Web Application Firewall (WAF) configuration
Web Application Firewall (WAF) rules enable blocking potentially malicious/suspect requests at the edge of the network before they can reach the applications.
How to configure WAF rules
WAF rules are configured via Terraform and associated to load balancers.
The rules are maintained alongside the configuration for the public load balancers in govuk-aws/terraform/projects/infra-public-services. For instructions on how to deploy the terraform projects see deploying terraform
For documentation on the kinds of rules:
Viewing logs for WAF
Each time a WAF rule is evaluated and matched it gets logged as either ALLOW
or BLOCK
. Requests that match the “default” action are not logged. This means
that only rules that have been explicitly told to ALLOW
or BLOCK
will be
logged, otherwise the logs would contain every single request.
Logs are shipped to a Splunk instance managed by Cyber Security for monitoring and the logs are accessible by members of GOV.UK by logging in with your GDS Google Account.
Example query links:
If you do not have access to Splunk, you can request access by raising a support ticket with IT and asking them to enable Splunk for your Google account and saying you work on GOV.UK.
Debugging issues with logs delivery
If Splunk is down the logs will be requeued and retried for several minutes before falling back to storage in an S3 bucket. The S3 bucket has a very short expiry of 3 days since its primary use is to troubleshoot issues in scenerios where Splunk delivery is failing.
In addition to the previous 3 days of backup logs, the s3 bucket will also dump
any errors encountered into failed-delivery
and failed-processing
folders.