Service Chain CDN & WAAP

• Select the DNS Management service.
• Navigate to Domain Management and select Add Delegated Domain.
• Enter your domain name in the Domain Name field. Ensure that Managed by Distributed Cloud is selected for the Domain Method field. Select Save and Exit.

Note: This creates a delegated domain object with a TXT record value and the status as domain verification pending.

• Copy the value of the TXT Record field using the button to the right of the value.

• Add a TXT record in your domain records with the copied TXT string. This example shows how to add the record in Google domains.

• Go back to Console and select your delegated domain entry. Select Verify for your domain.

• After verification, the field Verification Status shows successful verification, and the nameservers get displayed on the Name Servers field.

Go back to your domain and add the NS records with the nameservers obtained from Console. This example shows adding to the Google domains.

• Select the Administration service.
• Select Personal Management -> Manage Namespaces.
• Select Add namespace.

• Enter a name and select Add Namespace.
• Change to the Web App & API Protection service.
• Click on the namespace drop-down menu and select your namespace to change to it.

• Select the Web App & API Protection service.
• Verify that the namespace you created in step 1.4 is selected.
• Navigate to Manage > Load Balancers > HTTP Load Balancers and then select Add HTTP Load Balancer.
• Enter a name for your load balancer in the Metadata section.
• Enter your domain name, corresponding to the delegated sub-domain (step 1.1), in the Domains list within the Domains and LB Type section.
• Select HTTPS with Automatic Certificate in the Load Balancer Type field.
• Check the HTTP Redirect to HTTPS checkbox.
• Ensure the HTTPS Port is set to 443 and the TLS Security Level is set to High.

• In the Origins section, select Add Item to add a new entry in the list of origin pools. This will bring up the Origin Pool with Weight and Priority setup form.

• If you already have an origin pool setup, you could select it from the Origin Pool drop-down menu; however, for this example, use the drop-down menu to select Add Item to create a new origin pool.

• Enter a name for your origin pool in the metadata section.

• The Origin Servers section contains the list of servers that make up this pool. Select Add Item to add a new server.

  • Select the type of origin server in the Select Type of Origin Server field and then enter the appropriate server identification. For this example, select Public IP of Origin Server and enter 13.56.168.147 in the Public IP field.
  • Select Apply to save the origin server information and return to the Origin Pool with Weight and Priority setup form.

  

• In the Origin servers Port section, enter 80 for the Port field.

• Optionally scroll down to the TLS port to setup TLS security.

• Select Continue at the bottom of the form to save the origin pool.

• Complete the origin pool by entering Weight and Priority values. These will only be used if you have multiple origin pools in your load balancer.

• Select Apply to save the origin pool to your load balancer.

• Select Enable in the Web Application Firewall (WAF) field.

• Use the Enable drop-down menu to select Add Item to configure a new firewall. This example will block all threats using default values.

  • Enter a name for your firewall configuration.
  • Select Blocking in the Enforcement Mode field.
  • Select Default for all fields in the Detection Settings section.

  

  • Select Continue at the bottom of the form to complete your WAF.

• Scroll down to the Common Security Controls section and select Do Not Apply Service Policies in the Service Policies field.
• In the Other Settings section, select Internet in the VIP Advertisement field.
• Verify that Round Robin is selected for the Load Balancing Algorithm field.
• Select Save and Exit at the bottom of the form to save the load balancer configuration.

• Select the Content Delivery Network service. The CDN distribution configuration page opens.

• Go to Manage > Distributions.

• Verify that the namespace you created in step 1.4 is selected.

• Select Add Distribution.

• In the Name field, enter a name for the distribution.

• Optionally, select a label and enter a description.

• Go to Basic Configuration and enter a domain name in the Domains field. This should match the delegated domain name you entered in step 1.

• Select Add item to add more domains, if needed.

• Select an option for the Select Type of CDN Distribution. The following options are supported:

  • Select HTTP to create the CDN Distribution. Select the Automatically Manage DNS Records checkbox if your domain is delegated to F5 Distributed Cloud. Otherwise, ensure in your DNS provider configuration that your domain is resolved.
  • Select HTTPS with Automatic Certificate to create the CDN Distribution with an automatic TLS certificate. Ensure that the domain is delegated to F5 Distributed Cloud. Optionally, select HTTP Redirect to HTTPS and/or Add HSTS Header checkboxes to enable those functions. You can also select TLS security level to be high or medium.
  • Select HTTPS with Custom Certificate to create the CDN Distribution with your custom TLS certificate.

