Deploying a web application firewall policy with central learning from BIG-IQ

Scope 

This article is useful for BIG-IP/BIG-IQ users familiar with web application security. This includes, application security professionals, infrastructure management operators. 

Introduction 

Centralized Policy Building (CPB) is a feature specific to BIG-IQ. It allows security administrators to create, deploy and manage web application firewall (WAF) policies on BIG-IP devices. The policy building can occur manually or automatically. This feature is comparable to the on-box policy building feature available on BIG-IP and is better suited for distributed environments.  

This article focuses on the configuration of the central learning feature for web application security policies in BIG-IQ. It will take you through the different steps to create, deploy and manage the WAF policy, as well as the appropriate logging profile.   

The virtual server and other related elements such as profiles, pools etc. are configured using the Applications framework leveraging AS3.    

The steps are documented for the operator to use the BIG-IQ web user interface (webUI) to manage the WAF policy.  The creation of the virtual server object can be done directly from the BIG-IQ webUI or through a simple REST call (leveraging the Postman™ client https://www.postman.com/product/api-client/).  

Pre-requisites 

The following pre-requisites must be met in order to follow the procedures outlined below: 

• BIG-IQ Central Management (CM) and BIG-IQ Data Collection Device (DCD) are deployed provisioned with all appropriate licensing. 
• BIG-IP is deployed licensed and provisioned with both the ASM and AVR modules.  
• A web application is available for securing via BIG-IP. 
• All networking and network security must be in place to allow traffic between the different components. The BIG-IP, BIG-IQ CM, BIG-IQ DCD, application servers etc. all must be reachable as described here.  
• The BIG-IP is running TMOS version 14.1 or greater. 
• The BIG-IQ is running version 7.0 or greater. 
• The discovery and import process for the target BIG-IP is completed as documented here. 
• The administrator/operator performing the procedure below will have admin-level access to the BIG-IQ CM webUI. 
• BIG-IQ AS3 Templates are loaded on the BIG-IQ CM as described here. 

Overview 

The procedure detailed below goes over the following main steps on BIG-IQ: 

• Verify proper BIG-IP/BIG-IQ configuration and reachability 
• Create a web application security (the sample policy used in this example is created with central policy building enabled for manual learning and manual deployment of policy changes to the BIG-IP) 
• Create a logging profile for application security 
• Deploy the policy and logging profile using the “inactive” inactive virtual server and the profile pinning mechanism 
• Create the application definition using AS3 referencing the policy and logging profile in the declaration.  
• Send test traffic to the virtual server 
• Review logs and learning suggestions on BIG-IQ 

Procedure 

For the following steps it is assumed that the operator is logged in the BIG-IQ CM webUI and has the necessary administrative rights to create, update and delete web application security configuration as well as create applications. BIG-IQ accommodates fine-grained role-based access control (RBAC) to assign different roles to different user, e.g. security administrator role for policy management, and application administrator for other aspects of the configuration. This is beyond the scope of this article, more information is available here.  

BIG-IQ/BIG-IP configuration 

1. From the Devices tab, click on BIG-IP DEVICES and select the target BIG-IP (in this case bigip1) and verify that the following SERVICES are discovered and imported: 
2. Local Traffic (LTM) 
3. Shared Security (SSM)
4. Web Application Security (ASM) 
5. Ensure that the BIG-IQ DCD nodes Web Application Security service is enabled (System >> BIG-IQ DATA COLLECTION >> BIG-IQ Data Collection Devices >> [name of DCD device] >> SERVICES): 

WAF Policy Creation 

1. From the Configuration tab, expand SECURITY and Web Application Security 
2. Click on Policies and the Create button 
3. Fill out the Name field – and configure the policy features as desired (the picture below provides a sample for illustration purposes only and is not to be used in your environment) 
4. Click on the Save button located at the bottom right of the screen 
5. In the policy configuration window, expand POLICY BUILDING, and select Settings  
6. From the Policy Building Mode select Central from the drop down 
7. Select the Policy Building Device (the BIG-IQ DCD configured previously with the BIG-IQ CM) 
8. Finish configuring other dimensions in the policy as needed and click on the Save & Close button located at the bottom right of the window. 

