:

Certificate
- Copy and paste your server’s certificate and private key into the certificate input box (e.g., cat server-cert.pem server-key > certs.pem).
Minimum TLS version
- A minimum version of TLS can be enforced by WAAS to prevent downgrading attacks (the default value is TLS 1.2).
HSTS
- The HTTP Strict-Transport-Security (HSTS) response header lets web servers tell browsers to use HTTPS only, not HTTP. When enabled, WAAS would add the HSTS response header to all HTTPS server responses (if it is not already present) with the preconfigured directives - max-age, includeSubDomains, and preload.
max-age=<expire-time> - Time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.
includeSubDomains (optional) - If selected, HSTS protection applies to all the site’s subdomains as well.
preload (optional) - For more details, see the following link.
If your application requires [API protection], select the
API Protection
tab and define for each path the allowed methods, parameters, types, etc. See detailed definition instructions on the [API protection] help page.
Continue to
App Firewall
tab, select protections to enable and assign them with WAAS Actions.

Continue to
Access Control
tab and select access controls to enable.
Continue to
DoS protection
tab and configure DoS protection thresholds.
Continue to
Bot protection
tab and select bot protections to enable.
Click
Save
.
You should be redirected to the
Rule Overview
page.
Select the created new rule to display
Rule Resources
and for each application a list of
protected endpoints
and
enabled protections
.

Test protected endpoint using the following sanity tests.
Go to
Monitor > Events
, click on
WAAS for containers
and observe events generated.
For more information please see the WAAS analytics help page.