F5 Distributed Cloud WAAP

77 Topics

Out of the Shadows: API Discovery and Security
With F5 Distributed Cloud Web App and API protection security teams can discover, inventory, and secure their critical APIs. Helping bring those rogue Shadow APIs into the light.
Cameron_Delano
Nov 07, 2022 Place Technical Articles
8.6KViews
16likes
2Comments
Use F5 Distributed Cloud to service chain WAAP and CDN
The Content Delivery Network (CDN) market has become increasingly commoditized. Many providers have augmented their CDN capabilities with WAFs/WAAPs, DNS, load balancing, edge compute, and networking. Managing all these solutions together creates a web of operational complexity, which can be confusing. F5’s synergistic bundling of CDN with Web Application and API Protection (WAAP) benefits those looking for simplicity and ease of use. It provides a way around the complications and silos that many resource-strapped organizations face with their IT systems. This bundling also signifies how CDN has become a commodity product often not purchased independently anymore. This trend is encouraging many competitors to evolve their capabilities to include edge computing – a space where F5 has gained considerable experience in recent years. F5 is rapidly catching up to other providers’ CDNs. F5’s experience and leadership building the world’s best-of-breed Application Delivery Controller (ADC), the BIG-IP load balancer, put it in a unique position to offer the best application delivery and security services directly at the edge with many of its CDN points of presence. With robust regional edge capabilities and a global network, F5 has entered the CDN space with a complementary offering to an already compelling suite of features. This includes the ability to run microservices and Kubernetes workloads anywhere, with a complete range of services to support app infrastructure deployment, scale, and lifecycle management all within a single management console. With advancements made in the application security space at F5, WAAP capabilities are directly integrated into the Distributed Cloud Platform to protect both web apps and APIs. Features include (yet not limited to): Web Application Firewall: Signature + Behavioral WAF functionality Bot Defense: Detect client signals, determining if clients are human or automated DDoS Mitigation: Fully managed by F5 API Security: Continuous inspection and detection of shadow APIs Solution Combining the Distributed Cloud WAAP with CDN as a form of service chaining is a straightforward process. This not only gives you the best security protection for web apps and APIs, but also positions apps regionally to deliver them with low latency and minimal compute per request. In the following solution, we’ve combined Distributed Cloud WAAP and CDN to globally deliver an app protected by a WAF policy from the closest regional point of presence to the user. Follow along as I demonstrate how to configure the basic elements. Configuration Log in to the Distributed Cloud Console and navigate to the DNS Management service. Decide if you want Distributed Cloud to manage the DNS zone as a Primary DNS server or if you’d rather delegate the fully qualified domain name (FQDN) for your app to Distributed Cloud with a CNAME. While using Delegation or Managed DNS is optional, doing so makes it possible for Distributed Cloud to automatically create and manage the SSL certificates needed to securely publish your app. Next, in Distributed Cloud Console, navigate to the Web App and API Protection service, then go to App Firewall, then Add App Firewall. This is where you’ll create the security policy that we’ll later connect our HTTP LB. Let’s use the following basic WAF policy in YAML format, you can paste it directly in to the Console by changing the configuration view to JSON and then changing the format to YAML. Note: This uses the namespace “waap-cdn”, change this to match your individual tenant’s configuration. metadata: name: buytime-waf namespace: waap-cdn labels: {} annotations: {} disable: false spec: blocking: {} detection_settings: signature_selection_setting: default_attack_type_settings: {} high_medium_low_accuracy_signatures: {} enable_suppression: {} enable_threat_campaigns: {} default_violation_settings: {} bot_protection_setting: malicious_bot_action: BLOCK suspicious_bot_action: REPORT good_bot_action: REPORT allow_all_response_codes: {} default_anonymization: {} use_default_blocking_page: {} With the WAF policy saved, it’s time to configure the origin server. Navigate to Load Balancers > Origin Pools, then Add Origin Pool. The following YAML uses a FQDN DNS name reach the app server. Using an IP address for the server is possible as well. metadata: name: buytime-pool namespace: waap-cdn labels: {} annotations: {} disable: false spec: origin_servers: - public_name: dns_name: webserver.f5-cloud-demo.com labels: {} no_tls: {} port: 80 same_as_endpoint_port: {} healthcheck: [] loadbalancer_algorithm: LB_OVERRIDE endpoint_selection: LOCAL_PREFERRED With the supporting WAF and Origin Pool resources configured, it’s time to create the HTTP Load Balancer. Navigate to Load Balancers > HTTP Load Balancers, then create a new one. Use the following YAML to create the LB and use both resources created above. metadata: name: buytime-online namespace: waap-cdn labels: {} annotations: {} disable: false spec: domains: - buytime.waap.f5-cloud-demo.com https_auto_cert: http_redirect: true add_hsts: true port: 443 tls_config: default_security: {} no_mtls: {} default_header: {} enable_path_normalize: {} non_default_loadbalancer: {} header_transformation_type: default_header_transformation: {} advertise_on_public_default_vip: {} default_route_pools: - pool: tenant: your-tenant-uid namespace: waap-cdn name: buytime-pool kind: origin_pool weight: 1 priority: 1 endpoint_subsets: {} routes: [] app_firewall: tenant: your-tenant-uid namespace: waap-cdn name: buytime-waf kind: app_firewall add_location: true no_challenge: {} user_id_client_ip: {} disable_rate_limit: {} waf_exclusion_rules: [] data_guard_rules: [] blocked_clients: [] trusted_clients: [] ddos_mitigation_rules: [] service_policies_from_namespace: {} round_robin: {} disable_trust_client_ip_headers: {} disable_ddos_detection: {} disable_malicious_user_detection: {} disable_api_discovery: {} disable_bot_defense: {} disable_api_definition: {} disable_ip_reputation: {} disable_client_side_defense: {} resource_version: "517528014" With the HTTP LB successfully deployed, check that its status is ready on the status page. You can verify the LB is working by sending a basic request using the command line tool, curl. Confirm that the value of the HTTP header “Server” is “volt-adc”. da.potter@lab ~ % curl -I https://buytime.waap.f5-cloud-demo.com HTTP/2 200 date: Mon, 17 Oct 2022 23:23:55 GMT content-type: text/html; charset=UTF-8 content-length: 2200 vary: Origin access-control-allow-credentials: true accept-ranges: bytes cache-control: public, max-age=0 last-modified: Wed, 24 Feb 2021 11:06:36 GMT etag: W/"898-177d3b82260" x-envoy-upstream-service-time: 136 strict-transport-security: max-age=31536000 set-cookie: 1f945=1666049035840-557942247; Path=/; Domain=f5-cloud-demo.com; Expires=Sun, 17 Oct 2032 23:23:55 GMT set-cookie: 1f9403=viJrSNaAp766P6p6EKZK7nyhofjXCVawnskkzsrMBUZIoNQOEUqXFkyymBAGlYPNQXOUBOOYKFfs0ne+fKAT/ozN5PM4S5hmAIiHQ7JAh48P4AP47wwPqdvC22MSsSejQ0upD9oEhkQEeTG1Iro1N9sLh+w+CtFS7WiXmmJFV9FAl3E2; path=/ x-volterra-location: wes-sea server: volt-adc Now it’s time to configure the CDN Distribution and service chain it to the WAAP HTTP LB. Navigate to Content Delivery Network > Distributions, then Add Distribution. The following YAML creates a basic CDN configuration that uses the WAAP HTTP LB above. metadata: name: buytime-cdn namespace: waap-cdn labels: {} annotations: {} disable: false spec: domains: - buytime.f5-cloud-demo.com https_auto_cert: http_redirect: true add_hsts: true tls_config: tls_12_plus: {} add_location: false more_option: cache_ttl_options: cache_ttl_override: 1m origin_pool: public_name: dns_name: buytime.waap.f5-cloud-demo.com use_tls: use_host_header_as_sni: {} tls_config: default_security: {} volterra_trusted_ca: {} no_mtls: {} origin_servers: - public_name: dns_name: buytime.waap.f5-cloud-demo.com follow_origin_redirect: false resource_version: "518473853" After saving the configuration, verify that the status is “Active”. You can confirm the CDN deployment status for each individual region by going to the distribution’s action button “Show Global Status”, and scrolling down to each region to see that each region’s “site_status.status” value is “DEPLOYMENT_STATUS_DEPLOYED”. Verification With the CDN Distribution successfully deployed, it’s possible to confirm with the following basic request using curl. Take note of the two HTTP headers “Server” and “x-cache-status”. The Server value will now be “volt-cdn”, and the x-cache-status will be “MISS” for the first request. da.potter@lab ~ % curl -I https://buytime.f5-cloud-demo.com HTTP/2 200 date: Mon, 17 Oct 2022 23:24:04 GMT content-type: text/html; charset=UTF-8 content-length: 2200 vary: Origin access-control-allow-credentials: true accept-ranges: bytes cache-control: public, max-age=0 last-modified: Wed, 24 Feb 2021 11:06:36 GMT etag: W/"898-177d3b82260" x-envoy-upstream-service-time: 63 strict-transport-security: max-age=31536000 set-cookie: 1f945=1666049044863-471593352; Path=/; Domain=f5-cloud-demo.com; Expires=Sun, 17 Oct 2032 23:24:04 GMT set-cookie: 1f9403=aCNN1JINHqvWPwkVT5OH3c+OIl6+Ve9Xkjx/zfWxz5AaG24IkeYqZ+y6tQqE9CiFkNk+cnU7NP0EYtgGnxV0dLzuo3yHRi3dzVLT7PEUHpYA2YSXbHY6yTijHbj/rSafchaEEnzegqngS4dBwfe56pBZt52MMWsUU9x3P4yMzeeonxcr; path=/ x-volterra-location: dal3-dal server: volt-cdn x-cache-status: MISS strict-transport-security: max-age=31536000 To see a security violation detected by the WAF in real-time, you can simulate a simple XSS exploit with the following curl: da.potter@lab ~ % curl -Gv "https://buytime.f5-cloud-demo.com?<script>('alert:XSS')</script>" * Trying x.x.x.x:443... * Connected to buytime.f5-cloud-demo.com (x.x.x.x) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * successfully set certificate verify locations: * CAfile: /etc/ssl/cert.pem * CApath: none * (304) (OUT), TLS handshake, Client hello (1): * (304) (IN), TLS handshake, Server hello (2): * TLSv1.2 (IN), TLS handshake, Certificate (11): * TLSv1.2 (IN), TLS handshake, Server key exchange (12): * TLSv1.2 (IN), TLS handshake, Server finished (14): * TLSv1.2 (OUT), TLS handshake, Client key exchange (16): * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1): * TLSv1.2 (OUT), TLS handshake, Finished (20): * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1): * TLSv1.2 (IN), TLS handshake, Finished (20): * SSL connection using TLSv1.2 / ECDHE-ECDSA-AES256-GCM-SHA384 * ALPN, server accepted to use h2 * Server certificate: * subject: CN=buytime.f5-cloud-demo.com * start date: Oct 14 23:51:02 2022 GMT * expire date: Jan 12 23:51:01 2023 GMT * subjectAltName: host "buytime.f5-cloud-demo.com" matched cert's "buytime.f5-cloud-demo.com" * issuer: C=US; O=Let's Encrypt; CN=R3 * SSL certificate verify ok. * Using HTTP2, server supports multiplexing * Connection state changed (HTTP/2 confirmed) * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0 * Using Stream ID: 1 (easy handle 0x14f010000) > GET /?<script>('alert:XSS')</script> HTTP/2 > Host: buytime.f5-cloud-demo.com > user-agent: curl/7.79.1 > accept: */* > * Connection state changed (MAX_CONCURRENT_STREAMS == 128)! < HTTP/2 200 < date: Sat, 22 Oct 2022 01:04:39 GMT < content-type: text/html; charset=UTF-8 < content-length: 269 < cache-control: no-cache < pragma: no-cache < set-cookie: 1f945=1666400679155-452898837; Path=/; Domain=f5-cloud-demo.com; Expires=Fri, 22 Oct 2032 01:04:39 GMT < set-cookie: 1f9403=/1b+W13c7xNShbbe6zE3KKUDNPCGbxRMVhI64uZny+HFXxpkJMsCKmDWaihBD4KWm82reTlVsS8MumTYQW6ktFQqXeFvrMDFMSKdNSAbVT+IqQfSuVfVRfrtgRkvgzbDEX9TUIhp3xJV3R1jdbUuAAaj9Dhgdsven8FlCaADENYuIlBE; path=/ < x-volterra-location: dal3-dal < server: volt-cdn < x-cache-status: MISS < strict-transport-security: max-age=31536000 < <html><head><title>Request Rejected</title></head> <body>The requested URL was rejected. Please consult with your administrator.<br/><br/> Your support ID is 85281693-eb72-4891-9099-928ffe00869c<br/><br/><a href='javascript&colon;history.back();'>[Go Back]</a></body></html> * Connection #0 to host buytime.f5-cloud-demo.com left intact Notice that the above request intentionally by-passes the CDN cache and is sent to the HTTP LB for the WAF policy to inspect. With this request rejected, you can confirm the attack by navigating to the WAAP HTTP LB Security page under the WAAP Security section within Apps & APIs. After refreshing the page, you’ll see the security violation under the “Top Attacked” panel. Demo To see all of this in action, watch my video below. This uses all of the configuration details above to make a WAAP + CDN service chain in Distributed Cloud. Additional Guides Virtually deploy this solution in our product simulator, or hands-on with step-by-step comprehensive demo guide. The demo guide includes all the steps, including those that are needed prior to deployment, so that once deployed, the solution works end-to-end without any tweaks to local DNS. The demo guide steps can also be automated with Ansible, in case you'd either like to replicate it or simply want to jump to the end and work your way back. Conclusion This shows just how simple it can be to use the Distributed Cloud CDN to frontend your web app protected by a WAF, all natively within the F5 Distributed Cloud’s regional edge POPs. The advantage of this solution should now be clear – the Distributed Cloud CDN is cloud-agnostic, flexible, agile, and you can enforce security policies anywhere, regardless of whether your web app lives on-prem, in and across clouds, or even at the edge. For more information about Distributed Cloud WAAP and Distributed Cloud CDN, visit the following resources: Product website: https://www.f5.com/cloud/products/cdn Distributed Cloud CDN & WAAP Demo Guide: https://github.com/f5devcentral/xcwaapcdnguide Video: https://youtu.be/OUD8R6j5Q8o Simulator: https://simulator.f5.com/s/waap-cdn Demo Guide: https://github.com/f5devcentral/xcwaapcdnguide
Dave_Potter
Nov 01, 2022 Place Technical Articles
7.6KViews
10likes
0Comments
Deploy WAF on any Edge with F5 Distributed Cloud (SaaS Console, Automation)
F5 XC WAAP/WAF presents a clear advantage over classical WAAP/WAFs in that it can be deployed on a variety of environments without loss of functionality. In this first article of a series, we present an overview of the main deployment options for XC WAAP while follow-on articles will dive deeper into the details of the deployment procedures.
Valentin_Tobi
May 30, 2023 Place Technical Articles
6.3KViews
9likes
0Comments
Protect an application spread across several locations with F5 XC WAAP and Multi-Cloud Networking
Understand in less than 5 minutes how F5XC WAAP can protect an application deployed in several locations and environments.
Matt_Dierick
Sep 21, 2022 Place Technical Articles
2.5KViews
9likes
0Comments
Overview of Trusted Client IP Headers in F5 Distributed Cloud Platform
Introduction: With day-to-day enhancements in security architecture, a request initiated at the source point traverses through multiple hops before it reaches the destination point. By design, if a request passes through any CDN/ Proxy that is present between the real client and the load balancer, we will no longer see the client’s IP address as the source address in the Load Balancer but the CDN/Proxy IP instead. Identification of real Client IP address is sometimes necessary for monitoring, logging, defining allow/deny policies and other purposes. “Trusted Client IP Header” feature of F5 Distributed Cloud platform solves the above concern and provides the ability to identify the real client IP address that initiated the connection. Security events and request logs will show this real client IP address as the source IP, when this feature is enabled. Trusted Client IP Header feature in F5 Distributed Cloud platform allows the admin to configure Client IP Headers. The admin can define a list of one or more Client IP Headers as Trusted headers. Below are some key points to be considered while configuring headers list: When multiple headers are configured, F5 Distributed Cloud platform follows top to bottom precedence, which means initially first header is considered and system checks for its availability in the request. If not present in the request, the system will proceed to check for the second header, and so on, until one of the listed headers is found. When none of the defined headers exists, or the value of the configured header is not an IP address, then the system will use the source IP of the packet. When multiple IP addresses are available in header value, the system will read the rightmost IP address and considers it as real Client IP address. But when using X-Forwarded-For Header and if multiple IPs are available in value, the system reads the rightmost-1 IP address and considers it as real client IP address. Below video provies brief introduction to Trusted Client IP Headers feature: Demonstration: In this demonstration, we will see how to identify the real client IP address using “Trusted Client IP headers” option in F5 Distributed Cloud platform. We are using F5 Distributed Cloud Content Distribution Network (check references for more details) Load-balancer configured with “Trusted Client IP Header” option enabled Airlines test application as a backend origin server. As shown in the below demo architecture, the request initiated at the client initially reaches to the available F5 CDN server and then the request from CDN hits the load balancer. Load balancer validates the request for configured headers availability, identifies the true client IP address and displays it rather than the CDN IP. The request from load balancer finally hits the backend application. Step 1: Creation of Origin Pool From your desired namespace, navigate to Manage -> Load Balancers -> Origin pools Click on "Add Origin Pool" Provide a name for Origin pool Configure Origin server details with valid Port details. Proceed with “Save and Exit” Step 2: Creation of Load Balancer with Trusted Client IP Header enabled From your desired namespace, Navigate to Manage -> Load Balancers -> HTTP Load Balancers Click on "Add HTTP load balancer" Provide a name for the Load Balancer Provide valid domain name and choose appropriate load balancer type under Basic Configuration Associate the above created Origin Pool in the load balancer In Other Settings, Enable Trusted Client IP Headers Provide a list of one or more Client Headers. Admin can configure any header which is used to find client IP address. Click on “Save and Exit” to save the Load Balancer configuration. Step 3: Create any Content Delivery Network or Proxy Here we are using F5 XC CDN between the client and the load balancer. CDN is a server that is used to serve web content quickly. CDN servers are distributed globally, and the main aim is to reduce latency and delay in end-to-end communication and thereby increases the efficiency. Check references for more exploration links. Navigate to Home -> Content Delivery Network -> Manage -> Distributions Click on “Add Distribution” Provide a name for the CDN Provide a valid domain name Choose appropriate CDN type Create a CDN Origin Pool by clicking on “Configure” Provide your HTTP Load Balancer domain name which is created above in the DNS name Add above created HTTP Load balancer domain name in the list of Origin Servers of CDN Origin pool Click on “Apply” twice CDN Origin pool gets created and associated with the CDN Click on “Save and Exit” Note: F5 CDN has provided a dedicated header called “X-F5-True-Client-Ip” to extract the real client address. Customers who are using F5 CDN can use this header to identify the client IP address. Similarly, customer can configure any headers or custom headers to identify the client IP. Step 4: Access the backend Origin Server Open a browser Access the backend server using the configured domain Observe that request hits the backend server and response page is visible Step 5: Validate logs and source IP To check the source IP, in F5 Distributed Cloud Console, Navigate to Home -> Load Balancer -> Virtual Hosts -> HTTP Load Balancers Choose the appropriate load balancer and open Security Monitoring -> Requests Observe the Client IP and validate it with the client public IP address. Client IP address should be displayed in the logs rather than the CDN/Proxy IP as the feature is enabled. This source IP can further be used in WAF Exclusions rules, to block or allow clients. Conclusion: As you can see from the above demonstration, with Trusted Client IP Headers option enabled in F5 Distributed Cloud platform, the request logs and security events are getting logged with the real client IP address as the source IP rather than the CDN IP. Reference Links: F5 Distributed Cloud Services F5 Distributed Cloud WAF F5 XC CDN Exploration Configure CDN Distribution
Salini_K
Feb 12, 2023 Place Technical Articles
2.9KViews
8likes
1Comment
Mitigating OWASP API Security Top 10 risks using F5 NGINX App Protect
This 2019 API Security article covers the summary of OWASP API Security Top 10 – 2019 categories and newly published 2023 API security article covered introductory part of newest edition of OWASP API Security Top 10 risks – 2023. We will deep-dive into some of those common risks and how we can protect our applications against these vulnerabilities using F5 NGINX App Protect. Excessive Data Exposure Problem Statement: As shown below in one of the demo application API’s, Personal Identifiable Information (PII) data, like Credit Card Numbers (CCN) and U.S. Social Security Numbers (SSN), are visible in responses that are highly sensitive. So, we must hide these details to prevent personal data exploits. Solution: To prevent this vulnerability, we will use the DataGuard feature in NGINX App Protect, which validates all response data for sensitive details and will either mask the data or block those requests, as per the configured settings. First, we will configure DataGuard to mask the PII data as shown below and will apply this configuration. Next, if we resend the same request, we can see that the CCN/SSN numbers are masked, thereby preventing data breaches. If needed, we can update configurations to block this vulnerability after which all incoming requests for this endpoint will be blocked. If you open the security log and filter with this support ID, we can see that the request is either blocked or PII data is masked, as per the DataGuard configuration applied in the above section. Injection Problem Statement: Customer login pages without secure coding practices may have flaws. Intruders could use those flaws to exploit credential validation using different types of injections, like SQLi, command injections, etc. In our demo application, we have found an exploit which allows us to bypass credential validation using SQL injection (by using username as “' OR true --” and any password), thereby getting administrative access, as below: Solution: NGINX App Protect has a database of signatures that match this type of SQLi attacks. By configuring the WAF policy in blocking mode, NGINX App Protect can identify and block this attack, as shown below. If you check in the security log with this support ID, we can see that request is blocked because of SQL injection risk, as below. Insufficient Logging & Monitoring Problem Statement: Appropriate logging and monitoring solutions play a pivotal role in identifying attacks and also in finding the root cause for any security issues. Without these solutions, applications are fully exposed to attackers and SecOps is completely blind to identifying details of users and resources being accessed. Solution: NGINX provides different options to track logging details of applications for end-to-end visibility of every request both from a security and performance perspective. Users can change configurations as per their requirements and can also configure different logging mechanisms with different levels. Check the links below for more details on logging: https://www.nginx.com/blog/logging-upstream-nginx-traffic-cdn77/ https://www.nginx.com/blog/modsecurity-logging-and-debugging/ https://www.nginx.com/blog/using-nginx-logging-for-application-performance-monitoring/ https://docs.nginx.com/nginx/admin-guide/monitoring/logging/ https://docs.nginx.com/nginx-app-protect-waf/logging-overview/logs-overview/ Unrestricted Access to Sensitive Business Flows Problem Statement: By using the power of automation tools, attackers can now break through tough levels of protection. The inefficiency of APIs to detect automated bot tools not only causes business loss, but it can also adversely impact the services for genuine users of an application. Solution: NGINX App Protect has the best-in-class bot detection technology and can detect and label automation tools in different categories, like trusted, untrusted, and unknown. Depending on the appropriate configurations applied in the policy, requests generated from these tools are either blocked or alerted. Below is an example that shows how requests generated from the Postman automation tool are getting blocked. By filtering the security log with this support-id, we can see that the request is blocked because of an untrusted bot. Lack of Resources & Rate Limiting Problem Statement: APIs do not have any restrictions on the size or number of resources that can be requested by the end user. Above mentioned scenarios sometimes lead to poor API server performance, Denial of Service (DoS), and brute force attacks. Solution: NGINX App Protect provides different ways to rate limit the requests as per user requirements. A simple rate limiting use case configuration is able to block requests after reaching the limit, which is demonstrated below. Server-Side Request Forgery Problem Statement: In an SSRF attack, vulnerable API endpoint within the application is targeted and attacker sends an unauthorized request allowing it to access internal resources. One of the common reasons for this is limited or lack of user input data validation. Example: In the demo application below, click on ‘Contact Mechanic’ and provide required details like Mechanic name, Problem Description and send Service Request. Below image shows that ‘contact_mechanic’ endpoint is internally making a call to ‘mechanic_api’ URL. Since ‘mechanic_api’ parameter accepts URL as data, this can be vulnerable to SSRF attacks. Exploiting the vulnerable endpoint by modifying ‘mechanic_api’ URL call to www.google.com in POST data call got accepted by returning 200 OK as response. This vulnerability can be misused to gain access to internal resources. Solution: To prevent this vulnerability, we will use the WAF API Security Policy in NGINX App Protect, which validates all the API request parameters and will block the suspicious requests consisting of irrelevant parameters, as shown below. Restricted/updated swagger file with .json extension is added as below: Policy used: App Protect API Security Retrying the vulnerability with ‘mechanic_api’ URL call to www.google.com in POST data now getting blocked. Validating the support ID in the security log below: Mass Assignment Problem Statement: API Mass Assignment vulnerability arises when clients can modify immutable internal object properties via crafted requests, bypassing API Endpoint restrictions. Attackers exploit this by sending malicious HTTP requests to escalate privileges, bypass security mechanisms, or manipulate the API Endpoint's functionality. Placing an order with quantity as 1: Bypassing API Endpoint restrictions and placing the order with quantity as -1 is also successful. Solution: To overcome this vulnerability, we will use the WAF API Security Policy in NGINX App Protect which validates all the API Security event triggered and based on the enforcement mode set in the validation rules, the request will either get reported or blocked, as shown below. Restricted/updated swagger file with .json extension is added as below: Policy used: App Protect API Security Re-attempting to place the order with quantity as -1 is getting blocked. Validating the support ID in Security log as below: Conclusion: In short, this article covered some common API vulnerabilities and shows how NGINX App Protect can be used as a mitigation solution to prevent these OWASP API security risks. Related resources for more information or to get started: F5 NGINX App Protect OWASP API Security Top 10 2019 OWASP API Security Top 10 2023
Janibasha
Nov 13, 2023 Place Technical Articles
2.6KViews
7likes
0Comments
Mitigating OWASP API Security Risk: Mass Assignment using F5 XC Platform
Overview: This article is a continuation of the series of articles on OWASP API Security vulnerabilities and demonstrates a scenario for mitigating API Mass Assignment using F5 Distributed Cloud Platform (XC). Introduction to OWASP API Mass Assignment: APIs are the foundation building blocks for today’s modern applications and because of such high acceptance there are software frameworks available to help the developers with the implementation, but these frameworks sometimes allow developers to automatically bind client’s request parameters into the code variables, opening gates for the attackers to exploit the Mass Assignment vulnerability. API Mass Assignment vulnerability occurs when manually crafted requests from clients to modify immutable internal object properties are not restricted by API Endpoints. Attackers can take advantage of this vulnerability by framing an HTTP request to escalate user privilege, bypass security mechanisms or use any other approach to make the API Endpoints work in a way it was not designed to work. Note: Mass Assignment and Excessive Data Exposure which were a separate risk category in OWASP API Sec 2019 are now merged into a new risk category named Broken Object Property Level Authorization The above image is the pictorial representation of possible exploitation of Mass Assignment vulnerability. You can see the attacker is successfully able to escalate his privilege from normal user to admin by manipulating the JSON content of the API request. In the first step, the attacker sends a valid API request to add the user and gets a response back with a parameter carrying information about the role. In the second step, the attacker adds the role parameter to the JSON object in the API request eventually resulting in successful exploitation of the vulnerability. Prevention Steps: Automatic binding of client’s input data into application's internal code variables should be avoided. Allow/Deny list should be clearly defined for the properties that should or shouldn't be accessible by the clients. Application schema should be well defined and enforced on all incoming client requests. Demonstration: For this demonstration we’ve already hosted crAPI (completely ridiculous API) application by referring to the QuickStart guide in the repository. Also, in the XC console we added the hosted application as an origin server and attached it with the newly created HTTP Load Balancer (LB). Note: crAPI is a vulnerable application designed for training purposes and can be a helpful tool to understand the OWASP top 10 most critical API security risks. For more details you can refer to OWASP crAPI repository Attack Scenario: In the use case below we have an API endpoint which is used to order products. This endpoint has a vulnerable field named “quantity” that can be exploited for mass assignment by providing a negative value resulting in a successful purchase order with an increase in available balance. As shown below at the start of the demo, the available balance for a user account is 200 $. Step1: First step is to gather the endpoint and request payload data by placing a valid purchase order from GUI. In the above screenshot, you can see we have successfully placed the order from the GUI which resulted in a decrease of available balance by 10$. This is a valid customer use case scenario. Step2: Next, we will try to place an order for a product with negative quantity using the gathered endpoint and check if mass assignment vulnerability is present or not. As you can see in the above screenshot the order with the negative quantity is placed successfully and the available balance is increased by 10$ which is not expected. Hence, we can conclude that mass assignment vulnerability exists in this demo application. Prevention through F5 XC: As mentioned in the prevention steps for the purpose of schema validation we will upload OpenAPI specification file to XC and set up the validation rules on incoming client requests If a mismatch occurs, an API Security event will be triggered and based on the enforcement mode set in the validation rules, the request will either get reported or blocked. Step1: As shown in the below image, update the crAPI’s OpenAPI specification file (a.k.a. swagger file) by adding a “minimum” keyword with value as “1” for the “quantity” parameter to restrict the request carrying a negative quantity to bypass Step2: Import crAPI’s swagger file to the LB and create API Definitions Login to F5 XC console Navigate to your LB and start editing the applied configuration Scroll down to API Protection and select “Enable” in API Definition field Click “Add Item”, Enter a name Click “Upload Swagger file”, Enter a name and upload the swagger file for your application, Apply the changes Now from your LB main config page, select “Custom List” for “Validation” field and click Configure. Start configuring Validation List, click “Add Item”, Enter a name, select “Validate” for “OpenAPI Validation Request Processing Mode” field, select “Block” for field “Request Validation Enforcement Type” and select all available properties in “Request Validation Properties” field, below of the config page select “Base Path - /” for “Type” field, Apply the changes. Refer to the document for more details. Step3: Try to repeat the attack scenario of ordering a product with negative quantity. As you can see in the above screenshot the attack was blocked successfully by the XC. Step4: Monitor the “Security Analytics” logs from F5 XC console Conclusion: API Mass assignment vulnerability can illegally be exploited by attackers to cause some serious damage but as demonstrated, F5 XC API security solutions can help to detect and mitigate such vulnerabilities with the help of Open-API schema validation feature. For more details, follow below links: OWASP API Security Project OWASP API6:2019 Mass Assignment F5 Distributed Cloud Services F5 Distributed Cloud WAAP Overview of OWASP API Security Top 10 2019 Introduction to OWASP API Security Top 10 2023
Shubham_Mishra
Feb 09, 2023 Place Technical Articles
4.7KViews
7likes
2Comments
Introduction to F5 Distributed Cloud Platform Per Route WAF Policy
Introduction: By default, F5 Distributed Cloud Platform supports WAF and routing at the domain level i.e the origin pool associated with the Load balancer. F5 Distributed Cloud WAF provides the feasibility to create multiple routes with specific paths and attach the WAF rules individually on each path. This article is specifically demonstrating the above use case. In general, when a load balancer of host type HTTP/HTTPS, the request can be further matched based on parameters like URLs, headers, query parameters, http methods, etc. Once the request is matched, it can be sent to a specific endpoint based on the routing configuration and policy rules. The route object is used to configure L7 routing decision and is made of 3 things. Matching condition for incoming request Actions to take if the matching condition is true Whether the custom java script is enabled for this route match. Parameters offered per route configuration: URL path Prefix Specific header or Regex Demonstration: In this demo we will see how to forward a HTTP request depending on the route configuration and their associated WAF rules from F5 Distributed Cloud Services to origin server endpoints. we are using F5 Distributed Cloud Platform as the Environment. Arcadia Application as an origin server. Refer Load-balancer configured with multiple routes which are associated with different WAF rules. We shall see the demonstration in the below video to know the flow of how to configure and validate F5 Distributed Cloud Per-Route WAF Policy. Procedure: Step 1: Origin Pool Creation From your desired namespace, navigate to Manage --> Load Balancers --> Origin pools Click on "Add Origin Pool" Give it a name Add the Origin server details along with Port info. Click on ‘Save and Exit’ Step 2: Load Balancer with Route config and WAF Rules From the WAAP --> Navigate to Manage --> Load Balancers --> HTTP Load Balancers Click on "Add HTTP load balancer" Give it a name Set the domain name under Basic Configuration Under Routes section, click on ‘Configure’, click on ‘Add Item’ Select the type of Route as "Simple Route". Select HTTP method as “Any”. Select "Regex" under the "Path match" drop-down menu. Enter the string “\/trading\/.*” (without the quotes) as the regular expression (or Regex). This matches the requests for https://perroutewaf.com/trading/ Associate the above created Origin Pool. Under Advanced Options --> navigate to Security --> Web Application Firewall --> App Firewall --> Add Item. Create a WAF App firewall rule with Enforcement mode as “Blocking”. After attaching the WAF rule to the route, click on “Apply”. Repeat the above steps to create another route with Regex “.*” and the WAF rule Enforcement Mode ‘Monitoring’. Click on “Save and Exit” to save the Load Balancer configuration. Step 3: Validating perRouteWAF functionality - Output of /trading/.* route path: Open a browser and navigate to the login page of the application load balancer. try to generate SQL Injection attack to login as higher privileged user like admin. - Output of /.* route path: Try to access the Load Balancer with another route “/index.html”. Generate the SQL Injection attack to home page to get the privileged info. Step4: Logs Verification Monitor the security event log from F5 Distributed Cloud console, Navigate to WAAP --> Apps & APIs --> Security, select your LB and click on ‘Security Event’ tab. Conclusion: As you can see from the demonstration, F5 Distributed Cloud WAF has allowed and blocked the requests based on the route configuration and their associated WAF policies applied on the Load balancer. For further information click the links below: F5 Distributed Cloud Services F5 Distributed Cloud WAF
Shajiya_Shaik
Dec 27, 2022 Place Technical Articles
2.2KViews
7likes
2Comments
Getting started with the F5 Distributed Cloud Web App and API Protection Demo Guide
Overview Sometimes all it takes to get started learning something new is just a little guidance, for those times when we just don't know where to begin. Providing that direction is the purpose of the F5 Distributed Cloud Web App and API Protection (XC WAAP) demo guide. The guide and accompanying demo videos will run you through sample app deployment, as well as App, API, Bot, and DDoS Protection use cases. We provide the app, the testing tool, and the guidance, everything you need to get started and kick the tires. All you need to bring is an F5 Distributed Cloud Account (trial is sufficient for this demo guide) and a bit of time. The guide uses a representative customer app scenario: a Star Ratings application which collects user ratings and reviews/comments on various items. The app runs on Kubernetes, and can be deployed on any cloud, but for the purposes of the demo guide we will deploy it on F5 XC virtual Kubernetes (vK8s) and protect it with F5 XC WAAP. The Scenario The Guide https://github.com/f5devcentral/xcwaapdemoguide Video Series Part 1: Infrastructure Setup Video Series Part 2: WAF Configuration Video Series Part 3: API Protection Video Series Part 4: Bot & DDoS Detection and Protection "Nature is a mutable cloud, which is always and never the same." - Ralph Waldo Emerson We might not wax that philosophically around here, but our heads are in the cloud nonetheless! Join the F5 Distributed Cloud user group today and learn more with your peers and other F5 experts.
