Deploy WAAS for Hosts

To deploy WAAS to protect a host running a non-containerized web application, create a new rule, specify the host(s) where the application runs, define protected HTTP endpoints, and select protections.

Create a WAAS rule for Hosts

  1. Open Console, and go to
    Defend > WAAS > Host
    .
  2. Click
    Add rule
    .
    1. Enter a
      Rule Name
    2. Enter
      Notes
      (Optional) for describing the rule.
    3. Select
      Operating system
    4. If necessary, adjust the
      Proxy timeout
      The maximum duration in seconds for reading the entire request, including the body. A 500 error response is returned if a request is not read within the timeout period. For applications dealing with large files, adjusting the proxy timeout is necessary.
  3. Choose the rule
    Scope
    by specifying the resource collection(s) to which it applies.
    Collections define a combination of hosts to which WAAS should attach itself to protect the web application:
    Applying a rule to all hosts using a wild card (*) is invalid and a waste of resources. WAAS only needs to be applied to hosts that run applications that transmit and receive HTTP/HTTPS traffic.
  4. (Optional) Toggle to enable
    Automatically detect ports
    for an endpoint.
    When you select this option, WAAS deploys its protection on ports identified in the unprotected web apps report in
    Monitor > WAAS > Unprotected web apps
    for each of the workloads in the rule scope. You can specify additional ports by specifying them in the protected HTTP endpoints within each app.
  5. (Optional) Toggle to enable
    API endpoint discovery
    .
  6. Save
    the rule.

Add an App (policy) to the Host rule

  1. Select a WAAS host rule to add an App in.
  2. Click
    Add app
    .
  3. In the App Definition tab, specify the endpoints in your web application that should be protected.
    Each defined application can have multiple protected endpoints. If you have a Swagger or OpenAPI file, click Import, and select the file to load. Otherwise, skip to the next step to manually define your application’s endpoints.
  4. If you don’t have a Swagger or OpenAPI file, manually define each endpoint by specifying the host, port, and path.
    1. In the
      Endpoint Setup
      tab, click on
      Add Endpoint
    2. Specify endpoint details:
    3. Enter
      Port
      (optional, if you selected
      Automatically detect ports
      while creating the rule). When
      Automatically detect ports
      is selected, any ports specified in a protected endpoint definition will be appended to the list of protected ports.
      Specify the TCP port protected app listens on, WAAS sends traffic to your app over this port.
      If your application uses
      TLS
      or
      gRPC
      , you must specify a port number.
    4. Enter
      WAAS Port (only required for Windows or when using "Remote host" option)
      .
      Specify the TCP port on which WAAS listens. WAAS receives traffic from your end-users on this port, processes it, and then sends it to your app on the App port.
      Protecting Linux-based hosts does not require specifying a since WAAS listens on the same port as the protected application. Because of Windows internal traffic routing mechanisms WAAS and the protected application cannot use the same . Consequently, when protecting Windows-based hosts the should be set to the port end-users send requests to, and the should be set to a
      different
      port on which the protected application would listen on and WAAS would forward traffic to.
    5. Enter
      HTTP host
      (optional, wildcards supported).
      HTTP host names are specified in the form of [hostname]:[external port].
      External port is defined as the TCP port on the host, listening for inbound HTTP traffic. If the value of the external port is "80" for non-TLS endpoints or "443" for TLS endpoints it can be omitted. Examples: "*.example.site", "docs.example.site", "www.example.site:8080", etc.
    6. Enter
      Base path
      (optional, wildcards supported):
      Base path for WAAS to match on when applying protections.
      Examples: "/admin/", "/" (root path only), "/*", /v2/api/", etc.
    7. If your application uses TLS, set
      TLS
      to
      On
      .
      WAAS must be able to decrypt and inspect HTTPS traffic to function properly.
      To facilitate inspection, after creating all endpoints, click
      View TLS settings
      in the endpoint setup menu.
      TLS settings:
      1. Certificate
        - Copy and paste your server’s certificate and private key into the certificate input box (e.g. cat server-cert.pem server-key > certs.pem).
      2. Minimum TLS version
        - Minimum version of TLS can be enforced by WAAS to prevent downgrading attacks (the default value is TLS 1.2).
      3. HSTS
        - HTTP Strict-Transport-Security (HSTS) response header lets web servers tell browsers to use HTTPS only, not HTTP. When enabled, WAAS adds the HSTS response header to all HTTPS server responses (if not already present) with the preconfigured directives - max-age, includeSubDomains, and preload.
        • max-age=<expire-time> - Time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.
        • includeSubDomains (optional) - If selected, HSTS protection applies to all the site’s subdomains as well.
        • preload (optional) - For more details, refer to the following link.
    8. If your application uses gRPC, set
      gRPC
      to
      On
      .
    9. If your application uses HTTP/2, set
      HTTP/2
      to
      On
      .
    10. Click on the
      Response headers
      tab to add or override HTTP response headers in responses sent from the protected application.
    11. Click
      Create Endpoint
    12. If your application requires API protection, select the "API Protection" tab and define for each path allowed methods, parameters, types, etc. See detailed definition instructions in the API protection help page.
  5. Continue to
    App firewall
    tab, select protections to enable and assign them with actions.
  6. Continue to
    Access Control
    tab and select access controls to enable.
  7. Continue to
    DoS protection
    tab and configure DoS protection thresholds.
  8. Continue to
    Bot protection
    tab and select bot protections to enable.
  9. Click
    Save
    .
  10. You should be redirected to the
    Rule Overview
    page.
    Select the created new rule to display
    Rule Resources
    and for each application a list of
    protected endpoints
    and
    enabled protections
    .
  11. Test protected endpoint using the following sanity tests.
  12. Go to
    Monitor > Events
    , click on
    WAAS for hosts
    and observe events generated.
    For more information please see the WAAS analytics help page

Recommended For You