Lab 2.1 - Prepping the Lab

By default, security events are not logged. In this lab the student will create a security logging profile with Application Security, Bot Defense and DoS Protection enabled. The student will also place the WAF policy in Transparent mode to show the difference in behavior when client traffic that is deemed malicious is and is not blocked.

Task 1 - Add Vulnerable API

  1. From the web browser, navigate to API Protection >> Profile. Click Profile to modify the previously created API protection Profile (not the + Plus symbol)
  2. Click API-Protection
  3. Click Edit Under Per-Request Policy
  4. Click the + (Plus Symbol) located between Start and OAuth Scope Check AuthZ
  5. Select the Classification tab
  6. Select Request Classification
  7. Click Add Item
  8. Select Branch Rules
  9. Click Add Branch Rule
  10. Enter name GET /vulnerable
  11. Click Change
  12. Click Add Expression
  13. Select Request from the Context dropdown
  14. Click Add Expression
  15. Click Add Expression on the AND line
  16. Select Path (value) from the Request dropdown
  17. Enter /vulnerable in the empty text box
  18. Click Add Expression
  19. Click Finished
  20. Click Save
  21. Click the + Plus Symbol on the GET /vulnerable branch
  22. Click API Server Selection
  23. Click Add Item
  24. Select api-protection_server1 from the dropdown
  25. Click Save
  26. Click the Reject terminal at the end of API Server Selection
  27. Select Allow
  28. Click Save
  29. The completed policy should look like the below.

image115

Task 2 - Create and assign a Security Logging Profile to the virtual

Note

Ensure you are logged into BIGIP1

  1. From the web browser, click on Security -> Event Logs -> Logging Profile and click Create.
  2. For the Profile Name enter api.acme.com_logprofile.
  3. Enable Application Security. An Application Security configuration menu will open up at the bottom. Change the Request Type from Illegal requests only to All requests.
  4. Enable DoS Protection. A DoS Protection configuration menu will open up at the bottom. Enable Local Publisher.
  5. Enable Bot Defense. A Bot Defense configuration menu will open up at the bottom. Enable Local Publisher and all other checkboxes, and leave Remote Publisher set to none.
  6. Click Create
  7. Apply the logging profile to the api.acme.com virtual by navigating to Local Traffic -> Virtual Servers -> api.acme.com -> Security -> Policies and set the Selected Log Profile to api.acme.com_logprofile.
  8. Click Update. The virtual will now log Application Security, DoS and Bot related events under Security -> Event Logs when the appropriate security profiles have been applied to the virtual.

Task 3 - Set the WAF policy to Transparent and assign it to the virtual

  1. From the web browser, click on Security -> Application Security -> Security Policies -> Policies List. Click api-protection. Notice the Enforcement Mode is set to Blocking. Set the Enforcement Mode to Transparent. Be sure to click Save, then Apply Policy.
  2. Apply the WAF policy to the api.acme.com virtual by navigating to Local Traffic -> Virtual Servers -> api.acme.com -> Security -> Policies and set the Application Security Policy to enabled and the Policy to api-protection.
  3. Click Update.
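
One way to confirm the state that Tasks 2 and 3 leave behind, as an added example that is not part of the original lab guide: a small audit over the virtual server and WAF policy objects. The field names securityLogProfiles, enforcementMode and virtualServers, the /Common partition, and the REST paths in the comments are assumptions about the iControl REST output, and the sample objects are constructed rather than captured from BIGIP1.

```python
# Constructed sample objects (not captured from a device), shaped like the
# JSON assumed to come back from:
#   GET /mgmt/tm/ltm/virtual/~Common~api.acme.com
#   GET /mgmt/tm/asm/policies   (the item whose name is api-protection)
SAMPLE_VIRTUAL = {
    "name": "api.acme.com",
    "securityLogProfiles": ["/Common/api.acme.com_logprofile"],
}
SAMPLE_POLICY = {
    "name": "api-protection",
    "enforcementMode": "transparent",
    "virtualServers": ["/Common/api.acme.com"],
}


def leaf(path):
    """Drop the partition prefix and any quoting around a full path."""
    return path.strip('"').rsplit("/", 1)[-1]


def audit_lab_state(virtual, policy,
                    log_profile="api.acme.com_logprofile",
                    want_mode="transparent"):
    """Return a list of findings; an empty list means the lab is prepped."""
    findings = []
    vs_name = virtual.get("name")
    pol_name = policy.get("name")

    # Task 2: without the log profile, security events are not logged.
    attached = {leaf(p) for p in virtual.get("securityLogProfiles") or []}
    if log_profile not in attached:
        findings.append(f"log profile {log_profile} not attached to {vs_name}")

    # Task 3: Transparent logs violations without blocking the request.
    mode = str(policy.get("enforcementMode", "")).lower()
    if mode != want_mode:
        findings.append(f"policy {pol_name} is in {mode or 'unknown'} mode, expected {want_mode}")

    # Task 3: the policy must be applied to the virtual server.
    bound = {leaf(v) for v in policy.get("virtualServers") or []}
    if vs_name not in bound:
        findings.append(f"policy {pol_name} is not applied to {vs_name}")
    return findings


if __name__ == "__main__":
    for line in audit_lab_state(SAMPLE_VIRTUAL, SAMPLE_POLICY) or ["lab state OK"]:
        print(line)
```

Passing want_mode="blocking" checks for the opposite enforcement state with the same function.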