7.6. Web Application Firewall (WAF)
- Web Application Firewall (WAF) is used via Service Interconnectivity. You need to apply separately for Service Interconnectivity.
7.6.1. Available Features
|Web Application Firewall||This feature detects attack traffic on Web applications, and blocks attack traffic which has a high probability of exerting a negative impact.|
7.6.2. Web Application Firewall Feature
- If NTT Communications judges it necessary, we will notify you via email, etc. regarding the detection and blocking status.
- Traffic addressed to the IP address block assigned for connecting to the Web Application Firewall (WAF) is routed by vFirewall/Integrated Network Appliance to the Service Interconnect Gateway used by the Web Application Firewall (WAF).
- Traffic from a Virtual Machine on a Server Segment targeted for detection is routed by that Virtual Machine to the Service Interconnect Gateway used for the Web Application Firewall (WAF).
- If you perform Ping monitoring on the Virtual Machine, you will require an additional Server Segment for direct connection between vFirewall/Integrated Network Appliance and the Virtual Machine.
- Please do not connect the Server Segments targeted for detection directly to vFirewall/Integrated Network Appliance.
| Item | Performance (maximum value) | Remarks |
|---|---|---|
| Traffic Processing Capacity | 1 Gbps | The total value of uplink and downlink. |
| RPS (Request Per Sec) | 75,000 rps | - |
| CPS (Connection Per Sec) | 10,000 cps | - |
- You cannot use the SSLv3 protocol to connect from a client to the Web Application Firewall (WAF).
The customer is responsible for acquiring the certificate and for updating it.
Submit the certificate in the PKCS#12 or the PEM format.
Both the server certificate and its key file are required when you submit a server certificate.
Do not include the CA's root certificate.
- If an intermediate certificate and a cross-root certificate are required, store those certificates as well. IIS and some other systems include the root certificate when exporting the intermediate certificate etc. together with the server certificate. In this case, please transfer the server certificate and the intermediate certificate/cross-root certificate separately.
When you send an intermediate certificate and a cross-root certificate separately, transfer them as a single file in which all necessary certificates are arranged in the correct order. In this case, you can use the PEM format to transfer them.
- When you create a server certificate, it is recommended to protect the file with a password. (When transferring the server certificate, send the password in a separate message.) For the PKCS#12 format, specify the password at the time of creation. Alternatively, transfer the file as a password-encrypted ZIP file.
7.6.3. Important Points
Used IP Addresses
- In order to connect the Service Interconnect Gateway with the Web Application Firewall (WAF), you must have two IP address blocks available.
- NTT Communications will manage the assigned IP address blocks, and assign IP addresses to the devices that require them.
- When using Web Application Firewall (WAF), the following address ranges cannot be used in customer networks that connect to Server Segments and Enterprise Cloud to communicate.
- The address block specified as the HA segment in the WAF redundant configuration
- When the actual traffic volume exceeds the contracted traffic volume, the excess traffic might be discarded.
- The following health check communication is sent from the devices that provide the Web Application Firewall (WAF) feature to a Virtual Machine. Allow this communication in the Virtual Machine settings.
- Health check to L4 (establishing a 3-way handshake)
- Web Application Firewall (WAF) does not guarantee that the feature that detects and blocks attack traffic on Web applications has integrity or accuracy, or is suitable for your use. Furthermore, the suitability of the signatures (algorithms that judge the degree of danger and attack traffic) provided by the developers or distributors of the devices making up the Web Application Firewall (WAF) feature is not guaranteed.
- The following information might be provided to the developers or distributors of the devices making up the Web Application Firewall (WAF) feature.
- Configuration information obtained from providing Web Application Firewall (WAF)
- Information obtained from Web Application Firewall (WAF) controls, etc.
- We cannot guarantee recovery from failures that might occur due to incompatibility between Web Application Firewall (WAF) and your environment, or failures that occur due to your operations other than those specified by NTT Communications.
- There may be times when the customer’s environment is affected by maintenance services. Advance notice will be sent when the customer’s environment may be affected. This does not apply when we judge the maintenance work to be urgently required to continue the service.