Application Firewall
On This Page:
Objective
This document provides instructions on how to create an Application Firewall, also known as a Web Application Firewall (WAF), and deploy it on a load balancer. The WAF consists of technology that enables you to allow or block requests and responses based on the configuration. To learn more about a WAF, see App Firewall.
Using the instructions provided in this document, you can create a WAF with default or custom attack types, enable threat campaigns, define bot protection settings, and attach that WAF to an HTTP load balancer to protect the app that load balancer serves. These instructions also include information on how to control responses from origin servers.
Prerequisites
-
F5® Distributed Cloud Services Account. If you do not have an account, see Create an Account.
-
An HTTP/HTTPS load balancer in your edge/cloud site or in the F5 global network cloud. If you do not have a load balancer, see HTTP Load Balancer for instructions to create one.
Configuration
Protecting your applications using the WAF requires you to create a WAF object in F5® Distributed Cloud Console (Console) and enable it by attaching it to an HTTP/HTTPS load balancer that serves the application for which you want to protect (with the WAF).
Create a WAF
Perform the following to create and configure a WAF:
Step 1: Log into Console and start creating WAF object.
- From the Console homepage, click
Web App & API Protection
.
- Select the desired namespace from the
Namespace
drop-down menu.
Note: You can also create a namespace where the application firewall needs to be created in. From the Console homepage, Select the
Administration
service, and then selectPersonal Management
>My Namespaces
. ClickAdd namespace
, add a name, and then clickSave
.
-
Click
Manage
>App Firewall
. -
Click
Add App Firewall
to load the WAF creation form.
Step 2: Set metadata and WAF mode.
Fill in the required information marked with an asterisk (*
) symbol:
-
In the
Name
field under theMetadata
section, enter a name for the WAF object. -
From the
Enforcement Mode
drop-down menu under theEnforcement Mode
section, select whether you want the WAF to only monitor or block traffic:-
Blocking
: Malicious traffic is both logged and blocked. -
Monitoring
: Traffic is not blocked, but any malicious and suspicious traffic generates security events (logs).
-
Note: The
Enforcement Mode
option is with respect to your load balancer. It overrides your load balancer settings for all traffic.
Step 3: Configure detection settings.
In the Detection Settings
section perform the following:
-
From the
Security Policy
drop-down menu, select whether to apply default settings or a custom setting:-
Default
: This setting applies a broad mix of high and medium accuracy signatures, threat campaigns, and all violations. -
Custom
: This setting enables you to apply specific configurations for attack types, signature selections, automatic attack signatures, threat campaigns, and violations. You can change one or all of the configurations.
-
-
If you choose the
Custom
option, perform the following:- Attack types: The
Default
setting detects all attack types. To configure this option to disable a specific attack type, selectCustom
. Select the attack type from theDisabled Attack Types
drop-down menu.
- Attack types: The
-
From the
Signature Selection by Accuracy
menu, select from one of the available accuracy options. TheHigh and Medium
signatures are enabled by default. -
From the
Automatic Attack Signatures Tuning
menu, enable or disable the automatic attack signature tuning. This option is enabled by default and the WAF suppresses false positive triggers based on its probabilistic learning model. -
From the
Threat Campaigns
menu, enable or disable the threat campaign detection. When enabled, the WAF detects specific threat campaigns and takes action per the enforcement mode settings. -
From the
Violations
menu, selectCustom
to disable one or more violations. From theDisabled Violations
menu, select a violation to disable.
Note the following file types are disallowed by default:
{"bak", "bat", "bck", "bin", "bkp", "cer", "cfg", "cgi", "cmd", "com", "conf", "config", "crt", "dat", "der", "dll", "eml", "exe", "hta", "htr", "htw", "ida", "idc", "idq", "ini", "key", "log", "msi", "nws", "old", "p12", "p7b", "p7c", "pem", "pfx", "pol", "printer", "reg", "sav", "save", "shtm", "shtml", "stm", "sys", "temp", "tmp", "wmz"}
Note: To customize the list of file types disallowed, disable
Illegal filetype
(VIOL_FILETYPE
) using theViolations
menu option and use a custom rule in Service Policy to disallow specific file types.
