F5 Essential App Protect FAQ

Q: What is Baseline Sec Protection?

Baseline Sec Protection is part of High-Risk Attack Mitigation. It provides a baseline policy containing an effective, friction-free security ruleset that protects the application from common exploits using the following:

  • High Risk Attack Signatures
  • HTTP RFC validation
  • Enforcement of Evasion Techniques
  • Method enforcements
  • Malicious file type enforcement
  • Geo-location enforcement (with provided templates)
  • Response Scrubbing to prevent sensitive data leakage (e.g. credit card numbers)
  • Base API Protection

Q: What is a Violation?

Violations occur when some aspect of a request or response does not comply with the security policy for your application. You can configure the blocking settings for any violation in a security policy to determine how the system will treat requests with violations. When a violation occurs in a request, the system can monitor, log, and/or block the request, and you can see the violations using the VIEW EVENTS card.

[Image: VIEW EVENTS card (CS-EAP-View.Events.png)]

In the portal, the policy settings are shown in the various tabs in the PROTECT APPLICATION card.

[Image: PROTECT APPLICATION card, security policy tabs (CS-EAP-Security.Policy.Tabs.png)]

The complete policy is available for viewing or modification in the JSON configuration tab or through the API as shown in the JSON snippet below.

{
    "account_id": "{{ACCOUNT_ID}}",
    "catalog_id": "c-aa9N0jgHI4",
    "service_type": "waf",
    "service_instance_name": "My Test Site",
    "configuration": {
        "waf_service": {
            ...
            "policy": {
               ...
            }
        }
    }
}

Q: How does F5 Essential App Protect Service compare to AWS WAF?

Essential App Protect offers a number of unique or enhanced benefits:

  • Multi-cloud service options.
  • More security functionality built-in than the AWS WAF, providing a broader range of security application protections.
  • Simpler user interface and easy, configurable check-box security options. Essential App Protect provides a very interactive user experience, making it easier to see an issue on the interactive map and take action on that threat.
  • Fewer false positives/negatives.

AWS WAF offers:

  • Runs as part of the ALB flow (Essential App Protect will eventually be available this way as well)
  • Relatively cheap for a WAF SaaS solution
  • Declarative API allows for fast and easy CI/CD integration
  • Good API documentation and references

Q: What is attack probability?

Attack probability is a rating of the likelihood that a request that Essential App Protect reports as a detection event is actually a real attack. You can examine the requests that cause detection events to determine whether the requests are real attacks or false positives. To simplify the task of identifying false positives, each transaction with one or more detection events has an attack probability rating associated with it. The attack probability rating ranks the transactions and reports those that are either High or Very High. This table explains how to interpret the attack probability ratings.

Rating       Description
Very High    Request is most likely a threat.
High         Request looks like a threat but requires examination.

The system assigns the attack probability rating by assessing the combination of detection events occurring in a transaction. The rating is assigned to the transaction as a whole rather than the individual detection events in the request. This is because real attacks often include multiple detection events within one transaction. The attack probability rating takes into consideration the impact of the detection events on the business.


Q: Why do I see asterisks in my parameter value pair?

Essential App Protect is treating these parameters as “sensitive” parameters. For more information, see the next section, on protecting sensitive information and parameters.


Q: How do I protect sensitive information and parameters?

Essential App Protect provides two mechanisms for masking sensitive information: Data Guard and Sensitive Parameters.

Data Guard: In some web applications, a response may contain sensitive user information, such as credit card numbers or social security numbers. The Data Guard feature can prevent responses from exposing sensitive information by masking the data (this is also known as response scrubbing). Data Guard scans text in responses looking for the types of sensitive information that you enable and then masks the value in the response to obscure it from all downstream views or logs. Essential App Protect provides protection for credit cards and social security numbers if Data Guard is enabled and “cc” and “ssn” are turned on.

Sensitive Parameters: Traffic between an application server and a web server can have many parameters that contain sensitive information. In addition to credit cards and social security numbers, you might have account numbers, passwords, medical, or any privacy information that you don’t want to expose. By adding these parameter names to the sensitive parameters list, Essential App Protect will mask the contents of those parameters from any display or logging that is performed as part of the service. Unlike Data Guard, the Sensitive Parameters feature will not change the parameter value that is passed between the application server and web server.

Essential App Protect defaults to enabling Data Guard and Sensitive Parameters, but there are no parameters declared as sensitive. You can add parameters to the list using either the API or the portal. To make changes through the portal, click on the PROTECT APPLICATION card on the Essential App Protect dashboard while viewing your protected application, and make your changes in the COMPLIANCE & PRIVACY section of the General tab (compliance details). You can also follow the API change instructions below, and apply those changes in the JSON configuration tab.

To change compliance settings with the API, you can simply change the data_guard and sensitive_parameters variables in the policy/compliance_enforcement and policy/sensitive_parameters sections of the Essential App Protect subscription update payload, as shown below:

PUT https://api.cloudservices.f5.com/v1/svc-subscription/subscriptions/{{SUBSCRIPTION_ID}}

– PAYLOAD:

{
    "service_type": "waf",
    "service_instance_name": "{PROTECTED_APP}",
    "configuration": {
        "waf_service": {
            ...
            "policy": {
                "compliance_enforcement": {
                    "data_guard": {
                        "cc": true,
                        "enabled": true,
                        "ssn": true
                    },
                    "sensitive_parameters": {
                        "enabled": true,
                        "parameters": [
                           "password",
                           "creditcard"
                        ]
                    }
                },
            ...
           }
        }
    }
}

This will flag these parameters as sensitive parameters. When you create sensitive parameters, the system replaces the sensitive data in the stored request and in logs with asterisks (***), keeping the sensitive data in these parameters private.
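As an added illustration (written for this FAQ, not code from Essential App Protect), the following Python models what the two settings above do to a constructed request and response: Sensitive Parameters masks the values of the listed parameter names only in the stored/logged copy, while Data Guard rewrites the response body itself. The credit-card and SSN matching here is an assumption (Luhn-checked digit runs and the ddd-dd-dddd form) standing in for F5's detection, which the page does not describe.

```python
import re

MASK = "***"

# Constructed compliance_enforcement section, in the shape of the payload above.
COMPLIANCE = {
    "data_guard": {"cc": True, "enabled": True, "ssn": True},
    "sensitive_parameters": {"enabled": True, "parameters": ["password", "creditcard"]},
}

# Illustrative patterns only (assumption, not F5's matching): a 13-19 digit run with
# optional spaces/dashes that passes Luhn, and a ddd-dd-dddd social security number.
CC_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that arbitrary long numbers (order IDs) are not masked."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_request_for_log(query: str, compliance: dict) -> str:
    """Sensitive Parameters: the copy of a query string or form body that is stored/logged.

    The value of every parameter whose name is in the sensitive list becomes '***'.
    The request itself is forwarded unchanged; only this logged copy is masked.
    Names are compared case-insensitively and nothing is URL-decoded, so everything
    that is not masked keeps its original encoding.
    """
    sp = compliance.get("sensitive_parameters", {})
    if not sp.get("enabled"):
        return query
    names = {n.lower() for n in sp.get("parameters", [])}
    out = []
    for pair in query.split("&"):
        key, sep, value = pair.partition("=")
        if sep and key.lower() in names:
            value = MASK
        out.append(key + sep + value)
    return "&".join(out)


def scrub_response(body: str, compliance: dict) -> str:
    """Data Guard: rewrite the response body so downstream views and logs never see the value."""
    dg = compliance.get("data_guard", {})
    if not dg.get("enabled"):
        return body
    if dg.get("cc"):
        def cc_sub(m):
            digits = re.sub(r"[ -]", "", m.group(0))
            return MASK if luhn_ok(digits) else m.group(0)
        body = CC_RE.sub(cc_sub, body)
    if dg.get("ssn"):
        body = SSN_RE.sub(MASK, body)
    return body


if __name__ == "__main__":
    # Constructed sample traffic.
    req = "user=alice&password=hunter2&CreditCard=4111111111111111&page=2"
    resp = "Card on file: 4111 1111 1111 1111, SSN 123-45-6789, order 1234567890123"
    print("forwarded :", req)  # unchanged on the wire
    print("logged    :", mask_request_for_log(req, COMPLIANCE))
    print("scrubbed  :", scrub_response(resp, COMPLIANCE))
```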


Q: Which AWS deployment regions are supported by Essential App Protect?

AWS Region                   Region Name
US East (N. Virginia)        us-east-1
US East (Ohio)               us-east-2
US West (Oregon)             us-west-2
Europe (Frankfurt)           eu-central-1
Europe (London)              eu-west-2
Europe (Paris)               eu-west-3
Asia Pacific (Tokyo)         ap-northeast-1
Asia Pacific (Seoul)         ap-northeast-2
Asia Pacific (Singapore)     ap-southeast-1
Asia Pacific (Sydney)        ap-southeast-2
Asia Pacific (Hong Kong)     ap-east-1
Asia Pacific (Mumbai)        ap-south-1
Canada (Central)             ca-central-1

Q: How do I delete/retire an Essential App Protect Service instance?

The first step is to remove the CNAME record in your DNS settings that redirects your application’s traffic through your Essential App Protect Service instance. For more information, see Protect Application - DNS Settings, Step 2.

Important

When you suspend or retire a subscription, you are turning off all functions of the Essential App Protect Service instance for your application. That also means that if you still have the CNAME record in your DNS settings that you added when you created your Essential App Protect Service instance, all of your application’s traffic will be going through a non-functional proxy, effectively blocking all communication with your application. It is very important that you remove the CNAME record from your DNS settings prior to suspending or retiring an Essential App Protect Service instance.

To delete a service instance with the portal, go to the dashboard and use the View dropdown to choose All my applications. This will show a list of all your service instances. Check the box to the left of the service instance you wish to delete, and press the Delete button in the upper right. For more information, see the Dashboard section.

Using the API, “deleting” a service is done by retiring the service instance based on its subscription ID. See Delete/retire an Essential App Protect Service Instance in the API User’s Guide.


Q: What happens when I suspend Essential App Protect for my application?

When you suspend an Essential App Protect service instance, you are turning it off. Suspending a service will change its state to UNDEPLOYED in the API and Inactive in the portal, but the service will continue to exist in your list of services. Once suspended, the service will not perform any actions, and it will not act as a pass-through to your application. Therefore, before you suspend service for an application, you must first remove the CNAME record in your DNS settings that redirects your application’s traffic through your Essential App Protect Service instance. For more information, see Protect Application - DNS Settings, Step 2.

Important

When you suspend or retire a subscription, you are turning off all functions of the Essential App Protect Service instance for your application. That also means that if you still have the CNAME record in your DNS settings that you added when you created your Essential App Protect Service instance, all of your application’s traffic will be going through a non-functional proxy, effectively blocking all communication with your application. It is very important that you remove the CNAME record from your DNS settings prior to suspending or retiring an Essential App Protect Service instance.

To suspend an application, use the following request. Remember to change the subscription_id to the one assigned to the service instance you want to suspend.

POST https://api.cloudservices.f5.com/v1/svc-subscription/subscriptions/{{subscription_id}}/suspend

– RESULT

{
    "status": "STATUS_ACTIVE",
    "service_state": "UNDEPLOYING",
    "subscription_id": "s-aaVf7muxD9"
}

After a few moments, the service_state will become “UNDEPLOYED”, which you can verify by getting the subscription status. You can later “unsuspend” by activating the subscription for this service instance (the example shown has the subscription_id already inserted into the request URL).

POST https://api.cloudservices.f5.com/v1/svc-subscription/subscriptions/s-aaVf7muxD9/activate

– RESPONSE

{
   "status": "STATUS_ACTIVE",
   "service_state": "DEPLOYING",
   "subscription_id": "s-aaVf7muxD9"
}

Q: What is a CNAME?

A CNAME record is a part of the DNS zone records (it may or may not be present) that is used to redirect from one URL to another. The CNAME record for a DNS zone will have a URL for the record NAME, it will be of record TYPE “CNAME”, and it will have a VALUE of another URL. If the DNS system is looking for example.com and finds it as the NAME of a CNAME record, it switches to looking for the URL in the VALUE field. The VALUE field of a CNAME record is often called the CNAME, or canonical (true) name.

In order to protect your application, all traffic must go through your Essential App Protect service instance for validation and is then forwarded to your application. This is done by creating a CNAME record in the zone file for your application. The CNAME value for your service instance is generated when the instance is created. You can get your CNAME value in the portal on the DNS tab (see Protect Application - DNS Settings) or with the API using the Get Subscription request (see Get and Use a CNAME Value).

For more information, see the following references:


Q: How can I create a new Essential App Protect service instance for my application?

If you are using the API, refer to API Guidelines Document, Section 6.

If you are using the portal, and this is the first application you will be protecting, refer to this section: Set up the Essential App Protect Service. If you have already created one or more service instances, then you can create another from the dashboard while viewing all your applications.

[Image: Dashboard, View: All my applications (CS-EAP-Dashboard-View-All.my.applications.png)]

Press the Create button to show the multi-step slide panel on the right side of the screen to create a new service instance. For details on the creation process, refer to this section: Set up the Essential App Protect Service.


Q: What is monitoring mode vs. blocking mode?

Each of the three event categories (High-risk Attack Mitigation, Malicious IP, and Threat Campaigns) can be used in either Monitoring Mode or Blocking Mode, as shown below:

[Image: PROTECT APPLICATION card, Malicious IP settings (CS-EAP-Protect.Application-Malicious.IP.png)]

Blocking Mode means that Essential App Protect will block all disallowed requests, whereas Monitoring Mode will allow the request but log it as suspicious for future review. The VIEW EVENTS card will show both blocked and monitored events, but the status will be Blocked or Not blocked respectively.

Malicious IP violations have an extra level of selection, as shown above. In Blocking Mode, the default is to block all malicious IP categories; however, you can uncheck any individual category to unblock it. Unblocked categories revert to being just monitored, but you can uncheck the associated Monitor checkbox to completely ignore the category.

If Monitoring Mode is selected, then blocking is not available for any category, and all categories are monitored by default. You can uncheck the associated Monitor checkbox to completely ignore the category.

Q: How do I switch between my applications?

On the Essential App Protect dashboard, you can use the View: dropdown to see your protected applications and select the one you wish to view.

[Image: Dashboard, View: dropdown (CS-EAP-Dashboard-View-Switch.png)]

Q: How do I import an SSL/TLS X.509 certificate?

Here are some requirements for certificates that Essential App Protect can support:

  • You can import a certificate which is self-signed, or a certificate which is signed by an external certificate authority. If the certificate is signed by an external certificate authority, you must also include the certificate chain.
  • The certificate must use one of the following algorithms and key sizes:
    • 1024-bit RSA
    • 2048-bit RSA
    • 4096-bit RSA
  • The certificate, private key, and certificate chain must be PEM encoded. If your certificate is not PEM encoded, you can usually convert it to the PEM format using the following steps:
    1. If your file begins with -----BEGIN and you can open it in a text editor, or if your file has comments or header information followed by -----BEGIN, then your file is in PEM format already. Simply change the extension to .pem and you are ready to add the certificate with the steps below using either the API or the portal.
    2. If the file is binary, convert the certificate with this command:
       openssl x509 -in certificatename.cer -outform PEM -out certificatename.pem
       and convert the private key with this command:
       openssl rsa -in server.key -out server.key.pem -outform PEM
  • The private key PEM block may be encrypted; however, if it is encrypted, you must provide the passphrase.
  • The private key must be in PKCS#1, ASN.1 DER form.

Add certificate with the portal

To add a new service instance with a certificate (for https:), use the onboarding instructions, Set up SSL/TLS. To add a certificate to an existing service, see Listener Settings.

Add certificate with API

To add a new service instance with a certificate (for https:), use the onboarding instructions, Essential App Protect Service API Overview and Example.

Adding the certificate to an existing service instance is a two-step process.

  1. Upload the certificate to Essential App Protect and get a certificate id from the response JSON.

    POST https://api.cloudservices.f5.com/v1/svc-certificates/certificates
    

    – PAYLOAD

    {
        "account_id": "{{ACCOUNT_ID}}",
        "certificate": "-----BEGIN CERTIFICATE-----\n ... -----END CERTIFICATE-----\n",
        "private_key": "-----BEGIN PRIVATE KEY-----\n ... -----END PRIVATE KEY-----\n",
        "certificate_chain": "-----BEGIN CERTIFICATE-----\n ... -----END CERTIFICATE-----\n"
    }
    

    – RESPONSE

    {
        "id": "cert-aaQHsCI-Px"
    }
    
  2. Tell Essential App Protect to use the returned certificate id by updating your service instance with an “https” section added containing the returned certificate id for the certificate_id value and the enabled key set to true, as shown below.

    PUT https://api.cloudservices.f5.com/v1/svc-subscription/subscriptions/{{SUBSCRIPTION_ID}}
    

    – PAYLOAD

    {
        "account_id": "{{ACCOUNT_ID}}",
        "catalog_id": "c-aa9N0jgHI4",
        "service_type": "waf",
        "service_instance_name": "My Test Site",
        "configuration": {
            "waf_service": {
                "application": {
                    "fqdn": "dvwa.waf.dev.f5aas.com",
                    "http": {
                        "enabled": true,
                        "port": 80
                    },
                    "https": {
                        "enabled": true,
                        "port": 443,
                        "tls": {
                            "certificate_id": "{{CERTIFICATE_ID}}"
                        }
                    },
                    "waf_regions": {...}
                },
                "event_logging": {...},
                "industry": "finance",
                "policy": {...}
            }
        }
    }
    
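As an added pre-flight check (example code written here, not part of Essential App Protect or its API), the following Python verifies a bundle against the requirements listed above before step 1: PEM encoding, a PKCS#1 RSA PRIVATE KEY block, a 1024/2048/4096-bit modulus, and whether the key is encrypted and therefore needs a passphrase. It then builds the step 1 upload body. The DER reader is a minimal one written for this check, and the test inputs are constructed and are not usable keys.

```python
import base64
import json
import re

SUPPORTED_RSA_BITS = {1024, 2048, 4096}
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def pem_blocks(text: str) -> list:
    """Return [(label, header lines, DER bytes)] for every PEM block in text."""
    out = []
    for m in PEM_RE.finditer(text):
        lines = m.group(2).splitlines()
        headers = [l for l in lines if ":" in l]  # legacy headers such as Proc-Type: 4,ENCRYPTED
        out.append((m.group(1), headers, base64.b64decode("".join(l for l in lines if l and ":" not in l))))
    return out

def _der_tlv(buf: bytes, pos: int):  # minimal DER reader -> (tag, value, position after element)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits_pkcs1(der: bytes) -> int:
    """PKCS#1 RSAPrivateKey is SEQUENCE { version INTEGER, modulus INTEGER, ... }."""
    tag, seq, _ = _der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("PKCS#1 key must start with a SEQUENCE")
    _, _version, pos = _der_tlv(seq, 0)
    tag, modulus, _ = _der_tlv(seq, pos)
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(modulus, "big").bit_length()

def inspect_private_key(key_pem: str) -> dict:
    blocks = pem_blocks(key_pem)
    if len(blocks) != 1:
        return {"error": "expected exactly one PEM block"}
    label, headers, der = blocks[0]
    encrypted = label.startswith("ENCRYPTED") or any("ENCRYPTED" in h for h in headers)
    info = {"label": label, "pkcs1": label == "RSA PRIVATE KEY", "encrypted": encrypted, "rsa_bits": None}
    if info["pkcs1"] and not encrypted:  # ciphertext cannot be parsed, so the size is checked only when clear
        info["rsa_bits"] = rsa_modulus_bits_pkcs1(der)
    return info

def validate_bundle(cert_pem: str, key_pem: str) -> list:
    """Problems against the requirements listed above; an empty list means ready to upload."""
    problems = []
    if not any(label == "CERTIFICATE" for label, _, _ in pem_blocks(cert_pem)):
        problems.append("certificate: no PEM CERTIFICATE block (see the openssl x509 step above)")
    info = inspect_private_key(key_pem)
    if "error" in info:
        return problems + ["private_key: " + info["error"]]
    if not info["pkcs1"]:
        problems.append(f"private_key: '{info['label']}' is not a PKCS#1 RSA PRIVATE KEY block")
    if info["encrypted"]:
        problems.append("private_key: encrypted, so the passphrase must be provided")
    if info["rsa_bits"] is not None and info["rsa_bits"] not in SUPPORTED_RSA_BITS:
        problems.append(f"private_key: {info['rsa_bits']}-bit RSA is not 1024/2048/4096")
    return problems

def upload_payload_json(account_id: str, cert_pem: str, key_pem: str, chain_pem: str = "") -> str:
    """JSON body for POST .../svc-certificates/certificates; json.dumps escapes newlines as \\n."""
    payload = {"account_id": account_id, "certificate": cert_pem, "private_key": key_pem}
    if chain_pem:  # required when the certificate is CA-signed
        payload["certificate_chain"] = chain_pem
    return json.dumps(payload, indent=4)

# CONSTRUCTED test inputs, not real credentials: a PKCS#1-shaped DER whose only
# meaningful field is a modulus of the requested size. It is unusable as a key.
def _der(tag: bytes, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return tag + bytes([n]) + body
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return tag + bytes([0x80 | len(nb)]) + nb + body

def _der_int(v: int) -> bytes:
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    return _der(b"\x02", b"\x00" + b if b[0] & 0x80 else b)  # keep the INTEGER positive

def constructed_pkcs1_pem(bits: int, encrypted: bool = False) -> str:
    der = _der(b"\x30", _der_int(0) + _der_int((1 << (bits - 1)) | 1) + _der_int(0) * 7)
    hdr = "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n" if encrypted else ""
    return f"-----BEGIN RSA PRIVATE KEY-----\n{hdr}{base64.encodebytes(der).decode()}-----END RSA PRIVATE KEY-----\n"

CONSTRUCTED_CERT = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
```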


Q: How do I delete an SSL/TLS certificate?

Unused certificates can be deleted with the API using the following request. You will need the certificate_id to specify which certificate you would like to delete.

DELETE https://api.cloudservices.f5.com/v1/svc-certificates/{certificate_id}

If the certificate was not being used, you will get response code 200 indicating it was deleted. If the certificate is still in use, you will get response code 400 with the error message, “Certificate is still in use.”

If you do not know the certificate_id, you can get a list of all certificates in your account and their associated IDs with this request:

GET https://api.cloudservices.f5.com/v1/svc-certificates/certificates/{account_id}

– RESULT

{
    "certificates": [
        {
            "id": "cert-aaHUFXTyjo",
            "common_name": "certificate-1",
            "account_id": "",
            "expiration_date": "2027-10-24T19:25:53Z"
        },
        ...
        {
            "id": "cert-aaLewZcv3X",
            "common_name": "certificate-n",
            "account_id": "",
            "expiration_date": "2027-10-24T19:25:53Z"
        }
    ]
}

Q: What happens when I mark an event as an exception?

Essential App Protect examines every request coming into your application, evaluates the threat level, and then determines whether or not it is a violation. There may be cases where you determine that an event flagged as a violation is a false positive, meaning it is an expected type of request and therefore not a violation. You can tell your Essential App Protect Service instance to allow future events like this one to pass through to the application and not be considered a threat. This is done by selecting Mark as exception from the kabob menu on the line logging the event. You can also click on the line to show the details slide panel and click Mark as exception at the bottom.

[Image: VIEW EVENTS, Mark as exception (CS-EAP-View.Events-Mark.as.exception.png)]

What specifically happens depends on the category and violation type of the event.

Category, sub violation: Mark as exception specifics

Malicious IP, all sub violations: This will add the IP address of the event to the IP ENFORCEMENT RULES and set its IP Action to Allow. This means that all traffic from this IP address will pass through to the application. You have the option to continue logging the events in the IP ENFORCEMENT RULES table.
High-risk, Attack Signatures: The specific Attack type will be allowed for all future events, but only in the same context. For instance, if the signature was found in the header, marking it as an exception will only allow it in a header in the future. For more information on attack signatures, see the Attack Signatures table.
High-risk, Geo Location: The specific Source location will be allowed for all future events.
High-risk, Disallowed File Types: The specific file type (extension) will be allowed for all future events.
High-risk, Disallowed HTTP Method: The specific method will be allowed for all future events.
High-risk, other sub violations: The specific sub violation will be allowed for all future events.
Threat Campaigns, all sub violations: The specific threat campaign will be allowed for all future events.

Q: How do I globally disable an attack signature?

You can disable an attack signature by adding it to the exceptions in your policy for High-risk Attack Mitigation using either the API or the JSON configuration tab in the portal. You will need the signature ID for the attack signature you want to disable, which you can find in the Attack Signatures Table. For example, if you want to disable two attack signatures, 200100064 and 200010038, you would simply add these to the exceptions section in the JSON, as shown below.

PUT https://api.cloudservices.f5.com/v1/svc-subscription/subscriptions/{{subscription_id}}

– PAYLOAD

{
    "account_id": "{{ACCOUNT_ID}}",
    "catalog_id": "c-aa9N0jgHI4",
    "service_type": "waf",
    "service_instance_name": "My application",
    "configuration": {
        "waf_service": {
            "application": { ... },
            "industry": "finance",
            "policy": {
                "encoding": "utf-8",
                "compliance_enforcement": { ... },
                "high_risk_attack_mitigation": {
                    "enabled": true,
                    "enforcement_mode": "blocking",
                    "signature_enforcement": { ... },
                    "allowed_methods": { ... },
                    "disallowed_file_types": { ... },
                    "http_compliance_enforcement": { ... },
                    "websocket_compliance_enforcement": { ... },
                    "geolocation_enforcement": { ... },
                    "ip_enforcement": { ... },
                    "exceptions": {
                        "attack_signatures": [
                            {
                                "id": "200100064",
                                "enabled": false
                            },
                            {
                               "id": "200010038",
                                "enabled": false
                            }
                        ]
                    }
                },
                "malicious_ip_enforcement": { ... },
                "threat_campaigns": { ... },
            }
        }
    }
}
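The exceptions edit above, and the sensitive parameters edit from the earlier compliance section, both amount to merging a small change into the policy of an existing subscription configuration before sending the PUT. The following Python (example code written here, not F5's client) performs both edits idempotently on a constructed configuration in the shape of the payloads above, so re-running it never duplicates an exception entry or a parameter name, and the original configuration is left untouched.

```python
import copy
import json

# Constructed subscription configuration in the shape of the payloads above, as it
# might come back from a GET on the subscription before an update is applied.
CONFIG = {
    "account_id": "{{ACCOUNT_ID}}",
    "service_type": "waf",
    "service_instance_name": "My application",
    "configuration": {
        "waf_service": {
            "policy": {
                "compliance_enforcement": {
                    "data_guard": {"cc": True, "enabled": True, "ssn": True},
                    "sensitive_parameters": {"enabled": True, "parameters": ["password"]},
                },
                "high_risk_attack_mitigation": {
                    "enabled": True,
                    "enforcement_mode": "blocking",
                    "exceptions": {"attack_signatures": [{"id": "200100064", "enabled": False}]},
                },
            }
        }
    },
}


def _policy(config: dict) -> dict:
    """Locate (creating if absent) configuration.waf_service.policy in a copy we own."""
    return config.setdefault("configuration", {}).setdefault("waf_service", {}).setdefault("policy", {})


def disable_attack_signatures(config: dict, signature_ids) -> dict:
    """Return a copy of config with each ID listed under
    high_risk_attack_mitigation.exceptions.attack_signatures as enabled=false.
    An ID that is already present is updated in place rather than duplicated."""
    new = copy.deepcopy(config)
    hram = _policy(new).setdefault("high_risk_attack_mitigation", {})
    entries = hram.setdefault("exceptions", {}).setdefault("attack_signatures", [])
    by_id = {e["id"]: e for e in entries}
    for sid in map(str, signature_ids):
        if not sid.isdigit():
            raise ValueError(f"attack signature IDs are numeric strings, got {sid!r}")
        if sid in by_id:
            by_id[sid]["enabled"] = False
        else:
            entries.append({"id": sid, "enabled": False})
            by_id[sid] = entries[-1]
    return new


def reenable_attack_signatures(config: dict, signature_ids) -> dict:
    """Return a copy of config with the given IDs removed from the exceptions list."""
    new = copy.deepcopy(config)
    exc = _policy(new).setdefault("high_risk_attack_mitigation", {}).setdefault("exceptions", {})
    drop = set(map(str, signature_ids))
    exc["attack_signatures"] = [e for e in exc.get("attack_signatures", []) if e["id"] not in drop]
    return new


def disabled_signature_ids(config: dict) -> set:
    """Read-only view of which signature IDs the policy currently has disabled."""
    policy = config.get("configuration", {}).get("waf_service", {}).get("policy", {})
    entries = policy.get("high_risk_attack_mitigation", {}).get("exceptions", {}).get("attack_signatures", [])
    return {e["id"] for e in entries if not e.get("enabled", True)}


def add_sensitive_parameters(config: dict, names) -> dict:
    """Return a copy of config with names appended to compliance_enforcement.sensitive_parameters
    (deduplicated, order preserved) and the feature switched on."""
    new = copy.deepcopy(config)
    sp = _policy(new).setdefault("compliance_enforcement", {}).setdefault("sensitive_parameters", {})
    sp["enabled"] = True
    current = sp.setdefault("parameters", [])
    for name in names:
        if name not in current:
            current.append(name)
    return new


if __name__ == "__main__":
    updated = disable_attack_signatures(CONFIG, ["200100064", "200010038"])
    updated = add_sensitive_parameters(updated, ["creditcard", "password"])
    print(json.dumps(updated["configuration"]["waf_service"]["policy"], indent=4))
```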

Q: How do I get attack signature information with the API?

The Essential App Protect API provides a path for getting attack signature information. The following request will return one page of up to 50 attack signatures, by default.

GET https://api.cloudservices.f5.com/waf/v1/attack-signatures/signatures

– RESULT

{
    "signatures": [
        {
            "id": "200002195",
            "name": "SQL-INJ sysoledbusers",
            "rule": "",
            "last_updated": "2014/03/09 06:42:17",
            "apply_to": "Request",
            "attack_type": "SQL-Injection",
            "risk": 3,
            "accuracy": 1,
            "systems": [
                {
                    "name": "General Database"
                }
            ],
            "references": [
                {
                    "type": "url",
                    "id": "http://www.owasp.org/index.php/SQL_Injection"
                },
                {
                    "type": "url",
                    "id": "http://www.webappsec.org/projects/threat/classes/sql_injection.shtml"
                }
            ]
        },
        ...
    ],
    "page_size": 50,
    "page": 1,
    "count": 6021
}

You can add a query to change the response. For instance to get the second page, use the following request.

GET https://api.cloudservices.f5.com/waf/v1/attack-signatures/signatures?page=1&page_size=50

The page_size variable is not necessary, since the default is 50, but if you want to get 20 signatures per page, then you need to specify page_size=20 for all requests, because page 2 contains different signatures for different page sizes.

You can also get a signature by signature ID, as shown below:

GET https://api.cloudservices.f5.com/waf/v1/attack-signatures/signatures?id=200010038

Most of the names in the response JSON can be used as query parameters, so for example you can ask for all attack signatures that have a risk of 3, or an attack_type of SQL-Injection, or an accuracy of 1. Note that values for the query parameters are case sensitive.

Q: How do I whitelist traffic from my Essential App Protect service instance?

All traffic that gets reviewed and passes inspection in Essential App Protect will be relayed to your application. Whitelisting the Essential App Protect endpoints will ensure that all such traffic can successfully reach your application. Instructions for doing this can be found in the UI setup instructions.


Q: What is the update cadence for Threat Campaigns and Attack Signatures?

Attackers are constantly looking for ways to exploit the latest vulnerabilities and/or new ways to exploit old vulnerabilities. F5’s Threat Research team is constantly monitoring malicious activity around the globe and creating signatures specific to these exploits. As new signatures are created, they are added to Essential App Protect, meaning you always have the latest known threat campaigns and attack signatures.


Q: How does Essential App Protect choose which end-point (region) to send requests to?

If you have specified multiple endpoints (regions) for your protected application, Essential App Protect will use Amazon Route 53’s Latency Based Routing (LBR) feature to dynamically select the endpoint with the lowest latency. You can read more about Latency Based Routing on the AWS DNS Routing Policies page–look for this FAQ: “Q. What is Amazon Route 53’s Latency Based Routing (LBR) feature?”


Q: How do I redirect HTTP traffic to HTTPS?

For information on how to redirect traffic using the portal, go to the Protect Application - General section and view the LISTENER SETTINGS topic. Alternatively, you can redirect traffic via the JSON configuration using the JSON settings shown below in the API instructions.

To redirect traffic using the API, set up the JSON payload as shown below and update the subscription. In order to redirect traffic from HTTP to HTTPS, you must enable both an HTTP and an HTTPS port, and you must set the https_redirect value to true. Also, in order to enable an HTTPS port, you will need to specify a certificate_id, if you have not already done so.

PUT https://api.cloudservices.f5.com/v1/svc-subscription/subscriptions/{{subscription_id}}

– PAYLOAD

{
    "application": {
        "description": "",
        "fqdn": "example.com",
        "http": {
            "enabled": true,
            "https_redirect": true,
            "port": 80
        },
        "https": {
            "enabled": true,
            "port": 443,
            "tls": {
                "certificate_id": "cert-aazympHk_p"
            }
        },
        "waf_regions": { ... }
    },
    "policy": { ... }
}

Q: Who should I contact for help regarding F5 Cloud Services?

Visit the F5 Cloud Services Support page to see all of your support options.