What is new in Wallarm node (if upgrading an EOL node)¶
This page lists the changes available when upgrading the node of the deprecated version (3.6 and lower) up to version 4.4. Listed changes are available for both the regular (client) and multi-tenant Wallarm nodes.
Wallarm nodes 3.6 and lower are deprecated
Wallarm nodes 3.6 and lower are recommended to be upgraded since they are deprecated.
Node configuration and traffic filtration have been significantly simplified in the Wallarm node of version 4.x. Some settings of node 4.x are incompatible with the nodes of older versions. Before upgrading the modules, please carefully review the list of changes and general recommendations.
Breaking changes due to the deleted metrics¶
Starting from version 4.0, the Wallarm node does not collect the following collectd metrics:
curl_json-wallarm_nginx/gauge-requests- you can use the
Detection of the new attack type IDOR / BOLA¶
Broken Object Level Authorization (BOLA), also known as Insecure Direct Object References (or IDOR), became one of the most common API vulnerabilities. When an application includes an IDOR / BOLA vulnerability, it has a strong probability of exposing sensitive information or data to attackers. All the attackers need to do is exchange the ID of their own resource in the API call with an ID of a resource belonging to another user. The absence of proper authorization checks enables attackers to access the specified resource. Thus, every API endpoint that receives an ID of an object and performs any type of action on the object can be an attack target.
To prevent exploitation of this vulnerability, Wallarm node 4.2 and above contain a new trigger which you can use to protect your endpoints from BOLA attacks. The trigger monitors the number of requests to a specified endpoint and creates a BOLA attack event when thresholds from the trigger are exceeded.
Checking JSON Web Token strength¶
JSON Web Token (JWT) is a popular authentication standard used to exchange data between resources like APIs securely. JWT compromisation is a common aim of attackers as breaking authentication mechanisms provides them full access to web applications and APIs. The weaker JWTs, the higher chance for it to be compromised.
Starting from version 4.4, you can enable Wallarm to detect the following JWT weaknesses:
JWTs signed using compromised secret keys
To enable, use the Weak JWT trigger.
Checking JSON Web Tokens for attacks¶
JSON Web Token (JWT) is one of the most popular authentication methods. This makes it a favorite tool to perform attacks (for example SQLi or RCE) that are very difficult to find because the data in the JWT is encoded and it can be located anywhere in the request.
Supported installation options¶
Wallarm Ingress controller based on the latest version of Community Ingress NGINX Controller, 1.5.1.
Added support for AlmaLinux, Rocky Linux and Oracle Linux 8.x instead of the deprecated CentOS 8.x.
Wallarm node packages for the alternative operating systems will be stored in the CentOS 8.x repository.
Added support for Debian 11 Bullseye
Added support for Ubuntu 22.04 LTS (jammy)
Dropped support for CentOS 6.x (CloudLinux 6.x)
Dropped support for Debian 9.x
Dropped support for Debian 10.x for Wallarm to be installed as the module for either NGINX stable or NGINX Plus
Dropped support for the operating system Ubuntu 16.04 LTS (xenial)
New method for the serverless Wallarm node deployment¶
The new deployment method lets you configure the Wallarm CDN node outside your infrastructure in 15 minutes. You need to just point to the domain to be protected and add the Wallarm CNAME record to the domain's DNS records.
System requirements for the filtering node installation¶
The filtering node now supports IP address allowlisting, denylisting, and graylisting. Wallarm Console allows adding both single IPs and countries or data centers to any IP list type.
The Wallarm node downloads an actual list of IP addresses registered in allowlisted, denylisted, or graylisted countries, regions or data centers from GCP storage. By default, access to this storage can be restricted in your system. Allowing access to GCP storage is a new requirement for the virtual machine to install the filtering node.
The filtering node now uploads data to the Cloud using
us1.api.wallarm.com:443(US Cloud) and
api.wallarm.com:443(EU Cloud) instead of
If your server with the deployed node has a limited access to the external resources and the access is granted to each resource separately, after upgrade to version 4.x the synchronization between the filtering node and the Cloud will stop. The upgraded node needs to be granted access to the API endpoint with the new port.
