Out of Band WAAS (Web Application & API Security)

Showing results for 
Show  only  | Search instead for 
Did you mean: 
L4 Transporter

Out of Band WAAS (Web Application & API Security)


by Shashank Chandramohan


In the past couple of years, organizations have increased their utilization of cloud environments. Many teams are now finding it difficult to handle the technical complexity of cloud migration, including the ability to safeguard their applications throughout the course of the application development lifecycle. In today's environment, cloud native applications consist of an increasing number of microservices, containers, hosts and a range of computing options and technology stacks. These intricate architectures will continue to become more complex as cloud native technology continues to grow. 


Security experts have always found it difficult to secure the web apps and APIs that support these intricate architectures. Since APIs and applications are constantly evolving, current web security solutions do not provide the necessary coverage. Prisma Cloud has a WAAS (Web Application and API Security) module as a solution to protect your web applications and APIs.



The most popular method for sharing and altering data is through web applications and APIs. As web programs and APIs increase, the attack surface increases which leaves your data and resources vulnerable. 



Image: An example of how traffic is handled by WAAS


To reduce risk, a complete solution is needed by application security, development, and cloud architects to safeguard their Web applications and APIs on any infrastructure. Here is where the Prisma Cloud Compute (CWPP) module WAAS comes into play: It protects both containerized and non-containerized web applications and API security against OWASP top 10 risks, API vulnerabilities, file uploads, geo-location based controls and more. Organizations can choose how to safeguard their cloud applications using Prisma Cloud's deep web and API security, which is available both inline and Out of Band.



Image: Types of WAAS

Difference between inline and Out of Band WAAS:

Inline WAAS sits between the incoming traffic and the Web Application. It authenticates and allows/blocks the traffic and alerts the customer in real-time if it violates the rule created by the customer. On the other hand, Out of Band WAAS utilizes VPC to mirror the traffic - analyze it in real-time - and only alerts the customer based on the traffic and rules created. This gives the customer a flexible security option that meets their evolving application demands and ensures there is no trade-off between application performance and security.


Inline WAAS: Notice the different modes - Disable, Alert, Prevent and Ban.



Out of Band WAAS: Notice there is no Ban/Prevent mode.




When do you choose Out of Band?
It has been difficult for businesses to safeguard their mission-critical applications without compromising performance as they create and deploy more of their applications on the cloud. Developer and security teams can safeguard their applications with the same degree of security as conventional in-line WAFs and API security without suffering performance penalties by adding the option of Out-of-Band WAAS.


Another use case where you use Out of Band WAAS is when you don’t want to risk a failure of inline WAAS, meaning no traffic reaches your application.

How does Out of Band WAAS work?

Out of Band WAAS protects your workloads by inspecting the mirrored traffic. Client-server connections and application performance are unaffected. There are two ways to deploy WAAS Out of Band:


WAAS Out-of-band with Defender is used when you have an environment where you can deploy a defender in your workload environment.

When installing Defender on each microservice is not feasible, WAAS Out-of-band with VPC traffic mirroring is used.


Did you know?

You can monitor both protected and unprotected workloads with Prisma Cloud Out of Band WAAS.


In order to remotely monitor the unprotected apps on your source instance utilizing the built-in traffic mirroring offered by CSP, this configuration needs you to deploy a Defender on the target instance outside of your workload environment.


For instance, the AWS VPC traffic mirroring capability copies traffic from the source EC2 instance (which does not have Defender installed) to the target EC2 instance, which is located in the same VPC but has Defender installed on the host.


There is no latency cost with WAAS Out-of-band configuration. However, WAAS can only alert the Prisma Console because it cannot direct the flow of traffic. All the traffic mirroring on AWS will be taken care of by our cloud formation script.


How to create a WAAS Out of Band rule on Prisma Console:


Step 1: Open Prisma UI >Navigate to Compute>defend>WAAS> Out of Band




Step 2: Create a rule by clicking on “Add Rule”




Step 3: Enter the rule name. Use the Notes for describing the rule (Optional)


Step 4: Scope down the resources (observers) by specifying a collection. (Collections can be created on the fly or under Manage>Collection and Tags)
Observers - agents deployed for Out-of-band traffic mirror are termed Observers


Step 5: API Endpoint discovery - when toggled to enable, the mirrored traffic to and from the remote applications is examined by the Observer. The Observer reports a list of the endpoints and their resource paths in Compute > Monitor > WAAS > API observations > Out-of-band observations.


The below image shows that you are able to discover API endpoints and the risks that they present for the applications.



You can also see any unprotected web apps as shown in the below image.




Step 6: When employing VPC traffic mirroring, ports cannot be automatically identified since no agent is directly installed on the source workload and the traffic is redirected through the CSP's traffic mirroring service to the Prisma Cloud Observer.


Step 7: Toggle on VPC traffic monitoring to enable the flow of mirrored traffic from the source instance to the destination instance's Prisma Cloud Observer.


Step 8: Click Save. Once the rule is created click on “Add App” to configure the firewall settings, Bot protection, Denial of Service, etc.




For in-depth information about VPC mirroring, you can look at the documentation here: Deploy WAAS Out-of-band with VPC Traffic Mirroring


Note: VPC Traffic Mirroring OOB is available only for AWS environments, but Defender based OOB is available anywhere a Defender can be deployed.


Example: How to create traffic mirroring in AWS manually




Step 1: Deploy host defender on an EC2 instance. This will be our WAAS Observer. 

Step 2: Configure Traffic Mirroring. Here, set up the Source, Target, Filter and Session.

Step 3: Create Out of Band WAAS rule on Prisma UI.
Step 4: Perform Sanity checks.

Step 5:  Check Monitor > Events > WAAS Out of Band. This will provide you with insights into the events that occurred.




Click on any of the attack types to gather more information.




Modern problems require modern solutions. Modern online applications that are API-centric and cloud native, as well as the microservices they use, are sophisticated, which creates a host of new security challenges. To supplement traditional security measures, this new environment needs new security solutions and methods and with Prisma Cloud WAAS module offering OWASP Top-10 Coverage, API Protection, Access Control, File Upload Control, Detection of Unprotected Web Applications, Penalty Box for Attackers, Bot Protection, DoS Protection let us secure our web applications.



Register or Sign-in
Top Liked Authors