Cameron_Delano
Sep 28, 2022 Place Technical Articles
4.9KViews
7likes
0Comments
F5 Distributed Cloud Content Delivery Network: an overview and what's new
From a technical feature perspective, there's nothing new in the world of Content Delivery. You read that right. What's new about it, however, is F5's Distributed Cloud blend of Content Delivery: It marries network connectivity, ingress networking, web security, and, of course, caching, and delivers it in a way that no other CDN provider has before. "Nature is a mutable cloud, which is always and never the same." - Ralph Waldo Emerson We might not wax that philosophically around here, but our heads are in the cloud nonetheless! Join the F5 Distributed Cloud user group today and learn more with your peers and other F5 experts. Most apps nowadays aggregate content from many sources, and many don't use the same internal networks or even one specific cloud provider. Modern apps now pull content from everywhere, and depending on how frequently the content is accessed, it doesn't make sense to pay a premium to have all of it always available within milliseconds. This is where F5 Distributed Cloud CDN breathes new life and adds color to readily accessible on-demand content. If you're like me, you're probably wondering what's different in Content Delivery Networks today? Higher expectations and more specialization among providers. At F5, we see these trends grow by the day: Stronger user-driven demand for personalized content, live streaming, on-demand video, and other dynamic elements Increased expectations for strong application performance, availability, uptime, and a robust security posture to support a user-focused experience A growing need to deliver application logic closer to consumers using standard software development pipeline and lifecycle management More specialization – most CDN providers are now focusing primarily on: o Security, the fast-growing market segment o Online gaming o OTT (over-the-top) video o Web, email, and data o File sharing The first step for any CDN is to deliver content from the location closest to the point of origin. To do that, F5 uses its high-capacity global network to resolve DNS as close to that point as possible, and to direct clients to the closest regional point of presence. From there, F5 provides global DDoS protection at OSI model Layers 3 through 7 with its consolidated DNS, and Web App and API Protection (WAAP). Putting all the bits together, the F5 Distributed Cloud Console streamlines configuration for modern app types and API traffic (files, video, images), with integrated security control and advanced caching policies. The centralized control plane provides both management and observability into specific application traffic and events across all the endpoints, including those on different network. Now, let's see an example of how we can use the F5 CDN to distribute a modern app. Arcadia Finance is an example of a microservices app that we use at F5 to showcase new product features. It uses independent modules that can live in multiple cloud providers and on different networks. Frontend/Main - IBM Cloud Satellite, OpenShift k8s Backend - Azure AKS Money-Transfer - IBM Cloud Satellite, OpenShift k8s Refer-A-Friend - Google GKE Frontend/Main and Money-Transfer are workloads that run as pods in a k8s cluster on IBM OpenShift and are connected to the F5 Global Network using a Cluster-native k8s customer endpoint (CE), a workload managed by F5. Backend is a workload connected via F5 Distributed Cloud Customer Endpoint (CE) native to Azure. Refer-A-Friend is workload connected via F5 Distributed Cloud Customer Endpoint (CE) native to Google Cloud Service. To support the above app, the following configuration has been added as a distribution in the Distributed Cloud Console CDN service: metadata: name: arcadia-cdn labels: {} spec: domains: - arcadia-cdn.demo.internal http: dns_volterra_managed: true add_location: false more_option: cache_ttl_options: cache_ttl_default: 1m origin_pool: public_name: dns_name: ves-io-f85551e2-8a82-4fb4-88a4-b5c202e56d41.ac.vh.ves.io no_tls: {} origin_servers: - public_name: dns_name: ves-io-f85551e2-8a82-4fb4-88a4-b5c202e56d41.ac.vh.ves.io dns_info: [] state: VIRTUAL_HOST_READY auto_cert_info: auto_cert_state: AutoCertDisabled dns_records: [] service_domains: - domain: arcadia-cdn.demo.internal service_domain: ves-io-cdn-arcadia-cdn-demo-internal.autocerts.ves.volterra.io When a user accesses and logs into the Arcadia App, F5 Distributed Cloud CDN first screens each request and then passes it through to the backend, in this case, Frontend/Main. The main pod then works to pull content from the backend, money-transfer, and refer-a-friend modules, all of which are available as different internal endpoints and virtual servers accessible only from other pods within the F5 Global Network. Only after the content has been successfully fetched by Frontend is the landing page finally presented to the user. In the context of CDN, we refer to this first case as a Cache-Miss. % curl -I http://arcadia-cdn.demo.internal/images/image1.jpg HTTP/1.1 200 OK Date: Thu, 15 Sep 2022 00:38:22 GMT Content-Type: image/jpeg Content-Length: 54142 Connection: keep-alive last-modified: Wed, 10 Aug 2022 18:48:47 GMT etag: "62f3fd8f-d37e" x-envoy-upstream-service-time: 5 Server: volt-cdn x-cache-status: MISS Accept-Ranges: bytes When Arcadia Finance is front ended with the Distributed Cloud CDN, content no longer needs to be fetched by Frontend/Main every time the user accesses the page. To reduce load on the app modules, the CDN caches all the content and delivers it to the user upon subsequent hits. This is known as a Cache-Hit. % curl -I http://arcadia-cdn.demo.internal/images/image1.jpg HTTP/1.1 200 OK Date: Thu, 15 Sep 2022 00:38:25 GMT Content-Type: image/jpeg Content-Length: 54142 Connection: keep-alive last-modified: Wed, 10 Aug 2022 18:48:47 GMT etag: "62f3fd8f-d37e" x-envoy-upstream-service-time: 31 Server: volt-cdn x-cache-status: HIT Accept-Ranges: bytes When using Distributed Cloud CDN to distribute frontend apps, even when there's a Cache-Miss, the user experience will be improved vs going to the app directly because the CDN directs the connection to F5's closest regional point of presence (PoP), eliminating much of the uncontrolled and variable latency inherent on the Internet. After accessing the Arcadia Finance app for some time, even when the cached page Time To Live (TTL) policy is set to a very low value of 1 minute, we're still able to see a good amount of caching provided by F5's CDN. Viewing the app's distribution performance in the Distributed Cloud Console, we can see the percentage of hits vs. misses, what the returned latency is for each, how much of the app is returning HTTP 2xx, 3xx, 4xx, or 5xx status codes, and even which versions of SSL and HTTP the connections use. Overall, F5's CDN pulls out all the stops when it comes to safeguarding your environments. Regardless of whether an app's content sprawls multiple private and public networks, F5's CDN can connect to it securely at the app level and cache it. Endpoint-specific security policies within the CDN can be added with a few clicks and the use of a Swagger file to further restrict the operations and content allowed to prevent malicious actors. All in all, F5's Content Delivery Network delivers the best set of network connectivity and security-focused functionality to enable today's most modern applications. In the following video, I share some of the additional benefits of using the F5 Distributed Cloud CDN and show the difference that users will notice when the CDN provides more content from the cache. Additional Resources For more information about this product as well as details on how to configure it, go to the following additional resources. CDN product information CDN product documentation F5 Distributed Cloud Secure CDN Solution: CDN + WAAP (Web App & API Security)
Dave_Potter
Sep 27, 2022 Place Technical Articles
2KViews
7likes
1Comment

"}},"componentScriptGroups({\"componentId\":\"custom.widget.Beta_MetaNav\"})":{"__typename":"ComponentScriptGroups","scriptGroups":{"__typename":"ComponentScriptGroupsDefinition","afterInteractive":{"__typename":"PageScriptGroupDefinition","group":"AFTER_INTERACTIVE","scriptIds":[]},"lazyOnLoad":{"__typename":"PageScriptGroupDefinition","group":"LAZY_ON_LOAD","scriptIds":[]}},"componentScripts":[]},"component({\"componentId\":\"custom.widget.Beta_Footer\"})":{"__typename":"Component","render({\"context\":{\"component\":{\"entities\":[],\"props\":{}},\"page\":{\"entities\":[],\"name\":\"TagPage\",\"props\":{},\"url\":\"https://community.f5.com/tag/F5%20Distributed%20Cloud%20WAAP\"}}})":{"__typename":"ComponentRenderResult","html":"

Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information

"}},"componentScriptGroups({\"componentId\":\"custom.widget.Beta_Footer\"})":{"__typename":"ComponentScriptGroups","scriptGroups":{"__typename":"ComponentScriptGroupsDefinition","afterInteractive":{"__typename":"PageScriptGroupDefinition","group":"AFTER_INTERACTIVE","scriptIds":[]},"lazyOnLoad":{"__typename":"PageScriptGroupDefinition","group":"LAZY_ON_LOAD","scriptIds":[]}},"componentScripts":[]},"component({\"componentId\":\"custom.widget.Tag_Manager_Helper\"})":{"__typename":"Component","render({\"context\":{\"component\":{\"entities\":[],\"props\":{}},\"page\":{\"entities\":[],\"name\":\"TagPage\",\"props\":{},\"url\":\"https://community.f5.com/tag/F5%20Distributed%20Cloud%20WAAP\"}}})":{"__typename":"ComponentRenderResult","html":" "}},"componentScriptGroups({\"componentId\":\"custom.widget.Tag_Manager_Helper\"})":{"__typename":"ComponentScriptGroups","scriptGroups":{"__typename":"ComponentScriptGroupsDefinition","afterInteractive":{"__typename":"PageScriptGroupDefinition","group":"AFTER_INTERACTIVE","scriptIds":[]},"lazyOnLoad":{"__typename":"PageScriptGroupDefinition","group":"LAZY_ON_LOAD","scriptIds":[]}},"componentScripts":[]},"component({\"componentId\":\"custom.widget.Consent_Blackbar\"})":{"__typename":"Component","render({\"context\":{\"component\":{\"entities\":[],\"props\":{}},\"page\":{\"entities\":[],\"name\":\"TagPage\",\"props\":{},\"url\":\"https://community.f5.com/tag/F5%20Distributed%20Cloud%20WAAP\"}}})":{"__typename":"ComponentRenderResult","html":"

"}},"componentScriptGroups({\"componentId\":\"custom.widget.Consent_Blackbar\"})":{"__typename":"ComponentScriptGroups","scriptGroups":{"__typename":"ComponentScriptGroupsDefinition","afterInteractive":{"__typename":"PageScriptGroupDefinition","group":"AFTER_INTERACTIVE","scriptIds":[]},"lazyOnLoad":{"__typename":"PageScriptGroupDefinition","group":"LAZY_ON_LOAD","scriptIds":[]}},"componentScripts":[]},"cachedText({\"lastModified\":\"1743097587452\",\"locale\":\"en-US\",\"namespaces\":[\"components/community/NavbarDropdownToggle\"]})":[{"__ref":"CachedAsset:text:en_US-components/community/NavbarDropdownToggle-1743097587452"}],"cachedText({\"lastModified\":\"1743097587452\",\"locale\":\"en-US\",\"namespaces\":[\"shared/client/components/common/OverflowNav\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/common/OverflowNav-1743097587452"}],"cachedText({\"lastModified\":\"1743097587452\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageView/MessageViewInline\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageView/MessageViewInline-1743097587452"}],"cachedText({\"lastModified\":\"1743097587452\",\"locale\":\"en-US\",\"namespaces\":[\"shared/client/components/common/Pager/PagerLoadMore\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/common/Pager/PagerLoadMore-1743097587452"}],"cachedText({\"lastModified\":\"1743097587452\",\"locale\":\"en-US\",\"namespaces\":[\"components/customComponent/CustomComponent\"]})":[{"__ref":"CachedAsset:text:en_US-components/customComponent/CustomComponent-1743097587452"}],"cachedText({\"lastModified\":\"1743097587452\",\"locale\":\"en-US\",\"namespaces\":[\"components/users/UserLink\"]})":[{"__ref":"CachedAsset:text:en_US-components/users/UserLink-1743097587452"}],"cachedText({\"lastModified\":\"1743097587452\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageSubject\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageSubject-1743097587452"}],"cachedText({\"lastModified\":\"1743097587452\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageTime\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageTime-1743097587452"}],"cachedText({\"lastModified\":\"1743097587452\",\"locale\":\"en-US\",\"namespaces\":[\"shared/client/components/nodes/NodeIcon\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/nodes/NodeIcon-1743097587452"}],"cachedText({\"lastModified\":\"1743097587452\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageUnreadCount\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageUnreadCount-1743097587452"}],"cachedText({\"lastModified\":\"1743097587452\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageViewCount\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageViewCount-1743097587452"}],"cachedText({\"lastModified\":\"1743097587452\",\"locale\":\"en-US\",\"namespaces\":[\"components/kudos/KudosCount\"]})":[{"__ref":"CachedAsset:text:en_US-components/kudos/KudosCount-1743097587452"}],"cachedText({\"lastModified\":\"1743097587452\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageRepliesCount\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageRepliesCount-1743097587452"}],"cachedText({\"lastModified\":\"1743097587452\",\"locale\":\"en-US\",\"namespaces\":[\"components/messages/MessageBody\"]})":[{"__ref":"CachedAsset:text:en_US-components/messages/MessageBody-1743097587452"}],"cachedText({\"lastModified\":\"1743097587452\",\"locale\":\"en-US\",\"namespaces\":[\"shared/client/components/users/UserAvatar\"]})":[{"__ref":"CachedAsset:text:en_US-shared/client/components/users/UserAvatar-1743097587452"}]},"CachedAsset:pages-1742463026728":{"__typename":"CachedAsset","id":"pages-1742463026728","value":[{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"HowDoI.GetInvolved.MvpProgram","type":"COMMUNITY","urlPath":"/c/how-do-i/get-involved/mvp-program","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"BlogViewAllPostsPage","type":"BLOG","urlPath":"/category/:categoryId/blog/:boardId/all-posts/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"CasePortalPage","type":"CASE_PORTAL","urlPath":"/caseportal","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"CreateGroupHubPage","type":"GROUP_HUB","urlPath":"/groups/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"CaseViewPage","type":"CASE_DETAILS","urlPath":"/case/:caseId/:caseNumber","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"InboxPage","type":"COMMUNITY","urlPath":"/inbox","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"HowDoI.GetInvolved.AdvocacyProgram","type":"COMMUNITY","urlPath":"/c/how-do-i/get-involved/advocacy-program","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"HowDoI.GetHelp.NonCustomer","type":"COMMUNITY","urlPath":"/c/how-do-i/get-help/non-customer","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"HelpFAQPage","type":"COMMUNITY","urlPath":"/help","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"HowDoI.GetHelp.F5Customer","type":"COMMUNITY","urlPath":"/c/how-do-i/get-help/f5-customer","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"IdeaMessagePage","type":"IDEA_POST","urlPath":"/idea/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"IdeaViewAllIdeasPage","type":"IDEA","urlPath":"/category/:categoryId/ideas/:boardId/all-ideas/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"LoginPage","type":"USER","urlPath":"/signin","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"BlogPostPage","type":"BLOG","urlPath":"/category/:categoryId/blogs/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"HowDoI.GetInvolved","type":"COMMUNITY","urlPath":"/c/how-do-i/get-involved","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"HowDoI.Learn","type":"COMMUNITY","urlPath":"/c/how-do-i/learn","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1739501996000,"localOverride":null,"page":{"id":"Test","type":"CUSTOM","urlPath":"/custom-test-2","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"ThemeEditorPage","type":"COMMUNITY","urlPath":"/designer/themes","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"TkbViewAllArticlesPage","type":"TKB","urlPath":"/category/:categoryId/kb/:boardId/all-articles/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"OccasionEditPage","type":"EVENT","urlPath":"/event/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"OAuthAuthorizationAllowPage","type":"USER","urlPath":"/auth/authorize/allow","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"PageEditorPage","type":"COMMUNITY","urlPath":"/designer/pages","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"PostPage","type":"COMMUNITY","urlPath":"/category/:categoryId/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"ForumBoardPage","type":"FORUM","urlPath":"/category/:categoryId/discussions/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"TkbBoardPage","type":"TKB","urlPath":"/category/:categoryId/kb/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"EventPostPage","type":"EVENT","urlPath":"/category/:categoryId/events/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"UserBadgesPage","type":"COMMUNITY","urlPath":"/users/:login/:userId/badges","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"GroupHubMembershipAction","type":"GROUP_HUB","urlPath":"/membership/join/:nodeId/:membershipType","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"MaintenancePage","type":"COMMUNITY","urlPath":"/maintenance","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"IdeaReplyPage","type":"IDEA_REPLY","urlPath":"/idea/:boardId/:messageSubject/:messageId/comments/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"UserSettingsPage","type":"USER","urlPath":"/mysettings/:userSettingsTab","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"GroupHubsPage","type":"GROUP_HUB","urlPath":"/groups","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"ForumPostPage","type":"FORUM","urlPath":"/category/:categoryId/discussions/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"OccasionRsvpActionPage","type":"OCCASION","urlPath":"/event/:boardId/:messageSubject/:messageId/rsvp/:responseType","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"VerifyUserEmailPage","type":"USER","urlPath":"/verifyemail/:userId/:verifyEmailToken","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"AllOccasionsPage","type":"OCCASION","urlPath":"/category/:categoryId/events/:boardId/all-events/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"EventBoardPage","type":"EVENT","urlPath":"/category/:categoryId/events/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"TkbReplyPage","type":"TKB_REPLY","urlPath":"/kb/:boardId/:messageSubject/:messageId/comments/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"IdeaBoardPage","type":"IDEA","urlPath":"/category/:categoryId/ideas/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"CommunityGuideLinesPage","type":"COMMUNITY","urlPath":"/communityguidelines","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"CaseCreatePage","type":"SALESFORCE_CASE_CREATION","urlPath":"/caseportal/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"TkbEditPage","type":"TKB","urlPath":"/kb/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"ForgotPasswordPage","type":"USER","urlPath":"/forgotpassword","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"IdeaEditPage","type":"IDEA","urlPath":"/idea/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"TagPage","type":"COMMUNITY","urlPath":"/tag/:tagName","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"BlogBoardPage","type":"BLOG","urlPath":"/category/:categoryId/blog/:boardId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"OccasionMessagePage","type":"OCCASION_TOPIC","urlPath":"/event/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"ManageContentPage","type":"COMMUNITY","urlPath":"/managecontent","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"ClosedMembershipNodeNonMembersPage","type":"GROUP_HUB","urlPath":"/closedgroup/:groupHubId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"HowDoI.GetHelp.Community","type":"COMMUNITY","urlPath":"/c/how-do-i/get-help/community","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"CommunityPage","type":"COMMUNITY","urlPath":"/","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"HowDoI.GetInvolved.ContributeCode","type":"COMMUNITY","urlPath":"/c/how-do-i/get-involved/contribute-code","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"ForumMessagePage","type":"FORUM_TOPIC","urlPath":"/discussions/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"IdeaPostPage","type":"IDEA","urlPath":"/category/:categoryId/ideas/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"BlogMessagePage","type":"BLOG_ARTICLE","urlPath":"/blog/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"RegistrationPage","type":"USER","urlPath":"/register","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"EditGroupHubPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"ForumEditPage","type":"FORUM","urlPath":"/discussions/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"ResetPasswordPage","type":"USER","urlPath":"/resetpassword/:userId/:resetPasswordToken","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"TkbMessagePage","type":"TKB_ARTICLE","urlPath":"/kb/:boardId/:messageSubject/:messageId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"HowDoI.Learn.AboutIrules","type":"COMMUNITY","urlPath":"/c/how-do-i/learn/about-irules","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"BlogEditPage","type":"BLOG","urlPath":"/blog/:boardId/:messageSubject/:messageId/edit","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"HowDoI.GetHelp.F5Support","type":"COMMUNITY","urlPath":"/c/how-do-i/get-help/f5-support","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"ManageUsersPage","type":"USER","urlPath":"/users/manage/:tab?/:manageUsersTab?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"ForumReplyPage","type":"FORUM_REPLY","urlPath":"/discussions/:boardId/:messageSubject/:messageId/replies/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"PrivacyPolicyPage","type":"COMMUNITY","urlPath":"/privacypolicy","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"NotificationPage","type":"COMMUNITY","urlPath":"/notifications","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"UserPage","type":"USER","urlPath":"/users/:login/:userId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"HealthCheckPage","type":"COMMUNITY","urlPath":"/health","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"OccasionReplyPage","type":"OCCASION_REPLY","urlPath":"/event/:boardId/:messageSubject/:messageId/comments/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"ManageMembersPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId/manage/:tab?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"SearchResultsPage","type":"COMMUNITY","urlPath":"/search","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"BlogReplyPage","type":"BLOG_REPLY","urlPath":"/blog/:boardId/:messageSubject/:messageId/replies/:replyId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"GroupHubPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"TermsOfServicePage","type":"COMMUNITY","urlPath":"/termsofservice","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"HowDoI.GetHelp","type":"COMMUNITY","urlPath":"/c/how-do-i/get-help","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"HowDoI.GetHelp.SecurityIncident","type":"COMMUNITY","urlPath":"/c/how-do-i/get-help/security-incident","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"CategoryPage","type":"CATEGORY","urlPath":"/category/:categoryId","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"ForumViewAllTopicsPage","type":"FORUM","urlPath":"/category/:categoryId/discussions/:boardId/all-topics/(/:after|/:before)?","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"TkbPostPage","type":"TKB","urlPath":"/category/:categoryId/kbs/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"GroupHubPostPage","type":"GROUP_HUB","urlPath":"/group/:groupHubId/:boardId/create","__typename":"PageDescriptor"},"__typename":"PageResource"},{"lastUpdatedTime":1742463026728,"localOverride":null,"page":{"id":"HowDoI","type":"COMMUNITY","urlPath":"/c/how-do-i","__typename":"PageDescriptor"},"__typename":"PageResource"}],"localOverride":false},"CachedAsset:text:en_US-components/context/AppContext/AppContextProvider-0":{"__typename":"CachedAsset","id":"text:en_US-components/context/AppContext/AppContextProvider-0","value":{"noCommunity":"Cannot find community","noUser":"Cannot find current user","noNode":"Cannot find node with id {nodeId}","noMessage":"Cannot find message with id {messageId}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/common/Loading/LoadingDot-0":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/common/Loading/LoadingDot-0","value":{"title":"Loading..."