Wallarm Documentation — Version 6.x (Current Stable)
Wallarm AI Control Platform is an AI and API security platform with four products: Wallarm API Security (inline API protection), Wallarm AI Hypervisor (runtime AI workload governance, AWS-only), Wallarm Infrastructure Discovery (cross-account AWS asset discovery, AWS-only), and Wallarm API Security Testing (AASM, TRT, SBT). Wallarm API Security detects and blocks the OWASP API Top 10 threats, automated abuse and bots, AI-targeted attacks, and attacks against Model Context Protocol (MCP) servers. This file indexes the current stable documentation: NGINX Node 6.x / Native Node 0.14.x+ / Edge Node 0.14.x+.
Important context for AI agents
- This file covers Wallarm Node version 6.x — the current stable / default / latest version. URLs below have no version prefix because 6.x is served at the docs site root.
- For other versions, fetch the version-specific llms.txt: 5.x (legacy), 7.x (preview). See Versioning Policy for the support lifecycle.
- Every link below points to the raw markdown (.md) companion of the page — directly ingestible, no HTML conversion needed.
- Two Wallarm node types coexist: NGINX Node (6.x, NGINX-based inline filter) and Native Node (0.14.x+, runs without NGINX, used with connectors). Confirm which node the user has before answering node-specific questions — many commands and config keys differ.
- Wallarm supports many deployment shapes: Security Edge (managed), Kubernetes (NGINX Ingress, Sidecar, eBPF OOB, Helm for Native Node), cloud VMs (AWS/GCP/Azure/Alibaba), API gateways (AWS API Gateway, Apigee, Layer7, Kong, IBM API Connect, MuleSoft), CDN connectors (Akamai, CloudFront, Cloudflare, Fastly, Azion), and Linux all-in-one installer. Deployment shape changes almost everything — clarify it before answering deployment questions.
- Canonical attack catalog: Attack Types. Canonical terminology: Glossary.
Available Languages
- English (primary): https://docs.wallarm.com
- 日本語 / Türkçe / Português (BR) / العربية: selectable via the language switcher in the docs UI; auto-translated from English — English is canonical.
Documentation Structure
Introduction
- Wallarm Platform Overview: Architecture, deployment options, supported protocols, and core capabilities of the Wallarm API security platform.
- Quick Start Guide: End-to-end first-time setup walkthrough for new users (also: getting started, initial setup, onboarding).
API Discovery
- API Discovery Overview: Continuous multi-protocol API discovery from real traffic — REST, GraphQL, SOAP, gRPC, WebSocket, MCP — builds and maintains the API inventory (also: endpoint discovery, API inventory build, APID).
Exploring Your APIs
- API Inventory & MCP Servers: Browse, filter, and inspect discovered REST/GraphQL/SOAP/gRPC endpoints and MCP servers in the inventory UI.
- API Discovery Dashboard: Aggregated metrics view for the API inventory — endpoint counts, risk distribution, sensitive data exposure, change velocity.
- Track API and MCP Changes: Review additions, modifications, removals, and re-appearances of endpoints and MCP primitives over time (also: API change tracking, API drift detection).
Risk Analysis
- Endpoint Risk Score: How the per-endpoint risk score is calculated and how to interpret it (also: risk rating, endpoint criticality).
- Rogue APIs (Shadow / Zombie): Detect endpoints serving live traffic that are absent from your OpenAPI spec or no longer expected to exist (also: shadow API, zombie API, orphan API).
- Sensitive Business Flows (SBF): Automatic identification of endpoints implementing critical business logic — authentication, payments, password reset, account changes (also: SBF, critical-flow endpoints).
- Authentication Flow Detection: Detect the authentication scheme used by each endpoint (API key, Basic, Bearer, OAuth, HMAC, NTLM, SCRAM, etc.) and surface unauthenticated endpoints (also: auth scheme detection, unauthenticated endpoint detection).
- Sensitive Data Detection: Detect and label endpoints that consume or return sensitive data — PII, credentials, financial, health (also: PII detection, data classification, sensitive parameter detection).
- API Discovery Setup & Configuration: Enable API Discovery, set required node version, configure traffic sampling and parameter customization.
API Protection
- API Protection Overview: The advanced (paid) API and AI protection feature set above the basic cloud-native WAAP (also: advanced API security, API runtime protection).
- Attack Prevention Best Practices: Recommended baseline configuration of blocking modes, rules, and thresholds for production traffic.
