F5 Essential App Protect FAQ

Q: What is a Threat Campaign?

Threat Campaigns provide targeted signatures to protect organizations from pervasive attacks that are often coordinated by organized crime and nation states. Based on F5 Labs research, Threat Campaigns provide critical intelligence to fingerprint and mitigate sophisticated attacks with nearly real-time updates.

_images/CS-Security-Threat.Campaigns.png

Q: What is Malicious IP?

A malicious IP is an IP address or security category associated with malicious activity. Turning on the Malicious IP service enhances automated security decisions with IP reputation intelligence. IP Intelligence Services can incorporate dynamic lists of threatening IP addresses from third parties into the F5 Cloud Services platform, adding context and automation to WAF mitigation decisions. IP Intelligence Services are available as an add-on service. A detailed list of the Malicious IP Categories can be found in the security details page.

_images/CS-Security-Malicious.IP.png

Q: What is High-Risk Attack mitigation?

High-Risk Attack Mitigation is an automatic mitigation feature. It estimates the likelihood that an incoming request is an attack from the violations that request triggers, and it can block the request immediately.


Q: What is Baseline Sec Protection?

Baseline Sec Protection is part of High-Risk Attack Mitigation. It provides a baseline policy with an effective, low-friction security ruleset that protects the application against common exploits using these controls:

  • High Risk Attack Signatures
  • HTTP RFC validation
  • Evasion technique enforcement
  • Method enforcement
  • Malicious file type enforcement
  • Geo-location enforcement (with provided templates)
  • Response scrubbing to prevent sensitive data leakage (e.g. credit card numbers)
  • Base API protection

Q: How does F5 Essential App Protect Service compare to AWS WAF?

Essential App Protect offers a number of unique or enhanced benefits:

  • Multi-cloud service options.
  • More security functionality built-in than the AWS WAF, providing a broader range of security application protections.
  • Simpler user interface and easy, configurable check-box security options.  Essential App Protect provides a very interactive user experience making it easier to see an issue via the interactive map and take action on that threat.
  • Fewer false positives/negatives.

AWS WAF offers:

  • Exists as part of the ALB flow (Essential App Protect is expected to integrate with the ALB flow as well eventually)
  • Relatively cheap for a WAF SaaS solution
  • Declarative API allows for fast and easy CI/CD integration
  • Good API documentation and references

Q: What is attack probability?

Attack probability is a rating of the likelihood that a request that Essential App Protect reports as a detection event is actually a real attack. You can examine the requests that cause detection events to determine whether the requests are real attacks or false positives. To simplify the task of identifying false positives, each transaction with one or more detection events has an attack probability rating associated with it. The attack probability rating ranks the transactions and reports those that are either High or Very High. This table explains how to interpret the attack probability ratings.

Rating      Description
Very High   Request is most likely a threat.
High        Request looks like a threat but requires examination.

The system assigns the attack probability rating by assessing the combination of detection events occurring in a transaction. The rating is assigned to the transaction as a whole rather than the individual detection events in the request. This is because real attacks often include multiple detection events within one transaction. The attack probability rating takes into consideration the impact of the detection events on the business.


Q: Why do I see asterisks in my parameter value pair?

Essential App Protect is treating these parameters as “sensitive” parameters. For more information, see the next section protecting sensitive information and parameters.


Q: How do I protect sensitive information and parameters?

Essential App Protect provides two mechanisms for masking sensitive information: Data Guard and Sensitive Parameters.

Data Guard: In some web applications, a response may contain sensitive user information, such as credit card numbers or social security numbers. Data Guard can prevent responses from exposing this information by masking it (also known as response scrubbing). Data Guard scans the text of responses for the types of sensitive information you enable and masks the matching values in the response itself, so they are hidden from the client and from any downstream view or log. With Data Guard enabled, turning on “cc” masks credit card numbers and turning on “ssn” masks social security numbers.

Sensitive Parameters: Requests to your application can carry many parameters with sensitive content. Besides credit card and social security numbers, there may be account numbers, passwords, medical records or other private data you do not want exposed. Adding those parameter names to the sensitive parameters list makes Essential App Protect mask their contents in any display or log produced by the service. Unlike Data Guard, Sensitive Parameters does not change the parameter value that is forwarded between the web server and the application server.

In the preview version, Essential App Protect enables Data Guard and Sensitive Parameters by default, but no parameters are declared as sensitive. You can add parameters to the list using either the API or the UI. To make changes through the UI, click the PROTECT APPLICATION card on the Essential App Protect dashboard while viewing your protected application and edit the COMPLIANCE & PRIVACY section of the General tab (see compliance details: f5-cloud-services-Security-WorkWith.html#protect-application).

To change compliance settings with the API, you can simply change the data_guard and sensitive_parameters variables in the policy/compliance_enforcement section of the Essential App Protect subscription update payload, as shown below:

PUT https://api.cloudservices.f5.com/v1/svc-subscription/subscriptions/{{SUBSCRIPTION_ID}}

– PAYLOAD:

{
    "service_type": "waf",
    "service_instance_name": "{PROTECTED_APP}",
    "configuration": {
        "waf_service": {
            ...
            "policy": {
                "compliance_enforcement": {
                    "data_guard": {
                        "cc": true,
                        "enabled": true,
                        "ssn": true
                    },
                    "sensitive_parameters": {
                        "enabled": true,
                        "parameters": [
                           "password",
                           "creditcard"
                        ]
                    }
                },
            ...
           }
        }
    }
}

This will flag these parameters as sensitive parameters. When you create sensitive parameters, the system replaces the sensitive data in the stored request and in logs with asterisks (***), keeping the sensitive data in these parameters private.
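As an added example (not F5 code, and not the service's actual implementation), the following Python illustrates the difference between the two mechanisms on constructed data: Sensitive Parameters changes only the logged copy of a request, while Data Guard rewrites the response body that the client receives. The parameter names, the credit-card and SSN patterns, and the Luhn check used to avoid masking plain numeric IDs are this example's own assumptions; the page only states that Data Guard masks "cc" and "ssn" values and that sensitive parameters are replaced with asterisks.

```python
import re

# Names the operator declares sensitive; mirrors the "sensitive_parameters"
# list in the subscription payload above. Case-insensitive matching is an
# assumption of this example.
SENSITIVE_PARAMETERS = {"password", "creditcard"}
MASK = "***"


def mask_sensitive_parameters(query, sensitive=SENSITIVE_PARAMETERS):
    """Return the query string as it should appear in stored requests and logs.
    Only the logged copy is changed; the request forwarded to the application
    keeps the real values (that is the Sensitive Parameters contract)."""
    logged = []
    for pair in query.split("&"):
        name, sep, value = pair.partition("=")
        if sep and name.lower() in sensitive:
            value = MASK
        logged.append(f"{name}{sep}{value}")
    return "&".join(logged)


# Data Guard: response scrubbing. Patterns and the Luhn check are this
# example's own; the page only says Data Guard masks "cc" and "ssn" values.
CC_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, optional separators
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits):
    """Luhn checksum: filters order numbers and other plain IDs out of card matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def data_guard(response_body, cc=True, ssn=True):
    """Mask credit card numbers and SSNs in a response body. Unlike
    mask_sensitive_parameters, the rewritten body is what the client receives."""
    if cc:
        def mask_cc(match):
            raw = match.group(0)
            if luhn_ok(re.sub(r"[ -]", "", raw)):
                return re.sub(r"\d", "*", raw)   # keep separators, hide every digit
            return raw                           # not a card number: leave it alone
        response_body = CC_CANDIDATE.sub(mask_cc, response_body)
    if ssn:
        response_body = SSN_PATTERN.sub("***-**-****", response_body)
    return response_body


if __name__ == "__main__":
    # Constructed sample request and response (not captured traffic).
    print(mask_sensitive_parameters("user=alice&password=hunter2&creditcard=4111111111111111&item=42"))
    print(data_guard("Card 4111 1111 1111 1111 on file; SSN 123-45-6789; order 1234567890123456"))
```

The order number in the sample survives Data Guard only because it fails the Luhn check; a 16-digit identifier that happens to pass Luhn would be masked, which is the usual source of Data Guard false positives on pages full of numeric IDs.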


Q: Which AWS deployment regions are supported by Essential App Protect?

AWS Region                 Region Name
US East (N. Virginia)      us-east-1
US East (Ohio)             us-east-2
US West (Oregon)           us-west-2
Europe (Frankfurt)         eu-central-1
Europe (London)            eu-west-2
Europe (Paris)             eu-west-3
Asia Pacific (Tokyo)       ap-northeast-1
Asia Pacific (Singapore)   ap-southeast-1
Asia Pacific (Sydney)      ap-southeast-2
Canada (Central)           ca-central-1

Q: How do I add multiple IP endpoints for my application?

Do this by modifying the JSON configuration to include multiple IP endpoints. In the UI, edit the JSON in the JSON Configuration section. The API approach is the same: modify the payload JSON to hold multiple endpoints, then create or update the subscription. The JSON example below shows multiple IP endpoints.

Use this API request to create a subscription instance with multiple endpoints:

POST https://api.cloudservices.f5.com/v1/svc-subscription/subscriptions

or this one to add endpoints to an existing instance:

PUT https://api.cloudservices.f5.com/v1/svc-subscription/subscriptions/{{subscription_id}}

– PAYLOAD

{
    ...
    "configuration": {
        "waf_service": {
                ...
                "waf_regions": {
                    "aws": {
                        "us-east-1": {
                            "endpoint": {
                                "domain": "<region1.yourdomain.com>",
                                "port": 80,
                                "use_TLS": false
                            }
                        },
                        "us-west-2": {
                            "endpoint": {
                                "domain": "<region2.yourdomain.com>",
                                "port": 80,
                                "use_TLS": false
                            }
                        }
                    }
        ...
}
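As an added example (not F5 code), the Python below builds the waf_regions fragment from a list of per-region origin endpoints and runs two pre-flight checks before the payload is sent: every region must appear in the supported-region table on this page, and each endpoint's port and use_TLS setting are checked for consistency. The reading of use_TLS as TLS on the connection from the proxy to your origin is inferred from the field names; the nesting follows the payload above, and the domain names are placeholders.

```python
import json

# The AWS regions this page lists as supported by Essential App Protect.
SUPPORTED_AWS_REGIONS = {
    "us-east-1", "us-east-2", "us-west-2",
    "eu-central-1", "eu-west-2", "eu-west-3",
    "ap-northeast-1", "ap-southeast-1", "ap-southeast-2",
    "ca-central-1",
}


def build_waf_regions(endpoints):
    """endpoints: iterable of (aws_region, origin_domain, port, use_tls).
    Returns the "waf_regions" fragment for the subscription payload plus a
    list of warnings about the proxy-to-origin leg."""
    aws, warnings = {}, []
    for region, domain, port, use_tls in endpoints:
        if region not in SUPPORTED_AWS_REGIONS:
            raise ValueError(f"{region}: not a supported Essential App Protect region")
        if region in aws:
            raise ValueError(f"{region}: listed twice; the payload keys endpoints by region")
        if not use_tls:
            # Assumption: use_TLS false means the proxy reaches the origin in plaintext.
            warnings.append(f"{region}: origin {domain}:{port} reached without TLS")
        elif port == 80:
            warnings.append(f"{region}: use_TLS true on port 80 looks like a mismatch")
        aws[region] = {"endpoint": {"domain": domain, "port": port, "use_TLS": use_tls}}
    return {"waf_regions": {"aws": aws}}, warnings


def merge_into_payload(payload, fragment):
    """Place the fragment at configuration.waf_service.waf_regions, keeping
    whatever else the payload already carries (policy, event_logging, ...)."""
    waf_service = payload.setdefault("configuration", {}).setdefault("waf_service", {})
    waf_service["waf_regions"] = fragment["waf_regions"]
    return payload


if __name__ == "__main__":
    # Constructed input: two regions, one origin still on plain HTTP.
    fragment, warnings = build_waf_regions([
        ("us-east-1", "region1.yourdomain.com", 443, True),
        ("us-west-2", "region2.yourdomain.com", 80, False),
    ])
    print(json.dumps(merge_into_payload({"service_type": "waf"}, fragment), indent=2))
    for line in warnings:
        print("WARNING:", line)
```

Send the merged payload with the PUT shown above to add endpoints to an existing instance, or with the POST to create one; treat any warning about a plaintext origin as a finding, since the WAF then terminates TLS but forwards the request unencrypted.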

Q: How do I delete/retire an Essential App Protect Service instance?

The first step is to remove the CNAME record in your DNS settings that redirects your application’s traffic through your Essential App Protect Service instance. For more information, see Protect Application - DNS Settings, Step 2.

Important

When you suspend or retire a subscription, you are turning off all functions of the Essential App Protect Service instance for your application. That also means that if you still have the CNAME record in your DNS settings that you added when you created your Essential App Protect Service instance, all of your application’s traffic will be going through a non-functional proxy, effectively blocking all communication with your application. It is very important that you remove the CNAME record from your DNS settings prior to suspending or retiring an Essential App Protect Service instance.

To delete a service instance with the UI, go to the dashboard and use the View dropdown to choose All my applications. This will show a list of all your service instances. Check the box to the left of the service instance you wish to delete, and press the Delete button in the upper right. For more information, see the Dashboard section.

Using the API, “deleting” a service means retiring the service instance by its subscription ID. The subscription ID is created with the service instance and returned in the response JSON as subscription_id. You can also list all of your subscription IDs with the following request:

GET https://api.cloudservices.f5.com/v1/svc-subscription/subscriptions?catalogId=c-aa9N0jgHI4&account_id={{ACCOUNT_ID}}&service_type=waf

– RESULT

{
    "subscriptions": [
        {
            "subscription_id": "s-aadIkDJUJV",
            "account_id": "a-aaQsw6MlaD",
            "user_id": "u-aaiJJFFvZE",
            "catalog_id": "c-aa9N0jgHI4",
            "service_instance_id": "waf-aaid2NxVnX",
            "status": "ACTIVE",
            "service_instance_name": "Example Application",
            "deleted": false,
            "service_type": "waf",
            "configuration": {
                <!-- service specific configuration content -->
            },
            <!-- service specific content -->
        },
        {
            "subscription_id": "s-aaVf7muxD9",
            "account_id": "a-aaQsw6MlaD",
            "user_id": "u-aaiJJFFvZE",
            "catalog_id": "c-aa9N0jgHI4",
            "service_instance_id": "waf-aaOjMlcBmW",
            "status": "ACTIVE",
            "service_instance_name": "Example2",
            "deleted": false,
            "service_type": "waf",
            "configuration": {
                <!-- service specific configuration content -->
            },
            <!-- service specific content -->
        }
    ],
    <!-- subscriptions details -->
}

Once you have the correct subscription ID, you can then use the following request to retire the subscription. Remember to change the subscription_id to the one assigned to the service instance you want to retire.

POST https://api.cloudservices.f5.com/v1/svc-subscription/subscriptions/{{subscription_id}}/retire

– RESULT

{
    "status": "RETIRED",
    "service_state": "UNDEPLOYED",
    "subscription_id": "s-aaVf7muxD9"
}

Q: What happens when I suspend Essential App Protect for my application?

When you suspend an Essential App Protect service instance, you are turning it off. That means it will not perform any actions, and it will not act as a pass through to your application. Therefore it is very important that before you suspend service for an application you must first remove the CNAME record in your DNS settings that redirects your application’s traffic through your Essential App Protect Service instance. For more information, see Protect Application - DNS Settings, Step 2.

Important

As with retiring, suspending turns off every function of the service instance. Any traffic still directed to it by the CNAME record will hit a non-functional proxy and your application becomes unreachable, so remove the CNAME record from your DNS settings before suspending.

To suspend an application, use the following request. Remember to change the subscription_id to the one assigned to the service instance you want to suspend.

POST https://api.cloudservices.f5.com/v1/svc-subscription/subscriptions/{{subscription_id}}/suspend

– RESULT

{
    "status": "STATUS_ACTIVE",
    "service_state": "UNDEPLOYING",
    "subscription_id": "s-aaVf7muxD9"
}

After a few moments the service_state becomes “UNDEPLOYED”, which you can verify by getting the subscription status. You can later “unsuspend” by activating the subscription for this service instance (the example below has the subscription_id already inserted into the request URL).

POST https://api.cloudservices.f5.com/v1/svc-subscription/subscriptions/s-aaVf7muxD9/activate

– RESPONSE

{
   "status": "STATUS_ACTIVE",
   "service_state": "DEPLOYING",
   "subscription_id": "s-aaVf7muxD9"
}

Q: What is a CNAME?

A CNAME record is an optional DNS zone record that points one hostname at another. It has a hostname as its record NAME, a record TYPE of “CNAME”, and another hostname as its VALUE. When a resolver looks up example.com and finds it as the NAME of a CNAME record, it continues the lookup with the hostname in the VALUE field. That VALUE is the canonical (true) name and is often itself called the CNAME. Essential App Protect relies on such a record to route your application's traffic through its proxy, which is why the record must be removed before the instance is suspended or retired.



Q: How can I create a new Essential App Protect service instance for my application?

If you are using the API, refer to API Guidelines Document, Section 6.

If you are using the UI, and this is the first application you will be protecting, refer to this section: Set up the Essential App Protect Service. If you have already created one or more service instances, then you can create another from the dashboard while viewing all your applications.

_images/CS-EAP-Dashboard-View-All.my.applications.png

Press the Create button to show the multi-step slide panel on the right side of the screen to create a new service instance. For details on the creation process, refer to this section: Set up the Essential App Protect Service.


Q: What is monitoring mode vs. blocking mode?

Each of the three event categories, High-risk Attack Mitigation, Malicious IP, and Threat Campaigns can be used in either Monitoring Mode or Blocking mode, as shown below:

_images/CS-EAP-Protect.Application-Malicious.IP.png

Blocking Mode means that Essential App Protect will block all disallowed requests, whereas Monitoring Mode will allow the request but log it as suspicious for future review. The VIEW EVENTS card will show both blocked and monitored events, but the status will be Blocked or Not blocked respectively.

Malicious IP violations have an extra level of selection, as shown above. In Blocking Mode, the default is to block all malicious IP categories; however, you can uncheck any individual category to unblock it. Unblocked categories revert to being just monitored, but you can uncheck the associated Monitor checkbox to completely ignore the category.

If Monitoring Mode is selected, blocking is not available for any category; all categories are monitored by default, but you can uncheck a category's Monitor checkbox to ignore it completely.

Q: How do I switch between my applications?

On the Essential App Protect dashboard, you can use the View: dropdown to see your protected applications and select the one you wish to view.

_images/CS-EAP-Dashboard-View-Switch.png

Q: How do I import an SSL/TLS X.509 certificate?

Here are some requirements for certificates that Essential App Protect can support:

  • You can import a certificate which is self signed, or a certificate which is signed by an external certificate authority. If the certificate is signed by an external certificate authority, you must also include the certificate chain.

  • The certificate must use one of the following algorithms and key sizes:

    • 1024-bit RSA
    • 2048-bit RSA
    • 4096-bit RSA
  • The certificate, private key, and certificate chain must be PEM encoded. If your certificate is not PEM encoded, you may be able to convert it to PEM format; see https://stackoverflow.com/questions/991758/how-to-get-pem-file-from-key-and-crt-files

  • The private key PEM block may be encrypted; however, if it is encrypted, you must provide the passphrase.

  • The private key must be in PKCS#1, ASN.1 DER form inside its PEM wrapper (the block labelled “BEGIN RSA PRIVATE KEY”), not the PKCS#8 form labelled “BEGIN PRIVATE KEY”.
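A pre-flight check for the requirements above, written for this page as an added example (it is not F5 code and does not talk to the service): it confirms the key is a single PKCS#1 "RSA PRIVATE KEY" PEM block, reads the modulus size straight out of the DER so that unsupported sizes are caught before upload, insists on a passphrase when the legacy "Proc-Type: 4,ENCRYPTED" header is present, and checks that a CA-signed certificate comes with its chain. The fixture generator at the bottom builds a PKCS#1-shaped key with dummy fields purely so the check can be exercised offline; it is not a usable key. A practical caveat the page does not state: 1024-bit RSA is accepted, but public CAs no longer issue such certificates and it should not be used for new deployments.

```python
import base64
import re

ALLOWED_RSA_BITS = {1024, 2048, 4096}          # sizes the page lists as accepted
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def _der_read(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(der):
    """Modulus size of an unencrypted PKCS#1 RSAPrivateKey (RFC 8017 A.1.2):
    SEQUENCE { version INTEGER, modulus INTEGER, publicExponent INTEGER, ... }"""
    tag, body, _ = _der_read(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    _, _version, pos = _der_read(body, 0)
    tag, modulus, _ = _der_read(body, pos)
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(modulus, "big").bit_length()


def check_key_pem(key_pem, passphrase=None):
    """Return a list of problems with the private key; empty means acceptable."""
    keys = [(t, b) for t, b in PEM_BLOCK.findall(key_pem) if t.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        return [f"expected exactly one PEM private key block, found {len(keys)}"]
    label, body = keys[0]
    if label != "RSA PRIVATE KEY":
        # "PRIVATE KEY" / "ENCRYPTED PRIVATE KEY" are PKCS#8; "EC PRIVATE KEY" is not RSA
        return [f"key block is '{label}'; need PKCS#1 'RSA PRIVATE KEY'"]
    if "Proc-Type: 4,ENCRYPTED" in body:                 # legacy PEM encryption header
        return [] if passphrase else ["key is encrypted; supply the passphrase on upload"]
    try:
        bits = rsa_modulus_bits(base64.b64decode("".join(body.split())))
    except (ValueError, IndexError) as exc:
        return [f"could not parse PKCS#1 key: {exc}"]
    if bits not in ALLOWED_RSA_BITS:
        return [f"{bits}-bit RSA not supported; use 1024, 2048 or 4096"]
    return []


def check_bundle(cert_pem, key_pem, passphrase=None, self_signed=False):
    """Combine the key check with the certificate/chain requirements."""
    problems = check_key_pem(key_pem, passphrase)
    certs = [b for t, b in PEM_BLOCK.findall(cert_pem) if t == "CERTIFICATE"]
    if not certs:
        problems.append("no PEM CERTIFICATE block found; convert DER/PKCS#12 to PEM first")
    elif not self_signed and len(certs) < 2:
        problems.append("CA-signed certificate supplied without its chain")
    return problems


# ---- constructed fixture: PKCS#1-shaped DER with a chosen modulus size (not a usable key) ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    s = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(s)]) + s


def _der_int(value):
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")   # extra byte keeps sign bit clear
    return b"\x02" + _der_len(len(raw)) + raw


def make_sample_key_pem(bits):
    modulus = (1 << (bits - 1)) | 1
    fields = [0, modulus, 65537] + [3] * 6              # version, n, e, then dummy d/p/q/dp/dq/qinv
    body = b"".join(_der_int(f) for f in fields)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN RSA PRIVATE KEY-----\n{lines}\n-----END RSA PRIVATE KEY-----\n"


if __name__ == "__main__":
    print(check_key_pem(make_sample_key_pem(2048)))      # []
    print(check_key_pem(make_sample_key_pem(1536)))      # unsupported size
```

If the check reports a PKCS#8 block, `openssl rsa -in key.pem -out key-pkcs1.pem` rewrites the key in PKCS#1 form; on OpenSSL 3 add `-traditional`, because that release writes PKCS#8 by default.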

Add certificate with API

To add a new service instance with a certificate (for https:), use the onboarding instructions, Essential App Protect Service API Overview and Example.

Adding the certificate to an existing service instance is a two step process.

  1. Upload the certificate to Essential App Protect and get a certificate id. Refer to Add SSL/TLS Certificate for details.

  2. Tell Essential App Protect to use the returned certificate id by updating your service instance with a “tls” section added containing the returned certificate id as shown below.

    PUT https://api.cloudservices.f5.com/v1/svc-subscription/subscriptions/{{SUBSCRIPTION_ID}}
    

    – PAYLOAD

    {
        "account_id": "{{ACCOUNT_ID}}",
        "catalog_id": "c-aa9N0jgHI4",
        "service_type": "waf",
        "service_instance_name": "My Test Site",
        "configuration": {
            "waf_service": {
                "application": {
                    "domain": "example.com",
                    "remark": "DVWA - TLS",
                    "tls": {
                        "certificate_id": "{{CERTIFICATE_ID}}",
                        "enabled": true
                    },
                    "waf_regions": {...}
                },
                "event_logging": {...},
                "industry": "finance",
                "policy": {...}
            }
        }
    }
    

Add certificate with the UI

To add a new service instance with a certificate (for https:), use the onboarding instructions, Set up the Essential App Protect Service.


Q: What happens when I mark an event as an exception?

Essential App Protect examines every request coming into your application, evaluates the threat level, and then determines whether or not it is a violation. Sometimes you will determine that an event flagged as a violation is a false positive, meaning it is an expected type of request and not a violation. You can tell your Essential App Protect service instance to let future events like this one pass through to the application without treating them as a threat. To do so, select Mark as exception from the kabob (three-dot) menu on the line logging the event, or click the line to open the details panel and click Mark as exception at the bottom.

_images/CS-EAP-View.Events-Mark.as.exception.png

What specifically happens depends on the category and violation type of the event. Because an exception is a standing allow rule, check its scope before confirming: a Malicious IP exception, for instance, allows all traffic from that address, not just the flagged request.

Category                      Sub violation            Mark as exception specifics
Malicious IP                  All                      Adds the IP address of the event to the IP ENFORCEMENT RULES with its IP Action set to Allow, so all traffic from that address passes through to the application. You can choose to keep logging its events in the IP ENFORCEMENT RULES table.
High-risk Attack Mitigation   Attack Signatures        The specific attack type (signature) is allowed for all future events, but only in the same context: if the signature was matched in a header, the exception allows it only in headers.
                              Geo Location             The specific source location is allowed for all future events.
                              Disallowed File Types    The specific file type (extension) is allowed for all future events.
                              Disallowed HTTP Method   The specific method is allowed for all future events.
                              other sub violations     The specific sub violation is allowed for all future events.
Threat Campaigns              All                      The specific threat campaign is allowed for all future events.

Q: Who should I contact for help regarding F5 Cloud Services?

Visit the F5 Cloud Services Support page to see all of your support options.