Kubernetes WAF Version 1.5.1

Release Notes > What’s New > Kubernetes WAF Version 1.5.1

This version includes the following new capabilities:

Access Control Protection

Access Control Protection allows you to configure a list of HTTP methods and associated paths that are legitimate application traffic. Any HTTP request with a non-defined method-path pair is blocked.

In this release, you can configure an absolute path or a relative path using Regex expressions.

Custom Signature Protection Rules

With Signature Protection, we can add a custom rule. The incoming traffic will be inspected including this rule.

You can select if the pattern uses a regular expression (RegEx) or be an exact match. The inspection will go over the URL, Header, Body or parameters.

API Security

Following the release of the API Security Protection, we continue to provide new functionalities of this protection:

Support of OpenAPI file version 2 and version 3.

Ability to manually add a new endpoint. (You can bypass an endpoint but not remove it).

Ability to add/remove an HTTP Method to/from an endpoint.

Rules are merged in the configuration after uploading a new version of the OpenAPI file describing the application.

For Query, Path, Header and Cookie parameters, we enforce the parameter type (String, Integer, Boolean, Number), pattern or value range and format.

A few GUI improvements:

Namespace added in the OpenAPI table for better visibility.

A button to exclude a rule from the Event log.

Mitigations of some limitations:

Support for OpenAPI files bigger than 250K.

Support for external references when importing OpenAPI 2.x documents.

IP and Geo-Blocking:

A source group is introduced as a new classifier item. The source group can be an IP address, an address range, a CIDR, or a geographic location.

When the source group is specified, it can be combined with any KWAF protection to define how to block the incoming traffic.

Source group configuration is available in the GUI and can be defined in a Namespace.

A source group can be composed from one or more of the following:

CIDR (for example, 192.168.3.0/24, or fe80::0000/24)

IP (for example, 192.168.7.7, or fe9f::0022

Address range (for example, from: 192.168.4.5 to 192.168.4.19, or from fe90::0010 to fe90::0020)

Geo-location (for example, US or CA)

Bug Fixes and Improvements

This version includes the following fixes and improvements:

Added support to decode Base64 query parameters.

Additional improvements and minor bug fixes.