API Session Security
- API Sessions Overview: Group requests into per-user sessions to analyze behavior across multiple endpoints (also: session reconstruction, user-session visibility).
- API Sessions Setup: Configure session-identifying headers/cookies/JWT claims and session context parameters; requires NGINX Node 5.1.0+ or Native Node 0.8.0+.
- Exploring API Sessions: Filter, inspect, and pivot on reconstructed user sessions in the Console.
- MCP Sessions: Group MCP tool calls, resource reads, and prompt invocations into sessions keyed by MCP-SESSION-ID (also: MCP session reconstruction).
- Session Blocking: Block all requests belonging to a session that exhibited malicious behavior (also: session-level blocking, session ban).
- Business Logic Abuse Detection: LLM-based detection of business-logic abuse (price manipulation, free-tier farming, etc.) within sessions (also: BLA, logic flaw detection).
API-Specific Protection
- BOLA Protection: Detect and block Broken Object Level Authorization on endpoints with identifier variability (also: IDOR, authorization bypass, object-level access).
- Enumeration Attack Protection: Block parameter/identifier enumeration that probes for valid IDs, usernames, or coupon codes (also: ID enumeration, username enumeration, scraping).
- GraphQL Protection: GraphQL-aware request analysis — depth/complexity limits, introspection control, and standard attack detection on GraphQL payloads.
- File Upload Restriction: Restrict allowed file types, size, and upload patterns to prevent OWASP API Top 10 "Unrestricted Resource Consumption" abuse.
AI Agent Protection
- Agentic AI Protection Overview: API-level protection of AI agents, AI proxies, and AI-enabled APIs (also: AI runtime protection, LLM gateway protection).
- AI Payload Inspection: LLM-based detection of prompt injection, system-prompt leakage, and jailbreaks in AI payloads (also: prompt injection detection, LLM input/output inspection).
- MCP Mitigation Controls: MCP-specific policies — ACL by method/primitive/user/role, request verification, tool input schema enforcement (also: MCP ACL, MCP policy).
Bot Management (API Abuse Prevention)
- API Abuse Prevention Overview: Detect and mitigate malicious bots performing scraping, account takeover, scalping, content abuse (also: bot detection, bot management, anti-bot, automated traffic protection).
- API Abuse Prevention Setup: Enable bot detection, choose blocking mode, configure exposed endpoints.
- Exploring Detected Bots: Drill into the 30-day rolling view of detected bot activity by type and target.
- Bot Detection Exceptions: Mark known-legitimate bots (search crawlers, monitoring) and disable detection per endpoint (also: bot allowlist, bot exception rules).
API Specification Enforcement
- API Spec Enforcement Overview: Positive-security enforcement of uploaded OpenAPI / GraphQL specs — block any request that violates the schema (also: schema validation, positive security model, OAS enforcement).
- API Spec Enforcement Setup: Upload the spec, choose enforced endpoints, set blocking behavior.
- API Spec Enforcement Events: View and triage requests blocked or flagged by spec enforcement.
Credential Protection
- Credential Stuffing Detection: Detect login attempts using leaked credential pairs (also: account takeover, ATO detection, password reuse attack).
Threat Protection (WAAP)
- WAAP Overview: The Cloud-Native WAAP layer — web application & API firewall for the OWASP Top 10 (also: WAF, web application firewall, API firewall).
- Attack Detection & Handling: How Wallarm detects malicious traffic in real-time and what actions it takes (block / monitor) under each filtration mode.
- Brute Force Protection: Configure rate-based detection of brute-force attacks on login and similar endpoints (also: credential brute-forcing, password spraying).
- Forced Browsing Protection: Detect attempts to access non-listed or hidden resources by URL guessing (also: directory enumeration, path bruteforce).
- Multi-Attack Thresholds: Block sources sending many malicious requests in a window, even when individual requests would otherwise be allowed.
- DoS Protection: Mitigate application-layer DoS through resource exhaustion (also: layer-7 DoS, API resource exhaustion).
- DDoS Protection: Mitigate distributed volumetric denial-of-service attacks (also: volumetric DDoS, L3/L4 DDoS).
- IP Filtering / IP Lists: Allowlist or denylist IPs, networks, countries, or data centers (also: IP allowlist, IP denylist, IP block).
- Filtration Mode: Per-app or global filtering mode (off / monitoring / safe-blocking / blocking) controlling whether the node blocks or only reports.
