NSX Advanced Load Balancer supports WAF for HTTP/HTTPS traffic for Horizon deployments. WAF rules are supported for L7 virtual service for primary protocol (XML/API) traffic.

Note:
  • It is recommended to use System-WAF-Policy-VDI and the default CRS rules. The other rules for response inspection are not required and these signatures or rules must not be enabled in CRS rules.

  • It is mandatory to add the WAF policy and allowed URI containing /ice/tunnel/ and /ice/reconnect to make sure the WAF feature works seamlessly with the Horizon application. Similarly, allow other /ice/ related URIs, if any. Allowing all URIs beginning with /ice is a best practice.

  • Add the following pre-CRS rule. This rule is required to make sure that NSX Advanced Load Balancer parses the incoming payload as an XML payload only.

    SecRule REQUEST_METHOD "@streq POST" "phase:1,id:4099822,t:none,nolog,pass,chain"
    SecRule REQUEST_URI "@streq /broker/xml" "t:none,ctl:requestBodyProcessor=XML"

  • It is recommended to deactivate the command injection rule (932105). This rule is not required for Horizon deployments.

  • Response based rules must not be enabled.

  • The missing user-agent rule must be deactivated.

  • NSX Advanced Load Balancer supports the inbuilt WAF policy for VDI, that is, System-WAF-Policy-VDI. This includes all the required rule customizations. It is recommended to use System-WAF-Policy-VDI.
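To check how the two policy pieces above interact before rolling them out, the following added example (not NSX Advanced Load Balancer code, and not the product's rule engine) parses the pre-CRS chained SecRule lines and the "Begins with /ice" allow list, then reports the disposition of constructed sample requests: allow-listed traffic skips inspection, and only POST /broker/xml is handed to the XML body processor.

```python
import re

# Pre-CRS rule from the Horizon guidance (chained: both SecRules must match).
PRE_CRS_RULES = '''
SecRule REQUEST_METHOD "@streq POST" "phase:1,id:4099822,t:none,nolog,pass,chain"
SecRule REQUEST_URI "@streq /broker/xml" "t:none,ctl:requestBodyProcessor=XML"
'''

# Allow list rule from the WAF policy: Criteria "Begins with", String "/ice".
ALLOW_LIST_PREFIXES = ["/ice"]

# Minimal SecRule syntax: SecRule VARIABLE "@operator argument" "action,action,..."
SECRULE_RE = re.compile(r'^SecRule\s+(\S+)\s+"@(\w+)\s+([^"]*)"\s+"([^"]*)"$')


def parse_secrules(text):
    """Parse SecRule lines into (variable, operator, argument, actions) tuples."""
    rules = []
    for line in text.strip().splitlines():
        m = SECRULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported SecRule syntax: {line}")
        var, op, arg, actions = m.groups()
        rules.append((var, op, arg, actions.split(",")))
    return rules


def rule_matches(var, op, arg, request):
    """Only @streq is modelled, because that is all the pre-CRS rule uses."""
    if op == "streq":
        return request[var] == arg
    raise ValueError(f"operator @{op} not modelled")


def evaluate(request, rules=None, prefixes=ALLOW_LIST_PREFIXES):
    """Disposition for a request: allow-listed (WAF skipped) or inspected,
    plus the body processor selected by the pre-CRS chain, if any."""
    if any(request["REQUEST_URI"].startswith(p) for p in prefixes):
        return {"disposition": "allowlisted", "body_processor": None}
    rules = parse_secrules(PRE_CRS_RULES) if rules is None else rules
    body_processor, i = None, 0
    while i < len(rules):
        chain = [rules[i]]  # a rule with the 'chain' action continues into the next line
        while "chain" in chain[-1][3] and i + 1 < len(rules):
            i += 1
            chain.append(rules[i])
        i += 1
        if all(rule_matches(v, o, a, request) for v, o, a, _ in chain):
            for act in chain[-1][3]:
                if act.startswith("ctl:requestBodyProcessor="):
                    body_processor = act.split("=", 1)[1]
    return {"disposition": "inspected", "body_processor": body_processor}
```

Requests are plain dicts keyed by the ModSecurity variable names (REQUEST_METHOD, REQUEST_URI); a GET to /broker/xml is inspected with no XML processor, which is the chain working as intended.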

Configuring WAF for Horizon Deployments

You can either create a new virtual service or configure WAF for HTTP/HTTPS traffic on an existing virtual service. Follow these steps:

  1. Creating a WAF profile

    1. Navigate to Templates > WAF > WAF Profile.

    2. Click Create to create a new profile.

    3. Enter a Name for the WAF Policy and retain the default settings for the other options.

  2. Creating the WAF policy

    1. Navigate to Templates > WAF > WAF Policy. Select the WAF profile created for Horizon. Alternatively, you can select a default WAF policy.

    2. Navigate to the Allow List tab to configure a rule to make sure WAF does not block requests of URI which contain /ice/tunnel.

    3. Click Add to view the ADD ALLOW LIST RULE.

    4. Click Add under Match and configure the match for the /ice/tunnel URI.

    5. Click Save.

    Note:

    To allow all URIs beginning with /ice, create the rule under Match section by configuring Criteria as Begins with and String as /ice.

  3. To add a pre-CRS rule, navigate to the Signatures tab and click Add.
  4. Associating with the required virtual service

    1. Once the WAF policy is ready, navigate to Application > Virtual Service.

    2. Select the required L7 virtual service and associate the WAF policy created in the previous step and save the configuration.