},"localOverride":false},"User:user:-1":{"__typename":"User","id":"user:-1","uid":-1,"login":"Former Member","email":"","avatar":null,"rank":null,"kudosWeight":1,"registrationData":{"__typename":"RegistrationData","status":"ANONYMOUS","registrationTime":null,"confirmEmailStatus":false,"registrationAccessLevel":"VIEW","ssoRegistrationFields":[]},"ssoId":null,"profileSettings":{"__typename":"ProfileSettings","dateDisplayStyle":{"__typename":"InheritableStringSettingWithPossibleValues","key":"layout.friendly_dates_enabled","value":"false","localValue":"true","possibleValues":["true","false"]},"dateDisplayFormat":{"__typename":"InheritableStringSetting","key":"layout.format_pattern_date","value":"dd-MMM-yyyy","localValue":"MM-dd-yyyy"},"language":{"__typename":"InheritableStringSettingWithPossibleValues","key":"profile.language","value":"en-US","localValue":null,"possibleValues":["en-US"]}},"deleted":false},"Theme:customTheme1":{"__typename":"Theme","id":"customTheme1"},"CachedAsset:theme:customTheme1-1742463026290":{"__typename":"CachedAsset","id":"theme:customTheme1-1742463026290","value":{"id":"customTheme1","animation":{"fast":"150ms","normal":"250ms","slow":"500ms","slowest":"750ms","function":"cubic-bezier(0.07, 0.91, 0.51, 1)","__typename":"AnimationThemeSettings"},"avatar":{"borderRadius":"50%","collections":["custom"],"__typename":"AvatarThemeSettings"},"basics":{"browserIcon":{"imageAssetName":"JimmyPackets-512-1702592938213.png","imageLastModified":"1702592945815","__typename":"ThemeAsset"},"customerLogo":{"imageAssetName":"f5_logo_fix-1704824537976.svg","imageLastModified":"1704824540697","__typename":"ThemeAsset"},"maximumWidthOfPageContent":"1600px","oneColumnNarrowWidth":"800px","gridGutterWidthMd":"30px","gridGutterWidthXs":"10px","pageWidthStyle":"WIDTH_OF_PAGE_CONTENT","__typename":"BasicsThemeSettings"},"buttons":{"borderRadiusSm":"5px","borderRadius":"5px","borderRadiusLg":"5px","paddingY":"5px","paddingYLg":"7px","paddingYHero":"var(--lia-bs-btn-padding-y-lg)","paddingX":"12px","paddingXLg":"14px","paddingXHero":"42px","fontStyle":"NORMAL","fontWeight":"400","textTransform":"NONE","disabledOpacity":0.5,"primaryTextColor":"var(--lia-bs-white)","primaryTextHoverColor":"var(--lia-bs-white)","primaryTextActiveColor":"var(--lia-bs-white)","primaryBgColor":"var(--lia-bs-primary)","primaryBgHoverColor":"hsl(var(--lia-bs-primary-h), var(--lia-bs-primary-s), calc(var(--lia-bs-primary-l) * 0.85))","primaryBgActiveColor":"hsl(var(--lia-bs-primary-h), var(--lia-bs-primary-s), calc(var(--lia-bs-primary-l) * 0.7))","primaryBorder":"1px solid transparent","primaryBorderHover":"1px solid transparent","primaryBorderActive":"1px solid transparent","primaryBorderFocus":"1px solid var(--lia-bs-white)","primaryBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","secondaryTextColor":"var(--lia-bs-gray-900)","secondaryTextHoverColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), calc(var(--lia-bs-gray-900-l) * 0.95))","secondaryTextActiveColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), calc(var(--lia-bs-gray-900-l) * 0.9))","secondaryBgColor":"var(--lia-bs-gray-400)","secondaryBgHoverColor":"hsl(var(--lia-bs-gray-400-h), var(--lia-bs-gray-400-s), calc(var(--lia-bs-gray-400-l) * 0.96))","secondaryBgActiveColor":"hsl(var(--lia-bs-gray-400-h), var(--lia-bs-gray-400-s), calc(var(--lia-bs-gray-400-l) * 0.92))","secondaryBorder":"1px solid transparent","secondaryBorderHover":"1px solid transparent","secondaryBorderActive":"1px solid transparent","secondaryBorderFocus":"1px solid transparent","secondaryBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","tertiaryTextColor":"var(--lia-bs-gray-900)","tertiaryTextHoverColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), calc(var(--lia-bs-gray-900-l) * 0.95))","tertiaryTextActiveColor":"hsl(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), calc(var(--lia-bs-gray-900-l) * 0.9))","tertiaryBgColor":"transparent","tertiaryBgHoverColor":"transparent","tertiaryBgActiveColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.04)","tertiaryBorder":"1px solid transparent","tertiaryBorderHover":"1px solid hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)","tertiaryBorderActive":"1px solid transparent","tertiaryBorderFocus":"1px solid transparent","tertiaryBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","destructiveTextColor":"var(--lia-bs-danger)","destructiveTextHoverColor":"hsl(var(--lia-bs-danger-h), var(--lia-bs-danger-s), calc(var(--lia-bs-danger-l) * 0.95))","destructiveTextActiveColor":"hsl(var(--lia-bs-danger-h), var(--lia-bs-danger-s), calc(var(--lia-bs-danger-l) * 0.9))","destructiveBgColor":"var(--lia-bs-gray-300)","destructiveBgHoverColor":"hsl(var(--lia-bs-gray-300-h), var(--lia-bs-gray-300-s), calc(var(--lia-bs-gray-300-l) * 0.96))","destructiveBgActiveColor":"hsl(var(--lia-bs-gray-300-h), var(--lia-bs-gray-300-s), calc(var(--lia-bs-gray-300-l) * 0.92))","destructiveBorder":"1px solid transparent","destructiveBorderHover":"1px solid transparent","destructiveBorderActive":"1px solid transparent","destructiveBorderFocus":"1px solid transparent","destructiveBoxShadowFocus":"0 0 0 1px var(--lia-bs-primary), 0 0 0 4px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","__typename":"ButtonsThemeSettings"},"border":{"color":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)","mainContent":"NONE","sideContent":"NONE","radiusSm":"3px","radius":"5px","radiusLg":"9px","radius50":"100vw","__typename":"BorderThemeSettings"},"boxShadow":{"xs":"0 0 0 1px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.08), 0 3px 0 -1px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.08)","sm":"0 2px 4px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.06)","md":"0 5px 15px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.15)","lg":"0 10px 30px hsla(var(--lia-bs-gray-900-h), var(--lia-bs-gray-900-s), var(--lia-bs-gray-900-l), 0.15)","__typename":"BoxShadowThemeSettings"},"cards":{"bgColor":"var(--lia-panel-bg-color)","borderRadius":"var(--lia-panel-border-radius)","boxShadow":"var(--lia-box-shadow-xs)","__typename":"CardsThemeSettings"},"chip":{"maxWidth":"300px","height":"30px","__typename":"ChipThemeSettings"},"coreTypes":{"defaultMessageLinkColor":"var(--lia-bs-primary)","defaultMessageLinkDecoration":"none","defaultMessageLinkFontStyle":"NORMAL","defaultMessageLinkFontWeight":"400","defaultMessageFontStyle":"NORMAL","defaultMessageFontWeight":"400","forumColor":"#0C5C8D","forumFontFamily":"var(--lia-bs-font-family-base)","forumFontWeight":"var(--lia-default-message-font-weight)","forumLineHeight":"var(--lia-bs-line-height-base)","forumFontStyle":"var(--lia-default-message-font-style)","forumMessageLinkColor":"var(--lia-default-message-link-color)","forumMessageLinkDecoration":"var(--lia-default-message-link-decoration)","forumMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","forumMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","forumSolvedColor":"#62C026","blogColor":"#730015","blogFontFamily":"var(--lia-bs-font-family-base)","blogFontWeight":"var(--lia-default-message-font-weight)","blogLineHeight":"1.75","blogFontStyle":"var(--lia-default-message-font-style)","blogMessageLinkColor":"var(--lia-default-message-link-color)","blogMessageLinkDecoration":"var(--lia-default-message-link-decoration)","blogMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","blogMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","tkbColor":"#C20025","tkbFontFamily":"var(--lia-bs-font-family-base)","tkbFontWeight":"var(--lia-default-message-font-weight)","tkbLineHeight":"1.75","tkbFontStyle":"var(--lia-default-message-font-style)","tkbMessageLinkColor":"var(--lia-default-message-link-color)","tkbMessageLinkDecoration":"var(--lia-default-message-link-decoration)","tkbMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","tkbMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","qandaColor":"#4099E2","qandaFontFamily":"var(--lia-bs-font-family-base)","qandaFontWeight":"var(--lia-default-message-font-weight)","qandaLineHeight":"var(--lia-bs-line-height-base)","qandaFontStyle":"var(--lia-default-message-link-font-style)","qandaMessageLinkColor":"var(--lia-default-message-link-color)","qandaMessageLinkDecoration":"var(--lia-default-message-link-decoration)","qandaMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","qandaMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","qandaSolvedColor":"#3FA023","ideaColor":"#F3704B","ideaFontFamily":"var(--lia-bs-font-family-base)","ideaFontWeight":"var(--lia-default-message-font-weight)","ideaLineHeight":"var(--lia-bs-line-height-base)","ideaFontStyle":"var(--lia-default-message-font-style)","ideaMessageLinkColor":"var(--lia-default-message-link-color)","ideaMessageLinkDecoration":"var(--lia-default-message-link-decoration)","ideaMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","ideaMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","contestColor":"#FCC845","contestFontFamily":"var(--lia-bs-font-family-base)","contestFontWeight":"var(--lia-default-message-font-weight)","contestLineHeight":"var(--lia-bs-line-height-base)","contestFontStyle":"var(--lia-default-message-link-font-style)","contestMessageLinkColor":"var(--lia-default-message-link-color)","contestMessageLinkDecoration":"var(--lia-default-message-link-decoration)","contestMessageLinkFontStyle":"ITALIC","contestMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","occasionColor":"#EE4B5B","occasionFontFamily":"var(--lia-bs-font-family-base)","occasionFontWeight":"var(--lia-default-message-font-weight)","occasionLineHeight":"var(--lia-bs-line-height-base)","occasionFontStyle":"var(--lia-default-message-font-style)","occasionMessageLinkColor":"var(--lia-default-message-link-color)","occasionMessageLinkDecoration":"var(--lia-default-message-link-decoration)","occasionMessageLinkFontStyle":"var(--lia-default-message-link-font-style)","occasionMessageLinkFontWeight":"var(--lia-default-message-link-font-weight)","grouphubColor":"#491B62","categoryColor":"#949494","communityColor":"#FFFFFF","productColor":"#949494","__typename":"CoreTypesThemeSettings"},"colors":{"black":"#000000","white":"#FFFFFF","gray100":"#F7F7F7","gray200":"#F7F7F7","gray300":"#E8E8E8","gray400":"#D9D9D9","gray500":"#CCCCCC","gray600":"#949494","gray700":"#707070","gray800":"#545454","gray900":"#333333","dark":"#545454","light":"#F7F7F7","primary":"#0C5C8D","secondary":"#333333","bodyText":"#222222","bodyBg":"#F5F5F5","info":"#1D9CD3","success":"#62C026","warning":"#FFD651","danger":"#C20025","alertSystem":"#FF6600","textMuted":"#707070","highlight":"#FFFCAD","outline":"var(--lia-bs-primary)","custom":["#C20025","#081B85","#009639","#B3C6D7","#7CC0EB","#F29A36"],"__typename":"ColorsThemeSettings"},"divider":{"size":"3px","marginLeft":"4px","marginRight":"4px","borderRadius":"50%","bgColor":"var(--lia-bs-gray-600)","bgColorActive":"var(--lia-bs-gray-600)","__typename":"DividerThemeSettings"},"dropdown":{"fontSize":"var(--lia-bs-font-size-sm)","borderColor":"var(--lia-bs-border-color)","borderRadius":"var(--lia-bs-border-radius-sm)","dividerBg":"var(--lia-bs-gray-300)","itemPaddingY":"5px","itemPaddingX":"20px","headerColor":"var(--lia-bs-gray-700)","__typename":"DropdownThemeSettings"},"email":{"link":{"color":"#0069D4","hoverColor":"#0061c2","decoration":"none","hoverDecoration":"underline","__typename":"EmailLinkSettings"},"border":{"color":"#e4e4e4","__typename":"EmailBorderSettings"},"buttons":{"borderRadiusLg":"5px","paddingXLg":"16px","paddingYLg":"7px","fontWeight":"700","primaryTextColor":"#ffffff","primaryTextHoverColor":"#ffffff","primaryBgColor":"#0069D4","primaryBgHoverColor":"#005cb8","primaryBorder":"1px solid transparent","primaryBorderHover":"1px solid transparent","__typename":"EmailButtonsSettings"},"panel":{"borderRadius":"5px","borderColor":"#e4e4e4","__typename":"EmailPanelSettings"},"__typename":"EmailThemeSettings"},"emoji":{"skinToneDefault":"#ffcd43","skinToneLight":"#fae3c5","skinToneMediumLight":"#e2cfa5","skinToneMedium":"#daa478","skinToneMediumDark":"#a78058","skinToneDark":"#5e4d43","__typename":"EmojiThemeSettings"},"heading":{"color":"var(--lia-bs-body-color)","fontFamily":"Inter","fontStyle":"NORMAL","fontWeight":"600","h1FontSize":"30px","h2FontSize":"25px","h3FontSize":"20px","h4FontSize":"18px","h5FontSize":"16px","h6FontSize":"16px","lineHeight":"1.2","subHeaderFontSize":"11px","subHeaderFontWeight":"500","h1LetterSpacing":"normal","h2LetterSpacing":"normal","h3LetterSpacing":"normal","h4LetterSpacing":"normal","h5LetterSpacing":"normal","h6LetterSpacing":"normal","subHeaderLetterSpacing":"2px","h1FontWeight":"var(--lia-bs-headings-font-weight)","h2FontWeight":"var(--lia-bs-headings-font-weight)","h3FontWeight":"var(--lia-bs-headings-font-weight)","h4FontWeight":"var(--lia-bs-headings-font-weight)","h5FontWeight":"var(--lia-bs-headings-font-weight)","h6FontWeight":"var(--lia-bs-headings-font-weight)","__typename":"HeadingThemeSettings"},"icons":{"size10":"10px","size12":"12px","size14":"14px","size16":"16px","size20":"20px","size24":"24px","size30":"30px","size40":"40px","size50":"50px","size60":"60px","size80":"80px","size120":"120px","size160":"160px","__typename":"IconsThemeSettings"},"imagePreview":{"bgColor":"var(--lia-bs-gray-900)","titleColor":"var(--lia-bs-white)","controlColor":"var(--lia-bs-white)","controlBgColor":"var(--lia-bs-gray-800)","__typename":"ImagePreviewThemeSettings"},"input":{"borderColor":"var(--lia-bs-gray-600)","disabledColor":"var(--lia-bs-gray-600)","focusBorderColor":"var(--lia-bs-primary)","labelMarginBottom":"10px","btnFontSize":"var(--lia-bs-font-size-sm)","focusBoxShadow":"0 0 0 3px hsla(var(--lia-bs-primary-h), var(--lia-bs-primary-s), var(--lia-bs-primary-l), 0.2)","checkLabelMarginBottom":"2px","checkboxBorderRadius":"3px","borderRadiusSm":"var(--lia-bs-border-radius-sm)","borderRadius":"var(--lia-bs-border-radius)","borderRadiusLg":"var(--lia-bs-border-radius-lg)","formTextMarginTop":"4px","textAreaBorderRadius":"var(--lia-bs-border-radius)","activeFillColor":"var(--lia-bs-primary)","__typename":"InputThemeSettings"},"loading":{"dotDarkColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.2)","dotLightColor":"hsla(var(--lia-bs-white-h), var(--lia-bs-white-s), var(--lia-bs-white-l), 0.5)","barDarkColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.06)","barLightColor":"hsla(var(--lia-bs-white-h), var(--lia-bs-white-s), var(--lia-bs-white-l), 0.4)","__typename":"LoadingThemeSettings"},"link":{"color":"var(--lia-bs-primary)","hoverColor":"hsl(var(--lia-bs-primary-h), var(--lia-bs-primary-s), calc(var(--lia-bs-primary-l) - 10%))","decoration":"none","hoverDecoration":"underline","__typename":"LinkThemeSettings"},"listGroup":{"itemPaddingY":"15px","itemPaddingX":"15px","borderColor":"var(--lia-bs-gray-300)","__typename":"ListGroupThemeSettings"},"modal":{"contentTextColor":"var(--lia-bs-body-color)","contentBg":"var(--lia-bs-white)","backgroundBg":"var(--lia-bs-black)","smSize":"440px","mdSize":"760px","lgSize":"1080px","backdropOpacity":0.3,"contentBoxShadowXs":"var(--lia-bs-box-shadow-sm)","contentBoxShadow":"var(--lia-bs-box-shadow)","headerFontWeight":"700","__typename":"ModalThemeSettings"},"navbar":{"position":"FIXED","background":{"attachment":null,"clip":null,"color":"var(--lia-bs-white)","imageAssetName":null,"imageLastModified":"0","origin":null,"position":"CENTER_CENTER","repeat":"NO_REPEAT","size":"COVER","__typename":"BackgroundProps"},"backgroundOpacity":0.8,"paddingTop":"15px","paddingBottom":"15px","borderBottom":"1px solid var(--lia-bs-border-color)","boxShadow":"var(--lia-bs-box-shadow-sm)","brandMarginRight":"30px","brandMarginRightSm":"10px","brandLogoHeight":"30px","linkGap":"10px","linkJustifyContent":"flex-start","linkPaddingY":"5px","linkPaddingX":"10px","linkDropdownPaddingY":"9px","linkDropdownPaddingX":"var(--lia-nav-link-px)","linkColor":"var(--lia-bs-body-color)","linkHoverColor":"var(--lia-bs-primary)","linkFontSize":"var(--lia-bs-font-size-sm)","linkFontStyle":"NORMAL","linkFontWeight":"400","linkTextTransform":"NONE","linkLetterSpacing":"normal","linkBorderRadius":"var(--lia-bs-border-radius-sm)","linkBgColor":"transparent","linkBgHoverColor":"transparent","linkBorder":"none","linkBorderHover":"none","linkBoxShadow":"none","linkBoxShadowHover":"none","linkTextBorderBottom":"none","linkTextBorderBottomHover":"none","dropdownPaddingTop":"10px","dropdownPaddingBottom":"15px","dropdownPaddingX":"10px","dropdownMenuOffset":"2px","dropdownDividerMarginTop":"10px","dropdownDividerMarginBottom":"10px","dropdownBorderColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)","controllerBgHoverColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.1)","controllerIconColor":"var(--lia-bs-body-color)","controllerIconHoverColor":"var(--lia-bs-body-color)","controllerTextColor":"var(--lia-nav-controller-icon-color)","controllerTextHoverColor":"var(--lia-nav-controller-icon-hover-color)","controllerHighlightColor":"hsla(30, 100%, 50%)","controllerHighlightTextColor":"var(--lia-yiq-light)","controllerBorderRadius":"var(--lia-border-radius-50)","hamburgerColor":"var(--lia-nav-controller-icon-color)","hamburgerHoverColor":"var(--lia-nav-controller-icon-color)","hamburgerBgColor":"transparent","hamburgerBgHoverColor":"transparent","hamburgerBorder":"none","hamburgerBorderHover":"none","collapseMenuMarginLeft":"20px","collapseMenuDividerBg":"var(--lia-nav-link-color)","collapseMenuDividerOpacity":0.16,"__typename":"NavbarThemeSettings"},"pager":{"textColor":"var(--lia-bs-link-color)","textFontWeight":"var(--lia-font-weight-md)","textFontSize":"var(--lia-bs-font-size-sm)","__typename":"PagerThemeSettings"},"panel":{"bgColor":"var(--lia-bs-white)","borderRadius":"var(--lia-bs-border-radius)","borderColor":"var(--lia-bs-border-color)","boxShadow":"none","__typename":"PanelThemeSettings"},"popover":{"arrowHeight":"8px","arrowWidth":"16px","maxWidth":"300px","minWidth":"100px","headerBg":"var(--lia-bs-white)","borderColor":"var(--lia-bs-border-color)","borderRadius":"var(--lia-bs-border-radius)","boxShadow":"0 0.5rem 1rem hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.15)","__typename":"PopoverThemeSettings"},"prism":{"color":"#000000","bgColor":"#f5f2f0","fontFamily":"var(--font-family-monospace)","fontSize":"var(--lia-bs-font-size-base)","fontWeightBold":"var(--lia-bs-font-weight-bold)","fontStyleItalic":"italic","tabSize":2,"highlightColor":"#b3d4fc","commentColor":"#62707e","punctuationColor":"#6f6f6f","namespaceOpacity":"0.7","propColor":"#990055","selectorColor":"#517a00","operatorColor":"#906736","operatorBgColor":"hsla(0, 0%, 100%, 0.5)","keywordColor":"#0076a9","functionColor":"#d3284b","variableColor":"#c14700","__typename":"PrismThemeSettings"},"rte":{"bgColor":"var(--lia-bs-white)","borderRadius":"var(--lia-panel-border-radius)","boxShadow":" var(--lia-panel-box-shadow)","customColor1":"#bfedd2","customColor2":"#fbeeb8","customColor3":"#f8cac6","customColor4":"#eccafa","customColor5":"#c2e0f4","customColor6":"#2dc26b","customColor7":"#f1c40f","customColor8":"#e03e2d","customColor9":"#b96ad9","customColor10":"#3598db","customColor11":"#169179","customColor12":"#e67e23","customColor13":"#ba372a","customColor14":"#843fa1","customColor15":"#236fa1","customColor16":"#ecf0f1","customColor17":"#ced4d9","customColor18":"#95a5a6","customColor19":"#7e8c8d","customColor20":"#34495e","customColor21":"#000000","customColor22":"#ffffff","defaultMessageHeaderMarginTop":"14px","defaultMessageHeaderMarginBottom":"10px","defaultMessageItemMarginTop":"0","defaultMessageItemMarginBottom":"10px","diffAddedColor":"hsla(170, 53%, 51%, 0.4)","diffChangedColor":"hsla(43, 97%, 63%, 0.4)","diffNoneColor":"hsla(0, 0%, 80%, 0.4)","diffRemovedColor":"hsla(9, 74%, 47%, 0.4)","specialMessageHeaderMarginTop":"14px","specialMessageHeaderMarginBottom":"10px","specialMessageItemMarginTop":"0","specialMessageItemMarginBottom":"10px","__typename":"RteThemeSettings"},"tags":{"bgColor":"var(--lia-bs-gray-200)","bgHoverColor":"var(--lia-bs-gray-400)","borderRadius":"var(--lia-bs-border-radius-sm)","color":"var(--lia-bs-body-color)","hoverColor":"var(--lia-bs-body-color)","fontWeight":"var(--lia-font-weight-md)","fontSize":"var(--lia-font-size-xxs)","textTransform":"UPPERCASE","letterSpacing":"0.5px","__typename":"TagsThemeSettings"},"toasts":{"borderRadius":"var(--lia-bs-border-radius)","paddingX":"12px","__typename":"ToastsThemeSettings"},"typography":{"fontFamilyBase":"Atkinson Hyperlegible","fontStyleBase":"NORMAL","fontWeightBase":"400","fontWeightLight":"300","fontWeightNormal":"400","fontWeightMd":"500","fontWeightBold":"700","letterSpacingSm":"normal","letterSpacingXs":"normal","lineHeightBase":"1.3","fontSizeBase":"15px","fontSizeXxs":"11px","fontSizeXs":"12px","fontSizeSm":"13px","fontSizeLg":"20px","fontSizeXl":"24px","smallFontSize":"14px","customFonts":[],"__typename":"TypographyThemeSettings"},"unstyledListItem":{"marginBottomSm":"5px","marginBottomMd":"10px","marginBottomLg":"15px","marginBottomXl":"20px","marginBottomXxl":"25px","__typename":"UnstyledListItemThemeSettings"},"yiq":{"light":"#ffffff","dark":"#000000","__typename":"YiqThemeSettings"},"colorLightness":{"primaryDark":0.36,"primaryLight":0.74,"primaryLighter":0.89,"primaryLightest":0.95,"infoDark":0.39,"infoLight":0.72,"infoLighter":0.85,"infoLightest":0.93,"successDark":0.24,"successLight":0.62,"successLighter":0.8,"successLightest":0.91,"warningDark":0.39,"warningLight":0.68,"warningLighter":0.84,"warningLightest":0.93,"dangerDark":0.41,"dangerLight":0.72,"dangerLighter":0.89,"dangerLightest":0.95,"__typename":"ColorLightnessThemeSettings"},"localOverride":false,"__typename":"Theme"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/common/Loading/LoadingDot-1743097587452":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/common/Loading/LoadingDot-1743097587452","value":{"title":"Loading..."},"localOverride":false},"CachedAsset:text:en_US-components/common/EmailVerification-1743097587452":{"__typename":"CachedAsset","id":"text:en_US-components/common/EmailVerification-1743097587452","value":{"email.verification.title":"Email Verification Required","email.verification.message.update.email":"To participate in the community, you must first verify your email address. The verification email was sent to {email}. To change your email, visit My Settings.","email.verification.message.resend.email":"To participate in the community, you must first verify your email address. The verification email was sent to {email}. Resend email."},"localOverride":false},"CachedAsset:text:en_US-pages/tags/TagPage-1743097587452":{"__typename":"CachedAsset","id":"text:en_US-pages/tags/TagPage-1743097587452","value":{"tagPageTitle":"Tag:\"{tagName}\" | {communityTitle}","tagPageForNodeTitle":"Tag:\"{tagName}\" in \"{title}\" | {communityTitle}","name":"Tags Page","tag":"Tag: {tagName}"},"localOverride":false},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bi0zNC0xM2k0MzE3N0Q2NjFBRDg5NDAy\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bi0zNC0xM2k0MzE3N0Q2NjFBRDg5NDAy","mimeType":"image/png"},"Category:category:Articles":{"__typename":"Category","id":"category:Articles","entityType":"CATEGORY","displayId":"Articles","nodeType":"category","depth":1,"title":"Articles","shortTitle":"Articles","parent":{"__ref":"Category:category:top"},"categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:top":{"__typename":"Category","id":"category:top","displayId":"top","nodeType":"category","depth":0,"title":"Top"},"Tkb:board:TechnicalArticles":{"__typename":"Tkb","id":"board:TechnicalArticles","entityType":"TKB","displayId":"TechnicalArticles","nodeType":"board","depth":2,"conversationStyle":"TKB","title":"Technical Articles","description":"F5 SMEs share good practice.","avatar":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bi0zNC0xM2k0MzE3N0Q2NjFBRDg5NDAy\"}"},"profileSettings":{"__typename":"ProfileSettings","language":null},"parent":{"__ref":"Category:category:Articles"},"ancestors":{"__typename":"CoreNodeConnection","edges":[{"__typename":"CoreNodeEdge","node":{"__ref":"Community:community:zihoc95639"}},{"__typename":"CoreNodeEdge","node":{"__ref":"Category:category:Articles"}}]},"userContext":{"__typename":"NodeUserContext","canAddAttachments":false,"canUpdateNode":false,"canPostMessages":false,"isSubscribed":false},"boardPolicies":{"__typename":"BoardPolicies","canPublishArticleOnCreate":{"__typename":"PolicyResult","failureReason":{"__typename":"FailureReason","message":"error.lithium.policies.forums.policy_can_publish_on_create_workflow_action.accessDenied","key":"error.lithium.policies.forums.policy_can_publish_on_create_workflow_action.accessDenied","args":[]}},"canReadNode":{"__typename":"PolicyResult","failureReason":null}},"tkbPolicies":{"__typename":"TkbPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}},"shortTitle":"Technical Articles","tagPolicies":{"__typename":"TagPolicies","canSubscribeTagOnNode":{"__typename":"PolicyResult","failureReason":{"__typename":"FailureReason","message":"error.lithium.policies.labels.action.corenode.subscribe_labels.allow.accessDenied","key":"error.lithium.policies.labels.action.corenode.subscribe_labels.allow.accessDenied","args":[]}},"canManageTagDashboard":{"__typename":"PolicyResult","failureReason":{"__typename":"FailureReason","message":"error.lithium.policies.labels.action.corenode.admin_labels.allow.accessDenied","key":"error.lithium.policies.labels.action.corenode.admin_labels.allow.accessDenied","args":[]}}}},"CachedAsset:quilt:f5.prod:pages/tags/TagPage:board:TechnicalArticles-1743097590090":{"__typename":"CachedAsset","id":"quilt:f5.prod:pages/tags/TagPage:board:TechnicalArticles-1743097590090","value":{"id":"TagPage","container":{"id":"Common","headerProps":{"removeComponents":["community.widget.bannerWidget"],"__typename":"QuiltContainerSectionProps"},"items":[{"id":"tag-header-widget","layout":"ONE_COLUMN","bgColor":"var(--lia-bs-white)","showBorder":"BOTTOM","sectionEditLevel":"LOCKED","columnMap":{"main":[{"id":"tags.widget.TagsHeaderWidget","__typename":"QuiltComponent"}],"__typename":"OneSectionColumns"},"__typename":"OneColumnQuiltSection"},{"id":"messages-list-for-tag-widget","layout":"ONE_COLUMN","columnMap":{"main":[{"id":"messages.widget.messageListForNodeByRecentActivityWidget","props":{"viewVariant":{"type":"inline","props":{"useUnreadCount":true,"useViewCount":true,"useAuthorLogin":true,"clampBodyLines":3,"useAvatar":true,"useBoardIcon":false,"useKudosCount":true,"usePreviewMedia":true,"useTags":false,"useNode":true,"useNodeLink":true,"useTextBody":true,"truncateBodyLength":-1,"useBody":true,"useRepliesCount":true,"useSolvedBadge":true,"timeStampType":"conversation.lastPostingActivityTime","useMessageTimeLink":true,"clampSubjectLines":2}},"panelType":"divider","useTitle":false,"hideIfEmpty":false,"pagerVariant":{"type":"loadMore"},"style":"list","showTabs":true,"tabItemMap":{"default":{"mostRecent":true,"mostRecentUserContent":false,"newest":false},"additional":{"mostKudoed":true,"mostViewed":true,"mostReplies":false,"noReplies":false,"noSolutions":false,"solutions":false}}},"__typename":"QuiltComponent"}],"__typename":"OneSectionColumns"},"__typename":"OneColumnQuiltSection"}],"__typename":"QuiltContainer"},"__typename":"Quilt"},"localOverride":false},"CachedAsset:quiltWrapper:f5.prod:Common:1742462921290":{"__typename":"CachedAsset","id":"quiltWrapper:f5.prod:Common:1742462921290","value":{"id":"Common","header":{"backgroundImageProps":{"assetName":"header.jpg","backgroundSize":"COVER","backgroundRepeat":"NO_REPEAT","backgroundPosition":"LEFT_CENTER","lastModified":"1702932449000","__typename":"BackgroundImageProps"},"backgroundColor":"transparent","items":[{"id":"custom.widget.Beta_MetaNav","props":{"widgetVisibility":"signedInOrAnonymous","useTitle":true,"useBackground":false,"title":"","lazyLoad":false},"__typename":"QuiltComponent"},{"id":"community.widget.navbarWidget","props":{"showUserName":false,"showRegisterLink":true,"style":{"boxShadow":"var(--lia-bs-box-shadow-sm)","linkFontWeight":"700","controllerHighlightColor":"hsla(30, 100%, 50%)","dropdownDividerMarginBottom":"10px","hamburgerBorderHover":"none","linkFontSize":"15px","linkBoxShadowHover":"none","backgroundOpacity":0.4,"controllerBorderRadius":"var(--lia-border-radius-50)","hamburgerBgColor":"transparent","linkTextBorderBottom":"none","hamburgerColor":"var(--lia-nav-controller-icon-color)","brandLogoHeight":"48px","linkLetterSpacing":"normal","linkBgHoverColor":"transparent","collapseMenuDividerOpacity":0.16,"paddingBottom":"10px","dropdownPaddingBottom":"15px","dropdownMenuOffset":"2px","hamburgerBgHoverColor":"transparent","borderBottom":"0","hamburgerBorder":"none","dropdownPaddingX":"10px","brandMarginRightSm":"10px","linkBoxShadow":"none","linkJustifyContent":"center","linkColor":"var(--lia-bs-primary)","collapseMenuDividerBg":"var(--lia-nav-link-color)","dropdownPaddingTop":"10px","controllerHighlightTextColor":"var(--lia-yiq-dark)","background":{"imageAssetName":"","color":"var(--lia-bs-white)","size":"COVER","repeat":"NO_REPEAT","position":"CENTER_CENTER","imageLastModified":""},"linkBorderRadius":"var(--lia-bs-border-radius-sm)","linkHoverColor":"var(--lia-bs-primary)","position":"FIXED","linkBorder":"none","linkTextBorderBottomHover":"2px solid #0C5C8D","brandMarginRight":"30px","hamburgerHoverColor":"var(--lia-nav-controller-icon-color)","linkBorderHover":"none","collapseMenuMarginLeft":"20px","linkFontStyle":"NORMAL","linkPaddingX":"10px","paddingTop":"10px","linkPaddingY":"5px","linkTextTransform":"NONE","dropdownBorderColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)","controllerBgHoverColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.1)","linkDropdownPaddingX":"var(--lia-nav-link-px)","linkBgColor":"transparent","linkDropdownPaddingY":"9px","controllerIconColor":"#0C5C8D","dropdownDividerMarginTop":"10px","linkGap":"10px","controllerIconHoverColor":"#0C5C8D"},"links":{"sideLinks":[],"mainLinks":[{"children":[{"linkType":"INTERNAL","id":"migrated-link-1","params":{"boardId":"TechnicalForum","categoryId":"Forums"},"routeName":"ForumBoardPage"},{"linkType":"INTERNAL","id":"migrated-link-2","params":{"boardId":"WaterCooler","categoryId":"Forums"},"routeName":"ForumBoardPage"}],"linkType":"INTERNAL","id":"migrated-link-0","params":{"categoryId":"Forums"},"routeName":"CategoryPage"},{"children":[{"linkType":"INTERNAL","id":"migrated-link-4","params":{"boardId":"codeshare","categoryId":"CrowdSRC"},"routeName":"TkbBoardPage"},{"linkType":"INTERNAL","id":"migrated-link-5","params":{"boardId":"communityarticles","categoryId":"CrowdSRC"},"routeName":"TkbBoardPage"}],"linkType":"INTERNAL","id":"migrated-link-3","params":{"categoryId":"CrowdSRC"},"routeName":"CategoryPage"},{"children":[{"linkType":"INTERNAL","id":"migrated-link-7","params":{"boardId":"TechnicalArticles","categoryId":"Articles"},"routeName":"TkbBoardPage"},{"linkType":"INTERNAL","id":"article-series","params":{"boardId":"article-series","categoryId":"Articles"},"routeName":"TkbBoardPage"},{"linkType":"INTERNAL","id":"security-insights","params":{"boardId":"security-insights","categoryId":"Articles"},"routeName":"TkbBoardPage"},{"linkType":"INTERNAL","id":"migrated-link-8","params":{"boardId":"DevCentralNews","categoryId":"Articles"},"routeName":"TkbBoardPage"}],"linkType":"INTERNAL","id":"migrated-link-6","params":{"categoryId":"Articles"},"routeName":"CategoryPage"},{"children":[{"linkType":"INTERNAL","id":"migrated-link-10","params":{"categoryId":"CommunityGroups"},"routeName":"CategoryPage"},{"linkType":"INTERNAL","id":"migrated-link-11","params":{"categoryId":"F5-Groups"},"routeName":"CategoryPage"}],"linkType":"INTERNAL","id":"migrated-link-9","params":{"categoryId":"GroupsCategory"},"routeName":"CategoryPage"},{"children":[],"linkType":"INTERNAL","id":"migrated-link-12","params":{"boardId":"Events","categoryId":"top"},"routeName":"EventBoardPage"},{"children":[],"linkType":"INTERNAL","id":"migrated-link-13","params":{"boardId":"Suggestions","categoryId":"top"},"routeName":"IdeaBoardPage"},{"children":[],"linkType":"EXTERNAL","id":"Common-external-link","url":"https://community.f5.com/c/how-do-i","target":"SELF"}]},"className":"QuiltComponent_lia-component-edit-mode__lQ9Z6","showSearchIcon":false},"__typename":"QuiltComponent"},{"id":"community.widget.bannerWidget","props":{"backgroundColor":"transparent","visualEffects":{"showBottomBorder":false},"backgroundImageProps":{"backgroundSize":"COVER","backgroundPosition":"CENTER_CENTER","backgroundRepeat":"NO_REPEAT"},"fontColor":"#222222"},"__typename":"QuiltComponent"},{"id":"community.widget.breadcrumbWidget","props":{"backgroundColor":"var(--lia-bs-primary)","linkHighlightColor":"#FFFFFF","visualEffects":{"showBottomBorder":false},"backgroundOpacity":60,"linkTextColor":"#FFFFFF"},"__typename":"QuiltComponent"}],"__typename":"QuiltWrapperSection"},"footer":{"backgroundImageProps":{"assetName":null,"backgroundSize":"COVER","backgroundRepeat":"NO_REPEAT","backgroundPosition":"CENTER_CENTER","lastModified":null,"__typename":"BackgroundImageProps"},"backgroundColor":"var(--lia-bs-body-color)","items":[{"id":"custom.widget.Beta_Footer","props":{"widgetVisibility":"signedInOrAnonymous","useTitle":true,"useBackground":false,"title":"","lazyLoad":false},"__typename":"QuiltComponent"},{"id":"custom.widget.Tag_Manager_Helper","props":{"widgetVisibility":"signedInOrAnonymous","useTitle":true,"useBackground":false,"title":"","lazyLoad":false},"__typename":"QuiltComponent"},{"id":"custom.widget.Consent_Blackbar","props":{"widgetVisibility":"signedInOrAnonymous","useTitle":true,"useBackground":false,"title":"","lazyLoad":false},"__typename":"QuiltComponent"}],"__typename":"QuiltWrapperSection"},"__typename":"QuiltWrapper","localOverride":false},"localOverride":false},"CachedAsset:text:en_US-components/common/ActionFeedback-1743097587452":{"__typename":"CachedAsset","id":"text:en_US-components/common/ActionFeedback-1743097587452","value":{"joinedGroupHub.title":"Welcome","joinedGroupHub.message":"You