Reblaze Part of Link11
v5
v5v2.20.4v2.20.2v2.20v2.18v2.16v2.14v2.12v2 Release NotesMobile SDK v2.3.0Mobile SDK v2.2.x
v5
v5v2.20.4v2.20.2v2.20v2.18v2.16v2.14v2.12v2 Release NotesMobile SDK v2.3.0Mobile SDK v2.2.x
  • Reblaze Documentation
  • Release Notes
  • Known Issues
  • User Guide
    • Introduction to Link11 WAAP
  • How Link11 WAAP Works
    • Traffic Filtering Process
    • Traffic Reporting and Analytics
    • Policy Mapping and Traffic Routing
    • Tagging
    • UI Overview and Common Elements
  • Console UI Walkthrough
    • Analytics
      • Dashboard
      • Events Log
    • Security
      • Global Filters
      • Flow Control Policies
      • Security Policies
      • Rate Limit Rules
      • ACL Profiles
      • Actions
      • Dynamic Rules
      • Quarantined
      • Content Filter
        • Content Filter Profiles
        • Content Filter Rules
    • Sites
      • Server Groups
      • Proxy Templates
      • Mobile Application Groups
      • Backend Services
      • Edge Functions
      • DNS Records
      • SSL
        • Load Balancers
        • Certificates
    • System
      • Interactive Challenge
      • SSO Configuration
      • Purge CDN Cache
      • Users Management
      • Security Alerts
      • Log Exporters
      • Version Control
      • System DB
      • Publish Changes
    • Account
  • Using the product
    • Best Practices
      • Saving and Publishing Your Changes
      • Enabling Passive Challenges
      • Understanding and Diagnosing Traffic Issues
    • How Do I...
      • Authenticate mobile app users
      • Ban, unban, and allowlist traffic sources
      • Bypass Link11 WAAP for loadtesting or other purposes
      • Configure a new path/section of a site
      • Control caching behavior
      • Enable GraphQL traffic
      • Enable mTLS (mutual TLS)
      • Protect sensitive information in logs and analytics
      • Quickly block an attacker
      • Redirect or block HTTP traffic
      • Run custom code
      • Set rate limits and exemptions
      • Stream event data to a SIEM solution or other destination
    • The Link11 WAAP API
      • Overview
      • Internal data structures
      • Using Swagger UI
      • Using curl
  • Reference Information
    • Acronyms
    • API
      • API access to traffic data
      • Types of namespaces
      • Namespace reference
        • ACL Profiles
        • Actions
        • Backend Services
        • Certificates
        • Configs
        • Content Filter Profiles
        • Content Filter Rules
        • Data queries
        • Dynamic Rules
        • Edge Functions
        • Flow Control Policies
        • Global Filters
        • Load Balancers
        • Log Exporters
        • Mobile Application Groups
        • Planets
        • Proxy Templates
        • Rate Limit Rules
        • Security Alerts
        • Security Policies
        • Server Groups
        • Tags
        • Tools
        • Users
    • Hostile Bot Detection / LWCSI
      • Environmental detection and browser verification
      • Client authentication
      • Biometric behavioral verification
    • HTTP Response Codes
    • Log Exporter Output
    • Pattern Matching Syntax
    • Query Filter Syntax and Best Practices
  • Support
Powered by GitBook
On this page
  • Overview
  • Policy mapping
  • Traffic routing

Was this helpful?

Export as PDF
  1. How Link11 WAAP Works

Policy Mapping and Traffic Routing

PreviousTraffic Reporting and AnalyticsNextTagging

Last updated 3 days ago

Was this helpful?

Overview

When L11WAAP processes incoming requests (as described in the discussion of the traffic filtering process), the system must perform:

  • Policy mapping: deciding which security rulesets are applicable to the request.

  • Traffic routing: If the request successfully passes through the filtering process, the system must decide how and where to route it to the protected backend.

As shown in the diagram above, a fundamental component within L11WAAP is the Server Group. Generally, admins will configure a Server Group to represent a domain. Each Server Group specifies:

  • A Security Policy, used for policy mapping.

  • The Proxy Template that is based upon.

  • The domain's SSL Certificate.

Policy mapping

During the traffic filtering process, some stages of processing (for example, Global Filtering) are universal; the same rulesets are enforced upon all requests.

However, other stages of processing will vary. Admins can specify different rulesets for enforcement, depending on the request's destination URL. For these stages, policy mapping is necessary.

When a request is received, it is first matched with the appropriate Server Group. As shown above, every Server Group includes a Security Policy, which is the foundation for policy mapping.

Each Security Policy includes a list of paths (which are usually expressions, although individual URLs can be specified too). It associates each path with several rulesets:

  • Content Filter Profile (which defines the threat signatures, content requirements, and other restrictions to enforce upon the request according to its content)

  • Rate Limit Rule(s) (which restrict the rates at which traffic sources can submit requests)

  • ACL Profile (which define the disposition of requests, depending on the tags that it received during processing)

The request's destination URL is evaluated against the list of paths, to find the best match. The rulesets associated with that path are the ones used to process the request. For more information, see the explanation of Security Policy path mapping.

Traffic routing

When a request has successfully passed through traffic filtering, L11WAAP forwards it to the customer's backend, accepts the backend's response, and returns the response to the client.

To do this, the system must know how to route requests to the backend. This is configured in Security Policies.

Each Security Policy includes a list of paths (which are usually expressions, although individual URLs can be specified too). Each path is associated with, among other things, a Backend Service.

When a request is processed, its destination URL is evaluated against the list of paths, to find the best match. The Backend Service associated with that path is the one to which L11WAAP will send the request, and then receive the response, and so on.