Work with F5 Behavioral App Protect

Follow the steps on this page to get your application onboard with Behavioral App Protect.

If you have not yet subscribed to F5 Cloud Services, you need to do that first before getting started with Behavioral App Protect. Do that here: Subscribe to F5 Cloud Services.

Getting Started with Behavioral App Protect

The first step in getting your application onboard with Behavioral App Protect is to configure your application in the Behavioral App Protect GUI. To start configuring your application, navigate to the Applications list as follows:

  1. Click the Behavioral App Protect icon in the Cloud Services navigation menu.

    _images/BAppProtect-select-icon.png
  2. In the Behavioral App Protect menu on the left, click Applications.

Part of the configuration process requires integrating your application either with the BIG-IP or the Cloud Hosted solution. Instructions are provided here for both types of integrations, follow the instructions that are relevant for your system.

Integrate your application with the BIG-IP

  1. Click the Create button in the upper-right corner of the Behavioral App Protect screen.

    The Create Application pane appears.

  2. In Application Name, assign a name.

    _images/BAppProtect-create-application.png
  3. For Application Protection Mode, select a protection mode for your application.

    Note

    F5 recommends using the Monitoring protection mode for new applications. Before moving to Blocking mode, you should first review Checklist for moving an application to Blocking mode.

  4. From the Policy list, select the policy that you want your application associated with.

  5. Click OK, Create.

    The Integration tab is now displayed in the Behavioral App Protect screen.

    _images/BAppProtect-integrate-application.png
  6. Click on BIG-IP Native.

  7. Follow the instructions that appear explaining how to complete the integration.

  8. After completing the integration, you can test if the integration is valid by entering your site URL at Integration Validation and clicking Validate.

    If you do this, Behavioral App Protect sends a request to this URL and then checks if traffic is detected from the URL in the Cloud Services system.

Integrate your application with Cloud Hosted Behavioral App Protect

  1. Click the Create button in the upper-right corner of the Behavioral App Protect screen.

    The Create Application pane appears.

  2. Click Cloud Hosted.

    _images/BAppProtect-integrate-application-cloudhost.png
  3. In Application Domain, enter the Fully Qualified Domain Name that you want to protect.

    For example, www.f5.com

  4. In Application Name, assign a name.

  5. For Application Protection Mode, select a protection mode for your application.

    Note

    F5 recommends using the Monitoring protection mode for new applications. Before moving to Blocking mode, you should first review Checklist for moving an application to Blocking mode.

  6. Click Next.

    The ENDPOINTS & REGIONS pane appears.

  7. From the Region list, select the region that is closest to the physical location of your application.

  8. In Origin website endpoint, enter the domain or IP endpoint of your application.

  9. Click Next.

    The PROVIDE A SSL/TLS CERTIFICATE pane appears.

  10. Select an SSL certificate from the drop-down list, or select Add a new one if you want to use an SSL certificate that is not in the list.

    To add a new certificate, either paste your certificate and private key into the respective fields, or use the + select a file buttons to upload them from your computer. You must provide both a certificate and its associated private key. If your private key is encrypted with a passphrase, then you must also enter the passphrase. If you have multiple certificates including both root CAs and intermediate CAs forming a certificate chain, provide your certificate chain in the text box designated for that information.

  11. Click Next.

    The ACTIVATE YOUR APPLICATION pane appears.

  12. Click Create and Activate.

    Instructions appear for completing DNS setup.

  13. Follow the instructions for completing the DNS setup and click Done.

Checklist for moving an application to Blocking mode

Before putting your application in Blocking mode, you should first verify certain issues to ensure that you are ready to move into Blocking mode.

  1. In the Behavioral App Protect dashboard, select your application and verify that it is running and receiving traffic. If it is not running or there is no traffic, clarify the cause of the problem before moving to Blocking mode.

  2. Review the application configuration. Select your application from the Applications list and review the following items:

    • Do you want to configure a proxy for the client IP address? If so, in the General Settings, go to the IP Configuration section and remove the check box by Use Client IP Address.
    • Under Behavioral App Protect Settings, review the settings in this section and ensure that these are the settings you want for Blocking mode
    • Mitigation: You can configure and preview the blocking page displayed by Behavioral App Protect.
  3. Policies: Click the Policies tab on the left side of the Cloud Services portal and select the policy used by your application. Check the following issues on the policy:

    • Whitelist/Blacklist: If there are bots or other sources that you don’t want to be blocked, put them on the whitelist.

    • Mitigation:

      • Block All Bad Bots: Enable this setting if you want Behavioral App Protect to block all bots defined as bad. When disabled, Behavioral App Protect will block only bots that send HTTP requests with attacks and vulnerability scanner bots.
      • Enable Deception: When this setting is enabled and your application is in Blocking mode, Behavioral App Protect will attempt to deceive actors who are defined as Malicious Human.

      Note

      If Deception is not enabled and your application is in Blocking mode, actors defined as Malicious Human will see the blocking page when trying to access your application.

      • Enable Conviction: When this setting is enabled and your application is in Blocking mode, Behavioral App Protect plants traps for actors defined as Suspicious Human. If the actor steps on the trap, then Behavioral App Protect changes the status of this actor to Malicious Human.
  4. Verify that Behavioral App Protect correctly identifies good bots and bad bots. Click the Events tab and use the filter to check the following event activity:

    • Correct classification of bad bots: Verify that Behavioral App Protect correctly identifies bad bots. If you find a bot that is incorrectly classified (i.e., it is really good but listed as bad), add it to the whitelist on the policy of your application.
    • Correct classification of good bots: Verify that Behavioral App Protect correctly identifies good bots. If you find a bot that is incorrectly classified (i.e., it is really bad but listed as good), add it to the blacklist on the policy of your application.
    • Verify that there are no false-positive events: Check that there are no good requests that are blocked. If there are, mark those events as False-Positive.
  5. After you have reviewed all the issues above and determined that you are ready to move your application into Blocking mode, select your application from the Applications list and in the General Configuration section select Blocking, then click Save.

    _images/BAppProtect-move-to-blocking-mode.png