Topic
  • 2 replies
  • Latest Post - 2016-06-30T01:24:20Z by manhar
shrirangkhare
3 Posts

Pinned topic Best Practices for WAF use

2013-09-11T18:17:03Z | application firewall; mpgw waf; web

Config: DataPower XI50 4.0.

We have configured WAF for a backend Web application. This application sets cookies and redirects URLs.

This is working as expected. But to expose this to the outside world, the requirement is to use MPGW and route requests from MPGW to WAF.

I have used Dynamic Routing, Non-XML in request/response, and ResetLocation.xsl for the Server to Client Rule.

But there are 2 issues: setting up the cookies and URL redirection. The cookies set by the Web Application are not seen when the call goes through MPGW, and it gets redirected to the WAF port/URL too.

Is it good practice to use WAF in the DMZ and direct requests to the internal-network DP WAF? See diagram below.

Internet    |FW|    DMZ DP (WAF)    |FW|    Internal n/w DP (WAF) --> Backend Web Application

  • SriniDp
    46 Posts

    Re: Best Practices for WAF use

    2013-09-13T19:56:21Z

    You should use WAF very carefully. I suggest using WAF (again, it depends on your use case) without any hop to it in DataPower, because it provides a lot of benefits for web applications.

    Cookies:-

    When you proxy web applications in DataPower, you need to change the domain parameter of the cookies to the DataPower domain name so that the browser will send the cookies back to DataPower.

    Redirects:-

    You have to handle redirects in a stylesheet when you proxy web applications, by turning off follow redirects in WAF.

    If you give me more details I can help you. (I have experience proxying a couple of web applications in DataPower.)
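The two rewrites described in this reply (changing the cookie Domain to the proxy's host, and rewriting redirects that point at the internal WAF port/URL) are what a server-to-client stylesheet such as the ResetLocation.xsl mentioned in the question has to do. The following is an added illustration of that header-rewrite logic in Python; it is not code from the thread or from DataPower, and the host names, port and sample response headers are constructed for the example. It also shows the check a careful implementation wants: only redirects that actually target the internal hop are rewritten, and Secure/HttpOnly attributes on the cookie are preserved.

```python
"""Header-rewrite logic for a proxied web application (constructed example).

Two things break when a cookie-setting, redirecting backend sits behind an
extra proxy hop: Set-Cookie carries the backend's Domain attribute, so the
browser never returns the cookie to the proxy host, and Location points at
the internal WAF host/port.  Both are rewritten on the way back to the client.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed values for the example: the internal hop and the public front.
INTERNAL_HOST = "waf.internal.example"   # internal DP WAF host as seen by MPGW
INTERNAL_PORT = 8443
PUBLIC_HOST = "www.example.com"          # host the browser talks to (MPGW front)
PUBLIC_SCHEME = "https"


def rewrite_set_cookie(header_value: str, public_host: str = PUBLIC_HOST) -> str:
    """Replace the Domain attribute so the browser returns the cookie to the proxy.

    Every other attribute (Path, Secure, HttpOnly, Expires, ...) is kept verbatim;
    a cookie the backend set without Domain is host-only and is left untouched.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name_value, attrs = parts[0], parts[1:]
    out = [name_value]
    for attr in attrs:
        key, _, _ = attr.partition("=")
        if key.strip().lower() == "domain":
            out.append(f"Domain={public_host}")
        elif attr:
            out.append(attr)
    return "; ".join(out)


def rewrite_location(header_value: str,
                     internal_host: str = INTERNAL_HOST, internal_port: int = INTERNAL_PORT,
                     public_host: str = PUBLIC_HOST, public_scheme: str = PUBLIC_SCHEME) -> str:
    """Rewrite absolute redirects that target the internal hop to the public front.

    Relative redirects need no change (the browser resolves them against the
    public host), and redirects to any other host are deliberately left alone:
    rewriting every Location would hide redirects the proxy does not own.
    """
    u = urlsplit(header_value)
    if not u.scheme:
        return header_value
    host = (u.hostname or "").lower()
    port = u.port or (443 if u.scheme == "https" else 80)
    if host != internal_host.lower() or port != internal_port:
        return header_value
    return urlunsplit((public_scheme, public_host, u.path, u.query, u.fragment))


def rewrite_response_headers(headers):
    """Apply both rewrites to a list of (name, value) pairs.

    Multiple Set-Cookie headers stay as separate entries; folding them into one
    comma-joined value would corrupt cookies whose Expires attribute contains a comma.
    """
    out = []
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            out.append((name, rewrite_set_cookie(value)))
        elif lname == "location":
            out.append((name, rewrite_location(value)))
        else:
            out.append((name, value))
    return out


# Constructed backend response headers, as they would arrive at the proxy.
SAMPLE_BACKEND_HEADERS = [
    ("Location", "https://waf.internal.example:8443/app/login?next=%2Fhome"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/app; Domain=app.internal.example; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
    ("Content-Type", "text/html"),
]

if __name__ == "__main__":
    for name, value in rewrite_response_headers(SAMPLE_BACKEND_HEADERS):
        print(f"{name}: {value}")
```

Whether to replace the Domain attribute with the proxy host or simply drop it is a design choice: dropping it yields a host-only cookie, which is the tighter scope when no subdomains need the cookie.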

  • manhar
    18 Posts

    Re: Best Practices for WAF use

    2016-06-30T01:24:20Z

    Hi Srini,

    I am facing an issue with the domain parameter of the cookies in my environment. Can you please let me know how to change the domain parameter of the cookies to the DataPower domain?

    Thanks,

    MM