What is new in Wallarm node 3.4¶

This page lists the changes released in Wallarm node 3.4 and other minor versions of Wallarm node 3.x.

If upgrading Wallarm node 2.18 or lower, please note that version 3.x contains breaking changes. Before upgrading the modules up to 3.x, please carefully review the list of changes and general recommendations for upgrade.

Which Wallarm nodes are recommended to be upgraded?¶

• Regular (client) and partner Wallarm nodes of version 2.18 and lower. Changes available in Wallarm node 3.x simplifies the node configuration and improves traffic filtration.

• Regular (client) Wallarm node of version 3.x to stay up to date with Wallarm releases and prevent installed module deprecation.

Changes available when upgrading Wallarm node of version 2.18 and lower¶

Listed changes are available for both the regular (client) and partner Wallarm node 3.4.

Changes in supported installation options¶

• Added support for CloudLinux OS 6.x

• Added support for Debian 11 Bullseye

• Dropped support for the operating system Ubuntu 16.04 LTS (xenial)

• Version of Envoy used in Wallarm Envoy-based Docker image has been increased to 1.18.4

See the full list of supported installation options →

Changes in supported filtering node configuration parameters¶

• Dropped support for all acl NGINX directives, Envoy parameters, and environment variables used to configure IP address blacklist. Manual configuration of IP blacklisting is no longer required.

  Details on migrating blacklist configuration →

• Added new NGINX directive and Envoy parameter disable_acl. This parameter allows to disable request origin analysis.

  Details on the disable_acl NGINX directive →

  Details on the disable_acl Envoy parameter →

Changes in system requirements for the filtering node installation¶

Starting with version 3.x, the filtering node supports IP addresses whitelists, blacklists, and greylists. The Wallarm Console allows adding both single IPs and countries or data centers to any IP list type.

The Wallarm node downloads an actual list of IP addresses registered in whitelisted, blacklisted, or greylisted countries or data centers from GCP storage. By default, access to this storage can be restricted in your system. Allowing access to GCP storage is a new requirement for the virtual machine on which the filtering node is installed.

Range of GCP IP addresses that should be allowed →

Changes in filtration mode logic¶

Starting with version 3.2, the logic of Wallarm node filtration modes has been changed as follows:

• Wallarm node analyzes request source only in the safe_blocking and block modes now.

• If the Wallarm node operating in the off or monitoring mode detects the request originated from the blacklisted IP, it does not block this request.

More details on Wallarm node modes →

New features¶

• Support for new filtration mode safe_blocking and IP address greylist.

  The Wallarm node operating in safe_blocking mode blocks only those malicious requests originated from greylisted IP addresses that allow a significant reduction of false positives numbers.

• New reaction of triggers Add to greyist allowing to automatically greylist IP addresses originated a specific number of malicious requests.

  Example of the trigger that greylists IP addresses →

• Management of IP address whitelist via Wallarm Console.

• Automated whitelisting of Wallarm Vulnerability Scanner IP addresses. Manual whitelisting of Scanner IP addresses is no longer required.

• Ability to whitelist, blacklist, or greylist a subnet, Tor network IPs, VPN IPs, a group of IP addresses registered in a specific country or data center.

  Details on adding IPs to the whitelist, blacklist, and greylist →

• Ability to whitelist, blacklist, or greylist request sources for specific applications.

  Details on adding IPs to the whitelist, blacklist, and greylist →

• New parameters of the file node.yaml for configuring the synchronization of the Wallarm Cloud and filtering nodes: api.local_host and api.local_port. New parameters allow specifying a local IP address and port of the network interface through which requests to Wallarm API are sent.

  See the full list of node.yaml parameters for Wallarm Cloud and filtering node synchronization setup →

• New module API Discovery that automatically identifies the application API structure.

  Details on the API Discovery module →

• The number of requests originated from blacklisted IPs is now displayed in the statistic service output, in the new parameter blocked_by_acl and in the existing parameters requests, blocked.

