WAF Construction Process Guide

Starting the WAF service requires license installation and a control system connection check after you apply for the service. After you apply, the person in charge reviews the service request details and contacts you. Follow the process below to apply for the WAF service.

Notice

WAF installation is performed directly by SDS engineers and proceeds after the configuration and specifications have been discussed with the customer company.

  • Considering the overall process schedule, apply for the service at least 1 month (in business days) before the service opening date.

Configuration

Figure. WAF construction process

1. Preparatory Work

The preparatory work for using the WAF service proceeds in the following order.

  1. Apply for WAF installation as a service request. (MSP → SDS)
  2. Request WAF SW installation. (SDS → Engineer)
  3. Provide the engineer information for the WAF installation work. (SDS → MSP)

2. Samsung Cloud Platform Console work (performed by MSP)

To use the WAF service, the following work is done in the Samsung Cloud Platform Console.

  1. Register the SSL certificate in the Certificate Manager service.
    • Application path: Samsung Cloud Platform Console > Security > Certificate Manager
    • Purpose: Operation
  2. Create a Virtual Server service for WAF.
    • Application path: Samsung Cloud Platform Console > Compute > Virtual Server
    • The CPU/Memory/Block Storage capacity is determined by the WAF specifications.
    • WAF Virtual Server specification: Check the quotation
  3. Create the Load Balancer service.
    • Application path: Samsung Cloud Platform Console > Networking > Load Balancer
      1. Create an L7 service for SSL Offloading.
      2. Create an L4 service when load balancing is needed for WAF redundancy.
      3. Create an L4 service when load balancing is needed for WEB server duplication.
  4. Set the necessary Load Balancer/Firewall/Security Group.
    • Set the Firewall and Security Group for each segment of the Load Balancer's communication path as follows.
    • For the source (starting point), enter your own network information.

    | Classification        | Common Security Zone FW | Internet Gateway FW   | Load Balancer FW      | Virtual Server SG         |
    |-----------------------|-------------------------|-----------------------|-----------------------|---------------------------|
    | Inbound (Destination) | LB service Public IP    | LB service Private IP | LB service Private IP | LB Link IP                |
    | IP (example)          | 123.43.8.xxx            | 10.10.0.xxx           | 10.10.0.xxx           | 192.168.254.xxx           |
    | Port                  | LB Service Port         | LB Service Port       | LB Service Port       | Forward/Health Check Port |

    Table. FW/SG setting items according to the communication path of Load Balancer
  5. Set the HTTP redirection of the LB service. (optional)
    • Set the Load Balancer's HTTP redirection items as follows.

    | Load Balancer Service               | L7 HTTP          | L7 HTTPS           |
    |-------------------------------------|------------------|--------------------|
    | LB Profile > Profile Type           | Application      | Application        |
    | LB Profile > Service Classification | L7 HTTP          | L7 HTTP            |
    | LB Profile > HTTP Redirection       | Set              | Not set            |
    | IP/NAT IP                           | Set the same way | Set the same way   |
    | Service Port                        | 80               | 443                |
    | Transfer Port                       | 80               | 80                 |
    | Server Group > WAF in use           | Not set          | WAF Virtual Server |
    | Server Group > WAF not used         | Not set          | WEB Virtual Server |
    | Certificate Registration            | Unregistered     | Registered         |

    Table. Load Balancer's HTTP redirection settings
  6. Grant WAF engineers access permission to the WAF Virtual Server.

3. WAF SW installation and testing (WAF engineer & MSP)

When the WAF specification is confirmed, the engineer installs the WAF software and proceeds with the test.

4. Policy request and reflection for WAF security monitoring

WAF security monitoring requires policies to be created and applied.

  1. Request the necessary policy from the Samsung Cloud Platform Console. (SDS → MSP)
  2. Deliver and apply the created policy. (SDS → MSP)
  3. Check the details that require policy registration. (Direct Connect Firewall/Security Group/Routing)
    • SDS → Check whether the WAF access path is secured for each customer company. If additional registration is required, request it by email.
    • Check whether the log transmission path from WAF to SIEM is secured for each customer company. If additional registration is required, request it by email.

Limitations

Before WAF installation, check the following restrictions.

  • When WAF is configured standalone (a single instance), service continuity cannot be guaranteed if the Virtual Server on which WAF is installed or the WAF application fails. (Samsung Cloud Platform LB and WAF do not support bypass.)
  • If service availability of the website protected by WAF is important, WAF must be applied in a redundant (duplicated) configuration. A redundant WAF configuration must be requested separately.
  • Samsung Cloud Platform service provides security monitoring through Pentasecurity products only.
  • Other vendor products are registered in the marketplace, but the Samsung SDS security management service is not provided for them.