Centralized Policy Builder
Topic

Deploying a web application firewall policy with central learning from BIG-IQ
Scope

This article is useful for BIG-IP/BIG-IQ users familiar with web application security. This includes application security professionals and infrastructure management operators.

Introduction

Centralized Policy Building (CPB) is a feature specific to BIG-IQ. It allows security administrators to create, deploy and manage web application firewall (WAF) policies on BIG-IP devices. The policy building can occur manually or automatically. This feature is comparable to the on-box policy building feature available on BIG-IP and is better suited for distributed environments.

This article focuses on the configuration of the central learning feature for web application security policies in BIG-IQ. It will take you through the different steps to create, deploy and manage the WAF policy, as well as the appropriate logging profile. The virtual server and other related elements such as profiles, pools etc. are configured using the Applications framework leveraging AS3.

The steps are documented for the operator to use the BIG-IQ web user interface (webUI) to manage the WAF policy. The creation of the virtual server object can be done directly from the BIG-IQ webUI or through a simple REST call (leveraging the Postman™ client https://www.postman.com/product/api-client/).

Pre-requisites

The following pre-requisites must be met in order to follow the procedures outlined below:

- BIG-IQ Central Management (CM) and BIG-IQ Data Collection Device (DCD) are deployed and provisioned with all appropriate licensing.
- BIG-IP is deployed, licensed and provisioned with both the ASM and AVR modules.
- A web application is available for securing via BIG-IP.
- All networking and network security must be in place to allow traffic between the different components. The BIG-IP, BIG-IQ CM, BIG-IQ DCD, application servers etc. all must be reachable as described here.
- The BIG-IP is running TMOS version 14.1 or greater.
- The BIG-IQ is running version 7.0 or greater.
- The discovery and import process for the target BIG-IP is completed as documented here.
- The administrator/operator performing the procedure below will have admin-level access to the BIG-IQ CM webUI.
- BIG-IQ AS3 Templates are loaded on the BIG-IQ CM as described here.

Overview

The procedure detailed below goes over the following main steps on BIG-IQ:

1. Verify proper BIG-IP/BIG-IQ configuration and reachability
2. Create a web application security policy (the sample policy used in this example is created with central policy building enabled for manual learning and manual deployment of policy changes to the BIG-IP)
3. Create a logging profile for application security
4. Deploy the policy and logging profile using the "inactive" virtual server and the profile pinning mechanism
5. Create the application definition using AS3, referencing the policy and logging profile in the declaration
6. Send test traffic to the virtual server
7. Review logs and learning suggestions on BIG-IQ

Procedure

For the following steps it is assumed that the operator is logged in to the BIG-IQ CM webUI and has the necessary administrative rights to create, update and delete web application security configuration as well as create applications. BIG-IQ accommodates fine-grained role-based access control (RBAC) to assign different roles to different users, e.g. security administrator role for policy management, and application administrator for other aspects of the configuration. This is beyond the scope of this article; more information is available here.
BIG-IQ/BIG-IP configuration

1. From the Devices tab, click on BIG-IP DEVICES, select the target BIG-IP (in this case bigip1) and verify that the following SERVICES are discovered and imported:
   - Local Traffic (LTM)
   - Shared Security (SSM)
   - Web Application Security (ASM)
2. Ensure that the Web Application Security service is enabled on the BIG-IQ DCD nodes (System >> BIG-IQ DATA COLLECTION >> BIG-IQ Data Collection Devices >> [name of DCD device] >> SERVICES).

WAF Policy Creation

1. From the Configuration tab, expand SECURITY and Web Application Security.
2. Click on Policies and the Create button.
3. Fill out the Name field and configure the policy features as desired (the picture below provides a sample for illustration purposes only and is not to be used in your environment).
4. Click on the Save button located at the bottom right of the screen.
5. In the policy configuration window, expand POLICY BUILDING, and select Settings.
6. From the Policy Building Mode drop-down, select Central.
7. Select the Policy Building Device (the BIG-IQ DCD configured previously with the BIG-IQ CM).
8. Finish configuring other dimensions in the policy as needed and click on the Save & Close button located at the bottom right of the window.

Logging Profile Creation

1. In the Configuration tab, expand the SECURITY and Shared Security sections and click on Logging Profiles.
2. Click on the Create button.
3. Enter a Name in the appropriate field and click on Save at the bottom right of the screen.
4. Click on APPLICATION SECURITY.
5. Disable Local Storage for the profile.
6. Check Remote Storage and enter the IP address of the BIG-IQ DCD in the Protocol portion of the configuration screen.
7. Click on the Add button in the Server Addresses dialog, and then select Save & Close on the bottom right of the screen.

WAF Policy and Logging Profile Deployment

1. Deploy the policy to the BIG-IP using the inactive virtual server
   - Add the policy to the virtual server on the appropriate BIG-IP.
   - Click on Save & Close.
   - From the Configuration >> Security >> Web Application Security >> Virtual Servers window, select the 'inactive' virtual server for the target BIG-IP and click on Deploy.
   - Follow the deployment screen instructions:
     - Name the deployment (e.g. deploy_demo_policy)
     - Select deployment method (e.g. deploy immediately)
     - Select a target device (e.g. the BIG-IP where the policy is deployed)
     - Click on Deploy
2. Pin the logging profile to the BIG-IP (you can also choose to create the logging profile
   - Navigate to Configuration >> SECURITY >> Shared Security >> Pinning Policies.
   - Click on the target BIG-IP(s) and add the logging profile by selecting Logging Profiles from the drop-down.
   - Select the logging profile from the list and click on "Add Selected".
   - Click on Save & Close.
   - Navigate to Configuration >> Shared Security >> Logging Profiles.
   - Select the logging profile that was just pinned and click on Deploy.
   - Complete the deployment process as discussed above.

You are now ready to deploy the application using AS3.

Application Creation (AS3)

1. Go to the Applications tab.
2. Click on Create.
3. Select the appropriate AS3 Template (in this example, a template labelled AS3-F5-HTTPS-WAF-existing-template-big-iq-defult-v1; more information on using AS3 with BIG-IQ can be found here).
4. Fill out the required fields including:
   - Application Name (e.g. demo_app)
   - Application Service Name (e.g. demo_app_service)
   - Target (BIG-IP device)
   - Tenant
   - Pool Members (IP & Port)
   - policyWAF (e.g. /Common/demo_policy)
   - Virtual Addresses (VS address)
   - Security Log Profiles (e.g. /Common/demo_log_profile)
   - All the required Analytics Profile entities
5. Click on Create.
6. Ensure that the Application Service was created.

You are now able to send test traffic to the application. Feel free to use the f5-waf-tester tool available here.

Log and Suggestions Review

Now that traffic is going to the application, let's take a look at what BIG-IQ provides in terms of visibility.

1. Go to Monitoring, expand DASHBOARDS, and select L7 Security.
2. Select the protected virtual server and select Event Logs in the View in … drop-down. You should be able to view the application security logs.
3. To look at the suggestions resulting from the traffic being sent to the BIG-IP, go to Configuration >> SECURITY >> Web Application Security >> Policies.
4. Click on the target policy and select POLICY BUILDING >> Suggestions.
5. Select the suggestions you wish to accept, ignore, or delete, and click on the appropriate action button (e.g. Accept).
6. Confirm your choice on the pop-up window as needed.
7. Once all the suggestions have been accepted, deploy the policy to the relevant BIG-IP(s) as needed: go to Deployment >> EVALUATE & DEPLOY >> Web Application Security and click on Create.
8. Follow the instructions to complete the deployment process.

Conclusion

BIG-IQ provides the ideal platform to enable security operations independently from the devops group. The multiple personas can run their tasks independently and effectively, gaining granular visibility into application performance, security, and overall status.

Please note that the above steps are also used in an F5 CloudDocs Lab available by following this link.
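For the Application Creation (AS3) step, a check run before deployment that every service in a declaration references the WAF policy and logging profile deployed earlier. This is an added example, not code from the article or from F5; the sample declaration is constructed (tenant name, addresses and schemaVersion are assumptions), and `services` and `check_waf_refs` are hypothetical helper names.

```python
import json

# Constructed sample, not a deployable declaration: object names follow the
# article's examples; tenant name, addresses and schemaVersion are assumptions.
SAMPLE = json.loads("""
{
  "class": "AS3", "action": "deploy",
  "declaration": {
    "class": "ADC", "schemaVersion": "3.7.0",
    "target": {"address": "192.0.2.10"},
    "demo_tenant": {
      "class": "Tenant",
      "demo_app_service": {
        "class": "Application", "template": "https",
        "serviceMain": {
          "class": "Service_HTTPS",
          "virtualAddresses": ["198.51.100.20"],
          "policyWAF": {"bigip": "/Common/demo_policy"},
          "securityLogProfiles": [{"bigip": "/Common/demo_log_profile"}]
        }
      }
    }
  }
}
""")

def services(node, path=""):
    """Yield (path, object) for every Service_* object nested under dict keys."""
    if isinstance(node, dict):
        if str(node.get("class", "")).startswith("Service_"):
            yield path, node
        for key, value in node.items():
            yield from services(value, f"{path}/{key}")

def check_waf_refs(decl, policy, log_profile):
    """Return findings for services missing the expected WAF policy or log profile."""
    findings = []
    for path, svc in services(decl):
        if (svc.get("policyWAF") or {}).get("bigip") != policy:
            findings.append(f"{path}: policyWAF is not {policy}")
        logs = [p.get("bigip") for p in svc.get("securityLogProfiles", [])]
        if log_profile not in logs:
            findings.append(f"{path}: {log_profile} not in securityLogProfiles")
    return findings

if __name__ == "__main__":
    for line in check_waf_refs(SAMPLE, "/Common/demo_policy",
                               "/Common/demo_log_profile") or ["ok"]:
        print(line)
```

An empty result means every virtual server in the declaration will send its security events to the BIG-IQ DCD, which central policy building needs in order to generate suggestions.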