Lab 1: Deploying F5 Distributed Cloud Proxy Services to Securely Deliver a Public Endpoint

This lab will focus on the deployment and security of an existing hosted application using F5 Distributed Cloud Platform and Services. This lab will be deployed in a SaaS only configuration with no on-premises (public or private cloud) elements. All configuration will be made via the F5 Distributed Cloud Console and within the F5 Distributed Cloud Global Network services architecture.

For the tasks that follow, you should have already noted your individual namespace. If you failed to note it, return to the Introduction section of this lab, follow the instructions provided and note your namespace accordingly. The Delegated Domain and the F5 Distributed Cloud Tenant are listed below for your convenience as they will be the same for all lab attendees.

Following the tasks in the prior Introduction Section, you should now be able to access the F5 Distributed Cloud Console, having set your Work Domain Roles and Skill levels. If you have not done so already, please login to your tenant for this lab and proceed to Task 1.

Task 1: Configure Load Balancer and Origin Pool

The following steps will allow you to deploy and advertise a globally available application. These steps will create an origin pool, add a health monitor, define an application, register its DNS, and advertise the application on the Internet using the F5 Distributed Cloud Global Network.

  1. Following the Introduction section instructions, you should now be in the Multi-Cloud App Connect

    configuration window. If for some reason you are not in the Multi-Cloud App Connect window, use the

    Select Service in the left-hand navigation, and click Multi-Cloud App Connect as shown in the

    Introduction section, Task 2, Step 9.

  2. In the left-hand navigation expand Manage and click Load Balancers > Origin Pools

  3. In the resulting screen click the Add Origin Pool in the graphic as shown.

Note

*You have defaulted to your specific namespace as that is the only namespace to which you have

administrative access.*

lab001

lab002

  1. In the resulting window, enter <namespace>-pool in the Name field and click Add Item under

    Origin Servers

lab003

  1. In the resulting window, Public DNS Name of Origin Server should be selected for Select Type of

    Origin Server.

  2. For DNS Name enter the following hostname: demo-app.amer.myedgedemo.com and then click Apply

lab004

  1. After returning to the prior window, change the Port under Origin server Port to 80.

  2. Scroll to the bottom and click Save and Exit.

lab005

lab006

  1. In the left-hand navigation expand Manage and click Load Balancers > HTTP Load Balancers.

  2. In the resulting screen click the Add HTTP Load Balancer in the graphic as shown.

lab007

lab008

  1. Using the left-hand navigation and in the sections as shown, enter the following data. Values where

    <namespace> is required, use the name of your given namespace.

    • Metadata:Name ID: <namespace>-lb

    • Domains and LB Type: List of Domains: <namespace>.lab-sec.f5demos.com

    • Domains and LB Type: Select Type of Load Balancer: HTTP

    • Domains and LB Type: Automatically Manage DNS Records: (Check the checkbox)

    • Domains and LB Type: HTTP Port: 80

lab009

  1. In the current window’s left-hand navigation, click Origins. Next, click Add Item Pools section of

    Origins.

lab010

  1. In the resulting window, verify Origin Pool is selected for Select Origin Pool **Method.

  2. Select the <namespace>/<namespace>-pool from the Origin Pool dropdown.

  3. Click Apply

lab011

  1. In the resulting HTTP Load Balancer window, scroll to the Other Settings section and note the

    VIP Advertisement setting.

  2. Click Save and Exit at the bottom of the HTTP Load Balancer configuration screen.

Note

The VIP Advertisement selection controls how/where the application is advertised. The “Internet” setting

means that this application will be advertised globally using the F5 Distributed Cloud Global Network

utilizing Anycast.

lab012

  1. In the HTTP Load Balancers window, note the application hostname under the Domains column (This

    was done in Task1: Step 11).

lab013

Task 2: Testing the Application and Viewing Telemetry Data

The following steps will validate access to the application via web browser, review the Performance Monitoring dashboard, and gather request details.

  1. Open another tab in your browser (Chrome shown), navigate to the newly configured Load Balancer

    configuration: http://<namespace>.lab-sec.f5demos.com, to confirm it is functional.

  2. Navigate to the HEADER section under Menu to generate additional traffic.

lab014

lab015

  1. Returning to the F5 Distributed Cloud Console, use the left-hand navigation to navigate to Multi-Cloud App

    Connect section and click on Performance

  2. Scroll to the Load Balancers section of the page and click the link for your respective load balancer.

lab016

lab017

  1. Change the viewable time period from Last 5 minutes (default) to 1 hour by selecting the dropdown

    shown, click Last 1 hour then clicking Apply.