Mitigation Controls
- Mitigation Controls Overview: Advanced fine-tuning layer on top of basic attack detection — ACL policies, request verification, schema enforcement (also: advanced policies, advanced rules).
Rules (WAF)
- Rules (WAF) Overview: Custom rules that fine-tune WAF detection per branch/endpoint — exceptions, parser overrides, attack indicators (also: custom rules, WAF tuning, exceptions, rule branches).
- Rate Limiting: Per-endpoint or per-source request rate caps (also: throttling, request limiting, RPS limits).
- Virtual Patching: Block requests matching a specific CVE/vulnerability pattern without changing application code (also: vpatch, hotpatch, runtime patching).
- Custom Regex Rules: Define custom attack indicators using regular expressions on chosen request parts (also: regex rule, custom detector).
- Sensitive Data Masking: Mask sensitive request parts so they are not stored or exported (also: data masking, PII masking, redaction).
- Request Parser Configuration: Override how the node parses specific endpoints/parameters (JSON, XML, etc.).
- Response Header Manipulation: Add, remove, or replace response headers (also: HSTS, CSP injection rule).
- Overlimit Detection Configuration: Tune behavior when request processing exceeds the per-request time budget.
API Security Testing
- Security Testing Overview: The suite of pre-production and runtime test capabilities (Threat Replay, Schema-Based, Postman) (also: DAST, API testing).
Threat Replay Testing
- Threat Replay Testing Overview: Re-run real-world attacks as harmless safety tests to discover vulnerable endpoints (also: replay testing, attack replay).
- Threat Replay Testing Setup: Enable and configure Threat Replay Testing.
- Threat Replay Testing Results: Explore test outcomes and prioritize discovered issues.
Schema-Based Testing
- Schema-Based Testing Overview: Shift-left DAST that probes endpoints listed in an OpenAPI / GraphQL schema (also: schema DAST, OpenAPI testing, shift-left testing).
- Schema-Based Testing Setup: Upload schema, configure auth, schedule runs.
- Schema-Based Testing Results: Browse test runs and reported findings.
API Security Testing via Postman
- Postman Testing Overview: Run passive security tests on Postman collections (also: Postman tests, passive API testing).
- Postman Testing Setup: Connect Postman to Wallarm and authorize collections.
- Postman Testing Results: View results in Postman AI Mode or in Wallarm Console.
API Attack Surface Management (AASM)
- AASM Overview: Agentless external attack surface management for APIs (also: EASM, external attack surface, API ASM).
- AASM Setup: Configure domains, scope, and scan cadence.
- API Surface Discovery (AASD): External enumeration of hosts and API endpoints reachable from the internet (also: subdomain enumeration, exposed API discovery).
- AASM Security Issues: Misconfigurations and risks found on discovered external hosts.
- Detecting Vulnerabilities: How Wallarm passively detects application vulnerabilities from live traffic (also: passive vulnerability detection, vuln detection).
Deployment
- All Deployment Options: Decision matrix of all supported deployment shapes — start here when choosing how to deploy.
Security Edge (Managed)
- Security Edge Overview: Wallarm-managed deployment of nodes in geographically distributed PoPs — no infrastructure to run (also: managed edge, SaaS deployment).
- Security Edge Free Tier: Free Security Edge tier — up to 500,000 requests per month.
Security Edge Inline
- Security Edge Inline Overview: Inline managed Edge Nodes proxying traffic to your origin.
- Security Edge Inline Deployment Guide: Step-by-step onboarding of an inline Edge deployment.
- Edge Inline Access Control Lists: Edge ACLs by IP / network / country / data center.
- Edge Inline Cache Rules: Configure response caching at the Edge.
- Edge Inline Custom Block Page: Customize the HTTP 403 block page served when Edge blocks a request.
- Edge Inline Host Redirection: Redirect requests between hosts at the Edge to unify entry points.
- Edge Inline mTLS Configuration: Mutual TLS between the Edge Node and your origin (client certificate auth).
- Edge Inline Multi-Region Deployment: Deploy Edge Nodes across multiple regions / cloud providers for geo-redundancy.
- Edge Inline NGINX Overrides: Override NGINX directives on Edge at server / location level.
- Edge Inline Upgrade & Management: Manage Edge configuration and upgrade Edge Nodes from the Console.
Security Edge Telemetry Portal
- Edge Telemetry Portal Overview: Grafana dashboards with real-time Edge metrics — overview.
