PRJ-MURUS-PORTAE — Layer 7 WAF Implementation

Project Summary

Project

Murus Portae — Layer 7 WAF Implementation

Priority

P0 — management request

Status

Active — discovery phase

Owner

Evan Rosado

Stakeholders

InfoSec Management, Network Engineering

Objective

Assess WAF readiness and implement Layer 7 application firewall protection for externally facing services behind the reverse proxy

Risk

External services currently receive no application-layer inspection, leaving them exposed to SQL injection, XSS, path traversal and the rest of the OWASP Top 10

Phase Summary

Phase 0: Discovery
  Description: Map current architecture (firewall zones, access rules, NAT, reverse proxy config)
  Status: 🟡 In progress
  Notes: FMC REST API operational; zero-rules result from the perimeter Access Control Policy under investigation

Phase 1: Audit
  Description: Confirm traffic flow, identify all exposed services, assess current L7 inspection
  Status: ❌ Not started
  Notes: Blocked by Phase 0 discovery

Phase 2: WAF Placement
  Description: Evaluate options (NetScaler AppFirewall vs FTD Snort IPS vs dedicated WAF)
  Status: ❌ Not started
  Notes: Depends on Phase 1 findings. Snort on FTD is a signature IPS, not a WAF: it has no per-application positive security model or learning mode, so it can cover Phase 3 only partially

Phase 3: Implementation
  Description: Configure WAF profiles per application, learning mode, tuning
  Status: ❌ Not started

Phase 4: Validation
  Description: Test WAF against OWASP Top 10, false positive tuning, production cutover
  Status: ❌ Not started

Key Findings (Phase 0)

  • FMC management certificate expired and misconfigured (CN mismatch, no SAN). Every client and script that tolerates this by disabling certificate verification is open to MITM on the management VLAN; the remedy is a reissued certificate with a SAN, not a verification bypass

  • Perimeter Access Control Policy returns zero rules via API — under investigation (parent policy inheritance, prefilter fast-path, or RBAC restriction)

  • Token acquisition and device/zone enumeration confirmed working via FMC REST API
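The two FMC findings above lend themselves to a small triage script. The block below is an added example written for this page, not tooling from the firewall-audit project: FMC_HOST, CA_BUNDLE, the sample certificate and the sample API pages are constructed placeholders, the login and policy endpoints are the documented FMC REST paths, and the live certificate fetch assumes the third-party cryptography package. It checks a served certificate for the three defects named in the first finding, obtains a token through generatetoken while still verifying the server certificate, and walks the Access Control Policy's rules with FMC's offset/limit paging so a zero is confirmed across every page before the prefilter policies are queried as the next hypothesis.

```python
"""Phase 0 triage helpers for the two FMC findings above. Added example, not
project tooling: FMC_HOST, CA_BUNDLE, SAMPLE_CERT and SAMPLE_PAGES are
constructed placeholders; live_cert_findings() needs the 'cryptography' package."""
import base64
import json
import ssl
import time
import urllib.request

FMC_HOST = "fmc.example.internal"        # assumption: not the real management host
CA_BUNDLE = "/etc/ssl/fmc-mgmt-ca.pem"   # assumption: CA that should issue the FMC cert

# --- Finding 1: expired, SAN-less, CN-mismatched management certificate ---
def cert_findings(cert, expected_host, now=None):
    """cert is in ssl.getpeercert() dict form; returns the list of defects found."""
    now = time.time() if now is None else now
    problems = []
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("expired")
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not sans:
        problems.append("no SAN")            # modern clients ignore CN without a SAN
    elif expected_host not in sans:
        problems.append("hostname not in SAN")
    if cns and expected_host not in cns:
        problems.append("CN mismatch")
    return problems

def live_cert_findings(host, port=443):
    """Fetch the served cert unverified (it cannot verify) and run cert_findings()."""
    from cryptography import x509                  # third-party, assumption
    from cryptography.x509.oid import NameOID
    cert = x509.load_pem_x509_certificate(ssl.get_server_certificate((host, port)).encode())
    try:
        sans = cert.extensions.get_extension_for_class(
            x509.SubjectAlternativeName).value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        sans = []
    as_dict = {
        "subject": tuple((("commonName", a.value),)
                         for a in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)),
        "subjectAltName": tuple(("DNS", s) for s in sans),
        "notAfter": cert.not_valid_after.strftime("%b %d %H:%M:%S %Y GMT"),  # naive UTC
    }
    return cert_findings(as_dict, host)

# --- Finding 2: perimeter Access Control Policy returns zero rules ---
def fmc_login(host, user, password, ca_bundle=CA_BUNDLE):
    """POST generatetoken; returns (access token, default DOMAIN_UUID). Verify the
    FMC cert against its CA rather than disabling checks: an unverified session is
    exactly the MITM exposure finding 1 describes."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"https://{host}/api/fmc_platform/v1/auth/generatetoken",
                                 method="POST", headers={"Authorization": "Basic " + creds})
    with urllib.request.urlopen(req, context=ctx) as r:
        return r.headers["X-auth-access-token"], r.headers["DOMAIN_UUID"]

def fmc_get(host, token, path, ca_bundle=CA_BUNDLE):
    """GET one FMC config URL; an HTTPError 403 here is the RBAC hypothesis."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = urllib.request.Request(f"https://{host}{path}", headers={"X-auth-access-token": token})
    with urllib.request.urlopen(req, context=ctx) as r:
        return json.load(r)

def collect_items(get_page, limit=100):
    """Walk FMC offset/limit paging; 'zero rules' only counts after the last page."""
    items, offset = [], 0
    while True:
        page = get_page(offset, limit)
        batch = page.get("items", [])
        items.extend(batch)
        offset += limit
        if not batch or offset >= page.get("paging", {}).get("count", 0):
            return items

def triage_policy(host, token, domain, policy_id, ca_bundle=CA_BUNDLE):
    """Count ACP rules; if zero, list prefilter policies (fast-path hypothesis).
    Parent-policy inheritance is left to a manual comparison in the FMC UI."""
    base = f"/api/fmc_config/v1/domain/{domain}/policy"
    rules = collect_items(lambda off, lim: fmc_get(host, token,
        f"{base}/accesspolicies/{policy_id}/accessrules?expanded=true&offset={off}&limit={lim}", ca_bundle))
    if rules:
        return {"access_rules": len(rules)}
    prefilters = collect_items(lambda off, lim: fmc_get(host, token,
        f"{base}/prefilterpolicies?expanded=true&offset={off}&limit={lim}", ca_bundle))
    return {"access_rules": 0, "prefilter_policies": [p["name"] for p in prefilters]}

# Constructed samples so the pure functions run offline (not real FMC data).
SAMPLE_CERT = {"subject": ((("commonName", "fmc-old"),),),   # no subjectAltName at all
               "notAfter": "Jan 31 23:59:59 2025 GMT"}
SAMPLE_PAGES = [{"items": [{"name": "r1"}, {"name": "r2"}], "paging": {"count": 3}},
                {"items": [{"name": "r3"}], "paging": {"count": 3}}]
sample_page = lambda offset, limit: SAMPLE_PAGES[offset // limit]
```

Run live_cert_findings(FMC_HOST) first; on the certificate described in the finding it reports expired, no SAN and CN mismatch, and fmc_login() will refuse to connect until CA_BUNDLE contains the issuer of a reissued certificate, which is the intended behaviour. collect_items() is the part to trust before calling the zero real: FMC pages its collections, and a single curl shows only the first page.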

Metadata

Field Value

PRJ ID

PRJ-2026-04-murus-portae

Author

Evan Rosado

Created

2026-04-15

Updated

2026-04-16

Status

Active — discovery phase

Category

Network Security / Application Security

Priority

P0 (management request)

Scope

Layer 7 WAF readiness assessment and implementation

Platforms

Citrix NetScaler (reverse proxy), Cisco FTD/FMC (perimeter firewall)

Related

PRJ-2026-04-firewall-audit, PRJ-2026-04-dmz-migration

  • Firewall Audit — FMC/ASA configuration audit (provides API foundation)

  • DMZ Migration — external services audit behind reverse proxy