Unified registration of nodes in the Wallarm Cloud by tokens¶
The release 4.x enables you to register the Wallarm node in the Wallarm Cloud by the token on any supported platform. Wallarm nodes of previous versions required the "email-password" user credentials on some platforms.
Unified registration of nodes by tokens makes the connection to the Wallarm Cloud more secure and faster, e.g.:
Dedicated user accounts of the Deploy role allowing only to install the node are no longer required.
Users' data remains securely stored in the Wallarm Cloud.
Two-factor authentication enabled for the user accounts does not prevent nodes from being registered in the Wallarm Cloud.
The initial traffic processing and request postanalytics modules deployed to separate servers can be registered in the Cloud by one node token.
Changes in node registration methods result in some updates in node types:
The node supporting the unified registration by token has the Wallarm node type. The script to be run on the server to register the node is named
Previously, the Wallarm node was named cloud node. It also supported registration by the token but with the different script named
The cloud node is not required to be migrated to the new node type.
The regular node supporting the registration by "email-password" passed to the
addnodescript is deprecated.
Starting from version 4.0, registration of the node deployed as the NGINX, NGINX Plus module or the Docker container looks as follows:
- Create the Wallarm node in Wallarm Console and copy the generated token.
- Run the
register-nodescript with the node token passed or run the Docker container with the
Regular node support
The regular node type is deprecated in release 4.x and will be removed in future releases.
It is recommended to replace the regular node with the Wallarm node before the regular type is removed. You will find the appropriate instructions in the node upgrade guides.
Terraform module to deploy Wallarm on AWS¶
The Wallarm Terraform module is the scalable solution meeting the best industry standards of security and failover ensuring. During its deployment, you can choose either the proxy or mirror deployment option based on your requirements for the traffic flow.
We have also prepared the usage examples for both deployment options involving basic deployment configurations as well as advanced ones compatible with such solutions as AWS VPC Traffic Mirroring.
Wallarm AWS image distributed with the ready-to-use
If following the Infrastructure as Code (IaC) approach, you may need to use the
cloud-init script to deploy the Wallarm node to AWS. Starting from release 4.0, Wallarm distributes its AWS cloud image with the ready‑to‑use
Simplified multi-tenant node configuration¶
For the multi-tenant nodes, tenants and applications are now defined each with its own directive:
New safe blocking filtration mode.
Analysis of request sources is now performed only in the
Request source control¶
The following parameters for request source control have been deprecated:
aclNGINX directives, Envoy parameters, and environment variables used to configure IP address denylist. Manual configuration of IP denylisting is no longer required.
There are the following new features for request source control:
Wallarm Console section for full IP address allowlist, denylist and graylist control.
The safe blocking mode enables a significant reduction of false positive number by blocking only malicious requests originating from graylisted IP addresses.
For automatic IP address graylisting there is a new trigger Add to graylist released.
Automated allowlisting of Wallarm Vulnerability Scanner IP addresses. Manual allowlisting of Scanner IP addresses is no longer required.
Ability to allowlist, denylist, or graylist a subnet, Tor network IPs, VPN IPs, a group of IP addresses registered in a specific country, region, or data center.
Ability to allowlist, denylist, or graylist request sources for specific applications.
New NGINX directive and Envoy parameter
disable_aclto disable request origin analysis.
New module for API inventory discovery¶
New Wallarm nodes are distributed with the module API Discovery automatically identifying the application API. The module is disabled by default.
Enhanced attack analysis with the libdetection library¶
Attack analysis performed by Wallarm has been enhanced by involving an additional attack validation layer. Wallarm node 4.4 and above in all form-factors (including Envoy) are distributed with the libdetection library enabled by default. This library performs secondary fully grammar-based validation of all SQLi attacks reducing the number of false positives detected among SQL injections.
Memory consumption increase
With the libdetection library enabled, the amount of memory consumed by NGINX/Envoy and Wallarm processes may increase by about 10%.
