Deploy WAAS Out-of-band

Out-of-band WAAS rules inspect HTTP requests and responses through a mirror of the traffic to provide WAAS detections. VPC traffic mirroring can mirror the traffic for Out-of-band inspection to Prisma Cloud Compute Defenders without additional configurations.
In Out-of-band mode, WAAS does not proxy traffic to or from the protected application and all the detections are applied on a read-only copy of the traffic. As a result, there is no risk of interfering with the application flow.


  • You have installed a Container Defender in your workload environment.
  • The minimum version of Console and Defender is 22.06.
    Out-Of-Band WAAS is not supported on earlier versions of Console and Defender.

Create a WAAS rule for Out-of-band network traffic

To deploy WAAS for Out-of-band network traffic, create a new rule, define application endpoints, and select protections.
  1. Open Console, and go to
    Defend > WAAS
  2. Select
  3. Click
    Add rule
  4. Enter a
    Rule Name
    (Optional) for describing the rule.
  5. Choose the rule
    by specifying the resource collection(s) to which it applies.
    Collections define a combination of image names and one or more elements to which WAAS should attach itself to protect the web application:
  6. (Optional) Enable
    Automatically detect ports
    for an endpoint to deploy the WAAS’s protection on ports identified in the un-protected web apps report in
    Monitor > WAAS > Unprotected web apps
    for each of the workloads in the rule scope.
    As an additional measure, you can specify additional ports by specifying them in the protected HTTP endpoints within each app to also include the ports that may not have been detected automatically.
  7. (Optional) Enable
    API endpoint discovery
    When enabled, the Defender inspects the API traffic to and from the protected API. Defender reports a list of the endpoints and their resource path in
    Compute > Monitor > WAAS > API observations > Out-of-band observations
    By enabling both
    Automatically detect ports
    API endpoint discovery
    , you can monitor your API endpoints and ports without having to add an application and without configuring any policies.
  8. (Optional) Enable
    VPC traffic mirroring
    when using
    WAAS Out-of-band with VPC traffic mirroring
  9. Save
    the rule.

Add an App (policy) to the rule

  1. Select a WAAS rule to add an App in.
  2. Click
    Add app
  3. In the
    App Definition
    tab, specify the endpoints in your web application that should be protected. Each defined application can have multiple protected endpoints. If you have a Swagger or OpenAPI file, click
    , and select the file to load. Otherwise, skip to the next step to manually define your application’s endpoints.
  4. If you do not have a Swagger or OpenAPI file, manually define each endpoint by specifying the host, port, and path.
    1. In
      Endpoint Setup
      , click
      Add Endpoint
    2. Specify endpoint details:
    3. Enter
      (optional, if you selected
      Automatically detect ports
      while creating the rule). When
      Automatically detect ports
      is selected, any ports specified in a protected endpoint definition will be appended to the list of protected ports.
      Specify the TCP port listening for inbound HTTP traffic.
    4. Enter
      HTTP host
      (optional, wildcards supported).
      HTTP host names are specified in the form of [hostname]:[external port].
      External port is defined as the TCP port on the host, listening for inbound HTTP traffic. If the the value of the external port is "80" it can be omitted. Examples: "*", "", "", etc.
    5. Enter
      Base path
      (optional, wildcards supported):
      Base path for WAAS to match on, when applying protections.
      Examples: "/admin", "/" (root path only), "/*", /v2/api", etc.
    6. Click
      Create Endpoint
    7. If your application requires API protection, select the "API Protection" tab and define for each path the allowed methods, parameters, types, etc. See detailed definition instructions in the API protection help page.
  5. Continue to
    App Firewall
    tab, and select the protections as shown in the screenshot below:
    For more information, see App Firewall settings.
  6. Continue to
    DoS protection
    tab, and select DoS protection to enable.
  7. Continue to
    Access Control
    tab, and select access controls to enable.
  8. Continue to
    Bot protection
    tab, and select the protections as shown in the screenshot below:
    For more information, see Bot protections.
  9. Continue to
    Custom rules
    tab and select Custom rules to enable.
  10. Continue to
    Advanced settings
    tab, and set the options shown in the screenshot below:
    For more information, see Advanced settings.
  11. Click
  12. You should be redirected to the
    Rule Overview
    Select the created new rule to display
    Rule Resources
    and for each application a list of
    protected endpoints
    enabled protections
  13. Test protected endpoint using the following sanity tests.
  14. Go to
    Monitor > Events
    , click on
    WAAS for out-of-band
    and observe the events generated.
    For more information, see the WAAS analytics help page

WAAS Actions for Out-of-band traffic

The following actions are applicable for the HTTP requests or responses related to the
Out-of-band traffic
  • Alert
    - An audit is generated for visibility.
  • Disable
    - The WAAS action is disabled.

Recommended For You