Orchestrated Infrastructure Security - Advanced WAF
The F5 Beacon capabilities referenced in this article, hosted on F5 Cloud Services, are planned to migrate to a new SaaS platform. Check out the latest here.
This article is part of a series on implementing Orchestrated Infrastructure Security. It includes High Availability, Central Management with BIG-IQ, Application Visibility with Beacon and the protection of critical assets using F5 Advanced WAF and Protocol Inspection (IPS) with AFM. It is assumed that SSL Orchestrator is already deployed, and basic network connectivity is working.
If you need help setting up SSL Orchestrator for the first time, refer to the DevCentral article series Implementing SSL Orchestrator here.
This article focuses on configuring F5 Advanced WAF deployed as a Layer 2 solution. It covers the configuration of Advanced WAF protection on an F5 BIG-IP running version 16.0.0.
The configuration files for the BIG-IP deployed as Advanced WAF can be downloaded from GitLab here.
Please forgive me for using SSL and TLS interchangeably in this article.
This article is divided into the following high level sections:
- Advanced WAF Network Configuration
- Attach Virtual Servers to an Advanced WAF Policy
Advanced WAF: Network Configuration
The BIG-IP will be deployed with VLAN Groups. A VLAN Group combines two interfaces into an L2 bridge: traffic enters on one interface and is passed out the other, without any L3 routing on the BIG-IP. Virtual Wire (vwire) configuration will be covered later.
From the F5 Configuration Utility go to Network > VLANs. Click Create on the right.
Give it a name, ingress1 in this example. Set the Interface to 2.1. Set Tagging to Untagged then click Add.
Note: In this example interface 2.1 will receive decrypted traffic from sslo1
Interface 2.1 (untagged) should now be listed, as in the image below. Click Repeat at the bottom to create another VLAN.
Give it a name, egress1 in this example. Set the Interface to 2.2. Set Tagging to Untagged then click Add.
Note: In this example interface 2.2 will send decrypted traffic back to sslo1
Interface 2.2 (untagged) should now be listed, as in the image below. Click Finished.
Note: This guide assumes you are setting up a redundant pair of SSL Orchestrators. Therefore, you should repeat these steps to configure VLANs for the two interfaces connected to sslo2. These VLANs should be named in a way that you can differentiate them from the others. Example: ingress2 and egress2
It should look something like this when done:
Note: In this example Interface 2.3 and 2.4 are physically connected to sslo2.
Click VLAN Groups then Create on the right.
Give it a name, vlg1 in this example. Move ingress1 and egress1 from Available to Members. Set the Transparency Mode to Transparent. Check the box to Bridge All Traffic then click Finished.
Note: This guide assumes you are setting up a redundant pair of SSL Orchestrators. Therefore, you should repeat these steps to configure a VLAN Group for the two interfaces connected to sslo2. This VLAN Group should be named in a way that you can differentiate it from the other, example: vlg1 and vlg2. It should look like the image below:
For full Layer 2 transparency the following database variable also needs to be enabled from the tmsh CLI (it is not exposed in the Configuration Utility):
(tmos)# modify sys db connection.vgl2transparent value enable
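The same network configuration, entered from tmsh instead of the Configuration Utility, is shown below as an added example (not part of the original article or F5's published configuration files). It assumes the interface numbering and object names used above: interfaces 2.1/2.2 facing sslo1 and 2.3/2.4 facing sslo2, VLANs ingress1/egress1/ingress2/egress2, and VLAN Groups vlg1/vlg2.

```tmsh
# Untagged VLANs, one per interface. 2.1/2.2 connect to sslo1, 2.3/2.4 to sslo2
# (interface numbers are the ones assumed in this article; adjust to your platform).
create net vlan ingress1 interfaces add { 2.1 { untagged } }
create net vlan egress1 interfaces add { 2.2 { untagged } }
create net vlan ingress2 interfaces add { 2.3 { untagged } }
create net vlan egress2 interfaces add { 2.4 { untagged } }

# One VLAN Group per SSL Orchestrator. "mode transparent" is the GUI's
# Transparency Mode = Transparent; "bridge-traffic enabled" is Bridge All Traffic.
create net vlan-group vlg1 members add { ingress1 egress1 } mode transparent bridge-traffic enabled
create net vlan-group vlg2 members add { ingress2 egress2 } mode transparent bridge-traffic enabled

# Full L2 transparency for VLAN Group traffic (the db variable from the step above).
modify sys db connection.vgl2transparent value enable

# Verify the objects before handing the device to SSL Orchestrator.
list net vlan-group vlg1
list net vlan-group vlg2
list sys db connection.vgl2transparent

# Persist the running configuration; otherwise it is lost on the next reboot.
save sys config
```

If the BIG-IP is part of a device group, run `save sys config` on the configured device and then sync the device group so the peer picks up the same VLANs and VLAN Groups; the `sys db` variable is device-local and must be set on each unit.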
Attach Virtual Servers to an Advanced WAF Policy
You can skip this step if you already have an Advanced WAF policy created and attached to one or more virtual servers. If not, we'll cover it briefly. In this example we used Guided Configuration (Security > Guided Configuration) and chose the Comprehensive Protection use case, which includes Bot Mitigation, Layer 7 DoS and Application Security.
Give it a name, App_Protect1 in this example then click Save & Next.
Select the Enforcement Mode and Policy Type. Transparent mode only logs violations, while Blocking mode enforces them; starting in Transparent is the safer choice until the policy has been tuned against real traffic. Click Save & Next.
Configure the desired Bot Defense options. Click Save & Next on the lower right.
Configure the desired DoS Profile Properties. Click Save & Next.
Assign the policy to your application server(s) by moving them to Selected. Click Save & Next.
Click Finish/Deploy when done.
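For environments that are managed from the CLI or automation rather than Guided Configuration, the following added example (not from the original article) shows how to attach an existing Application Security policy to an existing virtual server with tmsh. It assumes a virtual server named vs_app1 that already carries an HTTP profile (the traffic arriving from SSL Orchestrator is already decrypted, so no client-ssl profile is needed) and the policy name App_Protect1 used above; the LTM policy name waf_policy_vs_app1 is arbitrary. It attaches only the Application Security policy, not the DoS or Bot Defense profiles that the Comprehensive Protection use case also deploys.

```tmsh
# An LTM policy is what binds an ASM (Advanced WAF) policy to a virtual server.
# It is created as a draft and then published. This mirrors the
# asm_auto_l7_policy__<vs> object the Configuration Utility generates.
create ltm policy Drafts/waf_policy_vs_app1 controls add { asm } requires add { http } strategy first-match rules add { default { actions add { 0 { asm enable policy /Common/App_Protect1 } } } }
publish ltm policy Drafts/waf_policy_vs_app1

# The websecurity profile plus the LTM policy enable enforcement on the virtual server.
# vs_app1 is an assumed name; it must already have an HTTP profile.
modify ltm virtual vs_app1 profiles add { websecurity { } } policies add { waf_policy_vs_app1 { } }

# Verify the binding and the policy object.
list ltm virtual vs_app1 profiles policies
list asm policy App_Protect1

save sys config
```

After attaching the policy, confirm its enforcement mode with `list asm policy App_Protect1` before moving it to Blocking, and watch Security > Event Logs > Application for the virtual server to make sure the decrypted traffic from SSL Orchestrator is actually being matched.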
In this article you learned how to configure BIG-IP in layer 2 transparency mode using VLAN groups. We also covered how to create an Advanced WAF policy and attach it to your Virtual Servers.