- Edge Telemetry Main Dashboard: "Portal Inline Main" dashboard — traffic, latency, blocks.
- Edge Telemetry Logs Dashboard: "Portal Inline Logs" dashboard — request and access logs.
- Security Edge Connectors: Managed connector deployments via Security Edge for non-inline integrations.
Kubernetes
- Istio Connector: Secure Istio-managed APIs via the Wallarm Connector for Istio Ingress.
- Gloo Gateway Connector: Secure Gloo Gateway (Gloo Edge) APIs via the Wallarm Connector.
NGINX Ingress Controller
- Wallarm NGINX Ingress Deployment: Deploy the F5 NGINX-based Wallarm Ingress controller on Kubernetes (also: K8s ingress, kubernetes installation, Helm install).
- NGINX Ingress Configuration Options: Full Helm chart values reference for the Wallarm Ingress controller.
- NGINX Ingress High Availability: HA / resilience guidance for the Wallarm Ingress controller.
- NGINX Ingress Monitoring: Monitoring guidance specific to the Wallarm Ingress controller.
- NGINX Ingress Real Client IP: Configure the controller to extract the originating client IP behind proxies.
- Chaining Wallarm with Other Ingress Controllers: Run the Wallarm Ingress controller alongside an existing primary ingress.
- Kong Ingress Controller Connector: Secure Kong Ingress-managed APIs via the Wallarm connector.
Helm Chart for Native Node
- Native Node Helm Chart Deployment: Deploy the standalone Native Node on Kubernetes via Helm.
- Native Node Helm Chart Configuration: values.yaml reference for the Native Node Helm chart.
Sidecar Proxy
- Sidecar Proxy Deployment: Run the NGINX-based Wallarm node as a per-pod sidecar (also: K8s sidecar, ambient mode).
- Sidecar Proxy Helm Chart: Helm chart reference for the Wallarm sidecar.
- Sidecar Proxy Customization: Safe customization patterns for the sidecar solution.
- Sidecar Pod Annotations: Per-pod sidecar configuration via Kubernetes annotations.
- Sidecar Scaling Guide: Scaling, HA, and resource allocation for the sidecar.
eBPF (Out-of-Band)
- eBPF OOB Deployment: eBPF-based out-of-band traffic inspection on Kubernetes (Beta) (also: OOB inspection, traffic mirror, kernel-level capture).
- eBPF OOB Helm Chart: Helm chart reference for the eBPF OOB deployment.
- eBPF OOB Packet Selection: Scope the traffic mirror by pod / namespace / protocol.
Cloud Platforms
AWS
- Wallarm NGINX Node AMI for AWS: Pre-built EC2 AMI of the NGINX Wallarm Node — fastest way to launch on AWS.
- Wallarm Native Node AMI for AWS: Pre-built EC2 AMI of the Native Node, intended for use with connectors and TCP traffic mirror.
- NGINX Node Docker on AWS ECS: Deploy the NGINX Node Docker image to Amazon ECS.
Terraform Module (AWS)
- Terraform Module Overview: Wallarm-provided Terraform module for deploying the node to AWS (also: IaC, terraform deploy).
- Terraform — Wallarm in a VPC: Deploy Wallarm as an inline proxy in an existing AWS VPC.
- Terraform — Wallarm in front of API Gateway: Protect Amazon API Gateway with Wallarm deployed inline in a VPC.
- AWS WAF Integration: Layered protection combining AWS WAF (perimeter) with Wallarm (API security).
- AWS Cost Estimation: Typical AWS infrastructure costs for running Wallarm NGINX Nodes via AMI.
AWS Autoscaling
- AWS Autoscaling Overview: Auto-scale Wallarm filtering nodes on EC2 to match traffic.
- Create AWS AMI Image: Build a custom Wallarm AMI for use in an Auto Scaling Group.
- AWS Autoscaling Group Setup: Create and configure the Auto Scaling Group for Wallarm nodes (requires Wallarm "Administrator" or "Deploy" rights).
- AWS Load Balancing for Wallarm: Create an AWS load balancer in front of the Wallarm ASG.
- Routing Traffic to the Wallarm Node on AWS: Configure ALB, NLB, CloudFront, or API Gateway to send all traffic through the Wallarm Node and lock down direct origin access.
GCP
- Wallarm NGINX Node Machine Image for GCP: Pre-built Compute Engine image of the NGINX Wallarm Node.
