Avi Load Balancer supports WAF for HTTP/HTTPS traffic for Horizon deployments. WAF rules are supported for L7 virtual service for primary protocol (XML/API) traffic.
It is recommended to use System-WAF-Policy-VDI and the default CRS rules. The other rules for response inspection are not required and these signatures or rules must not be enabled in CRS rules.
It is mandatory to add the WAF policy and allowed URI containing
/ice/tunnel/
and/ice/reconnect
to make sure the WAF feature works seamlessly with the Horizon application. Similarly, allow other/ice/
related URIs, if any. Allowing all URIs beginning with/ice
is a best practice.Use the following to add a pre-CRS rule as shown below. This rule is required to make sure that Avi Load Balancer parses the incoming payload as XML payload only.
SecRule REQUEST_METHOD "@streq POST" "phase:1,id:4099822,t:none,nolog,pass,chain" SecRule REQUEST_URI "@streq /broker/xml" "t:none,ctl:requestBodyProcessor=XML"
It is recommended to deactivate command injection rule(932105). This rule is not required for Horizon deployments.
Response based rules must not be enabled.
The missing user-agent rule must be deactivated. It is recommended to deactivate command injection rule(932105).
Avi Load Balancer supports the inbuilt WAF policy for VDI, that is, System-WAF-Policy-VDI. This includes all the required rule customizations. It is recommended to use System-WAF-Policy-VDI.
Configuring WAF for Horizon Deployments
You can either create a new virtual service or configure WAF for HTTP/HTTPS traffic using an existing virtual service. Follow the steps
Creating a WAF profile
Navigate to
.Click Create to create a new profile.
-
Enter a Name for the WAF Policy and retain the default settings for the other options as shown below:
Create the WAF Policy.
-
Navigate to. Select the WAF profile created for Horizon. Alternatively, you can select a default WAF policy.
Navigate to the Allow List tab to configure a rule to make sure WAF does not block requests of URI which contain
/ice/tunnel
.Click Add to view the ADD ALLOW LIST RULE.
-
Click Add under Match and configure as follows:
Click Save.
Note:To allow all URIs beginning with /ice, create the rule under Match section by configuring Criteria as Begins with and String as /ice.
-
-
To add a pre-CRS rule, navigate to the Signatures tab and click Add.
Associating with the required virtual service
Once the WAF profile is ready, navigate to
.-
Select the required L7 virtual service and associate the WAF policy created in the previous step and save the configuration.