Setting up PT Application Firewall

Written by

Updated at December 4, 2024

Prepare your cloud
- Required paid resources
Create a web server
Run your DVWA
Set up the firewall
Test the firewall
How to delete the resources you created

PT Application Firewall is a web application firewall that ensures continuous protection for web applications, users, and network infrastructure while helping meet security standards.

In this tutorial, you will deploy a test infrastructure with PT Application Firewall for web applications and a test damn vulnerable web application (DVWA) and then test its features for protection against standard web attacks.

To set up PT Application Firewall and test it:

If you no longer need the resources you created, delete them.

Prepare your cloud

Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.

If you have an active billing account, you can go to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

Required paid resources

The infrastructure support costs include:

Fee for continuously running VMs (see Yandex Compute Cloud pricing).
Fee for using public IP addresses and outgoing traffic (see Yandex Virtual Private Cloud pricing).

Create a web server

Create a Ubuntu VM named dvwa-server.
1. On the folder page in the management console, click Create resource and select Virtual machine instance.
2. Under Boot disk image, in the Product search field, enter Ubuntu 22.04 and select a public Ubuntu 22.04 image.
3. Under Location, select an availability zone to create your VM in. If you do not know which availability zone you need, leave the default one.
4. Under Network settings:
  - In the Subnet field, select the network and subnet to connect your VM to. If the required network or subnet is not listed, create it.
  - Under Public IP, keep Auto to assign your VM a random external IP address from the Yandex Cloud pool or select a static address from the list if you reserved one in advance.
5. Under Access, select SSH key and specify the VM access data:
  - In the Login field, enter the username: ycuser.
  - In the SSH key field, select the SSH key saved in your organization user profile.
    
    If there are no saved SSH keys in your profile, or you want to add a new key:
    - Click Add key.
    - Enter a name for the SSH key.
    - Upload or paste the contents of the public key file. You need to create a key pair for the SSH connection to a VM yourself.
    - Click Add.
    The SSH key will be added to your organization user profile.
    
    If users cannot add SSH keys to their profiles in the organization, the added public SSH key will only be saved to the user profile of the VM being created.
6. Under General information, specify the VM name: dvwa-server.
7. Leave all other settings unchanged and click Create VM.
Note

A public and a private IP addresses are assigned to the VM when you create it. Write them down, as you will need them to access the VM and set up the firewall.
Connect to the dvwa-server VM over SSH by running the following command in the terminal:
```
ssh ycuser@<public_IP_address_of_dvwa-server>
```

Run your DVWA

Install Docker on the dvwa-server VM:

curl --fail --silent --show-error --location https://test.docker.com --output test-docker.sh
sudo sh test-docker.sh

Run a container with the DVWA:

sudo docker run --rm -it -p 8080:80 sagikazarmark/dvwa

Set up the DVWA:
1. In the browser, go to:
```
http://<public_IP_address_of_dvwa-server>:8080
```
1. On the authorization page, enter admin for username and password for password.
2. Click Create / Reset Database at the bottom of the Database Setup page.
3. Log in again using the same username and password.
4. Click DVWA Security on the left of the screen and go to the page with security settings.
5. In the Security Level section, select the required security level for the application. Select Low in the drop-down list and click Submit.

Set up the firewall

Create a VM named pt-firewall from a PT Application Firewall public image:
Management console
1. On the folder page in the management console, click Create resource and select Virtual machine instance.
2. Under Boot disk image, in the Product search field, enter PT Application Firewall and select the current PT Application Firewall image.
3. Under Location, select the same availability zone as the one the dvwa-server VM is in.
4. Under Network settings:
  - In the Subnet field, select the network and subnet to connect your VM to. If the required network or subnet is not listed, create it.
  - Under Public IP, keep Auto to assign your VM a random external IP address from the Yandex Cloud pool or select a static address from the list if you reserved one in advance.
5. Under Access, select SSH key and specify the VM access data:
  - In the Login field, enter the username: ycuser.
  - In the SSH key field, select the SSH key saved in your organization user profile.
    
    If there are no saved SSH keys in your profile, or you want to add a new key:
    
    Click Add key.
    
    Enter a name for the SSH key.
    
    Upload or paste the contents of the public key file. You need to create a key pair for the SSH connection to a VM yourself.
    
