Configuring web application firewall

To configure the web application firewall with the local management interface, use the Reverse Proxy management page.

Procedure

  1. From the top menu, select Secure Web Settings > Manage > Reverse Proxy.
  2. Select the Reverse Proxy instance for which you want to configure the web application firewall.
  3. Click Manage > Configuration > Web Content Protection.
  4. On the Operating Configuration tab, you can configure general Web Content Protection settings.
    1. Select the Enable Web Content Protection check box to turn on the web application firewall.
    2. To run the firewall in simulation mode, without affecting client traffic, select the Enable Simulation Mode check box. When simulation mode is enabled, detected issues are audited and then ignored, so you can review what the current settings would have acted on and tune them before any real action is taken against offending requests.
    3. Select the Use Proxy HTTP Header check box as needed. It controls whether the audit log records the client IP address taken from the network connection or the address taken from the x-forwarded-for HTTP header. Select it only when a trusted device, such as a load balancer or network-terminating firewall, sits between the reverse proxy and the client and sets (overwrites) that header. Otherwise the header is supplied by the client and can be forged, which lets an attacker write a false source address into the audit trail.
    4. Provide a value in bytes for the Maximum Memory Size field. This defines the maximum memory that the PAM inspection engine can use.
      Note: PAM has a pre-defined minimum memory size. If the configured value is less than the minimum, the allocated memory is automatically increased to that minimum.
    5. Under Resource Actions:
      Note: Use this table to customize the actions that are taken when issues are encountered for a particular resource. The list is pattern-matched and searched in order, and the first matching entry is used, so place specific resource names before broader wildcard patterns. The resource name can contain the "*" and "?" pattern-matching characters. If no matching resource is found, the X-Force default actions are taken.
      • To add a resource:
        1. Click New.
        2. On the Add Custom Resource page, provide the resource name. All issues available to the resource are pre-populated.
          Note: Resource names can contain the "*" and "?" pattern-matching characters. For example, *.html.
        3. Select an issue that you want to modify and then click Edit.
        4. On the Edit Custom Resource Issue page, select the action to take against this issue in the Response field.
        5. Optional: If Quarantine is selected as the event response in the previous step, specify the quarantine time in the Quarantine Period field.
        6. Click Save on the Edit Custom Resource Issue page.
        7. Click Save on the Add Custom Resource page.
      • To edit a resource:
        1. Select the resource name to edit.
        2. Click Edit.
        3. On the Edit Custom Resource page, select the issue that you want to modify and then click Edit.
        4. On the Edit Custom Resource Issue page, modify the event response and quarantine time as needed.
        5. Click Save on the Edit Custom Resource Issue page.
        6. Click Save on the Edit Custom Resource page.
      • To delete a resource:
        1. Select the resource name to delete.
        2. Click Delete.
          Note: There is no confirmation window for this delete operation. Make sure that the selected resource is the one you want to delete before you click Delete.
    6. Under Registered Resources:
      Note: The registered resources designate the requests that are passed to the inspection engine. When the Web reverse proxy receives a request, the entries in the list are searched sequentially until a match is found, and the action that is assigned to that matching resource controls whether inspection is enabled or disabled. Because the search stops at the first match, an entry that is placed after a broader pattern such as * is never reached. The resources can contain wildcard characters for pattern matching.
      • To add a registered resource:
        1. Click New.
        2. On the Add Protected Resources page that pops up, provide the Resource Name. For example, index.html, *.html or *.gif.
        3. Select Enabled or Disabled as needed.
        4. Click Save.
      • To edit a registered resource:
        1. Select the resource to edit from the list.
        2. Click Edit.
        3. On the Edit Protected Resources page that pops up, modify the resource name and whether it is enabled as needed.
        4. Click Save.
      • To delete a registered resource
        1. Select the resource to delete from the list.
        2. Click Delete.
          Note: There is no confirmation window for this delete operation. Make sure that the selected resource is the one you want to delete before you click Delete.
    7. Under Injection Tuning Parameters, modify the listed parameters by double-clicking a value in the Units column and editing it inline as needed. To see a description of a parameter, hover the mouse pointer over that parameter; a pop-up message that contains the description is displayed.
  5. On the Issues tab, you can enable or disable certain issues.
    Note: The list of issues controls the events that the inspection engine monitors. If an issue is disabled, the inspection engine no longer checks for it.
    • Approach 1:
      1. Select the event to edit.
      2. Click Edit.
      3. On the Edit Issue page, select Enabled or Disabled as needed.
      4. Click Save.
    • Approach 2:
      • Select or clear the Enabled check box to enable or disable a particular issue.
    • Approach 3:
      • Click Trust X-Force to automatically disable all issues for which there is no default response.
  6. On the Audit tab, you can configure logging and auditing settings.
    1. Select the Log detailed audit events check box to enable logging of detailed audit events.
    2. Under Log Audit Events, select one of the options to indicate where the audit events are sent.
    3. Under Log Audit Config, define the following parameters based on the selections made in the previous step.
      • If Log to File is selected:
        File Name: The name of the log file.
        Rollover Size: The maximum size to which a log file can grow before it is rolled over. The default value is 2000000 bytes.
        Buffer Size: The maximum size of the message that is built when smaller events are combined.
        Queue Size: There is a delay between events being placed on the queue and the file log agent removing them. This parameter specifies the maximum size to which the queue is allowed to grow.
        High Water Mark: Processing of the event queue is scheduled regularly at the configured flush interval. It is also triggered asynchronously when the queue reaches the high water mark. The default value is two-thirds of the maximum configured queue size. If the maximum queue size is zero, the high water mark is set to a default of 100. If the high water mark is set to 1, every queued event is relayed to the log agent as soon as possible.
        Flush Interval: Controls how often the server asynchronously forces a flush of the file stream to disk. Valid values are 0, a negative number, or the flush interval in seconds.
      • If Log to Remote Authorization Server is selected:
        Compress: To reduce network traffic, compress buffers before transmission and expand them on reception. The default value is no.
        Buffer Size: To reduce network traffic, events are buffered into blocks of the nominated size before they are relayed to the remote server. This parameter specifies the maximum message size that the local program attempts to construct by combining smaller events into a larger buffer. The default value is 1024 bytes.
        Flush Interval: Limits the time that a process waits to fill a consolidation buffer. The default value is 20 seconds. Do not set this value to 0: a value of 0 results in the buffer being flushed only every 600 seconds.
        Queue Size: There is a delay between events being placed on the queue and the log agent removing them. This parameter specifies the maximum size to which the queue is allowed to grow.
        High Water Mark: Processing of the event queue is scheduled regularly at the configured flush interval. It is also triggered asynchronously when the queue reaches the high water mark. The default value is two-thirds of the maximum configured queue size. If the maximum queue size is zero, the high water mark is set to a default of 100. If the high water mark is set to 1, every queued event is relayed to the log agent as soon as possible.
        Error Retry Timeout: If a send operation to the remote service fails, the system waits for the error retry timeout, in seconds, before it tries again. The default value is 2 seconds.
        Logging Port: The port on which the remote authorization server listens for remote logging requests. The default value is port 7136.
        Rebind Retry: If the remote authorization server is unavailable, the log agent attempts to rebind to it at this frequency, in seconds. The default value is 300 seconds.
        Hostname: Remote logging services are offered by the authorization service. This parameter nominates the host on which the authorization server process listens for event recording.
        DN: To establish mutual authentication of the remote server, a distinguished name (DN) must be configured. Specify the DN as a string enclosed in double quotation marks.
      • If Log to Remote Syslog Server is selected:
        Remote Syslog Server: The host on which the remote syslog server process listens for event recording.
        Port: The port on which the remote syslog server listens for remote logging requests.
        Application ID: The name of the application as it appears in the messages that are sent to the remote syslog server.
        Error Retry Timeout: If a send operation to the remote service fails, the system waits for the error retry timeout, in seconds, before it tries again. The default value is 2 seconds.
        Flush Interval: Limits the time that a process waits to fill a consolidation buffer. The default value is 20 seconds. Do not set this value to 0: a value of 0 results in the buffer being flushed only every 600 seconds.
        High Water Mark: Processing of the event queue is scheduled regularly at the configured flush interval. It is also triggered asynchronously when the queue reaches the high water mark. The default value is two-thirds of the maximum configured queue size. If the maximum queue size is zero, the high water mark is set to a default of 100. If the high water mark is set to 1, every queued event is relayed to the log agent as soon as possible.
        Queue Size: There is a delay between events being placed on the queue and the log agent removing them. This parameter specifies the maximum size to which the queue is allowed to grow.
        Rebind Retry: If the remote syslog server is unavailable, the log agent attempts to rebind to it at this frequency, in seconds. The default value is 300 seconds.
        Maximum Event Length: The maximum length of an event that is transmitted to the remote syslog server. If the event text is longer than the configured length, it is truncated to this length. If the maximum event length is zero, the event text is never truncated. When events are sent in clear text, each event is typically carried in its own UDP datagram, so set the maximum event length to less than the maximum transmission unit (MTU) of the network path to the server to avoid fragmentation of the event.
        Enable SSL Communication: Whether SSL/TLS is used for communication with the remote syslog server. Audit events carry request details and client addresses; without SSL they cross the network in clear text and can be read or altered in transit.
        SSL Keyfile: The name of the GSKit key database file that contains the CA certificate that is used to verify the remote syslog server when the secure connection is established over TLS. If the Enable SSL Communication check box is selected, this field is required.
        SSL Certificate Label: The label of the certificate that is presented to the remote syslog server, upon request, when the secure connection is established. If no value is set, the default certificate from the key database is used.
  7. On the Advanced Configuration tab, you can configure coalescer, inspection engine, issues, and custom actions.
    1. Under Coalescer Configuration:
      Note: The coalescer is used to correlate audit events. The administrator can use these configuration settings to fine-tune the processing of the coalescer and thus reduce the number of messages that are sent to the audit log.
      • To add a coalescer parameter:
        1. Click New.
        2. On the Add Coalescer Parameter page that pops up, provide the parameter name and value.
        3. Click Save.
      • To edit a coalescer parameter:
        1. Select the parameter to edit from the list.
        2. Click Edit.
        3. On the Edit Coalescer Parameter page that pops up, modify the parameter name and value as needed.
        4. Click Save.
      • To delete a coalescer parameter:
        1. Select the parameter to delete from the list.
        2. Click Delete.
          Note: There is no confirmation window for this delete operation. Make sure that the selected parameter is the one you want to delete before you click Delete.
    2. Under Inspection Engine Configuration:
      • To add an inspection engine configuration parameter:
        1. Click New.
        2. On the Add Inspection Parameter page that pops up, provide the parameter name and value.
        3. Click Save.
      • To edit an inspection engine configuration parameter:
        1. Select the parameter to edit from the list.
        2. Click Edit.
        3. On the Edit Inspection Parameter page that pops up, modify the parameter name and value as needed.
        4. Click Save.
      • To delete an inspection engine configuration parameter:
        1. Select the parameter to delete from the list.
        2. Click Delete.
          Note: There is no confirmation window for this delete operation. Make sure that the selected parameter is the one you want to delete before you click Delete.
  8. Click Save.
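The Resource Actions and Registered Resources lists in step 4 are both searched in order and the first matching pattern decides the outcome, which makes entry order a policy decision that the management interface does not check for you. The following Python model is an added example, not IBM's code or the product's matching logic: it reproduces the documented behaviour (ordered search, first match wins, "*" and "?" wildcards, X-Force defaults when no custom resource matches) on constructed sample lists and reports entries that can never be reached. The issue names and response values are hypothetical placeholders (the page only names Quarantine), how a request that matches no registered resource is treated is an assumption, and the product's exact matching rules (case handling, anchoring) are not stated on the page either.

```python
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

# Constructed sample configuration, not taken from a real deployment.
# Patterns follow the page's examples (index.html, *.html, *.gif); the order
# is deliberately flawed to show how a first-match list hides a later entry.
REGISTERED_RESOURCES: List[Tuple[str, str]] = [
    ("*.gif", "Disabled"),
    ("*.html", "Enabled"),
    ("index.html", "Disabled"),   # unreachable: "*.html" above matches first
    ("*", "Enabled"),
]

# Hypothetical issue names and responses; the page itself only names "Quarantine".
DEFAULT_ACTIONS: Dict[str, str] = {"issue-a": "block", "issue-b": "block"}

# Custom Resource Actions: (pattern, per-issue overrides of the defaults).
RESOURCE_ACTIONS: List[Tuple[str, Dict[str, str]]] = [
    ("*.html", {"issue-b": "quarantine"}),
    ("/admin/*", {"issue-a": "quarantine", "issue-b": "quarantine"}),
]


def matches(name: str, pattern: str) -> bool:
    """Match with only '*' and '?' as wildcards (assumed product semantics).

    fnmatch would also treat '[...]' as a character class, so '[' is escaped.
    """
    return fnmatchcase(name, pattern.replace("[", "[[]"))


def first_match(entries, name: str):
    """Return the first (pattern, value) entry whose pattern matches name, else None."""
    for pattern, value in entries:
        if matches(name, pattern):
            return pattern, value
    return None


def inspection_enabled(name: str, entries=REGISTERED_RESOURCES) -> Optional[bool]:
    """Whether the first matching registered resource enables inspection.

    Returns None when no entry matches; the page does not say what the product
    does in that case, so the caller must decide (a trailing '*' entry avoids it).
    """
    hit = first_match(entries, name)
    return None if hit is None else hit[1] == "Enabled"


def actions_for(name: str, entries=RESOURCE_ACTIONS) -> Dict[str, str]:
    """Effective per-issue responses: X-Force defaults overlaid with the first
    matching custom resource (assumed: issues it does not override keep the default)."""
    actions = dict(DEFAULT_ACTIONS)
    hit = first_match(entries, name)
    if hit is not None:
        actions.update(hit[1])
    return actions


def shadowed_entries(entries) -> List[int]:
    """Indexes of entries that the first-match search can never reach.

    Deliberately conservative so it reports no false positives: a later entry is
    flagged only when an earlier pattern is the catch-all '*', or when the later
    entry is a literal name (no wildcards) that an earlier pattern matches.
    """
    shadowed: List[int] = []
    for i, (pattern, _) in enumerate(entries):
        literal = "*" not in pattern and "?" not in pattern
        for earlier, _ in entries[:i]:
            if earlier == "*" or (literal and matches(pattern, earlier)):
                shadowed.append(i)
                break
    return shadowed


def evaluate(name: str) -> Dict[str, object]:
    """Decision for one request: bypass inspection, or inspect with these responses."""
    enabled = inspection_enabled(name)
    return {
        "resource": name,
        "inspected": enabled,
        "responses": actions_for(name) if enabled else {},
    }


if __name__ == "__main__":
    for idx in shadowed_entries(REGISTERED_RESOURCES):
        print(f"unreachable registered resource #{idx}: {REGISTERED_RESOURCES[idx]}")
    for request in ("index.html", "logo.gif", "/admin/users.html", "/api/data"):
        print(evaluate(request))
```

Run it before saving a reordered list: with the sample data the index.html entry is reported as unreachable, and /admin/users.html picks up the *.html responses rather than the /admin/* ones because the *.html entry comes first, which is exactly the kind of ordering mistake the first-match rule makes easy. Moving the specific entries ahead of the wildcards clears the report.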