5. (Optional) Lab 4: Fine Tuning a WAF Policy

This lab is also covered in the xC WAF 102 course.

In this next lab we will learn how to customize a WAF policy.

We will go through the actions of disabling specific WAF rules that are associated with a specific Load Balancer and application path.

5.1. Leveraging Support ID/Request ID

In the previous lab exercises you may have noticed that a “support ID” appears when you trigger a WAF block.

We can use the reported support ID to disable specific signatures.

5.1.1. Exercise 1: Generate Cross Site Scripting (XSS)

  1. Send the following request to your [NAMESPACE].lab-sec.f5demos.com site

    /headers/?username=<script>window.open(%27hello%20world%27);</script>

  2. Retrieve the “support ID” that is displayed. Copy the value into your clipboard (i.e. highlight support ID in Chrome and select “Copy” / Ctrl-C).

  3. Click on “Select service” and select “Load Balancers”. Click “Virtual Hosts” -> “HTTP Load Balancers” and click on your “global” Load Balancer.

  4. Select the “global” Load Balancer. Click on the “Performance Monitoring” dropdown and select “Security Monitoring”. Select the “Security Events” tab.

  5. Click on “Refresh” (on the page) until you see a request that matches the time of your most recent request.

  6. Click on “Add Filter” under Security events

  7. Select “req_id”

    Warning

    If you do not see “req_id” you may need to refresh your browser window. Also ensure that you see at least one event on the page.

  8. Select the Operator “In”

  9. Paste in the support ID.

  10. Click the “Assign a custom value(s)…” link.

  11. At the bottom of the page you should see the desired Security Event. Scroll to the far right to look for the “Actions” column and click on the three dots “…”

  12. Select “Create WAF Exclusion Rule” from the “Actions” menu

5.1.2. Exercise 2: Creating WAF Exclusion Rule

  1. Take note of the list of Signature IDs that are listed.

  2. Search for one of the IDs at: https://clouddocs.f5.com/cloud-services/latest/f5-cloud-services-Essential.App.Protect-Details.html. For example, searching for “200000098” should return an “XSS script tag (Parameter)” signature.

  3. Click on “Apply”. You will now be taken to the “WAF Exclusion Rules” dialogue.

  4. Click on “Apply”. You will now be taken back into the HTTP Load Balancer configuration, where “WAF Exclusion Rules” should now show as “Configured”.

  5. Scroll to the bottom of the page and click on “Save and Exit”

  6. Retry visiting your site with the same URL to your [NAMESPACE].lab-sec.f5demos.com site

    /headers/?username=<script>window.open(%27hello%20world%27);</script>

5.1.3. Exercise 3: View Requests Log

We can also view requests that have been excluded from a WAF policy by viewing the requests log.

  1. From the “Security Events” page in F5 Distributed Cloud Console click on the “Requests” menu item at the top of the page.

  2. Look for a “GET” request for /headers/ and click on the arrow on the left of the date to expand the entry.

  3. Observe that under “Policy Hits” you will see the WAF exclusion rule that was triggered.

  4. Try visiting your site with a different URL to your [NAMESPACE].lab-sec.f5demos.com site: /txt/?username=<script>window.open(%27hello%20world%27);</script>

  5. Observe that this request is blocked. F5 Distributed Cloud WAF can exclude signatures by both Signature ID and path, and these exclusions are tied to a specific HTTP Load Balancer.
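The scoping shown in steps 3 to 5, as an added example that is not part of the lab or of F5's own code: a small Python model of how an exclusion rule created from a Security Event applies. It assumes the rule matches on load balancer, exact path and the listed signature IDs, that a request matching a signature the rule does not list stays blocked, and it uses constructed req_id values and events.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SecurityEvent:
    """One row of the Security Events view (constructed fields)."""
    req_id: str  # the "support ID" shown on the block page
    load_balancer: str
    path: str
    signature_ids: frozenset

@dataclass(frozen=True)
class ExclusionRule:
    """A WAF Exclusion Rule: LB + path + the signature IDs it excludes."""
    load_balancer: str
    path: str
    signature_ids: frozenset

def find_events(events, support_id):
    """Exercise 1, steps 7-10: filter Security Events on req_id == support ID."""
    return [e for e in events if e.req_id == support_id]

def rule_from_event(event):
    """Exercise 1, step 12: 'Create WAF Exclusion Rule' pre-fills LB, path, IDs."""
    return ExclusionRule(event.load_balancer, event.path, event.signature_ids)

def is_blocked(event, rules):
    """Blocked unless a rule on the same LB and path excludes every matched ID
    (assumption: a signature the rule does not list still blocks the request)."""
    return not any(
        r.load_balancer == event.load_balancer
        and r.path == event.path
        and event.signature_ids <= r.signature_ids
        for r in rules
    )

XSS = frozenset({"200000098"})  # "XSS script tag (Parameter)", see Exercise 2
EVENTS = [  # constructed events: the lab's XSS request on two paths and two LBs
    SecurityEvent("4131234567890000", "global", "/headers/", XSS),
    SecurityEvent("4131234567890001", "global", "/txt/", XSS),
    SecurityEvent("4131234567890002", "other-lb", "/headers/", XSS),
]

def lab_walkthrough():
    """Creates the rule from the /headers/ event; returns blocked? per event."""
    rules = [rule_from_event(find_events(EVENTS, "4131234567890000")[0])]
    return tuple(is_blocked(e, rules) for e in EVENTS)  # (False, True, True)
```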

Congratulations, you have completed the lab!

5.1.4. Video Walkthrough

Optional video you can watch if you get stuck.