Support of WAF Signature Staging in F5 Distributed Cloud (XC)
Introduction:
Attack signatures are the rules and patterns which identifies attacks against your web application. When the Load balancer in the F5 Distributed Cloud (XC) console receives a client request, it compares the request to the attack signatures associated with your WAF policy and detects if the pattern is matched. Hence, it will trigger an "attack signature detected" violation and will either alarm or block based on the enforcement mode of your WAF policy. A generic WAF policy would include only the attack signatures needed to protect your application. If too many are included, you waste resources on keeping up with signatures that you don't need. Same way, if you don't include enough, you might let an attack compromise your application.
F5 XC WAF is supporting multiple states of attack signatures like enable, disable, suppress, auto-supress and staging. This article focusses on how F5 XC WAF supports staging and detects the staged attack signatures and gives the details of attack signatures by allowing them into the application.
Staging:
A request that triggers a staged signature will not cause the request to be blocked, but you will see signature trigger details in the security event. When a new/updated attack signature(s) is automatically placed in staging then you won't know how that attack signature is going to affect your application until you had some time to test it first. After you test the new signature(s), then you can take them out of staging, apply respective event action to protect your application!
Environment:
- F5 Distributed Cloud Console
- Security Dashboard
Configuration:
Here is the step-by-step process of configuring the WAF Staging Signatures and validating them with new and updated signature attacks.
- Login to F5 Distributed Cloud Console and navigate to “Web App & API Protection” -> App Firewall and then click on `Add App Firewall`.
- Name the App Firewall Policy and configure it with given values.
- Navigate to “Web App & API Protection” à Load Balancers à HTTP Load Balancers and click on `Add HTTP Load Balancers`.
- Name the Load Balancer and Configure it with given values and associate the origin pool.
- Origin pool ``petstore-op`` configuration.
-
Associate the initially created APP firewall ``waf-sig-staging`` under LB WAF configuration section.
- ``Save and Exit`` the configuration and Verify that the Load balancer has created successfully with the name ``petstore-op``.
Validation:
To verify the staging attacks, you need the signature attacks listed in attack signature DB. In this demo we are using the below newly added attack signature (200104860) and updated attack signature (200103281) Id’s.
Now, Let’s try to access the LB domain with the updated attack signature Id i.e 200103281 and verify that the LB dashboard has detected the staged attack signature by reflecting the details.
F5 XC Dashboard Event Log:
Now try to access the LB domain with new signature attack adding the cookie in the request header.
F5 XC Dashboard Event Log:
Now, Disable the staging in WAF policy ``waf-sig-staging``.
Let’s try to access the LB domain with new signature attack.
F5 XC Dashboard Event Log:
Conclusion:
As you see from the demo, F5 XC WAF supports staging feature which will enhance the testing scope of newly added and updated attack signature(s).
Reference:
Employee- Janibasha
Nice article Shajiya_Shaik which showcased solution to decrease the false positives by analyzing the incoming traffic first for few days before blocking them in production.
- Nikoolayy1
MVP
Nice article!
