cancel
Showing results for 
Search instead for 
Did you mean: 
ltwagnon
Legacy Employee
Legacy Employee

I've been writing a series of articles on the features and capabilities of the BIG-IP ASM...here are the links for your reading pleasure:

  1. What Is The ASM?
  2. Policy Building
  3. The Importance of File Types, Parameters, and URLs

In those articles I've used a fictitious auction site to test the ASM. Several people have inquired about this auction site and they wanted to know how to configure it so that they could get their own hands dirty with testing and configuring their ASM. Well, this article outlines the steps needed to get your own BIG-IP ASM and PHP Auction site up and running. Then, it's up to you to try out all the cool features of the ASM.

 

Required Software

I used virtual machines to set up and configure the BIG-IP and the auction site. You can use whatever hypervisor you want, but for the purposes of this article, I'll show you how it's done using VMware workstation. So, here's the list of software you will need to make all this happen:

  • VMware Workstation (free trial available here). I'm using a Windows PC, but you can use Linux if you want.
  • BIG-IP Virtual Edition (make sure you have the ASM module).
  • The PHP Auction Site VMware files.
UPDATE:  The Google Drive folder that has all the download files is here:  https://drive.google.com/drive/folders/0B4xC7Uw8ziLER3RqZXZWTFZTcW8?resourcekey=0-shweDpAzbgSyDTAkHq...

 

Caveat: This article assumes you already have a licensed and configured BIG-IP system, so I will just focus on the PHPAuction side of things. If you don't have the BIG-IP Virtual Edition, contact your sales rep and ask for a copy. Also, if you need help licensing and configuring the BIG-IP Virtual Edition, check out these solutions on AskF5:

 

Virtual Network Configuration

Before loading up the PHP Auction site, you need to complete the following steps to configure the VMware Workstation Virtual Network Editor (shown in the picture below). If you have already set up your BIG-IP Virtual Edition, you may have already stepped through this configuration. If that's the case, you will want to make sure the settings for your VMnets are the same as the settings shown below.

 

0151T000003d5tzQAA.jpg

 

  • Delete any existing VMnets EXCEPT for VMnet0
  • Click the "Add Network" button, and add VMnet1, VMnet2, and VMnet3

 

 

VMnet0 Settings

Since you kept the VMnet0 settings, you don't have to do anything else with that one. Here's a quick screenshot of the VMnet0 settings:

 

0151T000003d5u0QAA.jpg

 

 

VMnet1 Settings

After you confirm the VMnet0 settings, select VMnet1 (this net will act as the out of band management) and configure it as follows:

  • Select the Host-only (connect VMs internally in a private network) option
  • Select the "Connect a host virtual adapter to this network" checkbox
  • Clear the "Use local DHCP service to distribute IP address to VMs" checkbox
  • For the Subnet IP, enter 10.128.1.0 and for the Subnet mask enter 255.255.255.0

 

0151T000003d5u1QAA.jpg

 

 

VMnet2 Settings

After you confirm the VMnet1 settings, select VMnet2 (this will act as the external VLAN for access to 0.0.0.0) and configure it as follows:

  • Select the "NAT (shared host’s IP address with VMs)" option
  • Select the "Connect a host virtual adapter to this network" checkbox
  • Clear the "Use local DHCP service to distribute IP address to VMs" checkbox
  • For the Subnet IP, enter 10.128.10.0 and for the Subnet mask enter 255.255.255.0
  • Click the "NAT Settings" button
    • For the Gateway IP enter 10.128.10.1 and then click OK.

 

0151T000003d5u2QAA.jpg

 

VMnet3 Settings

After you configure the VMnet2 settings, select VMnet3 (this will act as the internal VLAN where the server image exists) and configure it as follows:

  • Host-only (connect VMs internally in a private network) option selected
  • Connect a host virtual adapter to this network checkbox cleared
  • Use local DHCP service to distribute IP address to VMs checkbox cleared
  • For the Subnet IP enter 10.128.20.0 and for the Subnet mask enter 255.255.255.0
  • Ensure that the “Connect a host virtual adapter to this network” checkbox is cleared. This prevents your local workstation from having direct access to this network. This will avoid asymmetric routing issues and also allows you to demonstrate secure remote access and full proxy features.

 

0151T000003d5u3QAA.jpg

 

 

This concludes the network setup for VMware. Now you can install the PHP Auction virtual machine...

 

 

Install the PHP Auction Image

 

In VMware Workstation, select File >> Open and choose the "Open Virtual Machine Format" PHP Auction file (this will be a .ovf file).

