Manage F5 BIG-IP Advanced WAF Policies with Terraform (Part 5 - Working with Policy Builder)

F5 BIG-IP Advanced WAF includes a powerful learning engine which learns from the traffic and makes suggestions about the application profile, its behaviour and the appropriate protection mechanisms to enforce.

Possible workflow

Because F5 BIG-IP Advanced WAF exposes a lot of information in a great dashboard, it is more convenient to learn from and evaluate events and suggestions there.

We can imagine the following management workflow:

  1. The security engineer regularly reviews the suggestions directly in the F5 BIG-IP WebUI and removes the irrelevant ones.
  2. Once the cleanup is done, the Terraform engineer (who may be the same person as the security engineer) runs a terraform apply for the current suggestions. Suggestions can be filtered on their learning score (from 5% to 100%, 100% being the highest confidence level).
  3. Each application of suggestions is tracked in Terraform state and can easily be rolled back if needed.


Collect the learning suggestions from F5 BIG-IPs

From a single instance

The F5 BIG-IP, or the F5 BIG-IP cluster, has an F5 BIG-IP Advanced WAF Policy with the Manual Policy Builder enabled. The security admin can log in to the F5 BIG-IP UI and remove all the suggestions that are irrelevant or considered false positives.

Regularly, or when the security admin is done refining the suggestions, the Terraform admin can collect the learning suggestions and enforce them directly on the production devices, or on a test or qualification device first before putting them in production.

You just have to create a bigip_waf_pb_suggestions data source targeting the instance, specifying the policy and the minimum learning score:

data "bigip_waf_pb_suggestions" "AUG3rd20221715" {
  provider               = bigip.prod
  policy_name            = "scenario5"
  partition              = "Common"
  minimum_learning_score = 100
}

output "AUG3rd20221715" {
  value = data.bigip_waf_pb_suggestions.AUG3rd20221715.json
}

The name of the collected suggestions data source should be meaningful (here the collection date and time) and must start with a letter.

If you want to check the collected learning suggestions:

foo@bar:~$ terraform plan -out scenario5
foo@bar:~$ terraform apply "scenario5"
foo@bar:~$ terraform output AUG3rd20221715 | jq '. | fromjson'
{
    "suggestions": [
      {
        "action": "update-append",
        "description": "Add/Update Parameter. Disable the matched signature on the matched Parameter",
        "entity": {
          "level": "global",
          "name": "id"
        },
        "entityChanges": {
          "signatureOverrides": [
            {
              "enabled": false,
              "name": "SQL-INJ ' UNION SELECT (Parameter)",
              "signatureId": 200002736
            }
          ],
          "type": "explicit"
        },
        "entityType": "parameter"
      },
[...],
      {
        "action": "add-or-update",
        "description": "Add Policy Server Technology",
        "entity": {
          "serverTechnologyName": "Unix/Linux"
        },
        "entityType": "server-technology"
      }
    ]
  }

Now, enforce them in the F5 BIG-IP Advanced WAF Policy on the production device:

resource "bigip_waf_policy" "this" {
  provider             = bigip.prod
  application_language = "utf-8"
  partition            = "Common"
  name                 = "scenario5"
  template_name        = "POLICY_TEMPLATE_FUNDAMENTAL"
  type                 = "security"
  policy_import_json   = data.http.scenario5.body
  modifications        = [data.bigip_waf_pb_suggestions.AUG3rd20221715.json]
}

From multiple instances

You may have multiple F5 BIG-IPs serving and protecting the same applications. These instances can be located in different clouds or different regions and will therefore not see the same traffic patterns, so each one produces its own set of learning suggestions.

data "bigip_waf_pb_suggestions" "S6_22AUG20221800_P1" {
  provider               = bigip.prod1
  policy_name            = "scenario6"
  partition              = "Common"
  minimum_learning_score = 100
}

data "bigip_waf_pb_suggestions" "S6_22AUG20221800_P2" {
  provider               = bigip.prod2
  policy_name            = "scenario6"
  partition              = "Common"
  minimum_learning_score = 100
}

output "PB_S6_22AUG20221800_P1" {
  value = data.bigip_waf_pb_suggestions.S6_22AUG20221800_P1.json
}

output "PB_S6_22AUG20221800_P2" {
  value = data.bigip_waf_pb_suggestions.S6_22AUG20221800_P2.json
}

Now you can enforce both sets of suggestions directly and consistently on the production WAF policies by listing them in the modifications attribute:

resource "bigip_waf_policy" "QAS6" {
  provider             = bigip.qa
  application_language = "utf-8"
  name                 = "scenario6"
  partition            = "Common"
  template_name        = "POLICY_TEMPLATE_FUNDAMENTAL"
  type                 = "security"
  policy_import_json   = data.http.scenario6.body
  modifications        = [data.bigip_waf_pb_suggestions.S6_22AUG20221800_P1.json, data.bigip_waf_pb_suggestions.S6_22AUG20221800_P2.json]
}
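Before running terraform apply, a reviewer usually wants a quick summary of what the collected suggestions (from one or several instances) would change, and in particular which suggestions relax protection by disabling an attack signature. The following Python script is an added example, not part of the original article or the F5 Terraform provider: it reads the JSON produced by the bigip_waf_pb_suggestions outputs above (the sample data is constructed from the output shown earlier; the second instance is hypothetical), merges the lists from multiple instances while dropping exact duplicates, and flags signature overrides with "enabled": false.

```python
import json
from collections import Counter

# Constructed sample outputs in the bigip_waf_pb_suggestions JSON shape shown
# above. PROD1 mirrors the page's output; PROD2 is a hypothetical second BIG-IP
# that only learned the server technology.
PROD1 = json.dumps({"suggestions": [
    {"action": "update-append",
     "description": "Add/Update Parameter. Disable the matched signature on the matched Parameter",
     "entity": {"level": "global", "name": "id"},
     "entityChanges": {"signatureOverrides": [
         {"enabled": False, "name": "SQL-INJ ' UNION SELECT (Parameter)",
          "signatureId": 200002736}], "type": "explicit"},
     "entityType": "parameter"},
    {"action": "add-or-update", "description": "Add Policy Server Technology",
     "entity": {"serverTechnologyName": "Unix/Linux"},
     "entityType": "server-technology"},
]})
PROD2 = json.dumps({"suggestions": [
    {"action": "add-or-update", "description": "Add Policy Server Technology",
     "entity": {"serverTechnologyName": "Unix/Linux"},
     "entityType": "server-technology"},
]})


def merge_suggestions(*outputs):
    """Merge suggestion lists from several instances, dropping exact duplicates.
    Deduplication is on the full suggestion content (an assumption of this
    example): the same entity with different changes is kept twice on purpose
    so the reviewer sees the disagreement between instances."""
    seen, merged = set(), []
    for raw in outputs:
        for s in json.loads(raw)["suggestions"]:
            key = json.dumps(s, sort_keys=True)
            if key not in seen:
                seen.add(key)
                merged.append(s)
    return merged


def review(suggestions):
    """Count suggestions per entity type and list every signature a suggestion
    would disable, so relaxing changes get a second look before apply."""
    counts = Counter(s["entityType"] for s in suggestions)
    disabled = []
    for s in suggestions:
        for o in s.get("entityChanges", {}).get("signatureOverrides", []):
            if o.get("enabled") is False:
                disabled.append((s["entity"].get("name"), o["signatureId"], o["name"]))
    return {"by_type": dict(counts), "disabled_signatures": disabled}


if __name__ == "__main__":
    print(json.dumps(review(merge_suggestions(PROD1, PROD2)), indent=2))
```

Feed it the real outputs with terraform output -raw <name> for each instance; the merged list is for review only, the actual enforcement stays with the modifications attribute of the bigip_waf_policy resource.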

Demo Video

How to manage an F5 BIG-IP Advanced WAF Policy with Policy Builder on a single device

Published Sep 29, 2022
Version 1.0
