In this blog

Introduction

The threat landscape is different than it was years ago, emerging technologies are required to protect our networks and data centers from threats and attacks. This article lets us learn how we could configure an F5 AFM and AWAF (Advanced Web Application Firewall) on a BIG-IP device that would help protect the Network and Datacenters from threats and attacks.

F5 AFM (Advanced Firewall Manager)

BIG-IP Advanced Firewall Manager (AFM) is a high-performance, stateful, full-proxy network security module that protects your data centers from threats utilizing the most prevalent protocols.

BIG-IP AFM is based on the F5 Traffic Management Operating System (TMOS) and offers core features for protecting data centers from external network threats and determining the types of threats to which they are vulnerable.

F5 AWAF (Advanced Web Application Firewall)

F5's AWAF is designed to safeguard online applications in on-premises, virtual, and cloud IT environments. The system delivers network device configuration, centralized security policy administration, and easy-to-read audit reports through a single pane of glass, protecting against both known and new vulnerabilities and validating compliance with important regulatory mandates.

AWAF's sophisticated security policies protect web applications from common application layer risks. Security policies are a core component of AWAF's functionality. F5 AWAF comes with policy templates for quickly building security policies for common applications. AWAF can automatically construct a security policy that allows policies to dynamically react to observed traffic.  This allows for continually adaptive security controls. 

Alternatively, customers can manually create their own security policies giving them the ultimate level of control. F5 AWAF is the most customizable WAF on the market and can secure both standard and non-standard web, mobile apps, and API protection.  

AFM configuration

The configuration steps are divided into the following high-level sections:

  • Protocol Inspection (IPS) with AFM Network Configuration
  • Create an AFM Protocol Inspection Policy
  • Attach Virtual Servers to an AFM Protocol Inspection Policy

Protocol Inspection (IPS) with AFM: network configuration

The BIG-IP will be deployed with VLAN Groups. This combines 2 interfaces to act as an L2 bridge where data flows into one interface and is passed out to the other interface. 

From the F5 Configuration Utility go to Network > VLANs. Click Create on the right.

0151T000003pk0iQAA.png

Give it a name, ingress1 in this example. Set the Interface to 5.0. Set Tagging to Untagged then click Add. Interface 5.0 (untagged) should be visible like in the image below. Click Repeat at the bottom to create another VLAN.

Note: In this example interface 5.0 will receive decrypted traffic from sslo1.

0151T000003pk0nQAA.png

Give it a name, egress1 in this example. Set the Interface to 6.0. Set Tagging to Untagged then click Add. Interface 6.0 (untagged) should be visible like in the image below. Click Finished when done.

Note: In this example interface 6.0 will receive decrypted traffic from sslo1.

0151T000003pk0sQAA.png

Note: This guide assumes you are setting up a redundant pair of SSL Orchestrators. Therefore, you should repeat these steps to configure VLANs for the two interfaces connected to sslo2. These VLANs should be named in a way that you can differentiate them from the others. Example: ingress2 and egress2

It should look something like this when done:

0151T000003pk0xQAA.png

Note: In this example Interface 3.0 and 4.0 are physically connected to sslo2.

Click VLAN Groups then Create on the right.

0151T000003pk12QAA.png

Give it a name, vlg1 in this example. Move ingress1 and egress1 from Available to Members. Set the Transparency Mode to Transparent. Check the box to Bridge All Traffic then click Finished.

0151T000003pk0yQAA.png

Note: This guide assumes you are setting up a redundant pair of SSL Orchestrators.  Therefore, you should repeat these steps to configure a VLAN Group for the two interfaces connected to sslo2. This VLAN Group should be named in a way that you can differentiate it from the other, example: vlg1 and vlg2. It should look like the image below:

0151T000003pk0zQAA.png

For full Layer 2 transparency the following CLI option needs to be enabled:

(tmos)# modify sys db connection.vgl2transparent value enable

Create an AFM Protocol Inspection policy

You can skip this step if you already have an AFM Protocol Inspection policy created and attached to one or more virtual servers. If not, we'll cover it briefly. In this example we configured Protocol Inspection with Signatures and Compliance enabled.

From Security select Protocol Security > Inspection Profiles > Add > New.

0151T000003pk17QAA.png

Give it a name, IPS in this example. For Services, select the Protocol(s) you want to inspect, HTTP in this example.

0151T000003pk0uQAA.png

Optionally check the box to enable automatic updates and click Commit Changes to System.

0151T000003pk0aQAA.png

Attach Virtual Servers to an AFM Protocol Inspection policy

Attach the Protocol Inspection Profile to the Virtual Server(s) you wish to protect. From Local Traffic select Virtual Servers. Click the name of the Virtual Server you want to apply the profile to, 10.4.11.52 in this example.

