Deploy WAAS Out-Of-Band for Containers
Create a new rule to deploy WAAS Out-Of-Band for Containers.
Prerequisites
- You have installed a Container Defender in your workload environment.
- The minimum version of Console and Defender is 22.12.
- A TLS certificate in PEM format.
Create a WAAS rule for Out-Of-Band network traffic
To deploy WAAS for Out-Of-Band network traffic, create a new rule, define application endpoints, and select protections.
- Open Console, and go toDefend > WAAS > {Container|Host} > Out-of-Band.
- ClickAdd rule.
- Enter aRule Name
- EnterNotes(Optional) for describing the rule.
- Choose the ruleScopeby specifying the resource collection(s) to which it applies.Collections define a combination of image names and one or more elements to which WAAS should attach itself to protect the web application:Applying a rule to all images using a wild card (*) is invalid - instead, only specify your web application images.
- (Optional) EnableAPI endpoint discoveryWhen enabled, the Defender inspects the API traffic to and from the protected API. Defender reports a list of the endpoints and their resource path inCompute > Monitor > WAAS > API discovery.
- (Optional) EnableAutomatically detect portsfor an endpoint to deploy the WAAS’s protection on ports identified in the unprotected web apps report inMonitor > WAAS > Unprotected web appsfor each of the workloads in the rule scope.As an additional measure, you can specify additional ports by specifying them in the protected HTTP endpoints within each app to also include the ports that may not have been detected automatically.By enabling bothAutomatically detect portsandAPI endpoint discovery, you can monitor your API endpoints and ports without having to add an application and without configuring any policies.
- Savethe rule.
Add an App (policy) to the rule
- Select a WAAS rule to add an App in.
- ClickAdd app.
- In theApp Definitiontab, enter anApp ID.The combination ofRule nameandApp IDmust be unique across In-Line and Out-Of-Band WAAS policies for Containers, Hosts, and App-Embedded.If you have a Swagger or OpenAPI file, clickImport, and select the file to load.If you do not have a Swagger or OpenAPI file, manually define each endpoint by specifying the host, port, and path.
- InEndpoint Setup, clickAdd Endpoint.
- Specify endpoint in your web application that should be protected. Each defined application can have multiple protected endpoints.
- EnterHTTP host(optional, wildcards supported).HTTP hostnames are specified in the form of [hostname]:[external port].The external port is defined as the TCP port on the host, listening for inbound HTTP traffic. If the value of the external port is "80" for non-TLS endpoints or "443" for TLS endpoints it can be omitted. Examples: "*.example.site", "docs.example.site", "www.example.site:8080", etc.
- EnterApp portsas the internal port your app listens on (optional, if you selectedAutomatically detect portswhile creating the rule).WhenAutomatically detect portsis selected, any ports specified in a protected endpoint definition will be appended to the list of protected ports.Specify the TCP port listening for inbound HTTP traffic.If your application usesTLSorgRPC, you must specify a port number.
- EnterBase path(optional, wildcards supported):Base path for WAAS to match when applying protections.Examples: "/admin", "/" (root path only), "/*", /v2/api", etc.
- If your application uses TLS, setTLStoOn.You can select the TLS protocol (1.0, 1.1, 1.2, and 1.3 for WAAS In-Line, and 1.0, 1.1, and 1.2 for WAAS Out-Of-Band) to protect the API endpoint and enter the TLS certificate in PEM format.Limitations
- TLS connections using extended_master_secret(23) in the negotiation are not supported as part of this feature.
- DHKE is not supported due to a lack of information required to generate the encryption key.
- Out-of-Band does not support HTTP/2 protocol.
- TLS inspection for Out-of-Band WAAS is not supported on earlier versions of Console and Defender.
- If your application uses HTTP/2, setHTTP/2toOn.WAAS must be able to decrypt and inspect HTTPS traffic to function properly.
- If your application uses gRPC, setgRPCtoOn.
- SelectCreate response header.
- To facilitate inspection, after creating all endpoints, clickView TLS settingsin the endpoint setup menu.WAAS TLS settings:
- Certificate- Copy and paste your server’s certificate and private key into the certificate input box (e.g., cat server-cert.pem server-key > certs.pem).
- If you application requires API protection, for each path define the allowed methods and the parameters.
- Continue toApp Firewallsettings, select the protections to enable and assign them with WAAS Actions.
- Configure the DoS protection thresholds.
- Continue toAccess Controltab and select access controls to enable.