Use Case 06: WAF (XML) Policy Management in a Role with Juice Shop With AS3¶
OVERVIEW¶
WAF-Policy-Mangement-Role.yaml and JuiceShop-Docker-Deploy.yaml are Ansible Roles to manage blocked IP addresses and URL’s on F5 ASM through Ansible automation using the Juice Shop website.
Web Application Firewalls work to protect web applications by inspecting incoming traffic, blocking bots, SQL injection, Cross Site Scripting and a host of other attacks. This playbook is designed to demonstrate a basic WAF scenario to create and modify an F5 WAF (ASM) policy to block URL(s) or IP address(s) or both.
Using this role, other security vendors or even ticketing based solutions like Service NOW, users will be able to create a start to finish automated solution based on when attacks can occur.
RUNNING THE TEMPLATE¶
Running this template assumes that a F5 BIG-IP instance, necessary webservers and Ansible node are available.
Login to the Ansible host
Change Directory in the Ansible Host to the use-cases repo previously downloaded
cd ~/f5-bd-ansible-labs/201-F5-Advanced/AS3/06-WAF-Policy-Management-JuiceShop-Roles-AS3/Launch the Ansible playbook ‘JuiceShop-WAF.yaml’ to build out the Juice Shop Podman container on each webserver node and deploy the VIP/WAF Policy:
ansible-navigator run JuiceShop-WAF.yaml --mode stdoutAttention
This can take up to 5 minutes due to installing of podman and all of its sub-components, and the JuiceShop application on each webserver.
(Optional) Block your Client IP Address with WAF
You can use the IP address of the External Client Node to block which is “10.1.1.9”
ansible-navigator run Block-My-IP.yaml --mode stdout --extra-vars "my_ip_address=10.1.1.9"This template will gather your IP Address from your SSH connection and then add it to the existing WAF Policy and start blocking your IP so that when you browse port 8085 you will get a “Request Rejected” message.
Note
This Playbook modifies the provisioning of modules on the BIG-IP and will take some time to complete as the new module comes online.
Attention
This Playbook detects if blocked URL or IP already exists and only add what is new (idempotency).
TESTING AND VALIDATION¶
VERIFYING WAF POLICY ENFORCEMENT:
Access Using F5 UDF Console:
Using the External Client (UDF –> Components –> External Client –> Access –> Firefox)
In the Bookmarks bar you can select the
Ansible Labs
Folder and goto201 - Labs
and SelectUse Case 6
OR within the browser you can browse to https://10.1.20.30:8085/
Access the URL’s present in the f5_vars.yml file to see the WAF policy in action
BIG-IP CONFIGURATION VERIFICATION:
This section is optional and for testing and verification purposes only. It assumes knowledge of how to operate BIG-IP commands and networking.
Access Using F5 UDF Console:
BIG-IP - (In UDF –> Components –> BIG-IP –> Access –> TMUI) - This will popup a webpage to access the F5 Login Page
Login to the BIG-IP instance
Navigate to Security –> Application Security to view the WAF policy deployed
Navigate to Local Traffic –> Virtual Servers
View the deployed use case access F5-BIG-IP-Public-IP:port (8085)
Login information for the BIG-IP:
username: admin
password: found in the inventory hosts file
UDF Lab Revert¶
Once you have completed this section it is recommended to go back to Use-Case 00 and run the restore of the BIG-IP before continuing to test the Modules Section.