Configuring F5 Big-IP Web Application Firewall (WAF)

I decided to share my experience in configuring F5 devices. This is the first of my articles about the configuration of F5 Big-IP WAF and Balancer solutions.

1. F5 Big-IP ASM Module

WAF functionality in F5 devices is implemented by the ASM module, which must be enabled separately on the balancers after the respective licenses are installed. The module adds a new “Security” menu to the F5 balancer’s main menu, and all WAF-related troubleshooting and configuration is done under this menu.

I will focus on particular features that are necessary for the troubleshooting of WAF blocks.

1.1. Security Policy

The Security Policy is the main object that holds the whole WAF policy, which is basically a collection of block/pass rules. A Security Policy can be in one of the following two enforcement modes:

  • Transparent – the WAF does not block any traffic; only traffic analysis takes place
  • Blocking – the WAF both blocks and analyzes traffic

The WAF always analyzes traffic and proposes block or allow suggestions based on the traffic it observes. These learning suggestions can be used to fine-tune Security Policies, which need tuning from time to time. If there is no need for learning suggestions, we can disable learn mode for a particular signature or for the whole Security Policy.

To get the list of Security Policies, navigate to Security ›› Application Security : Security Policies : Policies List

Here you can view the list of policies and their high-level settings, such as whether a policy is in blocking or transparent mode and which Virtual Servers it is applied to. You can also modify some settings here, such as Allowed HTTP response codes.

Note: You must Save and Apply the policy after you make changes to it for the new settings to take effect.

Sometimes it’s necessary to disable or eliminate the WAF’s effect on a particular Virtual Server or path, or to turn off the Security Policy completely. There are the following ways to accomplish this.

1.2. Changing Policy Enforcement Mode

Security Policy can be in one of two enforcement modes – Transparent and Blocking.

To change the enforcement mode of a Security Policy, navigate to Security ›› Application Security : Policy Building : Learning and Blocking Settings, select the necessary Security Policy from the drop-down menu, and change its enforcement mode to Transparent or Blocking. This setting applies to the whole Security Policy and affects every Virtual Server the Security Policy is applied to.

Do not forget to Save and Apply Policy for changes to take effect.

1.3. Attach/Detach Security Policy from particular Virtual Server

To attach a Security Policy to, or detach it from, a particular VS or many VSs, navigate to: Security ›› Overview: Summary

Here we can select the desired VS and associate or disassociate a Security Policy with it. This page also gives us a summary view of all Virtual Servers and their Security Policy associations. We can also view and attach/detach DoS Protection, Bot Defense, and Logging profiles for our VSs here. This page is convenient for bulk attach/detach operations on VSs.

The same task can be accomplished from the Local Traffic ›› Virtual Servers : Virtual Server List ›› [Virtual Server Name] page. We need to select the VS, navigate to its Security >> Policy page, and enable or disable the Security Policy, DoS Protection, Bot Defense, Logging, and other profiles for the VS.
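Because switching a policy to Transparent or detaching it from a VS silently removes blocking, it is worth auditing the result after such changes. The following is an added example, not part of the original article: it checks an export of the policy list against an inventory of Virtual Servers. The JSON shape (fields name, enforcementMode, virtualServers, as in an iControl REST GET /mgmt/tm/asm/policies response) is an assumption to verify against your BIG-IP version, and all policy and VS names are constructed.

```python
import json

# Constructed sample, assumed to match the shape of a
# GET /mgmt/tm/asm/policies response (name, enforcementMode, virtualServers).
SAMPLE_POLICIES = json.loads("""
{"items": [
  {"name": "shop_policy", "enforcementMode": "blocking",
   "virtualServers": ["/Common/vs_shop_443"]},
  {"name": "api_policy", "enforcementMode": "transparent",
   "virtualServers": ["/Common/vs_api_443", "/Common/vs_api_8443"]},
  {"name": "legacy_policy", "enforcementMode": "transparent",
   "virtualServers": []}
]}
""")

# Constructed inventory of Virtual Servers that are expected to be behind the WAF.
SAMPLE_VIRTUAL_SERVERS = [
    "/Common/vs_shop_443", "/Common/vs_api_443",
    "/Common/vs_api_8443", "/Common/vs_admin_443",
]


def audit_waf_coverage(policies, virtual_servers):
    """Classify each VS by the enforcement mode of the policy attached to it."""
    blocking, not_blocking, unattached = set(), {}, []
    for policy in policies.get("items", []):
        name = policy.get("name", "<unnamed>")
        mode = str(policy.get("enforcementMode", "")).lower()
        attached = policy.get("virtualServers") or []
        if not attached:
            unattached.append(name)              # policy exists but protects nothing
        elif mode == "blocking":
            blocking.update(attached)
        else:
            not_blocking[name] = sorted(attached)  # transparent or unknown mode
    covered = blocking.union(*not_blocking.values())
    return {
        "blocking_vs": sorted(blocking),
        "transparent_in_use": not_blocking,
        "unattached_policies": sorted(unattached),
        "no_policy_vs": sorted(vs for vs in virtual_servers if vs not in covered),
    }


if __name__ == "__main__":
    print(json.dumps(audit_waf_coverage(SAMPLE_POLICIES, SAMPLE_VIRTUAL_SERVERS), indent=2))
```

Any VS listed under transparent_in_use or no_policy_vs is receiving traffic that the WAF does not block.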