    Click Add.
6. Under General information, specify the VM name: pt-firewall.
7. Under Additional, enable the Access to serial console option.
8. Leave all other settings unchanged and click Create VM.
Note

A public and a private IP addresses are assigned to the VM when you create it. It is recommended to make the public IP address static.
Go to the serial console of the new VM:
Management console
1. In the management console, select the folder the VM was created in.
2. Go to Compute Cloud and select the pt-firewall VM.
3. Go to the Serial console tab.
4. Enter pt for username and positive for password.
5. You will be prompted to change the password. Enter the current password (positive) and create a new one in line with the system requirements.
6. Possible further actions will be suggested. Enter 0.
7. Create a configuration by running the following commands one by one:
```
if set eth-ext1 inet_method dhcp
dns add 77.88.8.8
config commit
config sync
```
Log in to the firewall configuration console:
1. In the browser, go to:
```
http://<public_IP_address_of_pt-firewall>:8443
```
2. On the authorization page, enter admin for username and positive for password.
3. You will be prompted to change the password. Enter the current password (positive) and create a new one.
Configure the network interfaces:
1. At the top of the screen, select Configuration / Network / Gateways.
2. In the table, click the edit icon in the row with the pt-firewall interface.
3. On the General tab, enable Active to activate the interface.
4. In the Aliases field of the Network tab, add the WAN-wan, LAN-lan, and MGMT-mgmt options from the drop-down list.
5. Click Apply.
Configure an Upstream with the DVWA set as a backend server:
1. At the top of the screen, select Configuration / Network / Upstreams.
2. On the UPSTREAMS page, click Create.
3. In the Name field, enter DVWA.
4. In the Backend line, click Add and specify the following:
  - In the Host field: <public_IP_address_of_dvwa-server>.
  - In the Port field: 8080.
5. Leave all the other settings as they are and click Apply.
Configure the service:
1. At the top of the screen, select Configuration / Network / Services.
2. On the SERVICES page, click Create.
3. In the Name field, enter DVWA-RP.
4. In the Servers line, click Add and specify the following:
  - In the Network interface alias field: WAN-wan from the drop-down list.
  - In the Listen Port field: 80.
  - In the Upstream field: DVWA from the drop-down list.
5. Leave all the other settings as they are and click Apply.
Add a web application:
1. At the top of the screen, select Configuration / Security / Web applications.
2. On the WEB APPLICATIONS page, click Create.
3. In the Name field, enter DVWA-APP.
4. In the Service field, select DVWA-RP from the drop-down list.
5. In the Protection mode field, select Detection from the drop-down list.
6. In the Locations line, click Add and specify \/.
7. Leave all the other settings as they are and click Apply.

Test the firewall

To test the firewall, use the Wallarm GoTestWAF tool for web attack simulation:

Open a new window in the command line terminal and connect to the dvwa-server VM over SSH:
```
ssh yclogrus@<public_IP_address_of_dvwa-server>
```

Run a test with the following command:

sudo docker run -v ${PWD}/reports:/app/reports wallarm/gotestwaf --url=http://<public_IP_address_of_pt-firewall>/ --skipWAFBlockCheck

Wait for the test to complete and view the results. It is easy to see from the Summary table that no attacks were blocked (the TRUE-NEGATIVE TESTS BLOCKED section):

Summary:
+-----------------------------+-----------------------------+-----------------------------+-----------------------------+
|            TYPE             | TRUE-NEGATIVE TESTS BLOCKED | TRUE-POSITIVE TESTS PASSED  |           AVERAGE           |
+-----------------------------+-----------------------------+-----------------------------+-----------------------------+
| API Security                | 0.00%                       | n/a                         | 0.00%                       |
| Application Security        | 0.17%                       | 100.00%                     | 50.09%                      |
+-----------------------------+-----------------------------+-----------------------------+-----------------------------+
|                                                                        SCORE            |           25.05%            |
+-----------------------------+-----------------------------+-----------------------------+-----------------------------+

In your browser, return to the WEB APPLICATIONS section (Configuration / Security / Web applications) of the firewall setup page and click the edit icon in the DVWA row.
In the Protection mode field, select Active prevention from the drop-down list and click Apply.
In the terminal, run the test from step 2 once again.

Wait for the test to complete and view the results. This time, the Summary table shows that all attacks were blocked (100% of attacks in the TRUE-NEGATIVE TESTS BLOCKED section):

Summary:
+-----------------------------+-----------------------------+-----------------------------+-----------------------------+
|            TYPE             | TRUE-NEGATIVE TESTS BLOCKED | TRUE-POSITIVE TESTS PASSED  |           AVERAGE           |
+-----------------------------+-----------------------------+-----------------------------+-----------------------------+
| API Security                | 100.00%                     | n/a                         | 100.00%                     |
| Application Security        | 100.00%                     | 0.00%                       | 50.00%                      |
+-----------------------------+-----------------------------+-----------------------------+-----------------------------+
|                                                                        SCORE            |           75.00%            |
+-----------------------------+-----------------------------+-----------------------------+-----------------------------+

How to delete the resources you created

To stop paying for the resources you created:

Delete the dvwa-server and pt-firewall VMs.
Delete the static public IP addresses.

Setting up PT Application Firewall

Prepare your cloudPrepare your cloud

Required paid resourcesRequired paid resources

Create a web serverCreate a web server

Run your DVWARun your DVWA

Set up the firewallSet up the firewall

Test the firewallTest the firewall

How to delete the resources you createdHow to delete the resources you created