What is new in Wallarm node (if upgrading node 2.18 or lower)
This page lists the changes available when upgrading a node of version 2.18 or lower to version 3.6. The listed changes apply to both the regular (client) and multi-tenant Wallarm nodes.
Wallarm nodes 2.18 and lower are deprecated
We recommend upgrading Wallarm nodes 2.18 and lower since they are deprecated.
Node configuration and traffic filtration have been significantly simplified in the Wallarm node of version 3.6. Some settings of node 3.6 are incompatible with the nodes of older versions. Before upgrading the modules, please carefully review the list of changes and general recommendations.
Supported installation options
Wallarm Ingress controller based on the latest version of Community Ingress NGINX Controller, 1.1.3.
Added support for AlmaLinux, Rocky Linux and Oracle Linux 8.x instead of the deprecated CentOS 8.x.
Wallarm node packages for the alternative operating systems will be stored in the CentOS 8.x repository.
Added support for CloudLinux OS 6.x
Added support for Debian 11 Bullseye
Dropped support for the operating system Ubuntu 16.04 LTS (xenial)
System requirements for the filtering node installation
Starting with version 3.x, the filtering node supports IP address whitelisting, blacklisting, and greylisting. Wallarm Console allows adding both single IPs and countries or data centers to any IP list type.
The Wallarm node downloads an up-to-date list of IP addresses registered in whitelisted, blacklisted, or greylisted countries or data centers from GCP storage. By default, access to this storage can be restricted in your system. Allowing access to GCP storage is a new requirement for the virtual machine on which the filtering node is installed.
New safe blocking filtration mode.
Analysis of request sources is now performed only in the
Request source control
The following parameters for request source control have been deprecated:
acl NGINX directives, Envoy parameters, and environment variables used to configure IP address blacklist. Manual configuration of IP blacklisting is no longer required.
There are the following new features for request source control:
Wallarm Console section for full IP address whitelist, blacklist and greylist control.
The safe blocking mode significantly reduces the number of false positives by blocking only malicious requests originating from greylisted IP addresses.
A new trigger, Add to greylist, has been released for automatic IP address greylisting.
Automated whitelisting of Wallarm Vulnerability Scanner IP addresses. Manual whitelisting of Scanner IP addresses is no longer required.
Ability to whitelist, blacklist, or greylist a subnet, Tor network IPs, VPN IPs, a group of IP addresses registered in a specific country or data center.
Ability to whitelist, blacklist, or greylist request sources for specific applications.
New NGINX directive and Envoy parameter disable_acl to disable request origin analysis.
New module for API structure discovery
New Wallarm nodes are distributed with the API Discovery module, which automatically identifies the application API structure. The module is disabled by default.
Support of the libdetection library in the Envoy-based nodes
The libdetection library is now supported in the Envoy-based Wallarm nodes. This library additionally validates the SQL Injection attacks to confirm detected malicious payloads. If the payload is not confirmed by the libdetection library, the request is considered to be legitimate. This library reduces the number of false positives among the SQL Injection attacks.
By default, the library libdetection is disabled. To improve the attack detection, we recommend enabling it.
New blocking page
The sample blocking page /usr/share/nginx/html/wallarm_blocked.html has been updated. In the new node version, it has a new layout and supports customization of the logo and support email.
New blocking page with the new layout looks as follows by default:
New parameters for basic node setup
New environment variables to be passed to the Wallarm NGINX‑based Docker container:
WALLARM_APPLICATION to set the identifier of the protected application to be used in the Wallarm Cloud.
NGINX_PORT to set a port that NGINX will use inside the Docker container. This avoids port collisions when the Docker container is used as a sidecar container within a pod of a Kubernetes cluster.
New parameters of the file node.yaml to configure the synchronization of the Wallarm Cloud and filtering nodes:
api.local_port. New parameters allow specifying a local IP address and port of the network interface to send requests to Wallarm API through.
Renamed parameters, files and metrics
The following NGINX directives and Envoy parameters have been renamed:
Parameters with previous names are still supported but will be deprecated in future releases. The parameter logic has not changed.
The Ingress annotation nginx.ingress.kubernetes.io/wallarm-instance has been renamed to
The annotation with the previous name is still supported but will be deprecated in future releases. The annotation logic has not changed.
The file with the custom ruleset build /etc/wallarm/lom has been renamed to /etc/wallarm/custom_ruleset. In the file system of new node versions, there is only the file with the new name.
The collectd metric gauge-lom_id has been renamed to
In new node versions, the collectd service collects both the deprecated and new metrics. The deprecated metric collection will be stopped in future releases.
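A pre-upgrade check for the deprecated names listed above, as an added example (not Wallarm's own tooling). It scans configuration text for the old names so they can be updated before or after the upgrade. The wallarm_acl prefix pattern, the file names and the sample contents are assumptions constructed for illustration.

```python
import re

# Deprecated names listed on this page. Replacement names are deliberately not
# hard-coded: take them from the release notes for your target version.
CHECKS = [
    # Assumption: legacy blacklist directives share the "wallarm_acl" prefix.
    ("acl directive", re.compile(r"\bwallarm_acl\w*")),
    ("ingress annotation",
     re.compile(r"nginx\.ingress\.kubernetes\.io/wallarm-instance\b")),
    ("ruleset path", re.compile(r"/etc/wallarm/lom(?![\w-])")),
    ("collectd metric", re.compile(r"\bgauge-lom_id\b")),
]

def scan(source_name, text):
    """Return (source, line_no, label, stripped_line) for each deprecated name."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # skip blanks and full-line comments
        for label, pattern in CHECKS:
            if pattern.search(stripped):
                findings.append((source_name, line_no, label, stripped))
    return findings

# Constructed sample inputs (not taken from a real deployment).
SAMPLES = {
    "nginx.conf": """\
# wallarm_acl default;   (commented out, ignored)
server {
    listen 80;
    wallarm_mode block;
    wallarm_acl default;
}
""",
    "ingress.yaml": """\
metadata:
  annotations:
    nginx.ingress.kubernetes.io/wallarm-mode: "block"
    nginx.ingress.kubernetes.io/wallarm-instance: "42"
""",
    "monitoring.conf": """\
ruleset_file = /etc/wallarm/lom
metric = wallarm_nginx/gauge-lom_id
new_ruleset_file = /etc/wallarm/custom_ruleset
""",
}

def scan_all(samples=SAMPLES):
    return [f for name, text in samples.items() for f in scan(name, text)]

if __name__ == "__main__":
    for source, line_no, label, line in scan_all():
        print(f"{source}:{line_no}: deprecated {label}: {line}")
```

Findings for the ruleset path and the acl directive need action at upgrade time, since the old file no longer exists and manual blacklist configuration is deprecated; the annotation and metric findings can be scheduled, because the old names are still accepted for now.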
Parameters of the statistics service
The number of requests originating from blacklisted IPs is now displayed in the statistic service output, in the new parameter blocked_by_acl and in the existing parameters
The following node statistics parameters have been renamed:
In new node versions, the http://127.0.0.8/wallarm-status endpoint temporarily returns both the deprecated and new parameters. The deprecated parameters will be removed from the service output in future releases.
Upgrade installed modules following the instructions for your Wallarm node deployment option:
Migrate whitelist and blacklist configuration from previous Wallarm node versions to 3.6.