Note: For a list of supported attack types, signatures, and violations, see the following guides:
Step 4: Configure signature bot protection settings.
From the Signature-Based Bot Protection
drop-down menu, select an option for bot defense:
-
Default
: By default, a malicious bot is blocked and generates a security event. Good and suspicious bot activity generates only security events, and the WAF does not block the activity. -
Custom
: Custom protection enables you to specify what action (Block
,Report
, orIgnore
) to take when the WAF detects a malicious bot, suspicious bot, or a good bot. Set the action in theMalicious Bot
,Suspicious Bot
, andGood Bot
menus.
Step 5: Configure response settings.
In the Advanced configuration
section, enable the Show Advanced Fields
option and perform the following:
-
Allowed Response Status Codes
: SelectCustom
to specify a list of HTTP response status codes that are allowed for the client. Any HTTP responses other than these are not allowed. -
Mask Sensitive Parameters in Logs
: TheDefault
option will mask the values of sensitive parameters (like credit card numbers) in request logs. You can disable this feature or useCustom
to set parameters of your choice, to be masked. For theCustom
option, clickAdd Item
and choose anHTTP Header
,Query Parameter
, orCookie
and enter the name accordingly. After you finish, clickAdd Item
. You can add more than one item using theAdd Item
option. -
Blocking Response Page
: TheDefault
option returns an HTML response page with system settings to the client. To configure a custom response page, selectCustom
and perform the following:-
From the
Response Code
menu, select a response that will be sent for blocked requests. -
In the
Custom Blocking Response Page Body
field, enter a response string of your choice. You can specify the string in ASCII format or Base64 format.
-
Note: Use the
base64
command to encode the response in Base64 format.
Step 6: Complete creating the WAF object.
Click Save and Exit
.
Attach the WAF to a Load Balancer
After creating a WAF object, you can attach it to your load balancer. Once this attachment is done, you can monitor WAF operations on Console.
Step 1: Start editing your load balancer.
-
From the Console homepage, click
Load Balancers
. -
Select the desired namespace from the
Namespace
drop-down menu. -
Click
Manage
>Load Balancers
>HTTP Load Balancers
. -
Find your load balancer and click
...
>Manage Configuration
. -
Click
Edit Configuration
to open the edit form.
Step 2: Attach WAF to the load balancer.
In the Security Configuration
section, perform the following:
- From the
Select Web Application Firewall (WAF) Config
menu, selectApp Firewall
.
-
From the
App Firewall
drop-down menu, select the WAF object you created in the previous section. -
Click
Save and Exit
.
Configure Data Guard
Data Guard prevents HTTP/HTTPS responses from exposing sensitive information, like credit card numbers and social security numbers, by masking the data. If an application leaks this sensitive data in the HTTP/HTTPS responses, then Data Guard will mask that data with a string of asterisks (*
). You can configure and enable the Data Guard feature on your WAF using rules. You can have the Data Guard rules set to apply or skip processing for the criteria configured in the rules.
Step 1: Confirm WAF enabled on HTTP/HTTPS load balancer.
Confirm that the App Firewall
option is enabled in the Security Configuration
section for load balancer configuration.
Step 2: Configure Data Guard rules.
- Under the
Data Guard Rules
field, clickConfigure
.
- Click
Add Item
.
-
In the
Name
field, add a name for this match rule. -
From the
Action
menu, select an option for Data Guard to take if the request matches the domain and path configured from theDomain
andPath Match
menus below, respectively:-
Apply
: Applies Data Guard processing for the matching criteria. -
Skip
: Skips Data Guard processing for the matching criteria.
-
-
From the
Domain
menu, select whether the request is from any domain, an exact domain, or domains with suffixes. -
From the
Path Match
menu, select an option:-
Prefix
: Match paths using a prefix. -
Path
: Match an exact path. -
Regex
: Match paths using regular expressions (regex).