  Details on the statistic service →

• The libdetection library is now supported in the Envoy-based Wallarm node. This library additionally validates the SQL Injection attacks to confirm detected malicious payloads. If the payload is not confirmed by the libdetection library, the request is considered to be legitimate. Using this library allows reducing the number of false positives among the SQL Injection attacks.

  By default, the library libdetection is disabled. To improve the attack detection, we recommend enabling it.

  Details on the libdetection library →

• New environment variable WALLARM_APPLICATION that can be passed to the Wallarm NGINX‑based Docker container of version 3.4.1-1 or higher. This variable is used to set the identifier of the protected application to be used in the Wallarm Cloud.

  Instructions on deploying the Wallarm NGINX‑based Docker container →

Changes available when upgrading Wallarm node of version 3.0¶

Breaking change¶

Starting with version 3.2, the logic of Wallarm node filtration modes has been changed as follows:

• Wallarm node analyzes request source only in the safe_blocking and block modes now.

• If the Wallarm node operating in the off or monitoring mode detects the request originated from the blacklisted IP, it does not block this request.

• If the Wallarm node operating in the monitoring mode detects the attack originated from the whitelisted IP, it uploads the attack data to the Wallarm Cloud. Uploaded data is displayed in the Events section of Wallarm Console.

Details on Wallarm node modes →

Changes in supported installation options¶

• Added support for CloudLinux OS 6.x

• Added support for Debian 11 Bullseye

• Version of Envoy used in Wallarm Envoy-based Docker image has been increased to 1.18.4

See the full list of supported installation options →

New features¶

• Ability to whitelist, blacklist, or greylist request sources for specific applications.

  Details on adding IPs to the whitelist, blacklist, and greylist →

• The number of requests originated from blacklisted IPs is now displayed in the statistic service output, in the new parameter blocked_by_acl and in the existing parameters requests, blocked.

  Details on the statistic service →

• The libdetection library is now supported in the Envoy-based Wallarm node. This library additionally validates the SQL Injection attacks to confirm detected malicious payloads. If the payload is not confirmed by the libdetection library, the request is considered to be legitimate. Using this library allows reducing the number of false positives among the SQL Injection attacks.

  By default, the library libdetection is disabled. To improve the attack detection, we recommend enabling it.

  Details on the libdetection library →

• New environment variable WALLARM_APPLICATION that can be passed to the Wallarm NGINX‑based Docker container of version 3.4.1-1 or higher. This variable is used to set the identifier of the protected application to be used in the Wallarm Cloud.

  Instructions on deploying the Wallarm NGINX‑based Docker container →

Changes available when upgrading Wallarm node of version 3.2¶

• Added support for CloudLinux OS 6.x

  See the full list of supported platforms →

• Added support for Debian 11 Bullseye

  See the full list of supported platforms →

• Version of Envoy used in Wallarm Envoy-based Docker image has been increased to 1.18.4

  See the full list of supported platforms →

• New environment variable WALLARM_APPLICATION that can be passed to the Wallarm NGINX‑based Docker container of version 3.4.1-1 or higher. This variable is used to set the identifier of the protected application to be used in the Wallarm Cloud.

  Instructions on deploying the Wallarm NGINX‑based Docker container →

Upgrade process¶

1. Review recommendations for the modules upgrade.

2. Upgrade installed modules following the instructions for your Wallarm node deployment option:

   • General recommendations for a safe node upgrade process
   • Upgrading modules for NGINX, NGINX Plus, Kong
   • Upgrading the Docker container with the modules for NGINX or Envoy
   • Upgrading NGINX Ingress controller with integrated Wallarm API Security modules
   • Cloud node image

3. If upgrading the Wallarm node 2.18 or lower to version 3.4, migrate whitelist and blacklist configuration from previous Wallarm node versions to 3.4.

Other updates in Wallarm products and components →