Table of Contents

Deploy WAAS In-Line for Hosts

To deploy WAAS to protect a host running a non-containerized web application, create a new rule, specify the host(s) where the application runs, define protected HTTP endpoints, and select protections.

Create a WAAS In-Line rule for Hosts

  1. Open Console, and go to
    Defend > WAAS > {Container|Host} > In-Line
  2. Select
    Add rule
    1. Enter a
      Rule Name
    2. Enter
      (Optional) for describing the rule.
    3. Select
      Operating system
    4. If necessary, adjust the
      Proxy timeout
      The maximum duration in seconds for reading the entire request, including the body. A 500 error response is returned if a request is not read within the timeout period. For applications dealing with large files, adjusting the proxy timeout is necessary.
  3. Choose the rule
    by specifying the resource collection(s) to which it applies.
    Collections define a combination of hosts to which WAAS should attach itself to protect the web application:
    Applying a rule to all hosts/images using a wild card (*) is invalid and a waste of resources. WAAS only needs to be applied to hosts that run applications that transmit and receive HTTP/HTTPS traffic.
  4. (Optional) Enable
    API endpoint discovery
    When enabled, the Defender inspects the API traffic to and from the protected API. Defender reports a list of the endpoints and their resource path in
    Compute > Monitor > WAAS > API discovery
  5. (Optional) Enable
    Automatically detect ports
    for an endpoint to deploy WAAS protection on ports identified in the unprotected web apps report in
    Monitor > WAAS > Unprotected web apps
    for each of the workloads in the rule scope.
    As an additional measure, you can specify additional ports by specifying them in the protected HTTP endpoints within each app to also include the ports that may not have been detected automatically.
    By enabling both
    Automatically detect ports
    API endpoint discovery
    , you can monitor your API endpoints and ports without having to add an application and without configuring any policies.
    Automatically detect ports
    is not available for Windows Operating System.
  6. Save
    the rule.

Add an App (policy) to the rule

  1. Select a WAAS rule to add an App in.
  2. Select
    Add app
  3. In the
    App Definition
    tab, enter an
    App ID
    The combination of
    Rule name
    App ID
    must be unique across In-Line and Out-Of-Band WAAS policies for Containers, Hosts, and App-Embedded.
    If you have a Swagger or OpenAPI file, click
    , and select the file to load.
    If you do not have a Swagger or OpenAPI file, manually define each endpoint by specifying the host, port, and path.
    1. In
      Endpoint Setup
      , click
      Add Endpoint
      Specify endpoint in your web application that should be protected. Each defined application can have multiple protected endpoints.
    2. Enter
      HTTP host
      (optional, wildcards supported).
      HTTP hostnames are specified in the form of [hostname]:[external port].
      The external port is defined as the TCP port on the host, listening for inbound HTTP traffic. If the value of the external port is "80" for non-TLS endpoints or "443" for TLS endpoints it can be omitted. Examples: "*", "", "", etc.
    3. Enter
      App ports
      as the internal port your app listens on.
      (You can skip to enter App ports, if you selected
      Automatically detect ports
      while creating the rule).
      Automatically detect ports
      is selected, any ports specified in a protected endpoint definition will be appended to the list of protected ports. Specify the TCP port listening for inbound HTTP traffic.
      If your application uses
      , you must specify a port number.
    4. Enter
      Base path
      (optional, wildcards supported):
      Base path for WAAS to match when applying protections.
      Examples: "/admin", "/" (root path only), "/*", /v2/api", etc.
    5. Enter
      WAAS port (only required for Windows, App-Embedded or when using "Remote host" option)
      as the external port WAAS listens on. The external port is the TCP port for the App-Embedded Defender to listen on for inbound HTTP traffic.
      Protecting Linux-based hosts does not require specifying a since WAAS listens on the same port as the protected application. Because Windows has its own internal traffic routing mechanisms, WAAS and the protected application cannot use the same . Consequently, when protecting Windows-based hosts the should be set to the port end-users send requests to, and the should be set to a
      port on which the protected application will listen and to which WAAS will forward traffic.
    6. If your application uses TLS, set
      You can select the TLS protocol (1.0, 1.1, 1.2, and 1.3 for WAAS In-Line, and 1.0, 1.1, and 1.2 for WAAS Out-Of-Band) to protect the API endpoint and enter the TLS certificate in PEM format.
      1. TLS connections using extended_master_secret(23) in the negotiation are not supported as part of this feature.
      2. DHKE is not supported due to a lack of information required to generate the encryption key.
      3. Out-of-Band does not support HTTP/2 protocol.
      4. TLS inspection for Out-of-Band WAAS is not supported on earlier versions of Console and Defender.
        • If your application uses HTTP/2, set
          WAAS must be able to decrypt and inspect HTTPS traffic to function properly.
        • If your application uses gRPC, set
    7. You can select
      Response headers
      to add or override HTTP response headers in responses sent from the protected application.
    8. Select
      Create response header
    9. To facilitate inspection, after creating all endpoints, click
      View TLS settings
      in the endpoint setup menu.
      WAAS TLS settings:
      • Certificate
        - Copy and paste your server’s certificate and private key into the certificate input box (e.g., cat server-cert.pem server-key > certs.pem).
      • Minimum TLS version
        - A minimum version of TLS can be enforced by WAAS In-Line to prevent downgrading attacks (the default value is TLS 1.2).
      • HSTS
        - The HTTP Strict-Transport-Security (HSTS) response header lets web servers tell browsers to use HTTPS only, not HTTP. When enabled, WAAS would add the HSTS response header to all HTTPS server responses (if it is not already present) with the preconfigured directives - max-age, includeSubDomains, and preload.
        1. max-age=<expire-time> - Time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.
        2. includeSubDomains (optional) - If selected, HSTS protection applies to all the site’s subdomains as well.
        3. preload (optional) - For more details, see the following link.
    10. If you application requires API protection, for each path define the allowed methods and the parameters.
  4. Continue to
    App Firewall
    settings, select the protections to enable and assign them with WAAS Actions.
  5. Configure the DoS protection thresholds.
  6. Continue to
    Access Control
    tab and select access controls to enable.
  7. Select the bot protections you want to enable.
  8. Select the required Custom rules.
  9. Proceed to Advanced settings for more WAAS controls.
  10. Select
  11. The
    Rule Overview
    page shows all the WAAS rules created.
    Select a rule to display the
    Rule Resources
    , and for each application a list of protected endpoints and the protections enabled for each endpoint are displayed.
  12. Test protected endpoint using the following sanity tests.
  13. Go to
    Monitor > Events
    , click on
    WAAS for containers/hosts/App-Embedded
    , and observe the events generated.
    For more information, see the WAAS analytics help page

Recommended For You