Setting up PT Application Firewall

Written by

Updated at November 5, 2024

Prepare your cloud
- Required paid resources
Create a web server
Run your DVWA
Set up the firewall
Test the firewall
How to delete the resources you created

PT Application Firewall is a web application firewall that ensures continuous protection for web applications, users, and network infrastructure while helping meet security standards.

In this tutorial, you will deploy a test infrastructure with PT Application Firewall for web applications and a test damn vulnerable web application (DVWA) and then test its features for protection against standard web attacks.

To set up PT Application Firewall and test it:

If you no longer need the resources you created, delete them.

Prepare your cloud

Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.

If you have an active billing account, you can go to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

Required paid resources

The infrastructure support costs include:

Fee for continuously running VMs (see Yandex Compute Cloud pricing).
Fee for using public IP addresses and outgoing traffic (see Yandex Virtual Private Cloud pricing).

Create a web server

Create a dvwa-server VM with Ubuntu:
1. In the management console, select the folder to create your VM in.
2. In the list of services, select Compute Cloud.
3. Click Create virtual machine.
4. Under General information:
  - Enter the name: dvwa-server.
  - Select an availability zone to place your VM in.
5. Under Boot disk image, select Ubuntu 22.04.
6. Under Access, specify the data for access to the VM:
  - In the Login field, enter the ycuser username.
  - In the SSH key field, paste the contents of the public key file. You need to create a key pair for the SSH connection on your own.
7. Leave all other settings unchanged and click Create VM.
Note

A public and a private IP addresses are assigned to the VM when you create it. Write them down, as you will need them to access the VM and set up the firewall.
Connect to the dvwa-server VM over SSH by running the following command in the terminal:
```
ssh ycuser@<public_IP_address_of_dvwa-server>
```

Run your DVWA

Install Docker on the dvwa-server VM:

curl --fail --silent --show-error --location https://test.docker.com --output test-docker.sh
sudo sh test-docker.sh

Run a container with the DVWA:

sudo docker run --rm -it -p 8080:80 sagikazarmark/dvwa

Set up the DVWA:
1. In the browser, go to:
```
http://<public_IP_address_of_dvwa-server>:8080
```
1. On the authorization page, enter admin for username and password for password.
2. Click Create / Reset Database at the bottom of the Database Setup page.
3. Log in again using the same username and password.
4. Click DVWA Security on the left of the screen and go to the page with security settings.
5. In the Security Level section, select the required security level for the application. Select Low in the drop-down list and click Submit.

Set up the firewall

Create a VM named pt-firewall from a PT Application Firewall public image:
Management console
1. In the management console, select the folder to create your VM in.
2. In the list of services, select Compute Cloud.
3. Click Create virtual machine.
4. Under General information:
  - Enter the name: pt-firewall.
  - Select the same availability zone as the one the dvwa-server VM is in.
5. Under Boot disk image, go to the Marketplace tab.
6. Select the current PT Application Firewall image.
7. Under Access, specify the data for access to the VM:
  - In the Login field, enter the ycuser username.
  - In the SSH key field, paste the contents of the public key file. You need to create a key pair for the SSH connection yourself.
8. Enable the Access to serial console option.
9. Leave all other settings unchanged and click Create VM.
Note

