Table of Contents
Application Firewall Pack (AFP) services are natively integrated in the KEMP LoadMaster. This enables secure deployment of web applications, preventing Layer 7 attacks while maintaining core load balancing services which ensures superior application delivery and security. AFP functionality directly augments the LoadMaster’s existing security features to create a layered defence for web applications - enabling a safe, compliant and productive use of published services.
With the AFP-enabled LoadMaster, you can choose whether to use KEMP-provided rules (which can be set to automatically download), custom rules which can be uploaded or a combination of both. KEMP-provided rules are available when signed up to AFP Support
This document provides information and step-by-step instructions on managing custom rules.
For information on the other AFP features, refer to the Feature Description, Application Firewall Pack (AFP).
For further information on custom rules, please contact KEMP Support.
This document is intended to be read by anyone who is interested in finding out how to manage custom AFP rules in the LoadMaster.
Follow the steps below to find out how to add custom AFP rules in the Web User Interface (WUI) of the LoadMaster:
- In the main menu, select Virtual Services > WAF Settings.
Figure 2‑1: WAF Rule Management
- To upload custom rules, click Choose File in the Installed Rules section.
Individual rules can be uploaded as .conf files, or you can load a package of rules in a tar.gz file.
- Browse to and select the rules to be uploaded.
- To upload any additional data files, click Choose File in the Custom Rule Datasection.
The additional files are for the rules’ associated data files. If using a Tarball, the rules and data files can be packaged together.
- Browse to and select the additional data files.
- Click Add Ruleset.
The rules will now be available to assign within the Virtual Services modify screen (Virtual Services > View/Modify Services > Modify). Refer to the Section 3 to find out how to configure the Virtual Service.
Figure 2‑2: Custom Rules
Custom rules and data files can be deleted or downloaded by clicking the relevant buttons.
Custom rules can be assigned as needed to each individual Virtual Service. Follow the steps below to assign.
- In the main menu of the LoadMaster WUI, select Virtual Services >View/Modify Services.
Figure 3‑1: Virtual Services screen
- Click Modify on the relevant Virtual Service.
- Expand the WAF Options section.
Figure 3‑2: WAF Options
- Select Enabled.
- Assign rules by selecting them in the Available Rules section and clicking the right arrow to move them into the Assigned Rules section. Then, click Assign Rules.
Rules can be unassigned by selecting them, clicking the left arrow to move them into the Available Rules box, and clicking Assign Rules.
Figure 3‑3: WAF Misconfigured status
On the View/Modify Services screen in the LoadMaster WUI, the Status of each Virtual Service is displayed. If the AFP for a particular Virtual Service is misconfigured, for example if there is an issue with a rule file, the status changes to WAF Misconfigured and turns to red. If the Virtual Service is in this state, all traffic is blocked. AFP can be disabled for that Virtual Service to stop the traffic being blocked, if required, while troubleshooting the problem.
Figure 4‑1: Back Up and Restore
A backup of the LoadMaster configuration can be taken by going to System Administration > Backup/Restore and clicking Create Backup File.
The configuration can be restored from this screen also. Please keep in mind that the Virtual Service settings can be restored by selecting VS Configuration and the rules can be restored by selecting LoadMaster Base Configuration.
An AFP configuration can only be restored onto a LoadMaster with an AFP license.Feature Description, Application Firewall Pack (AFP) Web User Interface (WUI), Configuration Guide
Reason for Change
First draft of document