Application Firewall
On This Page:
Objective
This document provides instructions on how to create an Application Firewall, also known as a Web Application Firewall (WAF), and deploy it on a load balancer. The WAF consists of technology that enables you to allow or block requests and responses based on the configuration. To learn more about a WAF, see App Firewall.
Using the instructions provided in this document, you can create a WAF with default or custom attack types, enable threat campaigns, define bot protection settings, and attach that WAF to an HTTP load balancer to protect the app that load balancer serves. These instructions also include information on how to control responses from origin servers.
Prerequisites
-
F5® Distributed Cloud Services Account. If you do not have an account, see Create an Account.
-
An HTTP/HTTPS load balancer in your edge/cloud site or in the F5 global network cloud. If you do not have a load balancer, see HTTP Load Balancer for instructions to create one.
Configuration
Protecting your applications using the WAF requires you to create a WAF object in F5® Distributed Cloud Console (Console) and enable it by attaching it to an HTTP/HTTPS load balancer that serves the application for which you want to protect (with the WAF).
Create a WAF
Perform the following to create and configure a WAF:
Step 1: Log into Console and start creating WAF object.
- From the Console homepage, click
Web App & API Protection
.
- Select the desired namespace from the
Namespace
drop-down menu.
Note: You can also create a namespace where the application firewall needs to be created in. From the Console homepage, Select the
Administration
service, and then selectPersonal Management
>My Namespaces
. ClickAdd namespace
, add a name, and then clickSave
.
-
Click
Manage
>App Firewall
. -
Click
Add App Firewall
to load the WAF creation form.
Step 2: Set metadata and WAF mode.
Fill in the required information marked with an asterisk (*
) symbol:
-
In the
Name
field under theMetadata
section, enter a name for the WAF object. -
From the
Enforcement Mode
drop-down menu under theEnforcement Mode
section, select whether you want the WAF to only monitor or block traffic:-
Blocking
: Malicious traffic is both logged and blocked. -
Monitoring
: Traffic is not blocked, but any malicious and suspicious traffic generates security events (logs).
-
Note: The
Enforcement Mode
option is with respect to your load balancer. It overrides your load balancer settings for all traffic.
Step 3: Configure detection settings.
In the Detection Settings
section perform the following:
-
From the
Security Policy
drop-down menu, select whether to apply default settings or a custom setting:-
Default
: This setting applies a broad mix of high and medium accuracy signatures, threat campaigns, and all violations. -
Custom
: This setting enables you to apply specific configurations for attack types, signature selections, automatic attack signatures, threat campaigns, and violations. You can change one or all of the configurations.
-
-
If you choose the
Custom
option, perform the following:- Attack types: The
Default
setting detects all attack types. To configure this option to disable a specific attack type, selectCustom
. Select the attack type from theDisabled Attack Types
drop-down menu.
- Attack types: The
-
From the
Signature Selection by Accuracy
menu, select from one of the available accuracy options. TheHigh and Medium
signatures are enabled by default. -
From the
Automatic Attack Signatures Tuning
menu, enable or disable the automatic attack signature tuning. This option is enabled by default and the WAF suppresses false positive triggers based on its probabilistic learning model. -
From the
Threat Campaigns
menu, enable or disable the threat campaign detection. When enabled, the WAF detects specific threat campaigns and takes action per the enforcement mode settings. -
From the
Violations
menu, selectCustom
to disable one or more violations. From theDisabled Violations
menu, select a violation to disable.
Note the following file types are disallowed by default:
{"bak", "bat", "bck", "bin", "bkp", "cer", "cfg", "cgi", "cmd", "com", "conf", "config", "crt", "dat", "der", "dll", "eml", "exe", "hta", "htr", "htw", "ida", "idc", "idq", "ini", "key", "log", "msi", "nws", "old", "p12", "p7b", "p7c", "pem", "pfx", "pol", "printer", "reg", "sav", "save", "shtm", "shtml", "stm", "sys", "temp", "tmp", "wmz"}
Note: To customize the list of file types disallowed, disable
Illegal filetype
(VIOL_FILETYPE
) using theViolations
menu option and use a custom rule in Service Policy to disallow specific file types.
Note: For a list of supported attack types, signatures, and violations, see the following guides:
Step 4: Configure signature bot protection settings.
From the Signature-Based Bot Protection
drop-down menu, select an option for bot defense:
-
Default
: By default, a malicious bot is blocked and generates a security event. Good and suspicious bot activity generates only security events, and the WAF does not block the activity. -
Custom
: Custom protection enables you to specify what action (Block
,Report
, orIgnore
) to take when the WAF detects a malicious bot, suspicious bot, or a good bot. Set the action in theMalicious Bot
,Suspicious Bot
, andGood Bot
menus.
Step 5: Configure response settings.