- NGINX Node Docker on GCE: Deploy the NGINX Node Docker image on Google Compute Engine.
GCP Autoscaling
- GCP Autoscaling Overview: Auto-scale Wallarm nodes on GCP Managed Instance Groups.
- Create GCP Image: Build a custom Wallarm Compute Engine image.
- GCP Instance Template: Define the instance template used by the Managed Instance Group.
- GCP Managed Instance Group: Create the MIG and configure its autoscaling policy.
- GCP Load Balancing for Wallarm: Configure a Google load balancer in front of the Wallarm MIG.
Azure
- Azure Container Instances Deployment: Deploy the NGINX Node Docker image to Azure Container Instances.
Alibaba Cloud
- Alibaba Docker on ECS: Deploy the NGINX Node Docker image to Alibaba Cloud ECS.
- Heroku Deployment: Deploy Wallarm in front of a Heroku-hosted application via Docker image.
- Private Cloud Deployment: Run Wallarm in a private / dedicated cloud environment.
- Cloud-Init Script: Bootstrap Wallarm nodes via cloud-init for IaC workflows.
API Gateways
- AWS API Gateway Connector: Build an API inventory and protect APIs managed by Amazon API Gateway.
- Broadcom Layer7 API Gateway Connector: Secure Layer7-managed APIs via the Wallarm connector.
- Kong API Gateway Connector (Standalone): Lua-plugin connector for standalone Kong API Gateway.
CDN
- Akamai EdgeWorkers Connector: Forward traffic from Akamai EdgeWorkers to a Wallarm Node for inspection.
- AWS CloudFront Connector (Lambda@Edge): Wallarm connector for CloudFront via Lambda@Edge.
- Azion Edge Connector: Wallarm connector for Azion Edge.
- Cloudflare Connector: Wallarm connector for Cloudflare (Workers-based).
- Fastly Connector: Wallarm connector for Fastly Compute@Edge.
API Management Platforms
MuleSoft
- MuleSoft Flex Gateway Connector: Secure MuleSoft Flex Gateway-managed APIs (Mule and non-Mule).
- MuleSoft Mule Gateway Connector: Secure Mule APIs managed by Mule Gateway.
- Azure API Management Connector: Secure APIs managed by Azure API Management (APIM).
- Apigee Connector: Secure APIs managed by Apigee API Management.
- IBM API Connect Connector: Proxy IBM API Connect traffic through an external Wallarm node.
TCP Traffic Mirror
- TCP Traffic Mirror Deployment: Wallarm filtering node deployment for OOB analysis of mirrored TCP traffic (also: SPAN, port mirror, OOB inspection).
Packages & Containers
Linux (All-in-One Installer)
- All-in-One Installer for NGINX Node: One-command Linux installer for the NGINX Wallarm Node — supported on major distributions.
- All-in-One Installer for Native Node: One-command Linux installer for the standalone Native Node.
Docker
- Docker Image for NGINX Node: Run the NGINX Wallarm Node from the official Docker image (x86_64 and ARM64).
- Docker Image for Native Node: Run the standalone Native Node from the official Docker image.
- NGINX Node Configuration Reference: Full directive reference for the self-hosted NGINX Wallarm Node.
- Native Node Configuration Reference: Full .yaml reference for the self-hosted Native Node (all-in-one / Docker / AMI).
Special Setups
Multi-Tenant Node
- Multi-Tenant Node Overview: One Wallarm node protecting multiple isolated tenants (also: multitenancy, MSSP deployment).
- Multi-Tenant Configure Accounts: Correctly configure tenant accounts in the Cloud.
- Deploy Multi-Tenant Node: Deploy the multi-tenant node.
- Separate Postanalytics Module: Run the postanalytics (statistics) stage on a separate server from the filtering node.
- Custom NGINX Version: Build Wallarm for an NGINX version not covered by the standard packages.
- Request a Custom Deployment Option: Request support for a deployment shape not currently listed.
Deployment Reference
- Inline Traffic Flow: Conceptual overview of inline deployments — Wallarm in the request path.
- Out-of-Band Traffic Flow: Conceptual overview of out-of-band deployments — Wallarm inspecting mirrored traffic.
- NGINX vs. Native Node Comparison: Architecture comparison of the NGINX Node and the Native Node — critical reading before choosing a node type.
