Deploy WAAS for Containers

Create a WAAS rule for Containers

  1. Open Console, and go to Defend > WAAS > Container.
  2. Click Add Rule.
  3. Enter a Rule Name and Notes (Optional) for describing the rule.
  4. Choose the rule Scope by specifying the resource collection(s) to which it applies.
    Collections define a combination of image names and one or more elements to which WAAS should attach itself to protect the web application.
    Applying a rule to all images using a wildcard (*) is invalid; instead, specify only your web application images.
  5. (Optional) Enable Automatically detect ports for an endpoint to protect the ports identified in the unprotected web apps report (Monitor > WAAS > Unprotected web apps) for each of the workloads in the rule scope.
    You can also specify additional ports in the protected HTTP endpoints within each app, to include ports that may not have been detected automatically.
  6. (Optional) Enable API endpoint discovery.
    When enabled, the Defender inspects the API traffic to and from the protected API. Defender reports a list of the endpoints and their resource paths in Compute > Monitor > WAAS > API observations > Out-of-band observations.
    By enabling both Automatically detect ports and API endpoint discovery, you can monitor your API endpoints and ports without having to add an application and without configuring any policies.
  7. Save the rule.

Add an App (policy) to the rule

  1. Select the WAAS container rule to which you want to add an App.
    1. Click Add app.
    2. In App Definition, specify the endpoints in your web application that should be protected.
      Each defined application can have multiple protected endpoints. If you have a Swagger or OpenAPI file, click Import, and select the file to load. Otherwise, skip to the next step to manually define your application’s endpoints.
      If you do not have a Swagger or OpenAPI file, manually define each endpoint by specifying the host, port, and path.
    3. In the Endpoint setup tab, click Add Endpoint.
      • Enter HTTP host (optional, wildcards supported).
        HTTP host names are specified in the form of [hostname]:[external port].
        External port is defined as the TCP port on the host, listening for inbound HTTP traffic. If the value of the external port is "80" for non-TLS endpoints or "443" for TLS endpoints, it can be omitted. Examples: "*.example.site", "docs.example.site", "www.example.site:8080", etc.
      • Enter App ports (optional, if you selected Automatically detect ports while creating the rule).
        When Automatically detect ports is selected, any ports specified in a protected endpoint definition will be appended to the list of protected ports.
      • Specify the TCP port listening for inbound HTTP traffic.
        If your application uses TLS or gRPC, you must specify a port number.
      • Enter Base path (optional, wildcards supported):
        Base path for WAAS to match on, when applying protections.
        Examples: "/admin", "/" (root path only), "/*", "/v2/api", etc.
      • If your application uses TLS, set TLS to On.
      • If your application uses HTTP/2, set HTTP/2 to On.
        WAAS must be able to decrypt and inspect HTTPS traffic to function properly.
      • If your application uses gRPC, set gRPC to On.
    4. Click Response headers to add or override HTTP response headers in responses sent from the protected application.
    5. Click Create Endpoint.
    6. To facilitate inspection, after creating all endpoints, click View TLS settings in the endpoint setup menu.
      TLS settings:
      • Certificate - Copy and paste your server’s certificate and private key into the certificate input box (e.g., cat server-cert.pem server-key > certs.pem).
      • Minimum TLS version - A minimum version of TLS can be enforced by WAAS to prevent downgrade attacks (the default value is TLS 1.2).
      • HSTS - The HTTP Strict-Transport-Security (HSTS) response header lets web servers tell browsers to use HTTPS only, not HTTP. When enabled, WAAS adds the HSTS response header to all HTTPS server responses (if it is not already present) with the preconfigured directives: max-age, includeSubDomains, and preload.
        1. max-age=<expire-time> - Time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.
        2. includeSubDomains (optional) - If selected, HSTS protection applies to all the site’s subdomains as well.
        3. preload (optional) - For more details, see the following link.
    7. If your application requires API protection, select the API Protection tab and define for each path the allowed methods, parameters, types, etc. See detailed definition instructions on the API protection help page.
  2. Continue to the App Firewall tab, select the protections to enable, and assign WAAS Actions to them.
  3. Continue to the Access Control tab and select the access controls to enable.
  4. Continue to the DoS protection tab and configure the DoS protection thresholds.
  5. Continue to the Bot protection tab and select the bot protections to enable.
  6. Click Save.
  7. You should be redirected to the Rule Overview page.
    Select the newly created rule to display Rule Resources and, for each application, a list of protected endpoints and enabled protections.
  8. Test the protected endpoint using the following sanity tests.
  9. Go to Monitor > Events, click on WAAS for containers, and observe the events generated.
    For more information, please see the WAAS analytics help page.
