Wallarm Connector for MuleSoft Flex Gateway

This guide describes how to secure your Mule and non-Mule APIs managed by MuleSoft Flex Gateway using the Wallarm connector.

To use Wallarm as a connector for Flex Gateway, you need to deploy the Wallarm node externally and apply the Wallarm-provided policy in MuleSoft to route traffic to the Wallarm node for analysis.

The Wallarm connector for Flex Gateway supports both synchronous (in-line) and asynchronous (out-of-band) traffic analysis.

Use cases

Among all supported Wallarm deployment options, this solution is the recommended one for securing APIs managed by Flex Gateway.

Limitations

Requirements

To proceed with the deployment, ensure that you meet the following requirements:

  • Understanding of the MuleSoft platform.

  • Your application and API are linked and running on Flex Gateway.

  • Your MuleSoft user is enabled to upload artifacts to the MuleSoft Anypoint Platform account.

  • Access to the Administrator account in Wallarm Console for the US Cloud or EU Cloud.

  • Node.js 16.0.0+ and npm 7+ installed on your host system.

  • make installed on your host system.

  • Anypoint CLI 4.x installed on your host system.

  • Prerequisites for PDK CLI installed on your host system.

  • Docker installed and running on your host system.

  • Native Node version 0.16.0 or higher.

Deployment

1. Deploy a Wallarm node

The Wallarm node is a core component of the Wallarm platform that you need to deploy. It inspects incoming traffic, detects malicious activities, and can be configured to mitigate threats.

For the Flex Gateway connector, you can deploy the node only in your own infrastructure.

Choose an artifact for a self-hosted node deployment and follow the attached instructions:

Required Node version

Please note that the MuleSoft Flex Gateway connector is supported only by the Native Node version 0.16.0+.

2. Obtain and upload the Wallarm policy to MuleSoft Exchange

To acquire and upload the Wallarm policy to MuleSoft Exchange, follow these steps:

  1. Contact sales@wallarm.com to get the code bundle.

  2. Ensure the machine you will use to publish the policy meets all necessary requirements.

  3. Extract the policy archive.

  4. Navigate to MuleSoft Anypoint Platform → Access Management → Business Groups → choose your organization → copy its business group ID.

  5. In the extracted policy directory → Cargo.toml → [package.metadata.anypoint] → group_id, specify the copied group ID:

    ...
    [package.metadata.anypoint]
    group_id = "<BUSINESS_GROUP_ID>"
    definition_asset_id = "wallarm-custom-policy"
    implementation_asset_id = "wallarm-custom-policy-flex"
    ...
    
  6. Authenticate with Anypoint CLI in the same terminal session where you are working with the policy:

    anypoint-cli-v4 conf username <USERNAME>
    anypoint-cli-v4 conf password '<PASSWORD>'
    
  7. Build and publish the policy:

    make setup      # Installs dependencies and PDK CLI
    make build      # Builds the policy
    make release    # Publishes a new production version of the policy to Anypoint
    # or
    # make publish  # Publishes a development version of the policy to Anypoint
    

Your custom policy is now available in your MuleSoft Anypoint Platform Exchange.

3. Attach the Wallarm policy to your API

You can attach the Wallarm policy to either an individual API or all APIs.

  1. To apply the policy to an individual API, navigate to Anypoint Platform → API Manager → select the desired API → Policies → Add policy.

  2. To apply the policy to all APIs, go to Anypoint Platform → API Manager → Automated Policies → Add automated policy.

  3. Choose the Wallarm policy from Exchange.

  4. Specify the Wallarm node URL including http:// or https:// in the wallarm_node parameter.

  5. If necessary, modify other parameters.

  6. Apply the policy.

Configuration options

In the Wallarm policy settings for Flex Gateway, you can specify the following parameters:

| Parameter | Description | Required? |
| --- | --- | --- |
| wallarm_node | Sets the address of your Wallarm Node instance. | Yes |
| real_ip_header | Specifies which header to use to determine the original client IP address when behind a proxy or load balancer. Default: X-Forwarded-For. | Yes |
| wallarm_mode | Determines traffic handling mode: sync processes traffic through the Wallarm Node directly, while async analyzes a copy of the traffic without affecting the original flow. Default: sync. | Yes |
| fallback_action | Defines request handling behavior when the Wallarm node is down. Can be: pass (all requests are allowed through) or block (all requests are blocked with the 403 code). Default: pass. | Yes |
| parse_responses | Controls whether to analyze response bodies or not. It enables response schema discovery and enhanced attack and vulnerability detection capabilities. Default: true. | Yes |
| response_body_limit | Limits the size of the response body sent to the Wallarm node. Default: 4096 bytes. | No |
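
The following is an added example, not part of the Wallarm documentation or the policy code: a Python check over the parameters listed above that applies the documented defaults and reports the settings with security consequences (unencrypted node link, fail-open versus fail-closed fallback, analysis-only mode). Representing the policy settings as a dict, the audit_policy name and the sample host name are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Defaults taken from the configuration options table on this page.
DEFAULTS = {"real_ip_header": "X-Forwarded-For", "wallarm_mode": "sync",
            "fallback_action": "pass", "parse_responses": True,
            "response_body_limit": 4096}

def audit_policy(config):
    """Audit a dict of Wallarm policy parameters (the dict form is an assumption).

    Returns (effective_config, findings); each finding is (level, parameter, message).
    """
    cfg = {**DEFAULTS, **config}
    findings = []
    add = lambda level, param, msg: findings.append((level, param, msg))

    url = urlsplit(str(cfg.get("wallarm_node", "")))
    if url.scheme not in ("http", "https") or not url.hostname:
        add("error", "wallarm_node", "must be a URL that includes http:// or https://")
    elif url.scheme == "http":
        add("warn", "wallarm_node", "http:// sends the traffic under analysis to the node unencrypted")

    if cfg["wallarm_mode"] not in ("sync", "async"):
        add("error", "wallarm_mode", "must be sync or async")
    elif cfg["wallarm_mode"] == "async":
        add("info", "wallarm_mode", "async analyzes a copy of the traffic; the original flow is not affected")

    if cfg["fallback_action"] not in ("pass", "block"):
        add("error", "fallback_action", "must be pass or block")
    elif cfg["fallback_action"] == "pass":
        add("warn", "fallback_action", "fail-open: all requests are allowed through while the node is down")
    else:
        add("info", "fallback_action", "fail-closed: all requests get 403 while the node is down")

    if not isinstance(cfg["parse_responses"], bool):
        add("error", "parse_responses", "must be true or false")
    elif not cfg["parse_responses"]:
        add("warn", "parse_responses", "response bodies are not analyzed")
    return cfg, findings

if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    sample = {"wallarm_node": "http://wallarm-node.example.internal:5000"}
    for level, param, msg in audit_policy(sample)[1]:
        print(f"{level:5} {param}: {msg}")
```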

Testing

To test the functionality of the deployed policy, follow these steps:

  1. Send a request with a test Path Traversal attack to your API:

    curl http://<GATEWAY_URL>/etc/passwd
    
  2. Open Wallarm Console → Attacks section in the US Cloud or EU Cloud and make sure the attack is displayed in the list.

    If the Wallarm node mode is set to blocking and the traffic flows in-line, the request will also be blocked.

Troubleshooting

If the solution does not perform as expected, refer to the logs of your API by accessing MuleSoft Anypoint Platform → Runtime Manager → your application → Logs.

You can also verify whether the policy is applied to the API by navigating to your API in the API Manager and reviewing the policies applied on the Policies tab. For automated policies, you can use the See covered APIs option to view the APIs covered and the reasons for any exclusions.

Upgrading the policy

To upgrade the deployed Wallarm policy to a newer version:

  1. Download the updated Wallarm policy and upload it to MuleSoft Exchange, as described in Step 2.

  2. Once the new version appears in Exchange, go to API Manager → your API → Policies → Wallarm policy → Edit configuration → Advanced options and choose the new policy version from the dropdown.

  3. If the new version introduces additional parameters, provide the necessary values.

  4. Save changes.

If the Wallarm policy is applied as an automated policy, direct upgrades may not be possible. In such cases, remove the current policy and reapply the new version manually.

Policy upgrades may require a Wallarm node upgrade, especially for major version updates. See the Native Node changelog for the self-hosted Node release notes. Regular node updates are recommended to avoid deprecation and simplify future upgrades.

Uninstalling the policy

To uninstall the Wallarm policy, use the Remove policy option in either the automated policy list or the list of policies applied to an individual API.