  2. Note the End to end Latency tile. This shows the average latency for all requests to this load

    balancer.

Note

As you have not run many requests, summary analytics may not be available in the dashboard view yet.

lab018

lab019

  1. Click the Requests link to see detailed information about individual requests.

  2. Note the Chart shows a graphical representation of all of the response codes for the selected time

    frame.

Note

This data can be filtered to quickly narrow in on points of interest.

lab020

lab021

  1. Click the Hide Chart link to free up space in the browser window.

  2. Expand one of the individual requests to view additional details about that request.

  3. Note the Duration section. This shows the latency for this specific request. These values can be

    compared to the average latency data noted in step 6.

lab022

lab023

Task 3: Add an Application Firewall Policy to Protect the Application

The following steps will guide you through adding a Web Application Firewall (WAF) Policy.

These steps will apply a preconfigured WAF policy to the load balancer created in Task 1.

  1. Following Task 2, you should have the Multi-Cloud App Connect navigation panel on the left of your

    console. If for some reason you do not see the Multi-Cloud App Connect navigation panel, use the

    Select Service dropdown at the top left, and click Multi-Cloud App Connect as shown in the

    Introduction section, Task 2, Step 9.

  2. In the left-hand navigation expand Manage and click Load Balancers > HTTP Load Balancers

  3. On the resulting page find the HTTP Load Balancer created in Task 1 (<namespace>-lb). Click the

    ellipsis under Actions and select Manage Configuration.

lab028

lab029

  1. On the resulting page click Edit Configuration.

  2. Click Web Application Firewall in the left-hand navigation.

lab030

lab031

  1. Under the Web Application Firewall section select Enable from the Web Application Firewall

    (WAF) dropdown.

  2. Select preconfigured the Web Application Firewall

    (shared/base-appfw) from the Enable dropdown.

  3. Scroll to the bottom of the page and click Save and Exit

lab032

lab033

Task 4. Test the Application Firewall and View Security Events

The following steps will test and validate the Web Application Firewall, review the Security

Monitoring dashboard, and gather security event details.

  1. Open another tab in your browser (Chrome shown), navigate to the newly configured Load Balancer

    configuration: http://<namespace>.lab-sec.f5demos.com, to confirm it is functional.

  2. Using some of the sample attacks below, add the URI path & variables to your application to generate

    security event data.

    • /?cmd=cat%20/etc/passwd

    • /product?id=4%20OR%201=1

    • /cart?search=aaa’><script>prompt(‘Please+enter+your+password’);</script>

Note

The web application firewall is blocking these requests to protect the application. The block page can

be customized to provide additional information.

lab034

  1. Returning to the F5 Distributed Cloud Console, use the left-hand navigation to navigate to Multi-Cloud App

    Connect section and click on Performance

  2. Scroll to the Load Balancers section of the page and click the link for your respective load balancer.

lab016

lab017

  1. Click the Performance Monitoring dropdown at the top of the page and select Security Monitoring

lab035

  1. From the Dashboard view, using the horizontal navigation, click Security Analytics.

  2. Note the Chart shows a graphical representation of all of the response codes for the selected time

    frame.

Note

If you lost your 1 Hour Filter, re-apply using Task 2: Step 5

lab037

lab038

  1. Click the Hide Chart link to free up space in the browser window.

  2. Expand your latest security event as shown.

  3. Note the summary detail provided in the Information link. The req_id which is synonymous with

Support ID (filterable) from the block page.

  1. Scroll to the bottom of the information screen to see specific signatures detected and actions taken

    during the security event.

Note

Note that Requests have additional detail in JSON format

lab039

lab040

lab041

End of Lab 1: This concludes Lab 1. In this lab you created an origin pool to connect to the

application, you then created a load balancer and associated the origin pool to the load balancer. This

allowed the application to be advertised via the F5 Distributed Cloud Global Network. The Distributed Cloud

Console was then used to review telemetry data gathered for the application. Next an Application Firewall

policy was assigned to protect the application. Finally a sample attack was run against the application and the security event data was reviewed within the Distributed Cloud Console.

A brief presentation will be shared prior to the beginning of Lab 2.

labend