Add an App (policy) to the rule

Select a WAAS rule to add an App in.
Select
Add app
.
In the
App Definition
tab, enter an
App ID
.
The combination of
Rule name
and
App ID
must be unique across In-Line and Out-Of-Band WAAS policies for Containers, Hosts, and App-Embedded.
If you have a Swagger or OpenAPI file, click
Import
, and select the file to load.
If you do not have a Swagger or OpenAPI file, manually define each endpoint by specifying the host, port, and path.
In
Endpoint Setup
, click
Add Endpoint
.
Specify endpoint in your web application that should be protected. Each defined application can have multiple protected endpoints.
Enter
HTTP host
(optional, wildcards supported).
HTTP hostnames are specified in the form of [hostname]:[external port].
The external port is defined as the TCP port on the host, listening for inbound HTTP traffic. If the value of the external port is "80" for non-TLS endpoints or "443" for TLS endpoints it can be omitted. Examples: "*.example.site", "docs.example.site", "www.example.site:8080", etc.
Enter
App ports
as the internal port your app listens on.
(You can skip to enter App ports, if you selected
Automatically detect ports
while creating the rule).
When
Automatically detect ports
is selected, any ports specified in a protected endpoint definition will be appended to the list of protected ports. Specify the TCP port listening for inbound HTTP traffic.
If your application uses
TLS
or
gRPC
, you must specify a port number.
Enter
Base path
(optional, wildcards supported):
Base path for WAAS to match when applying protections.
Examples: "/admin", "/" (root path only), "/*", /v2/api", etc.
If your application uses TLS, set
TLS
to
On
.
You can select the TLS protocol (1.0, 1.1, 1.2, and 1.3 for WAAS In-Line, and 1.0, 1.1, and 1.2 for WAAS Out-Of-Band) to protect the API endpoint and enter the TLS certificate in PEM format.
Limitations
TLS connections using extended_master_secret(23) in the negotiation are not supported as part of this feature.
DHKE is not supported due to a lack of information required to generate the encryption key.
Out-of-Band does not support HTTP/2 protocol.
TLS inspection for Out-of-Band WAAS is not supported on earlier versions of Console and Defender.
If your application uses HTTP/2, set
HTTP/2
to
On
.
WAAS must be able to decrypt and inspect HTTPS traffic to function properly.
If your application uses gRPC, set
gRPC
to
On
.
Select
Create response header
.
To facilitate inspection, after creating all endpoints, click
View TLS settings
in the endpoint setup menu.
WAAS TLS settings:

Certificate
- Copy and paste your server’s certificate and private key into the certificate input box (e.g., cat server-cert.pem server-key > certs.pem).
If you application requires API protection, for each path define the allowed methods and the parameters.
Continue to
App Firewall
settings, select the protections to enable and assign them with WAAS Actions.
Configure the DoS protection thresholds.
Continue to
Access Control
tab and select access controls to enable.
Select the bot protections you want to enable.
Select the required Custom rules.
Proceed to Advanced settings for more WAAS controls.
Select
Save
.
The
Rule Overview
page shows all the WAAS rules created.
Select a rule to display the
Rule Resources
, and for each application a list of protected endpoints and the protections enabled for each endpoint are displayed.
Test protected endpoint using the following sanity tests.
Go to
Monitor > Events
, click on
WAAS for containers/hosts/App-Embedded
, and observe the events generated.
For more information, see the WAAS analytics help page