Skip to content

What is new in Wallarm node (if upgrading node 2.18 or lower)

This page lists the changes available when upgrading the node 2.18 up to version 3.6. Listed changes are available for both the regular (client) and multi-tenant Wallarm nodes.

Wallarm nodes 2.18 and lower are deprecated

Wallarm nodes 2.18 and lower are recommended to be upgraded since they are deprecated.

Node configuration and traffic filtration have been significantly simplified in the Wallarm node of version 3.6. Some settings of node 3.6 are incompatible with the nodes of older versions. Before upgrading the modules, please carefully review the list of changes and general recommendations.

Supported installation options

  • Wallarm Ingress controller based on the latest version of Community Ingress NGINX Controller, 1.1.3.

    Instructions on migrating to the Wallarm Ingress controller 3.6 →

  • Added support for AlmaLinux, Rocky Linux and Oracle Linux 8.x instead of the deprecated CentOS 8.x.

    Wallarm node packages for the alternative operating systems will be stored in the CentOS 8.x repository.

  • Added support for CloudLinux OS 6.x

  • Added support for Debian 11 Bullseye

  • Dropped support for the operating system Ubuntu 16.04 LTS (xenial)

  • Version of Envoy used in Wallarm Envoy-based Docker image has been increased to 1.18.4

See the full list of supported installation options →

System requirements for the filtering node installation

Starting with version 3.x, the filtering node supports IP address allowlisting, denylisting, and graylisting. Wallarm Console allows adding both single IPs and countries or data centers to any IP list type.

The Wallarm node downloads an actual list of IP addresses registered in allowlisted, denylisted, or graylisted countries, regions or data centers from GCP storage. By default, access to this storage can be restricted in your system. Allowing access to GCP storage is a new requirement for the virtual machine to install the filtering node.

Range of GCP IP addresses that should be allowed →

Filtration modes

  • New safe blocking filtration mode.

    This mode enables a significant reduction of false positive number by blocking only malicious requests originating from graylisted IP addresses.

  • Analysis of request sources is now performed only in the safe_blocking and block modes.

    • If the Wallarm node operating in the off or monitoring mode detects the request originating from the denylisted IP, it does not block this request.
    • Wallarm node operating in the monitoring mode uploads all the attacks originating from the allowlisted IP addresses to the Wallarm Cloud.

More details on Wallarm node modes →

Request source control

The following parameters for request source control have been deprecated:

There are the following new features for request source control:

  • Wallarm Console section for full IP address allowlist, denylist and graylist control.

  • Support for new filtration mode safe_blocking and IP address graylists.

    The safe blocking mode enables a significant reduction of false positive number by blocking only malicious requests originating from graylisted IP addresses.

    For automatic IP address graylisting there is a new trigger Add to graylist released.

  • Automated allowlisting of Wallarm Vulnerability Scanner IP addresses. Manual allowlisting of Scanner IP addresses is no longer required.

  • Ability to allowlist, denylist, or graylist a subnet, Tor network IPs, VPN IPs, a group of IP addresses registered in a specific country, region or data center.

  • Ability to allowlist, denylist, or graylist request sources for specific applications.

  • New NGINX directive and Envoy parameter disable_acl to disable request origin analysis.

    Details on the disable_acl NGINX directive →

    Details on the disable_acl Envoy parameter →

Details on adding IPs to the allowlist, denylist, and graylist →

New module for API inventory discovery

New Wallarm nodes are distributed with the module API Discovery automatically identifying the application API. The module is disabled by default.

Details on the API Discovery module →

Support of the libdetection library in the Envoy-based nodes

The libdetection library is now supported in the Envoy-based Wallarm nodes. This library additionally validates the SQL Injection attacks to confirm detected malicious payloads. If the payload is not confirmed by the libdetection library, the request is considered to be legitimate. This library reduces the number of false positives among the SQL Injection attacks.

By default, the library libdetection is disabled. To improve the attack detection, we recommend enabling it.

Details on the libdetection library →

The rule enabling the overlimit_res attack detection fine-tuning

We have introduced the new rule allowing the overlimit_res attack detection fine-tuning.

The overlimit_res attack detection fine-tuning via the NGINX and Envoy configuration files is considered to be the deprecated way:

  • The rule allows setting up a single request processing time limit as the wallarm_process_time_limit NGINX directive and process_time_limit Envoy parameter did before.

  • The rule allows to block or pass the overlimit_res attacks in accordance with the node filtration mode instead of the wallarm_process_time_limit_block NGINX directive and process_time_limit_block Envoy parameter configuration.

The listed directives and parameters have been deprecated and will be deleted in future releases. It is recommended to transfer the overlimit_res attack detection configuration from directives to the rule before. Relevant instructions are provided for each node deployment option.

If the listed parameters are explicitly specified in the configuration files and the rule is not created yet, the node processes requests as set in the configuration files.

New blocking page

The sample blocking page /usr/share/nginx/html/wallarm_blocked.html has been updated. In the new node version, it has new layout and supports the logo and support email customization.

New blocking page with the new layout looks as follows by default:

Wallarm blocking page

More details on the blocking page setup →

New parameters for basic node setup

Renamed parameters, files and metrics

  • The following NGINX directives and Envoy parameters have been renamed:

    Parameters with previous names are still supported but will be deprecated in future releases. The parameter logic has not changed.

  • The Ingress annotation nginx.ingress.kubernetes.io/wallarm-instance has been renamed to nginx.ingress.kubernetes.io/wallarm-application.

    The annotation with the previous name is still supported but will be deprecated in future releases. The annotation logic has not changed.

  • The file with the custom ruleset build /etc/wallarm/lom has been renamed to /etc/wallarm/custom_ruleset. In the file system of new node versions, there is only the file with the new name.

    Default values of the NGINX directive wallarm_custom_ruleset_path and Envoy parameter custom_ruleset have been changed appropriately. New default value is /etc/wallarm/custom_ruleset.

  • The collectd metric gauge-lom_id has been renamed to gauge-custom_ruleset_id.

    In new node versions, the collectd service collects both the deprecated and new metrics. The deprecated metric collection will be stopped in future releases.

    All collectd metrics →

Parameters of the statistics service

  • The number of requests originating from denylisted IPs is now displayed in the statistic service output, in the new parameter blocked_by_acl and in the existing parameters requests, blocked.

  • The following node statistics parameters have been renamed:

    • lom_apply_timecustom_ruleset_apply_time
    • lom_idcustom_ruleset_id

    In new node versions, the http://127.0.0.8/wallarm-status endpoint temporarily returns both the deprecated and new parameters. The deprecated parameters will be removed from the service output in future releases.

Details on the statistics service →

Increasing the performance by omitting attack search in requests from denylisted IPs

The new wallarm_acl_access_phase directive enables you to increase the Wallarm node performance by omitting the attack search stage during the analysis of requests from denylisted IPs. This configuration option is useful if there are many denylisted IPs (e.g. the whole countries) producing high traffic that heavily loads the working machine CPU.

Upgrade process

  1. Review recommendations for the modules upgrade.

  2. Upgrade installed modules following the instructions for your Wallarm node deployment option:

  3. Migrate allowlist and denylist configuration from previous Wallarm node versions to 3.6.


Other updates in Wallarm products and components →