4. Lab 3: Exploring Service Policies

The following lab tasks will guide you through the configuration of various Service Policies, which can be used to implement a variety of security controls.

4.1. Task 1: Creating Local Namespace Service Policies

In this task you will add geo-filter and allowed-ip based Service Policies.

  1. In the left-hand navigation menu, expand the Security section and click Service Policies. In the flyout menu, click the Service Policies link.
  2. Observe the existing Service Policies and note they are sourced from the shared namespace, which means they can be used within any other namespace.
  3. Click Add Service Policy in the top left area as shown.

Note

Using shared namespace Service Policies provides the ability to use API-updated policy controls to implement common service security across multiple resources.

  4. In the Metadata section enter geo-filter for the Name and then click Rules in the left-hand navigation.
  5. Select Denied Sources from the dropdown for Select Policy Rules, then locate the Country List input field.
  6. Begin typing Fiji and then select it from the list that appears.
  7. Click the dropdown for Default Action. Observe the available options and select Next Policy, then click Save and Exit.
  8. Observe the resulting geo-filter Service Policy added in your namespace.
  9. Open another tab in your browser (Chrome shown), navigate to https://ipinfo.io and note your IP address as shown (example provided).
  10. Return to the Service Policies window and click Add Service Policy.
  11. In the Metadata section enter allowed-ip for the Name and then click Rules in the left-hand navigation.
  12. Select Allowed Sources from the dropdown for Select Policy Rules, then locate the IPv4 Prefix List configuration section and click Configure.

Note

The section just below “List of IP Prefix Set” allows you to build a collection of various IP lists which can be maintained through API controls.

  13. Enter your IP address captured in Step 9 above with mask notation (/32) as shown, then click the Apply button.
  14. In the resulting window, click the dropdown for Default Action and select Deny, then click Save and Exit.
  15. Observe the resulting allowed-ip Service Policy added in your namespace.

4.2. Task 2: Attaching Service Policies and configuring IP Reputation

The following steps will enable you to attach Service Policies to your configured Load Balancer. They will also help you understand additional approaches for Service Policies.

  1. Return to the Load Balancer in the F5 Distributed Cloud Console, Manage > Load Balancer > HTTP Load Balancers, use the Action Dots and click Manage Configuration.
  2. Click Edit Configuration in the top right-hand corner.
  3. Click Security Configuration in the left-hand navigation.
  4. From the Service Policies dropdown, select Apply Specified Service Policies.
  5. In the added menu for Apply Specified Service Policies, click Configure.
  6. In the resulting Policies window, use the List of Policies dropdown to select your <namespace>/geo-filter Service Policy. Then click Apply.
  7. Returning to the Load Balancer window, you will note the changes shown in your Service Policies section.
  8. As we are already in this section, we will go ahead and add IP reputation filtering. This can be added as a Service Policy (shared or local namespace) or as a direct configuration.
  9. To start the IP Reputation configuration, locate the IP Reputation section, click the dropdown menu, then select Enable.
  10. Using the List of IP Threat Categories, you may add any of the configured Threat categories.
  11. Select Spam Sources and Tor Proxy, then scroll to the bottom of the window and click the Save and Exit button.
  12. In your browser (Chrome shown), navigate to your application/Load Balancer configuration: http://<namespace>.lab-sec.f5demos.com.
  13. You should receive a 403 Forbidden error. This is due to a Service Policy configuration error. Because we only attached the geo-filter Service Policy and its Default Action was Next Policy, there is no other or next policy to “Allow” traffic; therefore all other traffic is disallowed, producing the 403. This will also show in the Security Events window.
  14. Return to the Load Balancer in the F5 Distributed Cloud Console, Manage > Load Balancer > HTTP Load Balancers, use the Action Dots and click Manage Configuration.
  15. Click Edit Configuration in the top right-hand corner.
  16. Click Security Configuration in the left-hand navigation.
  17. From the Service Policies section, click Edit Configuration.
  18. In the resulting window click Add Item and from the dropdown select your allowed-ip Service Policy <namespace>/allowed-ip.
  19. Observe the order. Service Policies must be ordered correctly in order to process traffic as intended. Click Apply when completed.

Note

Because the “allowed-ip” policy begins with an allowed IP (yours) and ends in a “Deny”, a positive security model is applied (denying all other traffic). Similar positive or negative Service Policies can be created and applied (headers, methods, file types, etc.).

  20. Scroll to the bottom of the HTTP Load Balancer configuration and click Save and Exit.
  21. In your browser (Chrome shown), navigate to your application/Load Balancer configuration: http://<namespace>.lab-sec.f5demos.com. You should now be able to successfully access the application.

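To make the 403 explained above and the ordering Note concrete, here is an added Python model of ordered Service Policy evaluation; it is an illustration written for this guide, not F5 Distributed Cloud code, and it assumes the semantics the lab describes (first matching rule decides, a policy's Default Action of Next Policy falls through, and an exhausted chain denies). The source address 203.0.113.7 is a constructed placeholder for the IP captured in Task 1.

```python
# Model of ordered Service Policy evaluation (added example, not F5 code).
# A request is checked against each attached policy in order; the first
# matching rule decides. If no rule matches, the policy's default applies:
# "allow"/"deny" end evaluation, "next" falls through to the next policy.
# If every attached policy falls through, the request is denied (403).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    action: str                     # "allow" or "deny"
    countries: frozenset = frozenset()   # e.g. Denied Sources country list
    prefixes: tuple = ()            # e.g. Allowed Sources IPv4 prefix list

    def matches(self, src_ip: str, country: str) -> bool:
        if country in self.countries:
            return True
        addr = ip_address(src_ip)
        return any(addr in ip_network(p) for p in self.prefixes)


@dataclass
class Policy:
    name: str
    rules: list
    default: str                    # "allow", "deny" or "next"


def evaluate(policies: list, src_ip: str, country: str) -> tuple:
    """Return (http_status, deciding_policy) for one request."""
    for pol in policies:
        for rule in pol.rules:
            if rule.matches(src_ip, country):
                return (200 if rule.action == "allow" else 403, pol.name)
        if pol.default != "next":
            return (200 if pol.default == "allow" else 403, pol.name)
    return 403, "implicit-deny"     # chain exhausted: nothing allowed it


# Policies as built in Task 1; 203.0.113.7 is a constructed lab IP.
MY_IP = "203.0.113.7"
GEO_FILTER = Policy("geo-filter", [Rule("deny", countries=frozenset({"Fiji"}))], "next")
ALLOWED_IP = Policy("allowed-ip", [Rule("allow", prefixes=(MY_IP + "/32",))], "deny")

if __name__ == "__main__":
    print(evaluate([GEO_FILTER], MY_IP, "United States"))            # 403, implicit-deny
    print(evaluate([GEO_FILTER, ALLOWED_IP], MY_IP, "United States"))  # 200, allowed-ip
    print(evaluate([GEO_FILTER, ALLOWED_IP], "198.51.100.9", "United States"))  # 403
    print(evaluate([GEO_FILTER, ALLOWED_IP], MY_IP, "Fiji"))         # 403, geo-filter
    print(evaluate([ALLOWED_IP, GEO_FILTER], MY_IP, "Fiji"))         # 200: order matters
```

The last call shows why the order in the Policies list matters: with allowed-ip first, its Deny default ends evaluation and the geo-filter is never consulted.
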
4.3. Task 3: Observing Route Configurations

The following steps explore the Routes configuration of your configured Load Balancer and show additional approaches for controlling access alongside Service Policies.

  1. Return to the Load Balancer in the F5 Distributed Cloud Console, Manage > Load Balancer > HTTP Load Balancers, use the Action Dots and click Manage Configuration.
  2. Click Edit Configuration in the top right-hand corner.
  3. Click Routes Configuration in the left-hand navigation.
  4. Toggle the Show Advanced Fields button to the On position.
  5. Under the Routes section, click Configure.
  6. In Routes, click the Add Item link.
  7. In the resulting menu, toggle the Show Advanced Fields button to the On position.
  8. Observe the various route types and matching criteria controls that can be leveraged to securely control access, perform pool targeting, make path responses or develop custom control to secure protected applications.

End of Lab 3: This concludes Lab 3. Feel free to review and test the configuration.

A Q&A session will begin shortly to conclude the overall lab.