
Creating the Virtual Web Application Using Basic Virtual URL

To create a new virtual web application using the basic virtual URL mode:

Step 1 Click the Virtual Web Applications link in the navigation menu.

Step 2 Click the New Virtual Web Application button to create a new virtual web application definition in the policy. A virtual web application encapsulates settings for a particular backend application for which you want to process and validate traffic at the ACE Web Application Firewall.

Step 3 Configure the virtual web application using the information in the following table.

Table 4-1 Virtual Web Application settings

Label Description

Name A descriptive name used to identify this virtual web application definition in the policy. The name must be unique among the virtual web applications in the policy. It appears in log descriptions for events associated with this virtual web application, so choose a name that is meaningful to users of the event log.

Web App Group The group in which this virtual web application should be created. You can choose an existing group listed in the menu or create a new group for the application by choosing new Web App Group and typing a name for the group.

In general, a group should hold all virtual web applications that need to be managed and monitored together. Management operations that can be performed on a group include operating mode setting and virtual web application disabling. Groups are a reference point for monitoring as well, since the Web App Firewall Incidents report presents information by group.

Chapter 4 Working with Virtual Web Applications

Creating a Virtual Web Application

Basic Virtual URL With this option, specify a distinguishing portion of the request URL in incoming requests to be handled by this virtual web application, such as http://example.com/oakinsurance/

This is the address to which clients send requests to the Firewall. It is used as a prefix match against request URLs: requests for this URL or any sub-path, such as http://example.com/oakinsurance/customer, are matched to this virtual web application. Any trailing part of the request URL is propagated to the outgoing request.

The host portion of the URL can be a hostname or an IP address. Only specify an IP address if it is also configured at the network interface of the ACE Web Application Firewall to which the policy will be deployed. If it is not, the Reactor process at the Firewall will be unable to start after policy deployment. The Virtual URL value you enter will be used to populate several properties of the virtual web application, as follows:

The host portion of the value is used to create a new port/hostname object, if one does not already exist for the host and port combination.

By default, a server definition is created based on the request host, and is set as the destination server for the new virtual web application object.

The portion of the value after the host is used as the Path value for the virtual web application object. The path together with the port/hostname composes the URL at which the web application is exposed to clients by the Cisco ACE Web Application Firewall.

Although the port/hostname object generated by the virtual web application editor can later be configured to allow regular expression matching on the virtual hostname, regular expressions cannot be entered directly in the Virtual URL field when creating the virtual web application. The field accepts only letters, numbers, dots, and hyphens.

Matching Mode (Custom Virtual URL with Filters setting) Based on the path you entered, choose how you want the ACE Web Application Firewall to use the value to match requests. Also choose whether the value should be matched in a case-insensitive manner by selecting the checkbox for this option.

For more information, see the preceding description for the Path field.

Destination Server The HTTP server that serves as the backend destination for this virtual web application. The Cisco ACE Web Application Firewall sends traffic that is qualified by this virtual web application to this destination host. The servers that appear in this menu are those that have been configured in the Destination HTTP Servers page.

If set to “same as virtual URL,” the destination server will automatically be set to the host identified in the Virtual URL field. With the custom virtual URL option selected, the destination server maps to the Port/Hostname field.

Note A virtual web application can be assigned only to a destination server that uses Reactor processing; it is not compatible with destination servers that use Flex Path processing. In the virtual web application configuration pages, destination servers that use Flex Path processing do not appear in the destination server selection menu. If a virtual web application is assigned to a destination server that is later modified to use Flex Path processing, the virtual web application will not work correctly and policy compilation results in an error. The same applies to HTTP ports.

Timeout The amount of time that the ACE Web Application Firewall should wait for a response from the destination server for each request.

Firewall Profile The traffic processing and validation profile that you want to apply for this web application. A profile is a named collection of rule and active security settings. The settings include whether a given rule is enabled and its configuration parameters.

If the profile you want to use does not yet exist, you can set the profile to one of the built-in profiles and change it later.

Monitor Mode If selected, sets the initial operating mode of the virtual web application to monitor mode. In monitor mode, a message that triggers a message inspection rule in the applied profile is not blocked. Instead it is passed through with an event logged.

When first deploying and testing the virtual web application configuration, it is often useful to set it to monitor mode. This allows you to check for false positives (that is, legitimate traffic that nevertheless matches an attack signature) without affecting live production traffic. If the virtual web application generates false positives, you can quickly create a modifier, directly from the log description of the event, that exempts the matched traffic from the rule that triggered the blocking event.

Note that message rewrite rules are still applied to traffic handled by the virtual web application in monitor mode.

Also note that, in enabled mode, a message is rejected at the first rule it violates and is not evaluated against the remaining rules in the profile. The event log or incidents report therefore shows only the rule that caused the message to be blocked, not other rules the message might have violated had processing continued. In monitor mode, on the other hand, all rules violated by a message are reported.


Step 4 When finished, click Save Changes to commit the new virtual web application to the working policy.
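The following Python model is an added example, not Cisco code and not part of this guide. It illustrates the behaviour Table 4-1 describes: how a Basic Virtual URL is split into a port/hostname object, a destination server and a Path value (reusing the port/hostname object when one already exists for that host and port); how incoming requests are prefix-matched to the virtual web application and the trailing part of the path is carried to the outgoing request; and how a profile's rules behave in enabled mode (reject at the first violated rule, stop evaluating) versus monitor mode (evaluate every rule, log all violations, never block), with rewrite rules applied in both modes and a modifier exempting a path from one rule. Everything here is hypothetical: the function and object names, the policy dictionary layout, the sample profile and request, the assumptions that a missing port defaults to 80/443, that the destination is "same as virtual URL", that the initial mode is monitor mode, and that the prefix match ends on a path-segment boundary (so /oakinsurance does not also claim /oakinsurancefake/). The IP-address-at-interface and Flex Path checks described above are not modelled.

```python
"""Added illustration (not Cisco code) of the virtual web application settings:
Virtual URL decomposition, request prefix matching, and enabled versus monitor
mode rule evaluation. All names and sample data are hypothetical."""
import re
from urllib.parse import urlsplit

# Host portion of the Virtual URL field: letters, digits, dots and hyphens only.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+$")


def is_valid_host(host):
    return bool(host) and HOST_RE.match(host) is not None


def create_virtual_web_app(policy, name, virtual_url, profile):
    """Populate `policy` from a Basic Virtual URL the way the editor does.
    Assumptions (not stated on the page): a missing port defaults to 80/443,
    the destination is "same as virtual URL", initial mode is monitor mode."""
    if name in policy.setdefault("vwas", {}):
        raise ValueError("virtual web application name must be unique")
    u = urlsplit(virtual_url)
    if u.scheme not in ("http", "https") or not is_valid_host(u.hostname):
        raise ValueError("bad Virtual URL: %r" % virtual_url)
    key = (u.hostname, u.port or (443 if u.scheme == "https" else 80))
    # Port/hostname object: created only if none exists for this host+port.
    policy.setdefault("port_hostnames", {}).setdefault(key, {"regex": False})
    # Server definition based on the request host, set as the destination.
    policy.setdefault("servers", {}).setdefault(key, {"processing": "Reactor"})
    vwa = {"name": name, "port_hostname": key, "path": u.path or "/",
           "destination": key, "profile": profile, "monitor_mode": True}
    policy["vwas"][name] = vwa
    return vwa


def match_request(vwa, request_url, case_insensitive=False):
    """Prefix-match a request URL to the virtual web application and return
    the trailing part of the path (propagated to the outgoing request), or
    None if this application does not handle the request. Assumption: the
    prefix must end on a path-segment boundary."""
    r = urlsplit(request_url)
    port = r.port or (443 if r.scheme == "https" else 80)
    if (r.hostname, port) != vwa["port_hostname"]:
        return None
    path, base = r.path or "/", vwa["path"].rstrip("/")
    p, b = (path.lower(), base.lower()) if case_insensitive else (path, base)
    if p == b or p.startswith(b + "/"):
        return path[len(base):]
    return None


def process_message(vwa, message):
    """Apply the application's profile to a message. Enabled mode: the first
    violated rule rejects the message and evaluation stops. Monitor mode: all
    rules are evaluated and every violation is logged, nothing is blocked.
    Rewrite rules run in both modes; a modifier exempts a path prefix from
    one rule (the false-positive fix described in the guide)."""
    profile = vwa["profile"]
    message = dict(message, headers=dict(message["headers"]))
    for rewrite in profile["rewrites"]:
        rewrite(message)
    events, blocked = [], False
    for rule in profile["rules"]:
        exempt = any(m["rule"] == rule["name"] and
                     message["path"].startswith(m["path_prefix"])
                     for m in profile["modifiers"])
        if exempt or not rule["check"](message):
            continue
        events.append(rule["name"])
        if not vwa["monitor_mode"]:
            blocked = True
            break
    return {"blocked": blocked, "events": events, "message": message}


# Constructed sample profile: three inspection rules, one header rewrite.
SQLI = re.compile(r"(?i)'\s*or\s*\d+\s*=\s*\d+|union\s+select")
PROFILE = {
    "rules": [
        {"name": "uri-too-long", "check": lambda m: len(m["path"]) > 64},
        {"name": "sqli-signature", "check": lambda m: SQLI.search(m["query"]) is not None},
        {"name": "method-not-allowed", "check": lambda m: m["method"] not in ("GET", "POST")},
    ],
    "modifiers": [],
    "rewrites": [lambda m: m["headers"].pop("X-Debug", None)],
}

# Constructed sample request: violates the SQLi signature and the method rule.
SAMPLE_MESSAGE = {
    "method": "TRACE", "path": "/oakinsurance/search", "query": "q=1' OR 1=1",
    "headers": {"Host": "example.com", "X-Debug": "1"},
}

if __name__ == "__main__":
    policy = {}
    vwa = create_virtual_web_app(policy, "oak", "http://example.com/oakinsurance/", PROFILE)
    print(match_request(vwa, "http://example.com/oakinsurance/customer"))  # /customer
    print(process_message(vwa, SAMPLE_MESSAGE)["events"])  # ['sqli-signature', 'method-not-allowed']
    vwa["monitor_mode"] = False
    print(process_message(vwa, SAMPLE_MESSAGE)["events"])  # ['sqli-signature']
```

Running the sample message through the profile in monitor mode yields two events and no block; switching the same application to enabled mode yields a block with only the first violated rule in the event list, which is exactly why a log entry from an enabled-mode application may understate how many rules a request would have tripped. Adding a modifier for the sqli-signature rule on the /oakinsurance/search path removes that event and, in enabled mode, lets the method rule become the blocking rule instead.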

Creating the Virtual Web Application using Custom Virtual URL With Filters