It is nice to develop scripts that you can use to configure your load balancer and Web Application Firewall (WAF). The scripts can help integrate these services into your network orchestration plans. They ensure consistency and can save you the time required to look up the commands and manually type them out.
Today, I will demonstrate the PowerShell commands for the Kemp LoadMaster WAF. This involves configuring a new Virtual Service with IP 10.35.56.50, assigning a Real Server with IP 10.35.56.24, and demonstrating the WAF settings and associated PowerShell commands. I used the Windows PowerShell (x86) with the latest PowerShell module here.
Create a Virtual Service
To create a new Virtual Service with IP 10.35.56.50, I use the New-AdcVirtualService command as shown in Figure 1.
Add a Real Server
To assign a Real Server with IP 10.35.56.24 to this Virtual Service with IP 10.35.56.50, I use the New-AdcRealServercommand as shown in Figure 2.
There are three settings available for enabling and disabling the WAF. These are set with the InterceptMode parameter and shown in Table 1.
|0||Disable ‘Legacy WAF’ and WAF|
|1||Enable ‘Legacy WAF’|
I will enable the WAF with InterceptMode set to ‘2’ and I will use the Set-AdcVirtualService command as shown in Figure 3.
At this point, we can check the LoadMaster and see the Virtual Service, Real Server and WAF enabled with the default profile, as shown in Figure 4.
So, what API options are available to be configured?
Now that I have WAF enabled on the Virtual Service, I will outline all the PowerShell API parameters that are available. To check the current settings of the PowerShell API parameters, I will use the Get-AdcVirtualService command as shown in Figure 5.
The following table outlines the specific API parameters, their description, and the corresponding entry on the LoadMaster UI. All LoadMaster UI Settings are under Virtual Services -> WAF or Virtual Services -> WAF -> Advanced Settings.
Here are some example commands from the parameters in Table 2:Set the Audit logging to audit all
Set-AdcVirtualService -VirtualService 10.35.56.50 -VSPort 80 -VSProtocol tcp -OWASPOpts auditall
Enable Inspect HTTP POST Request Bodies
Set-AdcVirtualService -VirtualService 10.35.56.50 -VSPort 80 -VSProtocol tcp -OwaspOpts reqdataenable
Disable JSON Parser
Set-AdcVirtualService -VirtualService 10.35.56.50 -VSPort 80 -VSProtocol tcp -OwaspOpts jsondisable
Block countries Ireland and Afghanistan
Set-AdcVirtualService -VirtualService 10.35.56.50 -VSPort 80 -VSProtocol tcp -BlockedCountries "IE,AF"
How do I manage the standard rules and workloads?
The LoadMaster uses the OWASP CRS 3.3.2 rules. By default, all request rule sets are enabled. The mapping between the LoadMaster UI Rule Set Name, the PowerShell API Rule Set Identifier and the associated rules is shown in Table 3.
All Request Rule Sets are enabled by default. If you also have OwaspOps -> resdataenable set, then all Request and Response Rule Sets are enabled, as shown in Figure 6.
To disable a specific Rule Set, use the Rule Set Identifier from Table 3, in the Set-AdcVirtualService command. For this example, I am disabling Rule Set Identifier ‘911’ representing method-enforcement rules on the LoadMaster UI.
This is shown in Figure 7, with the LoadMaster UI after the command is executed.
To disable a specific rule, use the Rule Set Identifier and the Associated Rules Id from Table 3, in the Set-AdcVirtualServicecommand. For this example, I am disabling Rule Id ‘913110’ from Rule Set Identifier ‘913’ representing scanner-detection rules on the LoadMaster UI.
This is shown in Figure 8, with the LoadMaster UI after the command is executed.
Multiple Rule Sets with multiple rules can be disabled in a single Set-AdcVirtualService command. For example, with the parameters -RuleSets “913,920” -DisabledRules “913120,913110,920160,920171”.
Workloads from the LoadMaster UI operates in the same way as RuleSets. The Drupal, Workpress, Nextcloud, Dokuwiki, Cpanel and Xenforo workloads can be enabled/disable via PowerShell API. This is shown in Figure 9, with the LoadMaster UI after the command is executed.
To disable the WordPress workload, use the Set-AdcVirtualService command with the parameter -ExcludedWorkloads”drupal,nextcloud,dokuwiki,cpanel,xenforo”. This can be repeated for any of the Workloads are required.
What about rules that I write myself?
These are known as Custom Rules on the LoadMaster UI. Rules can have data associated with them, known as Custom Rule Data. These can be imported, exported, applied to Virtual Services, and removed from the LoadMaster via PowerShell API. This is accomplished with several commands as described in Table 4.
|PowerShell API Command||Description|
|New-OWASPCustomRuleSet||Upload a custom rule file to the LoadMaster|
|Export-OWASPCustomRuleSet||Export/Save locally a custom rule file from the LoadMaster|
|Uninstall-OWASPCustomRuleSet||Uninstall a custom rule file from the LoadMaster|
|New-OWASPCustomRuleData||Upload a custom rule data file to the LoadMaster|
|Export-OWASPCustomRuleData||Export/Save locally a custom rule data file from the LoadMaster|
|Uninstall-OWASPCustomRuleData||Uninstall a custom rule data file from the LoadMaster|
All uploaded Custom Rules and Custom Rule Data files will be shown under Web Application Service –> Custom Rules on the LoadMaster UI.
The following figures (Figure 10 and Figure 11) show working examples of these commands.
In the Export-OWASPCustomRuleSet command, I am exporting/saving locally the file to c:\temp\ps_work\exported_rules.conf.
To enable this Custom Rule file for a specific Virtual Service, I am using the Set-AdcVirtualService command with the -CustomRule parameter.
This is shown in Figure 12, with the LoadMaster UI after the command is executed.
Several custom rule files can be applied to a Virtual Service simultaneously e.g. -CustomRule ‘rule_file_1,rule_file_2’.Custom Rules can be fully disabled on the Virtual Service with -CustomRule ”.Download the latest and get started!
I hope you have found this article useful and I recommend bookmarking it for reference as you configure and build your PowerShell scripts for your LoadMaster WAF deployments. Before you start, I recommend that you download the LoadMaster PowerShell API wrapper and latest LoadMaster software. Enjoy!