Deploying the Native Node with All-in-One Installer
The Wallarm Native Node, which operates independently of NGINX, is designed for Wallarm connector self-hosted deployment and TCP traffic mirror analysis. You can run the Native Node on a virtual machine with a Linux OS using the all-in-one installer.
Use cases and deployment modes
- When deploying a Wallarm node as part of a connector solution for MuleSoft, Cloudflare, Amazon CloudFront, Broadcom Layer7 API Gateway, Fastly on a self-hosted Linux OS machine.
  Use the installer in connector-server mode.
- When you need a security solution for TCP traffic mirror analysis.
  Use the installer in tcp-capture mode.
Requirements
The machine intended for running the Native Node with the all-in-one installer must meet the following criteria:
- Linux OS.
- x86_64/ARM64 architecture.
- Executing all commands as a superuser (e.g. root).
- Outbound access to:
  - https://meganode.wallarm.com to download the Wallarm installer
  - https://us1.api.wallarm.com or https://api.wallarm.com for US/EU Wallarm Cloud
  - IP addresses below for downloading updates to attack detection rules and API specifications, as well as retrieving precise IPs for your allowlisted, denylisted, or graylisted countries, regions, or data centers
- When running the node in the connector-server mode, a trusted SSL/TLS certificate for the machine's domain should be issued and uploaded to the machine along with the private key.
- When running the node in the tcp-capture mode:
  - Traffic and response mirroring must be configured with both source and target set up, and the prepared instance chosen as a mirror target. Specific environment requirements must be met, such as allowing specific protocols for traffic mirroring configurations.
  - Mirrored traffic is tagged with either VLAN (802.1q), VXLAN, or SPAN.
- In addition to the above, you should have the Administrator role assigned in Wallarm Console.
Limitations
- When using the all-in-one installer in connector-server mode, a trusted SSL/TLS certificate is required for the machine's domain. Self-signed certificates are not yet supported.
- Custom blocking page and blocking code configurations are not yet supported.
- Rate limiting by the Wallarm rule is not supported.
- Multitenancy is not supported yet.
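A pre-install check covering the requirements and the self-signed certificate limitation above. This is an added example, not part of the Wallarm documentation or installer; the function names are hypothetical, and it assumes openssl and curl are available on the machine.

```shell
#!/bin/sh
# Added example (not Wallarm code); function names are hypothetical, needs openssl and curl.
VERSION="0.12.0"  # installer version used in the commands on this page

# Map `uname -m` output to the installer file name.
installer_for_arch() {
  case "$1" in
    x86_64|amd64)  echo "aio-native-${VERSION}.x86_64.sh" ;;
    aarch64|arm64) echo "aio-native-${VERSION}.aarch64.sh" ;;
    *) return 1 ;;
  esac
}

# Map the Wallarm Cloud (us|eu) to the API host passed with --host.
api_host_for_cloud() {
  case "$1" in
    us) echo "us1.api.wallarm.com" ;;
    eu) echo "api.wallarm.com" ;;
    *) return 1 ;;
  esac
}

# True when subject and issuer are the same name, as in a self-signed certificate.
cert_is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# True when the certificate's public key is the one derived from the private key.
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# usage: preflight <us|eu> <connector-server|tcp-capture> [cert.pem key.pem]
preflight() {
  [ "$(id -u)" -eq 0 ] || { echo "run as superuser" >&2; return 1; }
  installer=$(installer_for_arch "$(uname -m)") || { echo "unsupported architecture" >&2; return 1; }
  host=$(api_host_for_cloud "$1") || { echo "cloud must be us or eu" >&2; return 1; }
  for h in meganode.wallarm.com "$host"; do
    curl -sS -o /dev/null --connect-timeout 5 "https://$h" ||
      { echo "no outbound HTTPS access to $h" >&2; return 1; }
  done
  if [ "$2" = "connector-server" ]; then
    if cert_is_self_signed "$3"; then echo "self-signed certificate" >&2; return 1; fi
    cert_matches_key "$3" "$4" || { echo "certificate/key mismatch" >&2; return 1; }
  fi
  echo "OK: run ./$installer with --host $host --mode=$2"
}
if [ "$#" -gt 0 ]; then preflight "$@"; fi
```

The subject/issuer comparison only rejects self-issued certificates; a certificate from a private CA passes this check and still needs to chain to a root that the connector platform trusts.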
Installation
1. Prepare Wallarm token
To install the node, you will need a token for registering the node in the Wallarm Cloud. To prepare a token:
- Open Wallarm Console → Settings → API tokens in the US Cloud or EU Cloud.
- Find or create an API token with the Deploy source role.
- Copy this token.
2. Download Wallarm installer
Download the Wallarm installation script and make it executable:
3. Prepare the configuration file
Create the wallarm-node-conf.yaml file on the machine with the following minimal configuration:
4. Run the installer
In connector-server mode:
For the x86_64 installer version:
# US Cloud
sudo env WALLARM_LABELS='group=<GROUP>' ./aio-native-0.12.0.x86_64.sh -- --batch --token <API_TOKEN> --mode=connector-server --go-node-config=<PATH_TO_CONFIG> --host us1.api.wallarm.com
# EU Cloud
sudo env WALLARM_LABELS='group=<GROUP>' ./aio-native-0.12.0.x86_64.sh -- --batch --token <API_TOKEN> --mode=connector-server --go-node-config=<PATH_TO_CONFIG> --host api.wallarm.com
For the ARM64 installer version:
# US Cloud
sudo env WALLARM_LABELS='group=<GROUP>' ./aio-native-0.12.0.aarch64.sh -- --batch --token <API_TOKEN> --mode=connector-server --go-node-config=<PATH_TO_CONFIG> --host us1.api.wallarm.com
# EU Cloud
sudo env WALLARM_LABELS='group=<GROUP>' ./aio-native-0.12.0.aarch64.sh -- --batch --token <API_TOKEN> --mode=connector-server --go-node-config=<PATH_TO_CONFIG> --host api.wallarm.com
In tcp-capture mode:
For the x86_64 installer version:
# US Cloud
sudo env WALLARM_LABELS='group=<GROUP>' ./aio-native-0.12.0.x86_64.sh -- --batch --token <API_TOKEN> --mode=tcp-capture --go-node-config=<PATH_TO_CONFIG> --host us1.api.wallarm.com
# EU Cloud
sudo env WALLARM_LABELS='group=<GROUP>' ./aio-native-0.12.0.x86_64.sh -- --batch --token <API_TOKEN> --mode=tcp-capture --go-node-config=<PATH_TO_CONFIG> --host api.wallarm.com
For the ARM64 installer version:
# US Cloud
sudo env WALLARM_LABELS='group=<GROUP>' ./aio-native-0.12.0.aarch64.sh -- --batch --token <API_TOKEN> --mode=tcp-capture --go-node-config=<PATH_TO_CONFIG> --host us1.api.wallarm.com
# EU Cloud
sudo env WALLARM_LABELS='group=<GROUP>' ./aio-native-0.12.0.aarch64.sh -- --batch --token <API_TOKEN> --mode=tcp-capture --go-node-config=<PATH_TO_CONFIG> --host api.wallarm.com
- The WALLARM_LABELS variable sets the group into which the node will be added (used for logical grouping of nodes in the Wallarm Console UI).
- <API_TOKEN> specifies the generated API token for the Deploy role.
- <PATH_TO_CONFIG> specifies the path to the configuration file prepared before.
The provided configuration file will be copied to the path: /opt/wallarm/etc/wallarm/go-node.yaml.
If needed, you can change the copied file after the installation is finished. To apply the changes, you will need to restart the Wallarm service with sudo systemctl restart wallarm.
5. Finish the installation
After deploying the node, the next step is to apply the Wallarm code to your API management platform or service in order to route traffic to the deployed node.
- Contact sales@wallarm.com to obtain the Wallarm code bundle for your connector.
- Follow the platform-specific instructions to apply the bundle on your API management platform:
Verifying the node operation
To verify the node is detecting traffic, you can check the logs:
- The Native Node logs are written to /opt/wallarm/var/log/wallarm/go-node.log by default.
- Standard logs of the filtering node, such as whether the data is sent to the Wallarm Cloud, detected attacks, etc., are located in the directory /opt/wallarm/var/log/wallarm.
For additional debugging, set the log.level parameter to debug.
Installer launch options
- As soon as you have the all-in-one script downloaded, you can get help on it with:
- You can also run the installer in an interactive mode and choose the required mode in the 1st step:
-
You can use the node in API Discovery-only mode (available since version 0.12.0). In this mode, attacks - including those detected by the Node's built-in mechanisms and those requiring additional configuration (e.g., credential stuffing, API specification violation attempts, and malicious activity from denylisted and graylisted IPs) - are detected and blocked locally (if enabled) but not exported to Wallarm Cloud. Since there is no attack data in the Cloud, Threat Replay Testing does not work. Traffic from whitelisted IPs is allowed.
Meanwhile, API Discovery, API session tracking, and security vulnerability detection remain fully functional, detecting relevant security entities and uploading them to the Cloud for visualization.
This mode is for those who want to review their API inventory and identify sensitive data first, and plan controlled attack data export accordingly. However, disabling attack export is rare, as Wallarm securely processes attack data and provides sensitive attack data masking if needed.
To enable API Discovery-only mode:
- Create or modify the /etc/wallarm-override/env.list file:
  Add the following variable:
- Follow the node installation procedure.
With the API Discovery-only mode enabled, the /opt/wallarm/var/log/wallarm/wcli-out.log log returns the following message:
Upgrade and reinstallation
- To upgrade the node, follow the instructions.
- If there is a problem with the upgrade or reinstallation process:
  - Remove the current installation:
  - Install the node as usual following the installation steps from above.