Link11 WAAP
v5
v5
  • Link11 WAAP Documentation
  • Release Notes
  • Known Issues
  • User Guide
    • Introduction to Link11 WAAP
  • How Link11 WAAP Works
    • Traffic Filtering Process
    • Traffic Reporting and Analytics
    • Policy Mapping and Traffic Routing
    • Tagging
    • UI Overview and Common Elements
  • Console UI Walkthrough
    • Analytics
      • Dashboard
      • Events Log
    • Security
      • Global Filters
      • Flow Control Policies
      • Security Policies
      • Rate Limit Rules
      • ACL Profiles
      • Actions
      • Dynamic Rules
      • Quarantined
      • Content Filter
        • Content Filter Profiles
        • Content Filter Rules
    • Sites
      • Server Groups
      • Proxy Templates
      • Mobile Application Groups
      • Backend Services
      • Edge Functions
      • DNS Records
      • SSL
        • Load Balancers
        • Certificates
    • System
      • Interactive Challenge
      • SSO Configuration
      • Purge CDN Cache
      • Users Management
      • Security Alerts
      • Log Exporters
      • Version Control
      • System DB
      • Publish Changes
    • Account
  • Using the product
    • Best Practices
      • Saving and Publishing Your Changes
      • Enabling Passive Challenges
      • Understanding and Diagnosing Traffic Issues
    • How Do I...
      • Authenticate mobile app users
      • Ban, unban, and allowlist traffic sources
      • Bypass Link11 WAAP for loadtesting or other purposes
      • Configure a new path/section of a site
      • Control caching behavior
      • Enable GraphQL traffic
      • Enable mTLS (mutual TLS)
      • Protect sensitive information in logs and analytics
      • Quickly block an attacker
      • Redirect or block HTTP traffic
      • Run custom code
      • Set rate limits and exemptions
      • Stream event data to a SIEM solution or other destination
    • The Link11 WAAP API
      • Overview
      • Internal data structures
      • Using Swagger UI
      • Using curl
  • Reference Information
    • Acronyms
    • API
      • API access to traffic data
      • Types of namespaces
      • Namespace reference
        • ACL Profiles
        • Actions
        • Backend Services
        • Certificates
        • Configs
        • Content Filter Profiles
        • Content Filter Rules
        • Data queries
        • Dynamic Rules
        • Edge Functions
        • Flow Control Policies
        • Global Filters
        • Load Balancers
        • Log Exporters
        • Mobile Application Groups
        • Planets
        • Proxy Templates
        • Rate Limit Rules
        • Security Alerts
        • Security Policies
        • Server Groups
        • Tags
        • Tools
        • Users
    • Hostile Bot Detection / LWCSI
      • Environmental detection and browser verification
      • Client authentication
      • Biometric behavioral verification
    • HTTP Response Codes
    • Log Exporter Output
    • Pattern Matching Syntax
    • Query Filter Syntax and Best Practices
  • Support
Powered by GitBook
On this page
  • Overview
  • Policy mapping
  • Traffic routing

Was this helpful?

Export as PDF
  1. How Link11 WAAP Works

Policy Mapping and Traffic Routing

PreviousTraffic Reporting and AnalyticsNextTagging

Last updated 1 month ago

Was this helpful?

Overview

When L11WAAP processes incoming requests (as described in the discussion of the ), the system must perform:

  • Policy mapping: deciding which security rulesets are applicable to the request.

  • Traffic routing: If the request successfully passes through the filtering process, the system must decide how and where to route it to the protected backend.

Policy mapping

However, other stages of processing will vary. Admins can specify different rulesets for enforcement, depending on the request's destination URL. For these stages, policy mapping is necessary.

Each Security Policy includes a list of paths (which are usually expressions, although individual URLs can be specified too). It associates each path with several rulesets:

Traffic routing

When a request has successfully passed through traffic filtering, L11WAAP forwards it to the customer's backend, accepts the backend's response, and returns the response to the client.

When a request is processed, its destination URL is evaluated against the list of paths, to find the best match. The Backend Service associated with that path is the one to which L11WAAP will send the request, and then receive the response, and so on.

As shown in the diagram above, a fundamental component within L11WAAP is the . Generally, admins will configure a Server Group to represent a domain. Each Server Group specifies:

A , used for policy mapping.

The that is based upon.

The domain's .

During the traffic filtering process, some stages of processing (for example, ) are universal; the same rulesets are enforced upon all requests.

When a request is received, it is first matched with the appropriate Server Group. As shown above, every Server Group includes a , which is the foundation for policy mapping.

(which defines the threat signatures, content requirements, and other restrictions to enforce upon the request according to its content)

(which restrict the rates at which traffic sources can submit requests)

(which define the disposition of requests, depending on the that it received during processing)

The request's destination URL is evaluated against the list of paths, to find the best match. The rulesets associated with that path are the ones used to process the request. For more information, see the explanation of .

To do this, the system must know how to route requests to the backend. This is configured in .

Each Security Policy includes a list of paths (which are usually expressions, although individual URLs can be specified too). Each path is associated with, among other things, a .

Server Group
Security Policy
Proxy Template
SSL Certificate
Global Filtering
Security Policy
Content Filter Profile
Rate Limit Rule(s)
ACL Profile
tags
Security Policies
Backend Service
traffic filtering process
Security Policy path mapping