Web application firewalls (WAF) are a type of reverse proxy technology that operate at Layer 7 of the open systems interconnection (OSI) stack. They are generally implemented to protect web applications and web services from malicious traffic or users. A WAF is usually deployed as a hardware or software component or as a cloud-native managed service and operates primarily as a reverse proxy, sometimes in a 1:1 configuration to backend systems and sometimes support multiple backend systems and multiple frontend IPs or host names.
This topic is generally relevant to ArcGIS Enterprise deployments only. While ArcGIS Online includes security features similar to those described in this article, a customer-deployed WAF should not be used as a front-end URL to access ArcGIS Online resources or content, as this is an unsupported pattern which may lead to unexpected behavior.
WAFs are different from regular reverse proxies as they are designed to protect the backend application. They do not simply pass requests transparently, they generally have logic to inspect the requests, including the request URL, headers, source location, and body, for malicious or potentially malicious contents. Most WAFs implement a common ruleset, that is either defined by the manufacturer or a community, to identify common malicious attempts, such as SQL injection attempts, server-side request forgery (SSRF) or other types of behavior. WAFs can also implement metering, to limit a number of requests in a certain period, protect against distributed denial-of-service (DoS) attacks, and filter access to block IPs from certain geographic areas or sources. Each of these rules can be individually configured on or off, and the WAF can implement and apply hundreds or thousands of these rules to the protected application.
WAFs often have two modes that can be configured, including:
Inbound traffic monitoring refers to the inspection and filtering of incoming requests to a system, whether from internal or public sources. While inbound traffic monitoring can refer to other methods or approaches beyond WAFs, these concepts are often closely linked.
ArcGIS software relies on a wide variety of HTTP request types and responses, ranging from GET, POST and OPTIONS requests to large content bodies, unique headers, and various methods for token-based authentication. An overly conservative WAF is likely to present problems for client applications of an ArcGIS Enterprise deployment.
When implementing or using a WAF with an ArcGIS deployment, consider some of the following guidance:
Esri provides a detailed example of WAF rules compatibility, based on the Azure WAF offering, identifying rules or configurations that may cause issues for ArcGIS deployments and should be disabled. This document is available in the ArcGIS Trust Center: ArcGIS Enterprise Web Application Filter Rules (an ArcGIS login required).
This example includes specific rules from one specific WAF provider, but may provide an easier path towards configuring an organization’s specific WAF rule sets in the future. Also keep in mind that certain application functionality may be blocked by a WAF and this may be acceptable, if that application or service is never planned for use with a system, the fact that the traffic is blocked might be considered a non-issue. As further WAF testing or validation is completed, more resources will be referenced on this page – at this time, the Azure WAF ruleset is the only available detailed example, though it may inform proper configuration of other WAF products or offerings.