A public and a private IP addresses are assigned to the VM when you create it. It is recommended to make the public IP address static.
Go to the serial console of the new VM:
Management console
1. In the management console, select the folder the VM was created in.
2. Go to Compute Cloud and select the pt-firewall VM.
3. Go to the Serial console tab.
4. Enter pt for username and positive for password.
5. You will be prompted to change the password. Enter the current password (positive) and create a new one in line with the system requirements.
6. Possible further actions will be suggested. Enter 0.
7. Create a configuration by running the following commands one by one:
```
if set eth-ext1 inet_method dhcp
dns add 77.88.8.8
config commit
config sync
```
Log in to the firewall configuration console:
1. In the browser, go to:
```
http://<public_IP_address_of_pt-firewall>:8443
```
2. On the authorization page, enter admin for username and positive for password.
3. You will be prompted to change the password. Enter the current password (positive) and create a new one.
Configure the network interfaces:
1. At the top of the screen, select Configuration / Network / Gateways.
2. In the table, click the edit icon in the row with the pt-firewall interface.
3. On the General tab, enable Active to activate the interface.
4. In the Aliases field of the Network tab, add the WAN-wan, LAN-lan, and MGMT-mgmt options from the drop-down list.
5. Click Apply.
Configure an Upstream with the DVWA set as a backend server:
1. At the top of the screen, select Configuration / Network / Upstreams.
2. On the UPSTREAMS page, click Create.
3. In the Name field, enter DVWA.
4. In the Backend line, click Add and specify the following:
  - In the Host field: <public_IP_address_of_dvwa-server>.
  - In the Port field: 8080.
5. Leave all the other settings as they are and click Apply.
Configure the service:
1. At the top of the screen, select Configuration / Network / Services.
2. On the SERVICES page, click Create.
3. In the Name field, enter DVWA-RP.
4. In the Servers line, click Add and specify the following:
  - In the Network interface alias field: WAN-wan from the drop-down list.
  - In the Listen Port field: 80.
  - In the Upstream field: DVWA from the drop-down list.
5. Leave all the other settings as they are and click Apply.
Add a web application:
1. At the top of the screen, select Configuration / Security / Web applications.
2. On the WEB APPLICATIONS page, click Create.
3. In the Name field, enter DVWA-APP.
4. In the Service field, select DVWA-RP from the drop-down list.
5. In the Protection mode field, select Detection from the drop-down list.
6. In the Locations line, click Add and specify \/.
7. Leave all the other settings as they are and click Apply.

Test the firewall

To test the firewall, use the Wallarm GoTestWAF tool for web attack simulation:

Open a new window in the command line terminal and connect to the dvwa-server VM over SSH:
```
ssh yclogrus@<public_IP_address_of_dvwa-server>
```

Run a test with the following command:

sudo docker run -v ${PWD}/reports:/app/reports wallarm/gotestwaf --url=http://<public_IP_address_of_pt-firewall>/ --skipWAFBlockCheck

Wait for the test to complete and view the results. It is easy to see from the Summary table that no attacks were blocked (the TRUE-NEGATIVE TESTS BLOCKED section):

Summary:
+-----------------------------+-----------------------------+-----------------------------+-----------------------------+
|            TYPE             | TRUE-NEGATIVE TESTS BLOCKED | TRUE-POSITIVE TESTS PASSED  |           AVERAGE           |
+-----------------------------+-----------------------------+-----------------------------+-----------------------------+
| API Security                | 0.00%                       | n/a                         | 0.00%                       |
| Application Security        | 0.17%                       | 100.00%                     | 50.09%                      |
+-----------------------------+-----------------------------+-----------------------------+-----------------------------+
|                                                                        SCORE            |           25.05%            |
+-----------------------------+-----------------------------+-----------------------------+-----------------------------+

In your browser, return to the WEB APPLICATIONS section (Configuration / Security / Web applications) of the firewall setup page and click the edit icon in the DVWA row.
In the Protection mode field, select Active prevention from the drop-down list and click Apply.
In the terminal, run the test from step 2 once again.

Wait for the test to complete and view the results. This time, the Summary table shows that all attacks were blocked (100% of attacks in the TRUE-NEGATIVE TESTS BLOCKED section):

Summary:
+-----------------------------+-----------------------------+-----------------------------+-----------------------------+
|            TYPE             | TRUE-NEGATIVE TESTS BLOCKED | TRUE-POSITIVE TESTS PASSED  |           AVERAGE           |
+-----------------------------+-----------------------------+-----------------------------+-----------------------------+
| API Security                | 100.00%                     | n/a                         | 100.00%                     |
| Application Security        | 100.00%                     | 0.00%                       | 50.00%                      |
+-----------------------------+-----------------------------+-----------------------------+-----------------------------+
|                                                                        SCORE            |           75.00%            |
+-----------------------------+-----------------------------+-----------------------------+-----------------------------+

How to delete the resources you created

To stop paying for the resources you created:

Delete the dvwa-server and pt-firewall VMs.
Delete the static public IP addresses.

Setting up PT Application Firewall

Prepare your cloudPrepare your cloud

Required paid resourcesRequired paid resources

Create a web serverCreate a web server

Run your DVWARun your DVWA

Set up the firewallSet up the firewall

Test the firewallTest the firewall

How to delete the resources you createdHow to delete the resources you created

Was the article helpful?