- Connector Architecture Overview: How connectors integrate Wallarm with external gateways and CDNs.
Maintenance
- Maintenance Overview: Index of maintenance, monitoring, and upgrade topics for a running deployment.
Nodes & Infrastructure
- Nodes Section of the Console: Manage self-hosted nodes from Wallarm Console.
- Resource Allocation for the Node: CPU and memory sizing guidance for the NGINX Wallarm Node (also: capacity planning, node sizing).
- Control over Export to Cloud: What request data leaves the node and how to restrict it (also: data export control, request-data privacy).
- Cloud Synchronization: How the node syncs configuration and rules with Wallarm Cloud.
- Proxy Configuration for Wallarm API: Route node-to-Cloud traffic through an HTTP/HTTPS proxy.
- Block Page Configuration: Customize the page and HTTP code returned when the node blocks a request.
- Handling Invalid Headers: Preserve headers with characters NGINX considers invalid (e.g. .).
- JA3 Fingerprinting: Enable JA3 TLS client fingerprinting on the Wallarm Node.
- Wallarm Terraform Provider: Manage Wallarm Cloud configuration as code via the official Terraform provider (also: IaC, terraform).
Monitoring & Metrics
NGINX Node Metrics
- NGINX Node Prometheus Metrics — Overview: The metrics exposed by the NGINX Node in Prometheus format.
- NGINX Node — Postanalytics Metrics: Postanalytics module / service runtime metrics for the NGINX Node.
- NGINX Node — wcli Controller Metrics: Metrics of the wcli controller component of the NGINX Node.
- NGINX Node — API Firewall Metrics: Metrics exposed by the API Firewall component of the NGINX Node.
Native Node Metrics
- Native Node Prometheus Metrics — Overview: The metrics exposed by the Native Node in Prometheus format.
- Native Node — Postanalytics Metrics: Postanalytics module / service runtime metrics for the Native Node.
- Native Node — Runtime Metrics: Native Node runtime metrics (Go-process metrics).
- Statistics Service (wallarm-status): Local wallarm-status service exposing node statistics.
- Node Logging: Where node log files live and how to configure logging.
- Failover Configuration: High-availability and failover patterns for the filtering node.
- Post-Install Health Check: Checklist to confirm correct operation after a new node deployment (also: UAT checklist, post-install verification).
Upgrades & Migration
- Wallarm Node Versioning Policy: Versioning scheme, release cadence, support window for NGINX / Native / Edge nodes.
- Upgrade General Recommendations: Recommended pre-upgrade safety steps and rollback considerations.
- What's New in 6.x: Notable changes when upgrading to 6.x — including Ingress Controller artifact changes.
- NGINX Node Changelog (Artifact Inventory): Available NGINX Wallarm Node 6.x versions across form factors (also: NGINX node release notes).
- Native Node Changelog (Artifact Inventory): Available Native Wallarm Node 0.14.x+ versions across form factors (also: Native node release notes).
NGINX Node Upgrade Instructions
- Upgrade — DEB/RPM Packages: Upgrade Wallarm NGINX modules installed from DEB/RPM packages to the latest 6.x.
- Upgrade — Separate Postanalytics Module: Upgrade a standalone postanalytics server to the latest 6.x.
- Upgrade — All-in-One Installer: Upgrade a Wallarm node installed via the all-in-one installer to the latest 6.x.
- Upgrade — Docker Image: Upgrade a running NGINX-based Docker image to the latest 6.x.
- Migrate to the Wallarm NGINX Ingress Controller: Migrate off the Community Ingress NGINX controller onto the Wallarm-maintained one.
- Community Ingress NGINX Retirement: Background and timeline for the November 2025 retirement of the Community Ingress NGINX project.
- Upgrade — Sidecar Proxy: Upgrade the Wallarm Sidecar solution to the latest 6.x.
- Upgrade — Cloud Image: Upgrade cloud node images deployed on AWS / GCP to the latest 6.x.
- Upgrade — Multi-Tenant Node: Upgrade the multi-tenant node to the latest 6.x.
Native Node Upgrade Instructions
- Upgrade — Native All-in-One Installer: Upgrade a Native Node installed via the all-in-one installer.
- Upgrade — Native Helm Chart: Upgrade a Native Node deployed via Helm.
- Upgrade — Native Docker Image: Upgrade a Native Node deployed from the Docker image.
- Connector Code Bundle Release Notes: Versions of connector code bundles compatible with the Native Node (MuleSoft, Cloudflare, etc.).
