Lab 4: F5 Distributed Cloud Bot Defense connector for BIG-IP

This lab will focus on the deployment of Bot Defense via a Bot Defense Connector on a BIG-IP. You will use both the F5 Distributed Cloud Console and a BIG-IP in your lab deployment to complete this lab.

Task 1: Define the protected application in F5 Distributed Cloud Bot Defense

  1. Log in to your F5 Distributed Cloud tenant at https://f5-xc-lab-sec.console.ves.volterra.io/web/home.

  2. From the Home page select the Bot Defense tile.


  1. From the left-hand menu select Manage >> Applications. Then select the “Add Application” button.


  1. On the Protected Application screen do the following:

    1. Give the application a descriptive Name (like “f5airlines”)

    2. Leave the Application Region as “US”.

    3. Select “Custom” for the Connector Type.

    4. Click Save and Exit.


  1. This will return you to the Applications screen. Click the ellipsis icon on the right of your newly defined application. From this menu you can copy the values needed to configure the BIG-IP connector.


Task 2: Configure the F5 BIG-IP Distributed Cloud Bot Defense connector profile

  1. Select the Airline App Access Method for your F5 BIG-IP in your UDF deployment.


  1. From this new browser tab, take note of the FQDN. You will need it when configuring the F5 Distributed Cloud Bot Defense profile later in this lab.


  1. Access the TMUI of your BIG-IP 17.1. Login credentials are admin/f5xcdemo!.


  1. In the F5 BIG-IP TMUI, browse to Distributed Cloud Services > Bot Defense > BD Profiles and click the (+) icon to create a new Bot Defense profile.


  1. On the New BD Profile… screen edit the following settings:

    General Properties

    1. Give the BD profile a descriptive Name.

    API Request Settings

    1. Paste into the Application ID field the value copied from F5 Distributed Cloud console.

    2. Paste into the Tenant ID field the value copied from F5 Distributed Cloud console.

    3. Paste into the API Key field the value copied from F5 Distributed Cloud console.


    JS Insertion Configuration

    1. Select the check box to enable Inject JS in Specific URL.

    2. In the JS Inject Included Paths, enter /user/signin and click Add.

    Protected Endpoint(s) – Web

    1. For Protected URIs:

      1. In the Host field, paste in the FQDN from the Airline App Access Method for your BIG-IP.

      Note

      See Exercise 1 step 8. The FQDN for your Airline App will be similar to 3995dde2-4cf8-4c5b-89f2-2d0717d76d5b.access.udf.f5.com.

      1. Enter /user/signin into the Path field.

      2. Select Block from the Mitigation Action dropdown.

      3. Click Add.


    Advanced Features

    1. Select the Advanced view from the section dropdown.

    2. From the Protection Pool – Web dropdown select the ibd-webus.fastcache.net pool.

    3. From the SSL Profile dropdown select the serverssl profile.


    1. Choose X-Forwarded-For from the Source of Client IP Address dropdown.

    2. Click Finished.

The F5 Distributed Cloud Bot Defense connector profile is now configured. However, to protect the application, we must assign the BD profile to the virtual server.

  1. From the F5 BIG-IP TMUI, browse to Local Traffic >> Virtual Servers. Select the airline-backend.f5se.com virtual server.


  1. Select the Distributed Cloud Services tab at the top and then do the following:

    1. Set Bot Defense to Enabled.

    2. From the Profile dropdown, select the BD profile created in the previous step.

    3. Click Update.


Task 3: Test and Monitor Protected Traffic

  1. Select the Airline App Access Method for your F5 BIG-IP in your UDF deployment.

  2. Select Signin in the top left to access the F5 AIR login page. This is the protected page configured in your F5 BIG-IP Distributed Cloud Bot Defense Profile.

  3. Enter any email address and password and click Confirm to submit a login attempt.


  1. Try several login attempts with your browser.

  2. You can generate “attack” traffic by opening your browser’s “Developer Tools”, selecting the Network tab, finding the POST request to the login page, right-clicking it, and choosing “Copy as cURL”.


You can then paste the copied request into a terminal/command prompt and hit Enter.

Repeat this several times to generate many requests.
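
The replay step above can be scripted so that the responses are counted rather than read one by one. This is an added example, not part of the original lab guide; the LAB_HOST placeholder, the https scheme and the form field names (email, password) are assumptions, so substitute the URL and request body from your own “Copy as cURL” output.

```shell
#!/bin/sh
# Added example (not from the lab guide): replay the sign-in POST a few times
# against your own lab deployment and tally the HTTP status codes returned,
# so the effect of the Block mitigation action is visible from the client side.

# Assumption: placeholder for the Airline App FQDN noted in Task 2.
LAB_HOST="${LAB_HOST:-YOUR-AIRLINE-APP-FQDN}"
# Protected path configured in the BD profile.
SIGNIN_PATH="/user/signin"

# send_signin: issue one POST and print only the HTTP status code.
# The form field names below are hypothetical; use the body from "Copy as cURL".
send_signin() {
    curl -s -o /dev/null -w '%{http_code}\n' --max-time 10 \
        --data 'email=test%40example.com&password=example' \
        "https://${LAB_HOST}${SIGNIN_PATH}"
}

# replay N: call send_signin N times, one status code per output line.
replay() {
    n="$1"
    i=0
    while [ "$i" -lt "$n" ]; do
        send_signin
        i=$((i + 1))
        sleep 1
    done
}

# tally: read status codes on stdin, print "code count" lines sorted by code.
tally() {
    sort | uniq -c | awk '{ print $2, $1 }'
}

# Only send traffic when invoked as: sh <script> run [count]
if [ "${1:-}" = "run" ]; then
    replay "${2:-5}" | tally
fi
```

Compare the tally with the Traffic Type shown for the same requests under Report >> Traffic Analyzer.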

  1. Return to the F5 Distributed Cloud console and navigate to the Bot Defense service.

  2. From the left-hand menu, select Overview >> Monitor. Change the time range to Last 1 hour.


Here you will see a high-level overview of the traffic to your Bot Defense protected applications.

  1. From the left-hand menu, select Report >> Traffic Analyzer.


Here you can see the most recent requests associated with your connector-protected applications, the Traffic Type, the Automation Type, and additional detailed information about these requests.

  1. Browse to the other sections under Report in the Bot Defense console: Bad Bot Report, Protection Coverage Report, and Transaction Usage.