How to implement a WAF

Hi VyOS Forum,

Any idea how to implement a WAF to protect exposed services?


Well first of all I’ll just leave this here - personally having run/used them before I think they end up being much, much more trouble than they’re worth and give you a mostly false sense of security.

THAT SAID, I realise many orgs have a requirement for one.

So you could look at using VyOS’ container function and running something like


Thanks for this useful hint.

To do WAFs at scale you need to either use a hardware-based platform such as Palo Alto Networks, which offloads to ASICs/FPGAs to do the heavy lifting.

Or something like this example where Arista were used to split up traffic over multiple installations of Bro to do the processing:

Maybe this helps with your idea.