Operations
- Learning Request Volume: Measure incoming request volume — needed for licensing/billing decisions.
- Wallarm Scanner IP Addresses: The fixed list of US/EU/ME Cloud IPs Wallarm uses for active scans (allowlist these on origin).
Troubleshooting
- Troubleshooting Overview: Index of common troubleshooting scenarios.
- Troubleshooting — Detection & Blocking: Diagnose why expected attacks are not showing in the Cloud or not being blocked.
- Troubleshooting — Detection Tools Tuning: Tune Wallarm detection tools for false positives / negatives.
- Troubleshooting — Performance: Diagnose high CPU / latency / slow request processing on the Wallarm node.
- Real Client IP Behind a Proxy: NGINX configuration to extract the originating client IP behind another proxy / LB.
- End-User Problems After Install: Common end-user-visible errors after installing the NGINX Wallarm node.
- Wallarm Ingress Controller Troubleshooting: Common issues during Wallarm NGINX Ingress installation.
- Wallarm Cloud Outage Behavior: How Wallarm nodes behave when the Wallarm Cloud is unavailable (also: cloud down, cloud outage).
- OWASP Dashboard Alerts: Node sync error messages shown on the OWASP dashboards.
- Wallarm Lines in NGINX Error Log: Decode common Wallarm-related lines in the NGINX error log.
- Dynamic DNS Resolution in NGINX: Configure NGINX dynamic DNS resolution for upstreams (vs. resolve-once-at-start behavior).
Integrations
- Integrations Overview: The catalog of available outbound integrations from Wallarm (also: webhooks, SIEM connectors, messaging).
Messaging & Alerts
- Email Integration: Send scheduled reports and instant notifications via email.
- Slack Integration: Send Wallarm notifications to a Slack channel.
- Microsoft Teams Integration: Send Wallarm notifications to a Microsoft Teams channel.
- Telegram Integration: Send scheduled reports to a Telegram chat.
Incident Management
- PagerDuty Integration: Page on-call via PagerDuty (also: on-call paging, incident escalation).
- Opsgenie Integration: Page on-call via Opsgenie.
- Jira Integration: Create Jira issues from Wallarm events (supported Jira versions noted in the article).
- ServiceNow Integration: Create ServiceNow tickets from Wallarm events.
- Rapid7 InsightConnect Integration: Send Wallarm events to Rapid7 InsightConnect playbooks.
SIEM & Analytics
- Splunk Integration: Forward Wallarm events to Splunk (also: SIEM, log forwarding).
- Sumo Logic Integration: Forward Wallarm events to Sumo Logic.
- Microsoft Sentinel / Azure Monitor Logs: Forward Wallarm events to Microsoft Sentinel / Azure Monitor.
- Datadog Integration: Forward Wallarm events to Datadog via the Datadog API key.
Log Collectors
- Fluentd Integration: Send Wallarm JSON webhooks to Fluentd.
- Logstash Integration: Send Wallarm JSON webhooks to Logstash.
Integration Examples (Webhook Recipes)
- IBM QRadar via Fluentd: Wallarm → Fluentd → IBM QRadar.
- IBM QRadar via Logstash: Wallarm → Logstash → IBM QRadar.
- Splunk via Fluentd: Wallarm → Fluentd → Splunk.
- Splunk via Logstash: Wallarm → Logstash → Splunk.
- ArcSight via Fluentd: Wallarm → Fluentd → Micro Focus ArcSight.
- ArcSight via Logstash: Wallarm → Logstash → Micro Focus ArcSight.
- Datadog via Fluentd / Logstash: Wallarm → Fluentd or Logstash → Datadog.
Cloud Storage
- Amazon S3 Integration: Export hit data to an S3 bucket every 10 minutes.
- MinIO Integration: Export hit data to an S3-compatible MinIO bucket every 10 minutes.
Webhooks
- Generic Webhook Configuration: Send instant notifications via HTTPS webhook to any system.
DevSecOps
- Verify Docker Image Signature: Verify the cryptographic signature of Wallarm Docker images.
- Generate SBOM for Docker Images: Generate a Software Bill of Materials for Wallarm Docker images.
Platform Management
- Platform Management Overview: Index of platform admin topics — users, dashboards, monitoring, triggers, settings.
Dashboards
- Threat Prevention Dashboard: Top-level malicious-traffic dashboard for a chosen time window.
