08-Configuration Examples

HomeSupportConfigure & DeployH3C Firewall Products Comware 7 Web Configuration Guide-6W40208-Configuration Examples
Table of Contents
Related Documents
42-WAF Configuration Examples
Title Size Download
42-WAF Configuration Examples 86.81 KB

WAF configuration examples

Introduction

 

The following information provides WAF configuration examples.

 

This document is not restricted to specific software or hardware versions. Procedures and information in the examples might be slightly different depending on the software or hardware version of the device.

The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

The following information is provided based on the assumption that you have basic knowledge of the WAF feature.

Restrictions and guidelines

 

The WAF feature requires a license to run on the device. After the license expires, WAF can use the existing WAF signature library on the device, but the library cannot be updated.

Network configuration

As shown in Figure 1, the device acts as the security gateway of the internal network. Configure the WAF feature on the device to protect the internal network against Web application attacks from the Internet.

Figure 1 Network diagram

 

Software versions used

This configuration example was created and verified on F9345 of the F1060 device.

Procedure

1.     Assign IP addresses to interfaces:

# On the top navigation bar, click Network.

# From the navigation pane, select Interface Configuration > Interfaces.

# Click the Edit icon for GE 1/0/1.

# In the dialog box that opens, configure the interface:

a.     Select the Trust security zone.

b.     On the IPv4 Address tab, enter the IP address and mask of the interface. In this example, enter 10.1.1.1/24.

c.     Use the default settings for other parameters.

d.     Click OK.

# Add GE 1/0/2 to the Untrust security zone and set its IP address to 20.1.1.1./24 in the same way you configure GE 1/0/1.

2.     Configure settings for routing:

This example configures a static route.

# On the top navigation bar, click Network.

# From the navigation pane, select Routing > Static Routing.

# On the IPv4 Static Routing tab, click Create.

# In the dialog box that opens, configure a static IPv4 route to reach 0.0.0.0:

a.     Enter destination IP address 0.0.0.0.

b.     Enter mask length 0.

c.     Enter next hop address 20.1.1.2.

d.     Use the default settings for other parameters.

e.     Click OK.

3.     Update the WAF signature library to the latest version. (Details not shown.)

4.     Configure a WAF profile:

# On the top navigation bar, click Objects.

# From the navigation pane, select APPSecurity > WAF > Profiles.

# Click Create.

# In the dialog box that opens, configure a WAF profile:

¡     Enter the name waf.

¡     In the Signature filtering criteria area, perform the following settings:

-     Select All for the protected targets.

-     Select All for the attack categories.

-     Set To-server and To-client for the direction.

-     Set the default actions to drop, permit, reset, and blacklist.

-     Set the severity levels to critical, high, medium, and low.

Figure 2 Signature filtering criteria configuration

 

# In the Global profile action area, perform the following settings:

¡     Set drop as the action.

¡     Enable logging.

¡     Use the default settings for other parameters.

Figure 3 Global profile action configuration

 

# Click OK.

5.     Create security policies:

# On the top navigation bar, click Policies.

# From the navigation pane, select Security Policies > Security Policies.

# Click Create, and then click Create a policy.

# In the dialog box that opens, configure a security policy named untrust-trust to permit the specified traffic from the Untrust to Trust security zones:

¡     Enter policy name untrust-trust.

¡     Select source zone Untrust.

¡     Select destination zone Trust.

¡     Select type IPv4.

¡     Select action Permit.

¡     Select destination IP address 10.1.1.0/24.

¡     Select WAF profile waf in the Content security area.

¡     Use the default settings for other parameters.

# Click OK.

# Create security policy trust-untrust to permit the specified traffic from the Trust to Untrust security zones:

¡     Enter policy name trust-untrust.

¡     Select source zone Trust.

¡     Select destination zone Untrust.

¡     Select type IPv4.

¡     Select action Permit.

¡     Select source IP addresses 10.1.1.0/24.

¡     Select WAF profile waf in the Content security area.

¡     Use the default settings for other parameters.

# Click OK.

# Click Submit to have the WAF profile configuration take effect.

Verifying the configuration

Verify that WAF can protect the internal network from known Web application layer attacks.

You can view the threat logs generated for these events from log hosts. (Details for configuring log hosts are not shown.)

 

  • Cloud & AI
  • InterConnect
  • Intelligent Computing
  • Security
  • SMB Products
  • Intelligent Terminal Products
  • Product Support Services
  • Technical Service Solutions
All Services
  • Resource Center
  • Policy
  • Online Help
All Support
  • Become A Partner
  • Partner Policy & Program
  • Global Learning
  • Partner Sales Resources
  • Partner Business Management
  • Service Business
All Partners
  • Profile
  • News & Events
  • Online Exhibition Center
  • Contact Us
All About Us
新华三官网