Deploying the Native Node with All-in-One Installer

The Wallarm Native Node, which operates independently of NGINX, is designed for Wallarm connector self-hosted deployment and TCP traffic mirror analysis. You can run the Native Node on a virtual machine with a Linux OS using the all-in-one installer.

Use cases and deployment modes

Requirements

The machine intended for running the Native Node with the all-in-one installer must meet the following criteria:

  • Linux OS.

  • x86_64/ARM64 architecture.

  • Executing all commands as a superuser (e.g. root).

  • Outbound access to:

    • https://meganode.wallarm.com to download the Wallarm installer
    • https://us1.api.wallarm.com or https://api.wallarm.com for US/EU Wallarm Cloud
    • IP addresses below for downloading updates to attack detection rules and API specifications, as well as retrieving precise IPs for your allowlisted, denylisted, or graylisted countries, regions, or data centers

      34.96.64.17
      34.110.183.149
      35.235.66.155
      34.102.90.100
      34.94.156.115
      35.235.115.105
      
      34.160.38.183
      34.144.227.90
      34.90.110.226
      
  • When running the node in the connector-server mode, a trusted SSL/TLS certificate for the machine's domain should be issued and uploaded to the machine along with the private key.

  • When running the node in the tcp-capture mode:

    • Traffic and response mirroring must be configured with both source and target set up, and the prepared instance chosen as a mirror target. Specific environment requirements must be met, such as allowing specific protocols for traffic mirroring configurations.
    • Mirrored traffic is tagged with either VLAN (802.1q), VXLAN, or SPAN.
  • In addition to the above, you should have the Administrator role assigned in Wallarm Console.

Limitations

  • When using the all-in-one installer in connector-server mode, a trusted SSL/TLS certificate is required for the machine's domain. Self-signed certificates are not yet supported.

  • Custom blocking page and blocking code configurations are not yet supported.

  • Rate limiting by the Wallarm rule is not supported.

  • Multitenancy is not supported yet.

Installation

1. Prepare Wallarm token

To install the node, you need a token for registering the node in the Wallarm Cloud. To prepare a token:

  1. Open Wallarm Console → Settings → API tokens in the US Cloud or EU Cloud.

  2. Find or create an API token with the Deploy source role.

  3. Copy this token.

2. Download Wallarm installer

Download the Wallarm installation script and make it executable.

For the x86_64 installer version:

curl -O https://meganode.wallarm.com/native/aio-native-0.12.0.x86_64.sh
chmod +x aio-native-0.12.0.x86_64.sh

For the ARM64 installer version:

curl -O https://meganode.wallarm.com/native/aio-native-0.12.0.aarch64.sh
chmod +x aio-native-0.12.0.aarch64.sh

3. Prepare the configuration file

Create the wallarm-node-conf.yaml file on the machine with the minimal configuration for your mode.

For the connector-server mode:

version: 2

mode: connector-server

connector:
  address: ":5050"
  tls_cert: path/to/tls-cert.crt
  tls_key: path/to/tls-key.key

In connector.tls_cert and connector.tls_key, specify the paths to the trusted certificate and private key issued for the machine's domain.

For the tcp-capture mode:

version: 3

mode: tcp-capture

goreplay:
  filter: 'enp7s0:'
  extra_args:
    - -input-raw-engine
    - vxlan

In the goreplay.filter parameter, you specify the network interface to capture traffic from. To check network interfaces available on the host:

ip addr show

All configuration parameters
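A pre-flight check of the configuration file before the installer runs, as an added example that is not part of the Wallarm documentation or tooling: it reads the mode, then checks that the certificate and key are readable and the key is not accessible to every local user (connector-server), or that the capture interface exists (tcp-capture). The helper names conf_get and check_conf are hypothetical, and the parser assumes the flat layout of the minimal configurations above.

```bash
#!/usr/bin/env bash
# Added example, not Wallarm tooling: pre-flight check of wallarm-node-conf.yaml.
# conf_get and check_conf are hypothetical helpers that only understand the flat
# layout of the minimal configurations shown above.

# conf_get FILE SECTION KEY -> value of KEY under top-level SECTION ("" = top level)
conf_get() {
  awk -v sec="$2" -v key="$3" '
    function val(s) { sub(/^[^:]*: */, "", s); return s }
    /^[A-Za-z_]+:/ {                      # top-level keys start in column 0
      cur = $0; sub(/:.*/, "", cur)
      if (sec == "" && cur == key) { print val($0); exit }
      next
    }
    sec != "" && cur == sec && $1 == (key ":") { print val($0); exit }
  ' "$1" | tr -d "'\""                    # strip YAML quotes around the value
}

# check_conf FILE -> 0 if the file passes; otherwise prints each problem, returns 1
check_conf() {
  local conf=$1 mode cert key iface rc=0
  mode=$(conf_get "$conf" "" mode)
  case $mode in
    connector-server)
      cert=$(conf_get "$conf" connector tls_cert)
      key=$(conf_get "$conf" connector tls_key)
      [ -r "$cert" ] || { echo "tls_cert not readable: $cert"; rc=1; }
      if [ ! -r "$key" ]; then
        echo "tls_key not readable: $key"; rc=1
      else
        # The last octal digit of the file mode is what "others" may do.
        case $(stat -c '%a' "$key") in
          *[1-7]) echo "tls_key is accessible to every local user: $key"; rc=1 ;;
        esac
      fi ;;
    tcp-capture)
      # Assumption: the interface name is the part of goreplay.filter before ":".
      iface=$(conf_get "$conf" goreplay filter); iface=${iface%%:*}
      [ -e "/sys/class/net/$iface" ] || { echo "interface not found: $iface"; rc=1; }
      ;;
    *) echo "unsupported mode: '$mode'"; rc=1 ;;
  esac
  return $rc
}

# Usage: sudo bash preflight.sh wallarm-node-conf.yaml
if [ -n "${1:-}" ]; then check_conf "$1"; fi
```

Relative paths in the configuration file are resolved against the directory the check is run from.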

4. Run the installer

For the connector-server mode, x86_64 installer version:

# US Cloud
sudo env WALLARM_LABELS='group=<GROUP>' ./aio-native-0.12.0.x86_64.sh -- --batch --token <API_TOKEN> --mode=connector-server --go-node-config=<PATH_TO_CONFIG> --host us1.api.wallarm.com

# EU Cloud
sudo env WALLARM_LABELS='group=<GROUP>' ./aio-native-0.12.0.x86_64.sh -- --batch --token <API_TOKEN> --mode=connector-server --go-node-config=<PATH_TO_CONFIG> --host api.wallarm.com

For the connector-server mode, ARM64 installer version:

# US Cloud
sudo env WALLARM_LABELS='group=<GROUP>' ./aio-native-0.12.0.aarch64.sh -- --batch --token <API_TOKEN> --mode=connector-server --go-node-config=<PATH_TO_CONFIG> --host us1.api.wallarm.com

# EU Cloud
sudo env WALLARM_LABELS='group=<GROUP>' ./aio-native-0.12.0.aarch64.sh -- --batch --token <API_TOKEN> --mode=connector-server --go-node-config=<PATH_TO_CONFIG> --host api.wallarm.com

For the tcp-capture mode, x86_64 installer version:

# US Cloud
sudo env WALLARM_LABELS='group=<GROUP>' ./aio-native-0.12.0.x86_64.sh -- --batch --token <API_TOKEN> --mode=tcp-capture --go-node-config=<PATH_TO_CONFIG> --host us1.api.wallarm.com

# EU Cloud
sudo env WALLARM_LABELS='group=<GROUP>' ./aio-native-0.12.0.x86_64.sh -- --batch --token <API_TOKEN> --mode=tcp-capture --go-node-config=<PATH_TO_CONFIG> --host api.wallarm.com

For the tcp-capture mode, ARM64 installer version:

# US Cloud
sudo env WALLARM_LABELS='group=<GROUP>' ./aio-native-0.12.0.aarch64.sh -- --batch --token <API_TOKEN> --mode=tcp-capture --go-node-config=<PATH_TO_CONFIG> --host us1.api.wallarm.com

# EU Cloud
sudo env WALLARM_LABELS='group=<GROUP>' ./aio-native-0.12.0.aarch64.sh -- --batch --token <API_TOKEN> --mode=tcp-capture --go-node-config=<PATH_TO_CONFIG> --host api.wallarm.com

  • The WALLARM_LABELS variable sets the group to which the node will be added (used for logical grouping of nodes in the Wallarm Console UI).

  • <API_TOKEN> specifies the generated API token for the Deploy role.

  • <PATH_TO_CONFIG> specifies the path to the configuration file prepared before.

The provided configuration file will be copied to the path: /opt/wallarm/etc/wallarm/go-node.yaml.

If needed, you can change the copied file after the installation is finished. To apply the changes, you will need to restart the Wallarm service with sudo systemctl restart wallarm.

5. Finish the installation

After deploying the node, the next step is to apply the Wallarm code to your API management platform or service in order to route traffic to the deployed node.

  1. Contact sales@wallarm.com to obtain the Wallarm code bundle for your connector.
  2. Follow the platform-specific instructions to apply the bundle on your API management platform:

Verifying the node operation

To verify the node is detecting traffic, you can check the logs:

  • The Native Node logs are written to /opt/wallarm/var/log/wallarm/go-node.log by default.

  • Standard logs of the filtering node, such as whether data is sent to the Wallarm Cloud and which attacks are detected, are located in the /opt/wallarm/var/log/wallarm directory.

For additional debugging, set the log.level parameter to debug.

Installer launch options

  • As soon as you have the all-in-one script downloaded, you can get help on it with:

    sudo ./aio-native-0.12.0.x86_64.sh -- --help
    
    sudo ./aio-native-0.12.0.aarch64.sh -- --help
    
  • You can also run the installer in an interactive mode and choose the required mode in the 1st step:

    sudo env WALLARM_LABELS='group=<GROUP>' ./aio-native-0.12.0.x86_64.sh
    
    sudo env WALLARM_LABELS='group=<GROUP>' ./aio-native-0.12.0.aarch64.sh
    
  • You can use the node in API Discovery-only mode (available since version 0.12.0). In this mode, attacks - including those detected by the Node's built-in mechanisms and those requiring additional configuration (e.g., credential stuffing, API specification violation attempts, and malicious activity from denylisted and graylisted IPs) - are detected and blocked locally (if enabled) but not exported to Wallarm Cloud. Since there is no attack data in the Cloud, Threat Replay Testing does not work. Traffic from whitelisted IPs is allowed.

    Meanwhile, API Discovery, API session tracking, and security vulnerability detection remain fully functional, detecting relevant security entities and uploading them to the Cloud for visualization.

    This mode is for those who want to review their API inventory and identify sensitive data first, and plan controlled attack data export accordingly. However, disabling attack export is rare, as Wallarm securely processes attack data and provides sensitive attack data masking if needed.

    To enable API Discovery-only mode:

    1. Create or modify the /etc/wallarm-override/env.list file:

      sudo mkdir -p /etc/wallarm-override
      sudo vim /etc/wallarm-override/env.list
      

      Add the following variable:

      WALLARM_APID_ONLY=true
      
    2. Follow the node installation procedure.

    With the API Discovery-only mode enabled, the /opt/wallarm/var/log/wallarm/wcli-out.log log returns the following message:

    {"level":"info","component":"reqexp","time":"2025-01-31T11:59:38Z","message":"requests export skipped (disabled)"}
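
One way to confirm that API Discovery-only mode is in effect, as an added example that is not part of the Wallarm documentation or tooling: it checks the override file for the variable and then looks for the log message quoted above, printing the timestamp of the newest matching entry. The function name apid_only_status and its return codes are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not Wallarm tooling. apid_only_status is a hypothetical helper;
# the default paths and the log message are the ones quoted above.

# apid_only_status [ENV_FILE] [LOG_FILE]
#   0: variable is set; prints the time of the newest "export skipped" log entry
#   1: WALLARM_APID_ONLY=true is missing from the override file
#   2: variable is set, but the log holds no "export skipped" entry
apid_only_status() {
  local env_file=${1:-/etc/wallarm-override/env.list}
  local log_file=${2:-/opt/wallarm/var/log/wallarm/wcli-out.log}
  local msg='"message":"requests export skipped (disabled)"' last

  # The override file holds NAME=value lines; require an exact, whole-line match.
  grep -qx 'WALLARM_APID_ONLY=true' "$env_file" 2>/dev/null || return 1

  # The log is one JSON object per line; keep the newest matching reqexp entry.
  last=$(grep -F '"component":"reqexp"' "$log_file" 2>/dev/null |
         grep -F "$msg" | tail -n 1)
  [ -n "$last" ] || return 2

  # Print its timestamp so it can be compared with the last service restart.
  printf '%s\n' "$last" | sed -n 's/.*"time":"\([^"]*\)".*/\1/p'
}

# Usage: sudo bash apid-check.sh run   (checks the default paths)
if [ "${1:-}" = "run" ]; then apid_only_status; fi
```

A return code of 2 after the variable has been added means the node has not yet logged the skip message, for example because it was not reinstalled or restarted since the change.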
    

Upgrade and reinstallation

  • To upgrade the node, follow the instructions.

  • If there is a problem with the upgrade or reinstallation process:

    1. Remove the current installation:

      sudo systemctl stop wallarm && sudo rm -rf /opt/wallarm
      
    2. Install the node as usual following the installation steps from above.