4.5. Create Existing Application L3 Inbound Topology

Now that the WAFaaS device and security chain are created, we will create an Existing Application topology to protect our vulnerable Juiceshop application.

  1. Click on SSL Orchestrator and select Configuration

Go to SSL Orchestrator -> Configuration

  1. Click Add under the Topologies menu item.

Under topologies, Click Add

  1. Click Next through the Topology Information page.
  2. Next to Name, enter WAFaaS_inbound. Select Existing Application under SSL Orchestrator Topologies. Click Save & Next once complete.

Adding Existing Application topology

  1. Since we already created the WAFaaS service, we can click Save & Next and go to the next page.

Services Save & Next

  1. Since we already created the WAFaaS service chain, we can click Save & Next and go to the next page.

Service Chain Save & Next

  1. We will need to adjust the All Traffic rule for our WAFaaS_inbound security policy. Click the Pencil to the right of the All Traffic rule.

Make changes to All Traffic rule

  1. Select the ssloSC_WAFaaS under Service Chain and click OK. Click Save & Next when complete.

Security Policy > Service Chain Save & Next

  1. Click Deploy to deploy your new Existing Application topology.

WAFaaS_inbound topology deploy

  1. Click OK to acknowledge the successful deployment.

OK deployment

Deployment Complete

Now we just need to add the access policies associated with the WAFaaS_inbound topology to the Juiceshop Virtual Server.

  1. Click on Local Traffic >> Virtual Servers >> Virtual Server List. Click on the link for the juiceshop-vs virtual server.

Juiceshop Virtual Server

  1. Scroll about 3/4 of the way down the page to find the Access Policy section. Next to Access Profile, select ssloDefault_accessProfile, and next to Per-Request Policy, select ssloP_WAFaaS_inbound_per_req_policy. Click Update when done.

Completed topology deployment
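
A quick way to confirm the attachment from the BIG-IP command line, as an added example that is not part of the original lab guide: the function below reads the output of `tmsh list ltm virtual juiceshop-vs` on stdin and reports whether the access profile and per-request policy are present. The two sample listings are constructed, and their layout (including the `.app` folder prefix) is an assumption about how tmsh prints this virtual server.

```bash
#!/usr/bin/env bash
# Added example: confirm a virtual server listing carries both SSLO attachments.
# Reads tmsh-style config on stdin; $1 = access profile, $2 = per-request policy.
check_sslo_attach() {
    awk -v prof="$1" -v pol="$2" '
        # Compare on the object name only; folder prefixes are stripped.
        function base(s) { sub(/^.*\//, "", s); return s }
        $1 == "per-flow-request-access-policy" && base($2) == pol { have_pol = 1 }
        $1 == "profiles" && $2 == "{" { depth = 1; next }
        depth > 0 {
            # Only direct children of profiles { } count as attached profiles.
            if (depth == 1 && base($1) == prof) have_prof = 1
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
        }
        END {
            if (!have_prof) print "MISSING access profile: " prof
            if (!have_pol)  print "MISSING per-request policy: " pol
            exit !(have_prof && have_pol)
        }'
}

# Constructed sample: listing after the Access Policy step (layout assumed).
sample_attached() { cat <<'EOF'
ltm virtual juiceshop-vs {
    per-flow-request-access-policy ssloP_WAFaaS_inbound.app/ssloP_WAFaaS_inbound_per_req_policy
    profiles {
        http { }
        ssloDefault_accessProfile { }
        tcp { }
    }
}
EOF
}

# Constructed sample: same virtual server before the step, nothing attached.
sample_bare() { cat <<'EOF'
ltm virtual juiceshop-vs {
    profiles {
        http { }
        tcp { }
    }
}
EOF
}

PROF=ssloDefault_accessProfile
POL=ssloP_WAFaaS_inbound_per_req_policy
sample_attached | check_sslo_attach "$PROF" "$POL" && echo "attached: traffic goes through the service chain"
sample_bare | check_sslo_attach "$PROF" "$POL" || echo "not attached: requests bypass the WAFaaS chain"
```

On the lab BIG-IP, pipe the real listing into `check_sslo_attach` instead of the sample functions; a non-zero exit means the virtual server is still serving Juiceshop without the service chain in path.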

Congratulations! You have now successfully deployed WAFaaS for an existing application. Let's now go back to the Ubuntu Client and run the same SQL-injection attack to see if the WAF is doing its job.