SBN

NSFOCUS WAF Running Modes

NSFOCUS WAF supports multiple running modes. You can modify the running mode based on the network topology.

Deployment Topology

Deployment Topology can be set to In-Path, Out-of-Path, Reverse Proxy, Mirroring or Plugin-enabled.

  • In-Path Deployment: Deployed between the client end and the Web server, WAF checks traffic destined for the Web server, ensuring the security of applications on the Web server.
  • Out-of-Path Deployment: Traffic is directed to WAF for cleaning via a static route, and then cleaned traffic is injected to the original destination Web server. If Protection Mode is selected, traffic returned from the Web server to clients is also directed to WAF for checking; if Forwarding Mode is selected, such traffic is sent directly without being directed to WAF.
  • Reverse Proxy Deployment: The public IP address of a Web server is configured on WAF. After DNS resolution, a client directly connects to WAF. WAF cleans traffic from the client and then connects to the target Web server.
  • Mirroring: Configure a switch or router to mirror traffic passing through the web server to WAF for analysis and security checks.
  • Plug-in Deployment: Traffic flows to the WAF for detection through the plug-in module on nginx. Nginx uses WAF’s detection results to determine whether to block the connection between the client and the server.

Mode Configuration

Mode Configuration can be set to one of the following values (modes vary with deployment topologies):

  • Forwarding Mode: In this mode, the engine forwards traffic without processing, and thus has no protection effect. This mode is unavailable in reverse proxy deployment.
  • Protection Mode: In this mode, WAF implements protection for servers.
  • Debugging Mode: In this mode, WAF provides protection for servers as it functions in protection mode, but more debugging information is available on the backend. This mode is usually used for WAF debugging.

Emergency Mode

After entering the emergency mode, WAF continues handling traffic on established TCP connections, but directly forwards new requests. Emergency Mode can be set to Disable, Permanently Enable, or Auto-Switching.

Claroty

If Permanently Enable is selected, WAF will always be in emergency mode.

If Auto-Switching is selected, WAF determines whether to activate the emergency mode based on the number of TCP connections, CPU usage, or memory usage. In this case, one of the three triggering conditions must be enabled. If more than one condition is enabled, when finding that the number of TCP connections, CPU usage, or memory usage becomes lower than the deactivation threshold and stays at that level for a period longer than the relaxation time, WAF deactivates the emergency mode.

Parameters for setting the emergency mode:

Relaxation Time (second) When finding that the number of TCP connections, CPU usage, or memory usage becomes lower than the deactivation threshold and stays at that level for a period longer than the relaxation time, WAF deactivates the emergency mode.
Connections  
Enable emergency mode Controls whether to enable the emergency mode based on the number of connections.
Activation Threshold When finding that the number of connections exceeds this threshold, WAF activates the emergency mode.
Deactivation Threshold When finding that the number of connections becomes lower than the threshold and stays at that level for a period longer than the relaxation time, WAF deactivates the emergency mode.
CPU  
Enable emergency mode Controls whether to enable the emergency mode based on the CPU usage.
Activation Threshold When finding that the CPU usage exceeds this threshold, WAF activates the emergency mode.
Deactivation Threshold When finding that the CPU usage becomes lower than the threshold and stays at that level for a period longer than the relaxation time, WAF deactivates the emergency mode.
Memory  
Enable emergency mode Controls whether to enable the emergency mode based on the memory usage.
Activation Threshold When finding that the memory usage exceeds this threshold, WAF activates the emergency mode.
Deactivation Threshold When finding that the memory usage becomes lower than the threshold and stays at that level for a period longer than the relaxation time, WAF deactivates the emergency mode.

The post NSFOCUS WAF Running Modes appeared first on NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks..

*** This is a Security Bloggers Network syndicated blog from NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. authored by NSFOCUS. Read the original post at: https://nsfocusglobal.com/nsfocus-waf-running-modes/