-
-
Click
Add Item
.
Step 3: Apply Data Guard rules.
Click Apply
.
Monitor WAF Operation
You can verify and monitor the WAF activities from the Web App & API Protection
(WAAP) service from the Console homepage.
Step 1: Navigate to WAAP service.
Select the Web App & API Protection
service from the Console homepage or from the Select service
option located on the top left in any page.
Step 2: Inspect WAAP high-level overview.
- Click
Overview
>Dashboard
to view the WAAP overall monitoring view. This view shows combined trend for security events and performance metrics, such as latency, downstream, and upstream traffic.
- Click on a load balancer to load its monitoring view. For more information, see Monitor Load Balancer guide.
Step 3: Inspect WAAP performance dashboard.
- Click
App & APIs
>Performance
to view the performance overview. This view shows trend for performance metrics, such as latency, errors, traffic rate, alerts, etc.
- Click on a load balancer to load its monitoring view. For more information, see Monitor Load Balancer guide.
Step 4: Inspect security monitoring dashboard.
-
Click
App & APIs
>Security
. TheTraffic Overview
displays a time series graph for total requests, attacks, and blocked requests. -
Click on a load balancer to load its security monitoring view. Security overview also shows a list of load balancers and the WAF information for them. The WAF information includes enforcement mode, attacks, malicious users, dropped requests, etc. For detailed information on load balancer monitoring, see Monitor Load Balancer guide.
Note: You can also edit the load balancer configuration using the
...
>Manage Configuration
option in theActions
field.
Step 5: Observe load balancer monitoring.
-
Switch to
Load Balancers
service. -
Select the namespace where you created the load balancer with the WAF.
-
Click
Virtual Hosts
>HTTP Load Balancers
. -
From the list, hover over your load balancer and click on the
Security Monitoring
to load the security monitoring view. Alternatively, you can click on the load balancer to open its default view ofGeneral Monitoring
and then from the top drop-down menu, select theSecurity Monitoring
view. -
Inspect the various WAF activities, such as security events, malicious user events, etc. For more information on load balancer monitoring, see Monitor HTTP Load Balancer.
Create WAF Exclusion Rules
These rules define the signature IDs and violations/attack types that should be excluded from WAF processing on specific match criteria. The specific match criteria include domain, path, and method. If the client request matches on all these criteria, then the WAF will exclude processing for the items configured in the App Firewall Detection Control
section.
The WAF exclusion rules are configured and applied during load balancer configuration.
Note: When creating WAF exclusion rules, you must not create two identical rules that have the same match criteria for easier maintenance. Instead, it is recommended to update an existing rule.
Step 1: Build a custom rule list.
-
From the Console homepage, click
Load Balancers
. -
Select
Manage
>Load Balancers
>HTTP Load Balancers
. -
Select the desired namespace.
-
Find your existing load balancer to edit its configuration, or click
Add HTTP load balancer
to create a new load balancer. -
Under the
Security Configuration
section, enable theShow Advanced Fields
option. -
Under the
WAF Exclusion Rules
field, clickConfigure
.
-
Click
Add Item
. -
In the
Name
field, enter a name for the WAF exclusion rule. Optionally, add a description. -
From the
Domain
drop-down menu:- Select whether this rule applies to all domains, an exact domain, or a particular domain suffix.
Any Domain
is the default value. If you selectExact Value
, enter a value in the field provided. If you selectSuffix Value
, enter a value with a suffix (for example,xzy.com
).
- Select whether this rule applies to all domains, an exact domain, or a particular domain suffix.
-
In the
Path Regex
field, enter a directory path with regular expressions (regex) to match patterns to exclude from WAF processing.
-
Optionally, select request methods to match from the
Methods
menu. -
Configure detection control from the
App Firewall Detection Control
section. ClickAdd item
for each subsection:-
For the
SignatureID
, enter a signature ID to exclude from WAF processing. -
For the
Violation Type
, select a violation from the menu to exclude from WAF processing. -
For the
Attack Type
, select a type of attack to exclude from WAF processing.
