Web Application Firewall (WAF)
The Xelon HQ Web Application Firewall protects your web applications from common attacks such as SQL injection, cross-site scripting (XSS), and other OWASP Top 10 threats. WAF inspects HTTP/HTTPS traffic at the application layer and blocks malicious requests before they reach your servers.
The Web Application Firewall is managed from the WAF sub-tab within the Networking page. Navigate to Virtual Datacenter > Networking and click the WAF tab.
Creating a WAF Instance
Navigate to Virtual Datacenter > Networking, then click the WAF tab. Click Create WAF. Creating a WAF is similar to creating a load balancer, with the addition of OWASP CRS rule configuration. Configure the following:
| Field | Description |
|---|---|
| Name | A descriptive name for the WAF instance (lowercase letters, numbers, and hyphens only). |
| Tenant / Cloud | Select the tenant and cloud location. |
| Type | Device WAF or Kubernetes WAF. |
| Network / IP | Select the network and configure IP addressing. |
| Apply to... | Select the backend devices or cluster. |
OWASP Security Rules
Xelon HQ WAF includes built-in rule sets based on the OWASP Core Rule Set (CRS). These rules provide protection against the most common web application vulnerabilities:
| Rule Category | Protection |
|---|---|
| SQL Injection | Detects and blocks SQL injection attempts in query parameters, headers, and request bodies. |
| Cross-Site Scripting (XSS) | Blocks reflected and stored XSS payloads. |
| Remote Code Execution | Prevents OS command injection and code execution attempts. |
| Local File Inclusion | Blocks path traversal and file inclusion attacks. |
| Protocol Violations | Enforces HTTP protocol compliance and blocks malformed requests. |
| Scanner Detection | Identifies and blocks automated vulnerability scanners and bots. |
OWASP CRS rules are enabled by default. You can exclude individual rules by clicking the CRS button on each forwarding rule to open the rule exclusion dialog.
Forwarding Rules
WAF forwarding rules define how traffic is routed through the WAF to your backend services. Each rule specifies:
- OWASP CRS rules: Select which OWASP Core Rule Set rules to apply or exclude.
- URL: The incoming URL pattern to match (e.g., https://domain.com/example).
- Destination nodes IP and Ports: Backend server addresses with ports.
- Maintenance mode: Enable to display a maintenance placeholder on the website.
- SSL Generate: Auto-generate an SSL certificate or upload a custom one.
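To make the interaction between forwarding rules and per-rule CRS exclusions concrete, here is an added toy model of the flow described above. It is example code written for this page, not Xelon HQ code: the rule IDs, regular expressions, anomaly threshold and request layout are all constructed and only sketch the CRS categories listed earlier (real CRS rules are far more elaborate). It shows why excluding a rule on one forwarding rule (a documentation site that legitimately contains SQL fragments) does not weaken inspection on the others, and how several low-scoring hits can add up to a block.

```python
"""Toy model of WAF forwarding rules with per-forwarding-rule OWASP CRS exclusions.

Added illustration only: not Xelon HQ code. Rule IDs, patterns, scores and the
anomaly threshold below are constructed for the example.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qsl

# Hypothetical CRS-style rules: (rule id, category, pattern, anomaly score).
CRS_RULES = [
    ("942100", "SQL Injection",
     re.compile(r"(?i)(\bor\b|\band\b)\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+"), 5),
    ("941100", "Cross-Site Scripting (XSS)", re.compile(r"(?i)<\s*script\b"), 5),
    ("930100", "Local File Inclusion", re.compile(r"\.\./"), 5),
    ("913100", "Scanner Detection", re.compile(r"(?i)\b(nikto|sqlmap)\b"), 3),
]
ANOMALY_THRESHOLD = 5  # constructed: block once the summed score reaches this


@dataclass
class ForwardingRule:
    url_prefix: str                  # the URL pattern, e.g. https://domain.com/example
    destination: str                 # backend "ip:port"
    excluded_rules: set = field(default_factory=set)  # CRS ids excluded via the CRS dialog
    maintenance: bool = False        # maintenance mode placeholder instead of forwarding


@dataclass
class Request:
    url: str
    headers: dict
    body: str = ""


def match_rule(rules, request):
    """Pick the forwarding rule whose URL pattern matches; the longest prefix wins."""
    candidates = [r for r in rules if request.url.startswith(r.url_prefix)]
    return max(candidates, key=lambda r: len(r.url_prefix), default=None)


def inspect(request, excluded):
    """Run every non-excluded rule over path, query values, headers and body.

    Returns the list of (rule id, category, score) hits and the summed score.
    """
    parts = urlsplit(request.url)
    targets = [parts.path]
    targets.extend(value for _, value in parse_qsl(parts.query))
    targets.extend(request.headers.values())
    targets.append(request.body)
    hits = []
    for rule_id, category, pattern, score in CRS_RULES:
        if rule_id in excluded:
            continue  # excluded on this forwarding rule only
        if any(pattern.search(t) for t in targets):
            hits.append((rule_id, category, score))
    return hits, sum(score for _, _, score in hits)


def handle(rules, request):
    """Return the WAF decision for one request as a dict."""
    rule = match_rule(rules, request)
    if rule is None:
        return {"action": "no-route"}
    if rule.maintenance:
        return {"action": "maintenance", "rule": rule.url_prefix}
    hits, score = inspect(request, rule.excluded_rules)
    hit_ids = [h[0] for h in hits]
    if score >= ANOMALY_THRESHOLD:
        return {"action": "block", "rule": rule.url_prefix, "hits": hit_ids, "score": score}
    return {"action": "forward", "destination": rule.destination,
            "hits": hit_ids, "score": score}


# Constructed forwarding rules: backend addresses are placeholders.
FORWARDING_RULES = [
    ForwardingRule("https://domain.com/example", "10.0.1.10:8080"),
    # SQL documentation site: rule 942100 excluded because page content legitimately
    # contains fragments that look like boolean SQL conditions.
    ForwardingRule("https://domain.com/sql-docs", "10.0.1.11:8080", excluded_rules={"942100"}),
    ForwardingRule("https://domain.com/legacy", "10.0.1.12:8080", maintenance=True),
]

if __name__ == "__main__":
    samples = [
        Request("https://domain.com/example?q=shoes", {"Host": "domain.com"}),
        Request("https://domain.com/example?id=1' OR '1'='1", {"Host": "domain.com"}),
        Request("https://domain.com/sql-docs/search?q=or 1=1 example", {"Host": "domain.com"}),
        Request("https://domain.com/example", {"Host": "domain.com", "User-Agent": "sqlmap/1.5"}),
        Request("https://domain.com/legacy/", {"Host": "domain.com"}),
    ]
    for req in samples:
        print(req.url, "->", handle(FORWARDING_RULES, req))
```

The scanner-signature hit alone scores below the threshold and is forwarded with its score recorded, which is the behaviour to look for in the logs during tuning; the same signature combined with a path-traversal hit crosses the threshold and is blocked.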
To add a forwarding rule, navigate to the WAF details page and click Add Rule.
Updating WAF Configuration
Modify your WAF configuration from the details page. You can:
- Include or exclude individual OWASP CRS rules per forwarding rule.
- Add, edit, or remove forwarding rules.
- Manage connected devices.
- Enable or disable maintenance mode per rule.
Configuration changes take effect after saving. Monitor your application after making changes to verify the expected behavior.
Deleting a WAF Instance
To delete a WAF instance, navigate to its details page and click Delete. Confirm the action when prompted.
Deleting a WAF instance removes all protection from the associated resource. Web traffic will no longer be inspected for threats. Ensure alternative security measures are in place.
Use Cases and Best Practices
- Public web applications: Deploy a WAF in front of any internet-facing web application to protect against automated attacks and vulnerability exploitation.
- API protection: Use custom rules to validate API request formats and block malformed payloads.
- Compliance: WAF helps meet security compliance requirements (PCI DSS, SOC 2) by demonstrating application-layer protection.
- Layered security: Combine WAF with network firewalls for defense in depth. Network firewalls handle Layer 3/4 filtering while WAF handles Layer 7.
- Regular tuning: Review WAF logs regularly and adjust rules to minimize false positives while maintaining strong protection.
- Test before enforcing: Always run new rules in detection mode first, then switch to prevention mode after verifying they do not block legitimate traffic.
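The last two points, reviewing logs to tune out false positives and running new rules in detection mode before enforcing them, are easier to act on with a small triage script. The one below is an added example, not part of the Xelon HQ product or this page: the key=value log format and every log line are constructed (the page does not specify the real log layout), and the heuristic it applies (a rule that fires on the same application path from many distinct client addresses during detection mode is a candidate for exclusion, while repeated hits from a single source are not) is a starting point for a human review, not a verdict.

```python
"""Triage of detection-mode WAF logs to find exclusion candidates before enforcing.

Added example, not Xelon HQ code. The log format and sample lines are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in a hypothetical key=value layout (client addresses are
# from the documentation range 198.51.100.0/24).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z mode=detect fwd=/example crs_id=942100 action=would_block src=198.51.100.7 url=https://domain.com/example/search?q=select+a+chair+or+a+table
2024-05-01T10:00:09Z mode=detect fwd=/example crs_id=942100 action=would_block src=198.51.100.21 url=https://domain.com/example/search?q=where+to+buy+or+rent
2024-05-01T10:01:30Z mode=detect fwd=/example crs_id=942100 action=would_block src=198.51.100.33 url=https://domain.com/example/search?q=union+street+store
2024-05-01T10:02:00Z mode=detect fwd=/example crs_id=941100 action=would_block src=198.51.100.50 url=https://domain.com/example/comment
2024-05-01T10:02:02Z mode=detect fwd=/example crs_id=941100 action=would_block src=198.51.100.50 url=https://domain.com/example/comment
2024-05-01T10:02:05Z mode=detect fwd=/example crs_id=930100 action=would_block src=198.51.100.50 url=https://domain.com/example/download?file=../../config.ini
2024-05-01T10:02:07Z mode=detect fwd=/example crs_id=913100 action=would_block src=198.51.100.50 url=https://domain.com/example/
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) mode=(?P<mode>\S+) fwd=(?P<fwd>\S+) crs_id=(?P<crs_id>\d+) "
    r"action=(?P<action>\S+) src=(?P<src>\S+) url=(?P<url>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            event = m.groupdict()
            event["path"] = urlsplit(event["url"]).path  # group by path, not full query
            events.append(event)
    return events


def summarize(events):
    """Aggregate would-block events per (forwarding rule, CRS id, path)."""
    rows = defaultdict(lambda: {"count": 0, "sources": set(), "sample_url": None})
    for e in events:
        if e["action"] != "would_block":
            continue
        row = rows[(e["fwd"], e["crs_id"], e["path"])]
        row["count"] += 1
        row["sources"].add(e["src"])
        row["sample_url"] = row["sample_url"] or e["url"]
    return rows


def exclusion_candidates(events, min_sources=3):
    """Rules that fired on one path from at least min_sources distinct clients.

    Many unrelated visitors tripping the same rule on the same page is the usual
    shape of a false positive; a single source hammering several rules is not.
    """
    rows = summarize(events)
    return sorted(key for key, row in rows.items() if len(row["sources"]) >= min_sources)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for (fwd, crs_id, path), row in sorted(summarize(evts).items()):
        print(f"{fwd} {crs_id} {path}: {row['count']} hits from {len(row['sources'])} sources")
    print("review for exclusion before switching to prevention:", exclusion_candidates(evts))
```

Run it against an export of detection-mode logs for the forwarding rule you are about to enforce; each candidate is then checked by hand against the sample URL, and only rules confirmed to be hitting legitimate traffic are excluded via the CRS dialog before switching to prevention mode.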