Link11 WAAP
v5

Enable mTLS (mutual TLS)

Last updated 1 month ago

Overview

Link11 WAAP supports mTLS encryption. The scope of this feature is as follows:

  • mTLS is optional, and can be enabled for individual Server Groups.

  • Admins upload CA Certificates, and assign them to Server Groups (as described below).

  • Currently, mTLS can be enforced between clients and L11WAAP. A later release will add enforcement between L11WAAP and the origin.

  • In the user interface, mTLS is only available when using an NLB (Network Load Balancer). To enable mTLS when using a Link11 load balancer, contact support.

  • When mTLS is enabled, the user must present a client certificate at the beginning of each session during the TLS handshake. L11WAAP will validate the date and issuer of the certificate. If validation fails, the user will receive an error, and will not be permitted to connect to the protected system.

mTLS verification does not exempt a client from other types of traffic filtering. Even if a client successfully establishes an mTLS connection with L11WAAP, its requests will still be blocked if they originate from a banned source, or exceed rate limits, or match a content filtering signature, etc.

How to enable mTLS

Setting up mTLS is a straightforward process:

  • Upload the CA Certificate(s) in the CA Certificates tab of the Certificates page.

  • Publish your changes.

  • Assign the appropriate certificate to each Server Group:

    • Open the Server Group in the Server Group Editor page.

    • Turn on the CA Certificate toggle.

    • A dropdown list of CA Certificates will appear. Select the appropriate one.

  • Publish your changes.
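
A local pre-upload check for the two properties this page says L11WAAP validates on a client certificate (date and issuer), given as an added example that is not part of the Link11 documentation and is not L11WAAP's own validation logic. It assumes the `openssl` CLI is installed; the CA, certificates and file names are throwaway values constructed for the demonstration, and `check_client_cert` and `make_demo_pki` are hypothetical helper names.

```shell
#!/usr/bin/env bash
# Added example: check a client certificate against the CA certificate
# that will be uploaded for mTLS. All certificates here are constructed.

# check_client_cert CA_PEM CERT_PEM [MIN_SECONDS_LEFT]
# Prints one verdict and returns 0 only for "ok".
check_client_cert() {
  local ca="$1" cert="$2" min_left="${3:-0}"
  # Date: fail if the certificate expires within the next min_left seconds.
  if ! openssl x509 -in "$cert" -noout -checkend "$min_left" >/dev/null 2>&1; then
    echo "expires-within-window"; return 1
  fi
  # Issuer: fail if the certificate does not chain to the given CA.
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "not-issued-by-ca"; return 1
  fi
  echo "ok"
}

# make_demo_pki DIR: build a throwaway CA, a client certificate signed by it,
# and an unrelated self-signed certificate (all valid for 30 days).
make_demo_pki() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo mTLS CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
    -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
  openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -out "$d/client.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=unrelated" \
    -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
make_demo_pki "$demo"
check_client_cert "$demo/ca.pem" "$demo/client.pem"                   # ok
check_client_cert "$demo/ca.pem" "$demo/other.pem" || true            # not-issued-by-ca
check_client_cert "$demo/ca.pem" "$demo/client.pem" 7776000 || true   # expires-within-window (90 days)
```

Passing a `MIN_SECONDS_LEFT` value flags certificates that are still valid today but will be refused at the handshake once they expire.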
