Starting with VMware Cloud Director 10.5.1, you can use the web application firewall feature of NSX Advanced Load Balancer within your VMware Cloud Director environment to protect your virtual services from attacks and to proactively prevent threats.

When you enable WAF for a virtual service in VMware Cloud Director, this creates a WAF policy, a WAF profile, and WAF signatures to attach to the virtual service.

Prerequisites

  • Familiarize yourself with the NSX Advanced Load Balancer WAF Guide. See VMware NSX Advanced Load Balancer Documentation.
  • Verify that your system administrator assigned a service engine group with a Premium feature set to your NSX edge gateway.
  • Verify that you are logged in as an organization administrator.

Procedure

  1. In the top navigation bar, click Networking and click the Edge Gateways tab.
  2. Click the NSX edge gateway on which the virtual service is configured.
  3. Click the virtual service and click WAF.
  4. Under General, click Edit.
  5. Toggle on the WAF State option.
  6. Select a WAF mode.
    Option Description
    Detection The WAF policy evaluates and processes the incoming request, but does not perform a blocking action. A log entry is created when the request is flagged.
    Enforcement The WAF policy evaluates the request and blocks the request based on the specified rules. The corresponding log entry is marked as REJECTED.
  7. Click Save.

What to do next

If necessary, you can change the WAF mode for a virtual service later or deactivate the web application firewall.

After you enable WAF for your virtual service, you can create allowlist rules or edit WAF signatures as needed.

Configure Allowlist Rules for a Virtual Service

You can use the allowlist functionality to define match conditions and associated actions for the WAF to perform when processing a request.

When you create WAF allowlist rules, you instruct the WAF not to apply the WAF policy in specific cases, for example, if the request comes from a specific IP address or range, or if the request matches the URL pattern specified using the HTTP method match type. Configuring allowlist rules can help prevent flooding your logs with false positive WAF violations and reduces latency generated by WAF signature inspections.

Procedure

  1. In the top navigation bar, click Networking and click the Edge Gateways tab.
  2. Click the NSX edge gateway on which the virtual service is configured.
  3. Click the virtual service and click WAF.
  4. Under Allowlist Rules, click New.
  5. Enter a name for the rule.
  6. To activate the rule upon creation, turn on the Active toggle.
  7. Select match criteria.
    Option Description
    Client IP Address
    1. Select Is or Is Not to indicate whether to perform an action if the client IP matches or doesn't match the value that you enter.
    2. Enter an IPv4 address, or an IPv6 address, or a range, or a CIDR notation.
    3. (Optional) To add more IP addresses, click Add IP.
    HTTP Method
    1. Select Is or Is Not to indicate whether to perform an action if the HTTP method matches or doesn't match the value that you enter.
    2. From the drop-down menu, select one or more HTTP methods.
    Path
    1. Select a criterion for the path.
    2. Enter a path string.
      Note: The path doesn't need to begin with a forward slash (/).
    3. (Optional) To add more paths, click Add Path.
    Host Header
    1. Select a criterion for the host header.
    2. Enter a value for the header.
    You can add one criterion of each type.
  8. Select an action to apply upon a match.
    Option Description
    Bypass The WAF does not execute any further rules and the request is allowed.
    Continue Stops the allowlist execution and proceeds with WAF signature evaluation.
    Detection Mode The WAF evaluates and processes the incoming request, but does not perform a blocking action. A log entry is created when the request is flagged.
  9. Click Add.

Edit the WAF Signatures for a Virtual Service

You can edit the WAF signatures for a virtial service - you can change a signature mode from Detection to Enforcement or the reverse, or, if necessary, deactivate a signature or a signature group.

Procedure

  1. In the top navigation bar, click Networking and click the Edge Gateways tab.
  2. Click the NSX edge gateway on which the virtual service is configured.
  3. Click the virtual service and click WAF.
    Under the Signature Groups section, you can see the signature groups that are included in your WAF policy. You can see if they are actively in use or not. You can also see the number or the rules in each group that are active and the number of rules that have been overriden manually.
  4. Under Signature Groups, click the expand button on the left of the signature group that you want to edit.
  5. To edit the signatures of a group, click Edit Signatures.
  6. Click the expand button on the left of the signature name and select an action.
  7. Click Save.
  8. To disable a signature group, click the expand button on the left of the signature group and click Deactivate.