Introduction to F5 Distributed Cloud Platform Per Route WAF Policy
Introduction:
By default, F5 Distributed Cloud Platform applies WAF and routing at the domain level, i.e. to the origin pool associated with the load balancer. F5 Distributed Cloud WAF also makes it possible to create multiple routes with specific paths and attach WAF rules individually to each path. This article demonstrates that use case.
In general, when a load balancer is of host type HTTP/HTTPS, the request can be further matched on parameters such as URLs, headers, query parameters and HTTP methods. Once the request is matched, it can be sent to a specific endpoint based on the routing configuration and policy rules.
The route object is used to configure the L7 routing decision and consists of three parts:
- Matching condition for incoming request
- Actions to take if the matching condition is true
- Whether custom JavaScript is enabled for this route match.
Parameters offered per route configuration:
- URL path
- Prefix
- Specific header or Regex
Demonstration:
In this demo we will see how an HTTP request is forwarded from F5 Distributed Cloud Services to origin server endpoints depending on the route configuration and its associated WAF rules.
We are using:
- F5 Distributed Cloud Platform as the Environment.
- Arcadia Application as an origin server. Refer
- Load-balancer configured with multiple routes which are associated with different WAF rules.
The video below demonstrates how to configure and validate the F5 Distributed Cloud Per-Route WAF Policy.
Procedure:
Step 1: Origin Pool Creation
- From your desired namespace, navigate to Manage --> Load Balancers --> Origin pools
- Click on "Add Origin Pool"
- Give it a name
- Add the Origin server details along with Port info.
- Click on ‘Save and Exit’
Step 2: Load Balancer with Route config and WAF Rules
- From the WAAP --> Navigate to Manage --> Load Balancers --> HTTP Load Balancers
- Click on "Add HTTP load balancer"
- Give it a name
- Set the domain name under Basic Configuration
- Under Routes section, click on ‘Configure’, click on ‘Add Item’
- Select the type of Route as "Simple Route".
- Select HTTP method as “Any”.
- Select "Regex" under the "Path match" drop-down menu.
- Enter the string “\/trading\/.*” (without the quotes) as the regular expression (Regex). This matches requests for https://perroutewaf.com/trading/.
- Associate the above created Origin Pool.
- Under Advanced Options --> navigate to Security --> Web Application Firewall --> App Firewall --> Add Item.
- Create a WAF App firewall rule with Enforcement mode as “Blocking”.
- After attaching the WAF rule to the route, click on “Apply”.
- Repeat the above steps to create another route with Regex “.*” and the WAF rule Enforcement Mode ‘Monitoring’.
- Click on “Save and Exit” to save the Load Balancer configuration.
Step 3: Validating Per-Route WAF functionality
- Output of the /trading/.* route path:
  - Open a browser and navigate to the login page of the application load balancer.
  - Try to generate an SQL injection attack to log in as a higher-privileged user such as admin.
- Output of the /.* route path:
  - Try to access the load balancer with another route, “/index.html”.
  - Generate the SQL injection attack against the home page to get the privileged info.
Step 4: Logs Verification
- Monitor the security event log from the F5 Distributed Cloud console: navigate to WAAP --> Apps & APIs --> Security, select your LB and click on the ‘Security Event’ tab.
Conclusion:
As the demonstration shows, F5 Distributed Cloud WAF allowed and blocked requests based on the route configuration and the WAF policies associated with each route on the load balancer.
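As an added illustration (not part of the original article and not F5's own code), the following Python models the Simple Route match types named in the article (prefix, path, regex), the first-match precedence by route slot number that the author describes in the comments, and the per-route WAF enforcement mode, so a route list can be checked for a catch-all that shadows the Blocking route. The match semantics, including full-path regex matching, are assumptions of this model.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical local model of the article's Simple Route types ("prefix",
# "path", "regex") and per-route WAF mode; not F5 code, a simulation only.
@dataclass(frozen=True)
class Route:
    slot: int          # position in the route list; lower slots are tried first
    match_type: str    # "prefix" | "path" | "regex"
    pattern: str
    waf_mode: str      # "Blocking" | "Monitoring"

def route_matches(route: Route, path: str) -> bool:
    """Apply one route's match condition to a request path."""
    if route.match_type == "prefix":
        return path.startswith(route.pattern)
    if route.match_type == "path":
        return path == route.pattern
    if route.match_type == "regex":
        # Assumption: the regex must cover the whole path, matching how the
        # article's "\/trading\/.*" and ".*" patterns are used.
        return re.fullmatch(route.pattern, path) is not None
    raise ValueError(f"unknown match type {route.match_type!r}")

def select_route(routes: list[Route], path: str) -> Optional[Route]:
    """First match wins, in slot order (the precedence the author describes)."""
    for route in sorted(routes, key=lambda r: r.slot):
        if route_matches(route, path):
            return route
    return None

def waf_mode_for(routes: list[Route], path: str) -> Optional[str]:
    """WAF enforcement mode a request path would receive, or None if unrouted."""
    chosen = select_route(routes, path)
    return chosen.waf_mode if chosen else None

def unreachable_slots(routes: list[Route], sample_paths: list[str]) -> list[int]:
    """Slots that no sample path reaches: a sign an earlier route shadows them."""
    reached = {r.slot for r in (select_route(routes, p) for p in sample_paths) if r}
    return sorted(r.slot for r in routes if r.slot not in reached)

# The article's configuration: /trading/ in Blocking, everything else Monitoring.
ARTICLE_ROUTES = [Route(1, "regex", r"\/trading\/.*", "Blocking"),
                  Route(2, "regex", r".*", "Monitoring")]
# Same routes with the slots swapped: the catch-all now shadows /trading/ and the
# Blocking policy is never reached. This is the ordering mistake to audit for.
SHADOWED_ROUTES = [Route(1, "regex", r".*", "Monitoring"),
                   Route(2, "regex", r"\/trading\/.*", "Blocking")]
```

Running `unreachable_slots` against a list of representative request paths is a quick way to confirm that every route, and therefore every attached WAF policy, is actually reachable in the configured order.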
Shajiya_Shaik (Employee):
Hi Daniel,
Glad to know that the article is helpful to you.
The answer to your question is: you can use prefix, path or regex, anything, and based on the type you can mention the match condition, for example
for prefix (/trading),
for regex (\/trading\/.*),
for path (<specific valid path i.e.> /index.html).
The above three scenarios will work successfully. Precedence is given by the route slot number (i.e. first come, first served).
There is no particular recommendation on which type to use, but based on our requirement we can use the Route Types.
Hi Shajiya_Shaik,
thanks for sharing this knowledge with us. Very useful article.
May I ask a question? For the route config you are using regex. If I would want to use Prefix instead and use "/" and "/trading", would this work too?
What is the matching criteria? First match? Longest match?
Is there a best practice or recommendation when to use regex and when to use Prefix?
Thanks & best
Daniel