The rule enabling the
overlimit_res attack detection fine-tuning¶
We have introduced the new rule allowing the
overlimit_res attack detection fine-tuning.
overlimit_res attack detection fine-tuning via the NGINX and Envoy configuration files is considered to be the deprecated way:
The rule allows setting up a single request processing time limit as the
wallarm_process_time_limitNGINX directive and
process_time_limitEnvoy parameter did before.
The rule allows to block or pass the
overlimit_resattacks in accordance with the node filtration mode instead of the
wallarm_process_time_limit_blockNGINX directive and
process_time_limit_blockEnvoy parameter configuration.
The listed directives and parameters have been deprecated and will be deleted in future releases. It is recommended to transfer the
overlimit_res attack detection configuration from directives to the rule before. Relevant instructions are provided for each node deployment option.
If the listed parameters are explicitly specified in the configuration files and the rule is not created yet, the node processes requests as set in the configuration files.
New blocking page¶
The sample blocking page
/usr/share/nginx/html/wallarm_blocked.html has been updated. In the new node version, it has new layout and supports the logo and support email customization.
New blocking page with the new layout looks as follows by default:
New parameters for basic node setup¶
New environment variables to be passed to the Wallarm NGINX‑based Docker container:
WALLARM_APPLICATIONto set the identifier of the protected application to be used in the Wallarm Cloud.
NGINX_PORTto set a port that NGINX will use inside the Docker container.
New parameters of the file
node.yamlto configure the synchronization of the Wallarm Cloud and filtering nodes:
api.local_port. New parameters allow specifying a local IP address and port of the network interface to send requests to Wallarm API through.
Disabling IPv6 connections for the NGINX-based Wallarm Docker container¶
The NGINX-based Wallarm Docker image 4.2 and above supports the new environment variable
DISABLE_IPV6. This variable enables you to prevent NGINX from IPv6 connection processing, so that it only can process IPv4 connections.
Renamed parameters, files and metrics¶
The following NGINX directives and Envoy parameters have been renamed:
rulesets, and correspondingly the
tsNentries in this section →
Parameters with previous names are still supported but will be deprecated in future releases. The parameter logic has not changed.
The Ingress annotation
nginx.ingress.kubernetes.io/wallarm-instancehas been renamed to
The annotation with the previous name is still supported but will be deprecated in future releases. The annotation logic has not changed.
The file with the custom ruleset build
/etc/wallarm/lomhas been renamed to
/etc/wallarm/custom_ruleset. In the file system of new node versions, there is only the file with the new name.
The private key file
/etc/wallarm/license.keyhas been renamed to
/etc/wallarm/private.key. Starting from the node version 4.0 the new name is used by default.
The collectd metric
gauge-lom_idhas been renamed to
In new node versions, the collectd service collects both the deprecated and new metrics. The deprecated metric collection will be stopped in future releases.
/var/log/wallarm/addnode_loop.loglog file in the Docker containers has been renamed to
Parameters of the statistics service¶
The number of requests originating from denylisted IPs is now displayed in the statistic service output, in the new parameter
blocked_by_acland in the existing parameters
The following node statistics parameters have been renamed:
In new node versions, the
http://127.0.0.8/wallarm-statusendpoint temporarily returns both the deprecated and new parameters. The deprecated parameters will be removed from the service output in future releases.
New variables to configure the node logging format¶
The following node logging variables have been changed:
wallarm_request_timehas been renamed to
This variable means time in seconds the CPU spent processing the request.
The variable with the previous name is deprecated and will be removed in future releases. The variable logic has not changed.
wallarm_request_mono_timehas been added
This variable means time in seconds the CPU spent processing the request + time in the queue.
Increasing the performance by omitting attack search in requests from denylisted IPs¶
wallarm_acl_access_phase directive enables you to increase the Wallarm node performance by omitting the attack search stage during the analysis of requests from denylisted IPs. This configuration option is useful if there are many denylisted IPs (e.g. the whole countries) producing high traffic that heavily loads the working machine CPU.
Upgrade installed modules following the instructions for your Wallarm node deployment option:
Migrate allowlist and denylist configuration from previous Wallarm node versions to 4.4.