Oracle Cloud Infrastructure Documentation

Getting Started with WAF

If you're new to Oracle Cloud Infrastructure WAF, this topic gives guidance on how to proceed.

Before You Begin

To begin using the WAF service, you must have the following available if you plan to run your site on HTTPS/443:

  • Public certificate for the fully qualified domain name (FQDN) of the application.
  • Corresponding private key for the site.
  • IP address of the LBaaS or other public-facing endpoint of the application.
  • Ability to update DNS records for the domain.

Securing Your WAF

To secure your WAF, you must configure your origin servers to accept traffic only from the WAF servers; otherwise a client that learns the origin's address can bypass the WAF by connecting to it directly. Configure your origin's ingress rules to only accept connections from the following CIDR ranges:

  • 192.157.18.0/23
  • 205.147.88.0/21
  • 192.69.118.0/23
  • 198.181.48.0/21
  • 199.195.6.0/23
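The point of restricting ingress to these ranges is that any request reaching the origin from an address outside them did not pass through the WAF. The following Python is an added example, not code from the Oracle documentation: it builds ingress rules for the five CIDRs above in the shape of an OCI security-list IngressSecurityRule (the field names are an assumption to check against the current API reference) and scans constructed origin access-log lines for connections that bypassed the WAF.

```python
import ipaddress

# CIDR ranges listed on this page as the WAF source ranges.
WAF_CIDRS = [
    "192.157.18.0/23",
    "205.147.88.0/21",
    "192.69.118.0/23",
    "198.181.48.0/21",
    "199.195.6.0/23",
]
WAF_NETWORKS = [ipaddress.ip_network(c) for c in WAF_CIDRS]


def ingress_rules_for_waf(port=443):
    """Build one stateful TCP ingress rule per WAF CIDR, restricted to `port`.
    Field names follow the OCI security-list JSON (assumed here; verify
    against the API reference before applying with the CLI or SDK)."""
    return [
        {
            "source": cidr,
            "sourceType": "CIDR_BLOCK",
            "protocol": "6",  # TCP
            "isStateless": False,
            "tcpOptions": {"destinationPortRange": {"min": port, "max": port}},
        }
        for cidr in WAF_CIDRS
    ]


def is_waf_source(ip):
    """True if `ip` falls inside any of the WAF CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WAF_NETWORKS)


# Constructed origin access-log lines (not real traffic): client IP, method, path, status.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges used as stand-ins.
SAMPLE_LOG = """\
192.157.19.77 GET /index.html 200
203.0.113.9 GET /admin 200
205.147.95.4 POST /login 302
198.51.100.23 GET /index.html 200
"""


def find_waf_bypass(log_text):
    """Return (ip, path) for each request whose client IP is outside the WAF
    ranges, i.e. a connection that reached the origin without passing through
    the WAF. If the ingress rules above are in place, this list stays empty."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, _method, path, _status = line.split()
        if not is_waf_source(ip):
            hits.append((ip, path))
    return hits


if __name__ == "__main__":
    for ip, path in find_waf_bypass(SAMPLE_LOG):
        print(f"origin reached directly from {ip}: {path}")
```

Once the origin only accepts WAF traffic, the client address in the origin's own logs is always a WAF address; the real client address has to be taken from the forwarded-for header the reverse proxy adds, so the bypass check above is only meaningful on the connection-level source IP, not on that header.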

Create a Policy to Route Traffic Through the WAF

To begin, create a policy to route traffic through the WAF without rules enabled. Creating a policy without rules enabled lets you confirm that placing a reverse proxy in front of the application introduces no regressions before any rules are applied.

To create a policy

Update DNS to Enable WAF

In this step, you update the CNAME for your zone to route requests from internet clients to the WAF. Use the following instructions to make this DNS change in the Console. If your DNS is hosted with another provider, refer to that provider's documentation for instructions.

To update the CNAME for your zone

Upload Your Certificate and Key

This step assumes that your site runs on HTTPS/443.

To upload your certificate and key

Test Your Application

In this step, you ensure that requests are being routed to the WAF and that your application continues to function normally with a reverse proxy in the topology.

To test your application

Enable WAF to Passively Detect Rules

In this step, you enable WAF to detect protection rules without blocking requests. Enabling WAF to passively detect rules helps you visualize the traffic that may pose a threat to your site and helps you tune the WAF to exclude false positives before you start blocking.

To enable WAF to detect protection rules
To enable WAF to detect access rules

Test the Rules

When the policy is active, you can test that WAF detects requests matching your rules.

To initiate requests
To verify that WAF is detecting requests

View Recommendations

To view protection rule recommendations

  1. Open the navigation menu. Under Governance and Administration, go to Security and click WAF Policies.
  2. Click the name of the WAF Policy you want to view protection rule recommendations for. The WAF Policy overview appears.
  3. Click Protection Rules.
  4. Click the Recommendations tab. This list is generated from the traffic the WAF observes flowing through it. If nothing appears in this list, keep testing the FQDN of your application and check back later.
  5. Select the protection rules with a Detect recommended action and then click Accept Recommendations.

Tip

You can use the Recommended Action filter to locate a recommendation by Detect.

Enable WAF to Actively Block Requests

After you verify that requests are being detected, you can start blocking the undesired traffic.

  1. Open the navigation menu. Under Governance and Administration, go to Security and click WAF Policies.
  2. Click the name of the WAF Policy you want to configure rule settings for. The WAF Policy overview appears.
  3. Click Protection Rules.
  4. Enter rule ID 941140 in the Rule ID filter.
  5. (Optional) To search for rules with a Detect action, select the Detect check box from the Rule Action filter.
  6. Select Block from the Actions drop-down menu for rule ID 941140 and any other protection rules you filtered.
  7. Under WAF Policy, click Unpublished Changes.
  8. Click Publish All.
  9. In the Publish Changes dialog box, click Publish All.
  10. Test the rules again by initiating requests. You should get 403 Forbidden errors when testing with the JavaScript on the URL.