F5 Essential App Protect FAQ

Q: What is a Threat Campaign?

Threat Campaigns provide targeted signatures to protect organizations from pervasive attacks that are often coordinated by organized crime and nation states. Based on F5 Labs research, Threat Campaigns provide critical intelligence to fingerprint and mitigate sophisticated attacks with nearly real-time updates.


Q: What is Malicious IP?

A malicious IP is an IP address or security category associated with malicious activity. Turning on the Malicious IP service enhances automated security decisions with IP reputation intelligence. IP Intelligence Services can incorporate dynamic lists of threatening IP addresses from third parties into the F5 Cloud Services platform, adding context and automation to WAF mitigation decisions. IP Intelligence Services are available as an add-on service. A detailed list of the Malicious IP Categories can be found in the security details page.


Q: What is High-Risk Attack mitigation?

High-Risk Attack Mitigation is an automatic attack mitigation feature. It calculates the likelihood that an incoming request is an attack based on the type of violations that request triggers, and allows the request to be blocked immediately.


Q: What is Baseline Sec Protection?

Baseline Sec Protection is part of High-Risk Attack Mitigation. It provides a baseline policy containing an effective, friction-free security ruleset that protects the application against common exploits, including:

  • High Risk Attack Signatures
  • HTTP RFC validation
  • Enforcement of Evasion Techniques
  • Method enforcements
  • Malicious file type enforcement
  • Geo-location enforcement (with provided templates)
  • Response Scrubbing to prevent sensitive data leakage (e.g. credit card numbers)
  • Base API Protection

Q: How does F5 Essential App Protect Service compare to AWS WAF?

Essential App Protect offers a number of unique or enhanced benefits:

  • Multi-cloud service options.
  • More security functionality built-in than the AWS WAF, providing a broader range of security application protections.
  • Simpler user interface and easy, configurable check-box security options. Essential App Protect provides a very interactive user experience, making it easier to see an issue on the interactive map and take action on that threat.
  • Fewer false positives/negatives.

AWS WAF offers:

  • Runs as part of the AWS Application Load Balancer (ALB) flow (Essential App Protect is planned to support this as well)
  • Relatively cheap for a WAF SaaS solution
  • Declarative API allows for fast and easy CI/CD integration
  • Good API documentation and references

Q: What is attack probability?

Attack probability is a rating of the likelihood that a request that Essential App Protect reports as a detection event is actually a real attack. You can examine the requests that cause detection events to determine whether the requests are real attacks or false positives. To simplify the task of identifying false positives, each transaction with one or more detection events has an attack probability rating associated with it. The attack probability rating ranks the transactions and reports those that are either High or Very High. This table explains how to interpret the attack probability ratings.

Rating      Description
Very High   Request is most likely a threat, so consider clearing any learning suggestions associated with it.
High        Request looks like a threat but requires examination before clearing the suggestion.

The system assigns the attack probability rating by assessing the combination of detection events occurring in a transaction. The rating is assigned to the transaction as a whole rather than the individual detection events in the request. This is because real attacks often include multiple detection events within one transaction. The attack probability rating takes into consideration the impact of the detection events on the business.


Q: Why do I see asterisks in my parameter value pair?

Essential App Protect is treating these parameters as “sensitive” parameters. For more information, see the next question, “How do I protect sensitive information and parameters?”


Q: How do I protect sensitive information and parameters?

Essential App Protect provides two mechanisms for masking sensitive information: Data Guard and Sensitive Parameters.

Data Guard: In some web applications, a response may contain sensitive user information, such as credit card numbers or social security numbers. The Data Guard feature can prevent responses from exposing sensitive information by masking the data (also known as response scrubbing). Data Guard scans the text of responses for the types of sensitive information you enable and masks the matching values in the response, so they are hidden from all downstream views and logs. Essential App Protect masks credit card numbers and social security numbers when Data Guard is enabled and the “cc” and “ssn” options are turned on.

Sensitive Parameters: Traffic between an application server and a web server can have many parameters that contain sensitive information. In addition to credit cards and social security numbers, you might have account numbers, passwords, medical, or any privacy information that you don’t want to expose. By adding these parameter names to the sensitive parameters list, Essential App Protect will mask the contents of those parameters from any display or logging that is performed as part of the service. Unlike Data Guard, the Sensitive Parameters feature will not change the parameter value that is passed between the application server and web server.
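The difference between the two mechanisms is easiest to see in code. The following is an added illustration written for this FAQ, not Essential App Protect's own implementation: scrub_response() rewrites the response body the way Data Guard does (the regexes and the Luhn filter are assumptions about how card numbers and SSNs are recognised), while mask_sensitive_params() only produces a log-safe copy of a query string and leaves the forwarded value untouched, which is the Sensitive Parameters behaviour. The sample traffic is constructed.

```python
import re

# Luhn checksum: only plausible card numbers get scrubbed, so order numbers or
# timestamps of similar length stay readable.
def luhn_valid(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

# 13-19 digits, optionally separated by spaces or dashes (assumed pattern).
CC_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US social security number in the common 3-2-4 dashed form (assumed pattern).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def scrub_response(body, cc=True, ssn=True):
    """Data Guard style: the response body itself is rewritten, so every
    downstream consumer (browser, proxy log, SIEM) sees asterisks."""
    def mask_card(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return "*" * len(raw)
        return raw  # digit run that is not a valid card number: leave it alone
    if cc:
        body = CC_RE.sub(mask_card, body)
    if ssn:
        body = SSN_RE.sub(lambda m: "*" * len(m.group(0)), body)
    return body


def mask_sensitive_params(query, sensitive_names):
    """Sensitive Parameters style: build a log-safe copy of a query string.
    The input string is not modified; the value passed on to the application
    server stays exactly as the client sent it."""
    parts = []
    for pair in query.split("&"):
        name, sep, value = pair.partition("=")
        if sep and name in sensitive_names:
            value = "***"
        parts.append(name + sep + value)
    return "&".join(parts)


def forward_and_log(query, sensitive_names):
    """Return (what is forwarded to the application, what is written to the log)."""
    return query, mask_sensitive_params(query, sensitive_names)


if __name__ == "__main__":
    # Constructed sample traffic, not real data.
    page = "Card 4111 1111 1111 1111 on file, SSN 123-45-6789, order 4111 1111 1111 1112"
    print(scrub_response(page))
    fwd, logged = forward_and_log(
        "user=bob&password=hunter2&creditcard=4111111111111111",
        {"password", "creditcard"})
    print("forwarded:", fwd)
    print("logged:   ", logged)
```

Note that the last digit run in the sample page fails the Luhn check and is left readable, which is the kind of false-positive control a response scrubber needs so that it does not blank out order numbers and timestamps.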

In the preview version, Essential App Protect enables Data Guard and Sensitive Parameters by default, but no parameters are declared as sensitive. You can add parameters to the list using either the API or the UI. To make changes through the UI, open the Essential App Protect dashboard for your protected application, click the PROTECT APPLICATION card, and edit the COMPLIANCE & PRIVACY section of the General tab (see the compliance details at f5-cloud-services-Security-WorkWith.html#protect-application).

To change compliance settings with the API, change the data_guard and sensitive_parameters objects in the policy/compliance_enforcement section of the Essential App Protect subscription update payload, as shown below:

PUT https://api.cloudservices.f5.com/v1/svc-subscription/subscriptions/{{SUBSCRIPTION_ID}}

– PAYLOAD:

{
    "service_type": "waf",
    "service_instance_name": "{PROTECTED_APP}",
    "configuration": {
        "waf_service": {
            ...
            "policy": {
                "compliance_enforcement": {
                    "data_guard": {
                        "cc": true,
                        "enabled": true,
                        "ssn": true
                    },
                    "sensitive_parameters": {
                        "enabled": true,
                        "parameters": [
                            "password",
                            "creditcard"
                        ]
                    }
                },
                ...
            }
        }
    }
}

This will flag these parameters as sensitive parameters. When you create sensitive parameters, the system replaces the sensitive data in the stored request and in logs with asterisks (***), keeping the sensitive data in these parameters private.


Q: Which AWS deployment regions are supported by Essential App Protect?

AWS Region                Region Name
US East (N. Virginia)     us-east-1
US East (Ohio)            us-east-2
US West (Oregon)          us-west-2
Europe (Frankfurt)        eu-central-1
Europe (London)           eu-west-2
Europe (Paris)            eu-west-3
Asia Pacific (Tokyo)      ap-northeast-1
Asia Pacific (Singapore)  ap-southeast-1
Asia Pacific (Sydney)     ap-southeast-2
Canada (Central)          ca-central-1

Q: How do I add multiple IP endpoints for my application?

This is done by modifying the JSON to include multiple IP endpoints. In the UI, use the JSON Configuration section to edit the JSON. The API approach is the same: modify the payload JSON to list multiple endpoints, then either create or update the subscription. The JSON example below shows multiple IP endpoints.

Use this API request to create a subscription instance with multiple endpoints:

POST https://api.cloudservices.f5.com/v1/svc-subscription/subscriptions

or this one to add endpoints to an existing instance:

PUT https://api.cloudservices.f5.com/v1/svc-subscription/subscriptions/{{subscription_id}}

– PAYLOAD

{
    ...
    "configuration": {
        "waf_service": {
            ...
            "waf_regions": {
                "aws": {
                    "us-east-1": {
                        "endpoint": {
                            "domain": "<region1.yourdomain.com>",
                            "port": 80,
                            "use_TLS": false
                        }
                    },
                    "us-west-2": {
                        "endpoint": {
                            "domain": "<region2.yourdomain.com>",
                            "port": 80,
                            "use_TLS": false
                        }
                    }
                }
            },
            ...
        }
    }
}
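Both payload edits in this FAQ (the compliance_enforcement block in the sensitive-parameters question and the waf_regions block above) are read-modify-write operations on the subscription's configuration object, and both are easy to get wrong by hand: a PUT that omits sibling keys drops them, and a mistyped region code is only caught by the API. The following is an added example written for this page, not F5's own tooling. It builds the two blocks into a copy of an existing configuration, validates endpoints against the region table in this FAQ, and wraps the result in the update payload. The Bearer-token header in send_update() and the placeholder key in the sample configuration are assumptions; take the real authentication details from the F5 Cloud Services API documentation.

```python
import copy
import json
import urllib.request

# PUT target given in this FAQ.
API_SUBSCRIPTIONS = "https://api.cloudservices.f5.com/v1/svc-subscription/subscriptions"

# Region codes copied from the "Which AWS deployment regions are supported" table.
SUPPORTED_AWS_REGIONS = {
    "us-east-1", "us-east-2", "us-west-2",
    "eu-central-1", "eu-west-2", "eu-west-3",
    "ap-northeast-1", "ap-southeast-1", "ap-southeast-2",
    "ca-central-1",
}


def _node(tree, *keys):
    """Walk (creating as needed) nested dicts so that sibling keys are kept:
    the PUT replaces the configuration, so always start from the current one."""
    for key in keys:
        tree = tree.setdefault(key, {})
    return tree


def set_compliance(configuration, sensitive_parameters, data_guard=True, cc=True, ssn=True):
    """Return a copy of `configuration` with Data Guard and the sensitive
    parameter list set under waf_service.policy.compliance_enforcement."""
    cfg = copy.deepcopy(configuration)
    names = sorted({p.strip() for p in sensitive_parameters if p.strip()})
    compliance = _node(cfg, "waf_service", "policy", "compliance_enforcement")
    compliance["data_guard"] = {"enabled": data_guard, "cc": cc, "ssn": ssn}
    compliance["sensitive_parameters"] = {"enabled": True, "parameters": names}
    return cfg


def set_endpoints(configuration, endpoints):
    """`endpoints` maps an AWS region code to (domain, port, use_tls).
    Every entry is validated before the payload is touched."""
    cfg = copy.deepcopy(configuration)
    aws = _node(cfg, "waf_service", "waf_regions", "aws")
    for region, (domain, port, use_tls) in endpoints.items():
        if region not in SUPPORTED_AWS_REGIONS:
            raise ValueError("unsupported AWS region: %s" % region)
        if not domain or "://" in domain or "/" in domain:
            raise ValueError("domain must be a bare hostname, got %r" % (domain,))
        if not 1 <= int(port) <= 65535:
            raise ValueError("port out of range: %r" % (port,))
        aws[region] = {"endpoint": {"domain": domain, "port": int(port), "use_TLS": bool(use_tls)}}
    return cfg


def build_update_payload(instance_name, configuration):
    """Shape of the subscription update payload shown in this FAQ."""
    return {"service_type": "waf",
            "service_instance_name": instance_name,
            "configuration": configuration}


def send_update(subscription_id, payload, token):
    """PUT the payload to the subscription URL from this FAQ.
    The Authorization header is an assumption about the API's auth scheme."""
    req = urllib.request.Request(
        "%s/%s" % (API_SUBSCRIPTIONS, subscription_id),
        data=json.dumps(payload).encode(),
        method="PUT",
        headers={"Content-Type": "application/json", "Authorization": "Bearer " + token},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed starting configuration; "example_existing_setting" is a
    # placeholder standing in for whatever the subscription already contains.
    current = {"waf_service": {"policy": {"example_existing_setting": True}}}
    cfg = set_compliance(current, ["password", "creditcard"])
    cfg = set_endpoints(cfg, {"us-east-1": ("region1.example.com", 80, False),
                              "us-west-2": ("region2.example.com", 443, True)})
    print(json.dumps(build_update_payload("Example Application", cfg), indent=4))
```

Because every setter works on a deep copy of the configuration you pass in, the existing setting under policy survives both edits; that is the property to check before any PUT against a live subscription.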

Q: How do I delete/retire an Essential App Protect Service instance?

The first step is to remove the CNAME record in your DNS settings that redirects your application’s traffic through your Essential App Protect Service instance. For more information, see Protect Application - DNS Settings, Step 2.

Using the API, “deleting” a service is done by retiring the service instance based on its subscription ID. The subscription ID is created as part of the service instance creation and returned in the response JSON as subscription_id. You can also get all of your subscription IDs with the following request:

POST https://api.cloudservices.f5.com/v1/svc-subscription/subscriptions?catalogId=c-aa9N0jgHI4&account_id={{ACCOUNT_ID}}&service_type=waf

– RESULT

{
    "subscriptions": [
        {
            "subscription_id": "s-aadIkDJUJV",
            "account_id": "a-aaQsw6MlaD",
            "user_id": "u-aaiJJFFvZE",
            "catalog_id": "c-aa9N0jgHI4",
            "service_instance_id": "waf-aaid2NxVnX",
            "status": "ACTIVE",
            "service_instance_name": "Example Application",
            "deleted": false,
            "service_type": "waf",
            "configuration": {
                <!-- service specific configuration content -->
            },
            <!-- service specific content -->
        },
        {
            "subscription_id": "s-aaVf7muxD9",
            "account_id": "a-aaQsw6MlaD",
            "user_id": "u-aaiJJFFvZE",
            "catalog_id": "c-aa9N0jgHI4",
            "service_instance_id": "waf-aaOjMlcBmW",
            "status": "ACTIVE",
            "service_instance_name": "Example2",
            "deleted": false,
            "service_type": "waf",
            "configuration": {
                <!-- service specific configuration content -->
            },
            <!-- service specific content -->
        }
    ],
    <!-- subscriptions details -->
}

Once you have the correct subscription ID, you can then use the following request to retire the subscription. Remember to change the subscription_id to the one assigned to the service instance you want to retire.

POST https://api.cloudservices.f5.com/v1/svc-subscription/subscriptions/{{subscription_id}}/retire

– RESULT

{
    "status": "RETIRED",
    "service_state": "UNDEPLOYED",
    "subscription_id": "s-aaVf7muxD9"
}

Important

When you suspend or retire a subscription, you are turning off all functions of the Essential App Protect Service instance for your application. That also means that if you still have the CNAME record in your DNS settings that you added when you created your Essential App Protect Service instance, all of your application’s traffic will be going through a non-functional proxy, effectively blocking all communication with your application. It is very important that you remove the CNAME record from your DNS settings prior to suspending or retiring an Essential App Protect Service instance.
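Since the retire call itself does not know whether your DNS still routes traffic through the instance, it is worth putting that check in front of the call. The following is an added example written for this FAQ, not F5's own tooling: it picks the subscription ID out of a listing shaped like the result shown above (the listing is a constructed sample using the IDs from this page), refuses to retire while the application's CNAME still resolves to the service hostname, and only then POSTs to the retire URL from this FAQ. The DNS lookup and the HTTP call are injected so the logic can be exercised offline; dnspython_cname() assumes the third-party dnspython package, and the Bearer-token header in make_api_post() is an assumption about the API's authentication scheme.

```python
import json
import urllib.request

# Retire endpoint base given in this FAQ.
API_SUBSCRIPTIONS = "https://api.cloudservices.f5.com/v1/svc-subscription/subscriptions"

# Constructed sample shaped like the listing result shown in this FAQ.
SAMPLE_LISTING = {
    "subscriptions": [
        {"subscription_id": "s-aadIkDJUJV", "status": "ACTIVE", "deleted": False,
         "service_type": "waf", "service_instance_name": "Example Application"},
        {"subscription_id": "s-aaVf7muxD9", "status": "ACTIVE", "deleted": False,
         "service_type": "waf", "service_instance_name": "Example2"},
    ]
}


def find_subscription_id(listing, instance_name):
    """Resolve a service instance name to exactly one live subscription ID."""
    matches = [s for s in listing["subscriptions"]
               if s["service_instance_name"] == instance_name and not s.get("deleted")]
    if len(matches) != 1:
        raise LookupError("expected exactly one live instance named %r, found %d"
                          % (instance_name, len(matches)))
    return matches[0]["subscription_id"]


def _normalise(name):
    # DNS answers carry a trailing dot and are case-insensitive.
    return name.rstrip(".").lower()


def cname_points_to_service(app_hostname, service_hostname, resolve_cname):
    """resolve_cname(hostname) returns the CNAME target, or None if there is none."""
    target = resolve_cname(app_hostname)
    return target is not None and _normalise(target) == _normalise(service_hostname)


def retire_subscription(subscription_id, app_hostname, service_hostname, resolve_cname, post):
    """Refuse to retire while the application's CNAME still points at the instance;
    otherwise POST to the retire URL and return the decoded response."""
    if cname_points_to_service(app_hostname, service_hostname, resolve_cname):
        raise RuntimeError("%s still has a CNAME to %s; remove the DNS record before retiring %s"
                           % (app_hostname, service_hostname, subscription_id))
    return post("%s/%s/retire" % (API_SUBSCRIPTIONS, subscription_id))


def dnspython_cname(hostname):
    """Live CNAME lookup using dnspython (third-party). The import is deferred so
    the rest of this file works without the package installed."""
    import dns.resolver
    try:
        answer = dns.resolver.resolve(hostname, "CNAME")
    except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
        return None
    return str(answer[0].target)


def make_api_post(token):
    """Build a POST callable for retire_subscription(). Bearer auth is an assumption."""
    def post(url):
        req = urllib.request.Request(url, data=b"", method="POST",
                                     headers={"Authorization": "Bearer " + token})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return post


if __name__ == "__main__":
    # Offline walk-through with a fake resolver and a fake POST; the service
    # hostname is a placeholder, not a real F5 address.
    sub_id = find_subscription_id(SAMPLE_LISTING, "Example2")
    still_cnamed = lambda host: "my-instance.waf.example.invalid."
    try:
        retire_subscription(sub_id, "www.example.com", "my-instance.waf.example.invalid",
                            still_cnamed, lambda url: {"status": "RETIRED"})
    except RuntimeError as err:
        print("blocked:", err)
    print(retire_subscription(sub_id, "www.example.com", "my-instance.waf.example.invalid",
                              lambda host: None,
                              lambda url: {"status": "RETIRED", "subscription_id": sub_id}))
```

For a live run, pass dnspython_cname as resolve_cname and make_api_post(token) as post. Keep the suspend case in mind as well: the same DNS check applies before suspending, since a suspended instance leaves the CNAME pointing at a proxy that no longer forwards traffic.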


Q: What is a CNAME?

A CNAME record is one of the DNS zone record types (a zone may or may not contain one) and is used to redirect one name to another. A CNAME record in a DNS zone has a hostname as its record NAME, a record TYPE of “CNAME”, and another hostname as its VALUE. If the DNS system is looking for example.com and finds it as the NAME of a CNAME record, it switches to looking for the hostname in the VALUE field. The VALUE field of a CNAME record is often called the CNAME, or canonical (true) name.

For more information, see the following references:


Q: Who should I contact for help regarding F5 Cloud Services?

Visit the F5 Cloud Services Support page to see all of your support options.