Application Firewall

Objective

This document provides instructions on how to create an Application Firewall, also known as a Web Application Firewall (WAF), and deploy it on a load balancer. A WAF allows or blocks requests and responses according to its configuration. To learn more about a WAF, see App Firewall.

Using the instructions provided in this document, you can create a WAF with default or custom attack types, enable threat campaigns, define bot protection settings, and attach that WAF to an HTTP load balancer to protect the app that load balancer serves. These instructions also include information on how to control responses from origin servers.


Prerequisites


Configuration

Protecting your applications using the WAF requires you to create a WAF object in F5® Distributed Cloud Console (Console) and enable it by attaching it to the HTTP/HTTPS load balancer that serves the application you want to protect.

Create a WAF

Perform the following to create and configure a WAF:

Step 1: Log into Console and start creating WAF object.
  • From the Console homepage, click Web App & API Protection.

Figure: Console Homepage

  • Select the desired namespace from the Namespace drop-down menu.

Figure: Application Namespace

Note: You can also create the namespace in which the application firewall will be created. From the Console homepage, select the Administration service, and then select Personal Management > My Namespaces. Click Add namespace, add a name, and then click Save.

  • Click Manage > App Firewall.

  • Click Add App Firewall to load the WAF creation form.

Figure: Create App Firewall

Step 2: Set metadata and WAF mode.

Fill in the required information marked with an asterisk (*) symbol:

  • In the Name field under the Metadata section, enter a name for the WAF object.

  • From the Enforcement Mode drop-down menu under the Enforcement Mode section, select whether you want the WAF to only monitor or block traffic:

    • Blocking: Malicious traffic is both logged and blocked.

    • Monitoring: Traffic is not blocked, but any malicious and suspicious traffic generates security events (logs).

Figure: WAF Metadata and Mode

Note: The Enforcement Mode option is with respect to your load balancer. It overrides your load balancer settings for all traffic.

Step 3: Configure detection settings.

In the Detection Settings section perform the following:

  • From the Security Policy drop-down menu, select whether to apply default settings or a custom setting:

    • Default: This setting applies a broad mix of high and medium accuracy signatures, threat campaigns, and all violations.

    • Custom: This setting enables you to apply specific configurations for attack types, signature selections, automatic attack signatures, threat campaigns, and violations. You can change one or all of the configurations.

  • If you choose the Custom option, perform the following:

    • Attack types: The Default setting detects all attack types. To configure this option to disable a specific attack type, select Custom. Select the attack type from the Disabled Attack Types drop-down menu.

Figure: Attack Types

  • From the Signature Selection by Accuracy menu, select from one of the available accuracy options. The High and Medium signatures are enabled by default.

  • From the Automatic Attack Signatures Tuning menu, enable or disable the automatic attack signature tuning. This option is enabled by default and the WAF suppresses false positive triggers based on its probabilistic learning model.

  • From the Threat Campaigns menu, enable or disable the threat campaign detection. When enabled, the WAF detects specific threat campaigns and takes action per the enforcement mode settings.

  • From the Violations menu, select Custom to disable one or more violations. From the Disabled Violations menu, select a violation to disable.

Figure: Disable Violation Types

Note: The following file types are disallowed by default:

{"bak", "bat", "bck", "bin", "bkp", "cer", "cfg", "cgi", "cmd", "com", "conf", "config", "crt", "dat", "der", "dll", "eml", "exe", "hta", "htr", "htw", "ida", "idc", "idq", "ini", "key", "log", "msi", "nws", "old", "p12", "p7b", "p7c", "pem", "pfx", "pol", "printer", "reg", "sav", "save", "shtm", "shtml", "stm", "sys", "temp", "tmp", "wmz"}

Note: To customize the list of file types disallowed, disable Illegal filetype (VIOL_FILETYPE) using the Violations menu option and use a custom rule in Service Policy to disallow specific file types.

Note: For a list of supported attack types, signatures, and violations, see the following guides:

Step 4: Configure signature bot protection settings.

From the Signature-Based Bot Protection drop-down menu, select an option for bot defense:

  • Default: By default, a malicious bot is blocked and generates a security event. Good and suspicious bot activity generates only security events, and the WAF does not block the activity.

  • Custom: Custom protection enables you to specify what action (Block, Report, or Ignore) to take when the WAF detects a malicious bot, suspicious bot, or a good bot. Set the action in the Malicious Bot, Suspicious Bot, and Good Bot menus.

Figure: Signature Bot Protection Settings

Step 5: Configure response settings.

In the Advanced configuration section, enable the Show Advanced Fields option and perform the following:

  • Allowed Response Status Codes: Select Custom to specify a list of HTTP response status codes that are allowed for the client. Any HTTP responses other than these are not allowed.

  • Mask Sensitive Parameters in Logs: The Default option masks the values of sensitive parameters (such as credit card numbers) in request logs. You can disable this feature, or select Custom to choose the parameters to be masked. For the Custom option, click Add Item, choose HTTP Header, Query Parameter, or Cookie, and enter the corresponding name. After you finish, click Add Item. Repeat to add more items.

  • Blocking Response Page: The Default option returns an HTML response page with system settings to the client. To configure a custom response page, select Custom and perform the following:

    • From the Response Code menu, select a response that will be sent for blocked requests.

    • In the Custom Blocking Response Page Body field, enter a response string of your choice. You can specify the string in ASCII format or Base64 format.

Note: Use the base64 command to encode the response in Base64 format.

Figure: HTTP Blocking Response Settings

Step 6: Complete creating the WAF object.

Click Save and Exit.


Attach the WAF to a Load Balancer

After creating a WAF object, you can attach it to your load balancer. Once this attachment is done, you can monitor WAF operations on Console.

Step 1: Start editing your load balancer.
  • From the Console homepage, click Load Balancers.

  • Select the desired namespace from the Namespace drop-down menu.

  • Click Manage > Load Balancers > HTTP Load Balancers.

  • Find your load balancer and click ... > Manage Configuration.

  • Click Edit Configuration to open the edit form.

Figure: Load Balancer Edit Configuration

Step 2: Attach WAF to the load balancer.

In the Security Configuration section, perform the following:

  • From the Select Web Application Firewall (WAF) Config menu, select App Firewall.

Figure: App Firewall

  • From the App Firewall drop-down menu, select the WAF object you created in the previous section.

  • Click Save and Exit.

Figure: Select WAF Object


Configure Data Guard

Data Guard prevents HTTP/HTTPS responses from exposing sensitive information, like credit card numbers and social security numbers, by masking the data. If an application leaks this sensitive data in the HTTP/HTTPS responses, then Data Guard will mask that data with a string of asterisks (*). You can configure and enable the Data Guard feature on your WAF using rules. You can have the Data Guard rules set to apply or skip processing for the criteria configured in the rules.

Step 1: Confirm WAF enabled on HTTP/HTTPS load balancer.

Confirm that the App Firewall option is enabled in the Security Configuration section for load balancer configuration.

Figure: WAF Enabled on Load Balancer

Step 2: Configure Data Guard rules.
  • Under the Data Guard Rules field, click Configure.

Figure: Configure

  • Click Add Item.

Figure: Add Item

  • In the Name field, add a name for this match rule.

  • From the Action menu, select an option for Data Guard to take if the request matches the domain and path configured from the Domain and Path Match menus below, respectively:

    • Apply: Applies Data Guard processing for the matching criteria.

    • Skip: Skips Data Guard processing for the matching criteria.

Figure: Set Data Guard Action

  • From the Domain menu, select whether the request is from any domain, an exact domain, or domains with suffixes.

  • From the Path Match menu, select an option:

    • Prefix: Match paths using a prefix.

    • Path: Match an exact path.

    • Regex: Match paths using regular expressions (regex).

  • Click Add Item.

Figure: Add Data Guard Rules

Step 3: Apply Data Guard rules.

Click Apply.

Figure: Apply Data Guard Rules
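The following is an added example, not part of this guide or the product's code, that models the Data Guard behaviour described above: rules with Apply/Skip actions, Domain (any/exact/suffix) and Path Match (prefix/path/regex) criteria, and masking of card numbers and social security numbers in a response body with asterisks. Class and function names, first-match rule ordering, and the choice to leave responses unmasked when no rule matches are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Constructed model of the Data Guard rules described above. The
# names are illustrative, not the product's API; first-match rule
# ordering and "no matching rule means no masking" are assumptions.
@dataclass
class DataGuardRule:
    name: str
    action: str       # "apply" or "skip"
    domain_kind: str  # "any", "exact" or "suffix"
    domain: str       # ignored when domain_kind is "any"
    path_kind: str    # "prefix", "path" (exact) or "regex"
    path: str

# Data types the page names: card numbers (13-19 digits, optional
# space or dash separators) and US social security numbers.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so digit runs such as order IDs stay visible."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _mask_card(m: re.Match) -> str:
    digits = re.sub(r"[ -]", "", m.group(0))
    return "*" * len(m.group(0)) if luhn_ok(digits) else m.group(0)

def rule_matches(rule: DataGuardRule, host: str, path: str) -> bool:
    if rule.domain_kind == "exact" and host != rule.domain:
        return False
    if rule.domain_kind == "suffix" and host != rule.domain and not host.endswith("." + rule.domain):
        return False
    if rule.path_kind == "prefix":
        return path.startswith(rule.path)
    if rule.path_kind == "path":
        return path == rule.path
    return re.fullmatch(rule.path, path) is not None  # regex; full match assumed

def mask_response(rules, host: str, path: str, body: str) -> str:
    """Apply the first rule matching the request's host and path to the body."""
    for rule in rules:
        if rule_matches(rule, host, path):
            if rule.action == "skip":
                return body
            body = SSN_RE.sub(lambda m: "*" * len(m.group(0)), body)
            return CARD_RE.sub(_mask_card, body)
    return body

# Constructed sample rules and a leaky response body.
RULES = [
    DataGuardRule("skip-health", "skip", "any", "", "prefix", "/healthz"),
    DataGuardRule("mask-api", "apply", "suffix", "example.com", "regex", r"/api/v[0-9]+/.*"),
]
SAMPLE = "card=4111 1111 1111 1111 ssn=123-45-6789 order=1234567890123456"
```

The Luhn check keeps a 16-digit order number visible while the card number and SSN are replaced by asterisks, and the Skip rule for /healthz leaves that response untouched.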


Monitor WAF Operation

You can verify and monitor the WAF activities from the Web App & API Protection (WAAP) service from the Console homepage.

Step 1: Navigate to WAAP service.

Select the Web App & API Protection service from the Console homepage or from the Select service option located on the top left in any page.

Step 2: Inspect WAAP high-level overview.
  • Click Overview > Dashboard to view the WAAP overall monitoring view. This view shows combined trends for security events and performance metrics, such as latency, downstream, and upstream traffic.

Figure: WAAP Overview Dashboard

  • Click on a load balancer to load its monitoring view. For more information, see Monitor Load Balancer guide.

Step 3: Inspect WAAP performance dashboard.
  • Click App & APIs > Performance to view the performance overview. This view shows trends for performance metrics, such as latency, errors, traffic rate, alerts, etc.

Figure: WAAP Performance Dashboard

  • Click on a load balancer to load its monitoring view. For more information, see Monitor Load Balancer guide.

Step 4: Inspect security monitoring dashboard.
  • Click App & APIs > Security. The Traffic Overview displays a time series graph for total requests, attacks, and blocked requests.

  • Click on a load balancer to load its security monitoring view. Security overview also shows a list of load balancers and the WAF information for them. The WAF information includes enforcement mode, attacks, malicious users, dropped requests, etc. For detailed information on load balancer monitoring, see Monitor Load Balancer guide.

Figure: Security Monitoring View

Note: You can also edit the load balancer configuration using the ... > Manage Configuration option in the Actions field.

Step 5: Observe load balancer monitoring.
  • Switch to Load Balancers service.

  • Select the namespace where you created the load balancer with the WAF.

  • Click Virtual Hosts > HTTP Load Balancers.

  • From the list, hover over your load balancer and click Security Monitoring to load the security monitoring view. Alternatively, click on the load balancer to open its default General Monitoring view, and then select Security Monitoring from the drop-down menu at the top.

  • Inspect the various WAF activities, such as security events, malicious user events, etc. For more information on load balancer monitoring, see Monitor HTTP Load Balancer.


Create WAF Exclusion Rules

These rules define the signature IDs and violations/attack types that should be excluded from WAF processing on specific match criteria. The specific match criteria include domain, path, and method. If the client request matches on all these criteria, then the WAF will exclude processing for the items configured in the App Firewall Detection Control section.

The WAF exclusion rules are configured and applied during load balancer configuration.

Note: For easier maintenance, do not create two WAF exclusion rules with identical match criteria. Instead, update the existing rule.

Step 1: Build a custom rule list.
  • From the Console homepage, click Load Balancers.

  • Select Manage > Load Balancers > HTTP Load Balancers.

  • Select the desired namespace.

  • Find your existing load balancer to edit its configuration, or click Add HTTP load balancer to create a new load balancer.

  • Under the Security Configuration section, enable the Show Advanced Fields option.

  • Under the WAF Exclusion Rules field, click Configure.

Figure: WAF Exclusion Rules

  • Click Add Item.

  • In the Name field, enter a name for the WAF exclusion rule. Optionally, add a description.

  • From the Domain drop-down menu, select whether this rule applies to all domains, an exact domain, or a particular domain suffix. Any Domain is the default value. If you select Exact Value, enter a value in the field provided. If you select Suffix Value, enter a value with a suffix (for example, xzy.com).

  • In the Path Regex field, enter a directory path with regular expressions (regex) to match patterns to exclude from WAF processing.

Figure: Match Pattern with Regex

  • Optionally, select request methods to match from the Methods menu.

  • Configure detection control from the App Firewall Detection Control section. Click Add item for each subsection:

    • For the SignatureID, enter a signature ID to exclude from WAF processing.

    • For the Violation Type, select a violation from the menu to exclude from WAF processing.

    • For the Attack Type, select a type of attack to exclude from WAF processing.

Figure: Match Criteria for WAF Exclusion

Note: You can exclude an Attack Type instead of excluding individual signatures under the SignatureID subsection. If you are excluding a particular attack type, you do not need to add signature IDs that belong to that attack type. When you exclude an attack type, this action automatically excludes all signatures under that attack type.

  • After you finish, click Add Item.

  • Click Apply.

Figure: Apply WAF Exclusion Rule

Note: The order of the WAF exclusion rules matters. The WAF processes the rules from the top down. If one rule matches, evaluation stops and the subsequent rules are not evaluated. You can change the order of these rules by dragging and dropping them into the order you want. You can also click ... > Move to another spot, and then use the arrows to move the rule up or down the list.

Figure: WAF Exclusion Rule Order

Step 2: Save and complete.
  • Continue to configure your load balancer, as needed.

  • After you finish, click Save and Exit.

Note: For more information about creating or editing a load balancer, see HTTP Load Balancer.
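The following is an added example, not part of this guide or the product's code, that models how the WAF exclusion rules described above are evaluated: a rule matches on domain (any/exact/suffix), a path regex, and optional methods; rules are processed top-down with the first match stopping evaluation; and a matching rule excludes the signature IDs, violations, and attack types listed in its detection control (with an excluded attack type covering every signature under it). Class and function names, the full-match regex semantics, the signature ID 999001, and the attack type name "SampleAttackType" are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed model of the WAF exclusion rules described above; class and
# function names are illustrative, not the product's API.
@dataclass
class ExclusionRule:
    name: str
    domain_kind: str = "any"   # "any", "exact" or "suffix"
    domain: str = ""
    path_regex: str = ".*"
    methods: List[str] = field(default_factory=list)        # empty = any method
    signature_ids: List[int] = field(default_factory=list)  # detection control
    violations: List[str] = field(default_factory=list)
    attack_types: List[str] = field(default_factory=list)

@dataclass
class Finding:
    """One thing the WAF detected on a request (constructed for the example)."""
    signature_id: Optional[int] = None
    violation: Optional[str] = None
    attack_type: Optional[str] = None

def rule_matches(rule: ExclusionRule, host: str, path: str, method: str) -> bool:
    if rule.domain_kind == "exact" and host != rule.domain:
        return False
    if rule.domain_kind == "suffix" and host != rule.domain and not host.endswith("." + rule.domain):
        return False
    if rule.methods and method not in rule.methods:
        return False
    return re.fullmatch(rule.path_regex, path) is not None  # full match assumed

def first_matching_rule(rules, host, path, method) -> Optional[ExclusionRule]:
    """Rules are evaluated top-down; the first match wins and the rest are skipped."""
    for rule in rules:
        if rule_matches(rule, host, path, method):
            return rule
    return None

def is_excluded(rules, host, path, method, finding: Finding) -> bool:
    rule = first_matching_rule(rules, host, path, method)
    if rule is None:
        return False
    # An excluded attack type covers every signature under it, so a finding
    # that carries its attack type is excluded even if its ID is not listed.
    return (finding.attack_type in rule.attack_types
            or finding.signature_id in rule.signature_ids
            or finding.violation in rule.violations)

# Constructed sample rules; 999001 and "SampleAttackType" are placeholders.
RULES = [
    ExclusionRule("upload-filetype", "suffix", "example.com", r"/upload/.*", ["POST"],
                  violations=["VIOL_FILETYPE"]),
    # Shadowed for POSTs to example.com hosts: the rule above matches first.
    ExclusionRule("upload-signature", path_regex=r"/upload/.*",
                  signature_ids=[999001], attack_types=["SampleAttackType"]),
]
```

Because the first rule already matches a POST to shop.example.com/upload/, a signature 999001 finding on that request is not excluded even though the second rule lists it; the same finding on other.org is excluded because only the second rule matches there.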


Skip WAF Processing

If you want to entirely skip WAF processing using match criteria, you need to create a custom rule in service policy configuration.

Step 1: Navigate to service policies in Console.
  • From the Console homepage, click Load Balancers.

  • Select the application namespace.

  • Click Security > Service Policies > Service Policies.

  • Find your existing service policy, or click Add service policy to create a new service policy.

Step 2: Create or edit service policy.
  • In the Rules section, perform the following:

    • From the Select Policy Rules menu, select Custom Rule List.

    • Click Configure.

Figure: Select Custom Rule List

  • Click Add Item.

  • In the Name field, add a name for this rule. Optionally, add a description for this new rule.

  • Click Configure.

Figure: Add Custom Rule

  • In the Action section, enable the Show Advanced Fields option.

  • From the Action menu, select an option:

    • If you select Deny, the request is denied entirely. No other evaluation occurs in the service policy.

    • If you select Allow, the request goes through to the service policy but WAF processing is skipped. The service policy will continue to process all other settings and rules.

    • If you select Next Policy, the request is allowed through and is processed using the next configured service policy, but WAF processing is skipped in the current service policy. This option requires another service policy to be configured and placed next in the order.

Note: If you want to skip WAF processing and have no other service policy to evaluate, select Allow. If you have another service policy after the current one that includes skipping WAF processing, select Next Policy.

  • From the Select App Firewall Action Type menu, select Skip App Firewall Processing.

Figure: Skip WAF Processing Option

  • From the Client Selection menu, select which clients this rule will apply to.

  • In the Servers section, click Add item and enter exact values or regular expressions for the server names. Continue to click Add item to build your list.

  • In the Request Match section, enter the types of requests that you want to match with this policy rule. You can specify the request type in a number of different ways:

    • HTTP Method: Select the HTTP methods from the Method List drop-down. Using the drop-down menu multiple times will allow you to select multiple methods.

    • HTTP Path: Click Configure and enter prefix values, exact values, or regular expressions for an HTTP path. Continue to click Add item to build your list. Click Apply after you finish.

Figure: Specific Path

    • HTTP Query Parameters: Click Add Item and then enter a parameter name in the Query Parameter Name field. Use the Match Options drop-down menu to select a match value. Present/Not Present matches if that parameter name is/is not in the request. Match Values allows you to enter exact values and/or regular expressions for values to match against.

    • HTTP Headers: Click Add Item and then enter a header name in the Header Name field. Use the Match Options drop-down menu to select a match value. Present/Not Present matches if that header name is/is not in the request. Match Values allows you to enter exact values and/or regular expressions for values to match against.

  • After you complete the custom rule, click Apply to add it to your service policy.

  • Click Add Item.

  • Click Apply.

Step 3: Save and complete.

Click Save and Exit to save the new custom rule.

Note: For more information about creating or editing a service policy, see Service Policy.


Concepts


API References