4.4. Create WAFaaS Security Device

This next section of this lab will cover how to create a WAFaaS device. We will also attach a preconfigured WAF policy that will provide protection against attacks such as SQL-Injection and other OWASP Top 10 type vulnerabilities.

4.4.1. Create the ICAP service

  1. Login to the BIGIP via TMUI User Credentials

SSL Orchestrator TMUI Access

  1. Click on SSL Orchestrator on the left-hand menu and select Configuration.

SSL Orchestrator Configuration Menu

  1. Click on Services on the middle menu bar and then click Add to add new service.

SSLO GC Services

  1. Click ICAP, select Generic ICAP Service, and then click Add from below.

ICAP service

  1. Type WAFaaS as the Name. Click Add next to ICAP Devices.

ICAP service add

  1. Type 192.19.97.200 for the IP Address and then click Done.

ICAP service ip

  1. Scroll to the bottom of the page and click Save & Next to finish creating the ICAP Service.

ICAP service save

4.4.2. Create the new service chain

  1. Next we need to create a new service chain where our new WAFaaS ICAP service will be placed. Click Add under the Services Chain List to add a new service chain.

Create Service Chain

  1. Type WAFaaS as the Name, Select ssloS_WAFaaS and click Right Arrow, and then click Save at the bottom of the screen.

Save Service Chain

  1. Click Save & Next and the Deploy on the Summary page,

Save Service Chain

Deploy Service Chain

  1. Click OK to acknowledge the successful deployment message.

4.4.3. Disable TCP monitor on the ICAP Pool

  1. Click Local Traffic>>Pools>>Pool List on the left side menu bar. Click on the ssloS_WAFaaS pool.

Select Pool List

  1. Select tcp next to Health Monitors and click the Right Arrow to de-select it from the pool. Click Update down below to make adjustment.

Remove TCP profile from WAFaaS pool

4.4.4. Remove ICAP Adapt profiles

  1. Click Local Traffic>>Virtual Server List and select the ssloS_WAFaaS-t-4 virtual server. MAKE SURE you select the ICAP service with t-4 next to it.

Select the ssloS_WAFaaS-t-4 virtual server

  1. Scroll about half-way down the page and change both Request Adapt Profile and Response Adapt Profile to None. Click Update at the bottom once you have removed the adapt profiles from the virtual server.

remove adapt-profiles from the virtual server

4.4.5. Add WAF Policy to WAFaaS Virtual Server

  1. While still viewing the properties for the ssloS_WAFaaS-t-4 virtual server, click on the Security menu item.

Select Security for Virtual Server

  1. Change the Application Security Policy to Enabled and select the pre-configured WAFaaS_policy WAF policy.

  2. Change Log Profile to Enabled and select Log illegal requests. Click Update when complete.

Add Policy and logging profile to ssloS_WAFaaS-t-4 virtual server

4.4.6. Adjust WAFaaS service profile

  1. CLick Local Traffic>>Profiles>>Other>>Service and click on the service profile ssloS_WAFaaS-service link.

Select the ssloS_WAFaaS-t-4 service

  1. Change the Settings>Type to F5 Module and then click Update.

Changed the type to F5 Module

You have successfully create the WAFaaS ICAP device. Next, we will create a new L3 inbound Existing Application topology that will utilize our new WAFaaS service device.