Support and Help for DevCentral and Offline Contact
Self Serve / Help Resources

If you can't get on to DevCentral or need assistance with something and just cannot find it, we will do our level best to help.

Under Attack?
Cyberattack Protection: F5 is Ready to Respond Within Minutes. You DO NOT have to be an F5 customer to get help. Available 24 hours a day, 7 days a week.

Technical Forum
Our Technical Forum is always the best place to go for community-sourced technical questions about F5 technology (or related tech).

Global Search
Search in the global search bar - this searches all forum, article, group hub, etc (where you have permission).

DevCentral Help Page
In the dropdown under your profile avatar is a link to the DevCentral Help page containing general tips on how to use the DevCentral community website.

F5 Official Support @ MyF5
F5 Official Support @ MyF5 provides knowledge on detailed technical issues which the community is unable to address.

DevCentral Suggestion (enhancement request)
If you have an idea or feature request *about* the DevCentral community site itself use our Suggestions board.

DevCentral Feedback
If all else fails send an email message using this link: DevCentralFeedback@f5.com. We will do the best we can.*

--- Your DevCentral Community Team.

* comments are, unironically, locked on *this* article.

Where are F5's archived deployment guides?
Archived F5 Deployment Guides

This article contains an index of F5’s archived deployment guides, previously hosted on F5 | Multi-Cloud Security and Application Delivery. They are all now hosted on cdn.f5.com.

Archived guides...
- are no longer supported and no longer being updated - provided for reference only.
- may refer to products or versions, by F5 or 3rd parties, that are end-of-life (EOL) or end-of-support (EOS).
- may refer to iApp templates that are deprecated. For current/updated iApps and FAST templates see myF5 K13422: F5-supported and F5-contributed iApp templates

Current F5 Deployment Guides
Deployment Guides (https://www.f5.com/resources/deployment-guides)

IMPORTANT: The guidance found in archived guides is no longer supported by F5, Inc. and is supplied for reference only. For assistance configuring F5 devices with 3rd party applications we recommend contacting F5 Professional Services here: Request Professional Services | F5

Archived Deployment Guide Index

| Deployment Guide Name (links to off-platform) | Written for… |
|---|---|
| CA Bundle Iapp | BIG-IP V11.5+, V12.X, V13 |
| Microsoft Internet Information Services 7.0, 7.5, 8.0, 10 | BIG-IP V11.4 - V13: LTM, AAM, AFM |
| Microsoft Exchange Server 2016 | BIG-IP V11 - V13: LTM, APM, AFM |
| Microsoft Sharepoint 2016 | BIG-IP V11.4 - V13: LTM, APM, ASM, AFM, AAM |
| Microsoft Active Directory Federation Services | BIG-IP V11 - V13: LTM, APM |
| SAP Netweaver: Erp Central Component | BIG-IP V11.4: LTM, AAM, AFM, ASM |
| SAP Netweaver: Enterprise Portal | BIG-IP V11.4: LTM, AAM, AFM, ASM |
| Microsoft Dynamics CRM 2013 And 2011 | BIG-IP V11 - V13: LTM, APM, AFM |
| IBM Qradar | BIG-IP V11.3: LTM |
| Microsoft Dynamics CRM 2016 and 2015 | BIG-IP V11 - V13: LTM, APM, AFM |
| SSL Intercept V1.5 | BIG-IP V12.0+: LTM |
| IBM Websphere 7 | BIG-IP LTM, WEBACCELERATOR, FIREPASS |
| Microsoft Dynamics CRM 4.0 | BIG-IP V9.X: LTM |
| SSL Intercept V1.0 | BIG-IP V11.4+, V12.0: LTM, AFM |
| SMTP Servers | BIG-IP V11.4, V12.X, V13: LTM, AFM |
| Oracle E-Business Suite 12 | BIG-IP V11.4 - V13: LTM, AFM, AAM |
| HTTP Applications | BIG-IP V11.4 - V13: LTM, AFM, AAM |
| Amazon Web Services Availability Zones | BIG-IP LTM VE: V12.1.0 HF2+, V13 |
| Oracle PeopleSoft Enterprise Applications | BIG-IP V11.4+: LTM, AAM, AFM, ASM |
| HTTP Applications: Downloadable IApp: | BIG-IP V11.4 - V13: LTM, APM, AFM, ASM |
| Oracle Weblogic 12.1, 10.3 | BIG-IP V11.4: LTM, AFM, AAM |
| IBM Lotus Sametime | BIG-IP V10: LTM |
| Analytics | BIG-IP V11.4 - V14.1: LTM, APM, AAM, ASM, AFM |
| Cacti Open Source Network Monitoring System | BIG-IP V10: LTM |
| NIST SP-800-53R4 Compliance | BIG-IP: V12 |
| Apache HTTP Server | BIG-IP V11, V12: LTM, APM, AFM, AAM |
| Diameter Traffic Management | BIG-IP V10: LTM |
| Nagios Open Source Network Monitoring System | BIG-IP V10: LTM |
| F5 BIG-IP Apm With IBM, Oracle and Microsoft | BIG-IP V10: APM |
| Apache Web Server | BIG-IP V9.4.X, V10: LTM, WA |
| DNS Traffic Management | BIG-IP V10: LTM |
| Diameter Traffic Management | BIG-IP V11.4+, V12: LTM |
| Citrix XenDesktop | BIG-IP V10: LTM |
| F5 As A SAML 2.0 Identity Provider For Common SaaS Applications | BIG-IP V11.3+, V12.0 |
| Apache Tomcat | BIG-IP V10: LTM |
| Citrix Presentation Server | BIG-IP V9.X: LTM |
| Npath Routing - Direct Server Return | BIG-IP V11.4 - V13: LTM |
| Data Center Firewall | BIG-IP V11.6+, V12: AFM, LTM |
| Citrix XenApp Or XenDesktop Iapp V2.3.0 | BIG-IP V11, V12: LTM, APM, AFM |
| Citrix XenApp Or XenDesktop | BIG-IP V10.2.1: APM |

Getting Started on DevCentral
DevCentral, supported by F5, is an online community of technical peers dedicated to learning, exchanging ideas, and solving problems - together. Here are some tips to get you started, so you can maximize the value from this community space.

Register a free user account
- Click the Register link at the top right of every DevCentral page
- Authenticate with any valid email address.
TIP: You may use the same email address as your MyF5 profile (this will enable a simpler, Single Sign On (SSO) experience between my.f5.com and community.f5.com) or you may opt to use a personal email address for your community profile. Using a personal email address for community usually requires a separate login, using a customer email account, to access support and subscription information via my.f5.com.
- Next you will be taken to a confirmation page

Email Verification
- You will receive an email from <noreply@mail.account.f5.com>
- Click the Activate Account button in the confirmation email in order to activate your new account.

Setting up MFA / 2-step Authentication
Successful email activation brings you to 2-Step Authentication setup.
Mandatory: Choose one or more of the available 2-step modes to secure your account and follow the steps provided.

Complete (DevCentral) Registration
Once you have finished with 2-step Authentication you will be asked to
- Choose a unique username
- Accept the Terms of Service.
- Click the Complete button
TIP: You will receive confirmation email from noreply@mail.account.f5.com related to your SSO account AND email from replies-disabled@community-mail.f5.com welcoming you to the community or alerting you to badges earned, etc. To be notified in the future of content updates you choose to follow - be sure to allow email from replies-disabled@community-mail.f5.com. You may also choose to limit what email you want to see and/or how often you want to see it by configuring your Follows & Notification Preferences under My Profile > My Settings.

Congratulations!
Your DevCentral community profile is complete.

Build Community Profile
To maximize the value of your community experience visit My Settings to adjust the behavior of the community to suit your needs. Settings include Personal details, global Preferences, settings under Follows & Notifications to control platform alerts and email, and Security & Account settings to control your data.
Click on your profile avatar in the top right of the page and go to My Settings.

Personal Information
Change your username, avatar, Bio, Personal Notes, and Personal Site URL at any time.
RE: Email Addresses
At this time email addresses are key and cannot be changed directly. To update an email address on an existing DevCentral profile contact us at DevCentralFeedback@f5.com and ask for help updating your email address.

Preferences
At this time preference options are limited to Date and TimeZone choices.

Follows & Notifications
See the content you are Following. You can filter the way this displays using the dropdown at the top. A revealed ellipsis at right lets you unfollow. Below that are the Email Notification preferences, including global enable/disable and choices for delivery timing for all manner of triggers.

Security & Account
Personal information related to IP Addresses and the ability to download a copy of your data from the community is here. Only you can see this information.

Still need help?
Make sure to check out the Help Page first, and if you still can’t find what you need, send a message to DevCentralFeedback@f5.com and we’ll work to get your issue sorted.

DevCentral Community Guidelines
Be polite and respectful of the community and its members. The community is made up of F5 users, employees, partners, distributors, enthusiasts, evangelists, experts, n00bs, and more. We ask that you please not engage in disrespectful, insulting, berating, or condescending language or behavior.

Post with detail, and comment constructively. While we absolutely value the lurkers in our community, we ask that if you decide to engage more actively, you do so with the first guideline in mind. What is obvious to you may be completely unknown to someone else. Please use tact and civility; avoid provocation. Clickbait, spam, and spamdexing are right out.

Remember that a healthy community is largely comprised of unpaid volunteers. One thing we love to see is people learning and people teaching. One thing we don’t love to see is a sense of entitlement to anyone else’s time or knowledge. We help each other as and when we can, so there should never be an expectation of free on-demand support.

Do not share personal or private information or anything you do not want in the wild, including in private messages. This includes address, phone numbers, credit card information, passwords, and other sensitive information (including unsanitized code). If you see this happening, or anyone asks you to do this, please let the team know by reporting the request as inappropriate content.

Please DO:
- Engage at whatever level you are comfortable, whether that is just reading articles and shared code, asking questions, answering questions, or contributing more deeply.
- Use the Search function to see if someone has already asked/answered the question you have before posting
- Keep conversations on track
- Provide factual information to the best of your knowledge
- Cite sources if not posting your own original content
- Include context/reasoning for linking to off-platform content.
This serves to increase trust in your intention and reduce the likelihood of delays associated with manual and automatic SPAM reporting.
- Report any abuse you see in the community by using the link on the comment or article, or by sending us an email

Please DO NOT:
- Be rude/spam/troll
- Divert from the original topic of a thread
- Threaten, intimidate, or insult
- Post illegal, sexual, or religious content
- Doxx anyone
- Impersonate an F5 employee or anyone else
- Link to offsite content without providing some context, or links which violate either these community guidelines or the DevCentral End User License Agreement (EULA).

Violation of these guidelines will typically result in a communication from a Community Manager with instructions on how to resolve the violation. Continued violations may result in a temporary or permanent ban from the community. Clickbait, spam, and spamdexing are right out.

v1.1 (26.04.2022)

DevCentral Resources
DevCentral offers resources that let you get a closer look at F5 products and the code behind them.
- API Documentation - Here's where you'll find documentation on iRules, iControl, and iApps; advanced design and configuration techniques, and more.
- Downloads - Get a comprehensive, fully sortable, list of downloads of interest to devs.
- Developer License - Buy a low-cost Developer License so you can try F5 products in your own development and test environments.

Support
Self-solve issues with Knowledge Base articles, the iHealth Diagnostic Tool, technical product documentation, and more - all on F5 Support.
- Knowledge Center Articles
- Product Documentation
- iHealth Diagnostic Tool

Resources on F5.com
F5's corporate site offers everything from the latest deployment guides to training opportunities.
- Deployment Guides
- Training and Certification
- F5 Labs

DEVCENTRAL END-USER LICENSE AGREEMENT
Effective: January 24, 2022 IMPORTANT-READ CAREFULLY: This F5 End User License Agreement (“License”) is a legal agreement between you (either an individual or a single entity) and F5, Inc. for materials obtained from and participation in the F5 DevCentral site, which includes computer software and may include associated media, printed materials, and “online” or electronic documentation (“Software Product”). By installing, copying, or otherwise using the Software Product, you agree to be bound by the terms of this License. If you do not agree to the terms of this License, do not install or use the Software Product. The Software Product is protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties. The Software Product is licensed, not sold. GRANT OF LICENSE (a) This License grants you the following rights: Software Product. F5 grants to you a non-transferable, nonexclusive license to make and use copies of the Software Product for the sole purposes of designing, developing, and testing your software product(s). You may install copies of the Software Product on an unlimited number of computers within your organization provided that you remain responsible for the compliance of each user with the terms and conditions hereof. Electronic Documents. Solely with respect to electronic documents included with the Software Product, you may make an unlimited number of copies (either in hardcopy or electronic form), provided that such copies shall be used only for internal purposes and are not republished or distributed to any third party. iii. Storage/Network Use. You may also store or install a copy of the Software Product on a storage device, such as a network server, used only to install or run the Software Product on your other computers over an internal network. (b) Control Library and Sample Code.
In addition to the rights granted in Section 1(a.i), in the event the Software Product you are licensing is part of an iControl library or sample code identified in the F5 code share, F5 grants you a non-exclusive, royalty-free right to modify the source code version of those portions of the Software Product for the sole purposes of designing, developing, and testing your software product(s), provided that you comply with Section 1(b.iii), below. Redistributable Files. In addition to the rights granted in Section 1(b.i), F5 grants you a nonexclusive, royalty-free right to reproduce and distribute in object code form only the iControl library and sample code, provided that you comply with Section 1(b.iii), below. iii. Redistribution Requirements. If you wish to distribute the Redistributable Files (or any portion thereof), you agree to: (1) distribute the Redistributable Files in object code only in conjunction with and as a part of a software product (each, a “Licensee Product”) developed by you that is based on the Software Product and adds significant and primary functionality to an F5 product; (2) not use F5’s name, logo, or trademarks to market your Licensee Product unless you have obtained prior written approval from F5; (3) include a valid copyright notice on your Licensee Product and not remove any copyright, trademark, or other proprietary notices including attribution information, credits, and notices already placed in the Software Product; (4) indemnify, hold harmless, and defend F5 from and against any claims or lawsuits, including attorneys’ fees, that arise or result from the use or distribution of your Licensee Product or your distribution of the Redistributable Files; (5) distribute all of the files listed under each of the headings in the Samples Directory; (6) not permit further distribution of the Redistributable Files, except as specifically provided for in this Agreement.
Other than for iControl libraries and sample code, Software Products may not be redistributed without the prior written consent of F5. (c) The following exceptions apply to subsection 1(b.iii)(6), above: (A) you may permit further redistribution of the Limited Use Redistributable Files by your distributors to your end-user customers if your distributors only distribute the Limited Use Redistributable Files in conjunction with, and as part of, your Licensee Product and you and your distributors comply with all other terms of this License; (B) you may permit your end users to reproduce and distribute the object code version of the Limited-Use Redistributable files for use in development of an application created by your end user (“End User Application”), provided that your end user agrees in writing to: (i) distribute the Limited-Use Redistributable Files in object code only in conjunction with and as a part of a software application product developed by them that adds significant and primary functionality to the Limited-Use Redistributable Files (“End User Application”); (ii) not use F5’s name, logo, or trademarks to market the End User Application unless it has obtained prior written approval from F5; (iii) include a valid copyright notice on the End User Application and not remove any copyright, trademark, or other proprietary notices including attribution information, credits, and notices already placed in the Software Product; (iv) indemnify, hold harmless, and defend F5 from and against any claims or lawsuits, including attorney’s fees, that arise or result from the use or distribution of the End User Application; (v) disclaim all express and implied warranties on behalf of F5, and exclude liability of F5 and its licensors for any special, indirect, exemplary, incidental or consequential damages; (vi) not distribute less than all of the files listed under each of the headings in the Samples Directory file if your end user distributes any one or more of such
files in an End User Application; and (vii) not permit further distribution of the Limited-Use Redistributable Files by the user of the End User Application. Limited-Use Redistributable Files: the Limited-Use Redistributable Files are all of the files listed in an iControl library or sample code identified in the F5 code share, except those in Section 3. COPYRIGHT. All title and copyrights in and to the Software Product (including but not limited to any images, photographs, and text incorporated into the Software Product), the accompanying printed materials, and any copies of the Software Product are owned by F5 and their respective copyright owners. The Software Product is protected by copyright laws and international treaty provisions. Therefore, you must treat the Software Product like any other copyrighted material except that you may install the Software Product on a single computer provided you keep the original solely for backup or archival purposes. You may not copy the printed materials accompanying the Software Product. DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS (a) Limitations on Reverse Engineering, Decompilation, and Disassembly. You may not reverse engineer, decompile, or disassemble the Software Product, except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation. (b) Separation of Components. The Software Product is licensed as a single product. Its component parts may not be separated for use on more than one computer. (c) Rental. You may not rent, lease, or lend the Software Product. (d) Support Services. F5 may, but shall be under no obligation to, correct any defects in the Software Product and/or provide updates to licensees of the Software Product. You shall make reasonable efforts to promptly report to F5 any defects you find in the Software Product, as an aid to creating improved revisions of the Software Product. 
You shall be solely responsible for, and F5 shall have no obligation to honor, any warranties that you provide to your customers or to end users with respect to the Software Product or Licensee Products. You shall defend any claim against F5 arising in connection with any such warranties, express, implied, statutory, or otherwise, and shall pay any settlements or damages awarded against F5 that are based on any such warranties. (e) Assignment. This Agreement shall be binding upon and inure to the benefit of the parties and their respective successors and assigns, provided, however that you may not assign this Agreement or any rights or obligation hereunder, directly or indirectly, by operation of law or otherwise, without the prior written consent of F5, and any such attempted assignment shall be void. Notwithstanding the foregoing, (i) you may assign this Agreement to a successor to all or substantially all of your business or assets to which this Agreement relates that is not a competitor of F5, and (ii) you shall have the right to transfer your rights hereunder to any company which is wholly owned by you provided such successor or subsidiary agrees in writing to be bound by all the terms and conditions of this Agreement that are applicable to you. (f) Termination. Without prejudice to any other rights, F5 may terminate this License if you fail to comply with the terms and conditions of this License. In such event, you must destroy all copies of the Software Product and all of its component parts. (g) No Other Rights Granted. Apart from the license rights expressly set forth in this Agreement, F5 does not grant and you do not receive any ownership right, title or interest nor any security interest or other interest in any intellectual property rights relating to the Software Product, nor in any copy of any part of the foregoing.
You shall not use, license, sell or otherwise distribute the Software Product or any Licensee Product except as provided in this Agreement. U.S. GOVERNMENT RESTRICTED RIGHTS. The Software Product and documentation are provided with RESTRICTED RIGHTS. Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 or subparagraphs (c)(1) and (2) of the Commercial Computer Software-Restricted Rights at 48 CFR 52.227-19, as applicable. Manufacturer is F5, Inc./801 5th Ave West/Seattle, WA 98104. EXPORT RESTRICTIONS. You agree that neither you nor your customers intend to or will, directly or indirectly, export or transmit (i) the SOFTWARE or related documentation and technical data or (ii) your software product as described in Section 1(f) of this License (or any part thereof), or process, or service that is the direct product of the SOFTWARE, to any country to which such export or transmission is restricted by any applicable U.S. regulation or statute, without the prior written consent, if required, of the Bureau of Export Administration of the U.S. Department of Commerce, or such other governmental entity as may have jurisdiction over such export or transmission. PARTICIPATION IN THE DEVCENTRAL COMMUNITY. You agree to comply with the Terms of Use for the F5 website on which DevCentral is hosted. Any personal information you provide when participating in the DevCentral community will be treated in accordance with the F5 Privacy Notice. LIMITATION OF LIABILITY. (a) THE INFORMATION, SOFTWARE, PRODUCTS, AND SERVICES INCLUDED IN OR AVAILABLE THROUGH THE DevCentral WEB SITE MAY INCLUDE INACCURACIES OR TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN. DevCentral AND/OR ITS SUPPLIERS MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE DevCentral WEB SITE AT ANY TIME.
ADVICE RECEIVED VIA THE DevCentral WEB SITE SHOULD NOT BE RELIED UPON FOR PERSONAL, MEDICAL, LEGAL OR FINANCIAL DECISIONS AND YOU SHOULD CONSULT AN APPROPRIATE PROFESSIONAL FOR SPECIFIC ADVICE TAILORED TO YOUR SITUATION. IF YOU ARE DISSATISFIED WITH ANY PORTION OF THE DevCentral WEB SITE, OR WITH ANY OF THESE TERMS OF USE, YOUR SOLE AND EXCLUSIVE REMEDY IS TO DISCONTINUE USING THE DevCentral WEB SITE. Service Contact: devcentral@f5.com. (b) THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE Software Product IS PROVIDED “AS IS” AND F5 AND ITS SUPPLIERS DISCLAIM ALL OTHER WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, BY STATUTE, COMMUNICATION OR CONDUCT WITH LICENSEE, OR OTHERWISE. F5 SPECIFICALLY DISCLAIMS ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A SPECIFIC PURPOSE OR NONINFRINGEMENT CONCERNING THE Software Product OR ANY UPGRADES TO OR DOCUMENTATION FOR THE Software Product. WITHOUT LIMITATION OF THE ABOVE, F5 GRANTS NO WARRANTY THAT THE Software Product IS ERROR-FREE OR WILL OPERATE WITHOUT INTERRUPTION, AND GRANTS NO WARRANTY REGARDING ITS USE OR THE RESULTS THEREFROM INCLUDING, WITHOUT LIMITATION, ITS CORRECTNESS, ACCURACY OR RELIABILITY. NOTWITHSTANDING THE FOREGOING, F5 WARRANTS THAT IT HAS ALL THIRD PARTY LICENSE RIGHTS THAT ARE NECESSARY TO GRANT THE LICENSE RIGHTS SET FORTH HEREIN. (c) IN NO EVENT SHALL F5 HAVE ANY LIABILITY FOR ANY INDIRECT, INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES, HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER FOR BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE, ARISING OUT OF THIS AGREEMENT, INCLUDING BUT NOT LIMITED TO LOSS OF PROFITS, EVEN IF F5 HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THESE LIMITATIONS SHALL APPLY NOTWITHSTANDING ANY FAILURE OF ESSENTIAL PURPOSE OF ANY LIMITED REMEDY. 
EXCEPT WITH RESPECT TO THE WARRANTY SET FORTH IN THE LAST SENTENCE OF THE “LIMITED WARRANTY” SECTION ABOVE, F5’s ENTIRE LIABILITY AND YOUR EXCLUSIVE REMEDY UNDER THIS License SHALL NOT EXCEED ONE HUNDRED DOLLARS (US$100.00). MISCELLANEOUS. If you acquired this product in the United States, this License is governed by the laws of the State of Washington. If this product was acquired outside the United States, then local law may apply. Should you have any questions concerning this License, or if you desire to contact F5 for any reason, please contact the F5 location serving your country, or write: F5, Inc./Attn: Legal Department/801 5th Ave/Seattle, WA 98104. If you have a specific question regarding the licensing of redistributable files, you may call contact F5 at info@f5.com inquiries via fax to F5 SDK for iControl (206) 272-5556 (United States only).

Making WAF Simple: Introducing the OWASP Compliance Dashboard
Whether you are a beginner or an expert, there is a truth that I want to let you in on: building and maintaining Web Application Firewall (WAF) security policies can be challenging. How much security do you really need? Is your configuration too much or too little? Have you created an operational nightmare?

Many well-intentioned administrators will initially enable every available feature, thinking that it is providing additional security to the application, when in truth, it is hindering it. How, you may ask? False positives and noise. The more noise and false positives, the harder it becomes to find the real attacks, and the more likely it is that you begin disabling features that ARE providing essential security for your applications.

So… less is better then? That isn't the answer either; what good are our security solutions if they aren't protecting against anything? The key to success, and what we will look at further in this article, is implementing best practice controls that are both measurable and manageable for your organization.

The OWASP Application Security Top 10 is a well-respected list of the ten most prevalent and dangerous application layer attacks that you almost certainly should protect your applications from. By first focusing your security controls on the items in the OWASP Top 10, you are improving the manageability of your security solution and getting the most "bang for your buck". Now, the challenge is, how do you take such a list and build real security protections for your applications?

Introducing the OWASP Compliance Dashboard

Protecting your applications against the OWASP Top 10 is not a new thing; in fact, many organizations have been taking this approach for quite some time. The challenge is that most implementations that claim to "protect" against the OWASP Top 10 rely solely on signature-based protections for only a small subset of the list and provide zero insight into your compliance status.
The OWASP Compliance Dashboard, introduced in version 15.0 on BIG-IP Advanced WAF, reinvents this idea by providing a holistic and interactive dashboard that clearly measures your compliancy against the OWASP Application Security Top 10. The Top 10 is then broken down into specific security protections, including both positive and negative security controls, that can be enabled, disabled, or ignored directly on the dashboard. We realize that a WAF policy alone may not provide complete protection across the OWASP Top 10; this is why the dashboard also includes the ability to review and track the compliancy of best practices outside the scope of a WAF alone, such as whether the application is subject to routine patching or vulnerability scanning.

To illustrate this, let’s assume I have created a brand new WAF policy using the Rapid Deployment policy template and accepted all default settings. What compliance score do you think this policy might have? Let's take a look.

Interesting. The policy is 0/10 compliant and only A2 Broken Authentication and A3 Sensitive Data Exposure have partial compliance. Why is that? The Rapid Deployment template should include some protections by default, shouldn't it?

Expanding A1 Injection, we see a list of protections required in order to be marked as compliant. Hovering over the list of attack signatures, we see that each category of signature is in 'Staging' mode, aha! Signatures in staging mode are not enforced and therefore cannot block traffic. Until the signature set is enforced, we do not mark that protection as compliant. For those of you who have mistakenly left entities such as Signatures in staging for longer than desired, this is also a GREAT way to quickly find them.

I also told you we could interact with the dashboard to influence the compliancy score, so let's demonstrate that. Each item can be enforced DIRECTLY on the dashboard by selecting the "Enforce" checkmark on the right.
No need to go into multiple menus: you can enforce all these security settings on a single page and preview the compliance status immediately. If you are happy with your selection, click on "Review & Update" to perform a final review of what the dashboard will be configuring on your behalf before you can click on "Save & Apply Policy".

Note: Enforcing signatures before a period of staging may not be a good idea depending on your environment. Staging provides a period to assess signature matches in order to eliminate false positives. Enforcing these signatures too quickly could result in the denying of legitimate traffic.

Let's review the compliancy of our policy now with these changes applied. As you can see, A1 Injection is now 100% compliant and other categories have also had their score updated as a result of enforcing these signatures. The reason for this is that there is overlap in the security controls applied across these other categories.

Not all security controls can be fully implemented directly via the dashboard, and as mentioned previously, not all security controls are signature-based. A6 Cross-Site Scripting was recalculated as 50% compliant with the signatures we enforced previously, so let's take a look at what else it required for full compliancy.

The options available to us are to IGNORE the requirement, meaning we will be granted full compliancy for that item without implementing any protection, or we can manually configure the protection referenced. We may want to ignore a protection if it is not applicable to the application or if it is not in scope for your deployment. Be mindful that ignoring an item means you are potentially misrepresenting the score of your policy; be very certain that the protection you are ignoring is in fact not applicable before doing so.

I've selected to ignore the requirement for "Disallowed Meta Characters in Parameters" and my policy is now 100% compliant for A7 Cross-Site Scripting (XSS).
Lastly, we will look at items within the dashboard that fall outside the scope of WAF protections. Under A9 Using Components with Known Vulnerabilities, we are presented with a series of best practices such as "Application and system hardening", "Application and system patching" and "Vulnerability scanner integration". Using the dashboard, you can click on the checkmark to the right for "Requirement fulfilled" to indicate that your organization implements these best practices. By doing so, the OWASP Compliance score updates, providing you with real-time visibility into the compliancy for your application.

Conclusion

The OWASP Compliance Dashboard on BIG-IP Advanced WAF is a perfect fit for the security administrator looking to fine-tune and measure either existing or new WAF policies against the OWASP App Security Top 10. The OWASP Compliance Dashboard not only tracks WAF-specific security protections but also includes general best practices, allowing you to use the dashboard as your one-stop-shop to measure the compliancy for ALL your applications. For many applications, protection against the OWASP Top 10 may be enough, as it provides you with best practices to follow without having to worry about which features to implement and where.

Note: Keep in mind that some applications may require additional controls beyond the protections included in the OWASP Top 10 list.

For teams heavily embracing automation and CI/CD pipelines, logging into a GUI to perform changes likely does not sound appealing. In that case, I suggest reading more about our Declarative Advanced WAF policy framework, which can be used to represent the WAF policies in any CI/CD pipeline. Combine this with the OWASP Compliance Dashboard for an at-a-glance assessment of your policy and you have the best of both worlds.

If you're not already using the OWASP Compliance Dashboard, what are you waiting for?
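A pipeline-side complement to the dashboard's staging check, as an added example that is not from the original article or from F5: it audits a declarative WAF policy file for signatures left in staging, tolerating only those inside an agreed tuning window. The keys `signature-settings.signatureStaging` and `signatures[].performStaging` are assumptions about the declarative policy JSON to verify against the schema for your version; the waiver table, signature IDs and sample policy are constructed.

```python
import json
from datetime import date

# Constructed sample policy. Key names are assumptions about the declarative
# WAF policy JSON; check them against the schema for your BIG-IP version.
SAMPLE_POLICY = json.loads("""
{"policy": {
  "name": "example_rapid_deployment",
  "signature-settings": {"signatureStaging": true},
  "signatures": [
    {"signatureId": 100000001, "performStaging": true},
    {"signatureId": 100000002, "performStaging": false},
    {"signatureId": 100000004, "performStaging": true},
    {"signatureId": 100000005, "performStaging": true}
  ]}}
""")

# Hypothetical team-maintained waivers: signature ID -> date its staging
# (false-positive tuning) window must end. IDs and dates are constructed.
STAGING_WAIVERS = {100000001: date(2020, 6, 1), 100000004: date(2020, 3, 1)}


def audit_staging(doc, waivers, today):
    """List staging conditions that keep signatures from being enforced."""
    policy = doc.get("policy", {})
    findings = []
    staging = policy.get("signature-settings", {}).get("signatureStaging")
    if staging is None:
        findings.append("signatureStaging not declared; template default applies")
    elif staging:
        findings.append("policy-wide signature staging is on")
    for sig in policy.get("signatures", []):
        if not sig.get("performStaging", False):
            continue  # not staged, nothing to report
        sig_id = sig.get("signatureId")
        deadline = waivers.get(sig_id)
        if deadline is None:
            findings.append(f"signature {sig_id} staged without a waiver")
        elif today > deadline:
            findings.append(f"signature {sig_id} staged past {deadline.isoformat()}")
    return findings


def ci_gate(doc, waivers, today):
    """Return a process exit code: 0 if the audit is clean, 1 otherwise."""
    return 1 if audit_staging(doc, waivers, today) else 0


if __name__ == "__main__":
    for finding in audit_staging(SAMPLE_POLICY, STAGING_WAIVERS, date.today()):
        print("FINDING:", finding)
    raise SystemExit(ci_gate(SAMPLE_POLICY, STAGING_WAIVERS, date.today()))
```

Signature 100000001 passes because its waiver is still open on the audit date, which keeps the staging period the article's note recommends while still catching entries left in staging longer than intended.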
Look out for Bill Brazill, Victor Granic and myself (Kyle McKay) on June 10th at F5 Agility 2020 where we will be presenting and facilitating a class called "Protecting against the OWASP Top 10". In this class, we will be showcasing the OWASP Compliance Dashboard on BIG-IP Advanced WAF further and providing ample hands-on time fine-tuning and measuring WAF policies for OWASP Compliance. Hope to see you there!

To learn more, visit the links below.

Links

OWASP Compliance Dashboard: https://support.f5.com/csp/article/K52596282
OWASP Application Security Top 10: https://owasp.org/www-project-top-ten/
Agility 2020: https://www.f5.com/agility/attend

What is BIG-IP Next?
BIG-IP Next LTM and BIG-IP Next WAF hit general availability back in October, and we hit the road for a tour around North America for its arrival party! Those who attended one of our F5 Academy sessions got a deep-dive presentation into BIG-IP Next conceptually, and then a lab session to work through migrating workloads and deploying them. I got to attend four of the events and discuss with so many fantastic community members what's old, what's new, what's borrowed, what's blue...no wait--this is no wedding! But for those of us who've been around the block with BIG-IP for a while, if not married to the tech, we definitely have a relationship with it, for better and worse, right? And that's earned. So any time something new, or in our case "Next", comes around, there's risk and fear involved personally. But don't fret. Seriously. It's going to be different in a lot of ways, but it's going to be great. And there are a crap-ton (thank you Mark Rober!) of improvements that, once we all make it through the early stages, we'll embrace and wonder why we were even scared in the first place.

So with all that said, will you come on the journey with me? In this first of many articles to come from me this year, I'll cover the high-level basics of what is so next about BIG-IP Next, and in future entries we'll be digging into the tech and learning together.

BIG-IP and BIG-IP Next Conceptually - A Comparison

BIG-IP has been around since before the turn of the century (which is almost old enough to rent a car here in the United States) and this year marks the 20-year anniversary of TMOS. That the traffic management microkernel (TMM) is still grokking like a boss all these years later is a testament to that early innovation! So whereas TMOS as a system is winding down, its heart, TMM, will go on (cue sappy Celine Dion ditty in 3, 2, 1...)

Let's take a look at what was and what is. With TMOS, the data plane and control plane compete for resources as it's one big system.
With BIG-IP, the separation of duties is more explicit and intentionally designed to scale on the control plane. Also, the product modules are no longer either completely integrated in TMM or plugins to TMM, but rather, isolated to their own container structures. The image above might convey the idea that LTM or WAF or any of the other modules are single containers, but that's just shown that way for brevity. Each module is an array of containers. But don't let that scare you. The underlying Kubernetes architecture is an abstraction that you may--but certainly are not required to--care about. TMM continues to be its awesome TMM self.

The significant change operationally is how you interact with BIG-IP. With TMOS, historically you engage directly with each device, even if you have some other tools like BIG-IQ or third-party administration/automation platforms. With BIG-IP Next, everything is centralized on Central Manager, and the BIG-IP Next instances, whether they are running on rSeries, VELOS, or Virtual Edition, are just destinations for your workloads. In fact, outside of sidecar proxies for troubleshooting, instance logins won't even be supported! Yes, this is a paradigm shift.

With BIG-IP Next, you will no longer be configuration-object focused. You will be application-focused. You'll still have the nerd-knobs to tweak and turn, but they'll be done within the context of an application declaration. If you haven't started your automation journey yet, you might not be familiar with AS3. It's been out now for years and works with BIG-IP to deploy applications declaratively. Instead of following a long pre-flight checklist with 87 steps to go from nothing to a working application, you simply define the parameters of your application in a blob of JSON data and click the easy button. For BIG-IP Next, this is the way.
Now, in the Central Manager GUI, you might interact with FAST templates that deliver a more traditional view into configuring applications, but the underlying configuration engine is all AS3. For more, I hosted a series of streams in December to introduce AS3 Foundations; I highly recommend you take the time to digest the basics.

Benefits I'm Excited About

There are many and you can read about them on the product page on F5.com. But here's my short list:

API-first. Period. BIG-IP had APIs with iControl from the era before APIs were even cool, but they were not first-class citizens. The resulting performance at scale requires effort to manage effectively. Not only performance, but feature parity among iControl REST, iControl SOAP, tmsh, and the GUI has been a challenge because of the way development occurred over time. Not so with BIG-IP Next. Everything is API-first, so all tooling is able to consume everything. This is huge!

Migration assistance. Central Manager has the JOURNEYS tool on steroids built in to the experience. Upload your UCS, evaluate your applications to see what can be migrated without updates, and deploy! It really is that easy. Sure, there's work to be done for applications that aren't fully compatible yet, but it's a great start. You can do this piece (and I recommend that you do) before you even think about deploying a single instance, just to learn what work you have ahead of you and what solutions you might need to adapt to be ready.

Simplified patch/upgrade process. If you know, you know...patches are upgrades with BIG-IP, and not in place at that. This is drastically improved with BIG-IP Next! Because of the containerized nature of the system, individual containers can be targeted for patching, and depending on the container, may not even require a downtime consideration.

Release cycle.
A more frequent release cadence might terrify the customers among us that like to space out their upgrades to once every three years or so, but for the rest of us, feature delivery to the tune of weeks instead of twice per year is an exciting development (pun intended!)

Features I'm Excited About

Versioning for iRules and policies. For those of us who write/manage these things, this is huge! Typically I'd version by including it in the title, and I know some who set release tags in repos. With Central Manager, it's built in and you can deploy iRules and policies by version and do diffs in place. I'm super excited about this!

Did I mention the API? On the API front...it's one API, for all functionality. No digging and scraping through the GUI, tmsh, iControl REST, iControl SOAP, building out a node.js app to deploy a custom API endpoint with iControl LX, if even possible with some of the modules like APM or ASM. Nope, it's all there in one API. Glorious.

Centralized dashboards. This one is for the Ops teams! Who among us has spent many a day building custom dashboards to consume stats from BIG-IPs across your org to have a single pane of glass to manage? I for one, and I'm thrilled to see system, application, and security data centralized for analysis and alerting.

Log/metric streaming. And finally, logs and metrics! Telemetry Streaming from the F5 Automation Toolchain doesn't come forward in BIG-IP Next, but the ideas behind it do. If you need your data elsewhere from Central Manager, you can set up remote logging with OpenTelemetry (see the link in the resources listed below for a first published example of this.)

There are some great features coming with DNS, Access, and all the other modules when they are released as well. I'll cover those when they hit general availability.

Let's Go!
In the coming weeks, I'll be releasing articles on installation and licensing walk-throughs for Central Manager and the instances, and content from our awesome group of authors is already starting to flow as well. Here are a few entries you can feast your eyes on, including an instance Proxmox installation:

For the kubernetes crowd, BIG-IP Next CNF Solutions for RedHat Openshift
Installing BIG-IP Next Instance on Proxmox
Remote Logging with BIG-IP Next and OpenTelemetry

Are you ready? Grab a trial license from your MyF5 dashboard and get going! And make sure to join us in the BIG-IP Next Academy group here on DevCentral. The launch team is actively engaged there for next-related questions/issues, so that's the place to be in your early journey!

Also...if you want the ultimate jump-start for all things BIG-IP Next, join us at AppWorld 2024 in San Jose next month!

Happy Cybersecurity Awareness Month!
Oct. 3-7: All About Access
Oct. 10-14: Helpers Behind the Scenes
Oct. 17-21: Security Certifications
Oct. 24-28: Scary Hack Stories

Happy Cybersecurity Awareness Month from all of us at DevCentral! Cybersecurity Awareness Month is in October and is dedicated to helping individuals protect themselves online as threats to technology and confidential data become more commonplace. In honor of Cybersecurity Awareness Month, we've got some security content on the docket for October broken up into four weekly themes:

Oct. 3-7: All About Access

We're always on the lookout for content about APM, OAuth, Zero Trust, SSO and all other things access related. Keep an eye out for a user authentication APM use case from Scheff and bowlermj. And momahdy walks us through how to select Conditional Access Policies created at Azure AD.

You want Modern Auth … for an app or client that's stuck in the 2010s
Zero Trust - Making use of a Powerful Identity Aware Proxy (Hands on lab)
Leverage F5 BIG-IP APM and Azure AD Conditional Access Easy button

Oct. 10-14: Helpers Behind the Scenes

Keeping the internet safe from hackers and bad actors is hard work but somebody's gotta do it. This week we will profile people who work in security behind the scenes, including folks from the F5 SIRT team and F5 Labs.

A Day in the Life of a Security Engineer from Tel Aviv
Security Operations Center - Helpers Behind the Scenes
F5 Labs - Helpers Behind the Scenes
F5 Threat Intelligence - Helpers Behind the Scenes

Oct. 17-21: Security Certifications

Continuous learning is important but can also be difficult and time consuming. JRahm will take you on his Security+ certification journey as he goes through the course and takes the test. And AaronJB shares his thoughts on security certifications.

Certifications for security professionals

Oct. 24-28: Scary Hack Stories

In the spirit of Halloween we're using this week to tell scary hack stories instead of scary ghost stories!
Keep an eye out for our scary hack short stories on the DevCentral YouTube channel, brought to you by AubreyKingF5. And Dan Woods joins our weekly DevCentral Connects livestream on Tuesday, October 25.

WorldTech IT - Who Ya Gonna Call? Scary Hack Story
Scary Hack Stories presented by DevCentral

Be sure to check out these F5 webinars as well:

F5 Cybersecurity Summit, October 20, 2022 (On-demand)
It's Fall: Time to Bundle Up and Secure Your Distributed Architecture, October 26, 2022 (On-demand)

We hope you enjoy everything we've got coming your way in October. Happy Cybersecurity Month and Happy Spooky Season (to all who celebrate)!