Web Application Firewall (WAF) configuration
Web Application Firewall (WAF) rules block potentially malicious or suspect requests at the edge of the network, before they can reach the applications.
How to configure WAF rules
WAF rules are configured via Terraform and associated with infrastructure resources such as load balancers.
The rules are maintained alongside the configuration for the public load balancers in govuk-aws/terraform/projects/infra-public-services. For instructions on how to deploy the Terraform projects, see deploying terraform
For documentation on the kinds of rules:
Viewing logs for WAF
Each time a WAF rule is evaluated and matched it gets logged as either BLOCK. Requests that match the “default” action are not logged. This means that only rules that have been explicitly told to BLOCK will be logged; otherwise the logs would contain every single request, which would not be of much value.
Logs are shipped to a Splunk instance managed by Cyber Security for monitoring, and members of GOV.UK can access them by logging in with their GDS Google Account.
Example query links:
If you do not have access to Splunk, you can request it by raising a support ticket with IT, asking them to enable Splunk for your Google account and saying that you work on GOV.UK.
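The logging behaviour above means a WAF log extract contains only explicit BLOCK decisions (plus whatever else has been explicitly enabled), so a quick triage is to count blocks per rule and per client. The following is an added example, not code from govuk-aws; it assumes the AWS WAF newline-delimited JSON log format (fields such as action, terminatingRuleId and httpRequest.clientIp), and the rule IDs, IPs and records are constructed sample data.

```python
import json
from collections import Counter

# Constructed sample records in the AWS WAF JSON log format (one object per line).
# Only rules explicitly set to BLOCK produce records, as described above; the
# ALLOW record and the malformed line are included to show they are filtered out.
SAMPLE_LOG_LINES = [
    json.dumps({"timestamp": 1700000000000, "action": "BLOCK",
                "terminatingRuleId": "block-bad-user-agents",
                "httpRequest": {"clientIp": "203.0.113.10", "uri": "/search",
                                "httpMethod": "GET", "country": "GB"}}),
    json.dumps({"timestamp": 1700000001000, "action": "BLOCK",
                "terminatingRuleId": "block-bad-user-agents",
                "httpRequest": {"clientIp": "203.0.113.10", "uri": "/api/content",
                                "httpMethod": "GET", "country": "GB"}}),
    json.dumps({"timestamp": 1700000002000, "action": "BLOCK",
                "terminatingRuleId": "rate-limit-search",
                "httpRequest": {"clientIp": "198.51.100.7", "uri": "/search",
                                "httpMethod": "POST", "country": "FR"}}),
    json.dumps({"timestamp": 1700000003000, "action": "ALLOW",
                "terminatingRuleId": "Default_Action",
                "httpRequest": {"clientIp": "192.0.2.44", "uri": "/",
                                "httpMethod": "GET", "country": "GB"}}),
    '{"timestamp": 1700000004000, "action": "BLOCK"',  # truncated record
]


def parse_waf_log(lines):
    """Parse newline-delimited JSON WAF records, skipping blank or malformed lines."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a partially written record in the S3 fallback is not fatal
    return records


def summarise_blocks(records):
    """Count BLOCK records by terminating rule and by client IP."""
    by_rule, by_client = Counter(), Counter()
    for rec in records:
        if rec.get("action") != "BLOCK":
            continue
        by_rule[rec.get("terminatingRuleId", "unknown")] += 1
        by_client[rec.get("httpRequest", {}).get("clientIp", "unknown")] += 1
    return by_rule, by_client
```

The same two functions can be pointed at a file pulled from the S3 fallback bucket described in the next section when Splunk delivery is failing.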
Debugging issues with logs delivery
If for some reason Splunk is down, the logs are requeued and retried for several minutes before falling back to storage in an S3 bucket. The S3 bucket has a very short expiry of 3 days, since its primary use is to troubleshoot issues in scenarios where Splunk delivery is failing.
In addition to the previous 3 days of backup logs, the S3 bucket will also dump any errors encountered into