Versa Integrated Web Application Firewall
For supported software information, see the Supported Software Information section at the end of this article.
Note: This service-chained solution deployed with VOS is in limited availability and is deployed with service templates. Contact your sales team for more information.
Web-facing government and enterprise applications are primary targets for injection attacks, cross-site scripting, authentication exploits, and other threats reported by the Open Worldwide Application Security Project (OWASP). To address these risks, Versa Networks provides an integrated Web Application Firewall (WAF) as a native capability within its SASE and Sovereign SASE platform.
The Versa integrated WAF delivers comprehensive, real-time HTTP/HTTPS traffic inspection powered by the OWASP Core Rule Set. The Core Rule Set is an industry-standard, community-maintained collection of attack-detection rules providing baseline protection against top vulnerability categories defined by OWASP, and hundreds of additional attack variants.
This capability is deployed directly on Versa CSG-series edge gateway appliances and is integrated into the Versa Operating System™ (VOS™) through the platform’s service-chaining framework. No additional third-party appliances, external cloud WAF services, or separate management infrastructure is required.
Functionality
The integrated WAF runs as a managed service within the VOS software on the CSG edge gateway. The platform’s service-chaining capability selectively steers traffic through the WAF based on match conditions that you can configure as part of a policy. This ensures targeted inspection with minimal latency impact on non-targeted flows.
Traffic Inspection Flow
- A remote user (using SASE VPN client) or a branch-site user initiates an HTTP/HTTPS request to a protected application at the data center or headquarters site.
- The request traverses the Versa SD-WAN or zero-trust network access (ZTNA) tunnel and arrives at the CSG edge gateway.
- The VOS software evaluates the traffic against configured service-chain policies. Matching traffic is steered to the integrated WAF for deep inspection.
- The WAF engine evaluates the HTTP transaction against the OWASP Core Rule Set. Malicious requests, such as SQL injection or XSS payloads, are blocked and logged. Legitimate traffic is forwarded on to the destination application server.
- Traffic that does not match the WAF policy criteria, such as general internet-bound traffic, bypasses the WAF entirely, preserving throughput.
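As an added illustration (not Versa code and not a CRS implementation), the following Python models the flow above: a constructed service-chain match condition decides whether a request is steered to the WAF at all, and steered requests are scored CRS-style, summing per-rule severity weights against the CRS default inbound threshold of 5, so a request is blocked only when its anomaly score reaches the threshold while lower-scoring matches are logged and allowed. The host names, rule patterns, rule IDs, and body-size limit are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed service-chain match: only these protected hosts are steered to the WAF.
PROTECTED_APPS = {"app.hq.example.internal", "portal.dc.example.internal"}

# CRS anomaly-scoring severity weights; the inbound blocking threshold defaults to 5,
# so a single CRITICAL match is enough to block.
SEVERITY_SCORE = {"CRITICAL": 5, "ERROR": 4, "WARNING": 3, "NOTICE": 2}
MAX_BODY_BYTES = 4096  # constructed request-size constraint

# Constructed stand-ins for a few CRS rule families (not real CRS rule IDs).
REGEX_RULES = [
    ("demo-sqli", "CRITICAL", re.compile(r"\bor\b\s+\d+\s*=\s*\d+|union\s+select", re.I)),
    ("demo-xss", "CRITICAL", re.compile(r"<script\b|javascript:", re.I)),
    ("demo-traversal", "CRITICAL", re.compile(r"\.\./|%2e%2e%2f", re.I)),
]

@dataclass
class Request:
    host: str
    path: str
    query: str = ""
    body: str = ""

@dataclass
class Verdict:
    action: str  # "bypass", "allow" or "block"
    score: int = 0
    matched: list = field(default_factory=list)

def inspect(req: Request, threshold: int = 5) -> Verdict:
    """Service-chain steering decision followed by CRS-style anomaly scoring."""
    if req.host not in PROTECTED_APPS:
        return Verdict("bypass")  # not steered: no inspection, no added latency
    score, matched = 0, []
    text = " ".join((req.path, req.query, req.body))
    for rule_id, severity, pattern in REGEX_RULES:
        if pattern.search(text):
            score += SEVERITY_SCORE[severity]
            matched.append(rule_id)
    if len(req.body.encode()) > MAX_BODY_BYTES:
        score += SEVERITY_SCORE["WARNING"]
        matched.append("demo-body-size")
    # Below-threshold matches are still recorded in the event log but not blocked.
    return Verdict("block" if score >= threshold else "allow", score, matched)

def event_log(req: Request, verdict: Verdict) -> dict:
    """Constructed event record of the kind forwarded to central analytics."""
    return {"host": req.host, "path": req.path, "action": verdict.action,
            "anomaly_score": verdict.score, "rules": verdict.matched}
```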
Centralized Management and Analytics
WAF event logs are forwarded to Versa Analytics for centralised real-time alerting, threat correlation, dashboarding, and forensic investigation. WAF policies and service templates are provisioned and managed through Versa Director, enabling uniform deployment and lifecycle management across all edge locations from a single console.
Sovereign Deployment
The entire WAF capability executes locally on the edge appliance. All traffic inspection occurs within the sovereign network boundary. No application data is routed through external cloud services, which ensures full compliance with data-residency, air-gapped, and on-premises deployment requirements.
OWASP Top 10 Vulnerability Coverage (2025)
The Versa integrated WAF, powered by the OWASP Core Rule Set, provides detection and active mitigation across all ten OWASP Top 10 threat categories for 2025:
| OWASP ID | Vulnerability Category | WAF Mitigation |
|---|---|---|
| A01:2025 | Broken Access Control | Blocks path traversal, forced browsing, and privilege escalation attempts through request-level access policy enforcement. |
| A02:2025 | Security Misconfiguration | Blocks information leakage from verbose error messages, default credential probes, exposed administrative interfaces, and insecure default configurations. |
| A03:2025 | Software Supply Chain Failures | Detects exploitation attempts against known Common Vulnerabilities and Exposures (CVEs) in widely used frameworks, libraries, and dependencies. Mitigates risks from vulnerable or outdated third-party components. |
| A04:2025 | Cryptographic Failures | Detects insecure transport patterns and blocks attempts to downgrade or bypass encryption mechanisms. |
| A05:2025 | Injection | Comprehensive detection of SQL, NoSQL, OS command, LDAP, and cross-site scripting (XSS) injection attacks using pattern matching and anomaly-based scoring. |
| A06:2025 | Insecure Design | Defence-in-depth rules enforce input validation, rate limiting, and request-size constraints to mitigate design-level weaknesses. |
| A07:2025 | Authentication Failures | Mitigates brute force attacks, credential stuffing, cookie theft, and session fixation through rate limiting and pattern detection. |
| A08:2025 | Software or Data Integrity Failures | Validates request integrity and blocks serialization/de-serialization exploits, tampered payloads, and unsigned software update attempts. |
| A09:2025 | Security Logging and Alerting Failures | Generates detailed WAF event logs forwarded to Versa Analytics for real-time alerting, threat correlation, and forensic analysis. |
| A10:2025 | Mishandling of Exceptional Conditions | Detects and blocks attack vectors that exploit improper error handling, uncaught exceptions, and application failure modes to leak sensitive information or bypass security controls. |
In addition to the OWASP Top 10, the platform provides protection against common attack patterns including:
- Cookie theft
- Malicious active content injection
- HTTP protocol violations
- Remote code execution
- Local/remote file inclusion
Complementary Security Stack
The integrated WAF operates alongside the full Versa SASE security stack, delivering layered protection that extends well beyond standalone WAF or ZTNA-only solutions:
- Intrusion prevention system (IPS): Signature-based and anomaly-based network threat detection complementing the WAF’s application-layer inspection.
- Anti-virus (AV): Real-time malware scanning for file uploads and downloads traversing the edge gateway.
- Zero trust network access (ZTNA): Identity-aware, per-session microsegmentation to ensure that only authenticated and authorized users reach protected applications.
- Next-generation firewall (NGFW): Stateful inspection, application identification, and URL filtering for comprehensive network security.
This layered approach delivers comprehensive application-layer, network-layer, and identity-layer security within a single integrated platform. This is a significant differentiator compared with solutions that provide OWASP coverage without the accompanying IPS and AV capabilities.
Key Benefits
- Data sovereignty and air-gap compliance—All WAF inspection occurs on-premises within the edge appliance. No application data traverses external services, fully meeting data residency and sovereign network requirements.
- Unified management—WAF policies are deployed and managed through Versa Director alongside SD-WAN, ZTNA, NGFW, and other services, with no need for a separate management console.
- OWASP Core Rule Set—Protection powered by the industry-standard, community-maintained OWASP Core Rule Set, which is regularly updated to address emerging threats and is widely trusted by organizations worldwide.
- Seamless platform integration—Runs as a native service within the VOS software on the CSG edge appliance, leveraging the platform’s service-chaining capability. No additional hardware or network redesign is required.
- Scalable deployment—Service templates enable rapid, consistent WAF deployment across distributed edge locations. Rule set updates are distributed centrally for uniform protection.
- Cost efficiency—Delivered as an integrated platform capability, eliminating the need for separate WAF appliances, per-seat licensing, or external cloud WAF subscriptions.
Supported Software Information
Releases 22.1.4 and later support all content described in this article.
