Getting Started with Web Application Firewall Policies

Get started with creating and managing a web application firewall policy.

Before You Begin

Refer to Required IAM Service Policy for important concepts about the web application firewall.

To begin using the WAF service, you must have the following available:

  • Ensure that you have the Required IAM Service Policy permissions.

  • We recommend that you use a separate compartment for your web application firewall policy so that management is easier and more secure. See Managing Compartments for more information.

  • A load balancer with an HTTP listener.

You can make changes to your web application firewall policy only when the policy status is ACTIVE.

Ways to Access the Web Application Firewall Service

You can access Oracle Cloud Infrastructure (OCI) by using the Console (a browser-based interface), REST API, or OCI CLI. Instructions for using the Console, API, and CLI are included in topics throughout this documentation. For a list of available SDKs, see Software Development Kits and Command Line Interface.

To access the Console, you must use a supported browser. To go to the Console sign-in page, open the navigation menu at the top of this page and click Infrastructure Console. You are prompted to enter your cloud tenant, your user name, and your password.

Web Application Firewall Service Capabilities and Limits

The Web Application Firewall (WAF) service has the following capabilities and limits:

  • Web Application Firewall policies: 100 per tenant.

  • Network address lists: 100 per tenant.

    For a list of applicable limits and instructions for requesting a limit increase, see Service Limits. To set compartment-specific limits on a resource or resource family, administrators can use compartment quotas.

    Note: The WAF service allows a total run time of 10 minutes for upload and download processes through the web application firewall.
  • WAF policy doesn't support Network Load Balancer. WAF policy supports only Load Balancer.
  • TCP Listener is not compatible with WAF policy. WAF policy supports only HTTP listeners.
  • WAF policy supports IPv6. WAF policy is attached directly to the load balancer where you can select IPv6 Support.

    After you create a load balancer and choose the type, select Enable IPv6 Address Assignment.

    When you create a load balancer, you can choose to use an IPv4/IPv6 dual-stack configuration. When you choose the IPv6 option, the Load Balancer service assigns both an IPv4 and an IPv6 address to the load balancer. The load balancer receives client traffic sent to the assigned IPv6 address. The load balancer uses only IPv4 addresses to communicate with backend servers. No IPv6 communication exists between the load balancer and the backend servers.
    Note: IPv6 address assignment occurs only during load balancer creation. You can't assign an IPv6 address to an existing load balancer.
  • WAF policies are regional only. One WAF policy can't be used in multiple regions simultaneously.
  • A single policy can be used with multiple load balancers. You can use a policy with multiple load balancers as long as all load balancers are in the same region as the policy.
  • WAF policy rules are run in the following order:
    1. WAF requestAccessControl
    2. WAF requestRateLimiting
    3. WAF requestProtection
      1. requestProtection rule 1
        1. header inspection CHECK mode protectionCapabilities
        2. header inspection BLOCK mode protectionCapabilities
        3. body inspection CHECK mode protectionCapabilities
        4. body inspection BLOCK mode protectionCapabilities
      2. requestProtection rule 2
      3. requestProtection rule N
    4. <request forwarded to backend and response is received>
    5. WAF responseAccessControl
    6. WAF responseProtection
      1. responseProtection rule 1
        1. header inspection CHECK mode protectionCapabilities
        2. header inspection BLOCK mode protectionCapabilities
        3. body inspection CHECK mode protectionCapabilities
        4. body inspection BLOCK mode protectionCapabilities
      2. responseProtection rule 2
      3. responseProtection rule N
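The following Python model walks a request through the request-side phases in the order listed above. It is an added illustration written for this page, not OCI code, and it assumes one thing the list does not state: a BLOCK-mode capability that matches stops evaluation and denies the request, while a CHECK-mode match only records a finding and lets evaluation continue. The policy, capability labels, client addresses and request contents are constructed samples. The trace it returns shows why a CHECK-mode finding can appear in your logs for a request that a later BLOCK-mode capability, or a later rule, ultimately denies.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

Request = Dict[str, Any]


@dataclass
class Capability:
    """One protection capability. Model assumption: CHECK only logs a finding,
    BLOCK stops evaluation and denies the request."""
    key: str                            # constructed capability label
    mode: str                           # "CHECK" or "BLOCK"
    matches: Callable[[Request], bool]  # predicate over the request


@dataclass
class ProtectionRule:
    name: str
    header_caps: List[Capability]
    body_caps: List[Capability]


@dataclass
class Policy:
    access_control: Callable[[Request], bool]  # True means allow
    rate_limiting: Callable[[Request], bool]   # True means allow
    protection_rules: List[ProtectionRule]


def _run_caps(caps: List[Capability], mode: str, request: Request,
              label: str, trace: List[str]) -> bool:
    """Run every capability of one mode over one inspection target.
    Returns True when a BLOCK-mode capability matched, i.e. evaluation stops."""
    for cap in caps:
        if cap.mode != mode or not cap.matches(request):
            continue
        trace.append(f"{label}:{mode}:{cap.key}")
        if mode == "BLOCK":
            return True
    return False


def evaluate_request(policy: Policy, request: Request) -> Tuple[str, List[str]]:
    """Walk the request-side phases in the documented order and return
    (outcome, trace); trace lists each decision in evaluation order."""
    trace: List[str] = []
    if not policy.access_control(request):
        trace.append("requestAccessControl:BLOCK")
        return "blocked", trace
    trace.append("requestAccessControl:ALLOW")
    if not policy.rate_limiting(request):
        trace.append("requestRateLimiting:BLOCK")
        return "blocked", trace
    trace.append("requestRateLimiting:ALLOW")
    for rule in policy.protection_rules:
        # Within a rule: header CHECK, header BLOCK, body CHECK, body BLOCK.
        for target, caps in (("header", rule.header_caps), ("body", rule.body_caps)):
            for mode in ("CHECK", "BLOCK"):
                if _run_caps(caps, mode, request, f"{rule.name}:{target}", trace):
                    return "blocked", trace
    trace.append("forwarded")
    return "forwarded", trace


def demo_policy() -> Policy:
    """Constructed sample policy: one denied source address, a per-window
    request budget, and one protection rule with a CHECK-mode header
    capability and a BLOCK-mode body capability."""
    denied_sources = {"203.0.113.7"}  # constructed, documentation address range
    header_cap = Capability(
        "scanner-user-agent", "CHECK",
        lambda r: "scanner" in str(r["headers"].get("user-agent", "")).lower())
    body_cap = Capability(
        "script-tag-in-body", "BLOCK",
        lambda r: "<script" in str(r["body"]).lower())
    rule = ProtectionRule("requestProtection-rule-1", [header_cap], [body_cap])
    return Policy(
        access_control=lambda r: r["client_ip"] not in denied_sources,
        rate_limiting=lambda r: int(r["requests_in_window"]) <= 100,
        protection_rules=[rule],
    )


def sample_request(client_ip: str, user_agent: str, body: str,
                   requests_in_window: int = 1) -> Request:
    """Build a constructed request record for the model."""
    return {"client_ip": client_ip, "headers": {"user-agent": user_agent},
            "body": body, "requests_in_window": requests_in_window}


if __name__ == "__main__":
    policy = demo_policy()
    for req in (sample_request("198.51.100.5", "ScannerBot/1.0", "q=<script>x</script>"),
                sample_request("203.0.113.7", "curl/8.0", ""),
                sample_request("198.51.100.5", "Mozilla/5.0", "q=hello")):
        print(evaluate_request(policy, req))
```

Run as a script, the first request is denied by the body BLOCK capability but its trace still carries the earlier header CHECK finding; the second never reaches rate limiting or protection because access control rejects it first; the third is forwarded. The same ordering applies on the response side (responseAccessControl, then each responseProtection rule), which this model leaves out.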

Required IAM Service Policy

To use Oracle Cloud Infrastructure, you must be granted access in a policy for waas-policy. If you try to perform an action and get a message that you do not have permission or are unauthorized, confirm with your administrator the type of access you have been granted and which compartment you should work in.

Mandatory permissions list:

Allow group-id to manage waas-family in compartment_ocid

Allow group-id to manage web-app-firewall in compartment_ocid

Allow group-id to manage waf-policy in compartment_ocid

Allow group-id to use waf-network-address-list in compartment_ocid

Policy examples:

  • To allow a specific user group to manage web application firewalls in your tenancy:
    Allow group-id to manage web-app-firewall in tenancy
  • To allow a specific user group to inspect web application firewall policies in a specific compartment:
    Allow group-id to inspect waf-policy in compartment_ocid
  • To allow a specific user group to use web application firewall network address lists in your tenancy:
    Allow group-id to use waf-network-address-list in tenancy
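The following Python checker, added here as an illustration and not part of the OCI documentation or tooling, takes a list of concrete policy statements for a group and reports which of the mandatory permissions above are still missing in a given compartment. It relies on two OCI IAM facts: the verbs form a hierarchy (inspect < read < use < manage, each including the ones below it), and a statement scoped to the tenancy covers every compartment. It expects the concrete statement form, `Allow group <name> to <verb> <resource-type> in compartment <name>` (or `in compartment id <ocid>`, or `in tenancy`); the `group-id` and `compartment_ocid` tokens in the list above are placeholders and do not parse. Statements with `where` conditions are not handled, and the group and compartment names in the sample are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# OCI IAM verb hierarchy: each verb includes what the verbs below it grant.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# The mandatory permissions from the list above, as (verb, resource-type).
REQUIRED: List[Tuple[str, str]] = [
    ("manage", "waas-family"),
    ("manage", "web-app-firewall"),
    ("manage", "waf-policy"),
    ("use", "waf-network-address-list"),
]

# Basic statement shape. "group-id" / "compartment_ocid" in the list above are
# placeholders; real statements name the group and the compartment (by name or
# by "id <ocid>") or say "in tenancy". `where` conditions are out of scope.
STATEMENT_RE = re.compile(
    r"^\s*allow\s+group\s+(?P<group>\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>[a-z0-9-]+)\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+(?:id\s+)?\S+)\s*$",
    re.IGNORECASE,
)


def parse_statement(statement: str) -> Optional[Dict[str, str]]:
    """Return the parts of one policy statement, or None if it does not match."""
    m = STATEMENT_RE.match(statement)
    if not m:
        return None
    parts = {k: v.lower() for k, v in m.groupdict().items()}
    # Normalise the scope to "tenancy" or to the bare compartment name/OCID.
    scope = parts["scope"]
    if scope != "tenancy":
        scope = re.sub(r"^compartment\s+(?:id\s+)?", "", scope)
    parts["scope"] = scope
    return parts


def grants(parsed: Dict[str, str], group: str, compartment: str,
           verb: str, resource: str) -> bool:
    """True if one parsed statement gives `group` at least `verb` on `resource`
    inside `compartment`. Tenancy-wide statements cover every compartment.
    Names are compared case-insensitively here (a simplification)."""
    return (parsed["group"] == group.lower()
            and parsed["resource"] == resource
            and VERB_RANK[parsed["verb"]] >= VERB_RANK[verb]
            and parsed["scope"] in ("tenancy", compartment.lower()))


def missing_permissions(statements: List[str], group: str,
                        compartment: str) -> List[Tuple[str, str]]:
    """List the mandatory (verb, resource) pairs that no statement satisfies."""
    parsed = [p for p in (parse_statement(s) for s in statements) if p]
    return [(verb, resource) for verb, resource in REQUIRED
            if not any(grants(p, group, compartment, verb, resource) for p in parsed)]


if __name__ == "__main__":
    # Constructed sample: the group and compartment names are made up.
    sample = [
        "Allow group waf-admins to manage waas-family in compartment waf-cmpt",
        "Allow group waf-admins to manage web-app-firewall in compartment waf-cmpt",
        "Allow group waf-admins to inspect waf-policy in compartment waf-cmpt",
        "Allow group waf-admins to manage waf-network-address-list in tenancy",
    ]
    print(missing_permissions(sample, "waf-admins", "waf-cmpt"))
```

In the sample, `inspect` on waf-policy is ranked below the required `manage`, so that pair is reported as missing, while `manage` on waf-network-address-list in the tenancy satisfies the required `use` in any compartment. Checking the same statements against a different compartment shows why the separate-compartment recommendation earlier on this page matters: compartment-scoped statements grant nothing outside the compartment they name.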

If you are new to policies, see Getting Started with Policies and Common Policies. For more details about policies for WAF, see Details for the WAF service.