Protect new applications¶
Overview¶
A security policy must ensure all allowed users have access to your application, while prohibiting access to bad actors and malicious activity. Often, there is also a delicate balance between implementing the appropriate level of security based on an application’s exposure to threat (sensitivity), while reducing false positives to a minimum.
Every web application in your organization needs a security policy, whether the application is accessible to the public or only employees. This requirement can be light work or a heavy lift, depending on several factors, including the size of your organization, the number of applications to a single policy, and the sensitivity of your applications and data.
Before you begin¶
To create a WAF policy, you first need to select a template and verify what kind of security maintenance your application requires. Template selection is based on the following questions:
What level of security does my application need?
How many security admin resources can I dedicate to application protection?
For more comprehensive security requirements: Have I dedicated a user as Security Manager or Administrator? See How to: Assign standard roles to users.
Each template ranges in security from strict to moderate traffic mitigation. Stricter templates require more administrative resources to decipher good and bad traffic.
The following templates are provided:
Rating Based template - This is the default template. The template provides standard protection from untargeted attacks, which you can deploy with minimal administrative effort, time, and risk of disruption to your application.
Security - Moderate to high
Resource requirements - LowPolicy Builder templates - These templates applies various levels of traffic prediction and consistent policy tuning based on your traffic learning settings.
Comprehensive - The Comprehensive template is intended to provide maximum security with all violations, features, and learning is turned on. The template is recommended for expert security operations managers.
Security - High
Resource requirements - HighFundamental - The Fundamental template provides enhanced security during the policy building process as the policy actively blocks violations. This template is recommended for intermediate users and may require more time to fine-tune.
Security - Moderate
Resource requirements - ModerateRapid Template - The Rapid Template creates a basic security policy that you can review and fine-tune over time. This template initially operates in transparent mode, meaning that it does not block traffic unless you changed the enforcement mode and enforce the policy. This template is recommended for beginning users who want to incorporate Policy Builder in their policy tuning process.
Security - Low
Resource requirements - Low
How to protect new applications¶
Use the following procedures to create a new WAF policy and deploy a new application with WAF security:
(Optional)Customize WAF policy general settings
Create a new WAF policy¶
Use the following procedure to create a new WAF security policy. Ensure you have first evaluated your application’s protection requirements and security resources to ensure you select the best template for WAF protection.
Note: By default, the policy template is Rating-Based.
Click the workspace icon next to the F5 icon, and click Security.
From the left menu click Policies under WAF.
At the top of the screen, click Create.
Type a policy Name and an optional Description.
Add Tags if you would like to filter your policy according to keywords.
By default, Bot Defense, Threat Campaigns, and IP Intelligence are enabled. L7 DoS Protection is disabled by default. You can toggle the button to disable one or more.
Note: IP Intelligence is enabled by default on all policy templates. To ensure IP Intelligence can regularly reach a third party vendor to identify IP addresses and security categories, you must ensure that your BIG-IP Next Central Manager or instances have Licensing activated. To activate your license, go to the Workspace icon → Instances → Select instance name → Licensing. For more information about this BIG-IP Next license, log in to https://account.f5.com/myf5 with your F5 customer credentials.
To change the template, application language, and whether the policy is case sensitive, toggle the Advanced View button to the top right of the Policy Properties panel.
Select a Template for your WAF policy.
Note: The template will populate the required fields within the new policy including Enforcement Mode and Application Language. You can change these fields during policy creation or by editing a policy.
To change the Application Language, select a language from the list provided.
Note: Unicode(utf-8) is the default application language.
Enable the as case-sensitive, toggle the Policy is Case Sensitive button. Enabling this option can increase false positives, enable only if required for your application’s URIs.
Note: Case sensitivity is disabled by default.
Click Save
The WAF policy is added to your policies list. You can now use this policy to Create an HTTPS application with a WAF policy.
See Customize general settings for customizing event logging, allowed response codes, allowed/disallowed geolocations, HTTP and cookie header length, and XFF headers.
Create an HTTPS application with a WAF policy¶
Use this procedure to deploy a new application service to a managed BIG-IP Next instance from the UI. This workflow creates an application service with multiple virtual servers. For example, you could specify one virtual server and pool for HTTP connections and a second server and pool to handle HTTPS connections. You could also configure an application service with just one virtual server, but set it up with multiple pools. Just repeat the relevant steps to get to the configuration you are trying to create.
These steps assume you have not created your own applications service template.
Prerequisites¶
You must have Administrator or Application Manager user credentials to manage application creation. Users with Instance Manager or Auditor credentials have read-only access to the application creation process.
One or more BIG-IP Next instances are discovered on BIG-IP Next Central Manager. Ensure you have the IP address of the BIG-IP Next instance you plan to deploy the application to.
Required application and network parameter details, for example: server names or addresses, pool names, and pool member addresses or
Log in to BIG-IP Next Central Manager, click the Workspace icon next to the F5 logo, and then click Applications.
If this is the first application service you are adding to BIG-IP Next Central Manager, click Start Adding Apps. Otherwise, at the top of the screen, click Add Application.
For Application Service Name, specify a name for the application service and click Start Creating.
The Application Service Properties screen opens.For the Description, specify a description of the application service and then click Start Creating.
The Virtual Servers tab of the Application Service Properties screen opens.Click the Pools tab.
The Pools tab opens so you can specify the pools the application service will use.For the Name of pool, specify a name for the pool.
Specify the Service Port to use for this pool.
Select a Load-Balancing Mode for the pool.