 

0151T000003d5u4QAA.jpg 0151T000003d5u5QAA.jpg

 

 

After you import the virtual machine (you may have to accept a few license agreements, etc), then you move on to configuring the virtual machine network settings. The following screenshot shows the settings for the PHP Auction virtual machine. You will need to customize the three Network Adapters to the settings shown in the picture below (you will use the three custom VMnets you just created), but you shouldn't need to configure anything else on this screen.

 

0151T000003d5u6QAA.jpg

 

 

 

After the virtual machine imports correctly, you can power it on and let it boot up. When the boot up completes, you will see the following login screen:

 

0151T000003d5u7QAA.jpg

 

The login is "root" and the password is "default". So, go ahead and login and then you can leave it alone...you won't need to touch it again.

 

Configure the BIG-IP

Now it's time to make sure the BIG-IP is set up correctly to protect the traffic flowing to/from the auction site. First, create a pool (I called it "auction_pool" but you can call it whatever you want) with node address 10.128.20.150 and service port 80. This pool only has one member. The following screenshot shows you the details for the auction pool.

 

0151T000003d5u8QAA.jpg

 

Next, you create the virtual server. I called it "auction_vs" but you can call it whatever you want...just don't call me Shirley. The IP address for the virtual server is 10.128.10.35, and I chose service port 443 so I could test out some crazy SSL capabilities. But, you can choose port 80 if you want. Keep in mind that if you choose port 443, you should create an SSL client profile and configure the appropriate certificate and key combo for the profile. The following screenshot shows the details of the virtual server configuration.

 

0151T000003d5u9QAA.jpg

 

 

The Final Touches

OK...now that the BIG-IP is all set up and the PHP Auction virtual machine is running, you should be able to access the auction site from your browser of choice. One other optional thing you can do is add the virtual server IP address of the auction site to the "hosts" file in WIndows. You should be able to locate this file at: C: >> Windows >> System32 >> drivers >> etc. You can add the IP address to the file and then provide a host name for the auction site...the example below shows the name "auction.f5demo.com" but, again, you can choose something different if you want.

 

0151T000003d5uAQAQ.jpg

 

 

So, the final check is to make sure all this works. Notice that the "auction.f5demo.com" worked as expected. You can also use the IP address "10.128.10.35" if you want.

 

0151T000003d5uBQAQ.jpg

 

 

 

I hope this information is helpful. Feel free to comment and/or ask questions as needed. Also, be sure to check out the articles that dig deeper into the configurations and capabilities of the ASM!

 

 

Comments
Praveen_Kumar_K
Nimbostratus
Nimbostratus
Hello John,

 

 

I am going through all your security related article, i should say i was looking for this. Your articles are very simple and easy to understand.

 

 

Which version of F5 with ASM you are using on Vmware workstation.

 

I can find only above version 10 virtual edition which can be used on VMware ESX/i Server. I am using Microsoft Hyper-V with 8GB ram desktop.
ltwagnon
Legacy Employee
Legacy Employee
Praveen, thanks for the question and thanks for the comments on these ASM articles...I'm glad they are helping!

 

 

I am using ASM version 11.3 (virtual edition) and VMware Workstation version 9. The virtual edition BIG-IPs are designed to work with many different hypervisors, so you should be good with either VMware or Microsoft Hyper-V. BIG-IP VE also works with XenServer, KVM, and Amazon Web Services. Let me know if you need more detail on any of these and I can get you the specifics. Thanks again!!
fx_91779
Nimbostratus
Nimbostratus
Hi John,

 

 

I've converted hack-it from Redhat to Debian, and it's upgradeable

 

 

Please check this link: https://www.dropbox.com/sh/09dkjicaes2hygo/AAAmW_XMF3N-KQ_nIpvEnogla?dl=0

 

 

ova & readme available

 

 

Thanks
ltwagnon
Legacy Employee
Legacy Employee
Budi, thanks so much for doing this...great work!!

 

 

John

 

