Starting with VMware Cloud Director 10.5.1, you can use the web application firewall feature of NSX Advanced Load Balancer within your VMware Cloud Director environment to protect your virtual services from attacks and to proactively prevent threats.
When you enable WAF for a virtual service in VMware Cloud Director, this creates a WAF policy, a WAF profile, and WAF signatures to attach to the virtual service.
Prerequisites
- Familiarize yourself with the NSX Advanced Load Balancer WAF Guide. See VMware NSX Advanced Load Balancer Documentation.
- Verify that you assigned a service engine group with a Premium feature set to the NSX edge gateway.
- Verify that you are logged in as an organization administrator.
Procedure
- From the top navigation bar, select Resources and click Cloud Resources.
- In the left panel, click Edge Gateways.
- Click the NSX edge gateway on which the virtual service is configured.
- Click the virtual service and click WAF.
- Under General, click Edit.
- Toggle on the WAF State option.
- Select a WAF mode.
Option Description Detection The WAF policy evaluates and processes the incoming request, but does not perform a blocking action. A log entry is created when the request is flagged. Enforcement The WAF policy evaluates the request and blocks the request based on the specified rules. The corresponding log entry is marked as REJECTED. - Click Save.
What to do next
If necessary, you can change the WAF mode for a virtual service later or deactivate the web application firewall.
After you enable WAF for your virtual service, you can create allowlist rules or edit WAF signatures as needed.
Configure Allowlist Rules for a Virtual Service
You can use the allowlist functionality to define match conditions and associated actions for the WAF to perform when processing a request.
When you create WAF allowlist rules, you instruct the WAF not to apply the WAF policy in specific cases, for example, if the request comes from a specific IP address or range, or if the request matches the URL pattern specified using the HTTP method match type. Configuring allowlist rules can help prevent flooding your logs with false positive WAF violations and reduces latency generated by WAF signature inspections.
Procedure
Edit the WAF Signatures for a Virtual Service
You can edit the WAF signatures for a virtial service - you can change a signature mode from Detection to Enforcement or the reverse, or, if necessary, deactivate a signature or a signature group.