NSX Advanced Load Balancer supports WAF for HTTP/HTTPS traffic for Horizon deployments. WAF rules are supported for L7 virtual service for primary protocol (XML/API) traffic.

Note:
  • It is recommended to use System-WAF-Policy-VDI together with the default CRS rules. The other rules for response inspection are not required, and these signatures or rules must not be enabled in the CRS rules.

  • It is mandatory to add the WAF policy and allowed URI containing /ice/tunnel/ and /ice/reconnect to make sure the WAF feature works seamlessly with the Horizon application. Similarly, allow other /ice/ related URIs, if any. Allowing all URIs beginning with /ice is a best practice.

  • Add the following pre-CRS rule. It is required so that NSX Advanced Load Balancer parses the incoming payload as an XML payload only.

    SecRule REQUEST_METHOD "@streq POST" "phase:1,id:4099822,t:none,nolog,pass,chain"
    SecRule REQUEST_URI "@streq /broker/xml" "t:none,ctl:requestBodyProcessor=XML"
  • It is recommended to deactivate the command injection rule (932105). This rule is not required for Horizon deployments.

  • Response based rules must not be enabled.

  • The missing user-agent rule must be deactivated.

  • NSX Advanced Load Balancer provides a built-in WAF policy for VDI, System-WAF-Policy-VDI, which includes all the required rule customizations. It is recommended to use System-WAF-Policy-VDI.

Recommendations

For versions prior to 21.1.3, the following points need to be considered while creating a WAF policy for VDI traffic:

  • It is recommended to use the default CRS rules. The other rules for response inspection are not required and these signatures or rules must not be enabled in CRS rules.

  • It is mandatory to add the WAF policy and allowed URI containing /ice/tunnel/ and /ice/reconnect to make sure the WAF feature works seamlessly with the Horizon application. Similarly, allow other /ice/ related URIs, if any. Allowing all URIs beginning with /ice is a best practice.

  • Add the following pre-CRS rule (two chained SecRule lines):

    • SecRule REQUEST_METHOD "@streq POST" "phase:1,id:4099822,t:none,nolog,pass,chain"

    • SecRule REQUEST_URI "@streq /broker/xml" "t:none,ctl:requestBodyProcessor=XML"

  • Response based rules must not be enabled.

  • The missing user-agent rule must be deactivated.

  • It is recommended to deactivate command injection rule (932105).

Create an L7 virtual service (or use the existing virtual service) and follow the steps mentioned below:

  1. Create a WAF profile

    1. Navigate to Template > WAF > WAF Profile. Click Create to create a new profile. Provide the desired name and leave the remaining fields as default.

  2. Create the WAF Policy.

    1. Navigate to Template > WAF > WAF Policy. Select the WAF profile created in the previous step. The default profile can be used too.

  3. Add an allowlist rule

    1. This allowlist makes sure WAF does not block requests whose URI contains /ice/tunnel. This is a mandatory step.

    2. Select the Allowlist tab and click Add Rule.

    3. Provide the following attributes:

      1. Criteria: Contains

      2. String Value: /ice/tunnel/

      3. Action: ALLOW

    4. To allow all URIs beginning with /ice, create the rule under the Match section by specifying:

      1. Criteria: Begins with

      2. String Value: /ice

    5. Similarly, you can create another allowlist rule for /ice/reconnect.

    6. To add the pre-CRS rule, click Save, then open the Signatures tab and click Add PRE-CRS Rules.

  4. Associating the WAF policy with the required virtual service

    1. Once the WAF profile and policy are ready, navigate to Application > Virtual Service.

    2. Select the required L7 virtual service and associate the WAF policy created in the previous step and save the configuration.
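The following Python model is an added illustration of how the Horizon-specific pieces of this policy interact; it is not NSX Advanced Load Balancer code and not the ModSecurity engine. It parses the two pre-CRS SecRule lines from this page, applies chain and @streq semantics (every condition in the chain must match exactly before the ctl: action fires), and evaluates the allowlist criteria from the procedure above. The Request class, the restricted SecRule subset the parser accepts, and the evaluation order (allowlist first, then pre-CRS) are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The two pre-CRS rule lines from this page, exactly as documented.
PRE_CRS_RULES = [
    'SecRule REQUEST_METHOD "@streq POST" "phase:1,id:4099822,t:none,nolog,pass,chain"',
    'SecRule REQUEST_URI "@streq /broker/xml" "t:none,ctl:requestBodyProcessor=XML"',
]

# Allowlist rules in evaluation order, mirroring the UI fields (Criteria, String Value).
ALLOWLIST: List[Tuple[str, str]] = [
    ("Contains", "/ice/tunnel/"),
    ("Contains", "/ice/reconnect"),
    ("Begins with", "/ice"),
]

# Assumption: only the SecRule subset used on this page is supported
# (one variable, the @streq operator, a comma-separated action list).
RULE_RE = re.compile(r'^SecRule\s+(\S+)\s+"@streq\s+([^"]*)"\s+"([^"]*)"$')


@dataclass
class Request:  # constructed for the example, not an Avi/ModSecurity type
    method: str
    uri: str                               # REQUEST_URI: path plus any query string
    body_processor: Optional[str] = None   # set by ctl:requestBodyProcessor


def parse_rules(lines: List[str]) -> List[Dict]:
    """Group SecRule lines into chains.

    A line carrying the 'chain' action is joined with the following line(s);
    the chain matches only if every condition in it matches.
    """
    chains: List[Dict] = []
    current: Optional[Dict] = None
    for line in lines:
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported rule syntax: {line}")
        variable, value, actions = m.group(1), m.group(2), set(m.group(3).split(","))
        if current is None:
            current = {"conditions": [], "actions": set()}
        current["conditions"].append((variable, value))
        current["actions"] |= actions
        if "chain" not in actions:
            chains.append(current)
            current = None
    if current is not None:
        raise ValueError("last rule ends with 'chain' but nothing follows it")
    return chains


def _variable(req: Request, name: str) -> str:
    if name == "REQUEST_METHOD":
        return req.method
    if name == "REQUEST_URI":
        return req.uri
    raise ValueError(f"unsupported variable: {name}")


def apply_pre_crs(req: Request, chains: List[Dict]) -> Request:
    """Run the pre-CRS chains. @streq is an exact compare, so a query string
    on /broker/xml would stop the chain from matching."""
    for chain in chains:
        if all(_variable(req, var) == value for var, value in chain["conditions"]):
            for action in chain["actions"]:
                if action.startswith("ctl:requestBodyProcessor="):
                    req.body_processor = action.split("=", 1)[1]
    return req


def allowlisted(uri: str) -> bool:
    """Apply the allowlist criteria from the procedure in order."""
    for criteria, value in ALLOWLIST:
        if criteria == "Contains" and value in uri:
            return True
        if criteria == "Begins with" and uri.startswith(value):
            return True
    return False


def evaluate(req: Request) -> Tuple[str, Optional[str]]:
    """Return (disposition, body_processor).

    ALLOW: an allowlist rule matched, so the request bypasses WAF inspection.
    INSPECT: the request continues into the CRS with the body processor the
    pre-CRS rule selected (None means the default processor).
    """
    if allowlisted(req.uri):
        return "ALLOW", None
    req = apply_pre_crs(req, parse_rules(PRE_CRS_RULES))
    return "INSPECT", req.body_processor


if __name__ == "__main__":
    for method, uri in [("POST", "/broker/xml"), ("GET", "/broker/xml"),
                        ("POST", "/broker/xml?v=1"), ("GET", "/ice/tunnel/abc")]:
        print(method, uri, "->", evaluate(Request(method, uri)))
```

Running the block shows why the rule is chained: only a POST whose REQUEST_URI is exactly /broker/xml gets the XML body processor, while a GET to the same path or a POST to any other path is left with the default processor. It also makes the breadth of the "Begins with /ice" allowlist visible: any path starting with /ice (not only the tunnel and reconnect endpoints) bypasses inspection, which is the trade-off the best-practice recommendation above accepts.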