Work with the F5 Essential App Protect Service

Essential App Protect provides instant, out-of-the-gate protection from common web exploits, malicious IPs and coordinated attack types. This document will show you how to set up Essential App Protect and how to use it once protection is active.

Set up the Essential App Protect Service

The Essential App Protect Service can be set up using either the API or the portal through a series of forms. Setup instructions using the API can be found in the API Guidelines document, Section 6. To set up the Essential App Protect Service with the UI, follow the steps below:

1. Go to the Essential App Protect Service

On Your F5 Cloud, click the Essential App Protect tab in the Cloud Services navigation menu. Since you don’t have any protected applications, you will see the WorldWide Threat Map view.

2. Provide application details

On the WorldWide Threat Map view, click the Start protecting your application button. This will show a multi-step slide panel on the right side of the screen. Enter the following fields:

  • Fully Qualified Domain Name (FQDN) - This is the domain you wish to protect.
  • Name this application - This is how Essential App Protect will refer to this instance of the service. For example, this is the name you will select in the View menu to see this service.
  • Add a description (optional) - Add a longer, more detailed description of this service.
  • Choose an application encoding - This tells Essential App Protect which type of characters are used for your application. If you’re not sure, use the default since over 90% use UTF-8.
_images/CS-EAP-Signup-App.png

When you are finished, press Save & Continue.

3. Confirm endpoints and regions

Essential App Protect will look for the FQDN you entered and show you the results. If this is correct, you can select the appropriate region for this IP endpoint.

Note

If you have multiple endpoints and multiple regions, you can add these later. See the multiple IP endpoints topic in the FAQ for Essential App Protect.

If you make changes on this tab, press the Update button to save the changes.

_images/CS-EAP-Signup-Confirm.Endpoints.png

Press Save & Continue to move to the next step.

4. Set up SSL/TLS

If your application encrypts data between server and browser (uses HTTPS), then you must add an SSL or a TLS certificate so that Essential App Protect can work with your application’s encrypted communications. You have the option to add the certificate later, but then you will only have protection when your site is used without encryption (uses HTTP).

To add a certificate, you can select an existing certificate from the dropdown menu, or there is an option to Add a new one at the bottom of the menu.

_images/CS-EAP-Signup-No.Certificate.png _images/CS-EAP-Signup-No.Certificate.Add.png

To add a new certificate, either paste your certificate and private key into the respective fields, or use the + select a file buttons to upload them from your computer. You must provide both a certificate and its associated private key. If your private key is encrypted with a passphrase, then you must also enter the passphrase. If you have multiple certificates including both root CAs and intermediate CAs forming a certificate chain, then you must check the Add a certificate chain (optional) checkbox and enter the chain into the field below it.

_images/CS-EAP-Signup-Certificate.png

Press Save & Continue to move to the next step.

5. Choose protection features

The APP PROTECT FEATURES step gives you the ability to enable the various methods of protection offered by Essential App Protect. Regardless of your choice, you can change the feature later by clicking on the PROTECT APPLICATION card on the Essential App Protect dashboard while viewing your protected application. You can get more details on each feature by clicking the view feature details button or one of the links below:

_images/CS-EAP-Signup-App.Protect.Features.png

6. Configure DNS

Your Essential App Protect instance has been created and it is ready to start protecting your application. The last step is to change your DNS settings so that all of your application’s traffic goes through your Essential App Protect instance. This is done by creating a CNAME record in the zone file for your application through your application’s hosting provider. For more information, see Protect Application - DNS Settings.

_images/CS-EAP-Signup-Set.up.DNS.png

After you’ve updated your DNS records, it can take up to 72 hours for the change to fully propagate, but it’s typically much faster. Once this process is complete, your application is actively protected by Essential App Protect.

7. Whitelist Essential App Protect

The last step is to ensure that all traffic reviewed and passing inspection in Essential App Protect can be successfully relayed to your application. To do this, you’ll need to whitelist the IP addresses used by Essential App Protect. All traffic coming from Essential App Protect to your application will come from one or more of the IP addresses listed below. Therefore, you should whitelist all the IP addresses listed for the regions you use. For maximum flexibility, you should whitelist all listed IP addresses. Additionally, if you want to ensure that no traffic to your application bypasses Essential App Protect, then you should only accept requests from these addresses.

Region zone       IP addresses
us-east-1         4.192.178.6, 52.70.78.148, 3.89.239.134
us-east-2         3.12.21.33, 3.136.204.72, 3.18.8.186
us-west-2         35.155.82.220, 52.12.226.166, 54.70.11.143
eu-central-1      3.126.252.37, 3.127.90.102, 52.58.211.135
eu-west-2         3.10.135.70, 35.176.145.242, 35.179.50.207
ap-northeast-1    13.114.106.40, 52.199.194.253, 54.95.59.57
ap-southeast-1    18.141.87.26, 52.221.8.87, 54.169.6.87
ap-southeast-2    13.238.204.166, 13.239.74.79, 13.55.30.15
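The following is an added example of how an origin could enforce the "only accept requests from these addresses" advice; it is not F5's code. The region table is copied from the list above; the region selection, the WSGI wrapper and the 403 response text are assumptions made for illustration.

```python
"""Origin-side allow-list built from the Essential App Protect relay addresses.

Added example, not F5's own code. The region table is the one documented in the
Whitelist step; everything else (region choice, WSGI wrapper) is an assumption.
"""
import ipaddress
from typing import FrozenSet, Iterable, Optional

# Relay addresses per region, as listed in the Whitelist step of this document.
EAP_RELAY_ADDRESSES = {
    "us-east-1": ["4.192.178.6", "52.70.78.148", "3.89.239.134"],
    "us-east-2": ["3.12.21.33", "3.136.204.72", "3.18.8.186"],
    "us-west-2": ["35.155.82.220", "52.12.226.166", "54.70.11.143"],
    "eu-central-1": ["3.126.252.37", "3.127.90.102", "52.58.211.135"],
    "eu-west-2": ["3.10.135.70", "35.176.145.242", "35.179.50.207"],
    "ap-northeast-1": ["13.114.106.40", "52.199.194.253", "54.95.59.57"],
    "ap-southeast-1": ["18.141.87.26", "52.221.8.87", "54.169.6.87"],
    "ap-southeast-2": ["13.238.204.166", "13.239.74.79", "13.55.30.15"],
}


def allowed_addresses(regions: Optional[Iterable[str]] = None) -> FrozenSet[ipaddress.IPv4Address]:
    """Return the relay addresses the origin should accept.

    With no regions given, every listed address is allowed (the document's
    "maximum flexibility" option); otherwise only the chosen regions' addresses.
    An unknown region name raises, so a typo cannot silently yield an empty list.
    """
    if regions is None:
        selected = list(EAP_RELAY_ADDRESSES.values())
    else:
        wanted = set(regions)
        unknown = wanted - EAP_RELAY_ADDRESSES.keys()
        if unknown:
            raise ValueError(f"unknown region(s): {sorted(unknown)}")
        selected = [EAP_RELAY_ADDRESSES[r] for r in sorted(wanted)]
    return frozenset(ipaddress.IPv4Address(a) for group in selected for a in group)


def is_eap_relay(peer_ip: str, allowed: FrozenSet[ipaddress.IPv4Address]) -> bool:
    """True if the TCP peer is one of the allowed Essential App Protect relay addresses.

    Parsing (rather than comparing strings) makes the check independent of
    formatting differences; anything that is not a valid IPv4 address is rejected.
    """
    try:
        return ipaddress.IPv4Address(peer_ip.strip()) in allowed
    except ValueError:
        return False


def require_eap_relay(app, allowed: FrozenSet[ipaddress.IPv4Address]):
    """WSGI middleware (assumed deployment) that rejects requests not relayed by the service.

    It checks REMOTE_ADDR, the real TCP peer, rather than X-Forwarded-For: a client
    that bypasses Essential App Protect controls every header it sends, so only
    the peer address can show whether the request actually came through the service.
    """
    def wrapped(environ, start_response):
        if not is_eap_relay(environ.get("REMOTE_ADDR", ""), allowed):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"direct access to the origin is not permitted\n"]
        return app(environ, start_response)
    return wrapped
```

A network-level allow-list (security group or firewall rule) in front of the origin provides the same guarantee without application changes; the middleware is a defence in depth for hosts where the network rules are not under your control.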

Dashboard

The Essential App Protect Service dashboard allows you to view the protection status of each of your protected applications and make adjustments to your protection settings as events change. To view the dashboard for an application, click Essential App Protect in the navigation menu and then select the desired application with the View: dropdown.

_images/CS-EAP-Monitor.Applications.png

The dashboard shows an overview of one protected application, as selected in the View: dropdown. The dashboard is structured with three data cards across the top and a workspace at the bottom. Clicking on a card changes the information shown in the workspace below the cards, but the cards themselves are always present at the top of the page to provide your security overview. Details for each of these cards are given below.

At the bottom of the View: dropdown is an option to show All my applications.

_images/CS-EAP-Dashboard-View.png

This will show your Essential App Protect Service instances for each of your applications along with their current status. You can create a new service instance to protect another application by clicking the Create button. For details on the service creation process, see the Set up the Essential App Protect Service section. You can also delete a service instance by checking the box to the left of the service and pressing the Delete button in the upper right.

_images/CS-EAP-Dashboard-View-All.my.applications.png

Monitor Application

The MONITOR APPLICATIONS data card shows an overview of the malicious requests received by the application. The histogram shows the history of malicious activity over the last two hours in five-minute increments. The donut chart shows the percentage of malicious requests blocked during the last time period as well as the specific numbers of blocked and not blocked requests.

_images/CS-EAP-Monitor.Applications.Card.png

Clicking on the card will show a world map in the workspace with more details on various malicious activity for the application. The legend area in the top left of the map shows some details of the protected application including the number of application endpoints. Below that are the different types of malicious actors that can be viewed on the map. The checkboxes enable you to view or hide each type of malicious actor, which can be helpful when there are many attacks occurring simultaneously.

_images/CS-EAP-Monitor.Applications.png

Try these map features:

  • Locate endpoint(s) - The concentric blue circle icon(s) shows your application endpoint(s) and location(s).
  • Quickly identify and mitigate attacks - Hover over any of the malicious actor icons on the map to get more details regarding that location. From there you can click on the View Incident button to go to the VIEW EVENTS card and then get specific details on the attack. Similarly click the View Settings button to go to the PROTECT APPLICATION card to view or change settings.
  • Get real-time threat updates - Yellow attack bars indicate active attack information. When the screen is first loaded, you will see attack bars from all malicious attackers who have attacked in the last five minutes. Subsequently, attack bars appear as new malicious attacks are detected.
  • Expand attack clusters - If more than one attack of the same type in the same region appears, the icon shows them as a cluster with the number of attackers included. The icon will appear larger based on the number of attackers. You can click on the number icon to zoom into that area and examine the individual actors. To zoom out again, click the blue circle with the minus sign in it in the upper right corner of the map.
  • Pan and zoom - You can pan the map by clicking the mouse anywhere on the map and dragging. This is especially useful when the map is zoomed in. You can zoom the map by clicking on an attack cluster (mentioned above) if any are displayed.

Below the map is a list of the detection events shown on the map.


Protect Application

The PROTECT APPLICATION card shows the current protection level for each of the categories of protection offered for an application. Each category can be either Off (not used), Monitoring (show the threat but don’t take action), or Blocking (block all threats). These and other protection settings and information can be accessed by clicking the PROTECT APPLICATION card.

_images/CS-EAP-Protect.Application.Card.png

The Protection Settings section has six tabs: General, Hi-risk Attack Mitigation, Malicious IP, Threat Campaigns, DNS Settings, and JSON configuration. Each tab is discussed in a section below.

_images/CS-EAP-Protect.Application.png

Protect Application - General

In the General tab, there are four sections as shown below:

  • APPLICATION DETAILS -
    • Fully Qualified Domain Name (FQDN): This is the protected application.
    • Application Encoding: The type of characters used for your application.
    • Application Display Name: This is the name Essential App Protect will use for your protected application. This name will be shown in the View: dropdown menu in the upper right corner of most Essential App Protect screens.
    • Description: Use this optional field to differentiate between like-named applications.
  • SSL CERTIFICATE - If your application encrypts data between server and browser (uses HTTPS), then this area will show the certificate you added when you set up Essential App Protect for this application.
  • DEPLOYED REGIONS - This section shows the AWS region(s) where your application is deployed. If your application has multiple IP endpoints, then you may have multiple regions listed. For each region, you’ll see the port used for communicating with the application and whether or not it is using TLS (Transport Layer Security). For the complete list of supported AWS regions, see the region list in the FAQ for Essential App Protect.
  • COMPLIANCE & PRIVACY - Essential App Protect provides two general mechanisms for masking sensitive information, Data Guard and Sensitive Parameters, which are enabled or disabled with their associated checkboxes. In addition, each of these mechanisms has options of its own that are enabled or disabled with either checkboxes or combo boxes. To see or build your list of sensitive parameters, click on Manage sensitive parameters. Then you can select from the list in the dropdown portion of each of the combo boxes, or you can enter your own sensitive parameters by typing the parameter’s name in the box and pressing the Enter/Return key for each entry. For more information on the compliance options, see the sensitive information topic in the FAQ for Essential App Protect.

If you make changes on this tab, press the Update button to save the changes.


Protect Application - High-risk Attack Mitigation

High-Risk Attack Mitigation evaluates each incoming request and calculates the likelihood that it is actually an attack. It does this based on the types of violations that are shown, and enabled or disabled, on this tab. The settings available on this tab are listed below.

_images/CS-EAP-Protect.Application-Hi.risk.Attack.Mitigation.png

  • Turn on checkbox: The entire category of high-risk attack mitigation can be enabled or disabled using the checkbox at the top. If it is checked (turned on), then the Mode can be set to either Monitoring (show the threat but don’t take action) or Blocking (block all threats detected).
  • ATTACK SIGNATURES are rules or patterns that identify attacks or classes of attacks on a web application and its components. A security policy compares patterns in the attack signatures against the contents of requests and responses looking for potential attacks. Some of the signatures are designed to protect specific operating systems, web servers, databases, frameworks or applications. For more details, see the Attack Types section in the Security Details document.
  • GEOLOCATION ENFORCEMENT gives you options for denying requests from certain countries. You can either deny requests from OFAC-sanctioned countries or you can deny requests from a list of countries that you create (which can be empty). Click Manage countries to add or delete denied countries from your list.
  • DISALLOWED FILE TYPES allow you to block access to certain file types. The scroll list shows common file types that you can block (checked box) or allow (unchecked box). Click Manage file types to add or delete other file types not listed.
  • IP ENFORCEMENT allows you to deny or grant access to your application from specific IP addresses. This is analogous to a “white list” and/or a “blacklist.” IP addresses listed here and their selected options will override any other options or settings for those IP addresses, such as in the Malicious IP tab. Click Manage rules to add and/or see the IP addresses listed and set options for each of them.
    • IP Address - enter the IP address you want affected.
    • IP Action - Block will deny all traffic from the address (blacklist), and Allow will allow all traffic from it (whitelist).
    • Description - Enter a descriptive name or phrase to help you identify the IP address.
    • Event Logging - Check the box if you want all events from the IP address logged and viewable by clicking on the VIEW EVENTS card.
  • PROTOCOL COMPLIANCE ENFORCEMENT
    • HTTP verifies the HTTP request is properly formed. Malformed HTTP requests can be used to bypass proxy filters, poison caches, or cause the response from one request to be incorrectly matched with another; Ref: OWASP HTTP.
    • API enforces proper XML requests. The system checks that the request contains XML data that is well-formed, according to W3C standards. Sending a document which the application was not expecting to handle can result in various attacks, like denial of service.
    • WebSocket adds WebSocket URLs and defines defense measures in a WebSocket profile. This protects against attacks such as server stack abuse, session riding, cross-site scripting, and SQL injection; Ref: WebSocket security.
  • METHOD ENFORCEMENT governs the use of specific HTTP request methods. By default, Essential App Protect allows GET, HEAD, and POST methods.

If you make changes on this tab, press the Update button to save the changes.

Protect Application - Malicious IP

A malicious IP is an IP address that has been deemed to be some form of bad actor. Essential App Protect will make this determination after receiving a request that fits into one of the malicious IP categories shown on the Malicious IP tab. The actions you can take are listed below.

_images/CS-EAP-Protect.Application-Malicious.IP.png

  • Enable checkbox: The entire category of malicious IP enforcement can be enabled or disabled using the checkbox at the top. If it is enabled (turned on), then the Mode can be set to either Monitoring (show the threat but don’t take action) or Blocking (block all threats detected).
  • The list box shows the different Malicious IP categories. This allows you to have different settings for each malicious IP category.

If you make changes on this tab, press the Update button to save the changes.

For more information about Malicious IP and the related categories, see the Malicious IP topic in the FAQ for Essential App Protect.


Protect Application - Threat Campaigns

Threat Campaigns provide targeted signatures to protect organizations from pervasive attacks that are often coordinated by organized crime and nation states. The Threat Campaign tab allows you to tell Essential App Protect how to deal with these types of threats. Because there are hundreds of different campaigns, Essential App protect provides different ways to look at and filter the list. The actions you can take are listed below.

_images/CS-EAP-Protect.Application-Threat.Campaigns.png

  • Enable checkbox: The entire category of Threat Campaign enforcement can be enabled or disabled using the checkbox at the top. If it is enabled (turned on), then the Mode can be set to either Monitoring (show the threat but don’t take action) or Blocking (block all threats detected).
  • Enable or disable individual threat campaigns with the Enable check box in each row of the table.
  • Filter the table to show only campaigns whose text includes a specific word or phrase. Filtering is not case sensitive. The filter matches the entered phrase as a whole rather than searching for each word individually: “remote include” will not match a row that contains “Remote File Include”, whereas “file include” will match “Remote File Include” but will exclude rows in which “File” is followed by a word other than “Include”.
  • Sort columns by clicking on column header.

If you make changes on this tab, press the Update button to save the changes.

For more information about Threat Campaigns, see the Threat Campaign topic in the FAQ for Essential App Protect.


Protect Application - DNS Settings

The DNS Settings tab helps with the update or addition of your CNAME record in your DNS settings.

_images/CS-EAP-Protect.Application-DNS.Settings.png

Step 1. Copy this CNAME: The CNAME value shown is the specific URL for protecting your application. It is essentially your copy of Essential App Protect. By creating a CNAME record, you’ll be directing all traffic to your application to first go through this URL for verification.

Step 2. Update your CNAME record: The details for this step will depend on your hosting provider. Generally, you are modifying your application’s zone records, which are used for DNS. Your hosting provider will provide the tools to do this; look for DNS Records, Manage DNS, Zone Editor, or something similar. When creating the CNAME record, you’ll enter two key fields:

  1. Name: think of this as what someone would type into a browser to get to your application
  2. Value: the URL for your copy of Essential App Protect (the CNAME shown in Step 1)

Step 3. Wait for propagation: This process transmits your updated zone file to DNS name servers throughout the world.

Note

This process can take up to 72 hours, but it is typically much faster.

Step 4. Test: Click the Test updated DNS button to verify that your CNAME change is correct. This test will be successful when you have correctly added the CNAME record and it has propagated globally.


Protect Application - JSON Configuration

Sometimes it is convenient to see an entire Essential App Protect configuration at once. Use the JSON configuration tab to see and edit your configuration for this service instance (visit json.org for more information on the JSON format). This can be convenient for making quick edits or even to copy/paste an entire security policy from one service instance to another.

_images/CS-EAP-Protect.Application-JSON.Configuration.png

The JSON window is a basic editor allowing you to view, scroll, and make changes to the configuration.

  • Click the small arrows next to the line numbers to expand or collapse sections of the JSON.
  • The standard copy function copies selected text (collapsed sections are expanded in the copied text).
  • The standard paste function will overwrite existing text.
  • An error marker (red box containing ‘X’) will appear next to a line number if there is a syntax error on this line (sometimes caused by the preceding line).

If you have made changes to the JSON and want those changes to modify your protection settings, click the Update button.


View Events

The VIEW EVENTS data card provides an overview of events logged and/or blocked based on your security policy.

_images/CS-EAP-View.Events.Card.png

Clicking in the card will show the list of recent events along with details for each.

_images/CS-EAP-View.Events.png

Actions you can take within the table:

  • Filter the table to show only events whose text includes a specific word or phrase. Filtering is not case sensitive. The filter matches the entered phrase as a whole rather than searching for each word individually: “illegal type” will not match a row that contains “Illegal File type”, whereas “illegal file” will match it but will exclude rows in which “Illegal” is followed by a word other than “File”.

  • Sort columns by clicking on column header.

  • The kabob menu at the right edge of each row gives the following options for an event:

    • Always allow this IP - This will add the IP address associated with this row to the IP Enforcement Rules and set the IP Action to Allow, which means all traffic from this IP address will bypass all protection capabilities within Essential App Protect. This is the equivalent of “whitelisting” this IP address. For more information on managing this list, see the IP Enforcement topic under the High-risk Attack Mitigation section.
    • Always block this IP - This will add the IP address associated with this row to the IP Enforcement Rules and set the IP Action to Block, which means no requests from this IP address will reach your application. This is the equivalent of “blacklisting” this IP address. For more information on managing this list, see the IP Enforcement topic under the High-risk Attack Mitigation section.
    • Mark as exception - Use this option to tell Essential App Protect that this type of event should not be blocked.
    • View full request - This brings up a separate browser tab showing all the details of the request associated with this row. See below.
  • Click on any row to see a more detailed view of the request in a slide panel on the right side of the table.

    _images/CS-EAP-View.Events-Details.png

    In the slide panel, you can:

    • Use the Source IP Address dropdown to either always allow or always block this IP address in accordance with the IP Enforcement Rules. For more information on IP Enforcement Rules, see the IP Enforcement topic under the High-risk Attack Mitigation section.
    • View full request - This brings up a separate browser tab showing all the details of the request.
    _images/CS-EAP-View.Events-View.Full.Request.png

Worldwide Threat Map

To see the worldwide threat campaigns, use the View: dropdown (below the user information in the top right of the Cloud Services window) and select WorldWide Threat Map.

_images/CS-EAP-Worldwide.Threats.png

The left side of the map shows an overview of the activity seen over the past 24 hours. It also shows a list of the recent threat campaigns detected. To see the full list, click + Show all. If you don’t have any protected applications yet, you will also see some getting started information and the Start protecting your application button to set up Essential App Protect for an application. For details on how to do this, refer to the Set up the Essential App Protect Service section.

Try these map features:

  • Attack details - Hover over any of the threat icons on the map to get more details regarding that location.
  • Expand attack clusters - If more than one attack of the same type in the same region appears, the icon shows them as a cluster with the number of attackers included. The icon will appear larger based on the number of attackers. You can click on the number icon to zoom into that area and examine the individual actors. To zoom out again, click the blue circle with the minus sign in it in the upper right corner of the map.
  • Pan and zoom - You can pan the map by clicking the mouse anywhere on the map and dragging. This is especially useful when the map is zoomed in. You can zoom the map by clicking on an attack cluster (mentioned above) if any are displayed.