VFB
Cirrus
Cirrus
Has anyone gotten this to work with VMWARE Fusion?
John_Buchanan
Nimbostratus
Nimbostratus
I've got the vm running on VMware Workstation 10.x, but all I get from Apache is a 404 error. Should this run pretty much out of the box? Would you expect to see this error result if I have not followed the network interface configuration quite as shown? Myself and a colleague went through the instructor lead ASM class last week and are eager to get the hack-it site up and running to run through some labs again as well as aid in development of implementation of ASM in our production environment. thank you
hardi_ameen
Altostratus
Altostratus
please can you provide the users login, I studentx as a username and password is not working! appreciate your advice!
Luis_Villalobos
Nimbostratus
Nimbostratus
Hardi, the user will be student1, student2, student3, etc. with student1, student2, student3 as password.
Valentine_96813
Nimbostratus
Nimbostratus
Just downloaded this and the student logins are not working. Anyone else having this issue?
Valentine_96813
Nimbostratus
Nimbostratus
Okay, nvm. If you took the ASM class, the student IDs were already created. If you download the auction site from Devcentral, you have to register all the IDs you want to use by clicking 'Register now' on the auction home page once you install it using the directions above. Oh, an you must fill in every field with something, its required.
dgalati_13969
Nimbostratus
Nimbostratus
Hi, I downloaded this from Google Docs and I was able to load it into VMware Workstation Pro 12. I followed the instructions on this article but I cant ping the Auction Server so I cant get the Pool or VS to come up. Needless to say I cant log into the auction site. Is there more getting the auction site up and going? Thank you,
Dai_Do_203354
Nimbostratus
Nimbostratus
Great! Thanks!
ltwagnon
Legacy Employee
Legacy Employee
FYI...Budi Ang created another version of the Hack-it site using OpenBSD 5.4 and using chroot httpd. Check it out here: https://www.dropbox.com/sh/zwf7fnx8jdyaozl/AAD_iLju4iF5HzLLHwokMBLna?dl=0
zeropixel_23561
Nimbostratus
Nimbostratus
I have the local F5 ASM running in my mac os x vmware, and I have setup the network adapters. I downloaded OpenBSD 5.4 ova and plan to install in my local VM vmware, so I can test it with the Hack-it site. I cannot make the network adapters changes for OpenBSD because it may mess up my local F5 ASM? I have followed debian-f5-asm-amd64-README.txt to make changes on dns and dhcp. Could you please advise. Thanks!
Harry1
Nimbostratus
Nimbostratus

Hello John,

 

i just tried to download PHPAUCTIOn with ASm. could you please help me out that how can i block SQLinjection attack however i applied asm policy but still i am able to inject user's database with sql injection for example 'OR 1=1. also not able to see that malicious event in ASM.

 

dany508_223775
Nimbostratus
Nimbostratus

Hi,

 

Has anyone got this working with VMware fusion? I tried to import the Debian version, however, It's not working straight away. In spite of manually adding interfaces still, it's not seen when starting the VM. Apache, MySQL start without issues but I have an issue with the network interfaces.

 

Thanks!

 

dany508_223775
Nimbostratus
Nimbostratus

Loaded the Redhat version.It started working straight away!!!

 

dany508_223775
Nimbostratus
Nimbostratus

Thanks John..Awesome work..

 

Noah_Milhim_231
Nimbostratus
Nimbostratus

Hi Dear; I tried installing the ASM and PHPauction VMs, ASM cannot reach PHPAuction site on 10.128.20.150 VMnet3(internal vlan) as per the steps, could you please share the network settings from ASM side.

 

ltwagnon
Legacy Employee
Legacy Employee

The ASM configuration steps are toward the end of the article. Make sure you update your hosts file to reflect the IP address changes as well. That was one thing that confused me for a little bit. If you are still having problems, maybe you can share what steps you have taken and then we can try to figure out what might be causing the actual problem. Thanks!

 

ltwagnon
Legacy Employee
Legacy Employee

@prak, do you have your attack signatures enabled? Even if you have the policy applied, you need to make sure attack signatures are not in staging mode. When the ASM blocks a request, the block details should show up in the logs. Here's an article that talks about attack signatures: https://devcentral.f5.com/s/articles/the-big-ip-application-security-manager-part-4-attack-signature...

 

flipperbox77_32
Nimbostratus
Nimbostratus

Hi There, I'm wondering if there is a Citrix Xen Server version of this Auction Site, I'd tried to run this VMWare version to Citrix, but no luck(Kernel panic: VFS: Unable to mount root fs on 8:03). thanks in advance.

 

ltwagnon
Legacy Employee
Legacy Employee

Hi flipperbox77. I'm not aware of a Citrix Xen Server version of this site, but there is a Debian version you can mess with. Here's the link: https://drive.google.com/file/d/0B4xC7Uw8ziLEenpVd3lhdUVIak0/view

 

This site was created several years ago, and it's not actively supported (to my knowledge) so I'm not sure how many versions are out there for all the various platforms. Hope this helps!

 

Is there a way to build this into a VM ourselves?

 

It would be great to build in docker and for testing ASM in Azure/AWS etc.

 

Cheers,

 

ltwagnon
Legacy Employee
Legacy Employee

Hi Andrew. Unfortunately, this web app is old and not supported any more (that I know of), and I've had problems finding the person who created it originally. I can ask around to see if we have something similar for docker, azure, asm, etc. I can let you know what I find out. Thanks!