are now a member of this group and are subscribed to updates.","groupHubInviteNotFound.title":"Invitation Not Found","groupHubInviteNotFound.message":"Sorry, we could not find your invitation to the group. The owner may have canceled the invite.","groupHubNotFound.title":"Group Not Found","groupHubNotFound.message":"The grouphub you tried to join does not exist. It may have been deleted.","existingGroupHubMember.title":"Already Joined","existingGroupHubMember.message":"You are already a member of this group.","accountLocked.title":"Account Locked","accountLocked.message":"Your account has been locked due to multiple failed attempts. Try again in {lockoutTime} minutes.","editedGroupHub.title":"Changes Saved","editedGroupHub.message":"Your group has been updated.","leftGroupHub.title":"Goodbye","leftGroupHub.message":"You are no longer a member of this group and will not receive future updates.","deletedGroupHub.title":"Deleted","deletedGroupHub.message":"The group has been deleted.","groupHubCreated.title":"Group Created","groupHubCreated.message":"{groupHubName} is ready to use","accountClosed.title":"Account Closed","accountClosed.message":"The account has been closed and you will now be redirected to the homepage","resetTokenExpired.title":"Reset Password Link has Expired","resetTokenExpired.message":"Try resetting your password again","invalidUrl.title":"Invalid URL","invalidUrl.message":"The URL you're using is not recognized. Verify your URL and try again.","accountClosedForUser.title":"Account Closed","accountClosedForUser.message":"{userName}'s account is closed","inviteTokenInvalid.title":"Invitation Invalid","inviteTokenInvalid.message":"Your invitation to the community has been canceled or expired.","inviteTokenError.title":"Invitation Verification Failed","inviteTokenError.message":"The url you are utilizing is not recognized. Verify your URL and try again","pageNotFound.title":"Access Denied","pageNotFound.message":"You do not have access to this area of the community or it doesn't exist","eventAttending.title":"Responded as Attending","eventAttending.message":"You'll be notified when there's new activity and reminded as the event approaches","eventInterested.title":"Responded as Interested","eventInterested.message":"You'll be notified when there's new activity and reminded as the event approaches","eventNotFound.title":"Event Not Found","eventNotFound.message":"The event you tried to respond to does not exist.","redirectToRelatedPage.title":"Showing Related Content","redirectToRelatedPageForBaseUsers.title":"Showing Related Content","redirectToRelatedPageForBaseUsers.message":"The content you are trying to access is archived","redirectToRelatedPage.message":"The content you are trying to access is archived","relatedUrl.archivalLink.flyoutMessage":"The content you are trying to access is archived View Archived Content"},"localOverride":false},"CachedAsset:component:custom.widget.Beta_MetaNav-en-1742463042522":{"__typename":"CachedAsset","id":"component:custom.widget.Beta_MetaNav-en-1742463042522","value":{"component":{"id":"custom.widget.Beta_MetaNav","template":{"id":"Beta_MetaNav","markupLanguage":"HANDLEBARS","style":null,"texts":null,"defaults":{"config":{"applicablePages":[],"description":"MetaNav menu at the top of every page.","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"components":[{"id":"custom.widget.Beta_MetaNav","form":null,"config":null,"props":[],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config":{"applicablePages":[],"description":"MetaNav menu at the top of every page.","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss":null,"form":null},"localOverride":false},"CachedAsset:component:custom.widget.Beta_Footer-en-1742463042522":{"__typename":"CachedAsset","id":"component:custom.widget.Beta_Footer-en-1742463042522","value":{"component":{"id":"custom.widget.Beta_Footer","template":{"id":"Beta_Footer","markupLanguage":"HANDLEBARS","style":null,"texts":null,"defaults":{"config":{"applicablePages":[],"description":"DevCentral´s custom footer.","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"components":[{"id":"custom.widget.Beta_Footer","form":null,"config":null,"props":[],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config":{"applicablePages":[],"description":"DevCentral´s custom footer.","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss":null,"form":null},"localOverride":false},"CachedAsset:component:custom.widget.Tag_Manager_Helper-en-1742463042522":{"__typename":"CachedAsset","id":"component:custom.widget.Tag_Manager_Helper-en-1742463042522","value":{"component":{"id":"custom.widget.Tag_Manager_Helper","template":{"id":"Tag_Manager_Helper","markupLanguage":"HANDLEBARS","style":null,"texts":null,"defaults":{"config":{"applicablePages":[],"description":"Helper widget to inject Tag Manager scripts into head element","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"components":[{"id":"custom.widget.Tag_Manager_Helper","form":null,"config":null,"props":[],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config":{"applicablePages":[],"description":"Helper widget to inject Tag Manager scripts into head element","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss":null,"form":null},"localOverride":false},"CachedAsset:component:custom.widget.Consent_Blackbar-en-1742463042522":{"__typename":"CachedAsset","id":"component:custom.widget.Consent_Blackbar-en-1742463042522","value":{"component":{"id":"custom.widget.Consent_Blackbar","template":{"id":"Consent_Blackbar","markupLanguage":"HTML","style":null,"texts":null,"defaults":{"config":{"applicablePages":[],"description":"","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"components":[{"id":"custom.widget.Consent_Blackbar","form":null,"config":null,"props":[],"__typename":"Component"}],"grouping":"TEXTHTML","__typename":"ComponentTemplate"},"properties":{"config":{"applicablePages":[],"description":"","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss":null,"form":null},"localOverride":false},"CachedAsset:text:en_US-components/community/Breadcrumb-1743097587452":{"__typename":"CachedAsset","id":"text:en_US-components/community/Breadcrumb-1743097587452","value":{"navLabel":"Breadcrumbs","dropdown":"Additional parent page navigation"},"localOverride":false},"CachedAsset:text:en_US-components/tags/TagsHeaderWidget-1743097587452":{"__typename":"CachedAsset","id":"text:en_US-components/tags/TagsHeaderWidget-1743097587452","value":{"tag":"{tagName}","topicsCount":"{count} {count, plural, one {Topic} other {Topics}}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageListForNodeByRecentActivityWidget-1743097587452":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageListForNodeByRecentActivityWidget-1743097587452","value":{"title@userScope:other":"Recent Content","title@userScope:self":"Contributions","title@board:FORUM@userScope:other":"Recent Discussions","title@board:BLOG@userScope:other":"Recent Blogs","emptyDescription":"No content to show","MessageListForNodeByRecentActivityWidgetEditor.nodeScope.label":"Scope","title@instance:1706288370055":"Content Feed","title@instance:1743095186784":"Most Recent Updates","title@instance:1704317906837":"Content Feed","title@instance:1743095018194":"Most Recent Updates","title@instance:1702668293472":"Community Feed","title@instance:1743095117047":"Most Recent Updates","title@instance:1704319314827":"Blog Feed","title@instance:1743095235555":"Most Recent Updates","title@instance:1704320290851":"My Contributions","title@instance:1703720491809":"Forum Feed","title@instance:1743095311723":"Most Recent Updates","title@instance:1703028709746":"Group Content Feed","title@instance:VTsglH":"Content Feed"},"localOverride":false},"Category:category:Forums":{"__typename":"Category","id":"category:Forums","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Forum:board:TechnicalForum":{"__typename":"Forum","id":"board:TechnicalForum","forumPolicies":{"__typename":"ForumPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}},"boardPolicies":{"__typename":"BoardPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Forum:board:WaterCooler":{"__typename":"Forum","id":"board:WaterCooler","forumPolicies":{"__typename":"ForumPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}},"boardPolicies":{"__typename":"BoardPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Tkb:board:DevCentralNews":{"__typename":"Tkb","id":"board:DevCentralNews","tkbPolicies":{"__typename":"TkbPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}},"boardPolicies":{"__typename":"BoardPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:GroupsCategory":{"__typename":"Category","id":"category:GroupsCategory","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:F5-Groups":{"__typename":"Category","id":"category:F5-Groups","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:CommunityGroups":{"__typename":"Category","id":"category:CommunityGroups","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Occasion:board:Events":{"__typename":"Occasion","id":"board:Events","boardPolicies":{"__typename":"BoardPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}},"occasionPolicies":{"__typename":"OccasionPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Idea:board:Suggestions":{"__typename":"Idea","id":"board:Suggestions","boardPolicies":{"__typename":"BoardPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}},"ideaPolicies":{"__typename":"IdeaPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:CrowdSRC":{"__typename":"Category","id":"category:CrowdSRC","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Tkb:board:codeshare":{"__typename":"Tkb","id":"board:codeshare","tkbPolicies":{"__typename":"TkbPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}},"boardPolicies":{"__typename":"BoardPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Tkb:board:communityarticles":{"__typename":"Tkb","id":"board:communityarticles","tkbPolicies":{"__typename":"TkbPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}},"boardPolicies":{"__typename":"BoardPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Tkb:board:security-insights":{"__typename":"Tkb","id":"board:security-insights","tkbPolicies":{"__typename":"TkbPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}},"boardPolicies":{"__typename":"BoardPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Tkb:board:article-series":{"__typename":"Tkb","id":"board:article-series","tkbPolicies":{"__typename":"TkbPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}},"boardPolicies":{"__typename":"BoardPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Conversation:conversation:303789":{"__typename":"Conversation","id":"conversation:303789","topic":{"__typename":"TkbTopicMessage","uid":303789},"lastPostingActivityTime":"2024-06-06T12:06:46.261-07:00","solved":false},"User:user:217018":{"__typename":"User","uid":217018,"login":"Cameron_Delano","registrationData":{"__typename":"RegistrationData","status":null},"deleted":false,"avatar":{"__typename":"UserAvatar","url":"https://community.f5.com/t5/s/zihoc95639/images/dS0yMTcwMTgtMTc1MzZpRjhDN0JBMTNEN0U3RTIyMg"},"id":"user:217018"},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDM3ODktMjA1NzdpNzI4NUUyQkVFQzA5N0VEQw?revision=34\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDM3ODktMjA1NzdpNzI4NUUyQkVFQzA5N0VEQw?revision=34","title":"CatShadow.png","associationType":"COVER","width":907,"height":907,"altText":""},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDM3ODktMjQ4NDlpRkEwMzhBMTg4QzQ1MDBGQg?revision=34\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDM3ODktMjQ4NDlpRkEwMzhBMTg4QzQ1MDBGQg?revision=34","title":"Screenshot 2023-07-06 at 12.00.34 PM.png","associationType":"BODY","width":1499,"height":463,"altText":"Screenshot 2023-07-06 at 12.00.34 PM.png"},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDM3ODktMjQ4NDhpQjc3RUEyQzk4RDdBNzRCMQ?revision=34\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDM3ODktMjQ4NDhpQjc3RUEyQzk4RDdBNzRCMQ?revision=34","title":"Screenshot 2023-07-06 at 11.48.52 AM.png","associationType":"BODY","width":1501,"height":519,"altText":"Screenshot 2023-07-06 at 11.48.52 AM.png"},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDM3ODktMjQ4NDdpRjkwOTQwMEU0RDg0M0NCQg?revision=34\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDM3ODktMjQ4NDdpRjkwOTQwMEU0RDg0M0NCQg?revision=34","title":"Screenshot 2023-07-06 at 11.46.16 AM.png","associationType":"BODY","width":1689,"height":734,"altText":"Screenshot 2023-07-06 at 11.46.16 AM.png"},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDM3ODktMjQ4NTBpRDNBODRDODcxOTMzNEJGNA?revision=34\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDM3ODktMjQ4NTBpRDNBODRDODcxOTMzNEJGNA?revision=34","title":"Screenshot 2023-07-06 at 12.16.31 PM.png","associationType":"BODY","width":1526,"height":1042,"altText":"Screenshot 2023-07-06 at 12.16.31 PM.png"},"TkbTopicMessage:message:303789":{"__typename":"TkbTopicMessage","subject":"Out of the Shadows: API Discovery and Security","conversation":{"__ref":"Conversation:conversation:303789"},"id":"message:303789","revisionNum":34,"uid":303789,"depth":0,"board":{"__ref":"Tkb:board:TechnicalArticles"},"author":{"__ref":"User:user:217018"},"teaser@stripHtml({\"removeProcessingText\":true,\"truncateLength\":-1})":" With F5 Distributed Cloud Web App and API protection security teams can discover, inventory, and secure their critical APIs. Helping bring those rogue Shadow APIs into the light. ","introduction":"","metrics":{"__typename":"MessageMetrics","views":8597},"postTime":"2022-11-07T08:10:26.077-08:00","lastPublishTime":"2024-06-06T12:06:46.261-07:00","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})":" APIs are everywhere \n The connected world runs on APIs. Your banking app uses them, your ride share app uses them, even that weather app you check before walking out the door, it gets that data from an API. We interact with them multiple times throughout our daily life, to do everything from the most essential to the most mundane. They are simply everywhere and more and more are being published every day. \n As you would expect, this proliferation of APIs has marked them as a prime target for malicious actors. In the last couple years there have been quite a few well publicized attacks. From social media to fitness firms, no industry seems to be safe. With recent reports indicating that API vulnerabilities are costing businesses billions of dollars annually, it’s no wonder they are at the top of mind of many cyber security professionals. \n See how F5 is building the most comprehensive API security solution in the industry. \n Documentation and Inventory \n With APIs being such an attractive target for the bad guys, it is important to have a solid process for publishing them. Part of this process is proper documentation of how the API behaves and how it interacts with other APIs. In the case of RESTful APIs, this documentation is done using the OpenAPI aka Swagger specification. With F5 Distributed Cloud Web App and API Protection (XC WAAP), security teams can take that specification file, upload it to the platform, and use it to build a comprehensive inventory of all known APIs, their endpoints, and expected operations (HTTP methods). \n This inventory is then used to build an effective security policy to protect your APIs. But as most of us know, when it comes to deadlines, one of the first things that gets dropped is documentation. You can't protect what you can't see. \n Hidden Vulnerabilities \n In the dark corners of the application landscape lurk the Shadow APIs. These are rogue APIs that are published outside of defined management and security processes and are a prime target for attackers. Whether they are simply undocumented or third-part APIs outside of your control, they are unseen by your security infrastructure and unprotected. These can be a severe risk to an organization, so much so that they have been included in the OWASP API Security project as part of API9:2019 Improper Assets Management. Discovering, inventorying, and protecting these APIs is of critical importance. \n Shining a Light - API Discovery \n The most effective tool we have available to bring these nefarious APIs out of the shadows, is API Discovery. The F5 XC WAAP platform learns the schema structure of the Shadow API by analyzing sampled request data, then reverse-engineering the schema to generates an OpenAPI spec. This can then be ingested and inventoried, just like our properly documented APIs, closing the security loophole. This learning process runs periodically, ensuring the API inventory is as up to date as possible. This doesn't mean we can be lazy in our documentation; it means we can catch things that get missed or are out of our control. \n \n Schema Validation \n Schema validation based on the OpenAPI Specification is a critical component of a robust API security strategy. It ensures that API requests and responses align with the schema defined in our specification, reinforcing data structure conformity and validating input/output data. By implementing schema validation, organizations can bolster the integrity, security, and interoperability of their APIs while proactively addressing potential vulnerabilities. The F5 XC WAAP platform provides flexible configuration options, allowing you to apply schema validation to all or specific endpoints within your API Definition. With multiple enforcement types and a customizable set of properties to validate against your specification, you have granular control over the validation process. Additionally, the platform supports the creation of fall-through rules to effectively handle any shadow APIs that may arise. \n \n Visibility and Dashboards \n In today's dynamic API landscape, maintaining comprehensive visibility into the security posture of your endpoints is paramount. Dashboards play a crucial role in providing this visibility, allowing you to effortlessly monitor and assess the security of your APIs. The F5 XC WAAP platform goes beyond basic API inventory management by offering advanced dashboards that present essential security information based on actual and attack traffic. Within the API Endpoints Dashboard, you gain valuable insights into critical security aspects. You are presented with the Top Attacked APIs by percentage of attacks, Top Sensitive Data types found, Total API calls broken down by response code, and Most Active APIs. In the table view of the inventory, you can easily access information such as discovered sensitive data types, threat levels determined by attack traffic, authentication status, API category, and the risk score assigned by the platform. This consolidated view enables you to quickly identify potential vulnerabilities, prioritize remediation efforts, and make informed decisions to strengthen the overall security posture of your APIs. \n \n The threat cannot be ignored \n We increasingly rely on applications for some of the most important aspects of our lives. Given the sensitive nature of the data that can be exposed by unprotected APIs, the need for effective security cannot be stressed enough. Recent breaches have exposed everything from your credit score to your age, gender, and even how often you work out. Worst of all we have seen unprotected APIs expose Personally Identifiable Information and login credentials of 37 million people. The threat is real and cannot be ignored. \n With F5 Distributed Cloud Web App and API protection security teams can discover, inventory, and secure their critical APIs. Helping you defend your known endpoints and bring those rogue Shadow APIs into the light. \n DevSecOps and F5 Distributed Cloud API Security \n No modern security strategy is complete without incorporating DevSecOps practices. Integrating security into the entire software delivery lifecycle is essential for delivering secure applications with speed and quality. Deploy the API Discovery and Security discussed in this article using Infrastructure as Code and GitHub Actions. The F5 Distributed Cloud WAAP Terraform Examples repository is a great jumping off point for organizations looking to deploy the F5 XC solutions showcased here using DevSecOps practices. \n Deployment Workflow Guides \n Get started with Distributed Cloud runtime API Protection using our deployment guides covering both console and automation workflows. \n Deploy F5 XC API Security on XC Regional Edges \n Deploy F5 XC API Security on XC Regional Edges + AppConnect \n Deploy F5 XC API Security on XC Customer Edges \n Discovery in Action \n \n \n \n Additional Resources \n Deploy F5 Distributed Cloud API Discovery and Security: F5 Distributed Cloud WAAP Terraform Examples GitHub Repo \n Deploy F5 Hybrid Architectures API Discovery and Security: F5 Distributed Cloud Hybrid Security Architectures GitHub Repo \n F5 Distributed Cloud Documentation: F5 Distributed Cloud Terraform Provider Documentation F5 Distributed Cloud Services API Documentation ","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})@stringLength":"7636","kudosSumWeight":16,"repliesCount":2,"readOnly":false,"images":{"__typename":"AssociatedImageConnection","edges":[{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDE","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDM3ODktMjA1NzdpNzI4NUUyQkVFQzA5N0VEQw?revision=34\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDI","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDM3ODktMjQ4NDlpRkEwMzhBMTg4QzQ1MDBGQg?revision=34\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDM","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDM3ODktMjQ4NDhpQjc3RUEyQzk4RDdBNzRCMQ?revision=34\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDQ","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDM3ODktMjQ4NDdpRjkwOTQwMEU0RDg0M0NCQg?revision=34\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDU","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDM3ODktMjQ4NTBpRDNBODRDODcxOTMzNEJGNA?revision=34\"}"}}],"totalCount":5,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"videos":{"__typename":"VideoConnection","edges":[{"__typename":"VideoEdge","cursor":"MHxodHRwczovL3lvdXR1LmJlL0RuREVjS1NDNEhnP3NpPVFSR2VsdUEwZ3VBY3VuOWx8MHwyNTsyNXx8","node":{"__typename":"AssociatedVideo","videoTag":{"__typename":"VideoTag","vid":"https://youtu.be/DnDEcKSC4Hg?si=QRGeluA0guAcun9l","thumbnail":"https://i.ytimg.com/vi/DnDEcKSC4Hg/hqdefault.jpg","uploading":false,"height":240,"width":320,"title":null},"videoAssociationType":"INLINE_BODY"}}],"totalCount":1,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}}},"Conversation:conversation:303142":{"__typename":"Conversation","id":"conversation:303142","topic":{"__typename":"TkbTopicMessage","uid":303142},"lastPostingActivityTime":"2023-02-07T10:30:03.247-08:00","solved":false},"User:user:418292":{"__typename":"User","uid":418292,"login":"Dave_Potter","registrationData":{"__typename":"RegistrationData","status":null},"deleted":false,"avatar":{"__typename":"UserAvatar","url":"https://community.f5.com/t5/s/zihoc95639/images/dS00MTgyOTItMTg3MjFpQjk4MDYyMjM5NTk2MUI5Nw"},"id":"user:418292"},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDMxNDItMjAxOTBpMjlDRkVGMDg0MzA4NTIxMg?revision=10\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDMxNDItMjAxOTBpMjlDRkVGMDg0MzA4NTIxMg?revision=10","title":"ruth-paradis-yhPIRUOdHVs-unsplash.jpg","associationType":"COVER","width":4608,"height":3072,"altText":""},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDMxNDItMjAxOTFpMTM2MEFGNjUxQ0UwMjcwMg?revision=10\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDMxNDItMjAxOTFpMTM2MEFGNjUxQ0UwMjcwMg?revision=10","title":"Slide2.jpeg","associationType":"BODY","width":1920,"height":1080,"altText":null},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDMxNDItMjAxOTJpNjM4QzBCQ0I3OUJDNzQ5RQ?revision=10\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDMxNDItMjAxOTJpNjM4QzBCQ0I3OUJDNzQ5RQ?revision=10","title":"Slide4.jpeg","associationType":"BODY","width":1920,"height":1080,"altText":null},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDMxNDItMjAxOTNpMkJGQUEzQzkxRDg0MzkzMQ?revision=10\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDMxNDItMjAxOTNpMkJGQUEzQzkxRDg0MzkzMQ?revision=10","title":"Slide5.jpeg","associationType":"BODY","width":1920,"height":1080,"altText":null},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDMxNDItMjAxOTRpQTNCRTYxOTk5OERFOEE4Rg?revision=10\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDMxNDItMjAxOTRpQTNCRTYxOTk5OERFOEE4Rg?revision=10","title":"CDN-WAAP-Step2 DNS.png","associationType":"BODY","width":1920,"height":1080,"altText":null},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDMxNDItMjAxOTVpQ0VFODE1N0Q2OEZGMTNCOA?revision=10\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDMxNDItMjAxOTVpQ0VFODE1N0Q2OEZGMTNCOA?revision=10","title":"CDN-WAAP-1.jpg","associationType":"BODY","width":1316,"height":314,"altText":null},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDMxNDItMjAxOTZpQzA1RTdDQTI3QjVDMjhDNg?revision=10\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDMxNDItMjAxOTZpQzA1RTdDQTI3QjVDMjhDNg?revision=10","title":"CDN-WAAP-Step4.png","associationType":"BODY","width":1920,"height":1080,"altText":null},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDMxNDItMjAxOTdpOTNBREM0RUM4QjQwMEZCRg?revision=10\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDMxNDItMjAxOTdpOTNBREM0RUM4QjQwMEZCRg?revision=10","title":"CDN-WAAP-Step5.png","associationType":"BODY","width":1920,"height":1080,"altText":null},"TkbTopicMessage:message:303142":{"__typename":"TkbTopicMessage","subject":"Use F5 Distributed Cloud to service chain WAAP and CDN","conversation":{"__ref":"Conversation:conversation:303142"},"id":"message:303142","revisionNum":10,"uid":303142,"depth":0,"board":{"__ref":"Tkb:board:TechnicalArticles"},"author":{"__ref":"User:user:418292"},"teaser@stripHtml({\"removeProcessingText\":true,\"truncateLength\":-1})":"","introduction":"","metrics":{"__typename":"MessageMetrics","views":7638},"postTime":"2022-11-01T09:00:00.015-07:00","lastPublishTime":"2023-02-07T10:30:03.247-08:00","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})":" \n The Content Delivery Network (CDN) market has become increasingly commoditized. Many providers have augmented their CDN capabilities with WAFs/WAAPs, DNS, load balancing, edge compute, and networking. Managing all these solutions together creates a web of operational complexity, which can be confusing. \n F5’s synergistic bundling of CDN with Web Application and API Protection (WAAP) benefits those looking for simplicity and ease of use. It provides a way around the complications and silos that many resource-strapped organizations face with their IT systems. \n This bundling also signifies how CDN has become a commodity product often not purchased independently anymore. This trend is encouraging many competitors to evolve their capabilities to include edge computing – a space where F5 has gained considerable experience in recent years. \n F5 is rapidly catching up to other providers’ CDNs. F5’s experience and leadership building the world’s best-of-breed Application Delivery Controller (ADC), the BIG-IP load balancer, put it in a unique position to offer the best application delivery and security services directly at the edge with many of its CDN points of presence. With robust regional edge capabilities and a global network, F5 has entered the CDN space with