Broadcom Layer7 API Gateways¶
Broadcom's Layer7 API Gateways is a solution for controlling and securing an organization's API traffic. With Wallarm, you can additionally secure the APIs managed by Layer7 API Gateways. This article explains how to integrate Layer7 API Gateways with Wallarm by deploying the Wallarm policy.
The Wallarm policy for Layer7 API Gateways supports only the out-of-band mode: the gateway keeps serving clients as before and sends a copy of each processed request to the Wallarm node for analysis. The diagram below shows the traffic flow for APIs on Layer7 API Gateways with the Wallarm policy applied.
Use cases¶
Among all supported Wallarm deployment options, this solution is the recommended one for the following use cases:
- Managing your APIs with the Layer7 API Gateways.
Limitations¶
The Layer7 API Gateways integration supports only out-of-band traffic analysis. Be aware that this method has certain limitations (in particular, the node can detect and report attacks but cannot block the original request), and those limitations also apply to this policy. More details are given in the out-of-band deployment documentation.
Requirements¶
To proceed with the deployment, ensure that you meet the following requirements:
- Understanding of the Layer7 API Gateways product.
- Your application and API are linked and running on Layer7 API Gateways.
Deployment¶
To secure APIs on Layer7 API Gateways using Wallarm, follow these steps:
- Deploy a Wallarm node using one of the available deployment options.
- Retrieve the node certificate (if needed).
- Create the Wallarm policy.
1. Deploy a Wallarm node¶
- Choose one of the supported Wallarm node deployment solutions or artifacts for the out-of-band deployment and follow the provided deployment instructions.
- Configure the deployed node using the following template:

```nginx
server {
    listen 443 ssl;

    ### SSL configuration here

    wallarm_mode monitoring;

    # Take the client address from the header the gateway policy adds, and
    # trust that header only when the copy comes from the gateway itself.
    # real_ip_header takes a literal header name, not an NGINX variable.
    real_ip_header    X-Wallarm-Real-IP;
    set_real_ip_from  <gateway address>;

    # Restore the original Host, which the gateway sends in this header.
    proxy_set_header Host $http_x_wallarm_forwarded_host;

    location / {
        proxy_pass http://localhost:8080;
    }
}

# Stub upstream: the node only analyzes the copy, it does not serve it.
server {
    listen 8080;

    location / {
        return 200;
    }
}
```

Pay attention to the following configuration points:
- TLS/SSL certificates for HTTPS traffic: to let the Wallarm node accept HTTPS traffic, configure the TLS/SSL certificates accordingly. The specific configuration depends on the chosen deployment method; for example, if you are using NGINX, refer to its TLS configuration article.
- Trusted source address: `set_real_ip_from` must contain the address of the gateway, so that the node accepts the client address from `X-Wallarm-Real-IP` only for copies sent by the gateway and not from anyone who can reach the node directly.
- Once the deployment is complete, make a note of the node instance IP, as you will need it later to set the address to which requests are forwarded.
2. TLS configuration (if needed)¶
This step is only needed if the node is deployed externally (for example, a Cloud node). If the node is deployed inside your own infrastructure, you may use plain HTTP, depending on your own security policies; keep in mind that the mirrored copies carry the full original requests, including cookies and other credentials, so plain HTTP is only acceptable on a network you trust.
- Access the Layer7 API Gateways UI.
- Go to Tasks → Certificates, Keys and Secrets → Manage Certificates.
- To retrieve the certificate from the node, use the Retrieve via SSL option with the node URI.
- If you use a self-signed certificate, open the certificate options and select Certificate is a Trust Anchor.
3. Create Wallarm policy¶
- Access the Layer7 API Gateways UI.
- For the corresponding server, select Create policy from the menu.
- Set Policy Type to Included Policy Fragment. Name it `wallarm-mirror`.
- Create the following XML file and import its content into the included policy fragment using the Import Policy button:

wallarm-mirror-failsafe.xml

```xml
<?xml version="1.0" encoding="UTF-8"?>
<exp:Export Version="3.0"
    xmlns:L7p="http://www.layer7tech.com/ws/policy"
    xmlns:exp="http://www.layer7tech.com/ws/policy/export"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy">
    <exp:References/>
    <wsp:Policy xmlns:L7p="http://www.layer7tech.com/ws/policy" xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy">
        <wsp:All wsp:Usage="Required">
            <L7p:CommentAssertion>
                <L7p:Comment stringValue="Policy Fragment: wallarm-mirror"/>
            </L7p:CommentAssertion>
            <L7p:AddHeader>
                <L7p:HeaderName stringValue="x-wallarm-forwarded-host"/>
                <L7p:HeaderValue stringValue="${cluster.hostname}"/>
                <L7p:RemoveExisting booleanValue="true"/>
            </L7p:AddHeader>
            <L7p:AddHeader>
                <L7p:HeaderName stringValue="x-wallarm-real-ip"/>
                <L7p:HeaderValue stringValue="${request.tcp.remoteAddress}"/>
                <L7p:RemoveExisting booleanValue="true"/>
            </L7p:AddHeader>
            <L7p:AddHeader>
                <L7p:HeaderName stringValue="x-wallarm-response-code"/>
                <L7p:HeaderValue stringValue="${response.http.status}"/>
                <L7p:RemoveExisting booleanValue="true"/>
            </L7p:AddHeader>
            <wsp:OneOrMore wsp:Usage="Required">
                <L7p:HttpRoutingAssertion>
                    <L7p:FailOnErrorStatus booleanValue="false"/>
                    <L7p:ForceIncludeRequestBody booleanValue="true"/>
                    <L7p:ProtectedServiceUrl stringValue="${wallarm_node_addr}/${request.url.path}?${request.url.query}"/>
                    <L7p:ProxyPassword stringValueNull="null"/>
                    <L7p:ProxyUsername stringValueNull="null"/>
                    <L7p:RequestHeaderRules httpPassthroughRuleSet="included">
                        <L7p:ForwardAll booleanValue="true"/>
                        <L7p:Rules httpPassthroughRules="included">
                            <L7p:item httpPassthroughRule="included">
                                <L7p:Name stringValue="Cookie"/>
                            </L7p:item>
                            <L7p:item httpPassthroughRule="included">
                                <L7p:Name stringValue="SOAPAction"/>
                            </L7p:item>
                        </L7p:Rules>
                    </L7p:RequestHeaderRules>
                    <L7p:RequestParamRules httpPassthroughRuleSet="included">
                        <L7p:ForwardAll booleanValue="true"/>
                        <L7p:Rules httpPassthroughRules="included"/>
                    </L7p:RequestParamRules>
                    <L7p:ResponseHeaderRules httpPassthroughRuleSet="included">
                        <L7p:ForwardAll booleanValue="true"/>
                        <L7p:Rules httpPassthroughRules="included">
                            <L7p:item httpPassthroughRule="included">
                                <L7p:Name stringValue="Set-Cookie"/>
                            </L7p:item>
                        </L7p:Rules>
                    </L7p:ResponseHeaderRules>
                    <L7p:ResponseMsgDest stringValue="wallarm_response"/>
                    <L7p:SamlAssertionVersion intValue="2"/>
                </L7p:HttpRoutingAssertion>
                <L7p:TrueAssertion/>
            </wsp:OneOrMore>
        </wsp:All>
    </wsp:Policy>
</exp:Export>
```
- Select Create policy for your server once again.
- Set Policy Type to Global Policy Fragment.
- Set Policy Tag to `message-completed`.

Using the `message-completed` tag: it is important to use the `message-completed` tag instead of `message-received`, so that the added headers are not injected into the actual user request. A `message-completed` policy runs after the request has already been processed by the service but before the response is sent to the client, so both the request copy and the response status code (`${response.http.status}`) are available to the fragment.

- Name the global policy fragment `message-completed`.
- In the created global policy fragment, use Set Context Variable: set Variable Name to `wallarm_node_addr` and Expression to the URL of the Wallarm node.
- Use Include Policy Fragment to include the previously created `wallarm-mirror` included policy fragment into your global policy fragment.
- Save and activate the policy.
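The following added example (Python, not Wallarm's or Broadcom's code) models what the global policy and the node front end from steps 1 and 3 do together, so the mirrored exchange can be inspected offline: it builds the copy of a processed request with the three `x-wallarm-*` headers (dropping any client-supplied ones, as `RemoveExisting` does), sends it to an in-process stub that stands in for the node's `listen 8080; return 200;` server, and swallows any delivery failure the way `OneOrMore` with `TrueAssertion` does. The host name, addresses and the sample path-traversal request are constructed for the demo; the mirror target is the node address plus the original path and query.

```python
"""Model of the wallarm-mirror policy fragment and the Wallarm node front end.

Added example, not code from Wallarm or Broadcom. A stub node runs
in-process; all names, addresses and the sample request are constructed.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Headers the fragment adds with RemoveExisting=true: client-supplied copies
# are dropped, so a caller cannot spoof its own address towards the node.
WALLARM_HEADERS = ("x-wallarm-forwarded-host", "x-wallarm-real-ip",
                   "x-wallarm-response-code")

received = []  # every mirrored request the stub node has seen


class StubNode(BaseHTTPRequestHandler):
    """Stands in for the node: records the copy, answers 200."""

    def _record(self):
        length = int(self.headers.get("Content-Length") or 0)
        received.append({
            "method": self.command,
            "target": self.path,
            "headers": {k.lower(): v for k, v in self.headers.items()},
            "body": self.rfile.read(length) if length else b"",
        })
        self.send_response(200)
        self.end_headers()

    do_GET = do_POST = do_PUT = do_DELETE = _record

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_stub_node():
    srv = HTTPServer(("127.0.0.1", 0), StubNode)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


def build_mirror(node_addr, forwarded_host, client_ip, response_status,
                 method, url, headers, body=b""):
    """The three AddHeader assertions plus the routing target of the copy."""
    parts = urlsplit(url)
    target = node_addr + parts.path
    if parts.query:
        target += "?" + parts.query
    out = {k: v for k, v in headers.items() if k.lower() not in WALLARM_HEADERS}
    out["X-Wallarm-Forwarded-Host"] = forwarded_host       # ${cluster.hostname}
    out["X-Wallarm-Real-IP"] = client_ip                   # ${request.tcp.remoteAddress}
    out["X-Wallarm-Response-Code"] = str(response_status)  # ${response.http.status}
    return urllib.request.Request(target, data=body or None, headers=out,
                                  method=method)


def mirror_failsafe(req, timeout=2.0):
    """Send the copy; never raise. Returns the node's status or None."""
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:     # FailOnErrorStatus=false
        return err.code
    except (urllib.error.URLError, OSError):  # node down: TrueAssertion wins
        return None


def demo():
    """Mirror a test path-traversal request, then retry with the node down."""
    srv, node_addr = start_stub_node()
    try:
        req = build_mirror(
            node_addr, "api.example.com", "203.0.113.7", 404, "GET",
            "https://api.example.com/users?id=../../../etc/passwd",
            {"User-Agent": "curl/8.4.0", "X-Wallarm-Real-IP": "10.0.0.1"})
        status = mirror_failsafe(req)
        seen = received[-1]
    finally:
        srv.shutdown()
        srv.server_close()
    # Same copy again with nothing listening: must not raise.
    down = mirror_failsafe(build_mirror(node_addr, "api.example.com",
                                        "203.0.113.7", 200, "GET",
                                        "https://api.example.com/", {}))
    return {"status": status, "seen": seen, "node_down": down}


if __name__ == "__main__":
    result = demo()
    print(result["status"], result["seen"]["target"], result["seen"]["headers"])
```

Two things are visible in the recorded copy that the page's configuration relies on: the `Host` header of the copy is the node's own address while the original host travels in `X-Wallarm-Forwarded-Host`, which is why the NGINX template rewrites `Host` from that header; and the spoofed `X-Wallarm-Real-IP: 10.0.0.1` supplied by the client never reaches the node. The `node_down` result shows that an unreachable node changes nothing on the client path.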
Testing¶
To test the functionality of the deployed policy, follow these steps:
- Send a request containing a test Path Traversal attack to your API.
- Open Wallarm Console → Attacks section in the US Cloud or EU Cloud and make sure the attack is displayed in the list.
Need assistance?¶
If you encounter any issues or require assistance with the described deployment of Wallarm's policy in conjunction with Layer7 API Gateways, you can reach out to the Wallarm support team. They are available to provide guidance and help resolve any problems you may face during the implementation process.