Logging Profile Creation 

1. In the Configuration tab, expand the SECURITY and Shared Security sections and click on Logging Profiles 
2. Click on the Create button 
3. Enter a Name in the appropriate field and click on Save at the bottom right of the screen 
4. Click on APPLICATION SECURITY 
5. Disable Local Storage for the profile 
6. Check the Remote Storage, enter the IP address of the BIG-IQ DCD in the Protocol portion of the configuration screen, as shown in the sample below. 
7. Click on the Add button in the Server Addresses dialog, and then select Save & Close on the bottom right of the screen 

WAF Policy and Logging Profile Deployment 

1. Deploy the policy to the BIG-IP using the inactive virtual server 
2. Add the policy to the virtual server on the appropriate BIG-IP 
3. Click on Save & Close 
4. From the Configuration >> Security >> Web Application Security >> Virtual Servers window select the ‘inactive’ virtual server for the target BIG-IP and click on Deploy as shown below:  
5. Follow the deployment screen instructions: 
6. Name the deployment (e.g deploy_demo_policy) 
7. Select deployment method (e.g. deploy immediately) 
8. Select a target device (e.g. the BIG-IP where the policy is deployed)  
9. Click on Deploy 
10. Pin the logging profile to the BIG-IP (you can also choose to create the logging profile 
11. Navigate to Configuration >> SECURITY >> Shared Security >> Pinning Policies 
12. Click on the target BIG-IP(s) and add the logging profile by selecting Logging Profiles from the drop down as shown below:  
13. Select the logging profile from the list and click on “Add Selected” 
14. Click on Save & Close 
15. Navigate to Configuration >> Shared Security >> Logging Profiles 
16. Select the logging profile that was just pinned and click on Deploy 
17. Complete the deployment process as discussed above. 

 

You are now ready to deploy the application using AS3.

Application Creation (AS3) 

1. Go to the Applications tab 
2. Click on Create 
3. Select the appropriate AS3 Template (in the example below this is a template labelled AS3-F5-HTTPS-WAF-existing-template-big-iq-defult-v1 – for more information on using AS3 with BIG-IQ, more information can be found here)  
4. Fill out the required fields including:  
5. Application Name (e.g. demo_app) 
6. Application Service Name (e.g. demo_app_service) 
7. Target (BIG-IP device) 
8. Tenant  
9. Pool Members (IP & Port) 
10. policyWAF (e.g. /Common/demo_policy) 
11. Virtual Addresses (VS address) 
12. Security Log Profiles (e.g. /Common/demo_log_profile) 
13. All the needed Analytics Profile entities required 
14. Click on Create 
15. Ensure that the Application Service was created, it should look something like: 

You are now able to send test traffic to the application. Feel free to use the f5-waf-tester tool available here.  

Log and Suggestions Review 

Now that the traffic is going to the application and, let's take a look at what BIG-IQ provides in terms of visibility.

1. Go to Monitoring, expand DASHBOARDS, select L7 Security: 
2. Select the protected virtual server and select Event Logs in the View in … drop-down and you should be able to view the application security logs:
3. To look at the suggestions resulting from the traffic being sent to the BIG-IP, go to Configuration >> SECURITY >> Web Application Security >> Policies 
4. Click on the target policy – and select POLICY BUILDING >>Suggestions:
5. Select the suggestions you wish to accept, ignore, or delete, and click on the appropriate action button (e.g. Accept)
6. Confirm your choice as appropriate on the pop-up window as needed.
7. Once all the suggestions have been accepted, deploy the policy to the relevant BIG-IP(s) as needed: Deployment >> EVALUATE & DEPLOY >> Web Application Security and click on Create
8. Follow the instructions to complete the deployment process.

Conclusion

BIG-IQ provides the ideal platform to enable security operations independently from the devops group. The multiple personas can run their tasks independently and effectively gaining granular visibility in the application performance, security, and overall status.

Please note that the above steps are also used in an F5 CloudDocs Lab available by following this link.