Lab 1 - Use the Secure Guided Configuration to Build a WAF Policy

Objective

  • Log into the BIG-IP
  • Create a blocking policy using the guided configuration utility
  • Apply the security policy to an existing virtual server
  • Apply a security logging profile to the virtual server

Create security policy using the Guided Configuration

  1. On your UDF page, go to your BIG-IP component, click the Access drop-down menu and choose TMUI (traffic management user interface). This is a link to your configuration utility.

    ../../_images/bigiplogin1.png
  2. Log in to the BIG-IP with the ever so secure credentials of Username admin and Password f5demos4u!.

  3. On the Main tab to your left, select Security > Guided Configuration. This opens the Guided Configuration screen.

    ../../_images/webappbutton1.png
  4. Click on the Web Application Protection template button.

    ../../_images/webapptemplate1.png
  5. The guided configuration now provides an overview of what will be configured. Click the Next button.

  6. Give your configuration the name juice_shop_waf; this will also name your security policy.

  7. Under Select Enforcement Mode, select Blocking.

    Note

    Typically you would deploy a new policy in transparent mode so you can observe the logs before blocking, which helps avoid false positives. But come on… this is a lab. We are going to block stuff!

  8. Click on Show Advanced Settings button in the upper right hand corner of your page.

    ../../_images/advanced21.png
  9. Under Server Technologies add the following to the selected window. Adding these technologies will assist in building a more precise policy.

    • AngularJS
    • Express.js
    • JavaScript
    • JQuery
    • MongoDB
    • Node.js
    • SQLite
  10. Press the Save & Next button below.

    ../../_images/servertechnologies1.png

    Note

    We are adding these technologies since we know what the application is using. There is also a feature that can be turned on that can allow the policy to learn these technologies.

  11. Check Assign Policy to Virtual Server, under Virtual Server choose Use Existing, and move the Juice_Shop_VS to the selected window. Press Save & Next.

    ../../_images/addvs1.png
  12. The next page will summarize the objects and policy configuration. Review, and take note that you can also go back and edit if required. When done click Deploy at the bottom of the screen. It will take a few moments to complete the policy build.

    ../../_images/ready_to_deploy1.png
  13. After the policy is created, we will want to apply a logging profile to our new security policy.

    • Go to Security -> Overview -> Summary, and the policy you just created should be listed.
    • Place a check to the left of the Virtual Server name that your new security policy is applied to.
    • Now click the blue Attach button above and select Logging Profile
    ../../_images/attachlogging11.png
    • Select Log illegal requests and press the other Attach button below.
    ../../_images/attachlogging21.png
    • You will now see the logging profile is added under the Application Security column.
  14. You now have an active application security policy that is learning, staging, and logging protections against the Juice_Shop virtual server.
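Once the lab steps are done, it is worth confirming from the BIG-IP shell that the policy really is in the enforcement mode you chose and that the logging profile is attached, rather than trusting the GUI summary alone. The script below is an added example, not part of this lab or of F5's own tooling. It assumes the object names used above (virtual server Juice_Shop_VS, policy juice_shop_waf, built-in logging profile "Log illegal requests") and assumes that `tmsh list ltm virtual <vs> security-log-profiles` and `tmsh list asm policy <name> enforcement-mode` return output shaped like the constructed samples inside the script; verify both commands on your BIG-IP version before relying on them. When tmsh is not present (for example when run off-box), the script falls back to the constructed samples so the parsing logic can be exercised anywhere.

```shell
#!/bin/sh
# Post-deployment check for the lab's WAF configuration (added example, not part of the lab).
# Assumptions: virtual server Juice_Shop_VS, policy juice_shop_waf, and tmsh `list`
# output shaped like the constructed samples below.

# Return 0 if the given `tmsh list ltm virtual <vs> security-log-profiles` output
# contains the named logging profile (tmsh quotes names that contain spaces).
has_log_profile() {
    # $1 = tmsh output text, $2 = profile name
    printf '%s\n' "$1" | grep -Fq "\"$2\""
}

# Print the mode found in `tmsh list asm policy <name> enforcement-mode` output
# (expected values: blocking or transparent).
enforcement_mode() {
    printf '%s\n' "$1" | awk '$1 == "enforcement-mode" { print $2 }'
}

# Constructed sample output resembling what tmsh returns after the lab steps.
SAMPLE_VS='ltm virtual Juice_Shop_VS {
    security-log-profiles {
        "Log illegal requests"
    }
}'
SAMPLE_POLICY='asm policy juice_shop_waf {
    enforcement-mode blocking
}'

# Compare the live (or sample) state with what the lab intended.
# $1 = virtual server listing, $2 = policy listing, $3 = expected enforcement mode
check_waf() {
    status=0
    if has_log_profile "$1" "Log illegal requests"; then
        echo "ok: 'Log illegal requests' profile is attached to the virtual server"
    else
        echo "FAIL: no 'Log illegal requests' profile on the virtual server; blocked requests will not be logged"
        status=1
    fi
    mode=$(enforcement_mode "$2")
    if [ "$mode" = "$3" ]; then
        echo "ok: enforcement mode is $mode"
    else
        echo "FAIL: enforcement mode is '$mode', expected '$3'"
        status=1
    fi
    return $status
}

# Use live tmsh output on the BIG-IP, otherwise the constructed samples.
if command -v tmsh >/dev/null 2>&1; then
    VS_OUT=$(tmsh list ltm virtual Juice_Shop_VS security-log-profiles)
    POLICY_OUT=$(tmsh list asm policy juice_shop_waf enforcement-mode)
else
    VS_OUT=$SAMPLE_VS
    POLICY_OUT=$SAMPLE_POLICY
fi
check_waf "$VS_OUT" "$POLICY_OUT" blocking
```

Pass `transparent` instead of `blocking` as the last argument when you follow the usual production practice of observing a new policy before enforcing it; the script then flags a policy that was accidentally deployed in blocking mode, which is the mistake the note under step 7 warns about.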