This section discusses how to configure WAF Policy.

Note:
  • Navigate to Templates > WAF > WAF Policy to locate the default policy.

  • System-WAF-Policy is the default policy in NSX Advanced Load Balancer which is the recommended starting point for all new applications. For example, it contains the NSX Advanced Load Balancer OWASP CRS Signatures. For more information, see Signatures CRS rules.

  • For customizing a policy, it is highly recommended to create a new policy instead of editing the default policy (System-WAF-Policy).

  • When using features like Anomaly Detection, the CRS Group CRS_901_Initialization must be enabled; otherwise the required anomaly thresholds are not set to their defaults. It is generally recommended to keep this group enabled.

  • WAF policies that enable Application Learning cannot be shared between applications, as they contain configuration tailored to that specific application.

The following are the steps to create a new policy:

  1. Navigate to Templates > WAF > WAF Policy.

  2. Click Create.

    Note:

    Create will clone the System-WAF-Policy and use it as the basis for the newly created WAF Policy.

  3. Configure the new WAF Policy under the following tabs:

    1. Settings

    2. Learning

    3. Allowlist

    4. Positive Security

    5. Application Rules

    6. Signatures

  4. Click Save to create the WAF Policy.

Settings Tab

Provide the following details to configure the WAF Policy:

Field / Description / Additional Information

Name
  Description: Enter a relevant name for the policy.

WAF Profile
  Description: Choose the WAF Profile that should be attached to this policy. The profile contains common reusable settings that complement the WAF Policy.
  Additional Information: For more information, see WAF Profile.

Policy Mode
  Description: Select one of the following modes:
    • Detection
    • Enforcement
  Additional Information: For more information, see Selecting a WAF Policy Mode. Detection mode is recommended when onboarding a new application; for more details, see WAF Mode. For more information on mode delegation, see Mixed Mode and Enabling Mode Delegation.

Allow Mode Delegation
  Description: Enable this option to allow individual WAF rules to override the selected Policy Mode, so that a specific action (Detection or Enforcement) can be set for a single rule regardless of the mode that applies to the rest of the rule set.
  Additional Information: The Allow Mode Delegation check box can be toggled only when the selected Policy Mode is Detection, because mode delegation is required in Enforcement mode.

Bypass Static Extension
  Description: Enable this option to bypass WAF for static file extensions.
  Additional Information: For more information on bypassing, see Bypassing WAF.

Paranoia Level
  Description: Set the paranoia level for the WAF Policy. This determines how strict the policy is and has a direct impact on the potential false-positive rate.
  Additional Information: For more information, see What are the Paranoia Modes available in WAF? What are the considerations for choosing the mode?

Geo DB
  Description: Geo Location Mapping Database used by the WAF Policy.

Mode Delegation

A WAF Policy operates in one of the following two modes:

  • Detection: In Detection mode, if a request matches a rule, the request is flagged with an application log message (marked FLAGGED) and allowed through.

  • Enforcement: In Enforcement mode, if a request matches a rule, it is blocked by the Service Engine, and an application log message (marked REJECTED) is generated.

If Mode Delegation is enabled, individual WAF rules can override the Policy Mode, so that they behave differently from the rest of the rules. This is also called mixed mode, and it is another way of fine-tuning the policy to keep legitimate requests from being blocked in Enforcement mode.

A few relevant use cases for enabling Mode Delegation are:

  • Test new rules: You can introduce manually written rules or new CRS rule updates with mixed mode enabled, running the new rules in Detection mode so that legitimate requests are not rejected while you check for false positives.

  • Partial detection: You can configure a few rules in Enforcement mode while retaining the whole WAF Policy in Detection mode.
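The following is an added illustrative model of how the policy mode, the Allow Mode Delegation setting and per-rule modes combine into the FLAGGED/REJECTED outcomes described above; it is not NSX Advanced Load Balancer code, and the rule IDs, match patterns and request strings are constructed for the demonstration (real rules are regex-based and evaluation order is simplified here).

```python
# Illustrative model of WAF Policy mode resolution with mode delegation.
# Added example, not NSX Advanced Load Balancer code; names are constructed.
from dataclasses import dataclass, field
from typing import Optional

DETECTION = "Detection"
ENFORCEMENT = "Enforcement"


@dataclass
class WafRule:
    rule_id: str
    pattern: str                  # constructed: substring matched in the request
    mode: Optional[str] = None    # None means the rule uses the Policy Mode


@dataclass
class WafPolicy:
    mode: str
    allow_mode_delegation: bool
    rules: list = field(default_factory=list)

    def __post_init__(self):
        # Mode delegation is required when the policy is in Enforcement mode.
        if self.mode == ENFORCEMENT and not self.allow_mode_delegation:
            raise ValueError("Allow Mode Delegation is required in Enforcement mode")


def effective_mode(policy: WafPolicy, rule: WafRule) -> str:
    """A rule overrides the Policy Mode only when delegation is allowed."""
    if policy.allow_mode_delegation and rule.mode is not None:
        return rule.mode
    return policy.mode


def evaluate(policy: WafPolicy, request: str) -> tuple:
    """Return (verdict, log): verdict is ALLOWED or REJECTED; log holds the
    application log messages, marked FLAGGED or REJECTED per matching rule.
    Simplification: evaluation stops at the first enforcing match."""
    log = []
    for rule in policy.rules:
        if rule.pattern not in request:
            continue
        if effective_mode(policy, rule) == ENFORCEMENT:
            log.append(f"REJECTED {rule.rule_id}")
            return "REJECTED", log
        log.append(f"FLAGGED {rule.rule_id}")
    return "ALLOWED", log


# Constructed "partial detection" setup: policy stays in Detection for onboarding,
# one well-tested rule is promoted to Enforcement via mode delegation.
SAMPLE_POLICY = WafPolicy(DETECTION, True, [
    WafRule("new-crs-rule", "<script", mode=None),      # follows the policy: Detection
    WafRule("tested-rule", "../", mode=ENFORCEMENT),   # overrides: Enforcement
])
```

Turning off delegation on the same policy makes both rules fall back to Detection, which is why the check box matters when reviewing what a rule-level mode actually does.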

You can enable Mode Delegation through the following steps:

  1. In the NSX Advanced Load Balancer UI, navigate to Templates > WAF > WAF Policy.

  2. Click Create or edit an existing WAF Policy.

  3. In the Settings tab, under Policy Mode, select the check box for Allow Mode Delegation to enable mixed mode.

To enable Policy Mode for a certain rule:

  1. Navigate to the Signatures tab and select the CRS Version.

  2. Expand the Group that the Rule to be edited is part of.

  3. Click the edit icon for the Rule to be edited.

  4. Under Rule Mode, select the option Use Policy Mode.

  5. Click Save.