Web Application Firewall (WAF) configuration

Web Application Firewall (WAF) rules enable blocking potentially malicious or suspicious requests at the edge of the network, before they can reach the applications.

How to configure WAF rules

WAF rules are configured via terraform and associated with infrastructure resources such as load balancers.

The rules are maintained alongside the configuration for the public load balancers in govuk-aws/terraform/projects/infra-public-services. For instructions on how to deploy the terraform projects, see deploying terraform.

For documentation on the kinds of rules:

Viewing logs for WAF

Each time a WAF rule is evaluated and matched, the match is logged as either ALLOW or BLOCK. Requests that only match the “default” action are not logged. This means that only rules that have been explicitly told to ALLOW or BLOCK will be logged; otherwise the logs would contain every single request, which would not be of much value.
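As an added example (not code from govuk-aws), this is the shape such a configuration takes in terraform for AWS WAF Regional, tying the two points above together: a rule with an explicit BLOCK action, whose matches are logged, a default ALLOW, whose matches are not, the logging destination, and the association with a load balancer. The IP range, resource names, the Firehose delivery stream waf_logs and the load balancer aws_lb.public are assumed placeholders.

```hcl
# Placeholder IP set; 192.0.2.0/24 is a documentation range, not a real block list.
resource "aws_wafregional_ipset" "blocked_ips" {
  name = "blocked-ips"

  ip_set_descriptor {
    type  = "IPV4"
    value = "192.0.2.0/24"
  }
}

resource "aws_wafregional_rule" "block_ips" {
  name        = "block-ips"
  metric_name = "blockIps"

  predicate {
    data_id = aws_wafregional_ipset.blocked_ips.id
    negated = false
    type    = "IPMatch"
  }
}

resource "aws_wafregional_web_acl" "public" {
  name        = "public-waf"
  metric_name = "publicWaf"

  # Requests that only reach the default action are NOT logged.
  default_action {
    type = "ALLOW"
  }

  # Explicit action on a rule: every match is logged with action BLOCK.
  rule {
    action {
      type = "BLOCK"
    }
    priority = 1
    rule_id  = aws_wafregional_rule.block_ips.id
  }

  # Assumed Firehose stream defined elsewhere; its name must start with "aws-waf-logs-".
  logging_configuration {
    log_destination = aws_kinesis_firehose_delivery_stream.waf_logs.arn
  }
}

# Attach the web ACL to the (assumed) public application load balancer.
resource "aws_wafregional_web_acl_association" "public" {
  resource_arn = aws_lb.public.arn
  web_acl_id   = aws_wafregional_web_acl.public.id
}
```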

Logs are shipped to a Splunk instance managed by Cyber Security for monitoring. The logs are accessible to members of GOV.UK by logging in with your GDS Google Account.

Example query links:

If you do not have access to Splunk, you can request access by raising a support ticket with IT, asking them to enable Splunk for your Google account and saying you work on GOV.UK.

Debugging issues with logs delivery

If for some reason Splunk is down, the logs will be requeued and retried for several minutes before falling back to storage in an S3 bucket. The S3 bucket has a very short expiry of 3 days, since its primary use is to troubleshoot issues in scenarios where Splunk delivery is failing.

In addition to the previous 3 days of backup logs, the S3 bucket will also record any errors encountered in the failed-delivery and failed-processing folders.

This page was last reviewed on 15 July 2019. It needs to be reviewed again on 15 October 2019 by the page owner #govuk-2ndline .