Lab 1: Managing BIG-IP Advanced WAF with Policy Supervisor

Policy Supervisor is an online unified configuration solution for security policies, built to manage and convert configuration across multiple F5 Web App Firewall solutions. It enables operators of F5 WAF technologies to convert policy files between the BIG-IP AWAF, F5 Distributed Cloud WAF, and NGINX NAP formats. In the process, Policy Supervisor generates and uses an intermediate JSON-based common declarative format called CDP (Common Declarative Policy) for policy lifecycle management. Once a policy is converted to CDP, it can be deployed to any supported WAF solution, which is referred to as a Provider in Policy Supervisor terminology.

Please refer to the Tutorial in the GitHub repo (https://github.com/f5devcentral/ps-convert) for currently supported Provider types.

Policy Supervisor provides a graphical interface for visual policy creation, editing and management for traditional SecOps personas.

Task 1: Create a new Policy Supervisor Provider

The following steps will walk you through connecting Policy Supervisor to your BIG-IP WAF.

The first step is to create a Provider.

A Provider is a generic name used by Policy Supervisor to indicate an F5 Web App Firewall. The supported Provider types are: F5 Distributed Cloud WAF, BIG-IP Advanced WAF (AWAF), and NGINX Application Protection (NAP). Add and connect providers in Policy Supervisor to enable the deployment of your configuration policies across endpoints and load balancers for complete WAF protection.

When you add a BIG-IP instance as a provider, you must first set up an agent and associated secret on the private network to enable a secure connection between the BIG-IP instance and Policy Supervisor.

  • The agent must be connected to the same private network where the provider is running to ensure a secure connection between Policy Supervisor and the provider.

  • The agent machine must also have outbound Internet access for connectivity back to Policy Supervisor.

  • The Policy Supervisor Agent is a Linux binary that is first installed on this machine/VM and is registered using a unique token generated in the Policy Supervisor UI for your Policy Supervisor workspace only.

  • The Agent is used to create Secrets, which are stored in your environment only and are never transmitted outside of your network.

  • These secrets are used to connect to your BIG-IP AWAF or NGINX NAP instance to execute various policy-related functions within a Docker container environment on that machine/VM.

Note

Prerequisites:

Installation of the Policy Supervisor Agent requires the following applications to be installed on your Linux machine/VM:

  • Docker

  • wget

Access the F5 Policy Supervisor console at https://policysupervisor.io as instructed in the previous Introduction section of this lab guide.

Warning

Policy Supervisor uses the Microsoft Azure AD authentication service for login. You must have a valid Azure AD account to proceed with this lab.

  1. On the Overview > Providers page, click Add Provider. If this is the first provider being added, there are two Add Provider buttons on the screen. The Add Provider pane will appear.

  2. There are no agents configured yet. Choose BIG-IP for the Provider Type and click + Add new agent, which appears below the Select Agent dropdown once a Provider Type has been selected. The Add Agent pane will appear and a token will be automatically generated as a long text string.

  3. Copy and paste (save) the value of the Token to a text file or notepad. (This token will be required in Task 2 below.)

  4. From within the Add Agent pane, locate and click the link to go to the agent-install page (step 1.). The corresponding GitLab repository page will open.

  5. At the bottom of the Package Registry page, right-click on the agent-installer file name and select Copy Link. (This URL will be required in Task 2 below.)

Note

The URL for the agent-installer file changes from time to time when it is updated.

Task 2: Install a Policy Supervisor Agent

Next, we will use the token and the URL obtained in task 1 above to install the Agent on your UDF virtual lab environment. For this lab, the Agent must be installed on your SuperJumpHost Linux machine, which is connected to the same management network as your BIG-IP. The SuperJumpHost is pre-configured in your lab environment with permission to communicate with the Policy Supervisor across the Internet.

  1. Browse to your lab session at https://udf.f5.com again and find the Deployment tab to see your virtual machines.

  2. Find the SuperJumpHost system and click its ACCESS link to see a list of access options.

  3. Select Web Shell to access the SuperJumpHost machine’s command line interface in a new browser tab. (You will be automatically logged in as root.)

  4. Set your working directory to /tmp with the “cd /tmp” Linux command.

cd /tmp

  5. Use the URL copied at step 5 of Task 1 above to download the installer via the command line: “wget <…insert URL from above Task 1 here…>”

wget <...insert URL here...>

  6. After the download completes, rename the file with this Linux command: “mv download agent-installer”

mv download agent-installer

  7. Next, give the installer package execution rights to enable it to run: “chmod +x ./agent-installer”

chmod +x ./agent-installer

  8. Run the agent installer by using the following command: “./agent-installer”

./agent-installer

  9. Wait for the “Enter agent token” prompt and paste the value of the Token obtained in Task 1 above. (Command-V on a Mac, Ctrl-Shift-V on Windows.)

  10. Enter the name “udf” when prompted for the agent name. Wait for registration to complete successfully (this takes a few minutes). You will then be prompted to “Enter secret name”.

  11. Select Add Secret and/or type “bigip” when prompted for the secret name. If the secret already exists, you must first select Remove Secret and delete it before attempting to add it again.

  12. Type “admin” when prompted for the username.

  13. Type “Canada123!” when prompted for a password.

  14. Press “Enter” when prompted for the ssh key path (we’re not using one in this demo).

  15. Press “Enter” when prompted to select an option (choose the default “Finish” option).
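The following script is an added example, not part of the lab guide or the Policy Supervisor project. It wraps the command-line steps of Task 2 with two checks worth making before a freshly downloaded installer is executed as root: that the stated prerequisites (Docker and wget) are on PATH, and that the file saved from the Package Registry URL is actually an ELF binary rather than an HTML error page (the URL changes from time to time, as noted in Task 1). The function names are this example's own, and it uses wget -O to save under the final name instead of a separate mv.

```shell
#!/bin/sh
# Added example: prerequisite and download sanity checks around the agent install.
# Function names (missing_prereqs, looks_like_elf, install_agent) are this example's own.

# Print any required command that is not on PATH; return 1 if one is missing.
missing_prereqs() {
  missing=""
  for cmd in "$@"; do
    command -v "$cmd" >/dev/null 2>&1 || missing="$missing $cmd"
  done
  [ -z "$missing" ] || { echo "missing prerequisites:$missing" >&2; return 1; }
}

# Return 0 only if the file starts with the ELF magic bytes 7f 45 4c 46.
# A stale Package Registry URL typically yields an HTML page instead of the binary.
looks_like_elf() {
  [ "$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# Task 2 steps 4-8: download into /tmp, verify, make executable, run.
# $1 is the agent-installer URL copied from the Package Registry page in Task 1.
install_agent() {
  url="$1"
  missing_prereqs docker wget || return 1
  cd /tmp || return 1
  wget -O agent-installer "$url" || return 1   # saves directly under the final name
  if ! looks_like_elf ./agent-installer; then
    echo "agent-installer is not an ELF binary; re-copy the URL from Task 1" >&2
    return 1
  fi
  chmod +x ./agent-installer
  ./agent-installer   # prompts for the agent token, agent name and secret as in Task 2
}

# Only run the install flow when a URL is supplied on the command line.
if [ $# -ge 1 ]; then
  install_agent "$1"
fi
```

Run it on the SuperJumpHost as `sh install-agent.sh "<URL copied in Task 1>"`; the interactive token, agent-name and secret prompts then proceed exactly as in steps 9 to 15.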

Task 3: Finish adding a first provider in Policy Supervisor

The configuration of the new Provider can be completed now that the Agent is ready.

  1. Go to https://policysupervisor.io again and click Done (you return to the Add Provider pane with BIG-IP selected for the Provider Type).

  2. Select the new udf option that should now be visible in the dropdown list for the Agent field (the agent that was registered in the previous task).

  3. Choose the new bigip option that should now be visible in the dropdown list for the Secrets field (the secret that was created in the previous task) and click Continue.

  4. The Provider Name and Provider URL fields will now appear.

  5. Type “bigip1” for the Provider Name and type “https://10.1.1.6” for the Provider URL.

  6. Click the Test Connection button and wait for the tests to complete successfully.

Task 4: Add a 2nd BIG-IP provider in Policy Supervisor

We will re-use the same udf Agent and bigip Secret created in Task 2 above to manage the WAF policies on your 2nd BIG-IP because they are connected to the same management network in your UDF virtual lab environment.

  1. Click the Add another Provider button to add the second BIG-IP appliance in your virtual lab environment.

  2. Select the BIG-IP option for the provider type.

  3. Select the udf option for Agent.

  4. Select the bigip option for Secret (the two BIG-IPs have been configured with the same password).

  5. Click Continue. The Provider Name and Provider URL fields will now appear.

  6. Type “bigip2” for the Provider Name and type “https://10.1.1.7” for the Provider URL.

  7. Click the Test Connection button and wait for the tests to complete successfully.

  8. Click the Go to overview link.

You now have two BIG-IP providers configured in Policy Supervisor.

Task 5: Ingest an existing BIG-IP WAF policy in Policy Supervisor

BIG-IP1 is already configured with a WAF policy attached to the web_app virtual server. Let’s ingest this WAF policy into Policy Supervisor.

  1. Start from the Providers Overview page.

  2. Click to select bigip1, then click Ingest Policies.

  3. Select the discovered policy (i.e., My_ASM_Rapid…) and click Continue.

  4. Click Next.

  5. Type “Ingest from bigip1” for the required commit message.

  6. Click Save & Ingest Policy, then wait for the ingestion to complete successfully.

Task 6 (optional): Import an existing BIG-IP WAF policy in Policy Supervisor

F5 WAF policies can be imported instead of ingested. This option is useful when the installation of a Policy Supervisor agent is not possible or when the BIG-IP appliance cannot be configured or managed as a Provider.

  1. Browse to https://udf.f5.com again and find the Deployment tab to see your virtual machines.

  2. Find bigip1 under F5 Products and click its ACCESS link to see a list of access options.

  3. Select the TMUI option to open bigip1’s GUI management interface in a new browser tab.

  4. Log in with username “admin” and password “Canada123!”.

  5. Browse to the “Security -> Application Security -> Security Policies -> Policies List” page.

  6. Click on your policy’s name (My_ASM_Rapid_Deployment_Policy).

  7. Click the EXPORT button and select the JSON Format option.

  8. Click the OK button and wait a few moments for the export process to complete.

  9. If prompted, click Allow to complete the download of the exported policy to your workstation. The resulting JSON file should now be in your Downloads folder.

  10. Browse back to the Policy Supervisor Policy Overview page (https://policysupervisor.io/).

  11. Click the Add button and select the Import from File option.

  12. Enter a name in the Policy Name text box (for example: bigip1 waf imported policy).

  13. Select the BIG-IP option from the Policy Type dropdown list.

  14. Click the Upload button, then locate and select the previously downloaded JSON file.

  15. Enter a note in the Import Notes / Summary text box.

  16. Click the Import button.

  17. Wait for the import process to complete.

  18. Click the Go to Overview button.

The imported WAF policy will be listed on the Policies Overview page, which now shows two WAF policies: the one just imported in the steps above and the one previously added using the Ingest method.

Task 7: Deploy a WAF policy to a BIG-IP

  1. In Policy Supervisor, browse to the Policies Overview page.

  2. Select a policy, then find and click the Deploy button.

  3. Select the bigip2 option from the Provider options, type “Deploy to bigip2” in the mandatory commit message text box, and click the Conversion Summary button.

  4. Wait for the Conversion Summary screen to appear.

  5. Click the Save & Continue button.

  6. Click the Continue Deployment button on the Conversion Report screen that appears.

  7. Select the web_app virtual server from the dropdown list and click the Next button.

  8. Click the Deploy button.

  9. Wait for the deployment to complete successfully, then click the Back to Overview button.

Task 8: Confirm successful deployment of the WAF policy on BIG-IP2

Note

The password for the admin account on your BIG-IP appliances is set to Canada123!

  1. Browse to https://udf.f5.com again and find the Deployment tab to see your virtual machines.

  2. Find bigip2 under F5 Products and click its ACCESS link to see a list of access options.

  3. Select the TMUI option to open bigip2’s GUI management interface in a new browser tab.

  4. Log in with username “admin” and password “Canada123!”.

  5. Browse to the virtual servers list page.

  6. Click on the web_app name to view the virtual server’s properties page.

  7. Browse to the virtual server’s Security -> Policies page.

  8. Observe that the Application Security Policy (i.e., the WAF policy) is Enabled.

WELL DONE!!!

In the next lab we will deploy a WAF policy ingested from a BIG-IP appliance to an F5 Distributed Cloud WAF.
