Deploy WAAS for Hosts
To deploy WAAS to protect a host running a non-containerized web application, create a new rule, specify the host(s) where the application runs, define protected HTTP endpoints, and select protections.
Create a WAAS rule for Hosts
- Open Console, and go toDefend > WAAS > Host.
- ClickAdd rule.
- Enter aRule Name
- EnterNotes(Optional) for describing the rule.
- SelectOperating system
- If necessary, adjust theProxy timeoutThe maximum duration in seconds for reading the entire request, including the body. A 500 error response is returned if a request is not read within the timeout period. For applications dealing with large files, adjusting the proxy timeout is necessary.
- Choose the ruleScopeby specifying the resource collection(s) to which it applies.Collections define a combination of hosts to which WAAS should attach itself to protect the web application:
- (Optional) Toggle to enableAutomatically detect portsfor an endpoint.When you select this option, WAAS deploys its protection on ports identified in the unprotected web apps report inMonitor > WAAS > Unprotected web appsfor each of the workloads in the rule scope. You can specify additional ports by specifying them in the protected HTTP endpoints within each app.
- (Optional) Toggle to enableAPI endpoint discovery.
- Savethe rule.
Add an App (policy) to the Host rule
- Select a WAAS host rule to add an App in.
- ClickAdd app.
- In the App Definition tab, specify the endpoints in your web application that should be protected.Each defined application can have multiple protected endpoints. If you have a Swagger or OpenAPI file, click Import, and select the file to load. Otherwise, skip to the next step to manually define your application’s endpoints.
- If you don’t have a Swagger or OpenAPI file, manually define each endpoint by specifying the host, port, and path.
- In theEndpoint Setuptab, click onAdd Endpoint
- Specify endpoint details:
- EnterPort(optional, if you selectedAutomatically detect portswhile creating the rule). WhenAutomatically detect portsis selected, any ports specified in a protected endpoint definition will be appended to the list of protected ports.Specify the TCP port protected app listens on, WAAS sends traffic to your app over this port.If your application usesTLSorgRPC, you must specify a port number.
- EnterWAAS Port (only required for Windows or when using "Remote host" option).Specify the TCP port on which WAAS listens. WAAS receives traffic from your end-users on this port, processes it, and then sends it to your app on the App port.Protecting Linux-based hosts does not require specifying adifferentport on which the protected application would listen on and WAAS would forward traffic to.
- EnterHTTP host(optional, wildcards supported).HTTP host names are specified in the form of [hostname]:[external port].External port is defined as the TCP port on the host, listening for inbound HTTP traffic. If the value of the external port is "80" for non-TLS endpoints or "443" for TLS endpoints it can be omitted. Examples: "*.example.site", "docs.example.site", "www.example.site:8080", etc.
- EnterBase path(optional, wildcards supported):Base path for WAAS to match on when applying protections.Examples: "/admin/", "/" (root path only), "/*", /v2/api/", etc.
- If your application uses TLS, setTLStoOn.WAAS must be able to decrypt and inspect HTTPS traffic to function properly.To facilitate inspection, after creating all endpoints, clickView TLS settingsin the endpoint setup menu.TLS settings:
- Certificate- Copy and paste your server’s certificate and private key into the certificate input box (e.g. cat server-cert.pem server-key > certs.pem).
- Minimum TLS version- Minimum version of TLS can be enforced by WAAS to prevent downgrading attacks (the default value is TLS 1.2).
- HSTS- HTTP Strict-Transport-Security (HSTS) response header lets web servers tell browsers to use HTTPS only, not HTTP. When enabled, WAAS adds the HSTS response header to all HTTPS server responses (if not already present) with the preconfigured directives - max-age, includeSubDomains, and preload.
- If your application uses gRPC, setgRPCtoOn.
- If your application uses HTTP/2, setHTTP/2toOn.
- Click on theResponse headerstab to add or override HTTP response headers in responses sent from the protected application.
- ClickCreate Endpoint
- Continue toAccess Controltab and select access controls to enable.
- Continue toDoS protectiontab and configure DoS protection thresholds.
- Continue toBot protectiontab and select bot protections to enable.
- You should be redirected to theRule Overviewpage.Select the created new rule to displayRule Resourcesand for each application a list ofprotected endpointsandenabled protections.
- Test protected endpoint using the following sanity tests.
- Go toMonitor > Events, click onWAAS for hostsand observe events generated.
Recommended For You
Recommended videos not found.