Kubernetes WAF Version 1.6.0
This version includes the following new capabilities:
KWAF Backend Communication
Starting with KWAF version 1.6.0, all KWAF back-end communication is encrypted with mutual TLS (mTLS).
XML Support
As part of the RFC Validation protection, the module parses and evaluates the XML body structure of requests as well as values encapsulated within the XML tags. Parameter names are created using the full hierarchy of nested tags containing each value.
Specific XML security violations, such as XML Bomb attacks and XXE attacks, will be mitigated and/or reported based on the operational mode of the RFC Validation protection.
Classifier Global Protection Mode
Classifiers define attributes to match against client traffic (for example, the Application Path or a particular HTTP header value) and assign protections to that traffic. Classifiers allow flexible, per-policy configuration of protections based on traffic attributes.
Per classifier, a Global Protection mode can be set that is applied before the traffic reaches the protection modules:
*Inspect: Traffic is inspected for each protection type and violations are reported depending on the configuration of each protector.
*Block: Traffic is blocked. A security page is presented, and a Forensic Security event is created.
*Block no Report: Traffic is blocked. A security page is presented, but a Forensic Security event is not created.
*Bypass: Traffic is not inspected at all.
Exclusion Rules
Depending on the nature of the API/Web Application traffic, rule IDs defined in the Expression engine or in the Signature engine can be excluded (for example, to handle a false positive).
The scope of an exclusion is global within the given classifier. An exclusion can now be limited to the parameters and headers of the request:
*Exclusions are per application/profile.
*An exclusion must at minimum specify the context (header and/or parameter) for one or more Rule IDs.
For the Expression engine, the exclusions can be:
*per Parameter Name (can be a regex)
*one or all Rule IDs
[Screenshot: Expression engine exclusion rule with the options Exclude from Classifier and Exclude from Forensics]
For the Signature engine, the exclusions can be:
*per Zones (URI, Header, parameter, body)
*per Parameter Name (can be a regex)
*per Header Name (can be a regex)
*one or all Rule IDs
[Screenshot: Signature engine exclusion rule with the options Exclude from Classifier and Exclude from Forensics]
Latency
In an Istio environment, using the Envoy external authorization filter, the following metrics help to measure the latency at different levels:
*envoy_http_downstream_rq_time_bucket: latency as measured at the Enforcer
*istio_request_duration_milliseconds_bucket: whole request latency as measured by Istio
The metrics can be collected from Grafana and exposed in a dashboard, as shown in the example below:
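As an added illustration (not part of this release note or of the KWAF product), the following Python parses constructed sample scrape lines for the two histograms above and approximates the 95th percentile of each the way PromQL's histogram_quantile() does, so the enforcer-level and whole-path numbers can be compared side by side. The sample values, the single-label line format and the gap calculation are assumptions made for this example.

```python
import re
from collections import defaultdict
# Constructed sample scrape lines (not real product output) for the two histograms
# named above: cumulative counts per "le" bucket, bounds in milliseconds.
SAMPLE_METRICS = """\
envoy_http_downstream_rq_time_bucket{le="5"} 40
envoy_http_downstream_rq_time_bucket{le="10"} 70
envoy_http_downstream_rq_time_bucket{le="25"} 95
envoy_http_downstream_rq_time_bucket{le="+Inf"} 100
istio_request_duration_milliseconds_bucket{le="5"} 10
istio_request_duration_milliseconds_bucket{le="10"} 40
istio_request_duration_milliseconds_bucket{le="25"} 80
istio_request_duration_milliseconds_bucket{le="50"} 100
istio_request_duration_milliseconds_bucket{le="+Inf"} 100
"""
LINE_RE = re.compile(r'^(\w+)\{le="([^"]+)"\}\s+(\d+(?:\.\d+)?)$')

def parse_buckets(text):
    """Return {metric_name: [(upper_bound, cumulative_count), ...]} sorted by bound."""
    buckets = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip comments, blanks and samples that carry other labels
            name, le, count = m.groups()
            buckets[name].append((float(le), float(count)))  # float("+Inf") -> inf
    return {name: sorted(series) for name, series in buckets.items()}

def histogram_quantile(q, buckets):
    """Approximate the q-quantile like PromQL histogram_quantile(): linear interpolation inside the target bucket."""
    total = buckets[-1][1]
    if total == 0:
        return float("nan")
    rank = q * total
    prev_bound, prev_count = 0.0, 0.0
    for bound, count in buckets:
        if count >= rank:
            if bound == float("inf"):  # beyond the last finite bucket: report that bound
                return prev_bound
            width = count - prev_count
            return prev_bound + (bound - prev_bound) * ((rank - prev_count) / width if width else 1.0)
        prev_bound, prev_count = bound, count
    return prev_bound

def latency_report(text=SAMPLE_METRICS, q=0.95):
    """Enforcer-only vs whole-path q-quantile; the gap is only a rough indication (quantiles do not subtract exactly)."""
    series = parse_buckets(text)
    enforcer = histogram_quantile(q, series["envoy_http_downstream_rq_time_bucket"])
    whole = histogram_quantile(q, series["istio_request_duration_milliseconds_bucket"])
    return {"enforcer_ms": enforcer, "whole_ms": whole, "gap_ms": whole - enforcer}
```

Against a real Prometheus endpoint the equivalent is histogram_quantile(0.95, sum(rate(<metric>[5m])) by (le)) for each of the two metrics, which Grafana can plot on one panel.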
Bug Fixes and Improvements
This version includes the following fixes and improvements:
*Activity tracking improvements (rate limit, exclusion rules)
*JSON parsing improvements
*Additional improvements and minor bug fixes.