3.7. Creating an F5 Advanced WAF Service (On-box)

3.7.1. What it is

Advanced WAF is built on proven F5 technology and goes beyond reactive security such as static signatures and reputation to proactively detect and mitigate bots, secure credentials and sensitive data, and defend against application denial-of-service (DoS).

Advanced WAF delivers flexible and comprehensive protections wherever apps reside and without compromising performance. Advanced WAF is offered as an appliance, virtual edition, and as a managed service—providing automated WAF services that meet complex deployment and management requirements while protecting your apps with great precision. It is the most effective solution for guarding modern applications and data from existing and emerging threats while maintaining compliance with key regulatory mandates.

In SSL Orchestrator 11.0, Advanced WAF (AWAF) is configured as an "on-box" resource. That is, AWAF is licensed, provisioned, and running on the same BIG-IP system as SSL Orchestrator, rather than on a separate inline device. The SSL Orchestrator service inserts the AWAF security policies (application security, DoS protection, and bot defense) directly into the decrypted service chain, so the WAF inspects the cleartext traffic without a separate decrypt/re-encrypt hop.

For more information on F5 Advanced WAF: https://www.f5.com/products/security/advanced-waf

Note that SSL Orchestrator does not recognize WAF policies created with the Guided Configuration wizard; such policies will not appear in the Application Security Policy list of this service. Create the policy outside of Guided Configuration (for example with the Create New link described below).


3.7.2. How to build it

Either from a topology workflow or directly under the Services tab in the SSL Orchestrator user interface, click the Add button to create a new F5 Advanced WAF (On-Box) service.

The AWAF Service form takes the following user input:

Name

Provide a name for this service.

Description

Optionally enter a description here.

Application Security Policy

Lists the Application Security Manager (ASM) application security policies already created on the BIG-IP system. An Application Security policy protects a web application server from malicious traffic, using positive and negative security features.

Use an existing policy or select Create New to create a new policy. Clicking Create New opens the policy creation page in a new browser tab, outside of Guided Configuration. After creating the policy, return to this tab and refresh the dropdown to select it.

DoS Protection Profile

Lists the DoS profiles already created on the BIG-IP system. A DoS Protection profile defines the strategies used to detect and mitigate Denial of Service (DoS) attacks on protected objects. It protects your data center by detecting and mitigating many malicious traffic patterns and packet types, also referred to as attack vectors or attack signatures.

Depending on your license, a DoS profile can be attached to services and virtual servers only a limited number of times, so the license may prevent you from reusing the same DoS profile across multiple services.

Use an existing profile or select Create New to create a new profile. Clicking Create New opens the profile creation page in a new browser tab, outside of Guided Configuration. After creating the profile, return to this tab and refresh the dropdown to select it.

Bot Defense Profile

Lists the Bot Defense profiles already created on the BIG-IP system. A Bot Defense profile proactively identifies and mitigates automated attacks on your applications by web robots before they cause damage to the site. This defense method, called bot defense, can stop layer 7 DoS attacks, web scraping, and brute force attacks before they start.

Use an existing profile or select Create New to create a new profile. Clicking Create New opens the profile creation page in a new browser tab, outside of Guided Configuration. After creating the profile, return to this tab and refresh the dropdown to select it.

Log Profiles

Lists the Logging profiles already created on the BIG-IP system. A Logging profile determines which events the system logs, where it logs, and the format of these events. Select an Available log profile and move it to the list of Selected log profiles.

Click Save & Next to proceed.


The workflow then proceeds to the Service Chains page, where this new service can be added to a service chain.
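Because every dropdown on the form only lists objects that already exist on the BIG-IP, it is worth confirming before starting the workflow that the ASM/Advanced WAF module is provisioned and that at least one application security policy (and whichever DoS, bot defense, and logging profiles you intend to select) exists. The following pre-flight script is an added example, not F5 or SSL Orchestrator code. It is meant to be run on the BIG-IP itself with tmsh on the PATH, and it assumes the standard tmsh component paths for the four object types (asm policy, security dos profile, security bot-defense profile, security log profile) and the "one-line" output format of `<component words> <name> { ... }`.

```shell
#!/bin/sh
# Pre-flight check before adding an "F5 Advanced WAF (On-Box)" service.
# Added example, not F5 or SSL Orchestrator code. Run on the BIG-IP
# (tmsh on PATH, Administrator-role account).
# Assumptions: standard tmsh component paths for the objects the service
# form lists, and the "one-line" output format:
#   <component words> <name> { ... }

# Print the full path (/Partition/name) of every object of one tmsh
# component, e.g. list_objects "security dos profile".
list_objects() {
    comp="$1"
    set -- $comp                      # word-split to count component words
    tmsh list $comp one-line 2>/dev/null | awk -v n="$#" '{ print $(n+1) }'
}

# Succeed if the ASM (Advanced WAF) module is provisioned at any level.
# A module provisioned at "none" prints no level, so a level is proof.
asm_provisioned() {
    tmsh list sys provision asm one-line 2>/dev/null \
        | grep -Eq 'level (minimum|nominal|dedicated)'
}

# Print one report line per object type. Return 1 when the service form
# cannot be completed: module not provisioned, or no application
# security policy available to select. DoS, bot defense and log profiles
# are only reported, since the form lets you leave them unset.
preflight() {
    rc=0
    if asm_provisioned; then
        echo "OK   ASM/Advanced WAF is provisioned"
    else
        echo "FAIL ASM/Advanced WAF is not provisioned"
        rc=1
    fi
    for comp in "asm policy" "security dos profile" \
                "security bot-defense profile" "security log profile"; do
        names=$(list_objects "$comp")
        if [ -n "$names" ]; then
            echo "OK   $comp:"
            echo "$names" | sed 's/^/       /'
        else
            echo "NONE $comp: nothing to select; use Create New first"
            [ "$comp" = "asm policy" ] && rc=1
        fi
    done
    return $rc
}

# Run the report only where tmsh exists, i.e. on a BIG-IP.
command -v tmsh >/dev/null 2>&1 && preflight
```

Run it as `sh awaf_preflight.sh` on the BIG-IP; a non-zero exit means the Application Security Policy dropdown would be empty or the module is not provisioned, and a `NONE` line for the other three types tells you which Create New link you will need. Policies created through the Guided Configuration wizard are listed by tmsh like any other asm policy, so this script cannot tell you which ones SSL Orchestrator will refuse to show; that caveat still has to be checked by hand.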