a complementary offering to an already compelling suite of features. This includes the ability to run microservices and Kubernetes workloads anywhere, with a complete range of services to support app infrastructure deployment, scale, and lifecycle management all within a single management console. \n \n \n With advancements made in the application security space at F5, WAAP capabilities are directly integrated into the Distributed Cloud Platform to protect both web apps and APIs. Features include (yet not limited to): \n \n Web Application Firewall: Signature + Behavioral WAF functionality \n Bot Defense: Detect client signals, determining if clients are human or automated \n DDoS Mitigation: Fully managed by F5 \n API Security: Continuous inspection and detection of shadow APIs \n \n Solution \n Combining the Distributed Cloud WAAP with CDN as a form of service chaining is a straightforward process. This not only gives you the best security protection for web apps and APIs, but also positions apps regionally to deliver them with low latency and minimal compute per request. \n In the following solution, we’ve combined Distributed Cloud WAAP and CDN to globally deliver an app protected by a WAF policy from the closest regional point of presence to the user. Follow along as I demonstrate how to configure the basic elements. \n \n Configuration \n \n Log in to the Distributed Cloud Console and navigate to the DNS Management service. Decide if you want Distributed Cloud to manage the DNS zone as a Primary DNS server or if you’d rather delegate the fully qualified domain name (FQDN) for your app to Distributed Cloud with a CNAME. While using Delegation or Managed DNS is optional, doing so makes it possible for Distributed Cloud to automatically create and manage the SSL certificates needed to securely publish your app. \n \n Next, in Distributed Cloud Console, navigate to the Web App and API Protection service, then go to App Firewall, then Add App Firewall. This is where you’ll create the security policy that we’ll later connect our HTTP LB. Let’s use the following basic WAF policy in YAML format, you can paste it directly in to the Console by changing the configuration view to JSON and then changing the format to YAML. Note: This uses the namespace “waap-cdn”, change this to match your individual tenant’s configuration. \n metadata:\n name: buytime-waf\n namespace: waap-cdn\n labels: {}\n annotations: {}\n disable: false\nspec:\n blocking: {}\n detection_settings:\n signature_selection_setting:\n default_attack_type_settings: {}\n high_medium_low_accuracy_signatures: {}\n enable_suppression: {}\n enable_threat_campaigns: {}\n default_violation_settings: {}\n bot_protection_setting:\n malicious_bot_action: BLOCK\n suspicious_bot_action: REPORT\n good_bot_action: REPORT\n allow_all_response_codes: {}\n default_anonymization: {}\n use_default_blocking_page: {} \n With the WAF policy saved, it’s time to configure the origin server. Navigate to Load Balancers > Origin Pools, then Add Origin Pool. The following YAML uses a FQDN DNS name reach the app server. Using an IP address for the server is possible as well. \n metadata:\n name: buytime-pool\n namespace: waap-cdn\n labels: {}\n annotations: {}\n disable: false\nspec:\n origin_servers:\n - public_name:\n dns_name: webserver.f5-cloud-demo.com\n labels: {}\n no_tls: {}\n port: 80\n same_as_endpoint_port: {}\n healthcheck: []\n loadbalancer_algorithm: LB_OVERRIDE\n endpoint_selection: LOCAL_PREFERRED \n With the supporting WAF and Origin Pool resources configured, it’s time to create the HTTP Load Balancer. Navigate to Load Balancers > HTTP Load Balancers, then create a new one. Use the following YAML to create the LB and use both resources created above. \n metadata:\n name: buytime-online\n namespace: waap-cdn\n labels: {}\n annotations: {}\n disable: false\nspec:\n domains:\n - buytime.waap.f5-cloud-demo.com\n https_auto_cert:\n http_redirect: true\n add_hsts: true\n port: 443\n tls_config:\n default_security: {}\n no_mtls: {}\n default_header: {}\n enable_path_normalize: {}\n non_default_loadbalancer: {}\n header_transformation_type:\n default_header_transformation: {}\n advertise_on_public_default_vip: {}\n default_route_pools:\n - pool:\n tenant: your-tenant-uid\n namespace: waap-cdn\n name: buytime-pool\n kind: origin_pool\n weight: 1\n priority: 1\n endpoint_subsets: {}\n routes: []\n app_firewall:\n tenant: your-tenant-uid\n namespace: waap-cdn\n name: buytime-waf\n kind: app_firewall\n add_location: true\n no_challenge: {}\n user_id_client_ip: {}\n disable_rate_limit: {}\n waf_exclusion_rules: []\n data_guard_rules: []\n blocked_clients: []\n trusted_clients: []\n ddos_mitigation_rules: []\n service_policies_from_namespace: {}\n round_robin: {}\n disable_trust_client_ip_headers: {}\n disable_ddos_detection: {}\n disable_malicious_user_detection: {}\n disable_api_discovery: {}\n disable_bot_defense: {}\n disable_api_definition: {}\n disable_ip_reputation: {}\n disable_client_side_defense: {}\nresource_version: \"517528014\" \n With the HTTP LB successfully deployed, check that its status is ready on the status page. \n \n You can verify the LB is working by sending a basic request using the command line tool, curl. Confirm that the value of the HTTP header “Server” is “volt-adc”. \n da.potter@lab ~ % curl -I https://buytime.waap.f5-cloud-demo.com\nHTTP/2 200 \ndate: Mon, 17 Oct 2022 23:23:55 GMT\ncontent-type: text/html; charset=UTF-8\ncontent-length: 2200\nvary: Origin\naccess-control-allow-credentials: true\naccept-ranges: bytes\ncache-control: public, max-age=0\nlast-modified: Wed, 24 Feb 2021 11:06:36 GMT\netag: W/\"898-177d3b82260\"\nx-envoy-upstream-service-time: 136\nstrict-transport-security: max-age=31536000\nset-cookie: 1f945=1666049035840-557942247; Path=/; Domain=f5-cloud-demo.com; Expires=Sun, 17 Oct 2032 23:23:55 GMT\nset-cookie: 1f9403=viJrSNaAp766P6p6EKZK7nyhofjXCVawnskkzsrMBUZIoNQOEUqXFkyymBAGlYPNQXOUBOOYKFfs0ne+fKAT/ozN5PM4S5hmAIiHQ7JAh48P4AP47wwPqdvC22MSsSejQ0upD9oEhkQEeTG1Iro1N9sLh+w+CtFS7WiXmmJFV9FAl3E2; path=/\nx-volterra-location: wes-sea\nserver: volt-adc \n Now it’s time to configure the CDN Distribution and service chain it to the WAAP HTTP LB. Navigate to Content Delivery Network > Distributions, then Add Distribution. The following YAML creates a basic CDN configuration that uses the WAAP HTTP LB above. \n metadata:\n name: buytime-cdn\n namespace: waap-cdn\n labels: {}\n annotations: {}\n disable: false\nspec:\n domains:\n - buytime.f5-cloud-demo.com\n https_auto_cert:\n http_redirect: true\n add_hsts: true\n tls_config:\n tls_12_plus: {}\n add_location: false\n more_option:\n cache_ttl_options:\n cache_ttl_override: 1m\n origin_pool:\n public_name:\n dns_name: buytime.waap.f5-cloud-demo.com\n use_tls:\n use_host_header_as_sni: {}\n tls_config:\n default_security: {}\n volterra_trusted_ca: {}\n no_mtls: {}\n origin_servers:\n - public_name:\n dns_name: buytime.waap.f5-cloud-demo.com\n follow_origin_redirect: false\nresource_version: \"518473853\" \n After saving the configuration, verify that the status is “Active”. You can confirm the CDN deployment status for each individual region by going to the distribution’s action button “Show Global Status”, and scrolling down to each region to see that each region’s “site_status.status” value is “DEPLOYMENT_STATUS_DEPLOYED”. \n \n Verification \n With the CDN Distribution successfully deployed, it’s possible to confirm with the following basic request using curl. Take note of the two HTTP headers “Server” and “x-cache-status”. The Server value will now be “volt-cdn”, and the x-cache-status will be “MISS” for the first request. \n da.potter@lab ~ % curl -I https://buytime.f5-cloud-demo.com \nHTTP/2 200 \ndate: Mon, 17 Oct 2022 23:24:04 GMT\ncontent-type: text/html; charset=UTF-8\ncontent-length: 2200\nvary: Origin\naccess-control-allow-credentials: true\naccept-ranges: bytes\ncache-control: public, max-age=0\nlast-modified: Wed, 24 Feb 2021 11:06:36 GMT\netag: W/\"898-177d3b82260\"\nx-envoy-upstream-service-time: 63\nstrict-transport-security: max-age=31536000\nset-cookie: 1f945=1666049044863-471593352; Path=/; Domain=f5-cloud-demo.com; Expires=Sun, 17 Oct 2032 23:24:04 GMT\nset-cookie: 1f9403=aCNN1JINHqvWPwkVT5OH3c+OIl6+Ve9Xkjx/zfWxz5AaG24IkeYqZ+y6tQqE9CiFkNk+cnU7NP0EYtgGnxV0dLzuo3yHRi3dzVLT7PEUHpYA2YSXbHY6yTijHbj/rSafchaEEnzegqngS4dBwfe56pBZt52MMWsUU9x3P4yMzeeonxcr; path=/\nx-volterra-location: dal3-dal\nserver: volt-cdn\nx-cache-status: MISS\nstrict-transport-security: max-age=31536000 \n To see a security violation detected by the WAF in real-time, you can simulate a simple XSS exploit with the following curl: \n da.potter@lab ~ % curl -Gv \"https://buytime.f5-cloud-demo.com?<script>('alert:XSS')</script>\"\n* Trying x.x.x.x:443...\n* Connected to buytime.f5-cloud-demo.com (x.x.x.x) port 443 (#0)\n* ALPN, offering h2\n* ALPN, offering http/1.1\n* successfully set certificate verify locations:\n* CAfile: /etc/ssl/cert.pem\n* CApath: none\n* (304) (OUT), TLS handshake, Client hello (1):\n* (304) (IN), TLS handshake, Server hello (2):\n* TLSv1.2 (IN), TLS handshake, Certificate (11):\n* TLSv1.2 (IN), TLS handshake, Server key exchange (12):\n* TLSv1.2 (IN), TLS handshake, Server finished (14):\n* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):\n* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):\n* TLSv1.2 (OUT), TLS handshake, Finished (20):\n* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):\n* TLSv1.2 (IN), TLS handshake, Finished (20):\n* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES256-GCM-SHA384\n* ALPN, server accepted to use h2\n* Server certificate:\n* subject: CN=buytime.f5-cloud-demo.com\n* start date: Oct 14 23:51:02 2022 GMT\n* expire date: Jan 12 23:51:01 2023 GMT\n* subjectAltName: host \"buytime.f5-cloud-demo.com\" matched cert's \"buytime.f5-cloud-demo.com\"\n* issuer: C=US; O=Let's Encrypt; CN=R3\n* SSL certificate verify ok.\n* Using HTTP2, server supports multiplexing\n* Connection state changed (HTTP/2 confirmed)\n* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0\n* Using Stream ID: 1 (easy handle 0x14f010000)\n> GET /?<script>('alert:XSS')</script> HTTP/2\n> Host: buytime.f5-cloud-demo.com\n> user-agent: curl/7.79.1\n> accept: */*\n> \n* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!\n< HTTP/2 200 \n< date: Sat, 22 Oct 2022 01:04:39 GMT\n< content-type: text/html; charset=UTF-8\n< content-length: 269\n< cache-control: no-cache\n< pragma: no-cache\n< set-cookie: 1f945=1666400679155-452898837; Path=/; Domain=f5-cloud-demo.com; Expires=Fri, 22 Oct 2032 01:04:39 GMT\n< set-cookie: 1f9403=/1b+W13c7xNShbbe6zE3KKUDNPCGbxRMVhI64uZny+HFXxpkJMsCKmDWaihBD4KWm82reTlVsS8MumTYQW6ktFQqXeFvrMDFMSKdNSAbVT+IqQfSuVfVRfrtgRkvgzbDEX9TUIhp3xJV3R1jdbUuAAaj9Dhgdsven8FlCaADENYuIlBE; path=/\n< x-volterra-location: dal3-dal\n< server: volt-cdn\n< x-cache-status: MISS\n< strict-transport-security: max-age=31536000\n< \n<html><head><title>Request Rejected</title></head>\n<body>The requested URL was rejected. Please consult with your administrator.<br/><br/>\nYour support ID is 85281693-eb72-4891-9099-928ffe00869c<br/><br/><a href='javascript&colon;history.back();'>[Go Back]</a></body></html>\n* Connection #0 to host buytime.f5-cloud-demo.com left intact \n Notice that the above request intentionally by-passes the CDN cache and is sent to the HTTP LB for the WAF policy to inspect. With this request rejected, you can confirm the attack by navigating to the WAAP HTTP LB Security page under the WAAP Security section within Apps & APIs. After refreshing the page, you’ll see the security violation under the “Top Attacked” panel. \n \n Demo \n To see all of this in action, watch my video below. This uses all of the configuration details above to make a WAAP + CDN service chain in Distributed Cloud. \n \n Additional Guides \n Virtually deploy this solution in our product simulator, or hands-on with step-by-step comprehensive demo guide. The demo guide includes all the steps, including those that are needed prior to deployment, so that once deployed, the solution works end-to-end without any tweaks to local DNS. The demo guide steps can also be automated with Ansible, in case you'd either like to replicate it or simply want to jump to the end and work your way back. \n Conclusion \n This shows just how simple it can be to use the Distributed Cloud CDN to frontend your web app protected by a WAF, all natively within the F5 Distributed Cloud’s regional edge POPs. The advantage of this solution should now be clear – the Distributed Cloud CDN is cloud-agnostic, flexible, agile, and you can enforce security policies anywhere, regardless of whether your web app lives on-prem, in and across clouds, or even at the edge. \n For more information about Distributed Cloud WAAP and Distributed Cloud CDN, visit the following resources: Product website: https://www.f5.com/cloud/products/cdn Distributed Cloud CDN & WAAP Demo Guide: https://github.com/f5devcentral/xcwaapcdnguide Video: https://youtu.be/OUD8R6j5Q8o Simulator: https://simulator.f5.com/s/waap-cdn Demo Guide: https://github.com/f5devcentral/xcwaapcdnguide \n ","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})@stringLength":"14788","kudosSumWeight":10,"repliesCount":0,"readOnly":false,"images":{"__typename":"AssociatedImageConnection","edges":[{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDE","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDMxNDItMjAxOTBpMjlDRkVGMDg0MzA4NTIxMg?revision=10\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDI","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDMxNDItMjAxOTFpMTM2MEFGNjUxQ0UwMjcwMg?revision=10\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDM","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDMxNDItMjAxOTJpNjM4QzBCQ0I3OUJDNzQ5RQ?revision=10\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDQ","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDMxNDItMjAxOTNpMkJGQUEzQzkxRDg0MzkzMQ?revision=10\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDU","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDMxNDItMjAxOTRpQTNCRTYxOTk5OERFOEE4Rg?revision=10\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDY","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDMxNDItMjAxOTVpQ0VFODE1N0Q2OEZGMTNCOA?revision=10\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDc","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDMxNDItMjAxOTZpQzA1RTdDQTI3QjVDMjhDNg?revision=10\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDg","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDMxNDItMjAxOTdpOTNBREM0RUM4QjQwMEZCRg?revision=10\"}"}}],"totalCount":8,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"videos":{"__typename":"VideoConnection","edges":[{"__typename":"VideoEdge","cursor":"MHxodHRwczovL3lvdXR1LmJlL09VRDhSNmo1UThvfDB8MjU7MjV8fA","node":{"__typename":"AssociatedVideo","videoTag":{"__typename":"VideoTag","vid":"https://youtu.be/OUD8R6j5Q8o","thumbnail":"https://i.ytimg.com/vi/OUD8R6j5Q8o/hqdefault.jpg","uploading":false,"height":338,"width":600,"title":null},"videoAssociationType":"INLINE_BODY"}}],"totalCount":1,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}}},"Conversation:conversation:313079":{"__typename":"Conversation","id":"conversation:313079","topic":{"__typename":"TkbTopicMessage","uid":313079},"lastPostingActivityTime":"2024-05-01T12:37:27.568-07:00","solved":false},"User:user:305638":{"__typename":"User","uid":305638,"login":"Valentin_Tobi","registrationData":{"__typename":"RegistrationData","status":null},"deleted":false,"avatar":{"__typename":"UserAvatar","url":"https://community.f5.com/t5/s/zihoc95639/images/dS0zMDU2MzgtMjE5NThpMzEwNzRGNTRCM0ZCREU4Rg"},"id":"user:305638"},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMTMwNzktMjM0MjVpMENGN0UxQ0UxMkQxRkRBQQ?revision=25\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMTMwNzktMjM0MjVpMENGN0UxQ0UxMkQxRkRBQQ?revision=25","title":"DCCover-_0008_jerry-zhang-dBmXY-9CnF8-unsplash.jpg","associationType":"COVER","width":500,"height":500,"altText":""},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMTMwNzktMjU1NDNpRUVFQTQ0NzQyNTI2QjQ5RA?revision=25\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMTMwNzktMjU1NDNpRUVFQTQ0NzQyNTI2QjQ5RA?revision=25","title":"Valentin_Tobi_0-1693342152948.png","associationType":"BODY","width":1726,"height":978,"altText":"Valentin_Tobi_0-1693342152948.png"},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMTMwNzktMjU1NDRpMTQ4NzQyMjk1MEQxRTdBNA?revision=25\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMTMwNzktMjU1NDRpMTQ4NzQyMjk1MEQxRTdBNA?revision=25","title":"Valentin_Tobi_1-1693342234212.png","associationType":"BODY","width":1692,"height":980,"altText":"Valentin_Tobi_1-1693342234212.png"},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMTMwNzktMjU1NDVpRjE1MkM2M0E2MkFCN0VFQw?revision=25\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMTMwNzktMjU1NDVpRjE1MkM2M0E2MkFCN0VFQw?revision=25","title":"Valentin_Tobi_2-1693342315503.png","associationType":"BODY","width":1682,"height":968,"altText":"Valentin_Tobi_2-1693342315503.png"},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMTMwNzktMjU1NDZpMzg0N0E2MkI4NEM0MjBGQg?revision=25\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMTMwNzktMjU1NDZpMzg0N0E2MkI4NEM0MjBGQg?revision=25","title":"Valentin_Tobi_3-1693342372022.png","associationType":"BODY","width":1684,"height":976,"altText":"Valentin_Tobi_3-1693342372022.png"},"TkbTopicMessage:message:313079":{"__typename":"TkbTopicMessage","subject":"Deploy WAF on any Edge with F5 Distributed Cloud (SaaS Console, Automation)","conversation":{"__ref":"Conversation:conversation:313079"},"id":"message:313079","revisionNum":25,"uid":313079,"depth":0,"board":{"__ref":"Tkb:board:TechnicalArticles"},"author":{"__ref":"User:user:305638"},"teaser@stripHtml({\"removeProcessingText\":true,\"truncateLength\":-1})":" F5 XC WAAP/WAF presents a clear advantage over classical WAAP/WAFs in that it can be deployed on a variety of environments without loss of functionality. In this first article of a series, we present an overview of the main deployment options for XC WAAP while follow-on articles will dive deeper into the details of the deployment procedures. ","introduction":"","metrics":{"__typename":"MessageMetrics","views":6298},"postTime":"2023-05-30T05:00:00.034-07:00","lastPublishTime":"2024-05-01T12:37:27.568-07:00","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})":" \n Introduction \n The target deployment environment has long been a critical factor in selecting WAF products as, typically, specific WAFs were better suited for some but not all environments. Appliance-based WAFs, with their superior throughput performance and larger footprint were perfect for on-prem deployments but not the best candidates for Cloud environments. As-a-service deployments where born in the Cloud but did not fit a lab-based Kubernetes use case very well. Modern enterprises tend to deploy their applications in a variety on environments so selecting a WAF specialized for one (primary) environment would mean accepting limitations when deployed in others or buying separate products that would increase management complexity. This should not be the case anymore as F5 Distributed Cloud (XC) can abstract away the underlaying environment and allow for to be deployed in a multitude of environments maintaining full functionality. \n This is the first article in a series that will explore the various ways to deploy XC WAF on any Edge and we will start with an overview of XC WAF deployment options. We will showcase the deployment process in both XC Console and through Terraform automation. Both the XC Console user guides and Terraform automations are hosted in a GitHub repo, F5 XC Terraform Examples, where \"Deploy WAF on any Edge with F5 XC\" is just the first major use case, others following soon. For examples of hybrid F5 XC deployments (alongside NGINX App Protect and BIG-IP Advanced WAF) on multi-cloud and on-premises, check out the F5 XC Hybrid Security Architecture Deployments GitHub repository. \n \n WAF on XC RE (Regional Edge) deployment mode \n This deployment mode is better suited when protecting backend applications which are already public (accessible from the Interned via FQDN or Public IP). \n Architecture \n XC WAF is deployed on the REs, where the services are being advertised to the Internet through Anycast IPs. The end users will connect to their closest RE and the traffic will be inspected by the WAF security policy. The traffic will then be forwarded across the XC Global Network towards an egress RE and then towards the customer site as regular Internet traffic. The customer will filter the traffic, only allowing traffic forwarded by the XC platform. \n Key Security Capabilities \n \n Web Application Firewall \n Bot Protection \n API Protection \n HTTPS SSL Termination \n L3 DDoS protection \n L7 DDoS protection \n \n Implementation examples \n Deploying F5 XC WAF on Regional Edge - XC Console user guide & Terraform automation available \n \n \n WAF (on RE) + AppConnect deployment mode \n This deployment model is the best solution when the backend applications are not yet accessible from the Internet (no FQDN / Public IP). In this case, CE (Customer Edge) sites can be deployed to connect these “private” customer sites to the XC Global Network via IPSEC tunnels opened from XC CE(s) to the closest two REs sites. \n Architecture \n XC WAF is deployed on the REs, where the services are being advertised to the Internet through Anycast IPs. CE(s) are being deployed on the customer sites and connect to the closest two REs through IPSEC tunnels. The end users will connect to their closest RE and the traffic will be inspected by the WAAP security policy. The traffic will then be forwarded across the XC Global Network towards an egress RE and then tover an IPSEC tunnel to the CE site where it will be forwarded to the backend application as pure IP-based traffic. \n Key Security Capabilities \n \n Web Application Firewall \n Bot Protection \n API Protection \n HTTPS SSL Termination \n L3 DDoS protection \n L7 DDoS protection \n \n Implementation examples \n Deploying F5 XC WAF on RE + AppConnect (backend app deployed on VM) - XC Console user guide & Terraform automation available \n Deploying F5 XC WAF on RE + AppConnect (backend app deployed on K8s) - XC Console user guide & Terraform automation available \n Protect LLM applications against Model Denial of Service - XC Console user guide available (Terraform automation coming soon) \n Deploying F5 XC’s Customer Edge using ESXi on VMware Private Cloud - XC Console user guide available \n Deploying F5 XC’s Customer Edge using KVM on OpenStack’s Private Cloud - XC Console user guide available \n WAF on CE (Customer Edge) deployment mode \n This deployment mode is better suited when protecting backend applications that require Internet traffic to be directed to them with no intermediary processing, for security or privacy purposes. Another use case is local traffic (all traffic is sourced and destined for the same customer site). \n Architecture \n XC WAF is configured on the CE(s) deployed on the customer sites. The end users will connect directly to the CEs, bypassing the XC Global Network. The CE sites will be still managed through the XC Cloud-based Console. \n Key Security Capabilities \n \n Web Application Firewall \n Bot Protection \n API Protection \n HTTPS SSL Termination \n No L3 DDoS protection \n L7 DDoS protection \n Best compliance with local regulations \n \n Implementation examples \n Deploying F5 XC WAF on Customer Edge (Single cloud scenario - Azure) - XC Console user guide & Terraform automation available \n Deploying F5 XC WAF on Customer Edge (Single cloud scenario - AWS) - XC Console user guide & Terraform automation available \n Deploying F5 XC WAF on Customer Edge (Single cloud scenario - GCP) - XC Console user guide & Terraform automation available \n \n WAF on Kubernetes deployment mode \n Best fit for closely-coupled protection of workloads deployed in Kubernetes environments. \n Architecture(s) \n XC WAF can be configured on CEs deployed either outside the Kubernetes cluster or inside, as a regular k8s workload. Through the XC Console, XC WAAP can be automated and integrated in CI/CD pipelines as required by the modern apps development methodologies. \n Key Security Capabilities \n \n Web Application Firewall \n Bot Protection \n API Protection \n HTTPS SSL Termination \n No L3 DDoS protection \n L7 DDoS protection \n Best compliance with local regulations \n Best support for DevSecOps practices \n \n Implementation examples \n F5 Distributed Cloud WAF deployment on k8s - XC Console user guide & Terraform automation available \n Conclusion \n F5 XC WAF presents a clear advantage over classical WAFs in that it can be deployed on a variety of environments without loss of functionality. In this first article of a series, we presented an overview of the main deployment options for XC WAF on any Edge while follow-on articles will dive deeper into the details of the deployment procedures. \n For further information or to get started: \n \n F5 Distributed Cloud Terraform Examples GitHub Repository \n F5 Distributed Cloud Platform \n F5 Distributed Cloud WAAP (Web Application and API Protection) Services \n F5 Distributed Cloud WAAP (Web Application and API Protection) YouTube series \n F5 Distributed Cloud WAAP (Web Application and API Protection) Get Started \n F5 Distributed Cloud WAAP - Introducing the Distributed Cloud Web Application Firewall \n F5 Hybrid Security Architectures: One WAF Engine, Total Flexibility (Intro) \n F5 Distributed Cloud Web App and API Protection hybrid architecture for DevSecOps \n \n ","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})@stringLength":"7336","kudosSumWeight":9,"repliesCount":0,"readOnly":false,"images":{"__typename":"AssociatedImageConnection","edges":[{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDE","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMTMwNzktMjM0MjVpMENGN0UxQ0UxMkQxRkRBQQ?revision=25\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDI","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMTMwNzktMjU1NDNpRUVFQTQ0NzQyNTI2QjQ5RA?revision=25\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDM","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMTMwNzktMjU1NDRpMTQ4NzQyMjk1MEQxRTdBNA?revision=25\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDQ","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMTMwNzktMjU1NDVpRjE1MkM2M0E2MkFCN0VFQw?revision=25\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDU","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMTMwNzktMjU1NDZpMzg0N0E2MkI4NEM0MjBGQg?revision=25\"}"}}],"totalCount":5,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"videos":{"__typename":"VideoConnection","edges":[],"totalCount":0,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}}},"Conversation:conversation:300887":{"__typename":"Conversation","id":"conversation:300887","topic":{"__typename":"TkbTopicMessage","uid":300887},"lastPostingActivityTime":"2023-03-23T14:25:26.299-07:00","solved":false},"User:user:193857":{"__typename":"User","uid":193857,"login":"Matt_Dierick","registrationData":{"__typename":"RegistrationData","status":null},"deleted":false,"avatar":{"__typename":"UserAvatar","url":"https://community.f5.com/t5/s/zihoc95639/images/dS0xOTM4NTctMTk5ODBpQjM4NEUzMzg1RkUyOEZBMw"},"id":"user:193857"},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDA4ODctMTk0MDlpMkZEMEQwRkFBNjUzNUQyNA?revision=4\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDA4ODctMTk0MDlpMkZEMEQwRkFBNjUzNUQyNA?revision=4","title":"Screenshot 2022-09-09 at 17.47.29.png","associationType":"COVER","width":2328,"height":2440,"altText":""},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDA4ODctMTkzODhpQjNCQjI0OEEyNzczNEU4NA?revision=4\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDA4ODctMTkzODhpQjNCQjI0OEEyNzczNEU4NA?revision=4","title":"Matthieu_Dieric_0-1662625845566.png","associationType":"BODY","width":2308,"height":2552,"altText":null},"TkbTopicMessage:message:300887":{"__typename":"TkbTopicMessage","subject":"Protect an application spread across several locations with F5 XC WAAP and Multi-Cloud Networking","conversation":{"__ref":"Conversation:conversation:300887"},"id":"message:300887","revisionNum":4,"uid":300887,"depth":0,"board":{"__ref":"Tkb:board:TechnicalArticles"},"author":{"__ref":"User:user:193857"},"teaser@stripHtml({\"removeProcessingText\":true,\"truncateLength\":-1})":" Understand in less than 5 minutes how F5XC WAAP can protect an application deployed in several locations and environments. ","introduction":"","metrics":{"__typename":"MessageMetrics","views":2458},"postTime":"2022-09-21T05:00:00.055-07:00","lastPublishTime":"2023-03-23T14:25:26.299-07:00","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})":" \n \n The use case \n In this use case, a modern application (or piece of the app) is running in a private/public (not exposed) cloud or on-premises location. In few words, the application or some pieces of the application are not exposed on Internet and NetOps + SecOps are looking for a simple solution to expose and protect this application. \n With F5 Distributed Cloud Web App and API Protection (XC WAAP), we will protect with: \n \n L3/L4 DDoS Protection, unlimited \n WAF \n Bot Protection (signature based) \n API protection \n Rate Limiting \n \n \n The architecture \n \n The users will connect to F5 XC Global Network where the application is exposed (exposed on all F5 XC pops all over the world), and F5 XC multi-cloud networking solution will route the traffic to the application hosted in Azure in the example above (or in the Datacenter) \n To do so, a F5 XC Mesh Node has been deployed automatically by the F5 XC console in Azure tenant and is directly connected (vnet subnet) with the application. \n \n Solution overview and services offered \n F5 XC WAAP offers by default \n \n 1 anycast VIP \n 1 Distributed LB \n 2 Delegated DNS domain \n Unlimited L3/L4 protection \n WAAP protection\n \n WAF Policy (based on BIG-IP and Nginx WAF engine) \n Bot Signature protection \n API Protection (Swagger enforcement) \n \n \n \n But more advanced services are available \n \n Advanced Bot Protection (Shape) \n Advanced API Protection with API discovery \n Malicious User Detection and Mitigation (AI/ML) \n \n \n Use Case video \n In this video, we explain in details this use case and the solution. \n \n \n \n ","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})@stringLength":"1687","kudosSumWeight":9,"repliesCount":0,"readOnly":false,"images":{"__typename":"AssociatedImageConnection","edges":[{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDE","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDA4ODctMTk0MDlpMkZEMEQwRkFBNjUzNUQyNA?revision=4\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDI","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDA4ODctMTkzODhpQjNCQjI0OEEyNzczNEU4NA?revision=4\"}"}}],"totalCount":2,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"videos":{"__typename":"VideoConnection","edges":[{"__typename":"VideoEdge","cursor":"MHxodHRwczovL3lvdXR1LmJlL3N6SklXcjFEYnYwfDB8MjU7MjV8fA","node":{"__typename":"AssociatedVideo","videoTag":{"__typename":"VideoTag","vid":"https://youtu.be/szJIWr1Dbv0","thumbnail":"https://i.ytimg.com/vi/szJIWr1Dbv0/hqdefault.jpg","uploading":false,"height":338,"width":600,"title":null},"videoAssociationType":"INLINE_BODY"}}],"totalCount":1,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}}},"Conversation:conversation:309285":{"__typename":"Conversation","id":"conversation:309285","topic":{"__typename":"TkbTopicMessage","uid":309285},"lastPostingActivityTime":"2023-02-12T23:56:48.279-08:00","solved":false},"User:user:421887":{"__typename":"User","uid":421887,"login":"Salini_K","registrationData":{"__typename":"RegistrationData","status":null},"deleted":false,"avatar":{"__typename":"UserAvatar","url":"https://community.f5.com/t5/s/zihoc95639/images/dS00MjE4ODctMjYwMzZpNzhGQkJCMDQwMjJDMjA1Nw"},"id":"user:421887"},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDkyODUtMjIyMjJpMkE4NjNCMzIyRkVFQTNDMA?revision=7\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDkyODUtMjIyMjJpMkE4NjNCMzIyRkVFQTNDMA?revision=7","title":"Salini_K_3-1675040754095.png","associationType":"BODY","width":1542,"height":693,"altText":null},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDkyODUtMjIyMzRpMUIxMUZCMTU3OUExNzlGQg?revision=7\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDkyODUtMjIyMzRpMUIxMUZCMTU3OUExNzlGQg?revision=7","title":"JBOriginPool.PNG","associationType":"BODY","width":1905,"height":1169,"altText":null},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDkyODUtMjIyMzVpNDdBOUI2OTdFNzk3OTVERA?revision=7\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDkyODUtMjIyMzVpNDdBOUI2OTdFNzk3OTVERA?revision=7","title":"LB_snip.PNG","associationType":"BODY","width":2488,"height":1808,"altText":null},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDkyODUtMjIyMzZpQjY3RjI4NTM3REU4Q0ZGNw?revision=7\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDkyODUtMjIyMzZpQjY3RjI4NTM3REU4Q0ZGNw?revision=7","title":"Enable TCIP.PNG","associationType":"BODY","width":2542,"height":1176,"altText":null},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDkyODUtMjIyMzlpQjRENjUxQ0ZEM0Y2MTI2Mg?revision=7\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDkyODUtMjIyMzlpQjRENjUxQ0ZEM0Y2MTI2Mg?revision=7","title":"CDN1.PNG","associationType":"BODY","width":2519,"height":1338,"altText":null},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDkyODUtMjIyMzhpN0RDMUZBRjIxNzYwN0U1NA?revision=7\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDkyODUtMjIyMzhpN0RDMUZBRjIxNzYwN0U1NA?revision=7","title":"CDN Origin pool.PNG","associationType":"BODY","width":2542,"height":1055,"altText":null},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDkyODUtMjIyNDFpNDg5N0UwMkRGQ0EyREQ2OQ?revision=7\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDkyODUtMjIyNDFpNDg5N0UwMkRGQ0EyREQ2OQ?revision=7","title":"airline output.PNG","associationType":"BODY","width":3003,"height":1345,"altText":null},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDkyODUtMjIyNDJpMTc4M0M1NTVBOTY4NjFGQg?revision=7\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDkyODUtMjIyNDJpMTc4M0M1NTVBOTY4NjFGQg?revision=7","title":"waf2.PNG","associationType":"BODY","width":3179,"height":497,"altText":null},"TkbTopicMessage:message:309285":{"__typename":"TkbTopicMessage","subject":"Overview of Trusted Client IP Headers in F5 Distributed Cloud Platform","conversation":{"__ref":"Conversation:conversation:309285"},"id":"message:309285","revisionNum":7,"uid":309285,"depth":0,"board":{"__ref":"Tkb:board:TechnicalArticles"},"author":{"__ref":"User:user:421887"},"teaser@stripHtml({\"removeProcessingText\":true,\"truncateLength\":-1})":"","introduction":"","metrics":{"__typename":"MessageMetrics","views":2912},"postTime":"2023-02-12T05:00:00.026-08:00","lastPublishTime":"2023-02-12T05:00:00.026-08:00","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})":" \n Introduction: \n With day-to-day enhancements in security architecture, a request initiated at the source point traverses through multiple hops before it reaches the destination point. By design, if a request passes through any CDN/ Proxy that is present between the real client and the load balancer, we will no longer see the client’s IP address as the source address in the Load Balancer but the CDN/Proxy IP instead. Identification of real Client IP address is sometimes necessary for monitoring, logging, defining allow/deny policies and other purposes. \n “Trusted Client IP Header” feature of F5 Distributed Cloud platform solves the above concern and provides the ability to identify the real client IP address that initiated the connection. Security events and request logs will show this real client IP address as the source IP, when this feature is enabled. Trusted Client IP Header feature in F5 Distributed Cloud platform allows the admin to configure Client IP Headers. The admin can define a list of one or more Client IP Headers as Trusted headers. \n Below are some key points to be considered while configuring headers list: \n \n When multiple headers are configured, F5 Distributed Cloud platform follows top to bottom precedence, which means initially first header is considered and system checks for its availability in the request. If not present in the request, the system will proceed to check for the second header, and so on, until one of the listed headers is found. \n When none of the defined headers exists, or the value of the configured header is not an IP address, then the system will use the source IP of the packet. \n When multiple IP addresses are available in header value, the system will read the rightmost IP address and considers it as real Client IP address. But when using X-Forwarded-For Header and if multiple IPs are available in value, the system reads the rightmost-1 IP address and considers it as real client IP address. \n \n Below video provies brief introduction to Trusted Client IP Headers feature: \n Demonstration: \n In this demonstration, we will see how to identify the real client IP address using “Trusted Client IP headers” option in F5 Distributed Cloud platform. \n We are using \n \n F5 Distributed Cloud Content Distribution Network (check references for more details) \n Load-balancer configured with “Trusted Client IP Header” option enabled \n Airlines test application as a backend origin server. \n \n As shown in the below demo architecture, the request initiated at the client initially reaches to the available F5 CDN server and then the request from CDN hits the load balancer. Load balancer validates the request for configured headers availability, identifies the true client IP address and displays it rather than the CDN IP. The request from load balancer finally hits the backend application. \n \n \n \n Step 1: Creation of Origin Pool \n \n From your desired namespace, navigate to Manage -> Load Balancers -> Origin pools \n Click on \"Add Origin Pool\" \n Provide a name for Origin pool \n Configure Origin server details with valid Port details. \n Proceed with “Save and Exit” \n \n \n \n Step 2: Creation of Load Balancer with Trusted Client IP Header enabled \n \n From your desired namespace, Navigate to Manage -> Load Balancers -> HTTP Load Balancers \n Click on \"Add HTTP load balancer\" \n Provide a name for the Load Balancer \n Provide valid domain name and choose appropriate load balancer type under Basic Configuration \n Associate the above created Origin Pool in the load balancer \n \n \n \n In Other Settings, Enable Trusted Client IP Headers \n Provide a list of one or more Client Headers. Admin can configure any header which is used to find client IP address. \n \n \n \n \n Click on “Save and Exit” to save the Load Balancer configuration. \n \n Step 3: Create any Content Delivery Network or Proxy \n Here we are using F5 XC CDN between the client and the load balancer. CDN is a server that is used to serve web content quickly. CDN servers are distributed globally, and the main aim is to reduce latency and delay in end-to-end communication and thereby increases the efficiency. Check references for more exploration links. \n \n Navigate to Home -> Content Delivery Network -> Manage -> Distributions \n Click on “Add Distribution” \n Provide a name for the CDN \n Provide a valid domain name \n Choose appropriate CDN type \n \n \n \n Create a CDN Origin Pool by clicking on “Configure” \n Provide your HTTP Load Balancer domain name which is created above in the DNS name \n Add above created HTTP Load balancer domain name in the list of Origin Servers of CDN Origin pool \n Click on “Apply” twice \n \n \n \n CDN Origin pool gets created and associated with the CDN \n Click on “Save and Exit” \n \n Note: F5 CDN has provided a dedicated header called “X-F5-True-Client-Ip” to extract the real client address. Customers who are using F5 CDN can use this header to identify the client IP address. Similarly, customer can configure any headers or custom headers to identify the client IP. \n Step 4: Access the backend Origin Server \n \n Open a browser \n Access the backend server using the configured domain \n Observe that request hits the backend server and response page is visible \n \n \n Step 5: Validate logs and source IP \n \n To check the source IP, in F5 Distributed Cloud Console, Navigate to Home -> Load Balancer -> Virtual Hosts -> HTTP Load Balancers \n Choose the appropriate load balancer and open Security Monitoring -> Requests \n Observe the Client IP and validate it with the client public IP address. Client IP address should be displayed in the logs rather than the CDN/Proxy IP as the feature is enabled. \n This source IP can further be used in WAF Exclusions rules, to block or allow clients. \n \n \n Conclusion: \n As you can see from the above demonstration, with Trusted Client IP Headers option enabled in F5 Distributed Cloud platform, the request logs and security events are getting logged with the real client IP address as the source IP rather than the CDN IP. \n Reference Links: \n \n F5 Distributed Cloud Services \n F5 Distributed Cloud WAF \n F5 XC CDN Exploration \n Configure CDN Distribution \n \n ","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})@stringLength":"6669","kudosSumWeight":8,"repliesCount":1,"readOnly":false,"images":{"__typename":"AssociatedImageConnection","edges":[{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDE","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDkyODUtMjIyMjJpMkE4NjNCMzIyRkVFQTNDMA?revision=7\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDI","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDkyODUtMjIyMzRpMUIxMUZCMTU3OUExNzlGQg?revision=7\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDM","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDkyODUtMjIyMzVpNDdBOUI2OTdFNzk3OTVERA?revision=7\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDQ","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDkyODUtMjIyMzZpQjY3RjI4NTM3REU4Q0ZGNw?revision=7\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDU","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDkyODUtMjIyMzlpQjRENjUxQ0ZEM0Y2MTI2Mg?revision=7\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDY","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDkyODUtMjIyMzhpN0RDMUZBRjIxNzYwN0U1NA?revision=7\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDc","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDkyODUtMjIyNDFpNDg5N0UwMkRGQ0EyREQ2OQ?revision=7\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDg","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDkyODUtMjIyNDJpMTc4M0M1NTVBOTY4NjFGQg?revision=7\"}"}}],"totalCount":8,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"videos":{"__typename":"VideoConnection","edges":[{"__typename":"VideoEdge","cursor":"MHxodHRwczovL3lvdXR1LmJlLzhUWXgxS0lFa21nfDB8MjU7MjV8fA","node":{"__typename":"AssociatedVideo","videoTag":{"__typename":"VideoTag","vid":"https://youtu.be/8TYx1KIEkmg","thumbnail":"https://i.ytimg.com/vi/8TYx1KIEkmg/hqdefault.jpg","uploading":false,"height":113,"width":200,"title":null},"videoAssociationType":"INLINE_BODY"}}],"totalCount":1,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}}},"Conversation:conversation:323254":{"__typename":"Conversation","id":"conversation:323254","topic":{"__typename":"TkbTopicMessage","uid":323254},"lastPostingActivityTime":"2025-02-18T09:47:20.371-08:00","solved":false},"User:user:194786":{"__typename":"User","uid":194786,"login":"Janibasha","registrationData":{"__typename":"RegistrationData","status":null},"deleted":false,"avatar":{"__typename":"UserAvatar","url":"https://community.f5.com/t5/s/zihoc95639/images/dS0xOTQ3ODYtMjA5NDJpMEI1Q0JDRDNGRkQ2MUM0Mw"},"id":"user:194786"},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjM4OTZpQTE0Q0ZFMTVFMTBCOEFFMw?revision=37\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjM4OTZpQTE0Q0ZFMTVFMTBCOEFFMw?revision=37","title":"DC-Cover_0001_mateusz-klein-ADvHWx2wV5Y-unsplash.jpg","associationType":"COVER","width":500,"height":500,"altText":""},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjYxNDBpREJBODhBMjUwNzVGNDdERA?revision=37\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjYxNDBpREJBODhBMjUwNzVGNDdERA?revision=37","title":"ccn-postman.JPG","associationType":"BODY","width":2800,"height":1526,"altText":"ccn-postman.JPG"},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjYxMTNpMkRGNjE4N0M3MkE0MjgwRQ?revision=37\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjYxMTNpMkRGNjE4N0M3MkE0MjgwRQ?revision=37","title":"dataguard-config.jpg","associationType":"BODY","width":2189,"height":1114,"altText":"dataguard-config.jpg"},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjYxMzZpRUQ3N0FGNzlERDJFOEEzOQ?revision=37\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjYxMzZpRUQ3N0FGNzlERDJFOEEzOQ?revision=37","title":"dataguard-mask.JPG","associationType":"BODY","width":2763,"height":1754,"altText":"dataguard-mask.JPG"},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjYxMTFpQzczOTBEMkQ1MjgxOUM2RA?revision=37\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjYxMTFpQzczOTBEMkQ1MjgxOUM2RA?revision=37","title":"dataguard-postman.jpg","associationType":"BODY","width":3080,"height":1535,"altText":"dataguard-postman.jpg"},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjYxMTJpRkEyRDlFRTA5RTNGNUJFNQ?revision=37\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjYxMTJpRkEyRDlFRTA5RTNGNUJFNQ?revision=37","title":"dataguard-log.jpg","associationType":"BODY","width":3195,"height":2055,"altText":"dataguard-log.jpg"},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjYxMzdpREM5NDVFNTBCMTg4OUFGNg?revision=37\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjYxMzdpREM5NDVFNTBCMTg4OUFGNg?revision=37","title":"injection-postman.JPG","associationType":"BODY","width":3026,"height":1457,"altText":"injection-postman.JPG"},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjYxMzRpRkU1OUVGMDA3NjFBRjQ3Mg?revision=37\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjYxMzRpRkU1OUVGMDA3NjFBRjQ3Mg?revision=37","title":"sqli-block.jpg","associationType":"BODY","width":3825,"height":2037,"altText":"sqli-block.jpg"},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjYxMzVpNTEyRkFGMTBDRkE0MUNFNA?revision=37\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjYxMzVpNTEyRkFGMTBDRkE0MUNFNA?revision=37","title":"sqli-log.jpg","associationType":"BODY","width":3791,"height":2287,"altText":"sqli-log.jpg"},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjYxMzFpQzkyQjg0Nzg2MDhGNDMyOA?revision=37\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjYxMzFpQzkyQjg0Nzg2MDhGNDMyOA?revision=37","title":"bots-config.jpg","associationType":"BODY","width":3781,"height":2277,"altText":"bots-config.jpg"},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjYxMzJpQzJDQkZBMUQxMkVGMDFDNA?revision=37\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjYxMzJpQzJDQkZBMUQxMkVGMDFDNA?revision=37","title":"bots-postman.jpg","associationType":"BODY","width":3127,"height":2067,"altText":"bots-postman.jpg"},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjYxMzNpRThFQkRDNTYwMEI3Nzk0NA?revision=37\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjYxMzNpRThFQkRDNTYwMEI3Nzk0NA?revision=37","title":"bots.jpg","associationType":"BODY","width":3795,"height":2251,"altText":"bots.jpg"},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjYxMjlpM0Y0QkY4NTRBM0JBRkYyRA?revision=37\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjYxMjlpM0Y0QkY4NTRBM0JBRkYyRA?revision=37","title":"rate-limit.jpg","associationType":"BODY","width":3789,"height":2297,"altText":"rate-limit.jpg"},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjYxMzBpMEYwNzM4ODY5M0VGMEVBQg?revision=37\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjYxMzBpMEYwNzM4ODY5M0VGMEVBQg?revision=37","title":"rate-block.JPG","associationType":"BODY","width":2962,"height":1633,"altText":"rate-block.JPG"},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjYxMzhpRTc5QTFGODZENDA1MDgwRg?revision=37\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjYxMzhpRTc5QTFGODZENDA1MDgwRg?revision=37","title":"rate-limiting-web.jpg","associationType":"BODY","width":3840,"height":2400,"altText":"rate-limiting-web.jpg"},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtVFpEQ0ZF?revision=37\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtVFpEQ0ZF?revision=37","title":"Screenshot 2025-01-10 at 4.33.05 PM.png","associationType":"BODY","width":3422,"height":1548,"altText":""},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtR0JHWDl0?revision=37\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtR0JHWDl0?revision=37","title":"42b22f73-2c73-433b-a4d0-a13cc6c136a2.png","associationType":"BODY","width":2632,"height":1658,"altText":""},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtNWN2WGN4?revision=37\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtNWN2WGN4?revision=37","title":"Screenshot 2025-01-10 at 4.53.49 PM.png","associationType":"BODY","width":3180,"height":1810,"altText":""},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtcUE4TG4y?revision=37\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtcUE4TG4y?revision=37","title":"Screenshot 2025-01-27 at 9.59.26 AM.png","associationType":"BODY","width":2972,"height":1418,"altText":""},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtVjlwUWpI?revision=37\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtVjlwUWpI?revision=37","title":"Screenshot 2025-01-09 at 2.24.30 PM.png","associationType":"BODY","width":2488,"height":1556,"altText":""},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtWW5rRUdE?revision=37\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtWW5rRUdE?revision=37","title":"Screenshot 2025-01-10 at 6.10.21 PM.png","associationType":"BODY","width":2646,"height":1768,"altText":""},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtTFA1NUQ4?revision=37\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtTFA1NUQ4?revision=37","title":"Screenshot 2025-01-10 at 6.11.08 PM.png","associationType":"BODY","width":3456,"height":1160,"altText":""},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtV0gyeUdJ?revision=37\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtV0gyeUdJ?revision=37","title":"Screenshot 2025-01-10 at 5.35.43 PM.png","associationType":"BODY","width":2492,"height":1498,"altText":""},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtWnE4SXFG?revision=37\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtWnE4SXFG?revision=37","title":"Screenshot 2025-01-13 at 3.44.07 PM.png","associationType":"BODY","width":2456,"height":1340,"altText":""},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtNkFyVzg4?revision=37\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtNkFyVzg4?revision=37","title":"Screenshot 2025-01-10 at 6.21.02 PM.png","associationType":"BODY","width":2420,"height":1384,"altText":""},"TkbTopicMessage:message:323254":{"__typename":"TkbTopicMessage","subject":"Mitigating OWASP API Security Top 10 risks using F5 NGINX App Protect","conversation":{"__ref":"Conversation:conversation:323254"},"id":"message:323254","revisionNum":37,"uid":323254,"depth":0,"board":{"__ref":"Tkb:board:TechnicalArticles"},"author":{"__ref":"User:user:194786"},"teaser@stripHtml({\"removeProcessingText\":true,\"truncateLength\":-1})":"","introduction":"","metrics":{"__typename":"MessageMetrics","views":2611},"postTime":"2023-11-13T05:00:00.021-08:00","lastPublishTime":"2025-02-18T09:47:20.371-08:00","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})":" \n This 2019 API Security article covers the summary of OWASP API Security Top 10 – 2019 categories and newly published 2023 API security article covered introductory part of newest edition of OWASP API Security Top 10 risks – 2023. \n We will deep-dive into some of those common risks and how we can protect our applications against these vulnerabilities using F5 NGINX App Protect. \n \n \n Excessive Data Exposure \n Problem Statement: \n As shown below in one of the demo application API’s, Personal Identifiable Information (PII) data, like Credit Card Numbers (CCN) and U.S. Social Security Numbers (SSN), are visible in responses that are highly sensitive. So, we must hide these details to prevent personal data exploits. \n Solution: \n To prevent this vulnerability, we will use the DataGuard feature in NGINX App Protect, which validates all response data for sensitive details and will either mask the data or block those requests, as per the configured settings. First, we will configure DataGuard to mask the PII data as shown below and will apply this configuration. \n Next, if we resend the same request, we can see that the CCN/SSN numbers are masked, thereby preventing data breaches. \n If needed, we can update configurations to block this vulnerability after which all incoming requests for this endpoint will be blocked. \n If you open the security log and filter with this support ID, we can see that the request is either blocked or PII data is masked, as per the DataGuard configuration applied in the above section. \n \n Injection \n Problem Statement: \n Customer login pages without secure coding practices may have flaws. Intruders could use those flaws to exploit credential validation using different types of injections, like SQLi, command injections, etc. In our demo application, we have found an exploit which allows us to bypass credential validation using SQL injection (by using username as “' OR true --” and any password), thereby getting administrative access, as below: \n Solution: \n NGINX App Protect has a database of signatures that match this type of SQLi attacks. By configuring the WAF policy in blocking mode, NGINX App Protect can identify and block this attack, as shown below. \n If you check in the security log with this support ID, we can see that request is blocked because of SQL injection risk, as below. \n \n Insufficient Logging & Monitoring \n Problem Statement: \n Appropriate logging and monitoring solutions play a pivotal role in identifying attacks and also in finding the root cause for any security issues. Without these solutions, applications are fully exposed to attackers and SecOps is completely blind to identifying details of users and resources being accessed. \n Solution: \n NGINX provides different options to track logging details of applications for end-to-end visibility of every request both from a security and performance perspective. Users can change configurations as per their requirements and can also configure different logging mechanisms with different levels. Check the links below for more details on logging: \n \n https://www.nginx.com/blog/logging-upstream-nginx-traffic-cdn77/ \n https://www.nginx.com/blog/modsecurity-logging-and-debugging/ \n https://www.nginx.com/blog/using-nginx-logging-for-application-performance-monitoring/ \n https://docs.nginx.com/nginx/admin-guide/monitoring/logging/ \n https://docs.nginx.com/nginx-app-protect-waf/logging-overview/logs-overview/ \n \n \n Unrestricted Access to Sensitive Business Flows \n Problem Statement: \n By using the power of automation tools, attackers can now break through tough levels of protection. The inefficiency of APIs to detect automated bot tools not only causes business loss, but it can also adversely impact the services for genuine users of an application. \n Solution: \n NGINX App Protect has the best-in-class bot detection technology and can detect and label automation tools in different categories, like trusted, untrusted, and unknown. Depending on the appropriate configurations applied in the policy, requests generated from these tools are either blocked or alerted. Below is an example that shows how requests generated from the Postman automation tool are getting blocked. \n By filtering the security log with this support-id, we can see that the request is blocked because of an untrusted bot. \n \n Lack of Resources & Rate Limiting \n Problem Statement: \n APIs do not have any restrictions on the size or number of resources that can be requested by the end user. Above mentioned scenarios sometimes lead to poor API server performance, Denial of Service (DoS), and brute force attacks. \n Solution: \n NGINX App Protect provides different ways to rate limit the requests as per user requirements. A simple rate limiting use case configuration is able to block requests after reaching the limit, which is demonstrated below. \n Server-Side Request Forgery \n Problem Statement: \n In an SSRF attack, vulnerable API endpoint within the application is targeted and attacker sends an unauthorized request allowing it to access internal resources. One of the common reasons for this is limited or lack of user input data validation. \n Example: \n In the demo application below, click on ‘Contact Mechanic’ and provide required details like Mechanic name, Problem Description and send Service Request. \n \n Below image shows that ‘contact_mechanic’ endpoint is internally making a call to ‘mechanic_api’ URL. Since ‘mechanic_api’ parameter accepts URL as data, this can be vulnerable to SSRF attacks. \n \n Exploiting the vulnerable endpoint by modifying ‘mechanic_api’ URL call to www.google.com in POST data call got accepted by returning 200 OK as response. This vulnerability can be misused to gain access to internal resources. \n \n Solution: \n To prevent this vulnerability, we will use the WAF API Security Policy in