Lab 1.4: Deploy a WAF with BIG-IQ and AS3 using an ASM policy on BIG-IP using Policy Builder

Note

Estimated time to complete: 25 minutes

Lab environment access

If you have not yet visited the page Getting Started, please do so.

Workflow

  1. Larry creates the ASM policy in transparent mode on BIG-IQ and deploys it to the BIG-IP(s).
  2. David creates the AS3 template and references the ASM policy created by Larry in the template.
  3. David assigns the AS3 template to Paula.
  4. Paula creates her application service using the template given by David.
  5. After Paula does the necessary testing of her application, she reaches out to Larry.
  6. Larry reviews the ASM learning, deploys the ASM policy changes to the BIG-IP(s) and sets the policy to blocking mode.
  7. They all go for happy hour.

Prerequisites

1. First, make sure the ASM module has been discovered and imported for SEA-vBIGIP01.termmarc.com under Devices > BIG-IP DEVICES.

2. Check if the Web Application Security service is Active under System > BIG-IQ DATA COLLECTION > BIG-IQ Data Collection Devices.

ASM Policy and Security Logging Profile creation (Larry)

Let’s first deploy the default Advanced WAF policy and Security Logging Profile available in BIG-IQ to SEA-vBIGIP01.termmarc.com.

  1. Login to BIG-IQ as larry.
  2. Go to Configuration > Security > Web Application Security > Policies and clone the policy called templates-default, naming the clone templates-default-cloned.

Note

In this example, we created a clone from an existing policy, but you could also create a new policy from one of the default WAF templates available in BIG-IQ under Configuration > Security > Web Application Security > Policy Templates.

  3. Select templates-default-cloned and change Enforcement Mode to transparent under POLICY BUILDING > Settings, then click on Save & Close.
  4. Under Virtual Servers, click on the inactive virtual server attached to SEA-vBIGIP01.termmarc.com.
  5. Select /Common/templates-default-cloned, then click on Save & Close.
  6. Notice the policy is now attached to the inactive virtual servers. Select the inactive virtual servers attached to SEA-vBIGIP01.termmarc.com and click on Deploy.
  7. The deployment window opens. Type a name and select Deploy immediately for the Method. Under the Target Device(s) section, click on Find Relevant Devices and select SEA-vBIGIP01.termmarc.com. Then, click on Deploy.
  8. Confirm the deployment information and click on Deploy.
  9. Wait for the deployment to complete. Once the deployment is completed, you can confirm the changes by clicking on View.
  10. Deploy the default BIG-IQ Security Logging Profile so the ASM events are sent correctly to the BIG-IQ DCD.

Note

This step is only for your information, as it has already been performed in this lab.

Under Configuration > SECURITY > Shared Security > Logging Profiles, templates-default is the default Security Logging Profile available on BIG-IQ.

  11. Under Pinning Policies, click on the SEA-vBIGIP01.termmarc.com device and confirm the logging profile has been added under Logging Profiles.

AS3 WAF template creation (David)

Until now we used a default AS3 template out-of-the-box (available on https://github.com/f5devcentral/f5-big-iq) for deploying an application service. It is good practice to clone the default AS3 templates and tailor the copies to your custom needs.

  1. Login as david, go to the Applications tab > Applications Templates, select AS3-F5-HTTPS-WAF-existing-lb-template-big-iq-default-<version> and press Clone.
  2. Give the cloned template the name AS3-LAB-HTTPS-WAF-custom-template and click Clone.
  3. Open the template AS3-LAB-HTTPS-WAF-custom-template and select the Analytics_Profile AS3 class. Change the property Collect Client-Side Statistics to Override, as well as Collect URL and Collect User Agent.

Note

Response Code, User Method and Operating System and Browser are already enabled by default in the AS3 schema.

  4. Now, select the Service_HTTPS AS3 class. Change the property bigip under policyWAF to /Common/templates-default-cloned. Make sure the property is set to Editable.

Note

If you want to hide the ASM policy in the template, you can set the property to Override (only starting with BIG-IQ 7.1, see BIG-IQ 7.0 Release Note #811013).

  5. Click Save & Close.
  6. Select AS3-LAB-HTTPS-WAF-custom-template and click Publish.
  7. Before paula can use this AS3 template, david needs to update her role. Use the previous steps in Lab 3.2 to add the AS3 template AS3-LAB-HTTPS-WAF-custom-template to the Application Creator VMware custom role assigned to paula.

AS3 WAF application service deployment (Paula)

Now that both the Advanced WAF policy and the Security Logging Profile are available on the BIG-IP and the AS3 WAF template is published on BIG-IQ, let’s create the WAF application service using AS3 & BIG-IQ.

  1. Login as paula, select the previously created LAB_module3 Application and click Create.
  2. Click Create to create an Application Service with the following settings:

Application properties:
  • Grouping = New Application or Part of an Existing Application
  • Application Name = LAB_module3
  • Description = My second AS3 template deployment through a GUI
Select an Application Service Template:
  • Template Type = Select AS3-LAB-HTTPS-WAF-custom-template [AS3]
General Properties:
  • Application Service Name = https_waf_app_service
  • Target = SEA-vBIGIP01.termmarc.com
  • Tenant = tenant2
Analytics_Profile: keep default.
Pool:
  • Members: 10.1.20.123
Service_HTTPS:
  • Virtual addresses: 10.1.10.122
  • policyWAF: /Common/templates-default-cloned
  • Security Log Profiles: /Common/templates-default
Certificate: keep default.
TLS_Server: keep default.
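For reference, the application service filled in above corresponds to an AS3 declaration like the one below. This is an added example reconstructed from the values on this page, not the lab's own template or the declaration BIG-IQ generates; the Analytics_Profile property names follow the public AS3 schema, and the pointers to /Common/default.crt and /Common/default.key are assumed placeholders for whatever the template's "keep default" certificate is.

```json
{
  "class": "ADC",
  "schemaVersion": "3.20.0",
  "tenant2": {
    "class": "Tenant",
    "https_waf_app_service": {
      "class": "Application",
      "template": "https",
      "remark": "Added example; certificate pointers are placeholders",
      "serviceMain": {
        "class": "Service_HTTPS",
        "virtualAddresses": ["10.1.10.122"],
        "redirect80": true,
        "pool": "web_pool",
        "policyWAF": { "bigip": "/Common/templates-default-cloned" },
        "securityLogProfiles": [{ "bigip": "/Common/templates-default" }],
        "profileAnalytics": { "use": "analytics" },
        "serverTLS": "webtls"
      },
      "web_pool": {
        "class": "Pool",
        "members": [{ "servicePort": 80, "serverAddresses": ["10.1.20.123"] }]
      },
      "analytics": {
        "class": "Analytics_Profile",
        "collectClientSideStatistics": true,
        "collectUrl": true,
        "collectUserAgent": true,
        "collectResponseCodes": true,
        "collectMethods": true,
        "collectOsAndBrowser": true
      },
      "webtls": {
        "class": "TLS_Server",
        "certificates": [{ "certificate": "webcert" }]
      },
      "webcert": {
        "class": "Certificate",
        "certificate": { "bigip": "/Common/default.crt" },
        "privateKey": { "bigip": "/Common/default.key" }
      }
    }
  }
}
```

Note that the declaration only references the ASM policy: its enforcement mode (transparent now, blocking later) lives on the policy itself, so Larry's later change to blocking does not require redeploying the application service.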
  3. Click Create.
  4. Check that the application service https_waf_app_service has been created under Application LAB_module3.
  5. Now, let’s look on the BIG-IP and verify the application is correctly deployed in partition tenant2.
  6. Login to the SEA-vBIGIP01.termmarc.com BIG-IP from the lab environment. Select the partition tenant2 and look at the objects created on the BIG-IP.
  7. Notice that the new https_waf_app_service comes with a redirect. Select the HTTPS VS, select Security and click Policies. Application Security Policy is Enabled and the Log Profile is set to templates-default.
  8. Back on BIG-IQ, logged in as paula, select tenant2_https_waf_app_service. What is the enforced Protection Mode?
  9. From the lab environment, launch a remote desktop session to get access to the Ubuntu Desktop. Open Chrome and navigate to the following URL: https://10.1.10.122.
  10. Paula does the necessary testing of her application and reaches out to Larry when she is done.

Note

There are traffic generators sending good and bad traffic from the LAMP server in the lab.

  11. Paula can update the application service health alert rules by clicking on the Health icon at the top left of the Application Dashboard.

ASM Policy Learning review and Dashboard/Events (Larry & Paula)

  1. Login as larry and go to Configuration > Security > Web Application Security > Policies.
  2. Select templates-default-cloned, navigate under POLICY BUILDING > Suggestions and review the learning.
  3. Accept the necessary suggestions.

Note

In case the app is deployed on a BIG-IP HA pair, the learning is not synchronized unless the failover group is set to automatic or the central Policy Builder feature is used.

  4. Navigate under POLICY BUILDING > Settings, change Enforcement Mode to blocking, then click on Save & Close.
  5. Select templates-default-cloned and click on Deploy to deploy the changes (same as previously done).
  6. Let’s generate some bad traffic: connect to the Ubuntu LAMP server and launch the following script:

    /home/f5/traffic-scripts/generate_http_bad_traffic.sh

  7. Check the ASM attack types by navigating under Monitoring > EVENTS > Web Application Security > Event Logs > Events.
  8. Login as paula, select the previously created LAB_module3 Application, then click on https_waf_app_service.
  9. In BIG-IQ 7.x, the protection mode isn’t automatically updated on the Application Dashboard; the following workaround is no longer needed in version 8.0 and above.

Under Properties, select CONFIGURATION, then add upgradeProtectionMode 3/26/20 in the Description field and click Save.

  10. In the Application Dashboard, navigate to the Security Statistics and notice the Malicious Transactions.
  11. Stop the bad traffic script: connect to the Ubuntu LAMP server and press CTRL+C.

Note

Try navigating to https://10.1.10.122/cal.exe from Chrome on the LAMP server.