Scenario #5: Managing an F5 BIG-IP Advanced WAF Policy with Policy Builder on a single device¶
The goal of this lab is to manage Policy Builder Suggestions an F5 BIG-IP Advanced WAF Policy on a single device or cluster. As the traffic flows through the BIG-IP, it is easy to manage suggestions from the Policy Builder and enforce them on the WAF Policy. It also shows the potential management workflow:
- The security engineer regularly checks the sugestions directly on the BIG-IP WebUI and cleans the irrelevant suggestions.
- Once the cleaning is done, the Terraform engineer (who can also be the security engineer) issues a Terraform apply for the current suggestions. You can filter the suggestions on their scoring level (from 5% to 100%, with 100% being the highest confidence level).
- Every suggestions application can be tracked on Terraform and can easily be roll-backed if needed.
Pre-requisites¶
On the BIG-IP:
- BIG-IP version 16.1 or newer
- Advanced WAF Provisioned
- Credentials with REST API access
- An Advanced WAF Policy with Policy Builder enabled and Manual traffic Learning
On Terraform:
- Using F5 BIG-IP provider version 1.15.0 or newer
- Using Hashicorp versions following Releases and Versioning
Policy Creation¶
F5 has already exported a WAF Policy called scenario5.json available here including several Policy Builder Suggestions so you won’t have to generate traffic.
Create 4 files:
- variables.tf
- inputs.auto.tfvars
- main.tf
- outputs.tf
1 2 3 | variable prod_bigip {}
variable username {}
variable password {}
|
1 2 3 | prod_bigip = "10.1.1.8:443"
username = "admin"
password = "whatIsYourBigIPPassword?"
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 | terraform {
required_providers {
bigip = {
source = "F5Networks/bigip"
version = "1.15"
}
}
}
provider "bigip" {
alias = "prod"
address = var.prod_bigip
username = var.username
password = var.password
}
data "http" "scenario5" {
url = "https://raw.githubusercontent.com/fchmainy/awaf_tf_docs/main/0.Appendix/Common_scenario5__2022-8-12_15-49-28__prod1.f5demo.com.json"
request_headers = {
Accept = "application/json"
}
}
resource "bigip_waf_policy" "this" {
provider = bigip.prod
application_language = "utf-8"
partition = "Common"
name = "scenario5"
template_name = "POLICY_TEMPLATE_FUNDAMENTAL"
type = "security"
policy_import_json = data.http.scenario5.body
}
|
Note
The template name can be set to anything. When it is imported, the value is overwritten.
1 2 3 4 5 6 7 | output "policyId" {
value = bigip_waf_policy.this.policy_id
}
output "policyJSON" {
value = bigip_waf_policy.this.policy_export_json
}
|
Initialize, plan, and apply your new Terraform project:
foo@bar:~$ terraform init
foo@bar:~$ terraform plan -out scenario5
foo@bar:~$ terraform apply "scenario5"
Log on to your F5 BIG-IP UI and associate the Advanced WAF Policy scenario5 to the Virtual Server scenario5.vs.
Note
The Virtual Server and the whole application service can be automated using the BIG-IP provider with the AS3 or FAST resources.
Simulate a WAF Policy workflow¶
Change the Policy Builder process (for testing and demo purpose only):¶
- Go to the DVWA WAF Policy on your BIG-IP TMUI (if you are using UDF, the WAF policy is called scenario5 and is located under the Common partition.
- In the Learning and blocking Settings (Security > Application Security : Policy Building : Learning and Blocking Settings), at the very bottom of the page, go on the Loosen Policy settings in the Advanced view of the Policy Building Process.
- Change the different sources, spread out over a time period of at least value from 10 to 1 so the policy builder generates learning suggestions more rapidly.
Browse the Vulnerable Application¶
Now browse the DVWA web application through the F5 BIG-IP Advanced WAF Virtual Server. The credentials to log in to DVWA are admin/password.
- Go on the DVWA Security menu and change the level to Low then Submit.
- Browse the DVWA website by clicking into any menus.
- Generate some attacks:
SQL Injection: %' or 1='1 ' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #
XSS Reflected: <script>alert('hello')</script>
Check Learning Suggestions¶
If you go to the WAF Policy learning suggestions, you will find multiple suggestions with a high score of 100% (because we have not been picky in the learning process settings).
Here is a typical workflow in real life:
- The security engineer regularly checks the sugestions directly on the BIG-IP WebUI and cleans the irrelevant suggestions.
- Once the cleaning is done, the Terraform engineer (can either be the same person or different) creates a unique bigip_waf_pb_suggestions data source before issuing a Terraform apply for the current suggestions. You can filter the suggestions on their scoring level (from 5% to 100% with 100% having the highest confidence level).
Note
Every suggestions application can be tracked on Terraform and can easily be roll-backed if needed.
Go to your BIG-IP WebUI and clean the irrelevant suggestions.
For example, remove all the suggestions with a scoring = 1%
Important
You can ignore suggestions but you should never accept them on the WebUI, otherwise you will then have to reconciliate the changes between the WAF Policy on the BIG-IP and the latest known WAF Policy in your Terraform state.
Use Terraform to enforce the policy builder suggestions.
Create a suggestions.tf file. The name of the bigip_waf_pb_suggestions data source should be unique so we can track what modifications have been enforced and when.
data "bigip_waf_pb_suggestions" "AUG3rd20221715" { provider = bigip.prod policy_name = "scenario5" partition = "Common" minimum_learning_score = 100 } output "AUG3rd20221715" { value = data.bigip_waf_pb_suggestions.AUG3rd20221715.json }
You can check the suggestions before they are applied to the BIG-IP:
foo@bar:~$ terraform plan -out scenario5 foo@bar:~$ terraform apply "scenario5" foo@bar:~$ terraform output AUG3rd20221715 | jq '. | fromjson'
You will get the JSON list of suggestions that have a learning score of 100%.
{ "suggestions": [ { "action": "update-append", "description": "Add/Update Parameter. Disable the matched signature on the matched Parameter", "entity": { "level": "global", "name": "id" }, "entityChanges": { "signatureOverrides": [ { "enabled": false, "name": "SQL-INJ ' UNION SELECT (Parameter)", "signatureId": 200002736 } ], "type": "explicit" }, "entityType": "parameter" }, [...], { "action": "add-or-update", "description": "Add Policy Server Technology", "entity": { "serverTechnologyName": "Unix/Linux" }, "entityType": "server-technology" } ] }
Update the main.tf file:
resource "bigip_waf_policy" "this" { provider = bigip.prod application_language = "utf-8" partition = "Common" name = "scenario5" template_name = "POLICY_TEMPLATE_FUNDAMENTAL" type = "security" policy_import_json = data.http.scenario5.body modifications = [data.bigip_waf_pb_suggestions.AUG3rd20221715.json] }
Plan and apply:
foo@bar:~$ terraform plan -out scenario5 foo@bar:~$ terraform apply "scenario5"
Check on the BIG-IP UI that the server technologies and other suggestions have been succesfully enforced to your WAF Policy.