Integrate mobile application with WAF
Does traffic pass through the VS to the backend without an ASM policy?
If not, then most probably this is not a WAF issue and you need to configure the VS in a specific way.
Thanks, Ivan
Actually, I have tested that with ASM (not in blocking mode), but I noticed that the public IP does not reach the backend server. Because the first page in the app is a login page, when I try to enter my user and pass, a message shows "user name or pass not correct"; this is when the public IP is placed in the API URL. But when I replace the public IP with the backend IP in the API URL, the app works fine.
The idea of adding the public IP in the API URL is to pass traffic through the WAF, and that public IP should reach the backend IP. I don't know if this is the way of doing that or not.
Thanks
- Ivan_Chernenkii, May 02, 2020
Employee
Sorry, I am not sure that I fully understand your use case. Could you provide some examples of requests - what you send and what you expect?
I understand that you want to protect your mobile app with WAF, but again - does this configuration work without WAF? Could you check it? It will help us to better understand on which side we have an issue.
Thanks, Ivan
- THE_BLUE, May 16, 2020
Cirrostratus
Without WAF it is working fine, since the server IP is placed in the API URL.
My scenario is: I want to protect my application with WAF. I followed the normal process; I have created a virtual server, node, pool, policy.
I have assigned the public IP in the virtual server, placed the server IP in the node and assigned it to the pool, then assigned the pool to the virtual server with the policy. The change I made is that I have replaced the server IP with the public IP in the API URL, e.g.:
Old API URL: https://10.x.x.x/api
New API URL: https://82.x.x.x/api
82.x.x.x is the public IP in the virtual server.
But this scenario does not work.
The idea of the app is that you have to log in, then you can request annual leave.
But when I started the integration with WAF, when I try to access the app by entering the username and password, it shows an error and cannot verify the user/password.
And there is no block in WAF; blocking mode is not applied. So I think it is because I placed the public IP in the API URL, and that is why it cannot reach the server.
- Ivan_Chernenkii, May 19, 2020
Employee
So, now you have a VS with public api with WAF. Right?
- What happens if you remove the ASM policy from this VS? Does traffic pass to your server through the VS, or do you have the same problem?
- What error do you see when entering the username/password with WAF?
- Do you see any requests on "Security ›› Event Logs : Application : Requests" page? If yes, then with what status (legal, alarmed, blocked)?
- THE_BLUE, May 19, 2020
Cirrostratus
So, now you have a VS with public api with WAF. Right? Yes.
- What happens if you remove the ASM policy from this VS? Does traffic pass to your server through the VS, or do you have the same problem? I have not tried it.
- What error do you see when entering the username/password with WAF? Validation issue.
- Do you see any requests on "Security ›› Event Logs : Application : Requests" page? If yes, then with what status (legal, alarmed, blocked)? No traffic.
But if I try to access the API URL through a browser, e.g. https://82.x.x.x/api, I can see traffic in the event log, but with the mobile application no traffic is showing.
- Ivan_Chernenkii, May 19, 2020
Employee
OK, it seems I got you...
If you want to protect your mobile application with WAF policy, then:
- You need to configure Mobile Application in the Bot profile (starting from v14.1.0) or in the DoS profile (starting from v13.1.0 to v14.1.0).
- You need to attach this profile to the Virtual Server with the WAF policy.
For additional protection, you can integrate the Anti-Bot Mobile SDK into your application.
Thanks, Ivan