NGINX App Protect, which validates all the API request parameters and will block the suspicious requests consisting of irrelevant parameters, as shown below. \n Restricted/updated swagger file with .json extension is added as below: \n \n Policy used: App Protect API Security \n \n Retrying the vulnerability with ‘mechanic_api’ URL call to www.google.com in POST data now getting blocked. \n \n Validating the support ID in the security log below: \n \n \n Mass Assignment \n Problem Statement: \n API Mass Assignment vulnerability arises when clients can modify immutable internal object properties via crafted requests, bypassing API Endpoint restrictions. Attackers exploit this by sending malicious HTTP requests to escalate privileges, bypass security mechanisms, or manipulate the API Endpoint's functionality. \n Placing an order with quantity as 1: \n \n Bypassing API Endpoint restrictions and placing the order with quantity as -1 is also successful. \n \n Solution: \n To overcome this vulnerability, we will use the WAF API Security Policy in NGINX App Protect which validates all the API Security event triggered and based on the enforcement mode set in the validation rules, the request will either get reported or blocked, as shown below. \n Restricted/updated swagger file with .json extension is added as below: \n \n Policy used: App Protect API Security \n \n Re-attempting to place the order with quantity as -1 is getting blocked. \n \n Validating the support ID in Security log as below: \n \n Conclusion: \n In short, this article covered some common API vulnerabilities and shows how NGINX App Protect can be used as a mitigation solution to prevent these OWASP API security risks. \n Related resources for more information or to get started: \n \n F5 NGINX App Protect \n OWASP API Security Top 10 2019 \n OWASP API Security Top 10 2023 \n \n ","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})@stringLength":"7893","kudosSumWeight":7,"repliesCount":0,"readOnly":false,"images":{"__typename":"AssociatedImageConnection","edges":[{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDE","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjM4OTZpQTE0Q0ZFMTVFMTBCOEFFMw?revision=37\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDI","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjYxNDBpREJBODhBMjUwNzVGNDdERA?revision=37\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDM","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjYxMTNpMkRGNjE4N0M3MkE0MjgwRQ?revision=37\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDQ","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjYxMzZpRUQ3N0FGNzlERDJFOEEzOQ?revision=37\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDU","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjYxMTFpQzczOTBEMkQ1MjgxOUM2RA?revision=37\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDY","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjYxMTJpRkEyRDlFRTA5RTNGNUJFNQ?revision=37\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDc","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjYxMzdpREM5NDVFNTBCMTg4OUFGNg?revision=37\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDg","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjYxMzRpRkU1OUVGMDA3NjFBRjQ3Mg?revision=37\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDk","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjYxMzVpNTEyRkFGMTBDRkE0MUNFNA?revision=37\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDEw","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjYxMzFpQzkyQjg0Nzg2MDhGNDMyOA?revision=37\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDEx","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjYxMzJpQzJDQkZBMUQxMkVGMDFDNA?revision=37\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDEy","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjYxMzNpRThFQkRDNTYwMEI3Nzk0NA?revision=37\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDEz","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjYxMjlpM0Y0QkY4NTRBM0JBRkYyRA?revision=37\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDE0","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjYxMzBpMEYwNzM4ODY5M0VGMEVBQg?revision=37\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDE1","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtMjYxMzhpRTc5QTFGODZENDA1MDgwRg?revision=37\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDE2","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtVFpEQ0ZF?revision=37\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDE3","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtR0JHWDl0?revision=37\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDE4","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtNWN2WGN4?revision=37\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDE5","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtcUE4TG4y?revision=37\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDIw","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtVjlwUWpI?revision=37\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDIx","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtWW5rRUdE?revision=37\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDIy","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtTFA1NUQ4?revision=37\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDIz","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtV0gyeUdJ?revision=37\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDI0","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtWnE4SXFG?revision=37\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDI1","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMjMyNTQtNkFyVzg4?revision=37\"}"}}],"totalCount":28,"pageInfo":{"__typename":"PageInfo","hasNextPage":true,"endCursor":"MjUuMnwyLjF8b3wyNXxfTlZffDI1","hasPreviousPage":false,"startCursor":null}},"videos":{"__typename":"VideoConnection","edges":[],"totalCount":0,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}}},"Conversation:conversation:306887":{"__typename":"Conversation","id":"conversation:306887","topic":{"__typename":"TkbTopicMessage","uid":306887},"lastPostingActivityTime":"2023-11-06T08:56:20.784-08:00","solved":false},"User:user:406348":{"__typename":"User","uid":406348,"login":"Shubham_Mishra","registrationData":{"__typename":"RegistrationData","status":null},"deleted":false,"avatar":{"__typename":"UserAvatar","url":"https://community.f5.com/t5/s/zihoc95639/images/dS00MDYzNDgtMTY0MzRpMzFFMjI4NjhDMzRGRjE0Mw"},"id":"user:406348"},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDY4ODctMjEzNDBpNENGMjE5RDRCRDE2NDFBRg?revision=41\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDY4ODctMjEzNDBpNENGMjE5RDRCRDE2NDFBRg?revision=41","title":"Shubham_Mishra_1-1671542949964.jpeg","associationType":"BODY","width":1340,"height":1137,"altText":null},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDY4ODctMjYxMTVpMkU5MkIzOUVDNzdDQjgwRg?revision=41\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDY4ODctMjYxMTVpMkU5MkIzOUVDNzdDQjgwRg?revision=41","title":"Shubham_Mishra_0-1698303033427.jpeg","associationType":"BODY","width":3837,"height":1739,"altText":null},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDY4ODctMjYxMTZpQTlFRjRFQzdFMDJBM0IxNw?revision=41\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDY4ODctMjYxMTZpQTlFRjRFQzdFMDJBM0IxNw?revision=41","title":"Shubham_Mishra_1-1698303107906.jpeg","associationType":"BODY","width":3834,"height":1993,"altText":null},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDY4ODctMjYxMTdpMTREM0FGOUJEOUZBQzlBQw?revision=41\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDY4ODctMjYxMTdpMTREM0FGOUJEOUZBQzlBQw?revision=41","title":"Shubham_Mishra_2-1698303171858.jpeg","associationType":"BODY","width":3057,"height":307,"altText":null},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDY4ODctMjYxMThpN0RBNUNDMjM3QUVDM0MzRQ?revision=41\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDY4ODctMjYxMThpN0RBNUNDMjM3QUVDM0MzRQ?revision=41","title":"Shubham_Mishra_3-1698303242724.jpeg","associationType":"BODY","width":2730,"height":1340,"altText":null},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDY4ODctMjYxMTlpOTQzNTNGRDk0MkZDRDQwMA?revision=41\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDY4ODctMjYxMTlpOTQzNTNGRDk0MkZDRDQwMA?revision=41","title":"Shubham_Mishra_0-1698303389038.jpeg","associationType":"BODY","width":1101,"height":652,"altText":null},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDY4ODctMjYxMjBpNjYxMzdDQzhGOTc2Q0MwNQ?revision=41\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDY4ODctMjYxMjBpNjYxMzdDQzhGOTc2Q0MwNQ?revision=41","title":"Shubham_Mishra_1-1698303500297.jpeg","associationType":"BODY","width":3330,"height":1033,"altText":null},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDY4ODctMjYxMjFpMEUwM0I4MzIyQkQwMkRBQQ?revision=41\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDY4ODctMjYxMjFpMEUwM0I4MzIyQkQwMkRBQQ?revision=41","title":"Shubham_Mishra_2-1698303525809.jpeg","associationType":"BODY","width":3375,"height":1711,"altText":null},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDY4ODctMjYxMjJpNTI3NzI3NTEyM0ZCQzc3MA?revision=41\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDY4ODctMjYxMjJpNTI3NzI3NTEyM0ZCQzc3MA?revision=41","title":"Shubham_Mishra_3-1698303554234.jpeg","associationType":"BODY","width":3375,"height":588,"altText":null},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDY4ODctMjYxMjNpOTQ0NUVEMjczMzQ1N0NCNg?revision=41\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDY4ODctMjYxMjNpOTQ0NUVEMjczMzQ1N0NCNg?revision=41","title":"Shubham_Mishra_4-1698303658744.jpeg","associationType":"BODY","width":3403,"height":772,"altText":null},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDY4ODctMjYxMjRpNTFEQTY5N0U5MjU5RTQ4NQ?revision=41\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDY4ODctMjYxMjRpNTFEQTY5N0U5MjU5RTQ4NQ?revision=41","title":"Shubham_Mishra_5-1698303714622.jpeg","associationType":"BODY","width":2727,"height":1601,"altText":null},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDY4ODctMjYxMjVpNThCNENGMTQ3RURBQzE1NA?revision=41\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDY4ODctMjYxMjVpNThCNENGMTQ3RURBQzE1NA?revision=41","title":"Shubham_Mishra_6-1698303772253.jpeg","associationType":"BODY","width":3344,"height":1996,"altText":null},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDY4ODctMjYxMjdpMjFENjZEMUE1NEY1QkYyRg?revision=41\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDY4ODctMjYxMjdpMjFENjZEMUE1NEY1QkYyRg?revision=41","title":"Shubham_Mishra_8-1698303837524.jpeg","associationType":"BODY","width":3295,"height":732,"altText":null},"TkbTopicMessage:message:306887":{"__typename":"TkbTopicMessage","subject":"Mitigating OWASP API Security Risk: Mass Assignment using F5 XC Platform","conversation":{"__ref":"Conversation:conversation:306887"},"id":"message:306887","revisionNum":41,"uid":306887,"depth":0,"board":{"__ref":"Tkb:board:TechnicalArticles"},"author":{"__ref":"User:user:406348"},"teaser@stripHtml({\"removeProcessingText\":true,\"truncateLength\":-1})":"","introduction":"","metrics":{"__typename":"MessageMetrics","views":4709},"postTime":"2023-02-09T05:00:00.031-08:00","lastPublishTime":"2023-11-06T08:56:20.784-08:00","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})":" Overview: \n This article is a continuation of the series of articles on OWASP API Security vulnerabilities and demonstrates a scenario for mitigating API Mass Assignment using F5 Distributed Cloud Platform (XC). \n \n Introduction to OWASP API Mass Assignment: \n \n APIs are the foundation building blocks for today’s modern applications and because of such high acceptance there are software frameworks available to help the developers with the implementation, but these frameworks sometimes allow developers to automatically bind client’s request parameters into the code variables, opening gates for the attackers to exploit the Mass Assignment vulnerability. \n API Mass Assignment vulnerability occurs when manually crafted requests from clients to modify immutable internal object properties are not restricted by API Endpoints. \n Attackers can take advantage of this vulnerability by framing an HTTP request to escalate user privilege, bypass security mechanisms or use any other approach to make the API Endpoints work in a way it was not designed to work. \n Note: Mass Assignment and Excessive Data Exposure which were a separate risk category in OWASP API Sec 2019 are now merged into a new risk category named Broken Object Property Level Authorization \n \n The above image is the pictorial representation of possible exploitation of Mass Assignment vulnerability. You can see the attacker is successfully able to escalate his privilege from normal user to admin by manipulating the JSON content of the API request. \n In the first step, the attacker sends a valid API request to add the user and gets a response back with a parameter carrying information about the role. \n In the second step, the attacker adds the role parameter to the JSON object in the API request eventually resulting in successful exploitation of the vulnerability. \n \n Prevention Steps: \n \n Automatic binding of client’s input data into application's internal code variables should be avoided. \n Allow/Deny list should be clearly defined for the properties that should or shouldn't be accessible by the clients. \n Application schema should be well defined and enforced on all incoming client requests. \n \n \n Demonstration: \n For this demonstration we’ve already hosted crAPI (completely ridiculous API) application by referring to the QuickStart guide in the repository. \n Also, in the XC console we added the hosted application as an origin server and attached it with the newly created HTTP Load Balancer (LB). \n Note: crAPI is a vulnerable application designed for training purposes and can be a helpful tool to understand the OWASP top 10 most critical API security risks. For more details you can refer to OWASP crAPI repository \n Attack Scenario: \n In the use case below we have an API endpoint which is used to order products. This endpoint has a vulnerable field named “quantity” that can be exploited for mass assignment by providing a negative value resulting in a successful purchase order with an increase in available balance. \n As shown below at the start of the demo, the available balance for a user account is 200 $. \n \n Step1: First step is to gather the endpoint and request payload data by placing a valid purchase order from GUI. \n \n In the above screenshot, you can see we have successfully placed the order from the GUI which resulted in a decrease of available balance by 10$. This is a valid customer use case scenario. \n Step2: Next, we will try to place an order for a product with negative quantity using the gathered endpoint and check if mass assignment vulnerability is present or not. \n \n As you can see in the above screenshot the order with the negative quantity is placed successfully and the available balance is increased by 10$ which is not expected. Hence, we can conclude that mass assignment vulnerability exists in this demo application. \n Prevention through F5 XC: \n As mentioned in the prevention steps for the purpose of schema validation we will upload OpenAPI specification file to XC and set up the validation rules on incoming client requests \n If a mismatch occurs, an API Security event will be triggered and based on the enforcement mode set in the validation rules, the request will either get reported or blocked. \n Step1: As shown in the below image, update the crAPI’s OpenAPI specification file (a.k.a. swagger file) by adding a “minimum” keyword with value as “1” for the “quantity” parameter to restrict the request carrying a negative quantity to bypass \n \n Step2: Import crAPI’s swagger file to the LB and create API Definitions \n \n Login to F5 XC console \n Navigate to your LB and start editing the applied configuration \n Scroll down to API Protection and select “Enable” in API Definition field \n Click “Add Item”, Enter a name \n Click “Upload Swagger file”, Enter a name and upload the swagger file for your application, Apply the changes \n Now from your LB main config page, select “Custom List” for “Validation” field and click Configure. \n Start configuring Validation List, click “Add Item”, Enter a name, select “Validate” for “OpenAPI Validation Request Processing Mode” field, select “Block” for field “Request Validation Enforcement Type” and select all available properties in “Request Validation Properties” field, below of the config page select “Base Path - /” for “Type” field, Apply the changes. Refer to the document for more details. \n \n \n Step3: Try to repeat the attack scenario of ordering a product with negative quantity. \n \n As you can see in the above screenshot the attack was blocked successfully by the XC. \n Step4: Monitor the “Security Analytics” logs from F5 XC console \n \n \n Conclusion: \n API Mass assignment vulnerability can illegally be exploited by attackers to cause some serious damage but as demonstrated, F5 XC API security solutions can help to detect and mitigate such vulnerabilities with the help of Open-API schema validation feature. \n \n For more details, follow below links: \n \n OWASP API Security Project \n OWASP API6:2019 Mass Assignment \n F5 Distributed Cloud Services \n F5 Distributed Cloud WAAP \n Overview of OWASP API Security Top 10 2019 \n Introduction to OWASP API Security Top 10 2023 \n ","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})@stringLength":"6338","kudosSumWeight":7,"repliesCount":2,"readOnly":false,"images":{"__typename":"AssociatedImageConnection","edges":[{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDE","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDY4ODctMjEzNDBpNENGMjE5RDRCRDE2NDFBRg?revision=41\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDI","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDY4ODctMjYxMTVpMkU5MkIzOUVDNzdDQjgwRg?revision=41\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDM","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDY4ODctMjYxMTZpQTlFRjRFQzdFMDJBM0IxNw?revision=41\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDQ","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDY4ODctMjYxMTdpMTREM0FGOUJEOUZBQzlBQw?revision=41\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDU","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDY4ODctMjYxMThpN0RBNUNDMjM3QUVDM0MzRQ?revision=41\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDY","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDY4ODctMjYxMTlpOTQzNTNGRDk0MkZDRDQwMA?revision=41\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDc","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDY4ODctMjYxMjBpNjYxMzdDQzhGOTc2Q0MwNQ?revision=41\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDg","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDY4ODctMjYxMjFpMEUwM0I4MzIyQkQwMkRBQQ?revision=41\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDk","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDY4ODctMjYxMjJpNTI3NzI3NTEyM0ZCQzc3MA?revision=41\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDEw","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDY4ODctMjYxMjNpOTQ0NUVEMjczMzQ1N0NCNg?revision=41\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDEx","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDY4ODctMjYxMjRpNTFEQTY5N0U5MjU5RTQ4NQ?revision=41\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDEy","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDY4ODctMjYxMjVpNThCNENGMTQ3RURBQzE1NA?revision=41\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDEz","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDY4ODctMjYxMjdpMjFENjZEMUE1NEY1QkYyRg?revision=41\"}"}}],"totalCount":13,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"videos":{"__typename":"VideoConnection","edges":[],"totalCount":0,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}}},"Conversation:conversation:304079":{"__typename":"Conversation","id":"conversation:304079","topic":{"__typename":"TkbTopicMessage","uid":304079},"lastPostingActivityTime":"2023-01-04T10:46:05.930-08:00","solved":false},"User:user:228473":{"__typename":"User","uid":228473,"login":"Shajiya_Shaik","registrationData":{"__typename":"RegistrationData","status":null},"deleted":false,"avatar":{"__typename":"UserAvatar","url":"https://community.f5.com/t5/s/zihoc95639/images/dS0yMjg0NzMtMTgyOTBpMEQ1Mzk5MERDMDA1MTZCNQ"},"id":"user:228473"},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDQwNzktMjA1NDNpMDY3REI2QTA3QTFFNkI2NQ?revision=24\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDQwNzktMjA1NDNpMDY3REI2QTA3QTFFNkI2NQ?revision=24","title":"Shajiya_Shaik_0-1667997220592.png","associationType":"BODY","width":2017,"height":960,"altText":null},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDQwNzktMjA1MzVpOUQyOTQ4MDZENzBCNTkwQQ?revision=24\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDQwNzktMjA1MzVpOUQyOTQ4MDZENzBCNTkwQQ?revision=24","title":"Shajiya_Shaik_4-1667995787637.png","associationType":"BODY","width":2200,"height":1162,"altText":null},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDQwNzktMjA1MzNpMzc0NUVDRkRDN0M0OTkxMQ?revision=24\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDQwNzktMjA1MzNpMzc0NUVDRkRDN0M0OTkxMQ?revision=24","title":"Shajiya_Shaik_2-1667995430810.png","associationType":"BODY","width":2036,"height":1283,"altText":null},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDQwNzktMjA1MzZpRjE0MzUxNTVEN0Y2QTM3RA?revision=24\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDQwNzktMjA1MzZpRjE0MzUxNTVEN0Y2QTM3RA?revision=24","title":"Shajiya_Shaik_0-1667996475511.png","associationType":"BODY","width":2468,"height":819,"altText":null},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDQwNzktMjA1NDRpRTJCRkIwNDJDMzhGMjcxNg?revision=24\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDQwNzktMjA1NDRpRTJCRkIwNDJDMzhGMjcxNg?revision=24","title":"Shajiya_Shaik_0-1667997352369.png","associationType":"BODY","width":1823,"height":501,"altText":null},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDQwNzktMjA1NDVpMDU1OURFOUYwMjc4MDlBNQ?revision=24\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDQwNzktMjA1NDVpMDU1OURFOUYwMjc4MDlBNQ?revision=24","title":"Shajiya_Shaik_1-1667997408996.png","associationType":"BODY","width":3289,"height":1556,"altText":null},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDQwNzktMjA1NDZpNUNDRDA0OEM1RTNDMThGRQ?revision=24\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDQwNzktMjA1NDZpNUNDRDA0OEM1RTNDMThGRQ?revision=24","title":"Shajiya_Shaik_0-1667997539245.png","associationType":"BODY","width":2191,"height":1176,"altText":null},"TkbTopicMessage:message:304079":{"__typename":"TkbTopicMessage","subject":"Introduction to F5 Distributed Cloud Platform Per Route WAF Policy","conversation":{"__ref":"Conversation:conversation:304079"},"id":"message:304079","revisionNum":24,"uid":304079,"depth":0,"board":{"__ref":"Tkb:board:TechnicalArticles"},"author":{"__ref":"User:user:228473"},"teaser@stripHtml({\"removeProcessingText\":true,\"truncateLength\":-1})":"","introduction":"","metrics":{"__typename":"MessageMetrics","views":2182},"postTime":"2022-12-27T05:00:00.077-08:00","lastPublishTime":"2023-01-04T10:46:05.930-08:00","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})":" Introduction: \n By default, F5 Distributed Cloud Platform supports WAF and routing at the domain level i.e the origin pool associated with the Load balancer. F5 Distributed Cloud WAF provides the feasibility to create multiple routes with specific paths and attach the WAF rules individually on each path. This article is specifically demonstrating the above use case. \n In general, when a load balancer of host type HTTP/HTTPS, the request can be further matched based on parameters like URLs, headers, query parameters, http methods, etc. Once the request is matched, it can be sent to a specific endpoint based on the routing configuration and policy rules. \n The route object is used to configure L7 routing decision and is made of 3 things. \n \n Matching condition for incoming request \n Actions to take if the matching condition is true \n Whether the custom java script is enabled for this route match. \n \n Parameters offered per route configuration: \n \n URL path \n Prefix \n Specific header or Regex \n \n Demonstration: \n In this demo we will see how to forward a HTTP request depending on the route configuration and their associated WAF rules from F5 Distributed Cloud Services to origin server endpoints. \n \n we are using \n \n F5 Distributed Cloud Platform as the Environment. \n Arcadia Application as an origin server. Refer \n Load-balancer configured with multiple routes which are associated with different WAF rules. \n \n We shall see the demonstration in the below video to know the flow of how to configure and validate F5 Distributed Cloud Per-Route WAF Policy. \n \n Procedure: \n Step 1: Origin Pool Creation \n \n From your desired namespace, navigate to Manage --> Load Balancers --> Origin pools \n Click on \"Add Origin Pool\" \n Give it a name \n Add the Origin server details along with Port info. \n Click on ‘Save and Exit’ \n \n Step 2: Load Balancer with Route config and WAF Rules \n \n From the WAAP --> Navigate to Manage --> Load Balancers --> HTTP Load Balancers \n Click on \"Add HTTP load balancer\" \n Give it a name \n Set the domain name under Basic Configuration \n Under Routes section, click on ‘Configure’, click on ‘Add Item’ \n Select the type of Route as \"Simple Route\". \n Select HTTP method as “Any”. \n Select \"Regex\" under the \"Path match\" drop-down menu. \n Enter the string “\\/trading\\/.*” (without the quotes) as the regular expression (or Regex). This matches the requests for https://perroutewaf.com/trading/ \n Associate the above created Origin Pool. \n Under Advanced Options --> navigate to Security --> Web Application Firewall --> App Firewall --> Add Item. \n Create a WAF App firewall rule with Enforcement mode as “Blocking”. \n After attaching the WAF rule to the route, click on “Apply”. \n Repeat the above steps to create another route with Regex “.*” and the WAF rule Enforcement Mode ‘Monitoring’. \n Click on “Save and Exit” to save the Load Balancer configuration. \n \n Step 3: Validating perRouteWAF functionality \n - Output of /trading/.* route path: \n \n Open a browser and navigate to the login page of the application load balancer. \n try to generate SQL Injection attack to login as higher privileged user like admin. \n \n - Output of /.