In the Advanced configuration
section, enable the Show Advanced Fields
option and perform the following:
-
Allowed Response Status Codes
: SelectCustom
to specify a list of HTTP response status codes that are allowed for the client. Any HTTP responses other than these are not allowed. -
Mask Sensitive Parameters in Logs
: TheDefault
option will mask the values of sensitive parameters (like credit card numbers) in request logs. You can disable this feature or useCustom
to set parameters of your choice, to be masked. For theCustom
option, clickAdd Item
and choose anHTTP Header
,Query Parameter
, orCookie
and enter the name accordingly. After you finish, clickAdd Item
. You can add more than one item using theAdd Item
option. -
Blocking Response Page
: TheDefault
option returns an HTML response page with system settings to the client. To configure a custom response page, selectCustom
and perform the following:-
From the
Response Code
menu, select a response that will be sent for blocked requests. -
In the
Custom Blocking Response Page Body
field, enter a response string of your choice. You can specify the string in ASCII format or Base64 format.
-
Note: Use the
base64
command to encode the response in Base64 format.
Step 6: Complete creating the WAF object.
Click Save and Exit
.
Attach the WAF to a Load Balancer
After creating a WAF object, you can attach it to your load balancer. Once this attachment is done, you can monitor WAF operations on Console.
The WAF policy configured at the load balancer level applies to all domains configured on the load balancer. If you would like to configure a different WAF policy than the one configured on the load balancer for specific match criteria (method, path, etc.), you can do so by configuring the WAF policy per route. Both methods are provided below.
Step 1: Start editing your load balancer.
-
From the Console homepage, click
Load Balancers
. -
Select the desired namespace from the
Namespace
drop-down menu. -
Click
Manage
>Load Balancers
>HTTP Load Balancers
. -
Find your load balancer and click
...
>Manage Configuration
. -
Click
Edit Configuration
to open the edit form.
Step 2: Attach WAF to the load balancer.
In the Web Application Firewall
section, perform the following:
-
From the
Web Application Firewall (WAF)
menu, selectEnable
. -
From the
Enable
drop-down menu, select the WAF object you created in the previous section.
Step 3: Optionally, attach WAF to a specific route.
- Configure your routes per the instructions in the HTTP Load Balancer guide, if not yet configured.
- In the
Advanced Options
field, clickConfigure
.
-
In the
Security
section, perform the following:- From the
Web Application Firewall (WAF)
drop-down menu, selectApp Firewall
.
- From the
- From the
App Firewall
drop-down menu, select the WAF policy for the route you configured.
-
Select
Apply
. -
Select
Apply
to complete route configuration. -
Select
Apply
to close the route configuration form.
Step 4: Save settings.
Click Save and Exit
.
Configure Data Guard
Data Guard prevents HTTP/HTTPS responses from exposing sensitive information, like credit card numbers and social security numbers, by masking the data. If an application leaks this sensitive data in the HTTP/HTTPS responses, then Data Guard will mask that data with a string of asterisks (*
). You can configure and enable the Data Guard feature on your WAF using rules. You can have the Data Guard rules set to apply or skip processing for the criteria configured in the rules.
Step 1: Confirm WAF enabled on HTTP/HTTPS load balancer.
Confirm that the App Firewall
option is enabled in the load balancer configuration.
Step 2: Configure Data Guard rules.
-
Under the
Data Guard Rules
field, clickConfigure
. -
Click
Add Item
.
-
In the
Name
field, add a name for this match rule. -
From the
Action
menu, select an option for Data Guard to take if the request matches the domain and path configured from theDomain
andPath Match
menus below, respectively:-
Apply
: Applies Data Guard processing for the matching criteria. -
Skip
: Skips Data Guard processing for the matching criteria.
-
-
From the
Domain
menu, select whether the request is from any domain, an exact domain, or domains with suffixes. -
From the
Path Match
menu, select an option:-
Prefix
: Match paths using a prefix. -
Path
: Match an exact path. -
Regex
: Match paths using regular expressions (regex).
-
-
Click
Add Item
.
Step 3: Apply Data Guard rules.
Click Apply
.
Monitor WAF Operation
You can verify and monitor the WAF activities from the Web App & API Protection
(WAAP) service from the Console homepage.
Step 1: Navigate to WAAP service.
-
Select the
Web App & API Protection
service from the Console homepage or from theSelect service
option located on the top left in any page. -
Select your desired namespace.
-
Select
Overview
.
Step 2: Inspect security dashboard.
This view provides for security metrics, such as threat intelligence, bot traffic, API classification, DDoS attack information, and security events for all load balancers with corresponding WAFs in a given namespace. All individual load balancers are listed at the bottom of the page.
The Threat Intelligence
field provides summary information about any known attacks or campaigns for a given time range. The Bot Traffic
field provides summary information about the percentage of bot traffic from normal and malicious bots. The API Classification
field provides summary information about total API endpoints and any detected PII. The DDoS Attack Activity
field provides summary information about the total number of layer 7 attacks across all load balancers in the given namespace.
You can also view summary information for all security events, view the source IP attack origin from the Top Attack Sources
field, and view which paths and domains were attacked in the Top Attacked Paths
field. The Events by Country
field provides a graphical display of source countries where the attacks originated. The Active Configuration
field provides the total number of load balancers in the namespace as well as the services enabled on each.
