Managed WAF

Alert Logic Web Security Manager provides two offerings:

  • Web Security Manager—Out-of-Band web application firewall (WAF) that monitors your web traffic and logs web violations but does not block any requests. For more information about Web Security Manager, see Web Security Manager.
  • Managed WAF—Inline WAF that actively blocks attacks.

The Managed WAF appliance is not customer facing; the Alert Logic Security Operations Center addresses all possible threats.

For more information, see the Web Security Manager administration manual.

Access Web Application IDS options

To access the Cloud Defender Web Application IDS dashboard page in the Alert Logic console, click OVERVIEW, click Dashboards, and then click Web Application IDS.

To access the Cloud Defender Web Application IDS configuration page in the Alert Logic console, click CONFIGURATION, and then click Web Application IDS.

Search and work with deny logs

On the Deny Logs page, you can use two major features to help you search and sort through deny logs. You can use these features alone or in combination to suit your workflow. For a more detailed explanation of the search features available, view the following table:

Search feature    Description
Search box        You can perform a full text search across all deny logs using the search box. See Search deny logs.
Filters           You can apply filters based on time range, customer, appliance, risk level, attack class, and violation. See Search deny logs with filters.

Search deny logs with filters

You can apply any combination of the following filters to a deny log search:

  • Time range
  • Customer
  • Appliance
  • Risk level
  • Attack class
  • Violation

To define filters for deny logs:

  1. Click the Search tab, and then click Deny Logs.
  2. If you need to view deny logs by time range, in the Show messages from list, select a time range, and then click Go.
  3. If you need to view deny logs by customer, appliance, risk level, attack class, and violation, click Filters. A filters area will expand and display choices where you can combine custom search parameters. In each section, select the parameter from the list, then select whether to include (In) or exclude (Not In), and then click Filter.

To reset the filters to their defaults, click Clear Filters.

Search deny logs

The Search field allows you to perform a full text search across all displayed deny logs.

To search deny logs with the Search box:

  1. Click the Search tab, and then click Deny Logs.
  2. In Search, type the search term for the deny log you want to investigate, and then click Search.

Customize columns in the table of deny logs

By default, the list of deny logs includes the following columns:

  • Time
  • Website
  • Source IP
  • Risk
  • Attack Class
  • Violation
  • Method
  • Page Requested

To customize columns in the table of deny logs:

  1. Click the Search tab, and then click Deny Logs.
  2. Click Columns. A columns area will expand and display.
  3. Select the check box for each column you want to show in your table view.
  4. Click Update Columns.

When you customize your column view, the Deny Logs page displays columns based on your changes only for the current login session. If you navigate away from the Deny Logs page, or if you log out, deny log columns reset to the default.

Export deny log data to CSV

You can export the current view of your deny log data to a CSV file format.

To export deny log data:

  1. Click the Search tab, and then click Deny Logs.
  2. Click Export to CSV.
  3. After the deny log data is successfully exported, click Download CSV Export.

Search and work with websites

The WAF Websites page allows you to perform a search in several ways. Depending on the complexity of the search you need to conduct and what your goals are, you can search using the Search box and/or filters.

Website search features

The WAF Websites page includes two major features to help you search and sort through websites. You can use these features individually or in combination to suit your workflow.

Search feature    Description
Search box        You can perform a website or IP address search across all displayed websites using the Search box.
Filters           You can combine custom search parameters.

Search websites with filters

The most thorough way to conduct an investigation into websites is to apply filters based on customer and/or appliance. You can chain these custom search parameters together.

To define filters for websites:

  1. Navigate to the WAF Configuration page, and then click Websites.
  2. Click Filters. A filters area will expand and display choices.
  3. In the All Appliances list, select the appliance, then select whether to include (In) or exclude (Not In).
  4. Click Filter.

To reset customer and appliance filters to default, click Clear Filters.

Search websites with the search box

You can perform a website or IP address search across all displayed websites using the Search box.

To search websites with the search box:

  1. Navigate to the WAF Configuration page, and then click Websites.
  2. In Search, type the website or IP address you want to investigate, and then click Search.

Manage a website

You can manage website options regarding WAF, ADC, learning, log, and reports.

To manage a website:

  1. Navigate to the WAF Configuration page, and then click Websites.
  2. In the table of websites, within the corresponding row, click Manage Website.

For more information, see the Web Security Manager administration manual.

Work with appliances

To search appliances with filters:

  1. Navigate to the Web Application IDS Configuration page, and then click Appliances.
  2. Click Filters. A filters area will expand and display choices.
  3. In the All Appliances list, select the appliance, then select whether to include (In) or exclude (Not In).
  4. Click Filter.

To reset customer and appliance filters to default, click Clear Filters.

Define appliance configuration filters

You can use filters to customize which configuration sections are shown for appliances listed on the WAF Appliances page. Viewable sections include network, date/time settings, logging to external host, and more.

To define appliance configuration filters:

  1. Navigate to the Web Application IDS Configuration page, and then click Appliances.
  2. In the table of appliances, within the corresponding row, click View Config.
  3. Click the configuration section you want to view. (Click the configuration section again to hide it.)

To view all configuration sections, click Show All. To hide all configuration sections, click Hide All.

Manage an appliance

You can manage Web Security Manager appliance options such as WAF operating modes.

To manage a Web Security Manager appliance:

  1. Navigate to the Web Application IDS Configuration page, and then click Appliances.
  2. In the table of appliances, within the corresponding row, click Manage Appliance.

For more information, see the Web Security Manager administration manual.

Manage SSL certificates

When you create a website proxy for an existing HTTPS web server, you must export the SSL certificate from the web server and import it into Managed WAF.

Managed WAF supports importing PKCS12 and PEM encoded server certificates.

To import PKCS12 encoded SSL certificates:

  1. Navigate to the Web Application IDS Configuration page, and then click Appliances.
  2. In the table of appliances, within the corresponding row, click Manage Appliance.
  3. In the Websites list, click the website you want.
  4. In the main menu, point to ADC, and click Virtual host.
  5. In the SSL certificate section, click Manage certificates.
  6. Select Import SSL certificate (PKCS12 format).
  7. Type the path to the certificate file, or browse to choose your file.
  8. Type your passphrase.
  9. Click Save settings.
  10. Click Apply settings.

To import PEM encoded SSL certificates:

  1. Navigate to the Web Application IDS Configuration page, and then click Appliances.
  2. In the table of appliances, within the corresponding row, click Manage Appliance.
  3. In the Websites list, click the website you want.
  4. In the main menu, point to ADC, and click Virtual host.
  5. In the SSL certificate section, click Manage certificates.
  6. Select Import SSL certificate (PEM format).
  7. In a text editor, open the PEM file(s). When obtained from the web server, the following extension convention is usually used: *.crt—public keys, both server and CA chain; *.key—the private key.
  8. In the SSL public key/certificate field, copy and paste the contents of SSLCertificateFile /path/to/your_domain_name.crt.
  9. In the SSL private key field, copy and paste the contents of SSLCertificateKeyFile /path/to/your_private.key.
  10. (Optional) If the original private key was encrypted, enter the passphrase for the private key.
  11. If a certificate authority chain is provided with your certificate, in the SSL authority certificate(s) chain field, copy and paste the contents of SSLCertificateChainFile /path/to/CA_chain.crt.
  12. Click Save settings.
  13. Click Apply settings.
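
A pre-paste check for steps 7 to 11 above, as an added example (not Alert Logic code): it splits the .crt and .key files into PEM blocks, counts the certificates, and reports whether the private key is encrypted and therefore needs the passphrase from step 10. The function names are hypothetical, and the sample blocks are constructed filler, not real keys or certificates.

```python
import base64
import re

# Matches one PEM block; the label (e.g. CERTIFICATE) must be the same in BEGIN and END.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def split_pem(text):
    """Return (label, headers, der_bytes) for every PEM block found in text."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        headers, b64 = {}, []
        for line in filter(None, map(str.strip, body.splitlines())):
            if ":" in line:  # legacy header, e.g. "Proc-Type: 4,ENCRYPTED"
                name, value = line.split(":", 1)
                headers[name.strip()] = value.strip()
            else:
                b64.append(line)
        blocks.append((label, headers, base64.b64decode("".join(b64), validate=True)))
    return blocks

def is_encrypted(label, headers):
    """PKCS#8 encrypted keys say so in the label, legacy keys in a Proc-Type header."""
    return label == "ENCRYPTED PRIVATE KEY" or headers.get("Proc-Type", "").endswith("ENCRYPTED")

def preflight(crt_text, key_text):
    """Describe what the two files hold before their contents are pasted into the form."""
    crt, key = split_pem(crt_text), split_pem(key_text)
    keys = [b for b in key if b[0].endswith("PRIVATE KEY")]
    problems = []
    if not any(b[0] == "CERTIFICATE" for b in crt):
        problems.append("no CERTIFICATE block in the .crt file")
    if any(b[0].endswith("PRIVATE KEY") for b in crt):
        problems.append("private key found in the .crt file")
    if len(keys) != 1:
        problems.append(f"expected 1 private key, found {len(keys)}")
    return {
        "certificates": sum(b[0] == "CERTIFICATE" for b in crt),
        "needs_passphrase": any(is_encrypted(b[0], b[1]) for b in keys),
        "problems": problems,
    }

def fake_pem(label, payload, headers=""):
    """Build a constructed PEM block; the payload is filler, not a real key or certificate."""
    return f"-----BEGIN {label}-----\n{headers}{base64.b64encode(payload).decode()}\n-----END {label}-----\n"

if __name__ == "__main__":
    bundle = fake_pem("CERTIFICATE", b"server") + fake_pem("CERTIFICATE", b"intermediate")
    legacy = fake_pem("RSA PRIVATE KEY", b"key", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n")
    print(preflight(bundle, legacy))
```

A certificate count above 1 means the .crt file is a bundle that also carries chain certificates. The check only reads PEM framing, so it does not confirm that the private key matches the certificate.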