Select a Monitor Type for the pool.
Click the Virtual Servers tab.
The Virtual Servers tab opens.For the Virtual Server Name, specify a name for the virtual server.
For Pool, select the pool that you want this virtual server to use.
For the Virtual Port, specify the port number to use to access the virtual server.
To specify Protocols or Profiles, click the edit icon under Protocols & Profiles.
The Protocols screen opens.Select the protocols you want to enable.
If the protocol you selected requires a certificate, a field displays so you can choose one.
When you have specified the protocols and profiles needed, click Save to return to the Application Service Properties screen.
To specify security policies, click the edit icon under Security Policies.
The Security Policies screen opens.Click Use a WAF Policy.
Select the WAF Policy Name for the application service.
Repeat steps 11-16 to specify settings for additional virtual servers as needed.
When you finish specifying settings for the application service, click Review & Deploy.
The Instance/Locations page opens.Click Start Adding and then select the instances to which you want to deploy the application service, then click Add to List.
The Deploy screen opens.For each instance/location you added in the previous step, under Virtual Address, specify the IP address(es) of the virtual server(s).
Add Pool Members for each pool.
For the first pool, click the down arrow under Members, then click the + Pool Members button.
The Pool Members (endpoints) screen opens.Click Add Row and then specify a Name and IP Address for the first pool member.
To add additional members, click Add Row again.
When you finish adding pool members, click Save.
Repeat sub-steps 1 - 4 to add pool members for each pool.
When you finish adding pool members to each pool, click Deploy Changes.
The Deploy Application Service screen displays a summary of the changes to be deployed.Click Yes, Deploy to complete the deployment.
Customize general settings¶
Your policy template selection impacts the security level and required maintenance to ensure your policy is maximizing its application security, while allowing good traffic.
Once you create and save a new policy, you can optionally tune the remaining policy features, including the following basic settings:
Customize your policy’s general settings. Once you create a new policy, you can edit all settings excluding the policy name and template.
Note: You need to have a user role of Security Manager or Administrator to manage a WAF policy.
Click the workspace icon next to the F5 icon, and click Security.
From the left menu click Policies under WAF.
Select the name of the policy.
A panel for the Basic Settings opens. Here you can edit most fields, excluding the Name, Template, and Application Language.
Add or remove Tags for policy sorting and filtering within BIG-IP Next Central Manager.
Enable or disable, Bot Defense, L7 DoS Protection, Threat Campaigns, or IP Intelligence by toggling the button.
Note: By default, all these protection settings are enabled.
Change the Enforcement Mode by selecting:
Transparent - Traffic is blocked if it causes a violation (configured for blocking).
Blocking - Traffic is not blocked even if a violation is triggered.
For Log Events select the following option for security policy event logging:
None - None of the events detected are logged.
Illegal - Only illegal events are added to the events log.
All - All events regardless of their outcome are added to the events log.
Note: For more information about web application and L7 DoS event logs, see How To: Create and Manage WAF Event Logs on BIG-IP Next Central Manager
To view all available fields, toggle Advanced View button to the top right of the Basic Settings panel.
Modify default Allowed Response Codes to your applications by entering or deleting response codes the policy permits.
By default, the system accepts all response codes from 100 to 399 as valid responses. Response codes from 400 to 599 are considered invalid unless added to the Allowed Response Status Codes list. By default, 400, 401, 404, 407, 417, and 503 are on the list as allowed HTTP response status codes.
Modify the allowed and disallowed geolocations for the policy. By default, all countries are allowed. Traffic that originates from the countries assigned to the Disallowed Geolocations are restricted.
Select one or more countries from a list and use the arrow key to move the selection to the other list.
Select Select All and use the arrow key to move the entire country list from one status to another.
For advanced settings you can provide general specifications for headers on incoming requests:
Maximum HTTP Header Length allows you to specify whether there is a limit to the allowed header Length (in Bytes) from a request. If you do not need a limit select Any to allow requests regardless of HTTP header length. The default setting is a maximum of 8192 Bytes.
If a length is specified, Maximum HTTP Header Length must be greater than 0 and less than 65536 bytes (64K).
Maximum Cookie Header Length allows you to specify whether there is a limit to the allowed header Length (in Bytes) from a request. If you do not need a limit select Any to allow requests regardless of cookie header length. The default setting is a maximum of 8192 Bytes.
If a length is specified, Maximum Cookie Header Length must be greater than 0 and less than 65536 bytes (64K).
Enable Trust XFF if you want the policy to trust the X-Forwarded-For header and use the IP address information in the HTTP header for the proxy server.
Leave this option disabled if you think the HTTP header may be spoofed or crafted by a malicious client. With this setting disabled, if the system is deployed behind an internal proxy, the system uses the internal proxy’s IP address instead of the client’s IP address.
Add Custom XFF Headers if you require the policy to trust a server further than one hop toward the client (the last proxy traversed). You can use this setting to define a specific header that is inserted closer to, or at the client. Additionally, if you require the policy to trust a proxy server that uses a different header name than the XFF header name, you can add the desired header name to the Custom XFF Headers setting. When adding a custom header, the XFF header is not trusted anymore.
Click Save to save your changes. If you would like to automatically deploy your changes to the BIG-IP Next instance, click Save & Deploy.
To further manage your WAF policy and deploy changes to your application service, see Next Steps.
Next Steps¶
Managing your WAF security policy¶
WAF Policy Management - A comprehensive list of all policy components and how to manually change the component settings.
(Policy Builder Templates) Manage learning suggestions