This topic explains the application-specific rules for WAF. To secure applications with known vulnerabilities, WAF supports the use of Application Rules. These Application Rules are specifically designed to block attacks on known application vulnerabilities (many of them with Common Vulnerabilities and Exposures (CVEs)). They are automatically updated using the Application Rules of the NSX Advanced Load Balancer Cloud Services. When the admin enables this feature, more than 5000 applications can be selected, thereby activating specific rules for that application in the WAF Policy.

Important:

Following the discontinuation of the Trustwave commercial rule set, the Application rules feature will be marked deprecated on 2024-06-30.

The Application Rules protection will continue to work as before. There is no change to the functionality.

Any rules provided until the deprecation date will continue to protect their respective Applications. Upgrading to newer product versions will not impact the status of existing rules.

All existing rules can be downloaded through the Controler Cloud Services connection as before.

From the deprecation date 2024-06-30 onwards, no new rules will be added.

Reminders about this change have been added to the UI.

For more information on Application Rules for Cloud Services, see the Application Rules Service topic in the VMware NSX Advanced Load Balancer Cloud Services Guide.

For more information on WAF Policy, see WAF Policy.



Configuring Application Rules

To configure Application Rules, navigate to Templates > WAF > WAF Policy and click the Edit icon for the desired policy. Navigate to the Application Rules tab. You can choose the Application Rules by clicking the Application Rules drop-down menu. When an application is selected, it is added to the list of currently configured applications and will showcase the application name, the last update time stamp, and the number of rules for this application.



In this example, Drupal has been chosen as the Application to protect. The policy now contains 21 rules that are active and protect against specific exploits known for Drupal.

To remove an application from the list, click delete icon for that item.

Updating Application Rules

You need to register to the Application Rules of the NSX Advanced Load Balancer Controller using Cloud Services, for the Application Rules feature to work. For more information on configuring through Cloud Services, see the Application Rules Service topic in the VMware NSX Advanced Load Balancer Cloud Services Guide. After this initial configuration, Application Rules are updated automatically on a daily basis. Updates are applied to any WAF Policy with a configured application.

Note:

If a rule has been deactivated, this change is retained when an update is applied.

App Log Analytics

When an Application Rule is hit, the App Log Analytics captures the event.

It contains information about the type of attack that it has detected. It is seamlessly integrated with other parts of the WAF functionality.



Tuning of Application Rules

The nature of the specific protection provided by Application Rules makes it easy to deploy. There are no false positives because the Signatures target only specific attack vectors.

Note:

In contrast to rules, the rule text is not shown.

If there is a need to tune a rule, it can be disabled using CLI.



Steps to Configure through CLI

You can deactivate a rule using the rule ID 2100105 as shown in the following example.

ssh to Controller
shell (login)
configure wafpolicy System-WAF-Policy
application_signatures
where
CTRL/F or CMND/F for rule ID: 2100105 -> note index 
rules index 14160
no enable
save
save
save

The rule is deactivated.

 | rules[500]     |                                                               |
 |   index        | 14160                                                         |
 |   name         | SLR: Arbitrary File Upload in Wordpress Gravity Forms plugin  |
 |   rule_id      | 2100105                                                       |
 |   enable       | False                                                         |
 |   rule         | <sensitive>                                                   |
 |   tags[1]      | application-WordPress                                         |
 |   tags[2]      | language-php                                                  |
 |   tags[3]      | platform-multi                                                |
 |   tags[4]      | attack-remote file inclusion                                  |
 |   is_sensitive | True       								    | 

Troubleshooting

  • Application Rules template is empty.

    • Check if the Controller is registered with NSX Advanced Load Balancer Cloud Services.

    • Check if Enable auto-sync Application Rules DB updates opt-in is set.

    • Check config audit log for ALBSERVICES entries.

  • Application Rules block a Legitimate Request.

  • Application Rules are not getting updated.

    • Check ALBSERVICES config audit log for details.

    • Update interval is daily. Update checks can be done more frequently. You can check again the next day.

Note:

Individual Application rules are only updated once an Application has a new CVE. For more information on CVE, see What is a CVE?

For more information on Cloud Services connection, see Getting Started topic in the VMware NSX Advanced Load Balancer Cloud Services Guide.

Note:

Exceptions are not available for Application Rules. The main reason is that these rules are specific and normally only match a specific parameter on a specific URL. Excluding this parameter from the rule is the same as deactivate the rule and therefore entirely removing the protection.