* route path: \n \n Try to access the Load Balancer with another route “/index.html”. \n Generate the SQL Injection attack to home page to get the privileged info. \n \n Step4: Logs Verification \n \n Monitor the security event log from F5 Distributed Cloud console, Navigate to WAAP --> Apps & APIs --> Security, select your LB and click on ‘Security Event’ tab. \n \n Conclusion: \n As you can see from the demonstration, F5 Distributed Cloud WAF has allowed and blocked the requests based on the route configuration and their associated WAF policies applied on the Load balancer. \n For further information click the links below: \n \n F5 Distributed Cloud Services \n F5 Distributed Cloud WAF \n ","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})@stringLength":"4155","kudosSumWeight":7,"repliesCount":2,"readOnly":false,"images":{"__typename":"AssociatedImageConnection","edges":[{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDE","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDQwNzktMjA1NDNpMDY3REI2QTA3QTFFNkI2NQ?revision=24\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDI","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDQwNzktMjA1MzVpOUQyOTQ4MDZENzBCNTkwQQ?revision=24\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDM","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDQwNzktMjA1MzNpMzc0NUVDRkRDN0M0OTkxMQ?revision=24\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDQ","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDQwNzktMjA1MzZpRjE0MzUxNTVEN0Y2QTM3RA?revision=24\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDU","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDQwNzktMjA1NDRpRTJCRkIwNDJDMzhGMjcxNg?revision=24\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDY","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDQwNzktMjA1NDVpMDU1OURFOUYwMjc4MDlBNQ?revision=24\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDc","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDQwNzktMjA1NDZpNUNDRDA0OEM1RTNDMThGRQ?revision=24\"}"}}],"totalCount":7,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"videos":{"__typename":"VideoConnection","edges":[{"__typename":"VideoEdge","cursor":"MHxodHRwczovL3lvdXR1LmJlL2RkdmFrSmg2Z3prfDB8MjU7MjV8fA","node":{"__typename":"AssociatedVideo","videoTag":{"__typename":"VideoTag","vid":"https://youtu.be/ddvakJh6gzk","thumbnail":"https://i.ytimg.com/vi/ddvakJh6gzk/hqdefault.jpg","uploading":false,"height":113,"width":200,"title":null},"videoAssociationType":"INLINE_BODY"}}],"totalCount":1,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}}},"Conversation:conversation:301462":{"__typename":"Conversation","id":"conversation:301462","topic":{"__typename":"TkbTopicMessage","uid":301462},"lastPostingActivityTime":"2022-11-15T13:05:43.338-08:00","solved":false},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDE0NjItMTk1NjRpQjg2QjUyM0M0NTEyQ0E5RA?revision=17\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDE0NjItMTk1NjRpQjg2QjUyM0M0NTEyQ0E5RA?revision=17","title":"waap_overview.png","associationType":"BODY","width":1680,"height":901,"altText":null},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDE0NjItMjA0MTJpQ0JCN0FGQjI5MzBFN0VDOQ?revision=17\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDE0NjItMjA0MTJpQ0JCN0FGQjI5MzBFN0VDOQ?revision=17","title":"f5xclogo.png","associationType":"BODY","width":100,"height":103,"altText":null},"TkbTopicMessage:message:301462":{"__typename":"TkbTopicMessage","subject":"Getting started with the F5 Distributed Cloud Web App and API Protection Demo Guide","conversation":{"__ref":"Conversation:conversation:301462"},"id":"message:301462","revisionNum":17,"uid":301462,"depth":0,"board":{"__ref":"Tkb:board:TechnicalArticles"},"author":{"__ref":"User:user:217018"},"teaser@stripHtml({\"removeProcessingText\":true,\"truncateLength\":-1})":"","introduction":"","metrics":{"__typename":"MessageMetrics","views":4900},"postTime":"2022-09-28T05:00:00.033-07:00","lastPublishTime":"2022-11-15T13:05:43.338-08:00","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})":" \n Overview \n Sometimes all it takes to get started learning something new is just a little guidance, for those times when we just don't know where to begin. Providing that direction is the purpose of the F5 Distributed Cloud Web App and API Protection (XC WAAP) demo guide. The guide and accompanying demo videos will run you through sample app deployment, as well as App, API, Bot, and DDoS Protection use cases. We provide the app, the testing tool, and the guidance, everything you need to get started and kick the tires. All you need to bring is an F5 Distributed Cloud Account (trial is sufficient for this demo guide) and a bit of time. \n The guide uses a representative customer app scenario: a Star Ratings application which collects user ratings and reviews/comments on various items. The app runs on Kubernetes, and can be deployed on any cloud, but for the purposes of the demo guide we will deploy it on F5 XC virtual Kubernetes (vK8s) and protect it with F5 XC WAAP. \n The Scenario \n \n \n The Guide \n https://github.com/f5devcentral/xcwaapdemoguide \n \n Video Series Part 1: Infrastructure Setup \n \n \n \n Video Series Part 2: WAF Configuration \n \n \n \n Video Series Part 3: API Protection \n \n \n \n Video Series Part 4: Bot & DDoS Detection and Protection \n \n \n \n \n \n \"Nature is a mutable cloud, which is always and never the same.\" - Ralph Waldo Emerson \n We might not wax that philosophically around here, but our heads are in the cloud nonetheless! Join the F5 Distributed Cloud user group today and learn more with your peers and other F5 experts. \n ","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})@stringLength":"1717","kudosSumWeight":7,"repliesCount":0,"readOnly":false,"images":{"__typename":"AssociatedImageConnection","edges":[{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDE","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDE0NjItMTk1NjRpQjg2QjUyM0M0NTEyQ0E5RA?revision=17\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDI","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDE0NjItMjA0MTJpQ0JCN0FGQjI5MzBFN0VDOQ?revision=17\"}"}}],"totalCount":2,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"videos":{"__typename":"VideoConnection","edges":[{"__typename":"VideoEdge","cursor":"MHxodHRwczovL3d3dy55b3V0dWJlLmNvbS93YXRjaD92PXl3RUstVDg4ME9FfDB8MjU7MjV8fA","node":{"__typename":"AssociatedVideo","videoTag":{"__typename":"VideoTag","vid":"https://www.youtube.com/watch?v=ywEK-T880OE","thumbnail":"https://i.ytimg.com/vi/ywEK-T880OE/hqdefault.jpg","uploading":false,"height":113,"width":200,"title":null},"videoAssociationType":"INLINE_BODY"}},{"__typename":"VideoEdge","cursor":"MHxodHRwczovL3d3dy55b3V0dWJlLmNvbS93YXRjaD92PU5na0RBbXFfcmFrfDF8MjU7MjV8fA","node":{"__typename":"AssociatedVideo","videoTag":{"__typename":"VideoTag","vid":"https://www.youtube.com/watch?v=NgkDAmq_rak","thumbnail":"https://i.ytimg.com/vi/NgkDAmq_rak/hqdefault.jpg","uploading":false,"height":113,"width":200,"title":null},"videoAssociationType":"INLINE_BODY"}},{"__typename":"VideoEdge","cursor":"MHxodHRwczovL3d3dy55b3V0dWJlLmNvbS93YXRjaD92PXE3NnZ1bGFJdmF3fDJ8MjU7MjV8fA","node":{"__typename":"AssociatedVideo","videoTag":{"__typename":"VideoTag","vid":"https://www.youtube.com/watch?v=q76vulaIvaw","thumbnail":"https://i.ytimg.com/vi/q76vulaIvaw/hqdefault.jpg","uploading":false,"height":113,"width":200,"title":null},"videoAssociationType":"INLINE_BODY"}},{"__typename":"VideoEdge","cursor":"MHxodHRwczovL3d3dy55b3V0dWJlLmNvbS93YXRjaD92PUNzaXN4eDBLT0k4fDN8MjU7MjV8fA","node":{"__typename":"AssociatedVideo","videoTag":{"__typename":"VideoTag","vid":"https://www.youtube.com/watch?v=Csisxx0KOI8","thumbnail":"https://i.ytimg.com/vi/Csisxx0KOI8/hqdefault.jpg","uploading":false,"height":113,"width":200,"title":null},"videoAssociationType":"INLINE_BODY"}}],"totalCount":4,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}}},"Conversation:conversation:301389":{"__typename":"Conversation","id":"conversation:301389","topic":{"__typename":"TkbTopicMessage","uid":301389},"lastPostingActivityTime":"2023-06-25T19:26:21.611-07:00","solved":false},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDEzODktMTk2NDNpQUU5M0U4QThEOEY3NDUyOQ?revision=14\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDEzODktMTk2NDNpQUU5M0U4QThEOEY3NDUyOQ?revision=14","title":"jj-ying-8bghKxNU1j0-unsplash.jpg","associationType":"COVER","width":4032,"height":3024,"altText":""},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDEzODktMjA0MTJpQ0JCN0FGQjI5MzBFN0VDOQ?revision=14\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDEzODktMjA0MTJpQ0JCN0FGQjI5MzBFN0VDOQ?revision=14","title":"f5xclogo.png","associationType":"BODY","width":100,"height":103,"altText":null},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDEzODktMTk1NDlpOUJCQjVCMjlCODU3QzZDOA?revision=14\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDEzODktMTk1NDlpOUJCQjVCMjlCODU3QzZDOA?revision=14","title":"CDN RA.jpg","associationType":"BODY","width":1920,"height":1080,"altText":null},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDEzODktMTk2NDVpRjk2RTZGQzMxOTAzNEI2OA?revision=14\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDEzODktMTk2NDVpRjk2RTZGQzMxOTAzNEI2OA?revision=14","title":"CDN-visibility.jpg","associationType":"BODY","width":1920,"height":1080,"altText":null},"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDEzODktMTk2NDRpQTlDRjA4QzEwOUY0NDRFQw?revision=14\"}":{"__typename":"AssociatedImage","url":"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDEzODktMTk2NDRpQTlDRjA4QzEwOUY0NDRFQw?revision=14","title":"CDN-Dashboard.jpg","associationType":"BODY","width":1326,"height":992,"altText":null},"TkbTopicMessage:message:301389":{"__typename":"TkbTopicMessage","subject":"F5 Distributed Cloud Content Delivery Network: an overview and what's new","conversation":{"__ref":"Conversation:conversation:301389"},"id":"message:301389","revisionNum":14,"uid":301389,"depth":0,"board":{"__ref":"Tkb:board:TechnicalArticles"},"author":{"__ref":"User:user:418292"},"teaser@stripHtml({\"removeProcessingText\":true,\"truncateLength\":-1})":"","introduction":"","metrics":{"__typename":"MessageMetrics","views":2020},"postTime":"2022-09-27T16:19:37.768-07:00","lastPublishTime":"2023-06-25T19:26:21.611-07:00","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})":" \n From a technical feature perspective, there's nothing new in the world of Content Delivery. You read that right. What's new about it, however, is F5's Distributed Cloud blend of Content Delivery: It marries network connectivity, ingress networking, web security, and, of course, caching, and delivers it in a way that no other CDN provider has before. \n \n \"Nature is a mutable cloud, which is always and never the same.\" - Ralph Waldo Emerson \n We might not wax that philosophically around here, but our heads are in the cloud nonetheless! Join the F5 Distributed Cloud user group today and learn more with your peers and other F5 experts. \n \n Most apps nowadays aggregate content from many sources, and many don't use the same internal networks or even one specific cloud provider. Modern apps now pull content from everywhere, and depending on how frequently the content is accessed, it doesn't make sense to pay a premium to have all of it always available within milliseconds. This is where F5 Distributed Cloud CDN breathes new life and adds color to readily accessible on-demand content. If you're like me, you're probably wondering what's different in Content Delivery Networks today? Higher expectations and more specialization among providers. At F5, we see these trends grow by the day: \n \n \n Stronger user-driven demand for personalized content, live streaming, on-demand video, and other dynamic elements \n Increased expectations for strong application performance, availability, uptime, and a robust security posture to support a user-focused experience \n A growing need to deliver application logic closer to consumers using standard software development pipeline and lifecycle management \n More specialization – most CDN providers are now focusing primarily on: o Security, the fast-growing market segment o Online gaming o OTT (over-the-top) video o Web, email, and data o File sharing \n \n \n The first step for any CDN is to deliver content from the location closest to the point of origin. To do that, F5 uses its high-capacity global network to resolve DNS as close to that point as possible, and to direct clients to the closest regional point of presence. From there, F5 provides global DDoS protection at OSI model Layers 3 through 7 with its consolidated DNS, and Web App and API Protection (WAAP). Putting all the bits together, the F5 Distributed Cloud Console streamlines configuration for modern app types and API traffic (files, video, images), with integrated security control and advanced caching policies. \n \n \n \n The centralized control plane provides both management and observability into specific application traffic and events across all the endpoints, including those on different network. Now, let's see an example of how we can use the F5 CDN to distribute a modern app. Arcadia Finance is an example of a microservices app that we use at F5 to showcase new product features. It uses independent modules that can live in multiple cloud providers and on different networks. Frontend/Main - IBM Cloud Satellite, OpenShift k8s Backend - Azure AKS Money-Transfer - IBM Cloud Satellite, OpenShift k8s Refer-A-Friend - Google GKE Frontend/Main and Money-Transfer are workloads that run as pods in a k8s cluster on IBM OpenShift and are connected to the F5 Global Network using a Cluster-native k8s customer endpoint (CE), a workload managed by F5. Backend is a workload connected via F5 Distributed Cloud Customer Endpoint (CE) native to Azure. Refer-A-Friend is workload connected via F5 Distributed Cloud Customer Endpoint (CE) native to Google Cloud Service. To support the above app, the following configuration has been added as a distribution in the Distributed Cloud Console CDN service: \n metadata:\n name: arcadia-cdn\n labels: {}\nspec:\n domains:\n - arcadia-cdn.demo.internal\n http:\n dns_volterra_managed: true\n add_location: false\n more_option:\n cache_ttl_options:\n cache_ttl_default: 1m\n origin_pool:\n public_name:\n dns_name: ves-io-f85551e2-8a82-4fb4-88a4-b5c202e56d41.ac.vh.ves.io\n no_tls: {}\n origin_servers:\n - public_name:\n dns_name: ves-io-f85551e2-8a82-4fb4-88a4-b5c202e56d41.ac.vh.ves.io\n dns_info: []\n state: VIRTUAL_HOST_READY\n auto_cert_info:\n auto_cert_state: AutoCertDisabled\n dns_records: []\n service_domains:\n - domain: arcadia-cdn.demo.internal\n service_domain: ves-io-cdn-arcadia-cdn-demo-internal.autocerts.ves.volterra.io\n \n When a user accesses and logs into the Arcadia App, F5 Distributed Cloud CDN first screens each request and then passes it through to the backend, in this case, Frontend/Main. The main pod then works to pull content from the backend, money-transfer, and refer-a-friend modules, all of which are available as different internal endpoints and virtual servers accessible only from other pods within the F5 Global Network. Only after the content has been successfully fetched by Frontend is the landing page finally presented to the user. In the context of CDN, we refer to this first case as a Cache-Miss. \n % curl -I http://arcadia-cdn.demo.internal/images/image1.jpg\nHTTP/1.1 200 OK\nDate: Thu, 15 Sep 2022 00:38:22 GMT\nContent-Type: image/jpeg\nContent-Length: 54142\nConnection: keep-alive\nlast-modified: Wed, 10 Aug 2022 18:48:47 GMT\netag: \"62f3fd8f-d37e\"\nx-envoy-upstream-service-time: 5\nServer: volt-cdn\nx-cache-status: MISS\nAccept-Ranges: bytes \n When Arcadia Finance is front ended with the Distributed Cloud CDN, content no longer needs to be fetched by Frontend/Main every time the user accesses the page. To reduce load on the app modules, the CDN caches all the content and delivers it to the user upon subsequent hits. This is known as a Cache-Hit. \n % curl -I http://arcadia-cdn.demo.internal/images/image1.jpg\nHTTP/1.1 200 OK\nDate: Thu, 15 Sep 2022 00:38:25 GMT\nContent-Type: image/jpeg\nContent-Length: 54142\nConnection: keep-alive\nlast-modified: Wed, 10 Aug 2022 18:48:47 GMT\netag: \"62f3fd8f-d37e\"\nx-envoy-upstream-service-time: 31\nServer: volt-cdn\nx-cache-status: HIT\nAccept-Ranges: bytes When using Distributed Cloud CDN to distribute frontend apps, even when there's a Cache-Miss, the user experience will be improved vs going to the app directly because the CDN directs the connection to F5's closest regional point of presence (PoP), eliminating much of the uncontrolled and variable latency inherent on the Internet. After accessing the Arcadia Finance app for some time, even when the cached page Time To Live (TTL) policy is set to a very low value of 1 minute, we're still able to see a good amount of caching provided by F5's CDN. Viewing the app's distribution performance in the Distributed Cloud Console, we can see the percentage of hits vs. misses, what the returned latency is for each, how much of the app is returning HTTP 2xx, 3xx, 4xx, or 5xx status codes, and even which versions of SSL and HTTP the connections use. \n \n Overall, F5's CDN pulls out all the stops when it comes to safeguarding your environments. Regardless of whether an app's content sprawls multiple private and public networks, F5's CDN can connect to it securely at the app level and cache it. Endpoint-specific security policies within the CDN can be added with a few clicks and the use of a Swagger file to further restrict the operations and content allowed to prevent malicious actors. All in all, F5's Content Delivery Network delivers the best set of network connectivity and security-focused functionality to enable today's most modern applications. In the following video, I share some of the additional benefits of using the F5 Distributed Cloud CDN and show the difference that users will notice when the CDN provides more content from the cache. \n \n \n Additional Resources \n For more information about this product as well as details on how to configure it, go to the following additional resources. \n \n CDN product information CDN product documentation \n F5 Distributed Cloud Secure CDN Solution: CDN + WAAP (Web App & API Security) ","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})@stringLength":"8266","kudosSumWeight":7,"repliesCount":1,"readOnly":false,"images":{"__typename":"AssociatedImageConnection","edges":[{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDE","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDEzODktMTk2NDNpQUU5M0U4QThEOEY3NDUyOQ?revision=14\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDI","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDEzODktMjA0MTJpQ0JCN0FGQjI5MzBFN0VDOQ?revision=14\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDM","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDEzODktMTk1NDlpOUJCQjVCMjlCODU3QzZDOA?revision=14\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDQ","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDEzODktMTk2NDVpRjk2RTZGQzMxOTAzNEI2OA?revision=14\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuMnwyLjF8b3wyNXxfTlZffDU","node":{"__ref":"AssociatedImage:{\"url\":\"https://community.f5.com/t5/s/zihoc95639/images/bS0zMDEzODktMTk2NDRpQTlDRjA4QzEwOUY0NDRFQw?revision=14\"}"}}],"totalCount":5,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"videos":{"__typename":"VideoConnection","edges":[{"__typename":"VideoEdge","cursor":"MHxodHRwczovL3lvdXR1LmJlL1dtcDgtck1ja2NVfDB8MjU7MjV8fA","node":{"__typename":"AssociatedVideo","videoTag":{"__typename":"VideoTag","vid":"https://youtu.be/Wmp8-rMckcU","thumbnail":"https://i.ytimg.com/vi/Wmp8-rMckcU/hqdefault.jpg","uploading":false,"height":338,"width":600,"title":null},"videoAssociationType":"INLINE_BODY"}}],"totalCount":1,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}}},"CachedAsset:text:en_US-components/community/Navbar-1743097587452":{"__typename":"CachedAsset","id":"text:en_US-components/community/Navbar-1743097587452","value":{"community":"Community Home","inbox":"Inbox","manageContent":"Manage Content","tos":"Terms of Service","forgotPassword":"Forgot Password","themeEditor":"Theme Editor","edit":"Edit Navigation Bar","skipContent":"Skip to content","migrated-link-9":"Groups","migrated-link-7":"Technical Articles","migrated-link-8":"DevCentral News","migrated-link-1":"Technical Forum","migrated-link-10":"Community Groups","migrated-link-2":"Water Cooler","migrated-link-11":"F5 Groups","Common-external-link":"How Do I...?","migrated-link-0":"Forums","article-series":"Article Series","migrated-link-5":"Community Articles","migrated-link-6":"Articles","security-insights":"Security Insights","migrated-link-3":"CrowdSRC","migrated-link-4":"CodeShare","migrated-link-12":"Events","migrated-link-13":"Suggestions"},"localOverride":false},"CachedAsset:text:en_US-components/community/NavbarHamburgerDropdown-1743097587452":{"__typename":"CachedAsset","id":"text:en_US-components/community/NavbarHamburgerDropdown-1743097587452","value":{"hamburgerLabel":"Side Menu"},"localOverride":false},"CachedAsset:text:en_US-components/community/BrandLogo-1743097587452":{"__typename":"CachedAsset","id":"text:en_US-components/community/BrandLogo-1743097587452","value":{"logoAlt":"Khoros","themeLogoAlt":"Brand Logo"},"localOverride":false},"CachedAsset:text:en_US-components/community/NavbarTextLinks-1743097587452":{"__typename":"CachedAsset","id":"text:en_US-components/community/NavbarTextLinks-1743097587452","value":{"more":"More"},"localOverride":false},"CachedAsset:text:en_US-components/authentication/AuthenticationLink-1743097587452":{"__typename":"CachedAsset","id":"text:en_US-components/authentication/AuthenticationLink-1743097587452","value":{"title.login":"Sign In","title.registration":"Register","title.forgotPassword":"Forgot Password","title.multiAuthLogin":"Sign In"},"localOverride":false},"CachedAsset:text:en_US-components/nodes/NodeLink-1743097587452":{"__typename":"CachedAsset","id":"text:en_US-components/nodes/NodeLink-1743097587452","value":{"place":"Place {name}"},"localOverride":false},"CachedAsset:text:en_US-components/tags/TagSubscriptionAction-1743097587452":{"__typename":"CachedAsset","id":"text:en_US-components/tags/TagSubscriptionAction-1743097587452","value":{"success.follow.title":"Following Tag","success.unfollow.title":"Unfollowed Tag","success.follow.message.followAcrossCommunity":"You will be notified when this tag is used anywhere across the community","success.unfollowtag.message":"You will no longer be notified when this tag is used anywhere in this place","success.unfollowtagAcrossCommunity.message":"You will no longer be notified when this tag is used anywhere across the community","unexpected.error.title":"Error - Action Failed","unexpected.error.message":"An unidentified problem occurred during the action you took. Please try again later.","buttonTitle":"{isSubscribed, select, true {Unfollow} false {Follow} other{}}","unfollow":"Unfollow"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageListTabs-1743097587452":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageListTabs-1743097587452","value":{"mostKudoed":"{value, select, IDEA {Most Votes} other {Most Likes}}","mostReplies":"Most Replies","mostViewed":"Most Viewed","newest":"{value, select, IDEA {Newest Ideas} OCCASION {Newest Events} other {Newest Topics}}","newestOccasions":"Newest Events","mostRecent":"Most Recent","noReplies":"No Replies Yet","noSolutions":"No Solutions Yet","solutions":"Solutions","mostRecentUserContent":"Most Recent","trending":"Trending","draft":"Drafts","spam":"Spam","abuse":"Abuse","moderation":"Moderation","tags":"Tags","PAST":"Past","UPCOMING":"Upcoming","sortBymostRecent":"Sort By Most Recent","sortBymostRecentUserContent":"Sort By Most Recent","sortBymostKudoed":"Sort By Most Likes","sortBymostReplies":"Sort By Most Replies","sortBymostViewed":"Sort By Most Viewed","sortBynewest":"Sort By Newest Topics","sortBynewestOccasions":"Sort By Newest Events","otherTabs":" Messages list in the {tab} for {conversationStyle}","guides":"Guides","archives":"Archives"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/common/QueryHandler-1743097587452":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/common/QueryHandler-1743097587452","value":{"title":"Query Handler"},"localOverride":false},"CachedAsset:text:en_US-components/community/NavbarDropdownToggle-1743097587452":{"__typename":"CachedAsset","id":"text:en_US-components/community/NavbarDropdownToggle-1743097587452","value":{"ariaLabelClosed":"Press the down arrow to open the menu"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/common/OverflowNav-1743097587452":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/common/OverflowNav-1743097587452","value":{"toggleText":"More"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageView/MessageViewInline-1743097587452":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageView/MessageViewInline-1743097587452","value":{"bylineAuthor":"{bylineAuthor}","bylineBoard":"{bylineBoard}","anonymous":"Anonymous","place":"Place {bylineBoard}","gotoParent":"Go to parent {name}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/common/Pager/PagerLoadMore-1743097587452":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/common/Pager/PagerLoadMore-1743097587452","value":{"loadMore":"Show More"},"localOverride":false},"CachedAsset:text:en_US-components/customComponent/CustomComponent-1743097587452":{"__typename":"CachedAsset","id":"text:en_US-components/customComponent/CustomComponent-1743097587452","value":{"errorMessage":"Error rendering component id: {customComponentId}","bannerTitle":"Video provider requires cookies to play the video. Accept to continue or {url} it directly on the provider's site.","buttonTitle":"Accept","urlText":"watch"},"localOverride":false},"CachedAsset:text:en_US-components/users/UserLink-1743097587452":{"__typename":"CachedAsset","id":"text:en_US-components/users/UserLink-1743097587452","value":{"authorName":"View Profile: {author}","anonymous":"Anonymous"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageSubject-1743097587452":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageSubject-1743097587452","value":{"noSubject":"(no subject)"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageTime-1743097587452":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageTime-1743097587452","value":{"postTime":"Published: {time}","lastPublishTime":"Last Update: {time}","conversation.lastPostingActivityTime":"Last posting activity time: {time}","conversation.lastPostTime":"Last post time: {time}","moderationData.rejectTime":"Rejected time: {time}"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/nodes/NodeIcon-1743097587452":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/nodes/NodeIcon-1743097587452","value":{"contentType":"Content Type {style, select, FORUM {Forum} BLOG {Blog} TKB {Knowledge Base} IDEA {Ideas} OCCASION {Events} other {}} icon"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageUnreadCount-1743097587452":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageUnreadCount-1743097587452","value":{"unread":"{count} unread","comments":"{count, plural, one { unread comment} other{ unread comments}}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageViewCount-1743097587452":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageViewCount-1743097587452","value":{"textTitle":"{count, plural,one {View} other{Views}}","views":"{count, plural, one{View} other{Views}}"},"localOverride":false},"CachedAsset:text:en_US-components/kudos/KudosCount-1743097587452":{"__typename":"CachedAsset","id":"text:en_US-components/kudos/KudosCount-1743097587452","value":{"textTitle":"{count, plural,one {{messageType, select, IDEA{Vote} other{Like}}} other{{messageType, select, IDEA{Votes} other{Likes}}}}","likes":"{count, plural, one{like} other{likes}}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageRepliesCount-1743097587452":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageRepliesCount-1743097587452","value":{"textTitle":"{count, plural,one {{conversationStyle, select, IDEA{Comment} OCCASION{Comment} other{Reply}}} other{{conversationStyle, select, IDEA{Comments} OCCASION{Comments} other{Replies}}}}","comments":"{count, plural, one{Comment} other{Comments}}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageBody-1743097587452":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageBody-1743097587452","value":{"showMessageBody":"Show More","mentionsErrorTitle":"{mentionsType, select, board {Board} user {User} message {Message} other {}} No Longer Available","mentionsErrorMessage":"The {mentionsType} you are trying to view has been removed from the community.","videoProcessing":"Video is being processed. Please try again in a few minutes.","bannerTitle":"Video provider requires cookies to play the video. Accept to continue or {url} it directly on the provider's site.","buttonTitle":"Accept","urlText":"watch"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components/users/UserAvatar-1743097587452":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/users/UserAvatar-1743097587452","value":{"altText":"{login}'s avatar","altTextGeneric":"User's avatar"},"localOverride":false}}}},"page":"/tags/TagPage/TagPage","query":{"messages.widget.messagelistfornodebyrecentactivitywidget-tab-main-messages-list-for-tag-widget-0":"mostKudoed","nodeId":"board:TechnicalArticles","tagName":"F5 Distributed Cloud WAAP"},"buildId":"q_bLpq2mflH0BeZigxpj6","runtimeConfig":{"buildInformationVisible":false,"logLevelApp":"info","logLevelMetrics":"info","openTelemetryClientEnabled":false,"openTelemetryConfigName":"f5","openTelemetryServiceVersion":"25.2.0","openTelemetryUniverse":"prod","openTelemetryCollector":"http://localhost:4318","openTelemetryRouteChangeAllowedTime":"5000","apolloDevToolsEnabled":false,"inboxMuteWipFeatureEnabled":false},"isFallback":false,"isExperimentalCompile":false,"dynamicIds":["./components/customComponent/CustomComponent/CustomComponent.tsx","./components/community/Navbar/NavbarWidget.tsx","./components/community/Breadcrumb/BreadcrumbWidget.tsx","./components/tags/TagsHeaderWidget/TagsHeaderWidget.tsx","./components/messages/MessageListForNodeByRecentActivityWidget/MessageListForNodeByRecentActivityWidget.tsx","./components/tags/TagSubscriptionAction/TagSubscriptionAction.tsx","./components/customComponent/CustomComponentContent/TemplateContent.tsx","../shared/client/components/common/List/ListGroup/ListGroup.tsx","./components/messages/MessageView/MessageView.tsx","./components/messages/MessageView/MessageViewInline/MessageViewInline.tsx","../shared/client/components/common/Pager/PagerLoadMore/PagerLoadMore.tsx","./components/customComponent/CustomComponentContent/HtmlContent.tsx","./components/customComponent/CustomComponentContent/CustomComponentScripts.tsx"],"appGip":true,"scriptLoader":[]}