Introduction to F5 Distributed Cloud Platform Per Route WAF Policy

Introduction:

By default, F5 Distributed Cloud Platform applies WAF and routing at the domain level, i.e. to the origin pool associated with the load balancer. F5 Distributed Cloud WAF also lets you create multiple routes, each matching a specific path, and attach a WAF policy to each route individually. This article demonstrates that use case.

In general, for a load balancer of type HTTP/HTTPS, a request can be further matched on parameters such as the URL path, headers, query parameters and HTTP method. Once a request is matched, it is sent to a specific endpoint according to the routing configuration and policy rules.

The route object is used to configure the L7 routing decision and is made up of three things:

  • A matching condition for the incoming request
  • The actions to take if the matching condition is true
  • Whether custom JavaScript is enabled for this route match

Match parameters offered per route configuration:

  • Exact URL path
  • Path prefix
  • Specific header, or a regex

Demonstration:

In this demo we will see how an HTTP request is forwarded from F5 Distributed Cloud Services to the origin server endpoints according to the route configuration and the WAF policy attached to each route.

We are using:

  • F5 Distributed Cloud Platform as the environment.
  • Arcadia Application as the origin server. Refer
  • A load balancer configured with multiple routes, each associated with a different WAF policy.

The video below shows the flow of how to configure and validate F5 Distributed Cloud per-route WAF policy.

 Procedure:

  Step 1: Origin Pool Creation

  • From your desired namespace, navigate to Manage --> Load Balancers --> Origin Pools
  • Click on "Add Origin Pool"
  • Give it a name
  • Add the origin server details along with the port
  • Click on "Save and Exit"

  Step 2: Load Balancer with Route config and WAF Rules

  • From WAAP, navigate to Manage --> Load Balancers --> HTTP Load Balancers
  • Click on "Add HTTP load balancer"
  • Give it a name
  • Set the domain name under Basic Configuration
  • Under the Routes section, click on "Configure", then click on "Add Item"
  • Select the type of route as "Simple Route".
  • Select HTTP method as "Any".
  • Select "Regex" under the "Path match" drop-down menu.
  • Enter the string "\/trading\/.*" (without the quotes) as the regular expression (regex). This matches requests for https://perroutewaf.com/trading/ and everything beneath that path.
  • Associate the Origin Pool created above.
  • Under Advanced Options --> navigate to Security --> Web Application Firewall --> App Firewall --> Add Item.
  • Create a WAF App Firewall policy with Enforcement Mode set to "Blocking".
  • After attaching the WAF policy to the route, click on "Apply".
  • Repeat the above steps to create a second route with the regex ".*" and a WAF policy with Enforcement Mode "Monitoring". Keep this catch-all route in the slot after the /trading/ route: routes are evaluated in slot order and the first match wins, so a ".*" route placed in the first slot would match every request and the Blocking route would never be reached.
  • Click on "Save and Exit" to save the Load Balancer configuration.
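The following is an added example written for this article, not F5 Distributed Cloud code: a small local model of the route table built in Step 2, used to check which WAF enforcement mode a given request path would actually receive. It assumes first-match evaluation in slot order (as the author states in the comments below), that a regex path match must cover the whole request path rather than a substring, and uses a hypothetical origin pool name "arcadia-pool". Besides the two regex routes from Step 2 it also models the prefix-based variant ("/trading" and "/") raised in the comments, and flags routes that can never be selected because an earlier slot shadows them.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of the route table built in Step 2. Example code for this
# article, not F5 Distributed Cloud's implementation.
# Assumptions: routes are evaluated in slot order and the first match wins;
# a regex path match must cover the whole request path (full match).


@dataclass(frozen=True)
class Route:
    match_type: str   # "path" (exact), "prefix" or "regex"
    pattern: str
    waf_mode: str     # "Blocking" or "Monitoring"
    origin_pool: str  # origin pool the route forwards to (hypothetical name)


def route_matches(route: Route, path: str) -> bool:
    """Return True if the request path satisfies the route's match condition."""
    if route.match_type == "path":
        return path == route.pattern
    if route.match_type == "prefix":
        return path.startswith(route.pattern)
    if route.match_type == "regex":
        # Full match: "\/trading\/.*" matches "/trading/login" but not "/api/trading/x".
        return re.fullmatch(route.pattern, path) is not None
    raise ValueError(f"unknown match type {route.match_type!r}")


def select_route(routes: List[Route], path: str) -> Optional[Route]:
    """First-match selection in slot order; None if no route matches."""
    for route in routes:
        if route_matches(route, path):
            return route
    return None


def effective_waf_mode(routes: List[Route], path: str) -> str:
    """WAF enforcement mode a request to `path` would actually receive."""
    route = select_route(routes, path)
    return route.waf_mode if route is not None else "no-route"


def unreachable_routes(routes: List[Route], sample_paths: List[str]) -> List[Route]:
    """Routes that none of the sample paths ever selects, i.e. shadowed by an
    earlier slot. A shadowed route is a silent policy gap: its WAF mode is never
    applied. Feed in the paths you intend to protect and expect an empty list."""
    hit = set()
    for path in sample_paths:
        for slot, route in enumerate(routes):
            if route_matches(route, path):
                hit.add(slot)
                break
    return [route for slot, route in enumerate(routes) if slot not in hit]


# Step 2 configuration: specific route first, catch-all last.
CORRECT_ORDER = [
    Route("regex", r"\/trading\/.*", "Blocking", "arcadia-pool"),  # slot 1
    Route("regex", r".*", "Monitoring", "arcadia-pool"),           # slot 2
]

# Same two routes with the catch-all in slot 1: every request stops there.
SHADOWED_ORDER = list(reversed(CORRECT_ORDER))

# Equivalent table using prefix matches instead of regexes.
PREFIX_ORDER = [
    Route("prefix", "/trading", "Blocking", "arcadia-pool"),
    Route("prefix", "/", "Monitoring", "arcadia-pool"),
]

if __name__ == "__main__":
    probes = ["/trading/login", "/index.html"]
    for name, table in [("regex", CORRECT_ORDER), ("shadowed", SHADOWED_ORDER), ("prefix", PREFIX_ORDER)]:
        for p in probes:
            print(f"{name:<9} {p:<16} -> {effective_waf_mode(table, p)}")
        print(f"{name:<9} shadowed routes: {len(unreachable_routes(table, probes))}")
```

Run it before saving a multi-route load balancer: if `unreachable_routes` returns anything for the paths you care about, a slot is ordered wrongly and its enforcement mode is never applied to live traffic.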

 Step 3: Validating per-route WAF functionality

 - Output of the /trading/.* route path:

  • Open a browser and navigate to the login page of the application behind the load balancer.
  • Try to generate a SQL injection attack in the login form to log in as a higher-privileged user such as admin.
  Fig: In the above screenshot you can see that the F5 Distributed Cloud WAF engine has blocked the request, as the WAF policy on this route is configured as "Blocking".

 - Output of the .* route path:

  • Try to access the load balancer via another route, "/index.html".
  • Generate the SQL injection attack against the home page to attempt to retrieve privileged information.
  Fig: In the above screenshot you can see that the F5 Distributed Cloud WAF engine has detected but allowed the request, as the WAF policy on this route is configured as "Monitoring".
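The browser checks above can be replayed from the command line so the validation is repeatable after every configuration change. The script below is an added example for this article (not code from F5 or from the Arcadia application): it sends the same SQL-injection-style payload to both routes and compares the outcome with what the per-route policies should produce. It assumes the demo hostname perroutewaf.com and the paths /trading/ and /index.html from the article, that a WAF block is returned as an HTTP 403 (the default block response), and a hypothetical query parameter name "user" to carry the payload; the payload string itself is a constructed test value.

```python
import urllib.error
import urllib.parse
import urllib.request

# Constructed example for this article: command-line version of the Step 3 check.
# Assumptions: hostname from the article; a WAF block is an HTTP 403; the probe
# payload is carried in a hypothetical query parameter named "user".

BASE_URL = "https://perroutewaf.com"
PAYLOAD = "' OR '1'='1"  # classic SQL injection test string (constructed)

# Expected outcome per route, from the Step 2 configuration.
ROUTE_EXPECTATIONS = {
    "/trading/": "blocked",    # route 1, Enforcement Mode "Blocking"
    "/index.html": "allowed",  # route 2 (catch-all), Enforcement Mode "Monitoring"
}


def build_probe_url(base: str, path: str, payload: str, param: str = "user") -> str:
    """Attach the payload to the path as a URL-encoded query parameter."""
    return f"{base}{path}?{urllib.parse.urlencode({param: payload})}"


def classify_response(status: int) -> str:
    """Map an HTTP status to the WAF outcome of interest.
    403 is treated as a WAF block (assumption: default block page); any other
    status means the request was passed on to the origin."""
    return "blocked" if status == 403 else "allowed"


def probe(url: str, timeout: float = 10.0) -> int:
    """Send the probe and return the HTTP status, including 4xx/5xx responses."""
    req = urllib.request.Request(url, headers={"User-Agent": "per-route-waf-probe"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_checks(base: str = BASE_URL, expectations=ROUTE_EXPECTATIONS, payload: str = PAYLOAD) -> dict:
    """Probe every route and report (status, outcome, matches_expectation) per path."""
    results = {}
    for path, expected in expectations.items():
        status = probe(build_probe_url(base, path, payload))
        outcome = classify_response(status)
        results[path] = (status, outcome, outcome == expected)
    return results


if __name__ == "__main__":
    for path, (status, outcome, ok) in run_checks().items():
        print(f"{path:<12} HTTP {status} -> {outcome:<8} {'OK' if ok else 'MISMATCH'}")
```

An "allowed" result on the Monitoring route only shows that the request reached the origin; it does not by itself prove the WAF inspected it. Confirm the detection in the security event log as described in Step 4.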

 Step 4: Logs Verification

  • Monitor the security event log from the F5 Distributed Cloud console: navigate to WAAP --> Apps & APIs --> Security, select your LB and click on the 'Security Event' tab.
  Fig: The above screenshot shows the allowed and blocked requests and the attack signatures identified by the Distributed Cloud WAF engine.

 Conclusion:

As the demonstration shows, F5 Distributed Cloud WAF allowed or blocked requests based on the route configuration and the WAF policy associated with each route on the load balancer, and the requests allowed under the Monitoring policy still appear as detections in the security event log.

For further information click the links below:  

  1. F5 Distributed Cloud Services
  2. F5 Distributed Cloud WAF 
Updated Jan 04, 2023
Version 2.0
  • Hi Daniel,

    Glad to know that the article is helpful to you.

    The answer to your question is:

    You can use prefix, path or regex, and based on the type you specify the match condition, for example:

    for prefix (/trading),

    for regex (\/trading\/.*),

    for path (<specific valid path, i.e.> /index.html)

    All three scenarios will work successfully. Precedence is given by the route slot number (i.e. first come, first served).

    There is no particular recommendation on which type to use, but based on our requirements we can use the route types.

  • Hi Shajiya_Shaik,

    thanks for sharing this knowledge with us. Very useful article.

    May I ask a question? For the route config you are using regex. If I wanted to use Prefix instead and use "/" and "/trading", would this work too?
    What is the matching criteria? First match? Longest match?
    Is there a best practice or recommendation when to use regex and when to use Prefix?

    Thanks & best
    Daniel