Receive Web Application Firewall notifications using Service Connector Hub

Oracle Cloud Infrastructure (OCI) Web Application Firewall (WAF) is a cloud-based, Payment Card Industry (PCI)-compliant, security service used to protect applications from malicious and unwanted internet traffic. WAF allows you to create access rules and response actions for requests that meet conditions that you specify. In this blog, we explore how to notify yourself when these conditions are met, allowing you to quickly react accordingly.

Concepts

To accomplish this task, we use the following OCI services:

• WAF: Regional and edge-based enforcement service attached to an enforcement point, such as a load balancer, or a web application domain name

• Logging: Fully managed single pane of glass for all logs in your tenancy

• Service Connector Hub: Cloud message bus platform for describing, running, and monitoring interactions when moving data between OCI services

• Notifications: Broadcasts messages to distributed components for applications hosted on OCI and externally

The following graphic shows how these services work together:

^{Figure 1: Flow Diagram}

When a request matches a condition set in our WAF, it gets logged. Using a service connector, we filter and send that log to a Notifications topic that we have subscribed to with the following steps:

1. Create the WAF and configure an access rule.

2. Turn on WAF service logs.

3. Create the Notifications topic and subscribe to it.

4. Create the service connector with WAF logs as the source and the Notifications topic as the target. Optionally, add a filter.

5. Test and receive notification!

This blog isn’t a deep dive into any of the services, so I don’t go into detail about configuring each one. However, if you struggle at any point, refer to the service’s documentation to get up to speed quickly.

Configuring WAF

1. Create your WAF and apply it to your enforcement point. I’m using the regional WAF, so I apply it directly to my load balancer.

2. Add a rule with whatever action that you want. I’m using an access rule called BlogRule with the preconfigured check action. Any request with the path "/LogRequest" is logged.

^{Figure 2: WAF access rule}

Configuring Logging

To active service logs for your WAF, use the following steps:

1. Navigate to Logging and create a log group.

2. Select Logs and Enable Service Log.

3. For your service, select WAF service and under Resource, find your WAF.

4. Name your log.

The following example shows the generated log when I send a request with "/LogRequest" in the path. It displays the request’s path and matched rule. View full details of the WAF log in the documentation.

^{Figure 3: Example WAF log}

Configuring Notifications

We use Notifications to send us the logs. Configure the setup with the following steps:

1. Navigate to Developer Services, and under Application Integration, select Notifications.

2. Create a topic.

3. Create a subscription. For simplicity, I’m using my email to subscribe to the topic.

4. To confirm that subscription is working, click Publish Message.

^{Figure 4: Notifications subscription test}

Configuring Service Connector Hub

Service Connector Hub orchestrates data movement between services in OCI. In each service connector, specify the source service containing the data to be moved, optional tasks, and the target service for delivery. Our setup uses the following parameters:

• Source: Logging group and WAF logs previously configured

• Task (Optional): Log filter task

• Target: Notifications topic previously configured

Log filter task

As the name suggests, log filters are used to filter log data from the source. They’re optional, but I add one to filter for the BlogRule access rule I created. So I’m only notified when this rule is matched.

The basic UI mode allows you to create the filter using menus. I’ve had issues with this setup in the past, so I prefer to write the filter query myself in advanced mode. I’m using the following example filter query:

search "ocid1.compartment.oc1..aaaaaaaaqugc7rtnekl7pfebeyykrlapbe43dqbmdsjtntrpck6bxmlnmtwa/ocid1.loggroup.oc1.iad.amaaaaaawe6j4fqaxmlck7ixpr2k7l4kwcrkvrsshja5lbfop6ffqhst3hta/ocid1.log.oc1.iad.amaaaaaawe6j4fqac4yygnjddmotnaewfddhxtbjmy5om6x2xodqhyn7u7tq" | data.requestAccessControl.matchedRules='BlogRule'

I encourage you to use Log Search to confirm your query works properly.

Testing

Send a request to "/LogRequest" on my load balancer.

Figure 5: Sending test request

Shortly, I receive an email.

Figure 6: Working log email

Conclusion

In this blog, we saw how we can use Logging, Service Connector Hub, and Notifications to send WAF logs to ourselves. We also added a log filter that allows us to specify which logs we want to be notified for. In many use cases, you want to understand and monitor your WAF’s behavior, and if you want a single pane of glass, I encourage you to check out Integration of Regional WAF with Logging Analytics. This process flow isn’t limited to WAF and you can configure it for any log-emitting service.

If you want to try this lab for yourself, check out Oracle Cloud Infrastructure’s Free Tier with US$300 credits for a 30-day free trial. Free Tier also includes several Always Free services that are available for an unlimited time, even after your credits expire.

For more information, see the following resources:

• WAF documentation

• Logging documentation

• Notifications documentation

• Service Connector Hub documentation

• Integration of regional WAF with Logging Analytics