Introduction

WAFaaS is the ability to insert ASM profiles into the SSL Orchestrator Service Chain for Inbound Topologies. This configuration is specific to a WAF policy running on the SSL Orchestrator device. WAF and SSL Orchestrator consume significant CPU cycles so care should be given when deploying both together. It is also possible to deploy WAF as a service on a separate BIG-IP device, in which case you'd simply configure an inline transparent proxy service. The ability to insert F5's WAF into the Service Chain presents a significant customer benefit.

SSL Orchestrator does not directly support inserting F5 WAF policies into the Service Chain. However, the F5 platform is flexible enough to handle many custom use cases. In this case, the ICAP service configuration exposes a framework that is useful for any number of specialized patterns, including adding a WAF policy to an SSLO service chain. We will configure an ICAP Service and attach the WAF policy to it.

Note: This guide assumes you already have WAF/ASM profile(s) configured, licensed and provisioned on BIG-IP and wish to add this functionality to an Inbound Topology. Refer to the articles in the references section for how to configure the profiles. In order to run WAF and SSL Orchestrator on the same device you will need an LTM license with SSL Orchestrator as an add-on option. You cannot add a WAF license to an SSL Orchestrator stand-alone license.

Configuring WAF as a service is completed in the steps below:

  1. Create an ICAP (Internet Content Adaptation Protocol) Service
  2. Disable Strictness on the Service
  3. Disable the TCP monitor for the ICAP Pool
  4. Remove the ICAP Adapt profiles from the Virtual Server
  5. Enable Application Security Policy and assign a Policy under Security

Step #1: Create ICAP Service

Note: These instructions assume an SSL Orchestrator Topology and Service Chain are already deployed and working properly. These instructions simply add WAFaaS to the existing Service Chain. It is entirely possible to create the WAFaaS during the initial Topology creation, in which case you would create the service during the workflow, then make the necessary changes after the topology has been created.

From the SSL Orchestrator Guided Configuration, click Services then Add.

Scroll to the bottom, select Generic ICAP Service and click Add.

Give it a name (WAFaaS in this example).

For ICAP Devices, click Add on the right.

Enter an IP Address (198.19.97.1 in this example) and click Done.

Note: The IP address you use does not have to be the one above. It is just a local, non-routable address used as a placeholder in the service definition; no traffic will ever be sent to it.

Addresses 198.19.97.0 to 198.19.97.255 fall within a range reserved for network benchmark testing and are not routed on the Internet, so the placeholder will not collide with a real host.

Scroll to the bottom and click Save & Next.

The next screen is the Service Chain List. Click the name of the Service Chain you wish to add WAF functionality to (ssloSC_ServiceChain in this example).

Note: The order of the Services in the Selected column is the order in which SSL Orchestrator passes decrypted traffic through the devices. This matters if you want some devices to see, or not see, the actions taken by the WAF Service.

Select the WAFaaS Service and click the right arrow to move it to Selected. Click Save.

Click Save & Next.

Click Deploy.

You should receive a Success message.

Step #2: Disable Strictness on the Service

From the SSL Orchestrator Configuration screen select Services. Click the padlock to Unprotect Configuration.

Note: Disabling Strictness on the ICAP Service is needed to modify it and attach the WAFaaS policy. Strictness must remain disabled on this service and disabling strictness on the service has no effect on any other part of the SSL Orchestrator configuration.

Click OK to Unprotect the Configuration.

Step #3: Disable the TCP monitor for the ICAP Pool

From Local Traffic select Pools > Pool List.

Select the WAFaaS Pool.

Under Active Health Monitors select tcp and click >> to move it to Available. This removes the Pool's monitor; with the monitor in place the pool would be marked down or unavailable, because nothing answers at the placeholder address.

Click Update.

Note: The Health Monitor needs to be removed because there is no actual ICAP service to monitor.

Step #4: Remove the ICAP Adapt profiles from the Virtual Server

From Local Traffic select Virtual Servers > Virtual Server List.

Locate the virtual server for the WAFaaS ICAP service (its name ends in "-t-4") and select it.

Set the Request Adapt Profile and Response Adapt Profile to None to disable the default ICAP Profiles.

Click Update.

Step #5: Enable Application Security Policy and assign a Policy under Security

For the WAFaaS-t-4 Virtual Server, click the Security tab.

Set Application Security Policy to Enabled.

Select the Security Policy you wish to use. Click Update when done.

Note: In specific versions of SSL Orchestrator there is one extra configuration item that needs to be modified. This is NOT required in other versions. If this change is made, it is not necessarily required to back it out before performing an upgrade.

Versions that require this change:

  • SSLO version 5.9.15 available on TMOS 14.1.4
  • SSLO versions 6.0-6.5 available on TMOS 15.0.x

Navigate to Local Traffic ›› Profiles : Other : Service.

Select the Service profile named "ssloS_WAFaaS-service."

Change the "Type" from "ICAP" to "F5 Module."

The configuration is now complete. Using the WAFaaS this way is functionally the same as using it by itself. There are no known limitations to this configuration.
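The following checker is an addition to this guide, not code from the article or from F5: it parses `tmsh list` output for the WAFaaS pool and the "-t-4" virtual server and reports which of Steps 3 to 5 are not yet reflected in the running configuration. The object names and the sample output are constructed, and the adapt-profile detection assumes that the SSL Orchestrator-generated ICAP adapt profile names contain "adapt".

```python
def parse_tmsh(text):
    """Parse brace-delimited `tmsh list` output into nested dicts."""
    def block(lines, i):
        node = {}
        while i < len(lines):
            line = lines[i].strip()
            i += 1
            if line == "}":
                break
            if line.endswith("{"):             # nested object, recurse
                node[line[:-1].strip()], i = block(lines, i)
            elif line:                         # leaf: "key value"
                key, _, value = line.partition(" ")
                node[key] = value
        return node, i
    # "name { }" (empty object) is rewritten as "name {" + "}" to keep the parser small
    return block(text.replace("{ }", "{\n}").splitlines(), 0)[0]


def check_wafaas(config, pool, virtual):
    """Return findings; an empty list means Steps 3 to 5 are all reflected."""
    findings = []
    p = config.get(f"ltm pool {pool}", {})
    if p.get("monitor", "none") != "none":      # Step 3: no health monitor on the pool
        findings.append(f"pool {pool} still has monitor '{p['monitor']}'")
    v = config.get(f"ltm virtual {virtual}", {})
    profiles = v.get("profiles", {})
    # Step 4: heuristic, assumes the ICAP adapt profile names contain 'adapt'
    adapt = [n for n in profiles if "adapt" in n.lower()]
    if adapt:
        findings.append(f"virtual {virtual} still has adapt profiles {adapt}")
    # Step 5: enabling ASM attaches the websecurity profile and an asm_auto_l7_policy__ LTM policy
    if "websecurity" not in profiles or not any(
            n.startswith("asm_auto_l7_policy__") for n in v.get("policies", {})):
        findings.append(f"virtual {virtual} has no Application Security Policy")
    return findings


# Constructed sample of `tmsh list` output right after Step 1 (object names assumed)
SAMPLE_BEFORE = """\
ltm pool ssloS_WAFaaS-pool {
    members {
        198.19.97.1:1344 { }
    }
    monitor tcp
}
ltm virtual ssloS_WAFaaS-t-4 {
    profiles {
        ssloS_WAFaaS-requestadapt { }
        ssloS_WAFaaS-responseadapt { }
        tcp { }
    }
}
"""
```

Run `check_wafaas(parse_tmsh(SAMPLE_BEFORE), "ssloS_WAFaaS-pool", "ssloS_WAFaaS-t-4")` against the sample to see all three outstanding items; feed it the real `tmsh list ltm pool <pool>` and `tmsh list ltm virtual <vs>` output to check a live deployment.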

Conclusion

We explored the steps to configure WAF as a Service on SSL Orchestrator. We could also configure WAF on a separate BIG-IP device and add it as a service to the SSL Orchestrator; the functionality would be the same. Check out the lab in the references for hands-on experience with the steps involved in configuring WAF as a service.

References

F5 deployment basics article:

  • F5 SSLO Deployment Guides

F5 AFM articles:

  • F5 BIG-IP Advanced Firewall Manager (AFM)
  • Orchestrated Infrastructure Security - Protocol Inspection with AFM

F5 AWAF articles:

  • Orchestrated Infrastructure Security - Advanced WAF
  • Advanced Application Threats Require an Advanced WAF
  • Leaked Credential Check with Advanced WAF

Other SSLO articles:

  • ATC tests F5 SSLO in the Lab
  • F5 BIG-IP SSL Orchestrator (SSLO)
  • F5 BIG-IP Advanced Web Application Firewall (WAF)
  • F5 BIG-IP Access Policy Manager (APM)
  • Service Chain Management Process with F5 SSLO
  • Start your Journey of F5 + WWT

Lab:

  • Service Chain Management Process with SSLO