-
Note: You can exclude an
Attack Type
instead of excluding individual signatures under theSignatureID
subsection. If you are excluding a particular attack type, you do not need to add signature IDs that belong to that attack type. When you exclude an attack type, this action automatically excludes all signatures under that attack type.
-
After you finish, click
Add Item
. -
Click
Apply
.
Note: The order of the WAF exclusion rules matter. The WAF will process the rules starting from the top and work its way down. If there is a match on one rule, then the execution process stops and the subsequent rules are not evaluated. You can change the order of these rules by simply dragging and dropping the rules in the order you see fit. You can also click
...
>Move to another spot
, and then use the arrows to move the rule up or down the list.
Step 2: Save and complete.
-
Continue to configure your load balancer, as needed.
-
After you finish, click
Save and Exit
.
Note: For more information about creating or editing a load balancer, see HTTP Load Balancer.
Skip WAF Processing
If you want to entirely skip WAF processing using match criteria, you need to create a custom rule in service policy configuration.
Step 1: Navigate to service policies in Console.
-
From the Console homepage, click
Load Balancers
. -
Select the application namespace.
-
Click
Security
>Service Policies
>Service Policies
. -
Find your existing service policy, or click
Add service policy
to create a new service policy.
Step 2: Create or edit service policy.
-
In the
Rules
section, perform the following:-
From the
Select Policy Rules
menu, selectCustom Rule List
. -
Click
Configure
.
-
-
Click
Add Item
. -
In the
Name
field, add a name for this rule. Optionally, add a description for this new rule. -
Click
Configure
.
-
In the
Action
section, enable theShow Advanced Fields
option. -
From the
Action
menu, select an option:-
If you select
Deny
, the request is denied entirely. No other evaluation occurs in the service policy. -
If you select
Allow
, the request goes through to the service policy but WAF processing is skipped. The service policy will continue to process all other settings and rules. -
If you select
Next Policy
, the request is allowed through and is processed using the next configured service policy, but WAF processing is skipped in the current service policy. This option requires another service policy be configured and placed in the next available order.
-
Note: If you want to skip WAF processing and have no other service policy to evaluate, select
Allow
. If you have another service policy after the current one that includes skipping WAF processing, selectNext Policy
.
- From the
Select App Firewall Action Type
menu, selectSkip App Firewall Processing
.
-
From the
Client Selection
menu, select which clients this rule will apply to. -
In the
Servers
section, clickAdd item
and enter exact values or regular expressions for the server names. Continue to clickAdd item
to build your list. -
In the
Request Match
section, enter the types of requests that you want to match with this policy rule. You can specify the request type in a number of different ways:-
HTTP Method
: Select the HTTP methods from theMethod List
drop-down. Using the drop-down menu multiple times will allow you to select multiple methods. -
HTTP Path
: ClickConfigure
and enter prefix values, exact values, or regular expressions for an HTTP path. Continue to clickAdd item
to build your list. ClickApply
after you finish.
-
-
HTTP Query Parameters
: ClickAdd Item
and then enter a parameter name in theQuery Parameter Name
field. Use theMatch Options
drop-down menu to select a match value.Present/Not Present
matches if that parameter name is/is not in the request.Match Values
allows you to enter exact values and/or regular expression for values to match against. -
HTTP Headers
: ClickAdd Item
and then enter a header name in theHeader Name
field. Use theMatch Options
drop-down menu to select a match value.Present/Not Present
matches if that parameter name is/is not in the request.Match Values
allows you to enter exact values and/or regular expression for values to match against. -
After you complete the custom rule, click
Apply
to add it to your service policy. -
Click
Add Item
. -
Click
Apply
.
Step 3: Save and complete.
Click Save and Exit
to save the new custom rule.
Note: For more information about creating or editing a service policy, see Service Policy.