KevinGallaugher
F5 Employee

Introduction

This article is part of a series on implementing Orchestrated Infrastructure Security. It includes High Availability, Central Management with BIG-IQ, Application Visibility with Beacon and the protection of critical assets using F5 Advanced WAF and Protocol Inspection (IPS) with AFM. It is assumed that SSL Orchestrator is already deployed, and basic network connectivity is working.

If you need help setting up SSL Orchestrator for the first time, refer to the DevCentral article series Implementing SSL Orchestrator here.

This article focuses on configuring F5 Advanced WAF deployed as a Layer 2 solution. It covers the configuration of Advanced WAF protection on an F5 BIG-IP running version 16.0.0.

Configuration files for a BIG-IP deployed as Advanced WAF can be downloaded from GitLab here.

Please forgive me for using SSL and TLS interchangeably in this article.

This article is divided into the following high level sections:

  • Advanced WAF Network Configuration
  • Attach Virtual Servers to an Advanced WAF Policy

Advanced WAF: Network Configuration

The BIG-IP will be deployed with VLAN Groups. A VLAN group combines two interfaces into an L2 bridge: traffic enters on one interface and is passed out the other. Vwire configuration will be covered later.

From the F5 Configuration Utility go to Network > VLANs. Click Create on the right.


Give it a name, ingress1 in this example. Set the Interface to 2.1. Set Tagging to Untagged then click Add.


Note: In this example, interface 2.1 receives decrypted traffic from sslo1.

Interface 2.1 (untagged) should now be listed under the VLAN's interfaces. Click Repeat at the bottom to create another VLAN.


Give it a name, egress1 in this example. Set the Interface to 2.2. Set Tagging to Untagged then click Add.


Note: In this example, interface 2.2 sends decrypted traffic back to sslo1.

Interface 2.2 (untagged) should now be listed under the VLAN's interfaces. Click Finished.


Note: This guide assumes you are setting up a redundant pair of SSL Orchestrators. Therefore, you should repeat these steps to configure VLANs for the two interfaces connected to sslo2. Name these VLANs so that you can differentiate them from the first pair, for example ingress2 and egress2.

It should look something like this when done:


Note: In this example, interfaces 2.3 and 2.4 are physically connected to sslo2.

Click VLAN Groups then Create on the right.


Give it a name, vlg1 in this example. Move ingress1 and egress1 from Available to Members. Set the Transparency Mode to Transparent. Check the box to Bridge All Traffic then click Finished.


Note: This guide assumes you are setting up a redundant pair of SSL Orchestrators. Therefore, you should repeat these steps to configure a VLAN Group for the two interfaces connected to sslo2. Name this VLAN Group so that you can differentiate it from the first, for example vlg1 and vlg2. When done, both VLAN groups should be listed.


For full Layer 2 transparency, the following database variable must also be enabled from the CLI:

(tmos)# modify sys db connection.vgl2transparent value enable
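The same network configuration as a script, added here as an example and not taken from the article or its GitLab configuration files: it uses the page's VLAN, VLAN group and interface names for both the sslo1 and sslo2 pairs, and assumes it is run as root on the BIG-IP where tmsh is available (anywhere else it only prints the commands it would run).

```shell
#!/bin/sh
# Added example: tmsh equivalent of the GUI steps above, for both bridge pairs.
# Assumption: runs as root on the BIG-IP; elsewhere it only prints the commands.
set -eu

# tmsh commands for one L2 bridge pair: two untagged VLANs joined by a
# transparent VLAN group that bridges all traffic (the GUI's "Bridge All Traffic").
l2_pair_commands() {
  idx=$1; in_if=$2; out_if=$3
  cat <<EOF
create net vlan ingress${idx} interfaces add { ${in_if} { untagged } }
create net vlan egress${idx} interfaces add { ${out_if} { untagged } }
create net vlan-group vlg${idx} members add { ingress${idx} egress${idx} } mode transparent bridge-traffic enabled
EOF
}

# The whole procedure: pair 1 faces sslo1 (2.1/2.2), pair 2 faces sslo2 (2.3/2.4),
# then the db variable from the CLI step, then persist the running configuration.
all_commands() {
  l2_pair_commands 1 2.1 2.2
  l2_pair_commands 2 2.3 2.4
  echo "modify sys db connection.vgl2transparent value enable"
  echo "save sys config"
}

# Apply each command with tmsh when it is present; otherwise show what would run.
apply() {
  if command -v tmsh >/dev/null 2>&1; then
    all_commands | while IFS= read -r cmd; do tmsh -c "$cmd"; done
    # Quick check: both VLAN groups and the db variable should now be in place.
    tmsh list net vlan-group
    tmsh list sys db connection.vgl2transparent
  else
    echo "tmsh not found; commands that would be run:" >&2
    all_commands
  fi
}

apply
```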

Attach Virtual Servers to an Advanced WAF Policy

You can skip this step if you already have an Advanced WAF policy created and attached to one or more virtual servers. If not, we’ll cover it briefly. In this example we configured Comprehensive Protection, which includes Bot Mitigation, Layer 7 DoS and Application Security.


Give it a name, App_Protect1 in this example then click Save & Next.


Select the Enforcement Mode and Policy Type. Click Save & Next.


Configure the desired Bot Defense options. Click Save & Next on the lower right.


Configure the desired DoS Profile Properties. Click Save & Next.


Assign the policy to your application server(s) by moving them to Selected. Click Save & Next.


Click Finish/Deploy when done.

Summary

In this article you learned how to configure a BIG-IP in Layer 2 transparency mode using VLAN groups. We also covered how to create an Advanced WAF policy and attach it to your virtual servers.

Next Steps

Click Next to proceed to the next article in the series.

Last update: 07-Oct-2020 13:59