The A10 Networks ADC, when used for load balancing web servers, must deploy the WAF in active mode.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-237060	AADC-AG-000143	SV-237060r639627_rule		Medium

Description
The Web Application Firewall (WAF) supports three operational modes - Learning, Passive, and Active. Active is the standard operational mode and must be used in order to drop or sanitize traffic. Learning mode is used in lab environments to initially set thresholds for certain WAF checks and should not be used in production networks. Passive mode applies enabled WAF checks, but no action is taken upon matching traffic. This mode is useful in identifying false positives for filtering. Only Active mode filters web traffic.

Description

The Web Application Firewall (WAF) supports three operational modes - Learning, Passive, and Active. Active is the standard operational mode and must be used in order to drop or sanitize traffic. Learning mode is used in lab environments to initially set thresholds for certain WAF checks and should not be used in production networks. Passive mode applies enabled WAF checks, but no action is taken upon matching traffic. This mode is useful in identifying false positives for filtering. Only Active mode filters web traffic.

STIG	Date
A10 Networks ADC ALG Security Technical Implementation Guide	2021-03-25

Details

Check Text ( C-40279r639625_chk )
Review the device configuration. The following command displays the configuration and filters the output on the WAF template section: show run \| sec slb template waf If the output contains either "deploy-mode passive" or "deploy-mode learning", this is a finding. Note: Since deploy-mode active is the default value, it will not appear in the output.

Fix Text (F-40242r639626_fix)
The following command sets the deployment mode of the WAF template: slb template waf [template name] deploy-mode active