Chapter 9. WAF
The WAF (Web Application Firewall) in NG-UTM provides advanced protection for external-facing web servers.
Attackers targeting a web server typically aim to take it down or to steal the valuable data held in its database.
Common attack methods include SQL injection and cross-site scripting (XSS); the WAF blocks them in front of the web server, before they reach it.
There are 2 protocols for web servers, HTTP and HTTPS.
The WAF operates much like a reverse proxy. If the backend web server uses HTTPS, the server's certificate must be imported into the WAF.
Otherwise, users browsing the website from outside will encounter certificate errors. HTTP requires no additional configuration.
There are 3 steps to enable WAF:
1. In 4-1. Security Policy, create a policy under Incoming or Advance that directs HTTP/HTTPS traffic to the internal web server and enables the WAF function.
As shown in Figure 9-1, the internal server is https://192.168.189.151.
2. NG-UTM will list servers with WAF mechanism enabled under “WAF > Website Management”. HTTPS requires importing the certificate of the website server, while HTTP does not require any additional settings.
3. Go to “WAF > WAF Settings” to enable WAF and select control items and rules.
9-1. WAF Settings
9-1-1. WAF Setting
NG-UTM’s WAF has 19 categories, with the number in parentheses indicating the quantity of sub-items in each category. Administrators can choose to record/block actions for entire categories or individual items.
Record logs the behaviour that matches a rule and lets the request through; Block drops the matching request, so the backend web server never receives it.
When enabling WAF for the first time, if there is a concern about wrongly blocking users' browsing, enable Record first and then review the triggered rules in the WAF log.
【Enable】: Enable WAF functionality.
【Anomaly Connection Block】: Temporarily block the source IP address if it triggers more than the set times per minute. The range is from 0 to 9999, where 0 means no blocking.
【IP Blocking Period】: How long a source IP stays blocked after an abnormal-connection block before the system unblocks it. The range is from 0 to 9999, where 0 means the IP is not unblocked.
【Block Forever】: After exceeding a certain number of abnormal connection blocking times, permanently block the IP address. The range is from 0 to 9999, where 0 means no limit.
【Blocking IP】: Click to view the currently blocked source IP addresses. Administrators can unblock individual or all blocked IPs.
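The three counters above interact (a per-minute trigger threshold, a temporary block period, and an escalation to a permanent block), and the zero values each disable a different part. The following Python model, added here as an illustration and not NG-UTM code, shows one consistent reading of those rules on a constructed sequence of rule hits. It assumes the blocking period is measured in seconds; the page does not state the unit.

```python
from collections import defaultdict, deque


class AnomalyBlocker:
    """Model of the WAF Setting counters (added illustration, not NG-UTM code).

    triggers_per_minute : Anomaly Connection Block (0 = never block)
    block_period        : IP Blocking Period, assumed to be in seconds (0 = no automatic unblock)
    block_forever_after : Block Forever, temporary blocks after which the IP stays blocked (0 = no limit)
    """

    def __init__(self, triggers_per_minute, block_period, block_forever_after):
        self.triggers_per_minute = triggers_per_minute
        self.block_period = block_period
        self.block_forever_after = block_forever_after
        self.window = defaultdict(deque)     # ip -> rule-hit timestamps within the last 60 s
        self.blocked_until = {}              # ip -> time the block expires (inf = manual unblock only)
        self.block_count = defaultdict(int)  # ip -> number of temporary blocks so far
        self.permanent = set()               # ips blocked forever

    def status(self, ip, now):
        """Return 'allowed', 'blocked' or 'permanent' for ip at time now (seconds)."""
        if ip in self.permanent:
            return "permanent"
        until = self.blocked_until.get(ip)
        if until is not None:
            if now < until:
                return "blocked"
            del self.blocked_until[ip]       # blocking period elapsed: unblock
        return "allowed"

    def on_rule_hit(self, ip, now):
        """Record one WAF rule hit from ip and return the status that applies after it."""
        state = self.status(ip, now)
        if state != "allowed" or self.triggers_per_minute == 0:
            return state
        hits = self.window[ip]
        hits.append(now)
        while now - hits[0] >= 60:           # drop hits older than one minute
            hits.popleft()
        if len(hits) <= self.triggers_per_minute:
            return "allowed"
        # More than the set number of hits in one minute: block this source.
        hits.clear()
        self.block_count[ip] += 1
        if self.block_forever_after and self.block_count[ip] > self.block_forever_after:
            self.permanent.add(ip)
            return "permanent"
        self.blocked_until[ip] = float("inf") if self.block_period == 0 else now + self.block_period
        return "blocked"

    def unblock(self, ip):
        """Administrator action from the Blocking IP list: lift a temporary or permanent block."""
        self.blocked_until.pop(ip, None)
        self.permanent.discard(ip)

    def blocked_ips(self, now):
        """Contents of the Blocking IP list at time now."""
        candidates = set(self.blocked_until) | self.permanent
        return sorted(ip for ip in candidates if self.status(ip, now) != "allowed")


if __name__ == "__main__":
    # Constructed scenario: 3 hits per minute allowed, 30 s block, permanent after 2 blocks.
    waf = AnomalyBlocker(triggers_per_minute=3, block_period=30, block_forever_after=2)
    for t in (0, 1, 2, 3):
        print(t, waf.on_rule_hit("203.0.113.5", t))
    print("blocked list at t=10:", waf.blocked_ips(10))
```

The sliding one-minute window is what makes "more than N times per minute" meaningful: three hits followed by a fourth a minute later never blocks, while four hits within a few seconds do. Set the threshold to a value that a legitimate user with a misbehaving web application would not reach while Record mode is still on.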
9-1-2. Website Management
Lists every web server for which a control rule enables WAF, keyed by the actual internal server IP address that provides the service rather than by the external IP it is published on.
For example, suppose 2 control rules enable WAF:
Rule 1: www.def.com (public IP 1.1.1.1) → internal web server (virtual IP 192.168.1.1)
Rule 2: www.def.com (public IP 2.2.2.2) → internal web server (virtual IP 192.168.1.1)
The website www.def.com is served on 2 external IP addresses (1.1.1.1 and 2.2.2.2) for load balancing, but both lead to the same internal web server 192.168.1.1. Website Management therefore shows only the server IP 192.168.1.1.
【Server IP】: The actual IP address of the internal web server.
【Server Port】: The port used by the web server. Generally, 80 is for http, and 443 is for https. Administrators can also change the port based on the network environment, such as 8080, 8000, 8443, etc.
【Protocol】: The communication protocol used by the web server, HTTP or HTTPS. HTTPS requires importing the certificate used by the original web server; if it is not imported, users' browsers will display certificate errors.
【Security】: The TLS versions the website accepts once the WAF fronts it can be selected here: TLS 1.0, TLS 1.1, TLS 1.2 and TLS 1.3.
【Server Name】: The name of the web server. If it is blank, external connection requests are forwarded directly to the web server. If the backend web server hosts multiple Virtual Hosts, enter the actual Virtual Host name so the backend can distinguish them by SNI.
【Certificate Information】: HTTPS protocol requires importing the certificate of the backend server into WAF.
Click in the “Server, Certificate List” to modify. Each Virtual Host requires importing the corresponding certificate. There are 2 sources for the backend server’s certificate: Local Certificate and User Define. User Define imports the existing certificate of the backend server, while Local Certificate uses the certificate file of NG-UTM.
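To make the Website Management model concrete (one entry per internal server, a blank Server Name for direct forwarding, named Virtual Hosts matched by SNI, and a certificate required for every HTTPS entry), here is an added Python illustration; it is not NG-UTM code, and the rule records, the second backend 192.168.1.2 and the example.org host names are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class PolicyRule:
    """A 4-1 Security Policy rule that enables WAF: public IP -> internal server."""
    external_ip: str
    internal_ip: str
    port: int
    protocol: str  # "http" or "https"


@dataclass
class Website:
    """One Website Management entry, keyed by the internal server rather than the public IP."""
    server_ip: str
    port: int
    protocol: str
    # Server Name -> imported certificate (None = not imported yet). The blank name ""
    # means requests are forwarded directly; named entries are virtual hosts matched by SNI.
    virtual_hosts: Dict[str, Optional[str]] = field(default_factory=dict)


def build_website_list(rules):
    """Collapse policy rules onto their internal servers: 2 public IPs for one backend give 1 entry."""
    sites: Dict[Tuple[str, int], Website] = {}
    for r in rules:
        key = (r.internal_ip, r.port)
        sites.setdefault(key, Website(r.internal_ip, r.port, r.protocol, {"": None}))
    return sites


def set_certificate(site, server_name, certificate):
    """Import a certificate for one virtual host ("" is the direct-forward entry)."""
    site.virtual_hosts[server_name] = certificate


def route(site, client_sni):
    """Which entry serves a TLS connection carrying client_sni: exact virtual-host match first,
    then the blank entry (forward directly), otherwise None (no matching host)."""
    if client_sni and client_sni in site.virtual_hosts:
        return client_sni
    return "" if "" in site.virtual_hosts else None


def missing_certificates(sites):
    """HTTPS entries with no imported certificate; browsers will show certificate errors for these."""
    return [(s.server_ip, name) for s in sites.values() if s.protocol == "https"
            for name, cert in s.virtual_hosts.items() if cert is None]


if __name__ == "__main__":
    rules = [PolicyRule("1.1.1.1", "192.168.1.1", 443, "https"),
             PolicyRule("2.2.2.2", "192.168.1.1", 443, "https")]
    sites = build_website_list(rules)
    print(sorted(sites))               # [('192.168.1.1', 443)]
    print(missing_certificates(sites))  # [('192.168.1.1', '')]
```

Running `missing_certificates` before enabling WAF on an HTTPS server is the check that prevents the certificate-error symptom described above; with virtual hosts, every name needs its own certificate, so the check is per name rather than per server.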
9-1-3. Block Page
When WAF is in operation, there are often many servers in the backend, and the content of each server may not be the same. Therefore, the data presented to users during blocking will also differ. These blocking messages can be configured here.
• Default Block Page Setting
You can set the theme and content of the default blocking page. After entering and saving, you can click 【View】 to preview whether the page meets expectations.
Below, you can view and modify custom blocking pages in the custom blocking page list.
• Define Block Page List
Click below the Define Block Page list to add a new block page:
Enter the name of this block page; the theme and content are pre-filled with the settings of the default block page and can be modified.
Select the servers that should use this custom block page; the system automatically lists the servers that have been created for administrators to tick.
After saving, the settings are completed and can be viewed in the custom blocking page list.
9-1-4. WAF Whitelist
Because the WAF inspects traffic strictly, the code of some websites may trigger WAF rules on legitimate requests. If the violation is a low-risk rule, administrators can add it to the whitelist, and the system will skip that rule when inspecting the whitelisted URL.
Click in the WAF Whitelist list to add an entry:
【Name】: The name of this whitelist.
【Whitelist URL】: Which URL to set as a whitelist.
【Whitelist Items】: Items that will not be checked for this URL.
Note
Administrators can find mistaken blocks in the WAF blocking records and directly add them to the whitelist in the records.
9-2. WAF LOG
9-2-1. WAF LOG
Every rule hit detected by NG-UTM's WAF is listed here, so administrators can see which techniques attackers are using.
Administrators can query based on conditions, and the results will be displayed in the record list.
【Action】: There are two types of actions: record and block. The system distinguishes them with colors. Pink for block and white for record.
【Source IP】: The source IP address of the attacker.
【URL】: The URL being attacked. If the event is a false positive caused by the coding of your own web application, it can be discovered and corrected from here.
【Destination Server】: The actual IP address of the web server with WAF service enabled.
【Category】: Which category of WAF attack classification this belongs to.
【Event】: Which sub-event within the category.
【Connection Count】: The number of attacks from the same source IP address.
【Whitelist】: If the administrator confirms it as a false block by WAF, clicking the whitelist icon will set this rule as whitelist.
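The WAF Whitelist (9-1-4) and the WAF LOG columns above describe one workflow: a rule hit is either skipped because the URL and item are whitelisted, recorded, or blocked according to the category setting, and repeated hits from one source are summed into Connection Count; a false positive found in the log can be turned into a whitelist entry. The Python below, added here as an illustration and not NG-UTM code, runs that workflow over constructed log records. The category and event names are placeholders, and it assumes the Whitelist URL matches as a prefix of the requested URL.

```python
from collections import Counter

# Constructed sample WAF log records (not real NG-UTM output). Category and event
# names are placeholders for the product's 19 categories and their sub-items.
SAMPLE_HITS = [
    {"src": "203.0.113.5", "url": "/login?user=x", "server": "192.168.1.1",
     "category": "SQL Injection", "event": "sqli-tautology"},
    {"src": "203.0.113.5", "url": "/login?user=y", "server": "192.168.1.1",
     "category": "SQL Injection", "event": "sqli-tautology"},
    {"src": "203.0.113.5", "url": "/search?q=z", "server": "192.168.1.1",
     "category": "Cross-site Scripting", "event": "xss-script-tag"},
    # A legitimate reporting page whose query parameter happens to contain SQL keywords:
    {"src": "198.51.100.7", "url": "/api/report?filter=select+name", "server": "192.168.1.1",
     "category": "SQL Injection", "event": "sqli-keyword"},
    {"src": "198.51.100.7", "url": "/admin?cmd=select+name", "server": "192.168.1.1",
     "category": "SQL Injection", "event": "sqli-keyword"},
    {"src": "192.0.2.9", "url": "/", "server": "192.168.1.2",
     "category": "Protocol Anomaly", "event": "proto-bad-header"},
]

# Administrator's choices from WAF Settings: record/block per category, with optional
# per-item overrides. A category not listed here is not checked at all.
CATEGORY_ACTION = {"SQL Injection": "block", "Cross-site Scripting": "record"}
ITEM_ACTION = {"xss-event-handler": "block"}

# WAF Whitelist entries: Name, Whitelist URL, Whitelist Items.
WHITELIST = [{"name": "report filter", "url": "/api/report", "items": {"sqli-keyword"}}]


def is_whitelisted(hit, whitelist):
    """Assumption: the Whitelist URL matches as a prefix of the requested URL."""
    return any(hit["url"].startswith(w["url"]) and hit["event"] in w["items"]
               for w in whitelist)


def decide(hit, category_action=CATEGORY_ACTION, item_action=ITEM_ACTION, whitelist=WHITELIST):
    """Action taken on one rule hit: whitelisted, block, record or not-checked.
    A per-item setting overrides the category setting."""
    if is_whitelisted(hit, whitelist):
        return "whitelisted"
    return item_action.get(hit["event"]) or category_action.get(hit["category"]) or "not-checked"


def connection_counts(hits, whitelist=WHITELIST):
    """Connection Count column: hits per (source IP, event), whitelisted hits excluded."""
    return Counter((h["src"], h["event"]) for h in hits if not is_whitelisted(h, whitelist))


def whitelist_from_hit(hit, name):
    """Build a whitelist entry straight from a log record, as the whitelist icon in the log does.
    The query string is dropped so the entry covers the page rather than one request."""
    return {"name": name, "url": hit["url"].split("?", 1)[0], "items": {hit["event"]}}


def blocked_sources(hits, **settings):
    """WAF Blocking Records view: distinct source IPs with at least one blocked hit."""
    return sorted({h["src"] for h in hits if decide(h, **settings) == "block"})


if __name__ == "__main__":
    for h in SAMPLE_HITS:
        print(decide(h), h["src"], h["category"], h["event"], h["url"])
    print(connection_counts(SAMPLE_HITS))
    print("blocked sources:", blocked_sources(SAMPLE_HITS))
```

Note that `whitelist_from_hit` whitelists only the one item that fired, on the one page where it fired. Whitelisting a whole category or the site root would silence real attacks along with the false positive, so keep entries as narrow as the log record allows.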
9-2-2. WAF Blocking Records
Every source IP address blocked by NG-UTM’s WAF can be queried here based on conditions.