
Mulesoft with Wallarm Policy

MuleSoft is an integration platform that enables seamless connectivity and data integration between services with an API gateway serving as the entry point for client applications to access APIs. With Wallarm, you can secure APIs on the Mulesoft Anypoint platform using the Wallarm policy. This article explains how to attach and utilize the policy.

The Wallarm policy for MuleSoft supports both in-line and out-of-band modes. The diagrams below show the traffic flow for APIs on the MuleSoft Anypoint platform with the Wallarm policy applied.

If Wallarm is configured to block malicious activity:

[Diagram: Mulesoft with Wallarm policy]

The solution involves deploying the Wallarm node externally and injecting custom code or policies into the specific platform. This enables traffic to be directed to the external Wallarm node for analysis and protection against potential threats. These injected components, referred to as Wallarm's connectors, serve as the essential link between platforms like Azion Edge, Akamai Edge, Mulesoft, Apigee, and AWS Lambda, and the external Wallarm node. This approach ensures seamless integration, secure traffic analysis, risk mitigation, and overall platform security.

Use cases

Among all supported Wallarm deployment options, this solution is the recommended one for the following use cases:

  • Securing APIs deployed on the MuleSoft Anypoint platform with only one policy.

  • Requiring a security solution that offers comprehensive attack observation, reporting, and instant blocking of malicious requests (in the in-line mode).

Limitations

The MuleSoft integration does not allow the Wallarm node to fully analyze responses, which creates some limitations:

When applying the policy for out-of-band traffic analysis, be aware that this method has certain limitations, which also apply to the policy. More details can be found at the provided link.

Requirements

To proceed with the deployment, ensure that you meet the following requirements:

  • Understanding of the Mulesoft platform.

  • Maven (mvn) 3.8 or an earlier version is installed. Higher versions of Maven may encounter compatibility issues with the Mule plugin.

  • You have been assigned the Mulesoft Exchange contributor's role, enabling you to upload artifacts to your organization's Mulesoft Anypoint Platform account.

  • Your Mulesoft Exchange credentials (username and password) are specified in the <MAVEN_DIRECTORY>/conf/settings.xml file.

  • Your application and API are linked and running on Mulesoft.

Deployment

To secure APIs on the Mulesoft Anypoint platform using Wallarm policy, follow these steps:

  1. Deploy a Wallarm node using one of the available deployment options.

  2. Obtain the Wallarm policy and upload it to Mulesoft Exchange.

  3. Attach the Wallarm policy to your API.

1. Deploy a Wallarm node

  1. Choose one of the supported Wallarm node deployment solutions or artifacts for the in-line deployment and follow the provided deployment instructions.

  2. Configure the deployed node using the following template:

    server {
        listen 80;
    
        server_name _;
    
        access_log off;
        wallarm_mode off;
    
        location / {
            proxy_set_header Host $http_x_forwarded_host;
            proxy_pass http://unix:/tmp/wallarm-nginx.sock;
        }
    }
    
    server {
        listen 443 ssl;
    
        server_name yourdomain-for-wallarm-node.tld;
    
        ### SSL configuration here
    
        access_log off;
        wallarm_mode off;
    
        location / {
            proxy_set_header Host $http_x_forwarded_host;
            proxy_pass http://unix:/tmp/wallarm-nginx.sock;
        }
    }
    
    
    server {
        listen unix:/tmp/wallarm-nginx.sock;
    
        server_name _;
    
        wallarm_mode monitoring;
        #wallarm_mode block;
    
        real_ip_header X-REAL-IP;
        set_real_ip_from unix:;
    
        location / {
            echo_read_request_body;
        }
    }
    

    Pay attention to the following configuration points:

    • TLS/SSL certificates for HTTPS traffic: To enable the Wallarm node to handle secure HTTPS traffic, configure the TLS/SSL certificates accordingly. The specific configuration will depend on the chosen deployment method. For example, if you are using NGINX, you can refer to its article for guidance.
    • Wallarm operation mode configuration.

      When using out-of-band traffic analysis, Wallarm can only operate in monitoring mode because it cannot block malicious requests. Regardless of the wallarm_mode directive's setting, except for off, the node will continue to monitor and record only malicious traffic.

  3. Once the deployment is complete, make a note of the node instance IP as you will need it later to set the address for incoming request forwarding.
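
A check of the mode split in the template above, as an added example (not Wallarm's code): the public servers keep wallarm_mode off and forward to the unix-socket server, which is the only place where analysis is enabled. The function names and the reduced sample configuration are constructed for illustration.

```python
import re
# Constructed sample: the template above reduced to the directives the check reads.
SAMPLE_CONF = """
server {
    listen 443 ssl;
    wallarm_mode off;
    location / {
        proxy_pass http://unix:/tmp/wallarm-nginx.sock;
    }
}
server {
    listen unix:/tmp/wallarm-nginx.sock;
    wallarm_mode monitoring;
    #wallarm_mode block;
    location / {
        echo_read_request_body;
    }
}
"""

def server_blocks(conf):
    # Yield the body of every server { ... } block, with comments removed.
    conf = re.sub(r"#[^\n]*", "", conf)
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):          # walk to the matching brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def directive(block, name):
    # Value of the first `name ...;` directive in the block, or None.
    m = re.search(rf"^\s*{name}\s+([^;]+);", block, re.M)
    return m.group(1).strip() if m else None

def check_modes(conf):
    # List deviations from the template's front/analysis split.
    findings = []
    for block in server_blocks(conf):
        listen = directive(block, "listen") or "?"
        mode = directive(block, "wallarm_mode")
        if listen.startswith("unix:"):
            if mode in (None, "off"):
                findings.append(f"{listen}: wallarm_mode is {mode}; the template sets monitoring or block here")
        elif mode != "off":
            findings.append(f"{listen}: template sets wallarm_mode off on front servers")
        elif "proxy_pass http://unix:" not in block:
            findings.append(f"{listen}: no proxy_pass to the unix-socket server")
    return findings
```

An empty result from `check_modes` means the configuration follows the template's layout; it says nothing about TLS settings, which the check does not read.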

2. Obtain and upload the Wallarm policy to Mulesoft Exchange

To acquire and upload the Wallarm policy to Mulesoft Exchange, follow these steps:

  1. Contact support@wallarm.com to obtain the Wallarm Mulesoft policy.

  2. Extract the policy archive once you receive it.

  3. Navigate to the policy directory:

    cd <POLICY_DIRECTORY>/wallarm
    
  4. In the pom.xml file, set the groupId parameter at the top of the file to your Mulesoft Business Group ID.

    You can find your organization ID by navigating to Mulesoft Anypoint Platform → Access Management → Business Groups → choose your organization → copy its ID.

  5. In your Maven .m2 directory, update the settings.xml file with your Exchange credentials:

    <?xml version="1.0" encoding="UTF-8"?>
    <settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 http://maven.apache.org/xsd/settings-1.0.0.xsd">
      <servers>
        <server>
          <id>exchange-server</id>
          <username>myusername</username>
          <password>mypassword</password>
        </server>
      </servers>
    </settings>
    
  6. Deploy the policy to Mulesoft using the following command:

    mvn clean deploy
    

Your custom policy is now available in your Mulesoft Anypoint Platform Exchange.
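
Step 5 places Exchange credentials in settings.xml, so that file is worth auditing on the build host. The following added example (not part of the Wallarm policy or the original page) reports group/other file permissions and a plaintext `<password>` for the `exchange-server` entry. It accepts a value in Maven's encrypted `{...}` form; whether the Exchange upload works with an encrypted password is an assumption to verify, and the sample XML is constructed from the template above.

```python
import os, re, stat, tempfile
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/SETTINGS/1.0.0"}
# Maven writes an encrypted server password wrapped in braces: {...}
ENCRYPTED = re.compile(r"\{[^{}]+\}")

# Constructed sample mirroring the settings.xml template on this page.
SAMPLE = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers><server>
    <id>exchange-server</id>
    <username>myusername</username>
    <password>mypassword</password>
  </server></servers>
</settings>"""

def audit_settings(path, server_id="exchange-server"):
    """Return findings for the Exchange credentials stored in settings.xml."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other permission bit is set
        findings.append(f"file mode {mode:o} lets other local users access it")
    root = ET.parse(path).getroot()
    servers = [s for s in root.findall("m:servers/m:server", NS)
               if s.findtext("m:id", "", NS).strip() == server_id]
    if not servers:
        findings.append(f"no <server> with id {server_id}")
    for server in servers:
        password = server.findtext("m:password", "", NS).strip()
        if not password:
            findings.append("password element is empty or missing")
        elif not ENCRYPTED.search(password):
            findings.append("password is stored in plaintext")
    return findings

if __name__ == "__main__":
    # Write the constructed sample to a temporary file and audit it.
    with tempfile.NamedTemporaryFile("w", suffix=".xml", delete=False) as f:
        f.write(SAMPLE)
    print(audit_settings(f.name))
    os.unlink(f.name)
```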


3. Attach the Wallarm policy to your API

You can attach the Wallarm policy to either all APIs or an individual API.

Attaching the policy to all APIs

To apply the Wallarm policy to all APIs using Mulesoft's Automated policy option, follow these steps:

  1. In your Anypoint Platform, navigate to API Manager → Automated Policies.

  2. Click Add automated policy and select the Wallarm policy from Exchange.

  3. Specify WLRM REPORTING ENDPOINT, which is the IP address of the Wallarm node instance, including the http:// or https:// prefix.

  4. If necessary, modify the maximum time period for Wallarm to process a single request by changing the value of WALLARM NODE REQUEST TIMEOUT.

  5. Apply the policy.


Attaching the policy to an individual API

To secure an individual API with the Wallarm policy, follow these steps:

  1. In your Anypoint Platform, navigate to API Manager and select the desired API.

  2. Navigate to Policies → Add policy and select the Wallarm policy.

  3. Specify WLRM REPORTING ENDPOINT, which is the IP address of the Wallarm node instance, including the http:// or https:// prefix.

  4. If necessary, modify the maximum time period for Wallarm to process a single request by changing the value of WALLARM NODE REQUEST TIMEOUT.

  5. Apply the policy.


Testing

To test the functionality of the deployed policy, follow these steps:

  1. Send the request with the test Path Traversal attack to your API:

    curl http://<YOUR_APP_IP_OR_DOMAIN>/etc/passwd
    
  2. Open Wallarm Console → Attacks section in the US Cloud or EU Cloud and make sure the attack is displayed in the list.


    If the Wallarm node mode is set to blocking and the traffic flows in-line, the request will also be blocked.

If the solution does not perform as expected, refer to the logs of your API by accessing Mulesoft Anypoint Platform → Runtime Manager → your application → Logs.

You can also verify whether the policy is applied to the API by navigating to your API in the API Manager and reviewing the policies applied on the Policies tab. For automated policies, you can use the See covered APIs option to view the APIs covered and the reasons for any exclusions.

Updating and uninstalling

To update the deployed Wallarm policy, follow these steps:

  1. Remove the currently deployed Wallarm policy using the Remove policy option in either the automated policy list or the list of policies applied to an individual API.

  2. Add the new policy following the steps 2-3 above.

  3. Restart the attached applications in the Runtime Manager to apply the new policy.

To uninstall the policy, simply perform the first step of the update process.

Need assistance?

If you encounter any issues or require assistance with the described deployment of Wallarm's policy in conjunction with MuleSoft, you can reach out to the Wallarm support team. They are available to provide guidance and help resolve any problems you may face during the implementation process.