Oracle Cloud Infrastructure (OCI) Web Application Firewall (WAF) is a cloud-based, Payment Card Industry (PCI)-compliant, security service used to protect applications from malicious and unwanted internet traffic. WAF allows you to create access rules and response actions for requests that meet conditions that you specify. In this blog, we explore how to notify yourself when these conditions are met, allowing you to quickly react accordingly.
To accomplish this task, we use the following OCI services:
WAF: Regional and edge-based enforcement service attached to an enforcement point, such as a load balancer, or a web application domain name
Logging: Fully managed single pane of glass for all logs in your tenancy
Service Connector Hub: Cloud message bus platform for describing, running, and monitoring interactions when moving data between OCI services
Notifications: Broadcasts messages to distributed components for applications hosted on OCI and externally
The following graphic shows how these services work together:
Figure 1: Flow Diagram
When a request matches a condition set in our WAF, it gets logged. Using a service connector, we filter and send that log to a Notifications topic that we have subscribed to with the following steps:
Create the WAF and configure an access rule.
Turn on WAF service logs.
Create the Notifications topic and subscribe to it.
Create the service connector with WAF logs as the source and the Notifications topic as the target. Optionally, add a filter.
Test and receive notification!
This blog isn’t a deep dive into any of the services, so I don’t go into detail about configuring each one. However, if you struggle at any point, refer to the service’s documentation to get up to speed quickly.
Create your WAF and apply it to your enforcement point. I’m using the regional WAF, so I apply it directly to my load balancer.
Add a rule with whatever action you want. I’m using an access rule called BlogRule with the preconfigured check action, so any request whose path is "/LogRequest" is logged.
Figure 2: WAF access rule
To activate service logs for your WAF, use the following steps:
Navigate to Logging and create a log group.
Select Logs and Enable Service Log.
For your service, select WAF service and under Resource, find your WAF.
Name your log.
The following example shows the generated log when I send a request with "/LogRequest" in the path. It displays the request’s path and matched rule. View full details of the WAF log in the documentation.
Figure 3: Example WAF log
We use Notifications to send us the logs. Configure the setup with the following steps:
Navigate to Developer Services, and under Application Integration, select Notifications.
Create a topic.
Create a subscription. For simplicity, I’m using my email to subscribe to the topic.
To confirm that subscription is working, click Publish Message.
Figure 4: Notifications subscription test
Service Connector Hub orchestrates data movement between services in OCI. In each service connector, specify the source service containing the data to be moved, optional tasks, and the target service for delivery. Our setup uses the following parameters:
Source: Logging group and WAF logs previously configured
Task (Optional): Log filter task
Target: Notifications topic previously configured
As the name suggests, log filters are used to filter log data from the source. They’re optional, but I add one that filters for the BlogRule access rule I created, so I’m only notified when that rule is matched.
The basic UI mode allows you to create the filter using menus. I’ve had issues with this setup in the past, so I prefer to write the filter query myself in advanced mode. I’m using the following example filter query:
search "ocid1.compartment.oc1..aaaaaaaaqugc7rtnekl7pfebeyykrlapbe43dqbmdsjtntrpck6bxmlnmtwa/ocid1.loggroup.oc1.iad.amaaaaaawe6j4fqaxmlck7ixpr2k7l4kwcrkvrsshja5lbfop6ffqhst3hta/ocid1.log.oc1.iad.amaaaaaawe6j4fqac4yygnjddmotnaewfddhxtbjmy5om6x2xodqhyn7u7tq" | data.requestAccessControl.matchedRules='BlogRule'
I encourage you to use Log Search to confirm your query works properly.
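To make the filter step concrete, the following is an added example (not code from the original post or from Oracle) of what the log-filter task does: it parses a query of the same two-clause shape the post uses, `search "<compartment>/<log group>/<log>" | data.requestAccessControl.matchedRules='BlogRule'`, applies it to a few constructed WAF log records, and builds the message a subscriber would receive for each match. The envelope layout (an `oracle` block carrying `compartmentid`, `loggroupid` and `logid`) and the `data` shape of the records are assumptions made for the example, as are the placeholder OCIDs; the real Logging query language is far richer than the subset handled here.

```python
"""Offline stand-in for a Service Connector Hub log-filter task (added example)."""
import json
import re
from typing import Any

# Only the form used in the post is accepted: a search scope plus an optional
# field='value' condition. Anything else is rejected rather than guessed at.
QUERY_RE = re.compile(
    r'^\s*search\s+"(?P<scope>[^"]+)"\s*'
    r"(?:\|\s*(?P<field>[\w.]+)\s*=\s*'(?P<value>[^']*)'\s*)?$"
)


def parse_query(query: str) -> dict:
    """Split the query into its log scope and optional field='value' condition."""
    m = QUERY_RE.match(query)
    if not m:
        raise ValueError(f"unsupported query: {query!r}")
    scope = m.group("scope").split("/")
    if len(scope) != 3:
        raise ValueError("scope must be <compartment>/<log group>/<log>")
    return {"compartment": scope[0], "log_group": scope[1], "log": scope[2],
            "field": m.group("field"), "value": m.group("value")}


def lookup(record: dict, dotted: str) -> Any:
    """Resolve a dotted path such as data.requestAccessControl.matchedRules."""
    cur: Any = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(record: dict, q: dict) -> bool:
    """True when the record came from the queried log and meets the condition."""
    meta = record.get("oracle", {})  # assumed envelope layout
    if (meta.get("compartmentid"), meta.get("loggroupid"), meta.get("logid")) != (
            q["compartment"], q["log_group"], q["log"]):
        return False
    if q["field"] is None:
        return True
    actual = lookup(record, q["field"])
    # matchedRules is modelled as a list; a scalar field compares directly.
    return q["value"] in actual if isinstance(actual, list) else actual == q["value"]


# Constructed placeholder identifiers, not real OCIDs.
SCOPE = {"compartmentid": "ocid1.compartment.oc1..EXAMPLE",
         "loggroupid": "ocid1.loggroup.oc1.iad.EXAMPLE",
         "logid": "ocid1.log.oc1.iad.EXAMPLE"}
OTHER_LOG = dict(SCOPE, logid="ocid1.log.oc1.iad.OTHER")


def waf_record(path: str, rules: list, action: str, scope: dict = SCOPE) -> dict:
    """Build a constructed WAF log record in the assumed envelope/data shape."""
    return {"time": "2022-01-01T00:00:00Z",
            "oracle": dict(scope),
            "data": {"request": {"path": path},
                     "requestAccessControl": {"matchedRules": rules, "action": action}}}


SAMPLE_RECORDS = [
    waf_record("/LogRequest", ["BlogRule"], "CHECK"),             # should notify
    waf_record("/index.html", [], "ALLOW"),                       # no rule matched
    waf_record("/admin", ["OtherRule"], "ALLOW"),                 # a different rule
    waf_record("/LogRequest", ["BlogRule"], "CHECK", OTHER_LOG),  # wrong log
]

QUERY = ('search "ocid1.compartment.oc1..EXAMPLE/ocid1.loggroup.oc1.iad.EXAMPLE/'
         "ocid1.log.oc1.iad.EXAMPLE\" | data.requestAccessControl.matchedRules='BlogRule'")


def notifications_for(records: list, query: str) -> list:
    """Return one subject/body message per record that passes the filter."""
    q = parse_query(query)
    return [{"subject": f"WAF rule {q['value'] or 'any'} matched on {r['data']['request']['path']}",
             "body": json.dumps(r["data"], indent=2)}
            for r in records if matches(r, q)]


if __name__ == "__main__":
    for msg in notifications_for(SAMPLE_RECORDS, QUERY):
        print(msg["subject"])
        print(msg["body"])
```

Running it against the four constructed records yields a single message, for the "/LogRequest" hit on the scoped log; the record from the other log is dropped by the scope clause even though its rule name matches, which is the same reason the post's query names the full compartment/log group/log path before the condition.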
To test, I send a request to "/LogRequest" on my load balancer.
Figure 5: Sending test request
Shortly afterward, I receive an email.
Figure 6: Working log email
In this blog, we saw how we can use Logging, Service Connector Hub, and Notifications to send WAF logs to ourselves. We also added a log filter that lets us specify which logs we want to be notified about. In many use cases, you want to understand and monitor your WAF’s behavior, and if you want a single pane of glass, I encourage you to check out Integration of Regional WAF with Logging Analytics. This process flow isn’t limited to WAF; you can configure it for any log-emitting service.
If you want to try this lab for yourself, check out Oracle Cloud Infrastructure’s Free Tier with US$300 credits for a 30-day free trial. Free Tier also includes several Always Free services that are available for an unlimited time, even after your credits expire.
Cody is an Enterprise Cloud Architect for Oracle Cloud.