Power(Shell) your WAF deployment

Posted on

It is nice to develop scripts that you can use to configure your load balancer and Web Application Firewall (WAF).  The scripts can help integrate these services into your network orchestration plans.  They ensure consistency and can save you the time required to look up the commands and manually type them out.

Today, I will demonstrate the PowerShell commands for the Kemp LoadMaster WAF. This involves configuring a new Virtual Service with IP 10.35.56.50, assigning a Real Server with IP 10.35.56.24, and demonstrating the WAF settings and associated PowerShell commands. I used the Windows PowerShell (x86) with the latest PowerShell module here.

Create a Virtual Service

To create a new Virtual Service with IP 10.35.56.50, I use the New-AdcVirtualService command as shown in Figure 1.

Figure1: Create a Virtual Service

Add a Real Server

To assign a Real Server with IP 10.35.56.24 to this Virtual Service with IP 10.35.56.50, I use the New-AdcRealServercommand as shown in Figure 2.

Figure 2: Assigning Real Server to specific Virtual Service

Enable WAF

There are three settings available for enabling and disabling the WAF. These are set with the InterceptMode parameter and shown in Table 1.

InterceptMode ValueDescription
0Disable ‘Legacy WAF’ and WAF
1Enable ‘Legacy WAF’
2Enable WAF

I will enable the WAF with InterceptMode set to ‘2’ and I will use the Set-AdcVirtualService command as shown in Figure 3.

Figure 3: Enable WAF

At this point, we can check the LoadMaster and see the Virtual Service, Real Server and WAF enabled with the default profile, as shown in Figure 4.

So, what API options are available to be configured?

Now that I have WAF enabled on the Virtual Service, I will outline all the PowerShell API parameters that are available. To check the current settings of the PowerShell API parameters, I will use the Get-AdcVirtualService command as shown in Figure 5.

Figure5: WAF Settings

The following table outlines the specific API parameters, their description, and the corresponding entry on the LoadMaster UI. All LoadMaster UI Settings are under Virtual Services -> WAF or Virtual Services -> WAF -> Advanced Settings.

Table 2: PowerShell API Parameters

Here are some example commands from the parameters in Table 2:Set the Audit logging to audit all

Set-AdcVirtualService -VirtualService 10.35.56.50 -VSPort 80 -VSProtocol tcp -OWASPOpts auditall

Enable Inspect HTTP POST Request Bodies

Set-AdcVirtualService -VirtualService 10.35.56.50 -VSPort 80 -VSProtocol tcp -OwaspOpts reqdataenable

Disable JSON Parser

Set-AdcVirtualService -VirtualService 10.35.56.50 -VSPort 80 -VSProtocol tcp -OwaspOpts jsondisable

Block countries Ireland and Afghanistan

Set-AdcVirtualService -VirtualService 10.35.56.50 -VSPort 80 -VSProtocol tcp -BlockedCountries "IE,AF"

How do I manage the standard rules and workloads?

The LoadMaster uses the OWASP CRS 3.3.2 rules. By default, all request rule sets are enabled. The mapping between the LoadMaster UI Rule Set Name, the PowerShell API Rule Set Identifier and the associated rules is shown in Table 3.

Table 3: Rule Set Mappings

All Request Rule Sets are enabled by default. If you also have OwaspOps -> resdataenable set, then all Request and Response Rule Sets are enabled, as shown in Figure 6.

To disable a specific Rule Set, use the Rule Set Identifier from Table 3, in the Set-AdcVirtualService command. For this example, I am disabling Rule Set Identifier ‘911’ representing method-enforcement rules on the LoadMaster UI.

This is shown in Figure 7, with the LoadMaster UI after the command is executed.

To disable a specific rule, use the Rule Set Identifier and the Associated Rules Id from Table 3, in the Set-AdcVirtualServicecommand. For this example, I am disabling Rule Id ‘913110’ from Rule Set Identifier ‘913’ representing scanner-detection rules on the LoadMaster UI.

This is shown in Figure 8, with the LoadMaster UI after the command is executed.

Multiple Rule Sets with multiple rules can be disabled in a single Set-AdcVirtualService command. For example, with the parameters -RuleSets “913,920” -DisabledRules “913120,913110,920160,920171”.

Workloads from the LoadMaster UI operates in the same way as RuleSets. The Drupal, Workpress, Nextcloud, Dokuwiki, Cpanel and Xenforo workloads can be enabled/disable via PowerShell API. This is shown in Figure 9, with the LoadMaster UI after the command is executed.

To disable the WordPress workload, use the Set-AdcVirtualService command with the parameter -ExcludedWorkloads”drupal,nextcloud,dokuwiki,cpanel,xenforo”. This can be repeated for any of the Workloads are required.

What about rules that I write myself?

These are known as Custom Rules on the LoadMaster UI. Rules can have data associated with them, known as Custom Rule Data. These can be imported, exported, applied to Virtual Services, and removed from the LoadMaster via PowerShell API. This is accomplished with several commands as described in Table 4.

PowerShell API CommandDescription
New-OWASPCustomRuleSetUpload a custom rule file to the LoadMaster
Export-OWASPCustomRuleSetExport/Save locally a custom rule file from the LoadMaster
Uninstall-OWASPCustomRuleSetUninstall a custom rule file from the LoadMaster
New-OWASPCustomRuleDataUpload a custom rule data file to the LoadMaster
Export-OWASPCustomRuleDataExport/Save locally a custom rule data file from the LoadMaster
Uninstall-OWASPCustomRuleDataUninstall a custom rule data file from the LoadMaster

All uploaded Custom Rules and Custom Rule Data files will be shown under Web Application Service –> Custom Rules on the LoadMaster UI.

The following figures (Figure 10 and Figure 11) show working examples of these commands. 

Figure 10: Custom Rules

In the Export-OWASPCustomRuleSet command, I am exporting/saving locally the file to c:\temp\ps_work\exported_rules.conf.

Figure 11: Custom Rule Data

To enable this Custom Rule file for a specific Virtual Service, I am using the Set-AdcVirtualService command with the -CustomRule parameter.

This is shown in Figure 12, with the LoadMaster UI after the command is executed.

Figure 12: Virtual Service applied Custom Rule

Several custom rule files can be applied to a Virtual Service simultaneously e.g. -CustomRule ‘rule_file_1,rule_file_2’.Custom Rules can be fully disabled on the Virtual Service with -CustomRule ”.Download the latest and get started!

I hope you have found this article useful and I recommend bookmarking it for reference as you configure and build your PowerShell scripts for your LoadMaster WAF deployments. Before you start, I recommend that you download the LoadMaster PowerShell API wrapper and latest LoadMaster software. Enjoy!

Posted on

David O'Connor

David O’Connor is a Product Manager in Kemp working in Limerick, Ireland. He holds a bachelor’s degree in Computer Engineering from University of Limerick. David has a telecoms background with previous roles in development, customer support and presales with a focus on product-market fit and creating tech products that customers love.