Deploy WAAS for Containers
Create a WAAS rule for Containers
- Open Console, and go toDefend > WAAS > *Container.
- ClickAdd Rule.
- Enter aRule NameandNotes(Optional) for describing the rule.
- Choose the ruleScopeby specifying the resource collection(s) to which it applies.Collections define a combination of image names and one or more elements to which WAAS should attach itself to protect the web application:Applying a rule to all images using a wild card (*) is invalid - instead, only specify your web application images.
- (Optional) EnableAutomatically detect portsfor an endpoint to protect the ports identified in the unprotected web apps reportMonitor > WAAS > Unprotected web appsfor each of the workloads in the rule scope.As an additional measure, you can specify additional ports by specifying them in the protected HTTP endpoints within each app to also include the ports that may not have been detected automatically.
- (Optional) EnableAPI endpoint discovery.When enabled, the Defender inspects the API traffic to and from the protected API. Defender reports a list of the endpoints and their resource path in Compute > Monitor > WAAS > API observations > Out-of-band observations.By enabling bothAutomatically detect portsandAPI endpoint discovery, you can monitor your API endpoints and ports without having to add an application and without configuring any policies.
- Savethe rule.
Add an App (policy) to the rule
- Select a WAAS container rule to add an App in.
- ClickAdd app.
- InApp Definition, specify the endpoints in your web application that should be protected.Each defined application can have multiple protected endpoints. If you have a Swagger or OpenAPI file, clickImport, and select the file to load. Otherwise, skip to the next step to manually define your application’s endpoints.If you do not have a Swagger or OpenAPI file, manually define each endpoint by specifying the host, port, and path.
- In theEndpoint setuptab, clickAdd Endpoint.
- EnterHTTP host(optional, wildcards supported).HTTP host names are specified in the form of [hostname]:[external port].External port is defined as the TCP port on the host, listening for inbound HTTP traffic. If the the value of the external port is "80" for non-TLS endpoints or "443" for TLS endpoints it can be omitted. Examples: "*.example.site", "docs.example.site", "www.example.site:8080", etc.
- EnterApp ports(optional, if you selectedAutomatically detect portswhile creating the rule).WhenAutomatically detect portsis selected, any ports specified in a protected endpoint definition will be appended to the list of protected ports.
- Specify the TCP port listening for inbound HTTP traffic.If your application usesTLSorgRPC, you must specify a port number.
- EnterBase path(optional, wildcards supported):Base path for WAAS to match on, when applying protections.Examples: "/admin", "/" (root path only), "/*", /v2/api", etc.
- If your application uses TLS, setTLStoOn.
- If your application uses HTTP/2, setHTTP/2toOn.WAAS must be able to decrypt and inspect HTTPS traffic to function properly.
- If your application uses gRPC, setgRPCtoOn.
- ClickResponse headersto add or override HTTP response headers in responses sent from the protected application.
- ClickCreate Endpoint.
- To facilitate inspection, after creating all endpoints, clickView TLS settingsin the endpoint setup menu.TLS settings:
- Certificate- Copy and paste your server’s certificate and private key into the certificate input box (e.g., cat server-cert.pem server-key > certs.pem).
- Minimum TLS version- A minimum version of TLS can be enforced by WAAS to prevent downgrading attacks (the default value is TLS 1.2).
- HSTS- The HTTP Strict-Transport-Security (HSTS) response header lets web servers tell browsers to use HTTPS only, not HTTP. When enabled, WAAS would add the HSTS response header to all HTTPS server responses (if it is not already present) with the preconfigured directives - max-age, includeSubDomains, and preload.
- max-age=<expire-time> - Time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.
- includeSubDomains (optional) - If selected, HSTS protection applies to all the site’s subdomains as well.
- If your application requires [API protection], select theAPI Protectiontab and define for each path the allowed methods, parameters, types, etc. See detailed definition instructions on the [API protection] help page.
- Continue toAccess Controltab and select access controls to enable.
- Continue toDoS protectiontab and configure DoS protection thresholds.
- Continue toBot protectiontab and select bot protections to enable.
- ClickSave.
- You should be redirected to theRule Overviewpage.Select the created new rule to displayRule Resourcesand for each application a list ofprotected endpointsandenabled protections.
- Test protected endpoint using the following sanity tests.
- Go toMonitor > Events, click onWAAS for containersand observe events generated.For more information please see the WAAS analytics help page.
Most Popular
Recommended For You
Recommended Videos
Recommended videos not found.