Work with the F5 Essential App Protect Service

Essential App Protect provides instant, out-of-the-gate protection from common web exploits, malicious IPs and coordinated attack types. This document will show you how to set up Essential App Protect and how to use it once protection is active.

Set up the Essential App Protect Service

The Essential App Protect Service can be set up using either the API or the portal through a series of forms. Setup instructions using the API can be found in the API User’s Guide. To set up the Essential App Protect Service with the portal, follow the steps below:

1. Go to the Essential App Protect Service

On Your F5 Cloud, click the Essential App Protect tab in the Cloud Services navigation menu. Since you don’t have any protected applications yet, you will see the WorldWide Threat Map view.

2. Provide application details

On the WorldWide Threat Map view, click the Start protecting your app button. This will show a multi-step slide panel on the right side of the screen. Enter the following fields:

  • Fully Qualified Domain Name (FQDN) - This is the domain you wish to protect.
  • Name this application - This is how Essential App Protect will refer to this instance of the service. For example, this is the name you will select in the View menu to see this service.
  • Add a description (optional) - Add a longer, more detailed description of this service.
  • Choose an application encoding - This tells Essential App Protect which type of characters are used for your application. If you’re not sure, use the default since over 90% use UTF-8.

_images/CS-EAP-Signup-App.png

When you are finished, press Save & Continue.

3. Confirm endpoints and regions

Essential App Protect will look for the FQDN you entered and show you the results. If this is correct, you can select the appropriate region for this IP endpoint.

Note

If you have multiple endpoints and multiple regions, you can add these later. Go to the Protect Application - General topic and look at the DEPLOYED REGIONS section to learn how to add, modify, and remove regions.

If you make changes on this tab, press the Update button to save the changes.

_images/CS-EAP-Signup-Confirm.Endpoints.png

Press Save & Continue to move to the next step.

4. Set up SSL/TLS

First, enable one or both listeners for this application, and specify a port for each listener enabled.

If your application encrypts data between server and browser (uses HTTPS), then you must add an SSL or a TLS certificate so that Essential App Protect can work with your application’s encrypted communications. You have the option to add the certificate later, but then you will only have protection when your site is used without encryption (uses HTTP).

To add a certificate, you can select an existing certificate from the dropdown menu, or there is an option to Add a new one at the bottom of the menu.

_images/CS-EAP-Signup-No.Certificate.png _images/CS-EAP-Signup-No.Certificate.Add.png

Certificates that you add must be PEM encoded. For more details on certificates for Essential App Protect, see How do I import an SSL/TLS X.509 certificate.

To add a new certificate, either paste your certificate and private key into the respective fields, or use the + select a file buttons to upload them from your computer. You must provide both a certificate and its associated private key. If your private key is encrypted with a passphrase, then you must also enter the passphrase. If you have multiple certificates including both root CAs and intermediate CAs forming a certificate chain, then you must check the Add a certificate chain (optional) checkbox and enter the chain into the field below it.

_images/CS-EAP-Signup-Certificate.png

The option I want to redirect my traffic from HTTP to HTTPS causes all HTTP traffic coming into your Essential App Protect service instance to be redirected to HTTPS, so your application will only ever see HTTPS traffic.

Press Save & Continue to move to the next step.

5. Choose protection features

The APP PROTECT FEATURES step gives you the ability to enable the various methods of protection offered by Essential App Protect. Regardless of your choice, you can change the feature later by clicking on the PROTECT APPLICATION card on the Essential App Protect dashboard while viewing your protected application. You can get more details on each feature by clicking the view feature details button or one of the links below:

_images/CS-EAP-Signup-App.Protect.Features.png

6. Configure DNS

Your Essential App Protect instance has been created and it is ready to start protecting your application. The next step is to change your DNS settings so that all of your application’s traffic goes through your Essential App Protect instance. This is done by creating a CNAME record in the zone file for your application through your application’s hosting provider. For more information, see Protect Application - DNS Settings.

_images/CS-EAP-Signup-Set.up.DNS.png

After you’ve updated DNS records, it can take up to 72 hours for it to fully propagate, but it’s typically much faster. Once this process is complete, your application is actively protected by Essential App Protect.

7. Add deployment regions to allow list

The last step is to ensure that all traffic that has been reviewed by Essential App Protect and passed inspection can be successfully relayed to your application. To do this, add the deployment region IP addresses used by Essential App Protect to the allow list for your application. All traffic coming from Essential App Protect to your application will come from one or more of the IP addresses listed below, so you should add all the IP addresses listed for the regions you use to the allow list. For maximum flexibility, add all listed IP addresses. Additionally, if you want to ensure that no traffic to your application bypasses Essential App Protect, accept requests only from the following addresses.

Region (zone)                  IP addresses
ap-east-1 (Hong Kong)          18.162.185.175, 18.163.219.21, 18.163.39.86
ap-northeast-1 (Tokyo)         13.114.106.40, 52.199.194.253, 54.95.59.57
ap-northeast-2 (Seoul)         15.164.11.190, 3.34.70.66, 3.34.84.254
ap-south-1 (Mumbai)            13.126.218.61, 3.7.76.98, 3.7.88.250
ap-southeast-1 (Singapore)     18.141.87.26, 52.221.8.87, 54.169.6.87
ap-southeast-2 (Sydney)        13.238.204.166, 13.239.74.79, 13.55.30.15
ca-central-1 (Central Canada)  15.222.171.216, 15.222.68.186, 15.223.90.142
eu-central-1 (Frankfurt)       3.126.252.37, 3.127.90.102, 52.58.211.135
eu-west-2 (London)             3.10.135.70, 35.176.145.242, 35.179.50.207
eu-west-3 (Paris)              15.188.13.137, 15.188.30.71, 15.236.68.31
sa-east-1 (São Paulo)          18.229.181.176, 54.94.56.215, 54.94.83.17
us-east-1 (N. Virginia)        3.89.239.134, 34.192.178.6, 34.194.59.77, 35.171.31.31, 52.70.78.148, 52.204.48.4
us-east-2 (Ohio)               3.12.21.33, 3.136.204.72, 3.18.8.186
us-west-2 (Oregon)             35.155.82.220, 52.12.226.166, 54.70.11.143

Deployment regions download: Essential App Protect Deployment Regions
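The following is an added example, not F5's code, showing what step 7 amounts to on the origin side: a check that a connection's peer address is one of the deployment region addresses above, an nginx allow/deny rendering of that list, and a pass over constructed access-log lines to find requests that reached the application without going through Essential App Protect. The address list is transcribed from the table; the nginx directives and the combined log format are my assumptions about how the list gets applied.

```python
"""Origin-side check that traffic really arrives via Essential App Protect.

Added example, not F5's code. The addresses are copied from the deployment
regions table above; the nginx rendering and the log format are assumptions."""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Region -> source addresses, transcribed from the table above.
EAP_REGIONS: Dict[str, List[str]] = {
    "ap-east-1":      ["18.162.185.175", "18.163.219.21", "18.163.39.86"],
    "ap-northeast-1": ["13.114.106.40", "52.199.194.253", "54.95.59.57"],
    "ap-northeast-2": ["15.164.11.190", "3.34.70.66", "3.34.84.254"],
    "ap-south-1":     ["13.126.218.61", "3.7.76.98", "3.7.88.250"],
    "ap-southeast-1": ["18.141.87.26", "52.221.8.87", "54.169.6.87"],
    "ap-southeast-2": ["13.238.204.166", "13.239.74.79", "13.55.30.15"],
    "ca-central-1":   ["15.222.171.216", "15.222.68.186", "15.223.90.142"],
    "eu-central-1":   ["3.126.252.37", "3.127.90.102", "52.58.211.135"],
    "eu-west-2":      ["3.10.135.70", "35.176.145.242", "35.179.50.207"],
    "eu-west-3":      ["15.188.13.137", "15.188.30.71", "15.236.68.31"],
    "sa-east-1":      ["18.229.181.176", "54.94.56.215", "54.94.83.17"],
    "us-east-1":      ["3.89.239.134", "34.192.178.6", "34.194.59.77",
                       "35.171.31.31", "52.70.78.148", "52.204.48.4"],
    "us-east-2":      ["3.12.21.33", "3.136.204.72", "3.18.8.186"],
    "us-west-2":      ["35.155.82.220", "52.12.226.166", "54.70.11.143"],
}


def eap_addresses(regions: Optional[Iterable[str]] = None) -> List[ipaddress.IPv4Address]:
    """Source addresses for the given regions (every region when None)."""
    names = list(regions) if regions is not None else list(EAP_REGIONS)
    unknown = [r for r in names if r not in EAP_REGIONS]
    if unknown:
        raise ValueError(f"unknown region(s): {unknown}")
    return [ipaddress.IPv4Address(a) for r in names for a in EAP_REGIONS[r]]


def is_eap_source(peer_ip: str, regions: Optional[Iterable[str]] = None) -> bool:
    """True when the TCP peer address is one of the EAP addresses.

    Decide on the peer address, never on X-Forwarded-For or similar headers:
    anyone connecting directly can set those to whatever they like."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return addr in set(eap_addresses(regions))


def render_nginx_allowlist(regions: Optional[Iterable[str]] = None) -> str:
    """ngx_http_access_module directives for a server or location block (assumed usage)."""
    lines = [f"allow {addr};" for addr in eap_addresses(regions)]
    lines.append("deny all;")
    return "\n".join(lines)


# Combined-log-format prefix: peer ip, ident, user, [time] "request" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3})')


def bypass_attempts(log_lines: Iterable[str],
                    regions: Optional[Iterable[str]] = None) -> List[Tuple[str, str]]:
    """(peer_ip, request_line) for every logged request that did not arrive via EAP.

    Run this over the origin's access log after cutting over DNS: anything it
    returns reached the application without passing through the WAF."""
    allowed = set(eap_addresses(regions))
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        peer, request, _status = m.groups()
        try:
            if ipaddress.ip_address(peer) in allowed:
                continue
        except ValueError:
            pass  # unparsable peer field: report it rather than hide it
        hits.append((peer, request))
    return hits


# Constructed sample log lines (the stray client uses an RFC 5737 documentation address).
SAMPLE_LOG = [
    '52.70.78.148 - - [10/Oct/2020:13:55:36 +0000] "GET /login HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2020:13:55:41 +0000] "GET /admin HTTP/1.1" 403 129',
    '3.89.239.134 - - [10/Oct/2020:13:55:44 +0000] "POST /api/orders HTTP/1.1" 201 88',
]

if __name__ == "__main__":
    print(render_nginx_allowlist(["us-east-1"]))
    print("direct hits:", bypass_attempts(SAMPLE_LOG))
```

The allow list has to be enforced on the TCP peer address (firewall, security group, or the web server's access rules), because a client that connects to the origin directly controls every header it sends.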


Dashboard

The Essential App Protect Service dashboard allows you to view the protection status of each of your protected applications and make adjustments to your protection settings as events change. To view the dashboard for an application, click Essential App Protect in the navigation menu and then select the desired application with the View: drop-down menu.

_images/CS-EAP-Monitor.Applications.png

The dashboard shows an overview of one protected application as defined by the selection in the View: drop-down menu. As shown below, the dashboard is structured with three data cards across the top and a workspace at the bottom. Clicking on each card changes the workspace to show different information below the cards, but the cards themselves are always present at the top of the page to provide your security overview. Details for each of these cards are given below.

Near the bottom of the View: dropdown is an option to show All my applications.

_images/CS-EAP-Dashboard-View.png

This will show your Essential App Protect Service instances for each of your applications along with their current status. You can create a new service instance to protect another application by clicking the Create button. For details on the service creation process, see the Set up the Essential App Protect Service section. You can also delete a service instance by checking the box to the left of the service and pressing the Delete button in the upper right.

_images/CS-EAP-Dashboard-View-All.my.applications.png

Monitor Application

The MONITOR APPLICATIONS data card shows an overview of the malicious requests received by the application. The histogram shows the history of malicious activity over the last two hours in five-minute increments. The donut chart shows the percentage of malicious requests blocked during the last time period as well as the specific numbers of blocked and not blocked requests.

_images/CS-EAP-Monitor.Applications.Card.png

Clicking on the card will show a world map in the workspace with more details on various malicious activity for the application. The legend area in the top left of the map shows some details of the protected application including the number of application endpoints. Below that are the different types of malicious actors that can be viewed on the map. The checkboxes enable you to view or hide each type of malicious actor, which can be helpful when there are many attacks occurring simultaneously.

_images/CS-EAP-Monitor.Applications.png

Try these map features:

  • Locate endpoint(s) - The concentric blue circle icon(s) shows your application endpoint(s) and location(s).
  • Quickly identify and mitigate attacks - Hover over any of the malicious actor icons on the map to get more details regarding that location. From there you can click the View Incident button to go to the VIEW EVENTS card and then get specific details on the attack. Similarly click the View Settings button to go to the PROTECT APPLICATION card to view or change settings.
  • Get real-time threat updates - Yellow attack bars indicate active attacks. When the screen is first loaded, you will see attack bars from all malicious attackers who have attacked in the last five minutes. Subsequently, attack bars appear as new malicious attacks are detected.
  • Expand attack clusters - If more than one attack of the same type in the same region appears, the icon shows them as a cluster with the number of attackers included. The icon will appear larger based on the number of attackers. You can click on the number icon to zoom into that area and examine the individual actors. To zoom out again, click the blue circle with the minus sign in it in the upper right corner of the map.
  • Pan and zoom - You can pan the map by clicking the mouse anywhere on the map and dragging. This is especially useful when the map is zoomed in. You can zoom the map by clicking on an attack cluster (mentioned above) if any are displayed.
  • View app data insights - You can see protection statistics for this service instance by clicking either the View app data insights link or the attack percentage donut in the MONITOR APPLICATIONS data card.

Below the map is a list of the detection events shown on the map. To get details on those events, or to see other past events, click on the VIEW EVENTS data card.

Monitor Application - Protection stats

The Protection stats tab shows data visualizations that communicate your application protection perimeter in a single view in the form of a shareable report.

_images/CS-EAP-Monitor.Applications-Protection.stats.png

The primary graph shows your application’s suspicious requests over time, meaning it only shows requests that appear to be malicious. Requests are grouped into three categories, Blocked (blue), Not blocked (pink), and Total (grey). The Total category is simply the sum of the Blocked and Not blocked categories.

  • Time scale - The drop-down menu in the upper left lets you select the time period shown in the REQUESTS OVER TIME graph and sets the x-axis of the graph. The menu offers a number of predefined time ranges, and there is also a selection that allows you to create a custom time range.

  • Refresh button - The refresh button next to the time scale menu allows you to refresh the display to get the latest statistics. There is also a pull-down arrow next to it that allows you to set an automatic refresh rate. For example, choosing 30 Sec will turn the refresh button into a countdown timer with a 30 second scale. When the countdown completes, the screen refreshes with the latest data, and the countdown resets.

  • Graph type - The three-button group in the upper right portion of the graph allows you to choose the graph type, that is, different ways to view your data.

    _images/CS-EAP-Monitor.Applications-Protection.stats-Graph.type.png

    The selections are a bar chart, a line chart, and an area chart, respectively.

  • Bin size - The three-button group to the left of the graph type buttons allows you to set the bin size for the x-axis, so you can see the graph with broader or narrower groupings.

    _images/CS-EAP-Monitor.Applications-Protection.stats-Bin.size.png

    The choices are dependent on the time scale (x-axis). If the scale is set to Last 7 days, then the options are 8, 12, and 24 hours. If the scale is set to Last hour, then clearly 8, 12, and 24 hour choices would make no sense, so Essential App Protect gives you the choice of 1, 2, and 5 minute bins.

  • Bin specifics - Hover over any time period in the graph (bin) to see the details of that time period.

    _images/CS-EAP-Monitor.Applications-Protection.stats-Bin.specifics.png

  • Bin category display - Click on a category to toggle the visibility of that category.

    _images/CS-EAP-Monitor.Applications-Protection.stats-Bin.display.png

The PROTECTION STATUS area shows your current enforcement modes for each of the three classes of malicious requests. To change your enforcement modes, go to the Protect Application card, click the feature you want to change, and make the appropriate changes.

The CURRENT ATTACK STATUS gives more detail on the most recent malicious activity. The timeframe for recent is set by the bin size selection above the graph, and the data shown matches the last bin on the graph. Note that the last bin is defined as the time period from the end of the previous bin to the current time; therefore, the last time bin and the CURRENT ATTACK STATUS data will typically be less than the bin size.
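The partial last bin is easy to misread, so here is an added example (not F5's code) that rebuilds the REQUESTS OVER TIME bins from a constructed list of suspicious-request timestamps and returns the CURRENT ATTACK STATUS figures together with how many minutes that last bin actually covers. Aligning bins to clock boundaries and the sample events are my assumptions; the page only states that the last bin runs from the end of the previous bin to the current time.

```python
"""Rebuild the REQUESTS OVER TIME bins so the partial last bin is explicit.

Added example, not F5's code. Bin alignment to clock boundaries and the
constructed event list are assumptions."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

UTC = timezone.utc
EPOCH = datetime(1970, 1, 1, tzinfo=UTC)

# Bin sizes (minutes) offered for two of the time scales described above.
BIN_CHOICES: Dict[str, List[int]] = {
    "Last hour": [1, 2, 5],
    "Last 7 days": [8 * 60, 12 * 60, 24 * 60],
}

Event = Tuple[datetime, bool]   # (timestamp, blocked?)


def floor_to(ts: datetime, minutes: int) -> datetime:
    """Round ts down to a multiple of `minutes` since the epoch (assumed alignment)."""
    step = timedelta(minutes=minutes)
    return EPOCH + ((ts - EPOCH) // step) * step


def bin_requests(events: List[Event], now: datetime,
                 scale_minutes: int, bin_minutes: int) -> List[Dict]:
    """Count blocked / not-blocked suspicious requests per bin.

    Every bin except the last covers exactly bin_minutes; the last one is cut
    at `now`, which is why its totals usually look smaller than its neighbours."""
    step = timedelta(minutes=bin_minutes)
    start = floor_to(now - timedelta(minutes=scale_minutes), bin_minutes)
    bins: List[Dict] = []
    while start < now:
        end = min(start + step, now)
        inside = [blocked for ts, blocked in events if start <= ts < end]
        blocked = sum(1 for b in inside if b)
        bins.append({
            "start": start, "end": end,
            "blocked": blocked, "not_blocked": len(inside) - blocked,
            "total": len(inside),
            "minutes": (end - start).total_seconds() / 60,
        })
        start += step
    return bins


def current_attack_status(bins: List[Dict]) -> Dict:
    """What the CURRENT ATTACK STATUS panel shows: the last bin's counts, plus a
    per-minute rate so a 2.5-minute bin can be compared fairly with 5-minute bins."""
    last = bins[-1]
    return {
        "blocked": last["blocked"],
        "not_blocked": last["not_blocked"],
        "covers_minutes": last["minutes"],
        "per_minute": last["total"] / last["minutes"] if last["minutes"] else 0.0,
    }


def _t(hh: int, mm: int, ss: int = 0) -> datetime:
    return datetime(2020, 10, 10, hh, mm, ss, tzinfo=UTC)


NOW = _t(13, 57, 30)
# Constructed events: (timestamp, blocked?)
SAMPLE_EVENTS: List[Event] = [
    (_t(12, 50), True),                                   # older than the window: ignored
    (_t(13, 50), True), (_t(13, 51), True), (_t(13, 52, 30), True), (_t(13, 54, 59), False),
    (_t(13, 55), False), (_t(13, 56, 10), True), (_t(13, 56, 40), False), (_t(13, 57, 5), True),
]

if __name__ == "__main__":
    for b in bin_requests(SAMPLE_EVENTS, NOW, 60, 5):
        print(b["start"].strftime("%H:%M"), b["end"].strftime("%H:%M:%S"), b["total"])
    print(current_attack_status(bin_requests(SAMPLE_EVENTS, NOW, 60, 5)))
```

With the sample data the 13:50 to 13:55 bin and the partial 13:55 to 13:57:30 bin both contain four requests, but the rate in the last bin is twice as high; reading the raw counts alone would hide that.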

The bottom row of three bar graphs allows you to see more information about the top attacks directed at your application. This can be helpful for spotting situations where one specific IP address is producing the malicious requests or one type of attack is being used.


Protect Application

The PROTECT APPLICATION card shows the current protection level for each of the categories of protection offered for an application. Each category can be either Off (not used), Monitoring (show the threat but don’t take action), or Blocking (block all threats). These and other protection settings and information can be accessed by clicking the PROTECT APPLICATION card.

_images/CS-EAP-Protect.Application.Card.png

The Protections Settings section has six tabs: General, Hi-risk Attack Mitigation, Malicious IP, Threat Campaigns, DNS Settings, and JSON configuration. Each tab is discussed in a section below.

_images/CS-EAP-Protect.Application.png

Protect Application - General

In the General tab, there are four sections as shown below:

  • APPLICATION DETAILS -
    • Fully Qualified Domain Name (FQDN): This is the protected application.
    • Application Encoding: The type of characters used for your application.
    • Application Display Name: This is the name Essential App Protect will use for your protected application. This name will be shown in the View: dropdown menu in the upper right corner of most Essential App Protect screens.
    • Description: Use this optional field to differentiate between like-named applications.
  • LISTENER SETTINGS - This area shows how your listeners are set up. HTTPS is for encrypted traffic, and HTTP is for unencrypted traffic. Encrypted traffic requires an SSL/TLS certificate. If you have a certificate specified for this service, this section will show some information about the certificate, including its name and expiration date. To make changes to your listener settings, click the Manage listener details button.

    _images/CS-EAP-Protect.Application-Manage.listener.details.png
    • Enable HTTP Listener: Check this box to allow unencrypted HTTP traffic to your site through your Essential App Protect service instance and enter the port number for this communication (80 is the default HTTP port).
    • Enable HTTPS Listener: Check this box to allow encrypted HTTPS traffic to your site through your Essential App Protect service instance and enter the port number for this communication (443 is the default HTTPS port).
    • I want to redirect traffic from HTTP to HTTPS: Check this box to tell Essential App Protect to reroute all HTTP traffic received to your HTTPS port. This check box can only be checked if you have both an HTTP and HTTPS listener as well as an SSL certificate.
    • TLS version: Select the minimum TLS version allowed for the HTTPS listener. Allowable minimum versions are 1.0, 1.1, and 1.2. The default and recommended version is 1.2, which tells Essential App Protect to only accept requests that use TLS 1.2. If you set version to a lower value, then Essential App Protect will accept requests that use that version or higher, for example, setting version to 1.1 will allow 1.1 and 1.2 requests. Note: Setting version to 1.0 is strongly discouraged because it leaves your app susceptible to a number of vulnerabilities.
    • SSL/TLS CERTIFICATE: Specify the certificate you want to use.  If you want to add a certificate, use this pull-down menu to select Add a new one, and enter your certificate information. You can either paste your certificate and private key into the respective fields, or use the + select a file buttons to upload them from your computer. You must provide both a certificate and its associated private key. If your private key is encrypted with a passphrase, then you must also enter the passphrase. If you have multiple certificates including both root CAs and intermediate CAs forming a certificate chain, then you must check the Add a certificate chain (optional) checkbox and enter the chain into the field below it.  Otherwise, check the This certificate is self-signed box. For more information on certificates, see How do I import an SSL/TLS X.509 certificate.
  • DEPLOYED REGIONS - This section shows the AWS region(s) where your application is deployed. If your application has multiple IP endpoints, then you may have multiple regions listed. For each deployed region, you’ll see the protocols and ports used. For the complete list of supported AWS regions, see the region list in the FAQ for Essential App Protect. Click the MANAGE REGIONS button to modify, add, or remove regions.

    _images/CS-EAP-Protect.Application-Manage.regions.png

    The MANAGE REGIONS table lets you add and remove regions as well as see the status of your existing regions.

    • Add: You can add additional regions using the Add button, which will bring out a slide panel allowing you to enter the region, endpoint, and HTTP/HTTPS ports.
    • Delete: Select any regions you want to remove and click the Delete button, or select Delete from the Kabob menu that appears at the right edge of each row when you hover.
    • Edit: Click the region’s name in the list, or select Edit from the Kabob menu that appears at the right edge of each row when you hover. This will bring out a slide panel allowing you to make changes to the region.
    • Filter All: Enter a filter string and the table will only show regions containing that string somewhere in the row. Filtering is not case sensitive. The filter will not search for multiple words individually, i.e. “asia east” will not match a row that contains “AWS: Asia Pacific (Hong Kong) ap-east-1”. The filter will not match port numbers.
    • Region status: This column shows whether the region is Active (taking traffic), Down (not taking traffic), or Deploying… (the region is still being created).
    • HTTP, HTTPS: These columns show the port(s) for the region. N/A means that region does not support that protocol. These columns also display green up or red down icons based on TCP checks of the configured ports.
  • COMPLIANCE & PRIVACY - Essential App Protect provides two general mechanisms for masking sensitive information, Data Guard and Sensitive Parameters, which are enabled or disabled with their associated checkboxes. In addition, each of these mechanisms has options of its own that are enabled or disabled with either checkboxes or combo boxes. To see or build your list of sensitive parameters, click Manage sensitive parameters. Then you can select from the list in the dropdown portion of each combo box, or enter your own sensitive parameters by typing the parameter’s name in the box and pressing the Enter/Return key for each entry. For more information on the compliance options, see the sensitive information topic in the FAQ for Essential App Protect.

If you make changes on this tab, press the Update button to save the changes.
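Both the Set up SSL/TLS step and the SSL/TLS CERTIFICATE entry above describe the same four inputs: a PEM certificate, its private key, a passphrase when that key is encrypted, and an optional chain of CA certificates. The following added example (not F5's code) is a pre-flight check of pasted material against exactly those requirements: it parses PEM framing, tells an encrypted key from a plain one, and reports the usual mistakes (key pasted into the chain field, truncated paste, corrupted base64). The sample blocks wrap constructed bytes, not real certificates or keys, and the check does not prove that the key matches the certificate; it only catches what the form would reject.

```python
"""Pre-flight check of certificate material before pasting it into the
SSL/TLS CERTIFICATE dialog (the same fields the Set up SSL/TLS step describes).

Added example, not F5's code. It checks only PEM framing: one certificate, one
private key, a passphrase when the key is encrypted, and a chain made of
certificates only. It does not prove the key matches the certificate."""
import base64
import binascii
import re
from typing import List, Optional, Tuple

# One PEM block: label, optional RFC 1421 headers, base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----[ \t]*\n(.*?)\n[ \t]*-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

Block = Tuple[str, str, bytes]   # (label, headers, DER bytes)


def parse_pem(text: str) -> List[Block]:
    """Every PEM block in text; raises ValueError when a body is not base64."""
    blocks: List[Block] = []
    for m in PEM_BLOCK.finditer(text.replace("\r\n", "\n")):
        label, body = m.group(1), m.group(2)
        headers, b64 = "", body
        if ":" in body.split("\n", 1)[0]:      # e.g. "Proc-Type: 4,ENCRYPTED" (base64 has no ':')
            headers, _, b64 = body.partition("\n\n")
        try:
            der = base64.b64decode("".join(b64.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{label} block: body is not valid base64 ({exc})")
        blocks.append((label, headers, der))
    return blocks


def is_encrypted_key(label: str, headers: str) -> bool:
    """PKCS#8 encrypted keys use their own label; PKCS#1/SEC1 keys signal it in headers."""
    return label == "ENCRYPTED PRIVATE KEY" or "ENCRYPTED" in headers.upper()


def _blocks(field: str, text: str, problems: List[str]) -> Optional[List[Block]]:
    try:
        blocks = parse_pem(text)
    except ValueError as exc:
        problems.append(f"{field}: {exc}")
        return None
    if "-----BEGIN" in text and not blocks:
        problems.append(f"{field}: no well-formed PEM block found (check the BEGIN/END lines)")
        return None
    return blocks


def check_upload(cert_pem: str, key_pem: str, chain_pem: str = "",
                 passphrase: str = "") -> List[str]:
    """Problems the certificate dialog would reject; an empty list means the
    material is structurally what the form expects."""
    problems: List[str] = []
    certs = _blocks("certificate", cert_pem, problems)
    keys = _blocks("private key", key_pem, problems)
    chain = _blocks("chain", chain_pem, problems)
    if certs is not None and [b[0] for b in certs] != ["CERTIFICATE"]:
        problems.append(f"certificate: expected exactly one CERTIFICATE block, found {[b[0] for b in certs]}")
    if keys is not None:
        if len(keys) != 1 or keys[0][0] not in KEY_LABELS:
            problems.append(f"private key: expected exactly one private key block, found {[b[0] for b in keys]}")
        elif is_encrypted_key(keys[0][0], keys[0][1]) and not passphrase:
            problems.append("private key: the key is encrypted, so the passphrase field is required")
    if chain is not None and chain_pem.strip():
        if not chain or any(b[0] != "CERTIFICATE" for b in chain):
            problems.append("chain: the chain field may only contain CERTIFICATE blocks (intermediate and root CAs)")
    return problems


def constructed_block(label: str, payload: bytes, headers: str = "") -> str:
    """Wrap constructed bytes in PEM framing. Not a real certificate or key:
    only the framing is exercised here."""
    b64 = base64.encodebytes(payload).decode()            # 76-char lines, trailing newline
    head = f"{headers}\n\n" if headers else ""
    return f"-----BEGIN {label}-----\n{head}{b64}-----END {label}-----\n"


# Constructed sample material (arbitrary bytes, not real X.509 or key encodings).
CERT = constructed_block("CERTIFICATE", bytes(range(64)))
KEY = constructed_block("PRIVATE KEY", bytes(48))
ENCRYPTED_KEY = constructed_block(
    "RSA PRIVATE KEY", bytes(48),
    "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF")
CHAIN = constructed_block("CERTIFICATE", bytes(32)) + constructed_block("CERTIFICATE", bytes(32))

if __name__ == "__main__":
    print(check_upload(CERT, KEY, CHAIN))          # []
    print(check_upload(CERT, ENCRYPTED_KEY))       # passphrase required
    print(check_upload(CERT, KEY, KEY))            # key pasted into the chain field
```

Run it on the files you are about to upload (read each into a string) and fix whatever it lists before opening the dialog; a clean result means the inputs are at least the right shape, after which the service's own validation of the key/certificate pair still applies.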


Protect Application - High-risk Attack Mitigation

High-Risk Attack Mitigation evaluates incoming requests and calculates the likelihood that each one is actually an attack. It does this based on the types of violations that are shown, and enabled or disabled, on this tab. The settings available on this tab are listed below.

_images/CS-EAP-Protect.Application-Hi.risk.Attack.Mitigation.png

  • Turn on checkbox: The entire category of high-risk attack mitigation can be enabled or disabled using the checkbox at the top. If it is checked (turned on), then the Mode can be set to either Monitoring (show the threat but don’t take action) or Blocking (block all threats detected). For more information about monitoring vs blocking, see the Monitoring vs. Blocking topic in the FAQ for Essential App Protect.

  • ATTACK SIGNATURES are rules or patterns that identify attacks or classes of attacks on a web application and its components. A security policy compares patterns in the attack signatures against the contents of requests and responses looking for potential attacks. Some of the signatures are designed to protect specific operating systems, web servers, databases, frameworks or applications. For more details, see the Attack Types section in the Security Details document.

  • GEOLOCATION ENFORCEMENT gives you options for denying requests from certain countries. You can either deny requests from OFAC-sanctioned countries or you can deny requests from a list of countries that you create (which can be empty). Click Manage countries to add or delete denied countries from your list.

  • DISALLOWED FILE TYPES allow you to block access to certain file types. The scroll list shows common file types that you can block (checked box) or allow (unchecked box). Click Manage file types to add or delete other file types not listed.

  • IP ENFORCEMENT allows you to grant or deny access to your application from specific IP addresses. This is analogous to an “allow list” and/or a “deny list.” IP addresses listed here and their selected options will override any other options or settings for those IP addresses, such as in the Malicious IP tab. Click Manage rules to add and/or see the IP addresses listed and set options for each of them.

    _images/CS-EAP-Protect.Application-Hi.risk-IP.enforcement.png
    • IP Address/CIDR - enter the IP address you want affected. If you want to cover a range of IP addresses, you can include a CIDR block.
    • IP Action - Block will deny access to all traffic (denylist), and Allow will allow all traffic (allowlist). Selecting Ignore Malicious IP means that you want to allow requests from this IP, even though it might be labeled malicious, but you still want to block attacks that might come from this IP.
    • Description - Enter a descriptive name or phrase to help you identify the IP address.
    • Event Logging - Check the box if you want all events from the IP address logged and viewable by clicking on the VIEW EVENTS card.
  • PROTOCOL COMPLIANCE ENFORCEMENT

    • HTTP verifies the HTTP request is properly formed. Malformed HTTP requests can be used to bypass proxy filters, poison caches, or cause the response from one request to be incorrectly matched with another; Ref: OWASP HTTP.
    • API enforces proper XML requests. The system checks that the request contains XML data that is well-formed, according to W3C standards. Sending a document which the application was not expecting to handle can result in various attacks, like denial of service.
  • METHOD ENFORCEMENT governs the use of specific HTTP request methods. By default, Essential App Protect allows GET, HEAD, and POST methods.

If you make changes on this tab, press the Update button to save the changes.
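The PROTOCOL COMPLIANCE ENFORCEMENT items above name two checks without showing what they reject. The added example below (not F5's code; the precise rules the service applies are not on this page) is a small validator of the standard kind: HTTP/1.x framing (request line, header syntax, bare line feeds, a Host header on HTTP/1.1, and the conflicting or duplicated Content-Length / Transfer-Encoding combinations that let two parsers disagree about where a message ends) and XML well-formedness, with DOCTYPE declarations refused because internal entity expansion is the classic XML denial-of-service vector. All requests in it are constructed.

```python
"""Request-conformance checks of the kind PROTOCOL COMPLIANCE ENFORCEMENT applies.

Added example, not F5's code: a small validator for HTTP/1.x framing and XML
well-formedness, run over constructed requests. The exact rules the service
applies are not documented on this page; these are the standard ones."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# RFC 7230 "token" characters, used for methods and header names.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
VERSIONS = ("HTTP/1.0", "HTTP/1.1")


def check_http_request(raw: bytes) -> List[str]:
    """Return the framing problems found in one raw HTTP/1.x request (empty = OK)."""
    problems: List[str] = []
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["headers are not terminated by an empty CRLF line"]
    try:
        text = head.decode("ascii")
    except UnicodeDecodeError:
        return ["non-ASCII bytes in the request line or headers"]
    if "\n" in text.replace("\r\n", ""):
        problems.append("bare LF used as a line terminator")
    lines = text.replace("\r\n", "\n").split("\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not TOKEN.match(parts[0]) or parts[2] not in VERSIONS:
        problems.append(f"malformed request line: {lines[0]!r}")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not TOKEN.match(name):      # catches "Bad Header: v" and " Host: x" (obs-fold)
            problems.append(f"malformed header line: {line!r}")
            continue
        headers.setdefault(name.lower(), []).append(value.strip())
    if parts[-1] == "HTTP/1.1" and "host" not in headers:
        problems.append("HTTP/1.1 request without a Host header")
    cl = headers.get("content-length", [])
    if len(set(cl)) > 1:
        problems.append(f"conflicting Content-Length values {cl}")
    elif cl and not cl[0].isdigit():
        problems.append(f"non-numeric Content-Length {cl[0]!r}")
    if cl and "transfer-encoding" in headers:
        # Two framing mechanisms at once: an upstream proxy and the origin may pick different ones.
        problems.append("both Content-Length and Transfer-Encoding present; message framing is ambiguous")
    elif cl and cl[0].isdigit() and len(set(cl)) == 1 and int(cl[0]) != len(body):
        problems.append(f"Content-Length {cl[0]} does not match body length {len(body)}")
    return problems


def check_xml_body(body: bytes) -> List[str]:
    """Well-formedness check for an XML request body; DOCTYPEs are refused outright
    because internal entity declarations are the classic XML denial-of-service vector."""
    if b"<!DOCTYPE" in body:
        return ["XML body declares a DOCTYPE"]
    try:
        ET.fromstring(body)
    except ET.ParseError as exc:
        return [f"XML body is not well-formed: {exc}"]
    return []


# Constructed sample requests.
XML_BODY = b"<order><id>7</id><qty>2</qty></order>"
GOOD = (b"POST /api/orders HTTP/1.1\r\nHost: app.example.com\r\n"
        b"Content-Type: application/xml\r\nContent-Length: %d\r\n\r\n" % len(XML_BODY)
        + XML_BODY)
AMBIGUOUS = (b"POST /api/orders HTTP/1.1\r\nHost: app.example.com\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
BAD_HEADER = b"GET /x HTTP/1.1\r\nBad Header: v\r\n\r\n"
BAD_LINE = b"GET /x\r\nHost: app.example.com\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("good", GOOD), ("ambiguous", AMBIGUOUS),
                      ("bad header", BAD_HEADER), ("bad line", BAD_LINE)]:
        print(name, check_http_request(req))
    print(check_xml_body(XML_BODY), check_xml_body(b"<a><b></a>"))
```

A request that trips any of these checks is one where the WAF, a cache and the origin could each see a different message, which is exactly the ambiguity the OWASP reference above is about; rejecting it in Blocking mode, or logging it in Monitoring mode, removes that disagreement.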

Protect Application - Malicious IP

A malicious IP is an IP address or security category associated with malicious activity. Turning on the Malicious IP service enhances automated security decisions with IP reputation intelligence. IP Intelligence Services can incorporate dynamic lists of threatening IP addresses from third parties into the F5 Cloud Services platform, adding context and automation to WAF mitigation decisions. IP Intelligence Services are available as an add-on service. A detailed list of the Malicious IP Categories can be found in the security details page.

_images/CS-EAP-Protect.Application-Malicious.IP.png

The actions you can take on the Malicious IP tab are shown below:

  • Turn on checkbox: The entire category of malicious IP enforcement can be enabled or disabled using the checkbox at the top. If it is enabled (turned on), then the Mode can be set to either Monitoring (show the threat but don’t take action) or Blocking (block all threats detected). For more information about monitoring vs blocking, see the Monitoring vs. Blocking topic in the FAQ for Essential App Protect.

  • The list box shows the different Malicious IP categories. This allows you to have different settings for each malicious IP category. Details for each category are shown below.

    Malicious IP category Description
    anonymous_proxies IP addresses that are associated with web proxies that shield the originator’s IP address (such as proxy and anonymization services).
    bot_nets IP addresses of computers that are infected with malicious software (Botnet Command and Control channels, and infected zombie machines) and are controlled as a group by a Bot master, and are now part of a botnet. Hackers can exploit botnets to send spam messages, launch various attacks, or cause target systems to behave in other unpredictable ways.
    cloud_services IP addresses and networks that belong to cloud providers, which offer services hosted on their servers via the Internet.
    denial_of_service IP addresses that have launched denial-of-service (DoS) attacks, distributed denial-of-service (DDoS) attacks, anomalous SYN flood attacks, or anomalous traffic detection. These attacks are usually requests for legitimate services, but occur at such a fast rate that targeted systems cannot respond quickly enough and become bogged down or unable to service legitimate clients.
    infected_sources Active IP addresses that issue HTTP requests with a low reputation index score, or that are known malicious web sites offering or distributing malware, shell code, rootkits, worms, or viruses.
    mobile_threats IP addresses of malicious and unwanted mobile applications.
    phishing_proxies IP addresses that host phishing sites, and other kinds of fraud activities, such as ad click fraud or gaming fraud.
    scanners IP addresses that are involved in reconnaissance, such as probes, host scan, domain scan, and password brute force, typically to identify vulnerabilities for later exploits.
    spam_sources IP addresses tunneling spam messages through proxy, anomalous SMTP activities and forum spam activities.
    tor_proxies IP addresses acting as exit nodes for the Tor Network. Exit nodes are the last point along the proxy chain and make a direct connection to the originator’s intended destination.
    web_attacks IP addresses involved in cross site scripting, iFrame injection, SQL injection, cross domain injection, or domain password brute force.
    windows_exploits Active IP addresses that have exercised various exploits against Windows resources by offering or distributing malware, shell code, rootkits, worms, or viruses using browsers, programs, downloaded files, scripts, or operating system vulnerabilities.

If you make changes on this tab, press the Update button to save the changes.
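The IP ENFORCEMENT entries on the High-risk tab and the categories on this Malicious IP tab interact, and the text only states the rule in prose: enforcement entries override the Malicious IP settings, Ignore Malicious IP skips reputation but not attack signatures, and each tab's mode decides whether a hit is blocked or merely shown. The added example below (not F5's code) is a small policy evaluator written from that description so the combinations can be tried on constructed requests. Treating the most specific CIDR as the winning enforcement entry, and the way Allow bypasses the signature check, are my reading of the text rather than documented behaviour.

```python
"""How the IP ENFORCEMENT rules, the Malicious IP categories and the
Monitoring/Blocking modes combine for one request.

Added example, not F5's code. The precedence below is my reading of the
text above (IP Enforcement entries override the Malicious IP tab; "Ignore
Malicious IP" skips reputation but not attack signatures; the most specific
CIDR wins); the sample rules and requests are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

MODES = ("Off", "Monitoring", "Blocking")


@dataclass
class IpRule:
    cidr: str                 # single address or CIDR block, as in the dialog
    action: str               # "Block" | "Allow" | "Ignore Malicious IP"
    description: str = ""
    event_logging: bool = False

    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.cidr, strict=False)


@dataclass
class Policy:
    ip_rules: List[IpRule]
    malicious_ip_mode: str                  # Malicious IP tab
    malicious_ip_categories: Set[str]       # categories switched on in that tab
    high_risk_mode: str                     # High-risk Attack Mitigation tab


@dataclass
class Request:
    source_ip: str
    reputation: Tuple[str, ...] = ()        # categories the IP intelligence feed attached
    attack_signature: Optional[str] = None  # signature matched by high-risk mitigation


@dataclass
class Decision:
    verdict: str       # "allow" | "monitor" | "block"
    reason: str
    logged: bool       # would show up under VIEW EVENTS


def _enforce(mode: str, reason: str) -> Optional[Decision]:
    """Turn a detected threat into a verdict according to the tab's mode."""
    if mode == "Blocking":
        return Decision("block", reason, True)
    if mode == "Monitoring":
        return Decision("monitor", reason, True)   # shown in VIEW EVENTS, request passes
    return None                                    # Off: threat not even reported


def matching_rule(policy: Policy, ip: ipaddress.IPv4Address) -> Optional[IpRule]:
    """Most specific IP Enforcement rule covering ip (longest prefix wins; assumption)."""
    hits = [r for r in policy.ip_rules if ip in r.network()]
    return max(hits, key=lambda r: r.network().prefixlen) if hits else None


def evaluate(policy: Policy, req: Request) -> Decision:
    ip = ipaddress.ip_address(req.source_ip)
    rule = matching_rule(policy, ip)
    logged = bool(rule and rule.event_logging)
    if rule and rule.action == "Block":
        return Decision("block", f"IP enforcement deny list: {rule.cidr} ({rule.description})", True)
    if rule and rule.action == "Allow":
        return Decision("allow", f"IP enforcement allow list: {rule.cidr} ({rule.description})", logged)
    ignore_reputation = bool(rule and rule.action == "Ignore Malicious IP")
    flagged = sorted(set(req.reputation) & policy.malicious_ip_categories)
    if flagged and not ignore_reputation:
        hit = _enforce(policy.malicious_ip_mode, f"malicious IP categories {flagged}")
        if hit:
            return hit
    if req.attack_signature:
        hit = _enforce(policy.high_risk_mode, f"attack signature: {req.attack_signature}")
        if hit:
            return hit
    return Decision("allow", "no rule or threat matched", logged)


# Constructed policy: a blocked range with one allow-listed host inside it, and an
# egress range whose reputation is deliberately ignored but still logged.
POLICY = Policy(
    ip_rules=[
        IpRule("198.51.100.0/24", "Block", "former partner range"),
        IpRule("198.51.100.200", "Allow", "partner's remaining API host"),
        IpRule("203.0.113.0/24", "Ignore Malicious IP", "our own egress behind a VPN", True),
    ],
    malicious_ip_mode="Blocking",
    malicious_ip_categories={"scanners", "tor_proxies", "web_attacks"},
    high_risk_mode="Blocking",
)

if __name__ == "__main__":
    for req in (Request("198.51.100.7"), Request("198.51.100.200", ("scanners",), "SQL injection"),
                Request("203.0.113.5", ("tor_proxies",)), Request("203.0.113.5", ("tor_proxies",), "XSS")):
        print(req.source_ip, evaluate(POLICY, req))
```

The case worth checking in your own rules is the third one: an Ignore Malicious IP entry keeps reputation-based blocking from cutting off your own egress (a VPN exit that shares an address with a Tor category, for instance) while an attack signature from that same address is still blocked.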


Protect Application - Threat Campaigns

Threat Campaigns provide targeted signatures to protect organizations from pervasive attacks that are often coordinated by organized crime and nation states. Based on F5 Labs research, Threat Campaigns provide critical intelligence to fingerprint and mitigate sophisticated attacks with nearly real-time updates.

The Threat Campaign tab allows you to tell Essential App Protect how to deal with these types of threats. Because there are hundreds of different campaigns, Essential App Protect provides different ways to look at and filter the list. The actions you can take are listed below.

_images/CS-EAP-Protect.Application-Threat.Campaigns.png

  • Turn on checkbox: The entire category of Threat Campaign enforcement can be enabled or disabled using the checkbox at the top. If it is enabled (turned on), then the Mode can be set to either Monitoring (show the threat but don’t take action) or Blocking (block all threats detected). For more information about monitoring vs blocking, see the Monitoring vs. Blocking topic in the FAQ for Essential App Protect.
  • Filter the table to see only campaigns that include a specific word or phrase. Filtering is not case sensitive. The filter will not search for multiple words individually, i.e. “remote include” will not match a row that contains “Remote File Include”; however, “file include” will match “Remote File Include”, but it will exclude rows that contain “File <anything but Include>”.
  • Enable checkbox allows you to check or uncheck all the row checkboxes at once. The Enable checkbox has three states: blue with check means all rows are checked, blue with dash means there is a mix of checked and unchecked rows, and empty means all rows are unchecked.
  • Enable or disable individual threat campaigns with the checkbox in each row of the table. If you have disabled some campaigns and want to turn them all back on, simply check the Enable checkbox in the table header to enable all campaigns in the list.
  • Sort columns by clicking on column header.

If you make changes on this tab, press the Update button to save the changes.


Protect Application - DNS Settings

The DNS Settings tab helps with the update or addition of your CNAME record in your DNS settings.

_images/CS-EAP-Protect.Application-DNS.Settings.png

Step 1. Copy this CNAME: The CNAME value shown is the specific URL for protecting your application. It is essentially your copy of Essential App Protect. By creating a CNAME record, you’ll be directing all traffic to your application to first go through this URL for verification.

Step 2. Update your CNAME record: The details for this step will be dependent on your hosting provider. Generally, you are modifying your application’s zone records, which are used for DNS. Your hosting provider will provide the tools to do this; look for DNS Records, Manage DNS, Zone Editor, or something similar. When creating the CNAME record, you’ll enter two key fields:

  1. Name: think of this as what someone would type into a browser to get to your application
  2. Value: the URL for your copy of Essential App Protect (the CNAME shown in Step 1)

Step 3. Wait for propagation: Resolvers around the world cache your old record until its time-to-live (TTL) expires, so the new CNAME is not seen everywhere at once.

Note

This process can take up to 72 hours, but it is typically much faster.

Step 4. Test: Click the Test updated DNS button to verify that your CNAME change is correct. This test will be successful when you have correctly added the CNAME record and it has propagated globally.
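Rather than relying only on the Test updated DNS button, you can check the record yourself from any machine. The following is an added example, not code from F5 or the Essential App Protect service: it builds a CNAME query in DNS wire format (RFC 1035), parses the reply including compressed names, and compares the target with the value copied in Step 1. The hostnames app.example.com and abc123.waf.example.net, the use of 8.8.8.8 as the resolver, and the sample reply built by build_response are all assumptions for illustration.

```python
# Added example (not F5's code): verify the CNAME for a protected hostname
# yourself by speaking DNS wire format (RFC 1035). Hostnames are hypothetical.
import secrets
import socket
import struct

QTYPE_CNAME, QCLASS_IN = 5, 1


def encode_name(name):
    """'app.example.com' -> b'\\x03app\\x07example\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad DNS label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, txid):
    """12-byte header (RD=1, one question) plus a CNAME question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_CNAME, QCLASS_IN)


def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it).
    A length byte with the top two bits set is a pointer to an earlier
    position: follow it, but advance the caller only past the 2-byte pointer."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            end = offset + 2 if end is None else end
            hops += 1
            if hops > 16:  # refuse pointer loops rather than spin forever
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_cname_answer(msg, txid):
    """Return the lower-cased CNAME target from a response, or None."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    if (flags & 0x000F) != 0:
        return None  # RCODE != 0 (e.g. NXDOMAIN): no record to check
    offset = 12
    for _ in range(qdcount):
        _, offset = read_name(msg, offset)
        offset += 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        _, offset = read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_CNAME and rclass == QCLASS_IN:
            return read_name(msg, offset)[0].lower()
        offset += rdlen
    return None


def cname_matches(msg, txid, expected_target):
    """True when the response's CNAME equals the value from the portal."""
    target = parse_cname_answer(msg, txid)
    return target is not None and target == expected_target.rstrip(".").lower()


def build_response(query_name, target, txid=0x1234, rcode=0):
    """Constructed reply for offline testing: one CNAME answer whose owner
    name is a compression pointer (0xC00C) back to the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, 0 if rcode else 1, 0, 0)
    question = encode_name(query_name) + struct.pack("!HH", QTYPE_CNAME, QCLASS_IN)
    if rcode:
        return header + question
    rdata = encode_name(target)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_CNAME, QCLASS_IN, 300, len(rdata))
    return header + question + rr + rdata


def resolve_cname(name, resolver="8.8.8.8", timeout=3.0):
    """Ask a live resolver (network required) for the CNAME of name."""
    txid = secrets.randbelow(1 << 16)  # unpredictable id: a basic anti-spoofing check
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_cname_answer(data, txid)
```

To check a live record, compare resolve_cname("app.example.com") with the value shown in Step 1, or query several public resolvers in turn: a None result from one resolver while another already returns the new target is the caching delay described in Step 3, not an error in your record. A reply whose transaction ID does not match is discarded with an exception rather than trusted.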


Protect Application - JSON Configuration

Sometimes it is convenient to see an entire Essential App Protect configuration at once. Use the JSON Configuration tab to view and edit the configuration for this service instance (visit json.org for more information on the JSON format). This is convenient for making quick edits, or for copying an entire security policy from one service instance to another.

_images/CS-EAP-Protect.Application-JSON.Configuration.png

The JSON window is a basic editor allowing you to view, scroll, and make changes to the configuration.

  • Click the small arrows next to the line numbers to expand or collapse sections of the JSON.
  • The standard cut and copy functions (Ctrl+X/Command+X, Ctrl+C/Command+C) will cut or copy selected text (collapsed sections are expanded in the cut/copied text).
  • The standard paste function (Ctrl+V/Command+V) will insert cut/copied text or overwrite highlighted text.
  • An error marker (red box containing ‘X’) will appear next to a line number if there is a syntax error on this line (sometimes caused by the preceding line).

If you have made changes to the JSON and want those changes to modify your protection settings, click the Update button.


View Events

Security Incidents Events

The VIEW EVENTS data card provides an overview of events logged and/or blocked based on your security policy.

_images/CS-EAP-View.Events.Card.png

Clicking the card header or the Security row shows the list of recent security incidents along with details for each. You can also click the Service row to see the list of configuration events, which are changes to your Essential App Protect service settings.

_images/CS-EAP-View.Events.png

Actions you can take with the table:

  • The Timeframe menu in the upper right allows you to specify the time period to cover within the table. You have a number of options from Last 5 mins to Last 30 days as well as an option to +Create a custom time range.

  • A Refresh button is next to the time frame menu that allows you to refresh the display to get the latest incidents. There is also a pull-down arrow next to it that allows you to set an automatic refresh rate. For example, choosing 30 Sec will turn the refresh button into a countdown timer with a 30 second scale. When the countdown completes, the screen refreshes with the latest data, and the countdown resets.

  • Export all allows you to export all of the security incidents in the table to a CSV, JSON, or XLS file. The resulting file contains all information for each incident, including the full request and the violation details. The export does not take into account any filter you have applied to the table.

  • Filter the table to see only events whose text contains a specific word or phrase. Filtering is not case sensitive, and the filter matches what you type as one phrase rather than as separate words: “illegal type” will not match a row containing “Illegal File type”, while “illegal file” will match it (and will not match rows containing “Illegal” followed by anything other than “File”).

  • Sort a column by clicking its header.

  • The kabob menu (three vertical dots) that appears at the right edge of a row when you hover over it gives four options for an event:

    • Always allow this IP - Adds the IP address from this row to the IP Enforcement Rules with the IP Action set to Allow. All traffic from that address then bypasses every protection capability in Essential App Protect, so this is the equivalent of allowlisting the address and should be used only for addresses you trust. For more information on managing this list, see the IP Enforcement topic under the High-risk Attack Mitigation section.
    • Always block this IP - Adds the IP address from this row to the IP Enforcement Rules with the IP Action set to Block, so no request from that address reaches your application. This is the equivalent of denylisting the address. For more information on managing this list, see the IP Enforcement topic under the High-risk Attack Mitigation section.
    • Mark as exception - Use this option to tell Essential App Protect that this type of event should not be blocked.
    • View full request - This brings up a separate browser tab showing all the details of the request associated with this row. See below.
  • Click on any row to see a more detailed view of the request in a slide panel on the right side of the table.

    _images/CS-EAP-View.Events-Details.png

    In the slide panel, you can:

    • Use the Source IP Address dropdown to either always allow or always block this IP address in accordance with the IP Enforcement Rules. For more information on IP Enforcement Rules, see the IP Enforcement topic under the High-risk Attack Mitigation section.
    • View full request - This brings up a separate browser tab showing all the details of the request. For High-risk events, this page will also show the ID of the signature that was detected. Clicking on the ID will bring up the Security Details page and show more information about that specific signature in the Attack Signatures table.
    _images/CS-EAP-View.Events-View.Full.Request.png

Service-specific Events

The Service-specific tab in the EVENTS workspace shows changes made to your service configuration. It provides a record of every change, shows who made each change and when, and lets you roll back to a previous service configuration. The most recent event in the list represents the current state of your service instance.

At the top of the table is a filter that helps you see only certain types of events. For instance, if you notice that a sensitive parameter is no longer being masked and you want to see who made that change and when, enter “sensitive” into the filter and the table will show only entries containing “sensitive”. The filter is not case sensitive and applies across all columns, so you can, for example, see all changes made by a specific user by entering a unique portion of their username.

Each column has a column header. Clicking on the column header name will cause the table to be sorted alphabetically by that column. Clicking on the column header again will reverse the sorting. Sorting works in context with filtered content, so you can sort all changes made by a specific user.

_images/CS-EAP-View.Events-Service.Specific.png
  • Export all allows you to export all of your configuration changes to a CSV, JSON, or XLS file. The resulting file contains all information for each event shown in the table, but not the configuration contents available in the slide panel that opens when you click a configuration row.

  • Filter the table to see only events whose text contains a specific word or phrase. Filtering is not case sensitive, and the filter matches what you type as one phrase rather than as separate words: “illegal type” will not match a row containing “Illegal File type”, while “illegal file” will match it (and will not match rows containing “Illegal” followed by anything other than “File”).

  • Sort a column by clicking its header.

  • Click on a Configuration row to see that version of the configuration in a slide panel on the right side of the table.

    _images/CS-EAP-View.Events-Service.Specific-Apply.this.version.png
  • Apply this version - Copies the entire service configuration shown in the configuration window to your service instance, effectively rolling back any changes any user made since that version. It also creates a new Service-specific event recording that you applied this configuration. Applying a version has no effect on System type events, so rolling back to a previous configuration will not remove attack signature updates.

  • Copy/Paste - The configuration window supports the Copy function (Ctrl+C/Command+C), allowing you to copy some or all of your configuration and paste the contents elsewhere. The configuration window is read-only, so you cannot modify its contents.
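Both the JSON Configuration tab and Apply this version replace the whole policy at once, so it pays to know exactly what will change before pressing Update, and to catch a syntax error before the editor's red marker does. The following added example (not code from F5 or the Essential App Protect service) checks pasted text for JSON syntax errors, reporting the line and column, and lists every field that differs between two configuration versions, such as the current JSON and a version copied from the Service-specific events window. The field names in SAMPLE_OLD and SAMPLE_NEW (name, mode, ip_rules) are hypothetical and are not the real Essential App Protect schema.

```python
# Added example (not F5's code): check a pasted policy for syntax errors and
# list what differs between two configuration versions before pressing Update
# or Apply this version. Field names used here are hypothetical, not the real
# Essential App Protect schema.
import json


def check_syntax(text):
    """Return None if text is valid JSON, else (line, column, message)."""
    try:
        json.loads(text)
    except json.JSONDecodeError as err:
        return err.lineno, err.colno, err.msg
    return None


def json_diff(old, new, path="$"):
    """Yield (path, kind, old_value, new_value) for each leaf that differs.
    Lists are compared by position, so a reordered entry shows as a change."""
    if isinstance(old, dict) and isinstance(new, dict):
        for key in sorted(set(old) | set(new)):
            sub = "%s.%s" % (path, key)
            if key not in old:
                yield sub, "added", None, new[key]
            elif key not in new:
                yield sub, "removed", old[key], None
            else:
                yield from json_diff(old[key], new[key], sub)
    elif isinstance(old, list) and isinstance(new, list):
        for i in range(max(len(old), len(new))):
            sub = "%s[%d]" % (path, i)
            if i >= len(old):
                yield sub, "added", None, new[i]
            elif i >= len(new):
                yield sub, "removed", old[i], None
            else:
                yield from json_diff(old[i], new[i], sub)
    elif old != new:
        yield path, "changed", old, new


def review_changes(old_text, new_text):
    """Parse both versions (failing loudly on bad JSON) and return the differences."""
    for label, text in (("old", old_text), ("new", new_text)):
        problem = check_syntax(text)
        if problem:
            raise ValueError("%s config: line %d col %d: %s" % ((label,) + problem))
    return list(json_diff(json.loads(old_text), json.loads(new_text)))


def format_changes(changes):
    """One line per difference, suitable for a change ticket or review note."""
    return ["%-8s %s: %r -> %r" % (kind, path, old, new) for path, kind, old, new in changes]


# Constructed sample versions with hypothetical field names.
SAMPLE_OLD = """{
  "name": "shop-prod",
  "mode": "monitoring",
  "ip_rules": [{"ip": "203.0.113.5", "action": "block"}]
}"""
SAMPLE_NEW = """{
  "name": "shop-prod",
  "mode": "blocking",
  "ip_rules": [{"ip": "203.0.113.5", "action": "allow"},
               {"ip": "198.51.100.9", "action": "block"}]
}"""
```

Running format_changes(review_changes(SAMPLE_OLD, SAMPLE_NEW)) lists the flipped enforcement mode, the IP rule that changed from block to allow, and the newly added rule; a change such as an address moving from Block to Allow is exactly what you want to see spelled out before a version is applied to a service instance.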


Worldwide Threat Map

To see the worldwide threat campaigns, use the View: dropdown (below the user information in the top right of the Cloud Services window) and select WorldWide Threat Map.

_images/CS-EAP-Worldwide.Threats.png

The left side of the map shows an overview of the activity seen over the past 24 hours. It also shows a list of the recent threat campaigns detected. To see the full list, click + Show all. If you don’t have any protected applications yet, you will also see some getting started information and the Start protecting your application button to set up Essential App Protect for an application. For details on how to do this, refer to the Set up the Essential App Protect Service section.

Try these map features:

  • Attack details - Hover over any of the threat icons on the map to get more details regarding that location.
  • Expand attack clusters - If more than one attack of the same type in the same region appears, the icon shows them as a cluster with the number of attackers included. The icon will appear larger based on the number of attackers. You can click on the number icon to zoom into that area and examine the individual actors. To zoom out again, click the blue circle with the minus sign in it in the upper right corner of the map.
  • Pan and zoom - You can pan the map by clicking the mouse anywhere on the map and dragging. This is especially useful when the map is zoomed in. You can zoom the map by clicking on an attack cluster (mentioned above) if any are displayed.