0151T000003pk0oQAA.png

Click Security > Policies.

0151T000003pk1HQAQ.png

Set the Protocol Inspection Profile to Enabled, then select the Profile created previously, IPS in this example. Click Update when done.

0151T000003pk0bQAA.png

Repeat this process to attach the IPS Profile to the remaining Virtual Servers.

Advanced WAF configuration

The configuration steps are divided into the following high level sections:

  • Advanced WAF Network Configuration
  • Attach Virtual Servers to an Advanced WAF Policy

AWAF: Network configuration

The BIG-IP will be deployed with VLAN Groups. This combines 2 interfaces to act as an L2 bridge where data flows into one interface and is passed out the other interface. Vwire configuration will be covered later.

From the F5 Configuration Utility go to Network > VLANs. Click Create on the right.

0151T000003pjzVQAQ.png

Give it a name, ingress1 in this example. Set the Interface to 2.1. Set Tagging to Untagged then click Add.

0151T000003pjzbQAA.png

Note: In this example interface 2.1 will receive decrypted traffic from sslo1 

Interface 2.1 (untagged) should be visible like in the image below. Click Repeat at the bottom to create another VLAN.

0151T000003pjzfQAA.png

Give it a name, egress1 in this example. Set the Interface to 2.2. Set Tagging to Untagged then click Add.

0151T000003pjzkQAA.png

Note: In this example interface 2.2 will send decrypted traffic back to sslo1

Interface 2.2 (untagged) should be visible like in the image below. Click Finished.

0151T000003pjzzQAA.png

Note: This guide assumes you are setting up a redundant pair of SSL Orchestrators. Therefore, you should repeat these steps to configure VLANs for the two interfaces connected to sslo2. These VLANs should be named in a way that you can differentiate them from the others. Example: ingress2 and egress2

It should look something like this when done:

0151T000003pjzWQAQ.png

Note: In this example Interface 2.3 and 2.4 are physically connected to sslo2.

Click VLAN Groups then Create on the right.

0151T000003pjzgQAA.png

Give it a name, vlg1 in this example. Move ingress1 and egress1 from Available to Members. Set the Transparency Mode to Transparent. Check the box to Bridge All Traffic then click Finished.

0151T000003pjzvQAA.png

Note: This guide assumes you are setting up a redundant pair of SSL Orchestrators. Therefore, you should repeat these steps to configure a VLAN Group for the two interfaces connected to sslo2. This VLAN Group should be named in a way that you can differentiate it from the other, example: vlg1 and vlg2. It should look like the image below:

0151T000003pjzcQAA.png

For full Layer 2 transparency the following CLI option needs to be enabled:

(tmos)# modify sys db connection.vgl2transparent value enable

Attach Virtual Servers to an Advanced WAF policy

You can skip this step if you already have an Advanced WAF policy created and attached to one or more virtual servers. If not, we'll cover it briefly. In this example we configured Comprehensive Protection which includes Bot Mitigation, Layer 7 DoS and Application Security.

0151T000003pk00QAA.png

Give it a name, App_Protect1 in this example then click Save & Next.

0151T000003pk0TQAQ.png

Select the Enforcement Mode and Policy Type. Click Save & Next.

0151T000003pjzhQAA.png

Configure the desired Bot Defense options. Click Save & Next on the lower right.

0151T000003pk0UQAQ.png

Configure the desired DoS Profile Properties. Click Save & Next.

0151T000003pk0ZQAQ.png

Assign the policy to your application server(s) by moving them to Selected. Click Save & Next.

0151T000003pk02QAA.png

Click Finish/Deploy when done.

Conclusion

In this article, we learned how to configure AFM and AWAF on a BIG-IP device to provide security from threats to the network and datacenters. To learn more about the key features and advantages of F5 AFM and AWAF and how the products could prevent threats and provide security, go through the related links in the references for a brief explanation. 

"Check out the lab in the references for a hands-on experience for the steps involved and to work with AWAF as a service."

References

F5 SSLO Deployment Guides

F5 BIG-IP Advanced Firewall Manager (AFM) 

Advanced Application Threats Require an Advanced WAF

Leaked Credential Check With Advanced WAF

ATC Tests F5 SSLO in the Lab  

F5 BIG-IP SSL Orchestrator (SSLO) 

F5 BIG-IP Advanced Web Application Firewall (WAF) 

F5 BIG-IP Access Policy Manager (APM) 

Service Chain Management Process with F5 SSLO

Start Your Journey of F5 + WWT  

Service Chain Management Process With SSLO

Technologies