F5 BIG-IP SSL Orchestrator Configuration with Advanced WAFaaS

Introduction

This use case allows you to insert F5 Advanced WAF functionality in SSL Orchestrator from the Service Catalog.  This is a new feature in SSL Orchestrator version 11.0.

Note: This article applies to SSL Orchestrator version 11.0 and newer. If you are using an older version, refer to the article HERE.

Below is a video demonstration of this article:

Click HERE for a Lightboard Lesson on F5 Advanced WAF.

Advanced WAFaaS is the ability to insert F5 BIG-IP Advanced WAF profiles into the SSL Orchestrator Service Chain for Inbound Topologies.  This service allows you to configure and deploy Advanced Web Application Firewall profiles through the SSL Orchestrator.  This configuration is specific to a WAF policy running on the SSL Orchestrator device.  It is also possible to deploy WAF on a separate BIG-IP device, in which case you’d simply configure an inline transparent proxy service.  The ability to insert F5’s Advanced WAF into the Service Chain presents a significant customer benefit.  Some examples of the benefits are:

  • Consolidation of best-in-class advanced WAF capabilities with SSL Orchestrator’s dynamic, policy-based decrypted malware inspection and traffic steering.
  • The Advanced WAF Service can be used for multiple SSL Orchestrator Topologies.
  • Management of SSL Orchestrator and Advanced WAF on the same platform.
  • Simplifies logging and troubleshooting.

This guide assumes you already have SSL Orchestrator and F5 Advanced WAF licensed and provisioned on the BIG-IP and wish to add this functionality to an Inbound Topology.  In order to run Advanced WAF and SSL Orchestrator on the same device you will need an Advanced Web Application Firewall (AWF) add-on license.

Note: SSL Orchestrator 11.0 requires BIG-IP version 17.1.0.

Configuration

From the SSL Orchestrator Guided Configuration click Services then Add

Select the F5 tab, then double-click F5 Advanced WAF (On-Box)

Give it a name, F5_AWAF in this example

Click the down arrow next to Application Security Policy and select your Advanced WAF policy, Advanced-WAF-Policy in this example

The Advanced WAF Policy protects your web applications from application attacks like SQL injection, cross-site scripting and a variety of other malicious attacks.  You can also specify a DoS Protection and Bot Defense Profile.

A DoS Protection profile will also protect your web applications from Denial of Service attacks.

A Bot Defense Profile will protect your web applications from malicious bot attacks.

Select a Log Profile if desired.  The logging of connections is important for visibility and forensics.

Click Save & Next at the bottom

Click Save & Next at the bottom

Click Deploy

Click OK to the Success message

Add the Advanced WAF Service to the Service Chain by clicking the Service Chains tab then click on the name of the Service Chain, Service_Chain in this example

Move the F5_AWAF Service from Available to Selected

Click Deploy when done

If presented with the following warning, click OK

Click OK to the Success message

When done it should look like the following

The configuration is now complete.  Using the F5 Advanced WAFaaS this way is functionally the same as using it by itself.  There are no known limitations to this configuration.

Additional Information

For more information on the configuration of SSL Orchestrator, refer to the Deployment Guides HERE.

Exporting/Importing WAFaaS policy

To export an existing Advanced WAF policy, navigate to Security > Application Security and click the name of the policy you wish to export.

Click Export, then choose one of the supported formats, such as XML.

To import an Advanced WAF policy, click Create > Import from the Policies List screen.

Example of Advanced WAF Policy creation

A demo video of Advanced WAF Policy creation is available HERE

Example of Advanced WAF Protection in action

SQL Injection is a common web application attack that should be blocked by the Advanced WAF policy.  Here is what a typical SQL Injection attack might look like as an HTTPS request:

https://10.1.20.200/rest/products/search?q=qwert%27%29%29%20UNION%20SELECT%20id%2C%20email%2C%20password%2C%20%274%27%2C%20%275%27%2C%20%276%27%2C%20%277%27%2C%20%278%27%2C%20%279%27%20FROM%20Users--
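To show why the request above is caught regardless of its percent-encoding, the following added example (not part of the original article and not F5 code) walks through the sequence a WAF performs on it: split the URL, decode the query parameters, match the decoded values against attack signatures, and produce a blocking decision with a log-style record. The signature patterns and the log line format are simplified, hypothetical stand-ins; a real Advanced WAF policy uses a far larger signature set and its own log format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the request shown in the article, as the WAF sees it
# after SSL Orchestrator has decrypted the HTTPS session.
SAMPLE_URL = ("https://10.1.20.200/rest/products/search?q=qwert%27%29%29%20UNION%20SELECT"
              "%20id%2C%20email%2C%20password%2C%20%274%27%2C%20%275%27%2C%20%276%27%2C"
              "%20%277%27%2C%20%278%27%2C%20%279%27%20FROM%20Users--")

# Hypothetical, simplified signatures standing in for the WAF's signature set.
# They exist only to show the decode-then-match order of operations.
SIGNATURES = {
    "sql-union-select": re.compile(r"\bUNION\b\s+(ALL\s+)?SELECT\b", re.IGNORECASE),
    "sql-comment-terminator": re.compile(r"--\s*$|/\*"),
    "sql-quote-paren": re.compile(r"'\s*\)+"),
}


def decode_params(url):
    """Split the URL and percent-decode every query parameter value.

    parse_qs performs the percent-decoding; matching happens on the decoded
    text, so encoding the payload does not hide it from the signatures.
    """
    parts = urlsplit(url)
    return parse_qs(parts.query, keep_blank_values=True)


def inspect_request(url):
    """Return a list of (parameter, signature_name) pairs that matched."""
    hits = []
    for name, values in decode_params(url).items():
        for value in values:
            for sig_name, pattern in SIGNATURES.items():
                if pattern.search(value):
                    hits.append((name, sig_name))
    return hits


def decide(url):
    """Blocking decision: any signature hit blocks the request."""
    return "block" if inspect_request(url) else "allow"


def log_record(url):
    """Constructed, simplified log line (not the BIG-IP log format) carrying the
    fields a defender needs when reviewing a blocked request."""
    hits = inspect_request(url)
    parts = urlsplit(url)
    params = ",".join(sorted({p for p, _ in hits})) or "none"
    sigs = ",".join(sorted({s for _, s in hits})) or "none"
    return (f"action={decide(url)} host={parts.hostname} uri={parts.path} "
            f"param={params} signatures={sigs}")


if __name__ == "__main__":
    # Decoded value of q as the signatures see it, then the decision record.
    print(decode_params(SAMPLE_URL)["q"][0])
    print(log_record(SAMPLE_URL))
```

Running the block prints the decoded parameter (`qwert')) UNION SELECT id, email, password, ...`) followed by a record with `action=block` and the three matched signature names; a benign query such as `q=apple` produces `action=allow`.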

This request should be blocked and the response will look like this:

Here is an example of what the Log File should contain:

Note: Both Advanced WAF and SSL Orchestrator are CPU-driven functions. This will need to be factored into capacity planning when deploying the two together.

Updated Apr 28, 2023
Version 3.0