Scenario #5: Manage an F5 BIG-IP Advanced WAF Policy with Policy Builder on a single device
The goal of this lab is to manage Policy Builder suggestions for an F5 BIG-IP Advanced WAF Policy on a single device or cluster. As traffic flows through the BIG-IP, it is easy to manage suggestions from the Policy Builder and enforce them on the WAF Policy. The lab also shows a potential management workflow:
The security engineer regularly checks the suggestions directly on the BIG-IP WebUI and cleans the irrelevant suggestions.
Once the cleaning is done, the Terraform engineer (who can also be the security engineer) issues a Terraform apply for the current suggestions. You can filter the suggestions on their scoring level (from 5% to 100%, with 100% being the highest confidence level).
You can track and roll back every suggestion application on Terraform, if needed.
Prerequisites
On the BIG-IP:
BIG-IP version 16.1 or newer
Advanced WAF Provisioned
Credentials with REST API access
An Advanced WAF Policy with Policy Builder enabled and Manual Traffic Learning
On Terraform:
Using F5 BIG-IP provider version 1.15.0 or newer
Using HashiCorp Terraform versions that follow the Releases and versioning guidance
Create a policy
F5 has exported a WAF Policy called scenario5.json (fetched from the URL used in main.tf below) that already includes several Policy Builder suggestions, so you do not need to generate traffic.
Create 4 files:
variables.tf
inputs.auto.tfvars
main.tf
outputs.tf
variables.tf

```hcl
variable "prod_bigip" {}
variable "username" {}
variable "password" {
  # Keep the BIG-IP password out of plan and apply output.
  sensitive = true
}
```
inputs.auto.tfvars

```hcl
prod_bigip = "10.1.1.8:443"
username   = "admin"
password   = "whatIsYourBigIPPassword?"
```
main.tf

```hcl
terraform {
  required_providers {
    bigip = {
      source  = "F5Networks/bigip"
      version = "1.15"
    }
  }
}

provider "bigip" {
  alias    = "prod"
  address  = var.prod_bigip
  username = var.username
  password = var.password
}

# Fetch the exported WAF Policy (with its Policy Builder suggestions) from GitHub.
data "http" "scenario5" {
  url = "https://raw.githubusercontent.com/fchmainy/awaf_tf_docs/main/0.Appendix/Common_scenario5__2022-8-12_15-49-28__prod1.f5demo.com.json"
  request_headers = {
    Accept = "application/json"
  }
}

resource "bigip_waf_policy" "this" {
  provider             = bigip.prod
  application_language = "utf-8"
  partition            = "Common"
  name                 = "scenario5"
  template_name        = "POLICY_TEMPLATE_FUNDAMENTAL"
  type                 = "security"
  # With hashicorp/http provider 3.x this attribute is named response_body; body is deprecated.
  policy_import_json   = data.http.scenario5.body
}
```
Note
You can set the template name to anything, because the value is overwritten during import.
outputs.tf

```hcl
output "policyId" {
  value = bigip_waf_policy.this.policy_id
}

output "policyJSON" {
  value = bigip_waf_policy.this.policy_export_json
}
```
Initialize, plan, and apply your new Terraform project:
```shell
foo@bar:~$ terraform init
foo@bar:~$ terraform plan -out scenario5
foo@bar:~$ terraform apply "scenario5"
```
Log on to your F5 BIG-IP UI and associate the Advanced WAF Policy scenario5 to the Virtual Server scenario5.vs.
Note
You can automate the Virtual Server and the whole application service using the BIG-IP provider with the AS3 or FAST resources.
Simulate a WAF Policy workflow
Follow these procedures to simulate a WAF policy workflow.
Change the Policy Builder process (for testing and demo purposes only):
Go to the DVWA WAF Policy on your BIG-IP Traffic Manager UI (if you are using UDF, the WAF policy is called “scenario5” and is located under the Common partition).
In the Learning and Blocking Settings section, at the very bottom of the page, navigate to the Loosen Policy settings and open the Advanced view of the Policy Building Process.
Change the “different sources, spread out over a time period of at least” value from 10 to 1 so the Policy Builder generates learning suggestions faster.
Browse the vulnerable application
Browse the DVWA web application through the F5 BIG-IP Advanced WAF Virtual Server. The credentials to log in to DVWA are admin/password.
Go to the DVWA Security menu, change the level to Low, then click Submit.
Browse the DVWA website by clicking any menu.
Generate some attacks, similar to the following:
SQL Injection: %' or 1='1 ' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #
XSS Reflected: <script>alert('hello')</script>
Check Learning Suggestions
If you go to the WAF Policy learning suggestions, you will find multiple suggestions with a high score of 100%.
The following describes a typical real-life workflow:
The security engineer regularly checks the suggestions directly on the BIG-IP WebUI and cleans the irrelevant suggestions.
Once the cleaning is done, the Terraform engineer (who can be the same person or a different one) creates a uniquely named bigip_waf_pb_suggestions data source before issuing a Terraform apply for the current suggestions. You can filter the suggestions on their scoring level (from 5% to 100%, with 100% being the highest confidence level).
Note
You can track and roll back every suggestion application on Terraform, if needed.
Go to your BIG-IP WebUI and clean the irrelevant suggestions. For example, remove all the suggestions with a score of 1%.
Important
You can ignore suggestions, but never accept them on the WebUI; otherwise you will have to reconcile the changes between the WAF Policy on the BIG-IP and the latest known WAF Policy in your Terraform state.
Use Terraform to enforce the policy builder suggestions.
Create a suggestions.tf file. You must use a unique name for the bigip_waf_pb_suggestions data source, in order to track what modifications have been enforced and when.

```hcl
data "bigip_waf_pb_suggestions" "AUG3rd20221715" {
  provider               = bigip.prod
  policy_name            = "scenario5"
  partition              = "Common"
  minimum_learning_score = 100
}

output "AUG3rd20221715" {
  value = data.bigip_waf_pb_suggestions.AUG3rd20221715.json
}
```
You can check the suggestions before they are applied to the BIG-IP:
```shell
foo@bar:~$ terraform plan -out scenario5
foo@bar:~$ terraform apply "scenario5"
foo@bar:~$ terraform output AUG3rd20221715 | jq '. | fromjson'
```
You will get the JSON list of suggestions that have a learning score of 100%.
```json
{
  "suggestions": [
    {
      "action": "update-append",
      "description": "Add/Update Parameter. Disable the matched signature on the matched Parameter",
      "entity": {
        "level": "global",
        "name": "id"
      },
      "entityChanges": {
        "signatureOverrides": [
          {
            "enabled": false,
            "name": "SQL-INJ ' UNION SELECT (Parameter)",
            "signatureId": 200002736
          }
        ],
        "type": "explicit"
      },
      "entityType": "parameter"
    },
    [...],
    {
      "action": "add-or-update",
      "description": "Add Policy Server Technology",
      "entity": {
        "serverTechnologyName": "Unix/Linux"
      },
      "entityType": "server-technology"
    }
  ]
}
```
Update the main.tf file:
```hcl
resource "bigip_waf_policy" "this" {
  provider             = bigip.prod
  application_language = "utf-8"
  partition            = "Common"
  name                 = "scenario5"
  template_name        = "POLICY_TEMPLATE_FUNDAMENTAL"
  type                 = "security"
  policy_import_json   = data.http.scenario5.body
  # Each enforced suggestion batch is listed here; the list is the record of what was applied.
  modifications        = [data.bigip_waf_pb_suggestions.AUG3rd20221715.json]
}
```
Plan and apply:
```shell
foo@bar:~$ terraform plan -out scenario5
foo@bar:~$ terraform apply "scenario5"
```
Check the server technologies and the other suggestions on the BIG-IP UI to verify that they were successfully enforced in your WAF Policy.
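The tracking workflow described above, carried one round further as an added example (this is not code from the F5 lab): a second, later-dated bigip_waf_pb_suggestions data source is kept next to the first, both batches are listed in order in modifications, and locals built with jsondecode() summarize what each batch will enforce, so the review can be done from terraform plan and terraform output instead of raw JSON. The second data source name AUG10th20221030, the review locals and the two review outputs are assumptions of this example; the resource block replaces the one in main.tf.

```hcl
# Added example: one data source per review round, named by the review
# timestamp, so the Terraform state records which batch was enforced when.
data "bigip_waf_pb_suggestions" "AUG3rd20221715" {
  provider               = bigip.prod
  policy_name            = "scenario5"
  partition              = "Common"
  minimum_learning_score = 100
}

# Second review round, captured later (assumed name for this example).
data "bigip_waf_pb_suggestions" "AUG10th20221030" {
  provider               = bigip.prod
  policy_name            = "scenario5"
  partition              = "Common"
  minimum_learning_score = 100
}

locals {
  # Decode each batch into its list of suggestion objects.
  batches = {
    AUG3rd20221715  = jsondecode(data.bigip_waf_pb_suggestions.AUG3rd20221715.json).suggestions
    AUG10th20221030 = jsondecode(data.bigip_waf_pb_suggestions.AUG10th20221030.json).suggestions
  }

  # Per batch: how many suggestions of each entityType are about to be enforced.
  by_entity_type = {
    for name, batch in local.batches :
    name => {
      for t in distinct([for s in batch : s.entityType]) :
      t => length([for s in batch : s if s.entityType == t])
    }
  }

  # Attack signature IDs the suggestions would disable. Review these with the
  # most care: a disabled signature lowers coverage on the matched entity.
  # try() handles suggestions that carry no signatureOverrides at all.
  disabled_signatures = distinct(flatten([
    for name, batch in local.batches : [
      for s in batch : [
        for o in try(s.entityChanges.signatureOverrides, []) :
        o.signatureId if try(o.enabled, true) == false
      ]
    ]
  ]))
}

resource "bigip_waf_policy" "this" {
  provider             = bigip.prod
  application_language = "utf-8"
  partition            = "Common"
  name                 = "scenario5"
  template_name        = "POLICY_TEMPLATE_FUNDAMENTAL"
  type                 = "security"
  policy_import_json   = data.http.scenario5.body

  # Batches are applied in list order. Rolling a batch back means removing its
  # element here and running plan/apply again; the data source block can stay.
  modifications = [
    data.bigip_waf_pb_suggestions.AUG3rd20221715.json,
    data.bigip_waf_pb_suggestions.AUG10th20221030.json,
  ]
}

output "suggestions_by_entity_type" {
  value = local.by_entity_type
}

output "signatures_to_be_disabled" {
  value = local.disabled_signatures
}
```

Run terraform plan and read the two review outputs before applying: a batch that only adds server technologies or parameters reads very differently from one that disables signatures on a global parameter. Because every batch stays in the configuration as its own block, terraform state and the git history of this file together show when each set of suggestions was enforced.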
What’s Next?