 

F5_Fan_162146
Nimbostratus
Nimbostratus

Second the request to publish instructions on setting up env in aws.

 

Duncan_Proffitt
Altostratus
Altostratus

Great post. So, doing this in HTTP worked like a dream. Some crazy SSL stuff HAD to be done. (the challenge was on!)

 

Set up different VS (although using the same dest add, but with different port - 443) Created custom pool as well (added a custom ssl monitor to see what's happening - still red) Pool member 10.128.20.150:443 - showing down (although parent node 10.128.20.150 is showing up)

 

Created custom SSL client profile Created self-signed cert & key to add to the custom profile But when https://10.128.10.35/ I get the attempted cert exchange, but it fails with ..

 

An error occurred during a connection to 10.128.10.35. SSL peer was unable to negotiate an acceptable set of security parameters. Error code: SSL_ERROR_HANDSHAKE_FAILURE_ALERT

 

So, my thoughts were that the cert is at fault. (we'll get to that later)

 

The HTTP stuff works ok.

 

So a couple questions from the Noob

 

1) Can I set up HTTP & HTTPS profiles for the site to run side-by-side, or will I have to bring down the HTTP vs? 2) I set up a self cert to make this happen, I assume that any details will be acceptable in the cert, and I dont have to use the settings in the training manuals? 3) Are there specific settings in the self-cert creation I need for this exercise Thanks in advance D.

 

SOLUTION FOUND - PICNIC (Problem in chair, not in computer) One HAS to remember to allow 443 on the self IP!! (DOH) {slinks away, slightly ashamed}

 

Dojs
Cirrostratus
Cirrostratus

I build my lab here in the v13 and works well. Changed the IP, and trying to take time to insert all studentX to users. Great Lab

 

KVHCL_366398
Nimbostratus
Nimbostratus

Hi John could you please provide the PHP Auction Site for Hyper V.

 

MSZ
Nimbostratus
Nimbostratus

Can anyone explain the traffic flow with details like encryption/Decryption through f5?

 

We have an website with HTTPS enabled. We have LTM We have ASM SSL offloading on F5

 

Internet --> F5 --> Webserver

 

What will actually do the F5 here for incoming traffic and for outgoing traffic ?

 

Somil_319871
Nimbostratus
Nimbostratus

Good stuff John, I need some test scripts from different vulnerability catagory as want to test with & without ASM for a POC, appriciate if you can help pls.

 

Amresh008
Nimbostratus
Nimbostratus

It's not working for me guys, having followed all the steps - This page cannot be displayed.VIP is not pingable from the PHP machine, but the server is.

 

When your on the hackit site you can access the admin pages by changing the URL to /admin/admin.php. Then you can reset passwords or create accounts.

 

Podikkandi
Nimbostratus
Nimbostratus

Same for me too...

After configuring the SNAT and interfaces of BigIP in webserver series and VIP series, its working fine.

I think those steps are not mentioned here

Yogi
Nimbostratus
Nimbostratus

​I have Hyper-V on my machine and while I am converting the VMDK files to vhd it do not load the OS.

nibble
Nimbostratus
Nimbostratus

Thank you for this article!

FrancisOlivier
Nimbostratus
Nimbostratus

Can you please provide default http login/pwd ?

hardi_ameen
Altostratus
Altostratus

for the F5 Utility access through GUI:

username: admin

password: admin

 

tmsh access using ssh:

username: root

Password: default

FrancisOlivier
Nimbostratus
Nimbostratus

Thanks you very much hardi.ameen for the info 👌

Mohanraj
Nimbostratus
Nimbostratus

Can anyone help this links are not working

https://www.dropbox.com/sh/zwf7fnx8jdyaozl/AAD_iLju4iF5HzLLHwokMBLna?dl=0

https://www.dropbox.com/sh/09dkjicaes2hygo/AAAmW_XMF3N-KQ_nIpvEnogla?dl=0

Mohanraj
Nimbostratus
Nimbostratus

Links over here need access to the files.

The PHP Auction Site VMware files (Redhat version available here) and (Debian version available here).

 

RKRam
Nimbostratus
Nimbostratus

yes, it need access to download this files.

 

can anyone help to download this file.

ltwagnon
Legacy Employee
Legacy Employee

See if this link works better:

 

https://drive.google.com/drive/folders/0B4xC7Uw8ziLER3RqZXZWTFZTcW8?resourcekey=0-shweDpAzbgSyDTAkHqy-iw&usp=sharing

 

fazlan
Nimbostratus
Nimbostratus

I can access the auction site via http ( port 80 ) but when i try to access it via port 443 its not working. Does it work only in port 80 ? 

 

Version history
Last update:
‎25-Sep-2013 15:00
Updated by:
Contributors