Help
Technical Articles
F5 SMEs share good practice.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

Protect your Mobile Applications with F5 Distributed Cloud Bot Defense

Ted_Byerly
Legacy Employee
Legacy Employee

on ‎22-Jul-2022 10:32 - edited on ‎15-Nov-2022 13:16 by Community Manager

Introduction

The newly released F5 Distributed Cloud (F5XC) Bot Defense iApp v.3.0.3 Connector for BIG-IP supports the following enhancements:

  • Enables Mobile SDK support: Customers can now configure endpoints for web, mobile, or both.
  • Independent SNAT configuration: Customers can configure SNAT for access to F5 Security API separately from SNAT for their protected virtual servers. 
  • Syslog improvements: Log messages are now distinguished by syslog severity level and can be associated with a specific transaction. Detailed per-transaction log messages are available if desired.  
  • SIEM logging: Users can send log messages to an external logserver/SIEM by using BIG-IP’s High Speed Logging (HSL) feature. (This applies to data generated on the BIG-IP and not to data from F5 Cloud dashboards.)  
  • Many additional performance and functional improvements. 

In this article, I will show you how to protect an Application with the new iApp and how to enable Moblie SDK.

Getting Started

First login to F5 Distributed Cloud console.

msdk_login.png

 Click on the Bot Defense Tile

msdk_bot_tile.png

 

Make sure you are working in the correct Namespace.

Click Add Application

msdk_add_app.png

 

Give your protected application a Name, Labels and Description.  Select your Application Region and F5 BIG-IP iApp as the Connector Type.

Click Save and Exit

msdk_add_app_detail.png

 

Next, we will download the iApp template created for this application and save it in an accessible location to be installed on your BIG-IP.

msdk_iApp_download_xc.png

 Now we will import the template, create the Application Service on the BIG-IP and configure the iApp.

Log in to your BIG-IP.

Screen Shot 2022-07-14 at 2.57.52 PM.png

 

Navigate to iApps, Templates, Click Templates.

msdk__template_import.png

 

Next Click Import.

Navigate to the template file you downloaded from F5XC Console.

And click Upload

 msdk_template_imported.png

 

Next navigate to Application Services, and click Applications, click Create

msdk_App_Service2.png

 Give your application a Name and select the template you just uploaded.

msdk_App_Service.png

 

This will display the iApp page where we will configure all the options to protect your mobile applications. I have covered web applications in previous articles that I will link to at the end.

You can select Advanced at the top of the page to see the complete list of options. You must change Mobile SDK options tab shown at the bottom of the image to Yes, to see the correct Security Endpoints.

msdk_adv_msdk.png

First, again you will be prompted that you need a F5XC Security Mobile SDK Subscription.  You will supply what headers are expected from your mobile SDK and Enter the Mobile SDK Reload Header Name supplied by F5. This is used for signaling between the Mobile SDK and the F5XC Security service.

msdk_headers.png

Moving to the next section you will cover how the BIG-IP will handle the JS Injections, the URL and/or path and where on the page to inject.

msdk_JS_Injection.png

The next section has the newly added features for the iApp version 3.0.3.  You'll notice at the bottom, you configure what URLs to be routed to the F5XC console.  The options are Web, MSDK or Both. I give more details below the image of how to set this up and what to consider when designing your protected endpoints.

msdk_endpoints_both.png

When Mobile-SDK support is enabled, there are three types of protected endpoints:

  • Web
  • MSDK
  • Both

Endpoints marked Both can be accessed by either web or MSDK clients. When a client request reaches a Both endpoint, the F5XC Bot Defense iApp assumes the request comes from a web client unless the request includes a Mobile Request ID value shown in the red box above.

There are two types of Mobile Request ID’s:

  • ​​​​​​​Special request headers
  • Special string values embedded in a request body (typically a POST request)

To recognize Mobile SDK requests by headers, enter regular expressions to recognize the names and acceptable values of those headers. To recognize Mobile SDK requests by one or more keywords embedded in request-bodies, enter a suitable regular expression, using alternation to recognize different keywords if necessary. Beware of partial matches; use regex operators like ^ and $ and [^\w] as needed.

The Actions available for protected endpoints also differ between Web type and MSDK type endpoints. Requests from MSDK clients may be Continued or Blocked but cannot be Redirected or Dropped. Whenever the Action configured for an MSDK request is Redirect or Drop, it is silently converted to Block whenever it is applied to a request from an MSDK client.

The host and path are determined by your application.

Finally, I want to point out a few features under Advanced Features that were highlighted in the opening of this article.

Previous versions of the Bot Defense iApp “borrowed” the SNAT configuration they needed to connect to the F5XC Security Service API server(s) from the virtual-server to which Bot Defense protection was attached. That approach was not optimal, so starting with iApp v3.0.3, a distinct SNAT configuration must be selected. The default option is SNAT Automap:

If configured to do so, iApp v3.0.3 will log an informative message about each transaction (a transaction is a distinct client HTTP request). Transaction logging does not directly incur a performance penalty but sending transaction logs to the local control-plane syslogd will incur a large performance penalty. If you want to log transactions, you should enable HSL (High-Speed Logging) to an external log server:

Many log servers prefer messages in structured (JSON) format, which you may choose in the iApp.

To include some HTTP request headers in transaction log messages (for example, headers which identify site users) specify a regex to match those headers’ names.

msdk_bottom_config.png

 

Make sure you click Finished and you will have deployed your protected application.

Closing:

I wanted to highlight the changes F5 has made and show how easily you can deploy the iApp and take advantage of all the new features.

That is all that you need to configure, to take advantage of F5’s Distributed Cloud Security Service.

Note:

If you are upgrading from an earlier version of the iApp (for example, iApp v.3.0.2 or v.3.0.1), you need take these steps to avoid possible errors:

Prior to installing the v3.0.3 template:

  • Reconfigure the current Application Service (iApp instance).
  • Set Clean Before Deletion to Yes.
  • Select Finished.

Install the v3.0.3 template. Be sure to select the Overwrite existing template checkbox before uploading the new template.

Reconfigure the current Application Service:

  • Set Clean Before Deletion to No.
  • Check and update configuration as needed.
  • Select Finished.

Related Articles:

Get Started:

 

Labels:
Version history
Last update:
‎15-Nov-2022 13:16
Updated by:
Community Manager
Contributors
Copyright © 2023 Khoros, LLC