This view also displays WAF information which includes enforcement mode, bot attacks, security events, malicious users, and DDoS events.
- Select
Security Dashboard
.
- Use the selector to select a specific load balancer. You can select up to five. The default view displays information for all load balancers in the selected namespace.
- From the bottom of the page, select a load balancer to load its security performance view.
Note: You can also edit the load balancer configuration using the
...
>Manage Configuration
option in theActions
field.
- View the security information for the specific load balancer.
- Select any of the tabs at the top to view the corresponding information for
API Endpoints
,Malicious Users
,Security Events
,DDoS
,Alerts
,Requests
, andBot Defense
.
Create WAF Exclusion Rules
These rules define the signature IDs and violations/attack types that should be excluded from WAF processing on specific match criteria. The specific match criteria include domain, path, and method. If the client request matches on all these criteria, then the WAF will exclude processing for the items configured in the detection control.
The WAF exclusion rules are configured and applied during load balancer configuration.
Note: When creating WAF exclusion rules, you must not create two identical rules that have the same match criteria for easier maintenance. Instead, it is recommended to update an existing rule.
Step 1: Build a custom rule list.
-
From the Console homepage, click
Load Balancers
. -
Select
Manage
>Load Balancers
>HTTP Load Balancers
. -
Select the desired namespace.
-
Find your existing load balancer to edit its configuration, or click
Add HTTP load balancer
to create a new load balancer. -
Go to
Web Application Firewall
section. Under theWAF Exclusion Rules
field, clickConfigure
. -
Click
Add Item
. -
In the
Name
field, enter a name for the WAF exclusion rule. Optionally, add a description. -
From the
Domain
drop-down menu:- Select whether this rule applies to all domains, an exact domain, or a particular domain suffix.
Any Domain
is the default value. If you selectExact Value
, enter a value in the field provided. If you selectSuffix Value
, enter a value with a suffix (for example,xzy.com
).
- Select whether this rule applies to all domains, an exact domain, or a particular domain suffix.
-
In the
Path Regex
field, enter a directory path with regular expressions (regex) to match patterns to exclude from WAF processing.
-
Optionally, select request methods to match from the
Methods
menu. -
Configure detection control from the exclude sections. Click
Add item
for each subsection:-
For the
Exclude App Firewall Signature Contexts
, enter a signature ID to exclude from WAF processing. -
For the
Exclude App Firewall Violation Contexts
, select a violation from the menu to exclude from WAF processing. -
For the
Exclude App Firewall Attack Types Contexts
, select a type of attack to exclude from WAF processing. -
For the
Exclude Bot Names Contexts
, enter the name of the bot that should not be affected by the WAF.
-
-
Enter a timestamp in the
Expiration Timestamp
field if you want this rule to stop being used after the entered timestamp expires.
Note: You can exclude an attack type instead of excluding individual signatures. If you are excluding a particular attack type, you do not need to add signature IDs that belong to that attack type. When you exclude an attack type, this action automatically excludes all signatures under that attack type.
-
After you finish, click
Add Item
. -
Click
Apply
.
Note: The order of the WAF exclusion rules matter. The WAF will process the rules starting from the top and work its way down. If there is a match on one rule, then the execution process stops and the subsequent rules are not evaluated. You can change the order of these rules by simply dragging and dropping the rules in the order you see fit. You can also click
...
>Move to another spot
, and then use the arrows to move the rule up or down the list.
Step 2: Save and complete.
-
Continue to configure your load balancer, as needed.
-
After you finish, click
Save and Exit
.
Note: For more information about creating or editing a load balancer, see HTTP Load Balancer.
Skip WAF Processing for Specific Match Criteria
If you want to entirely skip WAF processing for specific match criteria, you need to enable this feature in the load balancer configuration. The match criteria are a combination of domain, method, and path.
Step 1: Navigate to your load balancer.
-
From the Console homepage, click
Load Balancers
. -
Select the application namespace.
-
Click
Manage
>Load Balancers
>HTTP Load Balancers
. -
From the displayed list, find your load balancer and select
...
>Manage Configuration
.
- Select
Edit Configuration
.
Step 2: Edit load balancer configuration.
-
From the left pane menu, select
Web Application Firewall
. -
Under the
WAF Exclusion Rules
subsection, clickConfigure
.
- Select
Add Item
.
Step 3: Add rule name, metadata, and exclusion criteria.
- In the
Name
field, add a rule name.
-
From the
Domain
menu, select wether this exclusion rule and match criteria will apply to all domains, a specific domain, or a grouping of domains. For a specific domain, selectExact Value
and then enter the domain name. For a grouping of domains, selectSuffix Value
and then enter the value. -
In the
Path Regex
field, enter a regular expression to match incoming requests.
-
From the
Methods
menu, select the type of request methods to be matched. -
From the
WAF Exclusion Rule Action
menu, selectSkip App Firewall Processing
.
-
Select
Apply
to save the exclusion rule. -
Select
Apply
again to apply the exclusion rule.
Step 4: Save and complete.
Select Save and Exit
to save the new configuration.