Intrusion Detection \ Prevention System with vTM

yarix
Not applicable

Hi

I'm using vTM 17.3 (with WAF enabled).

Is there a way to configure vTM as an IDS/IPS (intrusion detection / prevention system)?

If not, what other options do I have to protect my system from intrusion?

regards

1 REPLY 1
mbodding
Occasional Contributor

Re: Intrusion Detection \ Prevention System with vTM

Hi Yarix,

A WAF works differently to IDS/IPS systems. An IDS can have rules to detect attacks at various layers of the OSI stack, and for various applications. They typically sit on the network (in-line or on a span port) and monitor all traffic through the network. A WAF on the other hand sits in-line with your webservers and looks specifically at application layer attacks against webservices.

The vTM WAF can be configured in either detection (IDS like) or protection (IPS like) mode, where it will either just alert you to attacks or actively prevent them. The minimal configuration you need to get IPS like protection for your web services would be:

  • Install the WAF in vTM under System -> Application Firewall
  • Then in the WAF:
    • Create a policy and perform application mapping of your hosts
    • Apply the baselines using the wizard.
  • Enable the WAF for your HTTP vservers.
  • TEST TEST TEST

The WAF will be running in "detection" mode by default, once you are happy that you don't have any false positives then you can log back in to the WAF UI and switch into "protection" mode.

You can also use vTM to protect other services by writing custom TrafficScript rules. For example you could protect APIs by making use of the built-in XML validation, or you could write rate shaping rules to limit brute force login attempts against any service.

If you're feeling adventurous, then there is also an article kicking around somewhere which describes how to import SNORT IDS rules for use in vTM. https://web.archive.org/web/20100917074840/http://knowledgehub.zeus.com:80/articles/2007/12/20/conve...

Cheers,

Mark
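The rate shaping idea from the reply above, written out as an added example rather than anything posted in this thread: a TrafficScript request rule that throttles login attempts per client IP and logs when the limit is hit, so it can run in a "detect only" form (log and let through) before the blocking response is enabled. It assumes a rate class named `login-limit` has already been created under Catalogs > Rates (TrafficScript cannot create one), that the login form is POSTed to `/login`, and that `rate.use.noQueue()` returns 0 when the request would have exceeded the class limit; the class name and path are placeholders for this example.

```trafficscript
# Added example (not from the thread): per-client-IP login throttle.
# Assumes a rate class "login-limit" exists in Catalogs > Rates and
# that the login form posts to /login; both names are assumptions.

$path   = http.getPath();
$method = http.getMethod();

# Only apply to POSTs to the login endpoint; everything else passes.
if( $method != "POST" || $path != "/login" ) {
   break;
}

$ip = request.getRemoteIP();

# rate.use.noQueue() checks this request against the rate class using
# the client IP as the key, so each source address gets its own limit.
# It returns 0 if the request would have been queued, i.e. the per-IP
# limit has been exceeded, and 1 if it may proceed.
if( rate.use.noQueue( "login-limit", $ip ) == 0 ) {
   # "Detection" behaviour: record the event for review.
   log.warn( "Login rate limit exceeded for " . $ip . " on " . $path );

   # "Protection" behaviour: answer locally and never reach the backend.
   # Comment out this call to run the rule in log-only mode first.
   http.sendResponse( "429 Too Many Requests", "text/plain",
                      "Too many login attempts, try again later\n",
                      "Retry-After: 60" );
}
```

Attach the rule to the HTTP virtual server as a request rule and size the rate class (requests per second or per minute) for what a legitimate user could plausibly do; like the WAF itself, run it in the log-only form until the warnings show no real users being caught.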