Configuring Application Rules

To configure Application Rules, navigate to Templates > WAF > WAF Policy and click the Edit icon for the desired policy. Navigate to the Application Rules tab. You can choose the Application Rules by clicking the Application Rules drop-down menu. When an application is selected, it is added to the list of currently configured applications and will showcase the application name, the last update time stamp, and the number of rules for this application.

In this example, Drupal has been chosen as the Application to protect. The policy now contains 21 rules that are active and protect against specific exploits known for Drupal.

To remove an application from the list, click delete icon for that item.

Updating Application Rules

You need to register to the Application Rules of the NSX Advanced Load Balancer Controller using Cloud Services, for the Application Rules feature to work. For more information on configuring through Cloud Services, see Application Rules Service topic in the VMware NSX Advanced Load Balancer Cloud Services Guide. After this initial configuration, Application Rules are updated automatically on a daily basis. Updates are applied to any WAF Policy with a configured application.

App Log Analytics

When an Application Rule is hit, the App Log Analytics captures the event.

It contains information about the type of attack that it has detected. It is seamlessly integrated with other parts of the WAF functionality.

Tuning of Application Rules

The nature of the specific protection provided by Application Rules makes it easy to deploy. There are no false positives because the Signatures target only specific attack vectors.

If there is a need to tune a rule, it can be disabled using CLI.

Steps to Configure through CLI

You can deactivate a rule using the rule ID 2100105 as shown in the following example.

ssh to Controller
shell (login)
configure wafpolicy System-WAF-Policy
application_signatures
where
CTRL/F or CMND/F for rule ID: 2100105 -> note index 
rules index 14160
no enable
save
save
save

The rule is deactivated.

 | rules[500]     |                                                               |
 |   index        | 14160                                                         |
 |   name         | SLR: Arbitrary File Upload in Wordpress Gravity Forms plugin  |
 |   rule_id      | 2100105                                                       |
 |   enable       | False                                                         |
 |   rule         | <sensitive>                                                   |
 |   tags[1]      | application-WordPress                                         |
 |   tags[2]      | language-php                                                  |
 |   tags[3]      | platform-multi                                                |
 |   tags[4]      | attack-remote file inclusion                                  |
 |   is_sensitive | True       								    | 

Troubleshooting

• Application Rules template is empty.

  • Check if the Controller is registered with NSX Advanced Load Balancer Cloud Services.

  • Check if Enable auto-sync Application Rules DB updates opt-in is set.

  • Check config audit log for ALBSERVICES entries.

• Application Rules block a Legitimate Request.

  • Check steps on deactivating an Application Rule in Steps to Configure through CLI.

• Application Rules are not getting updated.

  • Check ALBSERVICES config audit log for details.

  • Update interval is daily. Update checks can be done more frequently. You can check again the next day.

For more information on Cloud Services connection, see Getting Started topic in the VMware NSX Advanced Load Balancer Cloud Services Guide.