- API Discovery Dashboard (Platform): API inventory dashboard in the Platform Management section.
- OWASP API Top 10 Dashboard: Measure exposure to each OWASP API Top 10 risk category.
- Business Intelligence Dashboards: Build custom dashboards from Wallarm telemetry (also: BI, custom dashboards).
Monitoring & Events
- Event Overview: How Wallarm's Threat Management surfaces attacks and incidents in real time.
- Analyzing Attacks: Investigate a single attack record in the Console.
- Analyzing Incidents: Investigate an incident — an attack that hit a known vulnerability.
- Hit Grouping & Sampling: How hits are grouped into attacks and how Wallarm samples for storage.
- Security Issues (Vulnerabilities): Passively detected application vulnerabilities (also: vulnerabilities, security issues).
Triggers & Alerts
- Trigger Configuration: Define event-driven actions (notify / block IP / create issue) (also: alerting rules, automations).
Search & Reports
- Search & Filters: Query syntax for searching attacks, hits, incidents (also: search query language, Wallarm search syntax).
- Custom Reports (PDF / CSV): Generate scheduled or on-demand PDF / CSV reports.
Account Settings
- User Profile Settings: Settings → Profile tab — personal account preferences.
- Applications: Group protected services into logical applications and view per-app stats.
- Audit Log / Activity Log: Settings → Activity log — history of user actions in the Wallarm Console (also: audit trail, activity log).
Users & Access
- User Management: Invite users and assign roles (also: RBAC, role assignment, team management).
- API Tokens: Manage tokens for Wallarm API authentication and node filtration (also: API keys, authentication tokens).
SSO Configuration
- SSO Overview: SAML SSO support overview (also: single sign-on, SAML).
- SSO Setup (Generic): Generic flow for enabling SAML SSO.
- SSO — Google Workspace (G Suite): SAML SSO via Google Workspace as IdP.
- SSO — Okta: SAML SSO via Okta as IdP.
- SSO Troubleshooting: Troubleshoot common SAML SSO problems.
- LDAP Integration: Authenticate Console users via LDAP / Active Directory.
Plans & Pricing
- Subscription Plans: The Wallarm subscription plans and what each one includes (also: pricing, plans, tiers).
Reference
- Reference Section Overview: Index of reference material (API, attack catalog, glossary).
API Reference
- Wallarm API Overview: Overview of the Wallarm REST API (also: REST API, public API).
- Wallarm API Request Examples: Worked examples of Wallarm API calls.
- Attack Types Catalog: Canonical list of attacks and vulnerabilities Wallarm detects, with descriptions and CWE/OWASP mapping (also: attack catalog, vulnerability list, supported attacks).
- Glossary: Canonical terminology used across Wallarm documentation.
- Data Retention Policy: Retention periods per data type stored in the Wallarm Cloud.
- Shared Responsibility Model: What Wallarm is responsible for and what the customer is responsible for.
- Comparing Wallarm to Other Solutions: How to compare Wallarm against other WAF / API security solutions.
- SLA: Service-level agreement — availability commitments and credits.
Optional
The pages below are linked here rather than in the main tree because they are less directly useful for an LLM agent answering a question — videos can't be ingested as text, and legacy / EOL material is unlikely to be relevant to questions about the current product.
Video Guides (not ingestible by text-only agents)
- Demo Videos — Platform Overview
- Demo Videos — API Discovery
- Demo Videos — API Leaks
- Demo Videos — Shadow & Orphan APIs
- Demo Videos — CVE Inspection
- Demo Videos — API Abuse Prevention
- Demo Videos — Platform Settings
EOL Node Upgrades (nodes 3.6 and lower — out of support)
- EOL — What's New: Changes when upgrading from EOL versions to current.
- EOL — NGINX Modules Upgrade: Upgrade EOL NGINX modules (3.6 and lower).
- EOL — Postanalytics Upgrade: Upgrade EOL standalone postanalytics module.
- EOL — Docker Image Upgrade: Upgrade EOL NGINX-based Docker image.
- EOL — Ingress Controller Upgrade: Upgrade EOL Wallarm Ingress Controller.
- EOL — Cloud Image Upgrade: Upgrade EOL cloud node images.
- EOL — Multi-Tenant Upgrade: Upgrade EOL multi-tenant node.
- Migrate IP Lists to Node 3.x+ Format: One-time IP allowlist/denylist format migration.