Managing WAF Policy in F5 NGINX One Console
By F5 DevCentral Community
Key Concepts
- WAF (Web Application Firewall): A security technology designed to protect web applications from various attacks.
- NGINX One Console: A centralized management platform for NGINX products.
- Policy Management: The process of defining, implementing, and maintaining security policies.
- Distributed Applications: Applications that run across multiple interconnected computers or nodes.
- Transparent Mode: A WAF mode where malicious requests are logged but allowed to reach the application.
- Blocking Mode: A WAF mode where malicious requests are blocked and prevented from reaching the application.
- Config Sync Group: A group of NGINX configurations that are synchronized.
- Diff View: A feature that shows the differences between two versions of a configuration.
- Publish: The action of applying configuration changes.
- Signature Database: A collection of known attack patterns used by WAFs to detect threats.
- Policy Bundle: A collection of WAF policies.
Centralized WAF Policy Management with F5 WAF for NGINX
Managing WAF policies for distributed applications presents significant challenges, often leading to manual, error-prone workflows that reduce operational efficiency. Inconsistent policy application across systems and environments causes confusion and increases the risk of execution errors. A lack of visibility into policy coverage further complicates compliance and risk management, making it difficult to ensure adequate protection.
F5 WAF for NGINX addresses these issues by introducing centralized policy management within the NGINX One Console. This allows organizations to define and implement WAF policies across all deployments from a single location. The user-friendly basic editor simplifies policy creation and adjustment, eliminating manual processes, saving time, and ensuring secure, up-to-date environments.
Creating and Deploying a WAF Policy
The process of creating and deploying a WAF policy involves the following steps:
- Navigate to Policies: Access the "Policies" section under the "App Protect" area within the NGINX One Console.
- Add New Policy: Click "Add Policy" to create a new policy.
  - Name: Assign a descriptive name (e.g., "blocking page").
  - Description: Provide a brief explanation of the policy's purpose.
  - Enforcement Mode: Select either "Transparent" (logs attacks but allows them) or "Blocking" (blocks malicious requests). For initial testing, "Transparent" mode is recommended.
- Customize Policy: Start with the default base policy and customize it to meet specific business needs. This includes adding custom response pages.
- Apply Policy to Instance:
  - Click "Add Deployment" to apply the created policy to a specific instance or a config sync group.
  - Select the instance with the NGINX WAF module installed.
  - Specify the policy file path name (either default or custom).
- Add NGINX WAF Configuration: Copy the provided snippet to add the NGINX WAF configuration.
- Review Changes (Diff View): The "Diff View" allows for side-by-side or line-by-line comparison of changes, simplifying the review process.
- Publish Configuration: Click "Publish" to apply the configuration changes and deploy the policy.
Verifying Policy Deployment and Transparent Mode
After publishing, the policy status on the instance should show as active. Accessing the demo application and simulating a SQL injection attack will demonstrate the policy's behavior. In transparent mode, the attack will be logged but not blocked, allowing the request to reach the application.
Applying Multiple Policies and Strict Enforcement
It is possible to apply multiple policies to the same instance for different use cases. To add a strict policy to a second API endpoint:
- Create a New Policy: Follow steps 1-3 from the "Creating and Deploying a WAF Policy" section, enabling transparent mode.
- Apply to the Same Instance:
  - Click "Add Deployment" and select the same instance.
  - Specify the policy file path name.
- Add NGINX WAF Configuration: Paste the snippet for the second API endpoint.
- Review Changes (Diff View): Utilize the "Diff View" for comparison.
- Publish Configuration: Click "Publish" to apply the changes.
Verifying this policy on the application's coffee API, even with a simulated SQL injection attack, will show that requests are still not blocked due to transparent mode.
Switching to Blocking Mode
To switch a policy to blocking mode and actively block malicious requests:
- Edit Policy:
  - Return to the "Policies" section and select the policy to edit (e.g., "blocking page").
  - Navigate to the "Policy JSON" tab and click "Edit".
  - Change the "enforcement mode" from "transparent" to "blocking".
  - Click "Save Policy".
- Deploy New Version:
  - Go to the "Version" tab to see the latest policy version with blocking mode enabled.
  - Under "Actions," click "Deploy this version."
  - Choose the target instance.
  - Select whether to update the policy path with the existing name or create a new one. Click "Update."
- Review Changes (Diff View): Use the "Diff View" to compare the updated policy.
- Publish Configuration: Click "Publish" to apply the changes.
Verifying Blocking Mode
After publishing the updated policy, simulating a SQL injection attack on the application will now result in the WAF successfully blocking malicious requests, demonstrating its security effectiveness.
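With several policies on one instance, some in transparent mode and some in blocking mode, it helps to confirm per endpoint which mode is actually in force before relying on it. The following is an added example, not part of the original page or of F5's tooling: it reads a constructed NGINX config and constructed policy JSON and reports the enforcement mode for each location. The location names, bundle paths and policy names are assumptions; `app_protect_enable`, `app_protect_policy_file` and the `enforcementMode` policy key are the WAF module's own names.

```python
import json
import re

# Constructed instance config; locations and bundle paths are assumptions.
NGINX_CONF = """
server {
    location /api/tea {
        app_protect_enable on;
        app_protect_policy_file /etc/app_protect/bundles/blocking-page.tgz;
    }
    location /api/coffee {
        app_protect_enable on;
        app_protect_policy_file /etc/app_protect/bundles/strict-api.tgz;
    }
    location /health { proxy_pass http://127.0.0.1:8080; }
}
"""
# Constructed policy JSON (as edited in the "Policy JSON" tab), keyed by deployed path.
POLICY_JSON = {
    "/etc/app_protect/bundles/blocking-page.tgz":
        '{"policy": {"name": "blocking-page", "enforcementMode": "blocking"}}',
    "/etc/app_protect/bundles/strict-api.tgz":
        '{"policy": {"name": "strict-api", "enforcementMode": "transparent"}}',
}

LOCATION_RE = re.compile(r"location\s+(\S+)\s*\{([^{}]*)\}")
ENABLE_RE = re.compile(r"app_protect_enable\s+on\s*;")
POLICY_RE = re.compile(r'app_protect_policy_file\s+"?([^";\s]+)"?\s*;')

def audit(conf, policy_json):
    """Map each location to its enforcement mode, or why none could be read.
    Only location-level directives are read; inherited ones are not resolved."""
    result = {}
    for path, body in LOCATION_RE.findall(conf):
        if not ENABLE_RE.search(body):
            result[path] = "unprotected"
            continue
        match = POLICY_RE.search(body)
        raw = policy_json.get(match.group(1)) if match else None
        if raw is None:
            result[path] = "policy not found"
            continue
        result[path] = json.loads(raw)["policy"].get("enforcementMode", "unspecified")
    return result

def not_blocking(conf, policy_json):
    """Locations not confirmed to be in blocking mode."""
    return sorted(p for p, mode in audit(conf, policy_json).items() if mode != "blocking")

if __name__ == "__main__":
    for location, mode in audit(NGINX_CONF, POLICY_JSON).items():
        print(f"{location:12} {mode}")
```
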
Streamlined Signature Database Updates
Updating the signature database has been significantly simplified. SecOps teams can now update signature sets to the latest versions directly from the dashboard with minimal effort, reducing the time and resources required.
To update signatures for a specific policy bundle:
- Navigate to Policies: Go to the "Policies" section.
- Select Policy: Choose the desired policy.
- Update Signatures: Click the "Action" tab on the right and select "Update Signatures."
Conclusion
F5 WAF for NGINX in the NGINX One Console simplifies the management of NGINX WAF policies. The demo showcased the creation and deployment of policies on single instances or config sync groups, as well as the modification of policies between transparent and blocking modes. This allows for flexible customization of security measures to meet diverse application requirements.