Web Firewall Self service provides guides to create and operate web firewall instances to help protect web servers. This document introduces how to use the Web Firewall Self service.
To use the Web Firewall service, log in to NHN Cloud Console, and activate the service by clicking Security > Web Firewall in the service list.
[note] * Service fees are charged as soon as the instance is created. * The minimum recommended instance specification for WAPPLES SA (PENTA WAF) is 2 vCores / 4GB of memory. Using an instance with a lower specification than recommended may cause malfunctions, so you must use an instance type that meets or exceeds this specification.
[Caution] * When configuring a web firewall, traffic goes through the web firewall, and service failure may occur if the instance is deleted while in use. * Ensure associated services are carefully reviewed before deleting a Web Firewall instance.
This guide provides detailed procedures to reference when creating a web firewall instance.
1. Select the 'PENTA WAF' image from the public image list.
[note] * The minimum recommended specification is 2 vCores / 4GB; make sure to use an instance type at or above this minimum specification. Otherwise, the Web Firewall may not function properly.
Throughput (Mbps) | Instance type | vCPU | Memory(GB) |
---|---|---|---|
100 | m2.c2m4 | 2 | 4 |
300 | m2.c4m8 | 4 | 8 |
700 | m2.c8m16 | 8 | 16 |
1,500 | m2.c16m32 | 16 | 32 |
[Table 1. Web Firewall (WAPPLES SA) Recommended Instance Type]
Direction | IP Protocol | Port | Remote(CIDR) | Description |
---|---|---|---|---|
In | TCP | 80 (HTTP) | 0.0.0.0/0 | WAF Web Service Port |
In | TCP | 443 (HTTPS) | 0.0.0.0/0 | WAF Web Service Port *Refer to the note below |
In | TCP | 5001 | Admin IP | WAF Management Console(UI) Port(Allow Only Admin IP) |
In | TCP | 22 (SSH) | Admin IP | WAF SSH Terminal Port(Allow Only Admin IP) |
In | TCP | 5000 | IP of the LB located at the top of the WAF | Health Check Port of the LB located at the top of the WAF |
In | TCP | 5984 | Security group of the WAF or WAF IP range | WAF policy synchronization *Required for HA configuration |
*Out | ALL | - | 0.0.0.0/0 | Communication with external servers for purposes such as external licenses, signature updates, etc. of the WAF (When individual configuration is required, refer to [Table 3. WAF Outbound List]) |
[Table 2. Security Group Configuration Example]
[note] * When configuring HA and using the configuration synchronization feature, allowing port 5984 between WAFs is additionally required.
It is recommended to allow all outbound communication for the WAF, as in the '*Out' rule shown in [Table 2. Security Group Configuration Example]. If only specific outbound destinations are to be allowed, refer to [Table 3. WAF Outbound List] below.
Direction | IP Protocol | Port | Remote(CIDR) | Description |
---|---|---|---|---|
Out | TCP | 443 (HTTPS) | 218.145.29.166/32 | WAF License Update Server |
Out | TCP | 443 (HTTPS) | 218.145.29.101/32 | WAF License Update Server |
Out | TCP | 5001 | 218.145.29.168/32 | WAF Security Rule(Custom Rule) Update Server |
Out | UDP | 123 | 218.145.29.166/32 | Penta Security Time Server (changeable) |
Out | UDP | 123 | 218.145.29.163/32 | Penta Security Time Server (changeable) |
Out | UDP,TCP | 53 | 164.124.101.2/32 | DNS Server - LG U+ (changeable) |
Out | UDP,TCP | 53 | 8.8.8.8/32 | DNS Server - Google (changeable) |
*Out | TCP | 5984 | Security group of the WAF or WAF IP range | WAF policy synchronization *Required for HA configuration |
[Table 3. WAF Outbound List]
[Caution] * If the TCP 443 (HTTPS) policy for the protected server has not yet been configured on the web firewall, the web firewall's management console (UI) is reachable via TCP 443 (HTTPS). Therefore, add the 'Inbound TCP 443' rule to the security group only after configuring TCP 443 for the protected server on the web firewall.
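As an added example (not part of this guide or of the NHN Cloud console), the following script audits a WAF security group's inbound rules against [Table 2] and the caution above: management ports (22, 5001) must be limited to the admin IP, inbound 443 should not be opened before the protected server's HTTPS policy exists on the WAF, port 5984 is only needed for HA, and the required ports (80, LB health-check 5000) must be present. The rule dictionary shape and the CIDRs are assumptions of this example.

```python
from ipaddress import ip_network

# Constructed rule set modelled on Table 2; the dict shape is an assumption of this
# example, not the NHN Cloud console's own export format. CIDRs are placeholders.
ADMIN_CIDR = "203.0.113.10/32"   # placeholder: administrator's IP
LB_CIDR = "10.0.0.5/32"          # placeholder: IP of the LB above the WAF
EXAMPLE_RULES = [
    {"direction": "in", "proto": "tcp", "port": 80,   "remote": "0.0.0.0/0"},
    {"direction": "in", "proto": "tcp", "port": 443,  "remote": "0.0.0.0/0"},
    {"direction": "in", "proto": "tcp", "port": 5001, "remote": "0.0.0.0/0"},  # misconfigured
    {"direction": "in", "proto": "tcp", "port": 22,   "remote": ADMIN_CIDR},
    {"direction": "in", "proto": "tcp", "port": 5000, "remote": LB_CIDR},
]

MANAGEMENT_PORTS = {22: "SSH", 5001: "management console (UI)"}

def audit_waf_inbound(rules, https_target_configured, ha_enabled):
    """Check inbound rules against Table 2 and the TCP 443 caution.

    Returns a list of human-readable findings; an empty list means the
    rule set matches the guide's recommendations for the given state.
    """
    findings = []
    seen_ports = set()
    for r in rules:
        if r["direction"] != "in" or r["proto"] != "tcp":
            continue
        port, remote = r["port"], ip_network(r["remote"])
        seen_ports.add(port)
        # Management ports must be limited to the admin IP, never world-open.
        if port in MANAGEMENT_PORTS and remote.prefixlen == 0:
            findings.append(f"port {port} ({MANAGEMENT_PORTS[port]}) is open to "
                            f"{remote}; allow only the admin IP")
        # Caution in the guide: 443 exposes the management UI until the
        # protected server's HTTPS policy exists on the WAF.
        if port == 443 and not https_target_configured:
            findings.append("inbound 443 allowed before the HTTPS target server "
                            "is configured on the WAF; management UI reachable")
        # 5984 is only needed for HA policy synchronization.
        if port == 5984 and not ha_enabled:
            findings.append("port 5984 (policy sync) allowed without HA; remove it")
    required = {80, 5000} | ({5984} if ha_enabled else set())
    for port in sorted(required - seen_ports):
        findings.append(f"required inbound port {port} is missing")
    return findings

if __name__ == "__main__":
    for f in audit_waf_inbound(EXAMPLE_RULES, https_target_configured=False, ha_enabled=False):
        print("FINDING:", f)
```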
Access the Web Firewall's Management Console(UI) in a Browser (Chrome Recommended)
Configuration > System > Time Sync
Security Settings > Network Settings > Proxy IP
Configure WAF Protection Target Servers
[note] * If the WAF needs to provide HTTPS, you can proceed by adding a certificate under [Network Settings > SSL Profile > SSL Profile Settings], and then configure SSL settings when adding each destination web server. * For more details, please refer to the user manual located under the 'WEB Firewall Operation' section below.
[Notes when applying the WAF] * Network routing must be modified to apply the WAF service to the customer's infrastructure environment. * Depending on the customer's infrastructure configuration, it may be necessary to update DNS to point to the WAF floating IP or to the floating IP of the load balancer above the WAF.
[note] * In the 'Self' service, only the user guide is provided, while the 'Managed' service offers operation management and 24/7 security monitoring.