Web App Security & Performance

• Select the DNS Management service.
• Navigate to Domain Management and select Add delegated domain.
• Enter your domain name in the Domain Name field. Ensure that Managed by Distributed Cloud is selected for the Domain Method field. Select Save and Exit.

Note: This creates a delegated domain object with a TXT record value and the status as domain verification pending.

• Verify that the delegated domain object is displayed in the list and copy the value of the TXT Record field using the button to the right of the value.

• Add a TXT record in your domain records with the copied TXT string. This example shows how to add the record in Google domains.

• Go back to Console and select your delegated domain entry. Select Verify for your domain.

• After verification, the field Verification Status shows successful verification, and the nameservers get displayed on the Name Servers field.

Go back to your domain and add the NS records with the nameservers obtained from Console. This example shows adding to the Google domains.

This example demonstrates securing the public website cloud.f5.com. You can obtain the public certificate using more than one method. This example shows how to obtain using Firefox browser.

• Open https://cloud.f5.com website in browser.
• Select the padlock symbol on the URL bar and then select the arrow button next to the Connection Secure option.

• Select More Information to display the security options.

• Select the View Certificate button in the displayed security options.

• Switch to the Entrust Root Certification Authority - G2 tab and scroll down to the Miscellaneous section. Select PEM (Cert) and Ok in the confirmation box to download the certificate.

• Log into the Console and select the Administration service.
• Navigate to Personal Management and select My Namespaces. Select Add namespace.

• Set a name, optionally add users, and select Save. This example creates waap namespace.

• Select the Web App & API Protection service.
• Change to your new application namespace and navigate to Manage > Load Balancers > Origin Pools.
• Select Add Origin Pool.
• Enter a name for your origin pool in the metadata section.

• In the Origin Servers section, select Add Item.
  • Select Public DNS Name of Origin Server for the Type of Origin Server field.
  • Enter the public DNS name of your origin server in the DNS Name field. This example configures cloud.f5.com as the DNS name.
  • Select Apply to save the origin server selection.

• In the Origin server Port section, enter 443 for the Port field.
• Scroll down to the TLS section, and select Enable.
• Select SNI Value in the SNI Selection field and enter the SNI. This example sets cloud.f5.com as the SNI Value.
• Select High for the TLS Security Level field.
• Select Use Custom CA List for the Origin Server Verification field.
• Select Base64(binary) option for the Trusted CAs field.
• Switch to command terminal and encrypt the downloaded public certificate of the website using Base64. Copy the output.

cat author-www-f5-com.pem | base64
  

• Go back to Console and enter the copied Base64 string in the Trusted CAs field.

Note: Configuring the public certificate enables Distributed Cloud Services to establish connection to the origin server.

• Select Save and Exit.

• Navigate to Manage > Load Balancers > HTTP Load Balancers. Select Add HTTP Load Balancer.

• Enter a name and your domain in the Name and Domains fields respectively. This will create an A name entry, cloudf5-vip, which will resolve to an IP address that is pointed to a VIP that is hosted on F5 ADN.

• Select HTPS with Automatic Certificate in the Load Balancer Type field. This will create an SSL certificate for this domain and sign it with a public Certificate Authority (CA).

• Since this use case attempts to provide a proxy to an existing public site, it is required to enable automatic host-rewriting. Therefore, route configuration is required. Scroll down to the Routes section and select Configure.

• Select Add Item, select ANY for the HTTP Method, select Regex for the Path Match field, and enter (.*?) (all routes) in the Regex field.

Note: The option Simple Route is applied by default for the Select Type of Route field.

• Select Add Item for the Origin Pools section. Select the origin pool created in the previous step for the Origin Pool field and select Apply.

• Select Apply at the bottom of the Routes configuration form to add the route to the load balancer configuration and return to the load balancer configuration form.

Note: Ensure that the Automatic Host Rewrite option is selected by default for the Host Rewrite field. This ensures that the requests coming to the domain you configured are redirected to the public DNS name of the origin server.

• Select Apply to apply this list to the load balancer.
• Scroll to the bottom and select Save and Exit to complete the load balancer.

The load balancer object gets displayed on the screen. The fields DNS Info and TLS Info with values VIRTUAL_HOST_READY and Certificate Valid indicate that the virtual host certificate is successfully validated and ready for use. You can verify this by entering the load balancer domain into a browser.

Note: Select Refresh on the load balancers display list screen to display the latest status.

• In the Web App & API Protection service, select the same namespace as your load balancer.
• Navigate to Manage > Load Balancers > HTTP Load Balancers.
• Select ...>Manage Configuration for your load balancer to view its configuration. Next select Edit Configuration in the upper right corner to edit its configuration.
• Scroll down to the Web Application Firewall section.
• Select Enable for the Web Application Firewall (WAF) field, and then use the Enable pull-down menu to select the Add Item button.

• Enter a name for the firewall.
• Select Blocking for the Enforcement Mode field.
• Leave the Protection Settings at their defaults and select Continue to save the WAF and return to the HTTP Load Balancer form.

• In the API Protection section, select Enable in the API Discovery field.
• In the DoS Protection section, select Enable for the DDoS Detection field, and then Enable for the Auto Mitigation field.

• Scroll down to the Common Security Controls section and select Enable for the Malicious User Detection field.

Note: This quickstart uses default malicious user detection settings. You can customize those settings by creating an app type and applying it to this load balancer with a label (in the metadata section).

• Scroll down and select Save and Exit to save these security settings.

• In the Web App & API Protection service, select the same namespace as your load balancer.
• Select Overview > Dashboards > Performance Dashboard. This provides an overall performance view of the entire namespace, including Health, Active Alerts, Active Configuration, Traffic Overview, and Throughput graphs. Below these is a list of Load Balancers.

• Select the name of the load balancer you want to monitor in load balancers list. This will show the performance dashboard for that specific load balancer.

• Select the Requests tab. Each request shown represents a call to our website.
• Select a request to get more information specific to that request.
• Select Forensics to see the Forensics panel allowing you to filter the requests chart by various metrics, like country and soure ip.

• Select Overview > Dashboards > Security Dashboard. This provides an overall security view of the entire namespace, including Threat intelligence, Bot Traffics, API Classification, DDoS Attack Activity, Security Events, Top Attack Sources, Top Attacked Paths, Events by Country, and Active Configuration. Below these is a list of Load Balancers.

• Select the name of the load balancer you want to monitor in the load balancers list. This will show the security dashboard for that specific load balancer.

• Select the Security Analytics tab to see all security events, shown in a bar chart and below in a table. The chart shows time-based counts for the different types of events. The table shows event summary information across the columns.
• The Actions column provides options to either block the requesting client and/or add the client to the list of trusted clients (depending on the type of event).
• Select > at the left side of a row to see the specifics of the request and the violations that were triggered by the attack.
• To see only blocked requests, use the Add Filter option and select Action, In, Select Block, followed by Apply.

Note: For more information on analzying security, see the security section of the Monitor HTTP Load Balancer document.