Scenario #5: Managing an F5 BIG-IP Advanced WAF Policy with Policy Builder on a single device

See also

https://github.com/fchmainy/awaf_tf_docs/tree/main/5.policyBuilderSingle

The goal of this lab is to manage Policy Builder Suggestions an F5 BIG-IP Advanced WAF Policy on a single device or cluster. As the traffic flows through the BIG-IP, it is easy to manage suggestions from the Policy Builder and enforce them on the WAF Policy. It also shows the potential management workflow:

  • The security engineer regularly checks the sugestions directly on the BIG-IP WebUI and cleans the irrelevant suggestions.
  • Once the cleaning is done, the Terraform engineer (who can also be the security engineer) issues a Terraform apply for the current suggestions. You can filter the suggestions on their scoring level (from 5% to 100%, with 100% being the highest confidence level).
  • Every suggestions application can be tracked on Terraform and can easily be roll-backed if needed.

Pre-requisites

On the BIG-IP:

  • BIG-IP version 16.1 or newer
  • Advanced WAF Provisioned
  • Credentials with REST API access
  • An Advanced WAF Policy with Policy Builder enabled and Manual traffic Learning

On Terraform:

Policy Creation

F5 has already exported a WAF Policy called scenario5.json available here including several Policy Builder Suggestions so you won’t have to generate traffic.

Create 4 files:

  • variables.tf
  • inputs.auto.tfvars
  • main.tf
  • outputs.tf
variables.tf
1
2
3
variable prod_bigip {}
variable username {}
variable password {}

inputs.auto.tfvars
1
2
3
prod_bigip = "10.1.1.8:443"
username = "admin"
password = "whatIsYourBigIPPassword?"

main.tf
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
terraform {
  required_providers {
    bigip = {
      source = "F5Networks/bigip"
      version = "1.15"
    }
  }
}

provider "bigip" {
  alias    = "prod"
  address  = var.prod_bigip
  username = var.username
  password = var.password
}

data "http" "scenario5" {
  url = "https://raw.githubusercontent.com/fchmainy/awaf_tf_docs/main/0.Appendix/Common_scenario5__2022-8-12_15-49-28__prod1.f5demo.com.json"
  request_headers = {
     Accept = "application/json"
  }
}

resource "bigip_waf_policy" "this" {
    provider            = bigip.prod
    application_language = "utf-8"
    partition            = "Common"
    name                 = "scenario5"
    template_name        = "POLICY_TEMPLATE_FUNDAMENTAL"
    type                 = "security"
    policy_import_json   = data.http.scenario5.body
}

Note

The template name can be set to anything. When it is imported, the value is overwritten.


outputs.tf
1
2
3
4
5
6
7
output "policyId" {
     value   = bigip_waf_policy.this.policy_id
}

output "policyJSON" {
        value   = bigip_waf_policy.this.policy_export_json
}

Initialize, plan, and apply your new Terraform project:

foo@bar:~$ terraform init

foo@bar:~$ terraform plan -out scenario5

foo@bar:~$ terraform apply "scenario5"

Log on to your F5 BIG-IP UI and associate the Advanced WAF Policy scenario5 to the Virtual Server scenario5.vs.

Note

The Virtual Server and the whole application service can be automated using the BIG-IP provider with the AS3 or FAST resources.

Simulate a WAF Policy workflow

Change the Policy Builder process (for testing and demo purpose only):

  1. Go to the DVWA WAF Policy on your BIG-IP TMUI (if you are using UDF, the WAF policy is called scenario5 and is located under the Common partition.
  2. In the Learning and blocking Settings (Security > Application Security : Policy Building : Learning and Blocking Settings), at the very bottom of the page, go on the Loosen Policy settings in the Advanced view of the Policy Building Process.
  3. Change the different sources, spread out over a time period of at least value from 10 to 1 so the policy builder generates learning suggestions more rapidly.

Browse the Vulnerable Application

Now browse the DVWA web application through the F5 BIG-IP Advanced WAF Virtual Server. The credentials to log in to DVWA are admin/password.

  1. Go on the DVWA Security menu and change the level to Low then Submit.
  2. Browse the DVWA website by clicking into any menus.
  3. Generate some attacks:
    • SQL Injection: %' or 1='1 ' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #
    • XSS Reflected: <script>alert('hello')</script>

Check Learning Suggestions

If you go to the WAF Policy learning suggestions, you will find multiple suggestions with a high score of 100% (because we have not been picky in the learning process settings).

Here is a typical workflow in real life:

  • The security engineer regularly checks the sugestions directly on the BIG-IP WebUI and cleans the irrelevant suggestions.
  • Once the cleaning is done, the Terraform engineer (can either be the same person or different) creates a unique bigip_waf_pb_suggestions data source before issuing a Terraform apply for the current suggestions. You can filter the suggestions on their scoring level (from 5% to 100% with 100% having the highest confidence level).

Note

Every suggestions application can be tracked on Terraform and can easily be roll-backed if needed.


  1. Go to your BIG-IP WebUI and clean the irrelevant suggestions.

    For example, remove all the suggestions with a scoring = 1%

    Important

    You can ignore suggestions but you should never accept them on the WebUI, otherwise you will then have to reconciliate the changes between the WAF Policy on the BIG-IP and the latest known WAF Policy in your Terraform state.

  2. Use Terraform to enforce the policy builder suggestions.

    1. Create a suggestions.tf file. The name of the bigip_waf_pb_suggestions data source should be unique so we can track what modifications have been enforced and when.

      data "bigip_waf_pb_suggestions" "AUG3rd20221715" {
  provider                = bigip.prod
  policy_name            = "scenario5"
  partition              = "Common"
  minimum_learning_score = 100
}

output "AUG3rd20221715" {
       value   = data.bigip_waf_pb_suggestions.AUG3rd20221715.json
}

      You can check the suggestions before they are applied to the BIG-IP:

      foo@bar:~$ terraform plan -out scenario5

foo@bar:~$ terraform apply "scenario5"

foo@bar:~$ terraform output AUG3rd20221715 | jq '. | fromjson'

      You will get the JSON list of suggestions that have a learning score of 100%.

      {
    "suggestions": [
      {
        "action": "update-append",
        "description": "Add/Update Parameter. Disable the matched signature on the matched Parameter",
        "entity": {
          "level": "global",
          "name": "id"
        },
        "entityChanges": {
          "signatureOverrides": [
            {
              "enabled": false,
              "name": "SQL-INJ ' UNION SELECT (Parameter)",
              "signatureId": 200002736
            }
          ],
          "type": "explicit"
        },
        "entityType": "parameter"
      },
[...],
      {
        "action": "add-or-update",
        "description": "Add Policy Server Technology",
        "entity": {
          "serverTechnologyName": "Unix/Linux"
        },
        "entityType": "server-technology"
      }
    ]
  }

    2. Update the main.tf file:

      resource "bigip_waf_policy" "this" {
    provider             = bigip.prod
    application_language = "utf-8"
    partition            = "Common"
    name                 = "scenario5"
    template_name        = "POLICY_TEMPLATE_FUNDAMENTAL"
    type                 = "security"
    policy_import_json   = data.http.scenario5.body
    modifications        = [data.bigip_waf_pb_suggestions.AUG3rd20221715.json]
}

    3. Plan and apply:

      foo@bar:~$ terraform plan -out scenario5

foo@bar:~$ terraform apply "scenario5"

    Check on the BIG-IP UI that the server technologies and other suggestions have been succesfully enforced to your WAF Policy.