Creating the Web Application Firewall with the wizard

How to create a Web Application Firewall from the Services menu or Control Panel.

About this task

When you create the Web Application Firewall with the wizard, the configuration does not provide all available settings. To modify the Web Application Firewall that you created in this manner, use the Objects menu.

The following properties are not available in the wizard; manage them from the Objects menu.
  • Change the administrative state
  • Assign a URL rewrite policy
  • Change how the Host header from the client is presented to the service on the remote server, and how chunked uploads are handled
  • Change the value for the HTTP client IP label

Procedure

  1. From the Control Panel, click the Web Application Firewall icon.
  2. Click Add wizard.
  3. In the Name field, enter the name for the configuration.
  4. In the Comments field, enter a brief, descriptive summary for the configuration.
  5. From the XML Manager list, select the XML manager to associate with the service.
  6. Define the secure connection.
    1. From the TLS type list, select the TLS profile type to secure connections.
    2. Select a TLS client profile and a TLS server profile.
      1. Select the TLS profile to secure connections from clients to the service.
        • For a TLS server profile, select the TLS server profile from the TLS server profile list.
        • For a TLS SNI server profile, select the TLS SNI server profile from the TLS SNI server profile list.
      2. Select the TLS client profile from the TLS client profile list to secure connections from the service to the remote server.
  7. Optional: From the Default Error Policy list, select the policy to handle violations of the application security policy.
    This policy handles the responses that are returned to clients. Without a policy, every policy violation generates an error. If the application security policy defines its own error handling policy, that policy overrides this default policy.
  8. From the Application Security Policy list, select the security policy to enforce.
    Although this security policy can contain policies for requests and responses, you can disable them on the Advanced tab.
  9. Define service-to-server settings.
    1. Navigate to the Back side settings area.
    2. In the Remote Host field, enter the hostname or IP address of the remote server.
      To use a load balancer, enter the name of an existing load balancer group.
    3. In the Remote Port field, enter the listening port on the remote server.
  10. Define client-to-service settings.
    1. Navigate to the Front side settings area.
    2. Define source addresses.
      1. In the IP field, enter the local IP address or host alias on which the service listens.
      2. In the Port field, enter the DataPower listening port.
      3. Optional: Set the TLS property to enable HTTPS communication.
      4. Click Add.
    3. Repeat the previous step to create another source address.
  11. Optional: Click the Advanced tab to modify the default values in the following categories: connection timeout, protocol, streaming, and security.
  12. Change connection timeout settings.
    Connection timeout settings set the maximum amount of time to maintain an idle connection during and between transactions. After the timeout is exceeded, the connection is torn down.
    1. In the Front Side Timeout field, enter the time to maintain an idle connection during a transaction with a client.
    2. In the Back Side Timeout field, enter the time to maintain an idle connection during a transaction with the server.
    3. In the Front Persistent Timeout field, enter the time to maintain an idle connection between transactions with a client.
    4. In the Back Persistent Timeout field, enter the time to maintain an idle persistent connection between transactions with the server.
  13. Change protocol settings.
    Protocol settings set the HTTP version to use, set the scheduling priority, and control whether to attempt to resolve redirections and whether to pass the Cache-Control header.
    1. From the HTTP Response Version list, select the HTTP version for client responses.
    2. From the HTTP Version to Server list, select the HTTP version for server connections.
    3. From the Service Priority list, select the service scheduling priority.
    4. Set the Follow Redirects property to control whether to attempt to resolve redirects.
    5. Set the Allow Cache-Control Header property to control whether to allow the HTTP GET method to pass the Cache-Control header to the target server.
  14. Change streaming settings.
    Streaming settings indicate whether to stream or buffer messages.
    1. Set the Stream Output to Front property to control whether to stream responses to requesting clients.
    2. Set the Stream Output to Back property to control whether to stream requests to the remote server.
  15. Change security settings.
    Security settings control how URIs and error messages are handled and which security policies are enforced.
    1. Set the Normalize URI property to control whether to rewrite the URI into an RFC-compliant form so that checking for attack sequences is more reliable.
    2. Set the Rewrite Error Messages property to control whether error messages that are returned to clients are rewritten.
    3. Set the Delay Error Messages property to control whether to delay error messages so that the timing of error responses does not expose a padding oracle.
    4. In the Duration to Delay Error Messages field, enter the duration to delay error messages after the decryption of requests.
    5. Set the Request Security property to control whether to enforce the request security policies in the application security policy.
    6. Set the Response Security property to control whether to enforce the response security policies in the application security policy.
  16. Click Apply to save changes to the running configuration.
  17. Click Save to save changes to the persisted configuration.
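As an added example that is not DataPower code and not part of the original procedure, the following Python shows why the Normalize URI setting in step 15 makes rule matching more reliable: the same constructed blocking rule is evaluated against raw and normalized paths, and only the normalized form catches encoded or dot-segment variants. The rule, the normalization steps and the sample paths are assumptions for this illustration.

```python
"""Added example (not DataPower code): URI normalization before WAF rule
matching. Rule and sample paths are constructed for illustration only."""
from urllib.parse import unquote


def normalize_uri(path: str) -> str:
    """Return a canonical form of a request path (no query string).

    A subset of RFC 3986 normalization: percent-decode (twice, so a
    double-encoded %252e still resolves), drop empty and '.' segments,
    resolve '..' without climbing above the root.
    """
    decoded = unquote(unquote(path))
    segments = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue          # collapses '//' and '/./'
        if seg == "..":
            if segments:      # never climb above '/'
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def is_blocked(path: str, normalize: bool = True) -> bool:
    """Constructed rule: deny access to the '/admin' area.

    With normalize=False the raw path is matched, which is the unreliable
    behaviour the Normalize URI setting is meant to avoid.
    """
    target = normalize_uri(path) if normalize else path
    return target == "/admin" or target.startswith("/admin/")


if __name__ == "__main__":
    # Constructed sample paths that all resolve to the admin area.
    samples = [
        "/admin/users",
        "/public/../admin/users",
        "/%61dmin/./users",
        "//admin%2Fusers",
        "/%252e%252e/admin",
    ]
    for p in samples:
        print(f"{p:28} raw={is_blocked(p, False)!s:5} "
              f"normalized={is_blocked(p)} -> {normalize_uri(p)}")
```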