Professional Documents
Culture Documents
Design Guide: ACE Appliance and ACE Web Application Firewall
Design Guide: ACE Appliance and ACE Web Application Firewall
Introduction
Recommended topology
Clients on the Internet who wish to connect to our main web application
(http://acedemo.cisco.com in our case) obtain the IP address of the front-end virtual
IP (VIP) through DNS resolution. In this topology, the specific IP address mapped
to acedemo.cisco.com is 172.25.89.165. That VIP is owned by a Cisco ACE 4710
appliance on the front-end side of the diagram. It is linked to a serverfarm which
contains two load-balanced servers which are the actual Cisco ACE Web
Application Firewalls (WAF). Because the ACE WAFs are stateless no particular
stickiness needs to be configured between the front-end VIP and the WAFs
themselves. Requests from clients are load-balanced in a round-robin fashion. A
given client session might see its packets load-balanced between WAF1 and WAF2.
That is perfectly acceptable because the WAFs treat each request as a finite
transaction which bears no relation with the previous or next request.
Once the traffic hits a WAF incoming data is filtered according to the security
profile configured on that WAF. If the traffic is allowed to proceed, the WAF
substitutes the original source IP address of the packet with its own IP address. This
is very important to remember. It isn’t something you can change, that’s how most
reverse proxies function and the WAF falls in that category.
The actual origin (or target) web servers are concealed behind a second back-end
VIP. This step is required because the WAFs themselves do not perform any sort of
server load balancing. The second VIP in our case is 10.30.30.12. The WAFs are
configured to answer requests for hostname acedemo.cisco.com mapping to
destination server 10.30.30.12:
You can either select the factory-provided option to insert the X-Forwarded-For
header (first line of the HTTP Header Processing section of the profile) or manually
add one. We chose to manually add the header in this case. There was no specific
reason to do so other than demonstrate the WAF’s ability to tailor requests and
responses based on user-specified variables.
The back-end VIP is configured to stick sessions to a given web server based on the
value found in the X-Forwarded-For header. Here is how this is configured on the
ACE 4710:
That configuration instructs the ACE 4710 to look for the presence of the X-
Forwarded-For header in requests made to the back-end VIP and stick clients (the
WAFs in this case) to one specific web server based on the value of the header.
The traffic then hits the selected web server which returns content back to the
source IP address who requested it. That source IP address belongs to one of the
WAFs. The return traffic from the server back to client takes the reverse path by
virtue of the stateful nature of the ACE 4710. In other words thanks to the pre-
established connection record that incoming traffic set up, return traffic symmetry is
ensured. Make sure that the web servers have the proper static route to reach the IP
address of the WAFs.
Health Monitoring
To maintain a high level of availability we need to ensure that both the WAFs and
the target web servers are able to service requests at any give time. The WAFs
themselves do not implement health checks for target servers. Therefore health
checks for WAFs and web servers become the responsibility of the ACE 4710
through the use of probes. The ACE 4710 can probe the WAF directly or verify that
traffic from the web servers can be served through the WAF. This is how you can
configure the latter probe:
The probes are applied to each WAF. Note: if you would like to insert a question
mark at the CLI for the URL, press CTRL-V before hitting the ‘?’ key.
You can use a similar probe at the back-end level to verify that the web servers are
up and running.
4710-SA/WAFLB# sh run
Generating configuration....
logging enable
logging timestamp
logging monitor 7
logging device-id context-name
no logging message 111009
interface vlan 2
description Intranet