• If you are using the HTTPS with Custom Certificate option:

  • Set the TLS configuration using the Configure option under the TLS Parameters field.

  • From the TLS Security Level drop-down menu, select the desired level.

  • In the TLS Certificates section, Select Add Item.

  • For the certificate URL encoding, select PEM or base64(binary), and then enter the certificate URL.

  • To configure the private key, Select Configure.

  • Under the Secret section, enter your private key in Text type, Select Blindfold, wait for the Blindfold operation to complete, and then Select Apply.

  • Select Add Item.

  • In the TLS Parameters section, Select Apply.

  Note: You can add more than one certificate using the Add Item option.

This example configures a CDN Distribution of type HTTPS with Automatic Certificates.

• Select Configure in the CDN Origin Pool section. The CDN origin pool configuration page opens.
• Enter the CDN origin domain name in the DNS Name field. The domain name must be the same domain name you entered for the delegated domain in step 1.1 and the HTTP load balancer in step 2.1. The requests to origin servers use this name in the host header.
• Select a TLS choice in the Enable TLS for Origin Servers field. Ensure that this matches your origin server configuration.
• Select Add Item in the List of Origin Servers section. In the origin servers page, enter public DNS name or public IP of your origin server. Select Apply.
• Enter a time value in the Origin Request Timout Duration field. The default is 60s (sixty seconds).
• Select Apply in the CDN origin pool configuration page.

Advanced configuration consists of options such as header control, security, cache control, etc. Go to Advanced Configuration section and perform the following:

• Select Show Advanced Fields toggle to display the advanced configuration options.

• Select Add Location checkbox to append the location header in the response. Value for this header is the Regional Edge Site name that serves your request.

Select Save and Exit.

It might take a few minutes for your CDN Distribution to be deployed and to be ready to cache and serve content at Regional Edges. During this time, the Status column will show Pending. Once deployment is complete, the status for your CDN distribution will show Active.

Note: To get a more detailed view of your site status, select > against your distribution object and expand its JSON view. Verify that the service domain is created. Select ... > Show Global Status against your CDN object and ensure that the Site Status section shows status as DEPLOYMENT_STATUS_DEPLOYED.

Delegated Domain with Automatic Certificates:

• Wait for the DNS Info and TLS Info columns to display the VIRTUAL_HOST_READY and Certificate Valid values. This indicates that the virtual host and certificate is created successfully.

• In the Status column, it shows Active, which indicates CDN distribution is up and running.

• Select ‘...’ in the Actions column for your distribution, and then select Show Global Status.

• Global status indicates two things: 1) whether the distribution has been pushed to the CDN back end, and 2) whether the distribution has been configured on the Edge sites.

• CDN distribution is configured successfully, when at least one edge site is configured with

  • Global status is updated to Operational and Created.
  • Site Status is updated to DEPLOYMENT_STATUS_DEPLOYED.
  • Site name is listed.
  • There will be one global, and at minimum, one status object for each site.

• In this delegated domain scenario, verify that the CDN domain is mapped to the F5 CNAME, and the F5 CNAME is mapped to the CDN Internal service domain, automatically.

  

• The user domain and F5 CNAME can be found in the JSON for your tenent.

  

• Verify CNAME mapping using DIG command, and A records with unicast IP addresses of edge site, to indicate at least one edge site is configured for CDN distribution.

  

• Verify that the requests to your CDN domain are processed, and the content is returned.

Note: In case of content updates in your origin servers, you can force the CDN servers to fetch the updated content using the purge option. Select ... > Purge for your distribution object and the CDN service initiates purge for all the cache servers.

• Access the HTTP load balancer domain using a curl command, curl -I -k lb.example.com, to make sure connection to the origin is fine. It should look something like this:

• Access the CDN distribution domain to verify the end-to-end service chain is working correctly.

• Because this is the first request to the CDN, the request will be redirected to the origin server causing the server to miss the cache (as shown at the bottom of the curl response: x-cache-status: MISS).
• Generate more requests to observe cached traffic (Hits) and origin server traffic (Misses) as shown below.

• Access the CDN domain with SQL injection or any other attack type sample.
• In Console, select the Content Delivery Network service and navigate to Monitoring > Performance.
• Select your distribution to see its dashboard.

• Observe the CDN dashboard is updated with cache misses.
• Switch to the Web App & API Protection service and navigate to Overview > Security Dashboard.

• Observe the WAF security dashboard updated with security events.