# Broadcom Layer7 API Gateways

Broadcom's [Layer7 API Gateways](https://www.broadcom.com/products/software/api-management/layer7-api-gateways) provide a robust solution for controlling and securing an organization's API traffic. Wallarm can function as a connector to enhance the security of APIs managed through Broadcom Layer7 API Gateways.

To use Wallarm as a connector for Broadcom Layer7 API Gateway, you need to **deploy the Wallarm Node externally** and **configure Wallarm policies on the gateway** to route traffic to the Wallarm Node for analysis.

The Broadcom connector supports only [in-line](https://docs.wallarm.com/installation/inline/overview.md) traffic flow.

## Use cases

This solution is recommended if you manage your APIs with Layer7 API Gateways.

## Limitations

* When deploying the Wallarm service with the `LoadBalancer` type using the [Helm chart](https://docs.wallarm.com/installation/native-node/helm-chart.md), a **trusted** SSL/TLS certificate is required for the domain. Self-signed certificates are not yet supported.
* [Custom blocking page and blocking code](https://docs.wallarm.com/admin-en/configuration-guides/configure-block-page-and-code.md) configurations are not yet supported.
    
    All [blocked](https://docs.wallarm.com/admin-en/configure-wallarm-mode.md) malicious traffic is returned with status code `403` and the default block page.
* [Rate limiting](https://docs.wallarm.com/user-guides/rules/rate-limiting.md) by Wallarm rules is not supported.
    
    Rate limiting cannot be enforced on the Wallarm side for this connector. If you need rate limiting, use the features built into your API gateway or cloud platform.
* [Multitenancy](https://docs.wallarm.com/installation/multi-tenant/overview.md) is not supported on Security Edge hosting, but it is supported for a self-hosted node deployed with the connector.

## Requirements

To proceed with the deployment, ensure that the following requirements are met:

* Understanding of the Broadcom Layer7 API Gateways product.
* Your application and API are linked and running on Broadcom Layer7 API Gateways.
* Broadcom Policy Manager is installed and connected to the Broadcom Gateway.

## Deployment

### 1. Deploy a Wallarm Node

The Wallarm Node is a core component of the Wallarm platform that you need to deploy. It inspects incoming traffic, detects malicious activities, and can be configured to mitigate threats.

You need to deploy it in your own infrastructure as a separate service using one of the following artifacts:

* [All-in-one installer](https://docs.wallarm.com/installation/native-node/all-in-one.md) for Linux infrastructures on bare metal or VMs
* [Docker image](https://docs.wallarm.com/installation/native-node/docker-image.md) for environments that use containerized deployments
* [AWS AMI](https://docs.wallarm.com/installation/native-node/aws-ami.md) for AWS infrastructures
* [Helm chart](https://docs.wallarm.com/installation/native-node/helm-chart.md) for infrastructures utilizing Kubernetes

### 2. Add the Node's SSL/TLS certificate to the Policy Manager

To enable the Broadcom Gateway to route traffic to the Wallarm Node over HTTPS, add the Node's SSL/TLS certificate to the Policy Manager:

1. Open Broadcom Policy Manager → **Tasks** → **Certificates, Keys and Secrets** → **Manage Certificates**.
1. Click **Add** → **Retrieve via SSL** and specify the [Wallarm Node's address](#1-deploy-a-wallarm-node).
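
Before retrieving the certificate in Policy Manager, you can check from a shell whether the certificate the Node presents is self-signed or chains to a trusted CA, which matters for the `LoadBalancer` limitation listed above. The script below is an added example, not part of the Wallarm or Broadcom tooling; it assumes the `openssl` CLI is installed, and `node.example.internal` and `node.pem` are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not Wallarm or Broadcom code. Requires the openssl CLI.
# node.example.internal and node.pem below are placeholders.

# Print the PEM certificate a TLS endpoint presents (needs network access).
fetch_node_cert() {
  local host=$1 port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null |
    openssl x509 -outform PEM
}

# Classify a PEM certificate as "self-signed", "trusted" or "untrusted".
#   $1 = certificate file, $2 = optional CA bundle (default: system trust store)
# Heuristic: a certificate whose subject equals its issuer is reported as self-signed.
classify_cert() {
  local cert=$1 ca=${2:-} subject issuer
  subject=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
  issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
  if [ "$subject" = "$issuer" ]; then
    echo "self-signed"
    return 0
  fi
  # Build the argument list for `openssl verify`, adding the CA bundle if given.
  if [ -n "$ca" ]; then
    set -- -CAfile "$ca" "$cert"
  else
    set -- "$cert"
  fi
  if openssl verify "$@" >/dev/null 2>&1; then
    echo "trusted"
  else
    echo "untrusted"
  fi
}

# Usage against a live Node:
#   fetch_node_cert node.example.internal 443 > node.pem
#   classify_cert node.pem
```

`fetch_node_cert` saves only the leaf certificate, so a certificate issued through an intermediate CA reports `untrusted` unless the bundle passed as the second argument contains the issuing chain.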

### 3. Obtain and deploy Wallarm policies

To configure the Broadcom Gateway to route traffic through the Wallarm Node:

1. Contact sales@wallarm.com to get the Wallarm policy code bundles.
1. Open Broadcom Policy Manager → your Broadcom Gateway's menu → **Create Policy** and add 2 policies:

    * **Request forwarding policy**: Assign the `Global Policy Fragment` type and `message-received` tag.

        ![](https://docs.wallarm.com/images/waf-installation/gateways/layer7/request-policy.png)
    
    * **Response forwarding policy**: Assign the `Global Policy Fragment` type and `message-completed` tag.
    
        ![](https://docs.wallarm.com/images/waf-installation/gateways/layer7/response-policy.png)
1. <a name="import-new-broadcom-policies"></a>For the request forwarding policy (`forward-requests-to-wallarm` in this example):

    1. Import the `wallarm-request-blocking.xml` file.
    1. Specify the [Wallarm Node instance](#1-deploy-a-wallarm-node) address in the `wlrm-node-addr` parameter.
    1. **Save and Activate** the policy.

    ![](https://docs.wallarm.com/images/waf-installation/gateways/layer7/request-policy-assertion.png)
1. For the response forwarding policy (`forward-responses-to-wallarm` in this example):

    1. Import the `wallarm-response.xml` file.
    1. **Save and Activate** the policy.

## Testing

To test the functionality of the deployed policy, follow these steps:

1. Send the request with the test [Path Traversal](https://docs.wallarm.com/attacks-vulns-list.md#path-traversal) attack to your Gateway address:

    ```
    curl http://<YOUR_GATEWAY_ADDRESS>/etc/passwd
    ```
1. Open Wallarm Console → **Attacks** section in the [US Cloud](https://us1.my.wallarm.com/attacks), [EU Cloud](https://my.wallarm.com/attacks), or [ME Cloud](https://me1.my.wallarm.com/attacks) and make sure the attack is displayed in the list.
    
    ![Attacks in the interface](https://docs.wallarm.com/images/admin-guides/test-attacks-quickstart.png)

    If the Wallarm Node mode is set to [blocking](https://docs.wallarm.com/admin-en/configure-wallarm-mode.md), the request will also be blocked.

## Upgrading the Wallarm policies

To upgrade the Wallarm policies deployed on Broadcom to a [newer version](https://docs.wallarm.com/installation/connectors/code-bundle-inventory.md#broadcom-layer7-api-gateway):

1. Contact sales@wallarm.com to get the updated code bundle.
1. Import the updated policy files into the existing policy instances in Policy Manager as described in the [deployment steps](#import-new-broadcom-policies).
1. Configure the policy parameters with the correct values.
1. **Save and Activate** the updated policies.

Policy upgrades may require a Wallarm Node upgrade, especially for major version updates. See the [Wallarm Native Node changelog](https://docs.wallarm.com/updating-migrating/native-node/node-artifact-versions.md) for release updates and upgrade instructions. Regular node updates are recommended to avoid deprecation and simplify future upgrades.
