The page has been translated by Gen AI.

WAF Build Process Guide

To start the WAF service, you need to apply for the service and then perform WAF license installation and monitoring integration verification. After you request the WAF service, the person in charge will review the service request details and contact you. Please refer to the process below to request the WAF service.

guide

WAF installation is directly supported by SDS engineers and proceeds after consulting with the client on configuration, specifications, and related details.

  • Considering the overall process schedule, apply for the service at least one month before the service launch (business days).
Diagram
Figure. WAF Build Process

Preliminary preparation work

The preliminary preparation steps for using the WAF service are carried out according to the following procedure.

  1. Submit a service request to install the WAF. (MSP → SDS)
  2. Please request WAF SW installation. (SDS → Engineer)
  3. Please provide the engineer information for the WAF installation work. (SDS → MSP)

Samsung Cloud Platform Console task (MSP execution)

To use the WAF service, the Samsung Cloud Platform Console performs the following steps.

  1. Register an SSL certificate in the Certificate Manager service.
    • Application path: Samsung Cloud Platform Console > Security > Certificate Manager
    • Purpose: Operation
  2. Create a Virtual Server service for WAF.
    • Application path: Samsung Cloud Platform Console > Compute > Virtual Server
    • Determine CPU, memory, and block storage capacity based on WAF specifications.
    • WAF Virtual Server specifications: view quotation
  3. Create a Load Balancer service.
    • Application path: Samsung Cloud Platform Console > Networking > Load Balancer
  4. Create an L7 service for SSL offloading.
  5. Create an L4 service when load balancing is required for WAF redundancy.
  6. Create an L4 service when load balancing is required for web server redundancy.
  7. Configure the required Load Balancer/Firewall/Security Group.
    • Configure the Firewall and Security Group to match the Load Balancer’s communication path as follows.
    • The source inputs the user’s network information.
      CategoryCommon Security Zone FWInternet Gateway FWLoad Balancer FWVirtual Server SG
      Inbound (destination)LB service public IPLB service private IPLB service private IPLB Link IP
      IP (example)123.43.8.xxx10.10.0.xxx10.10.0.xxx192.168.254.xxx
      PortLB service portLB service portLB service portForwarding/Health Check Port
      Table. FW/SG configuration items according to the Load Balancer's communication path
  8. Configure HTTP redirection for the LB service. (Optional)
    • Set the Load Balancer’s HTTP redirection option as follows.
      LB serviceL7 HTTPL7 HTTPS
      LB Profile > Profile TypeApplicationApplication
      LB Profile > Service ClassificationL7 HTTPL7 HTTP
      LB Profile > HTTP RedirectionSettingsNot set
      IP/NAT IPSet the sameSet the same
      service port80443
      forwarding port8080
      Server Group > When Using WAFNot setWAF Virtual Server
      Server Group > When WAF is not usedNot setWEB Virtual Server
      Certificate registrationUnregisteredRegister
      Table. Load Balancer HTTP redirection configuration items
  9. Grant the WAF engineer access permissions to the Virtual Server for WAF.

WAF SW Installation and Test (WAF Engineer & MSP)

When the WAF specifications are finalized, the engineer installs the WAF software and conducts testing.

Policy request and implementation for WAF security monitoring

Create and apply policies required for WAF security monitoring.

  1. Request the required policy from the Samsung Cloud Platform Console. (SDS → MSP)
  2. Deliver and apply the created policy. (SDS → MSP)
  3. Check the items that require policy registration. (Direct Connect Firewall/Security Group/Routing)
    • SDS → Verify that the WAF access path for each client is secured. If additional registration is required, request it by email.
    • Check whether the WAF → SIEM log transmission path is secured for each client. If additional registration is needed, request it via email.

Constraints

When installing the WAF, first check the following constraints before proceeding.

  • When WAF is configured as a single instance, service continuity cannot be guaranteed in case of a failure of the WAF-installed Virtual Server or the WAF application. (Bypass is not supported between Samsung Cloud Platform LB and WAF)
  • If service availability of the website where WAF is applied is critical, WAF redundancy must be implemented. If WAF redundancy is required, a separate request must be made.
  • Security monitoring through the Samsung Cloud Platform service is available only for Penta Security products.
  • Other vendors’ products are listed in the marketplace, but Samsung SDS security monitoring services are not offered.
How-to guides
Release Note