Work with the F5 Essential App Protect Service

Essential App Protect provides instant, out-of-the-gate protection from common web exploits, malicious IPs and coordinated attack types. This document will show you how to set up Essential App Protect and how to use it once protection is active.

Note

This release of the F5 Essential App Protect Service is considered a “Preview Service” under the F5 Cloud Services Subscription Terms. As such, the Essential App Protect Service is provided on a Preview Service-basis for a limited time for your internal demonstration, testing, or evaluation purposes only and not for use in a production environment. This also requires that you not submit any personal information (such as a person’s name or identification number or location data) to the Preview Service. For more details, please refer to the F5 Cloud Services Subscription Terms.


Set up the Essential App Protect Service

The Essential App Protect Service can be set up using either the API or the user interface through a series of forms. Setup instructions using the API can be found in the API Guidelines Document, Section 6. To set up the Essential App Protect Service with the UI, follow the steps below:

  1. On Your F5 Cloud, click the Essential App Protect tab in the Cloud Services navigation menu. Since you don’t have any protected applications, you will see the WorldWide Threat Map view.

  2. On the WorldWide Threat Map view, click the Start protecting your application button. This will show a multi-step slide panel on the right side of the screen. Enter the following fields:

    • Fully Qualified Domain Name (FQDN) - This is the domain you wish to protect.
    • Name this application - This is how Essential App Protect will refer to this instance of the service. For example, this is the name you will select in the View menu to see this service.
    • Add a description (optional) - Add a longer, more detailed description of this service.
    • Choose an application encoding - This tells Essential App Protect which character encoding your application uses. If you’re not sure, use the default, since over 90% of web applications use UTF-8.
    _images/CS-EAP-Signup-App.png

    When you are finished, press Save & Continue.

  3. Essential App Protect will look up the FQDN you entered and show you the results. If this is correct, you can select the appropriate region for this IP endpoint.

    Note

    If you have multiple endpoints and multiple regions, you can add these later. See the multiple IP endpoints topic in the FAQ for Essential App Protect.

    If you make changes on this tab, press the Update button to save the changes.

    _images/CS-EAP-Signup-Confirm.Endpoints.png

    Press Save & Continue to move to the next step.

  4. If your application encrypts data between server and browser (uses HTTPS), then you must add an SSL or a TLS certificate so that Essential App Protect can work with your application’s encrypted communications. You have the option to add the certificate later, but then you will only have protection when your site is used without encryption (uses HTTP).

    To add a certificate, you can select an existing certificate from the dropdown menu, or at the bottom of the menu there is an option to Add a new one.

    _images/CS-EAP-Signup-No.Certificate.png
    _images/CS-EAP-Signup-No.Certificate.Add.png

    To add a new certificate, either paste your certificate and private key into the respective fields, or use the + select a file buttons to upload them from your computer. You must provide both a certificate and its associated private key. If your private key is encrypted with a passphrase, then you must also enter the passphrase. If you have multiple certificates including both root CAs and intermediate CAs forming a certificate chain, then you must check the Add a certificate chain (optional) checkbox and enter the chain into the field below it.

    _images/CS-EAP-Signup-Certificate.png

    Press Save & Continue to move to the next step.

  5. The APP PROTECT FEATURES step gives you the ability to enable the various methods of protection offered by Essential App Protect. Regardless of your choice, you can change the feature later by clicking on the PROTECT APPLICATION card on the Essential App Protect dashboard while viewing your protected application. You can get more details on each feature by clicking the view feature details button or one of the links below:

    _images/CS-EAP-Signup-App.Protect.Features.png

  6. Your Essential App Protect instance has been created and it is ready to start protecting your application. The last step is to change your DNS settings so that all of your application’s traffic goes through your Essential App Protect instance. This is done by creating a CNAME record in the zone file for your application through your application’s hosting provider. For more information, see Protect Application - DNS Settings.

    _images/CS-EAP-Signup-Set.up.DNS.png

After you’ve updated DNS records, it can take up to 72 hours for the change to propagate fully, but it’s typically much faster. Once this process is complete, your application is actively protected by Essential App Protect.

Dashboard

The Essential App Protect Service dashboard allows you to view the protection status of each of your protected applications and make adjustments to your protection settings as events change. To view the dashboard for an application, click Essential App Protect in the navigation menu and then select the desired application with the View: dropdown.

_images/CS-EAP-Monitor.Applications.png

The dashboard shows an overview of one protected application as defined by the selection in the View: dropdown. The dashboard is structured with three data cards across the top and a workspace at the bottom. Clicking on each card changes the workspace to show different information below the cards, but the cards themselves are always present at the top of the page to provide your security overview. Details for each of these cards are given below.

At the bottom of the View: dropdown is an option to show All my applications.

_images/CS-EAP-Dashboard-View.png

This will show your Essential App Protect Service instances for each of your applications along with their current status. You can create a new service instance to protect another application by clicking the Create button. For details on the service creation process, see the Set up the Essential App Protect Service section. You can also delete a service instance by checking the box to the left of the service and pressing the Delete button in the upper right.

_images/CS-EAP-Dashboard-View-All.my.applications.png

Monitor Application

The MONITOR APPLICATIONS data card shows an overview of the malicious requests received by the application. The histogram shows the history of malicious activity over the last two hours in five-minute increments. The donut chart shows the percentage of malicious requests blocked during that same period as well as the specific numbers of blocked and not blocked requests.

_images/CS-EAP-Monitor.Applications.Card.png

Clicking on the card will show a world map in the workspace with more details on various malicious activity for the application. The legend area in the top left of the map shows some details of the protected application including the number of application endpoints. Below that are the different types of malicious actors that can be viewed on the map. The checkboxes enable you to view or hide each type of malicious actor, which can be helpful when there are many attacks occurring simultaneously.

_images/CS-EAP-Monitor.Applications.png

Try these map features:

  • Locate endpoint(s) - The concentric blue circle icon(s) shows your application endpoint(s) and location(s).
  • Quickly identify and mitigate attacks - Hover over any of the malicious actor icons on the map to get more details regarding that location. From there you can click on the View Incident button to go to the VIEW EVENTS card and then get specific details on the attack. Similarly, click the View Settings button to go to the PROTECT APPLICATION card to view or change settings.
  • Get real-time threat updates - Yellow attack bars indicate active attacks. When the screen is first loaded, you will see attack bars from all malicious attackers who have attacked in the last five minutes. Subsequently, attack bars appear as new malicious attacks are detected.
  • Expand attack clusters - If more than one attack of the same type in the same region appears, the icon shows them as a cluster with the number of attackers included. The icon will appear larger based on the number of attackers. You can click on the number icon to zoom into that area and examine the individual actors. To zoom out again, click the blue circle with the minus sign in it in the upper right corner of the map.
  • Pan and zoom - You can pan the map by clicking the mouse anywhere on the map and dragging. This is especially useful when the map is zoomed in. You can zoom the map by clicking on an attack cluster (mentioned above) if any are displayed.

Below the map is a list of the detection events shown on the map.


Protect Application

The PROTECT APPLICATION card shows the current protection level for each of the categories of protection offered for an application. Each category can be either Off (not used), Monitoring (show the threat but don’t take action), or Blocking (block all threats). These and other protection settings and information can be accessed by clicking the PROTECT APPLICATION card.

_images/CS-EAP-Protect.Application.Card.png

The Protection Settings section has six tabs: General, Hi-risk Attack Mitigation, Malicious IP, Threat Campaigns, DNS Settings, and JSON configuration. Each tab is discussed in a section below.

_images/CS-EAP-Protect.Application.png

Protect Application - General

In the General tab, there are four sections as shown below:

  • APPLICATION DETAILS -
    • Fully Qualified Domain Name (FQDN): This is the protected application.
    • Application Encoding: The type of characters used for your application.
    • Application Display Name: This is the name Essential App Protect will use for your protected application. This name will be shown in the View: dropdown menu in the upper right corner of most Essential App Protect screens.
    • Description: Use this optional field to differentiate between like-named applications.
  • SSL CERTIFICATE - If your application encrypts data between server and browser (uses HTTPS), then this area will show the certificate you added when you set up Essential App Protect for this application.
  • DEPLOYED REGIONS - This section shows the AWS region(s) where your application is deployed. If your application has multiple IP endpoints, then you may have multiple regions listed. For each region, you’ll see the port used for communicating with the application and whether or not it is using TLS (Transport Layer Security). For the complete list of supported AWS regions, see the region list in the FAQ for Essential App Protect.
  • COMPLIANCE & PRIVACY - Essential App Protect provides two general mechanisms for masking sensitive information, Data Guard and Sensitive Parameters, which are enabled or disabled with their associated checkboxes. In addition, each of these has options of its own that are enabled/disabled with either checkboxes or combo boxes. To see or build your list of sensitive parameters, click on Manage sensitive parameters. Then you can select from the list in the dropdown portion of each of the combo boxes, or you can enter your own sensitive parameters by simply typing the parameter’s name in the box and pressing the Enter/Return key for each entry. For more information on the compliance options, see the sensitive information topic in the FAQ for Essential App Protect.

If you make changes on this tab, press the Update button to save the changes.


Protect Application - High-risk Attack Mitigation

High-Risk Attack Mitigation evaluates each incoming request and calculates the likelihood that it is actually an attack. It does this based on the types of violations that are shown and enabled or disabled on this tab. The settings available on this tab are listed below.

_images/CS-EAP-Protect.Application-Hi.risk.Attack.Mitigation.png

  • Turn on checkbox: The entire category of high-risk attack mitigation can be enabled or disabled using the checkbox at the top. If it is checked (turned on), then the Mode can be set to either Monitoring (show the threat but don’t take action) or Blocking (block all threats detected).

  • ATTACK SIGNATURES are rules or patterns that identify attacks or classes of attacks on a web application and its components. A security policy compares patterns in the attack signatures against the contents of requests and responses looking for potential attacks. Some of the signatures are designed to protect specific operating systems, web servers, databases, frameworks or applications. For more details, see the Attack Types section in the Security Details document.

  • GEOLOCATION ENFORCEMENT gives you options for denying requests from certain countries. You can either deny requests from OFAC-sanctioned countries or you can deny requests from a list of countries that you create (which can be empty). Click Manage countries to add or delete denied countries from your list.

  • DISALLOWED FILE TYPES allows you to block access to certain file types. The scroll list shows common file types that you can block (checked box) or allow (unchecked box). Click Manage file types to add or delete other file types not listed.

  • IP ENFORCEMENT allows you to allow or block access to your application from specific IP addresses. This is analogous to a “white list” and/or a “blacklist.” IP addresses listed here and their selected options will override any other options or settings for those IP addresses, such as in the Malicious IP tab. Click Manage rules to add and/or see the IP addresses listed and set options for each of them.

    • IP Address - enter the IP address you want affected.
    • IP Action - Block will deny all traffic from the address (blacklist), and Allow will allow all traffic from it (whitelist).
    • Description - Enter a descriptive name or phrase to help you identify the IP address.
    • Event Logging - Check the box if you want all events from the IP address logged and viewable by clicking on the VIEW EVENTS card.
  • PROTOCOL COMPLIANCE ENFORCEMENT

    • HTTP verifies the HTTP request is properly formed. Malformed HTTP requests can be used to bypass proxy filters, poison caches, or cause the response from one request to be incorrectly matched with another; Ref: OWASP HTTP.
    • API enforces proper XML requests. The system checks that the request contains XML data that is well-formed, according to W3C standards. Sending a document which the application was not expecting to handle can result in various attacks, like denial of service.
    • WebSocket adds WebSocket URLs and defines defense measures in a WebSocket profile. This protects against attacks such as server stack abuse, session riding, cross-site scripting, and SQL injection; Ref WebSocket security.
  • METHOD ENFORCEMENT allows you to allow or block specific HTTP request methods. By default, Essential App Protect allows GET, HEAD, and POST methods.

If you make changes on this tab, press the Update button to save the changes.

Protect Application - Malicious IP

A malicious IP is an IP address that has been deemed to be some form of bad actor. Essential App Protect will make this determination after receiving a request that fits into one of the malicious IP categories shown on the Malicious IP tab. The actions you can take are listed below.

_images/CS-EAP-Protect.Application-Malicious.IP.png

  • Enable checkbox: The entire category of malicious IP enforcement can be enabled or disabled using the checkbox at the top. If it is enabled (turned on), then the Mode can be set to either Monitoring (show the threat but don’t take action) or Blocking (block all threats detected).
  • The list box shows the different Malicious IP categories. This allows you to have different settings for each malicious IP category.

If you make changes on this tab, press the Update button to save the changes.

For more information about Malicious IP and the related categories, see the Malicious IP topic in the FAQ for Essential App Protect.


Protect Application - Threat Campaigns

Threat Campaigns provide targeted signatures to protect organizations from pervasive attacks that are often coordinated by organized crime and nation states. The Threat Campaign tab allows you to tell Essential App Protect how to deal with these types of threats. Because there are hundreds of different campaigns, Essential App Protect provides different ways to look at and filter the list. The actions you can take are listed below.

_images/CS-EAP-Protect.Application-Threat.Campaigns.png

  • Enable checkbox: The entire category of Threat Campaign enforcement can be enabled or disabled using the checkbox at the top. If it is enabled (turned on), then the Mode can be set to either Monitoring (show the threat but don’t take action) or Blocking (block all threats detected).
  • Enable or disable individual threat campaigns with the Enable check box in each row of the table.
  • Filter the table to see only campaigns that include a specific word or phrase. Filtering is not case sensitive. The filter does not search for multiple words individually; for example, “remote include” will not match a row that contains “Remote File Include”, whereas “file include” will match “Remote File Include” but will exclude rows in which “File” is followed by anything other than “Include”.
  • Sort columns by clicking on column header.

If you make changes on this tab, press the Update button to save the changes.

For more information about Threat Campaigns, see the Threat Campaign topic in the FAQ for Essential App Protect.


Protect Application - DNS Settings

The DNS Settings tab helps with the update or addition of your CNAME record in your DNS settings.

_images/CS-EAP-Protect.Application-DNS.Settings.png

Step 1. Copy this CNAME: The CNAME value shown is the specific URL for protecting your application. It is essentially your copy of Essential App Protect. By creating a CNAME record, you’ll be directing all traffic to your application to first pass through this URL for verification.

Step 2. Update your CNAME record: The details for this step depend on your hosting provider. Generally you are modifying your application’s zone records, which are used for DNS. Your hosting provider will provide the tools to do this; look for DNS Records, Manage DNS, Zone Editor, or something similar. When creating the CNAME record, you’ll enter two key fields:

  1. Name: think of this as what someone would type into a browser to get to your application
  2. Value: the URL for your copy of Essential App Protect (the CNAME shown in Step 1)

Step 3. Wait for propagation: This process transmits your updated zone file to DNS name servers throughout the world.

Note

This process can take up to 72 hours, but it is typically much faster.

Step 4. Test: Click the Test updated DNS button to verify that your CNAME change is correct. This test will be successful when you have correctly added the CNAME record and it has propagated globally.
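The following script is an added example, not part of the F5 documentation or the service: it checks the propagation described in Steps 3 and 4 from the command line by asking several public resolvers for the CNAME of the protected FQDN and comparing each answer with the value copied in Step 1. It assumes `dig` is installed; the resolver addresses are the well-known public ones, and the domain and expected CNAME are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the F5 documentation): verify that the CNAME record
# for a protected application has propagated, by querying several public
# resolvers and comparing each answer with the value from "Copy this CNAME".

# Lower-case a DNS name and strip any trailing dot, so that
# "App.Example.COM." and "app.example.com" compare equal.
normalize_name() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.*$//'
}

# Return 0 when two DNS names refer to the same label sequence.
cname_matches() {
    [ "$(normalize_name "$1")" = "$(normalize_name "$2")" ]
}

# Query one resolver for the CNAME of $1 and compare it with $2.
# Prints a per-resolver verdict; returns 0 on match, 1 otherwise.
check_resolver() {
    domain=$1; expected=$2; resolver=$3
    answer=$(dig +short +time=3 +tries=1 CNAME "$domain" "@$resolver" 2>/dev/null)
    if [ -z "$answer" ]; then
        printf '%-16s no CNAME for %s yet\n' "$resolver" "$domain"
        return 1
    fi
    # dig may print more than one line; the first is the record owned by the
    # queried name, which is the one that must carry the Essential App Protect value.
    target=$(printf '%s\n' "$answer" | head -n 1)
    if cname_matches "$target" "$expected"; then
        printf '%-16s OK   %s -> %s\n' "$resolver" "$domain" "$target"
        return 0
    fi
    printf '%-16s MISMATCH %s -> %s (expected %s)\n' \
        "$resolver" "$domain" "$target" "$expected"
    return 1
}

# Ask each resolver in turn; propagation is complete when all of them agree.
# Returns the number of resolvers that did not yet return the expected CNAME.
check_propagation() {
    domain=$1; expected=$2; failures=0
    for resolver in 8.8.8.8 1.1.1.1 9.9.9.9; do
        check_resolver "$domain" "$expected" "$resolver" || failures=$((failures + 1))
    done
    return "$failures"
}

# Usage: sh check_cname.sh www.example.com <value copied from "Copy this CNAME">
if [ "$#" -ge 2 ]; then
    check_propagation "$1" "$2"
fi
```

A non-zero exit status means at least one resolver is still serving the old answer, which is the same condition under which the Test updated DNS button reports failure.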


Protect Application - JSON Configuration

Sometimes it is convenient to see an entire Essential App Protect configuration at once. Use the JSON configuration tab to see and edit your configuration for this service instance (visit json.org for more information on the JSON format). This can be convenient for making quick edits or even to copy/paste an entire security policy from one service instance to another.

_images/CS-EAP-Protect.Application-JSON.Configuration.png

The JSON window is a basic editor allowing you to view, scroll, and make changes to the configuration.

  • Click the small arrows next to the line numbers to expand or collapse sections of the JSON.
  • The standard copy function copies selected text (collapsed sections are expanded in the copied text).
  • The standard paste function will overwrite existing text.
  • An error marker (red box containing ‘X’) will appear next to a line number if there is a syntax error on this line (sometimes caused by the preceding line).

If you have made changes to the JSON and want those changes to modify your protection settings, click the Update button.


View Events

The VIEW EVENTS data card shows the three most recent events detected.

_images/CS-EAP-View.Events.Card.png

Clicking on the card will show the list of recent events along with details for each.

_images/CS-EAP-View.Events.png

Actions you can take within the table:

  • Filter the table to see only events that include a specific word or phrase. Filtering is not case sensitive. The filter does not search for multiple words individually; for example, “illegal type” will not match a row that contains “Illegal File type”, whereas “illegal file” will match it but will exclude rows in which “Illegal” is followed by anything other than “File”.

  • Sort columns by clicking on column header.

  • Kabob menu at the right edge of each row gives the following options for an event:

    • Always allow this IP - This will add the IP address associated with this row to the IP Enforcement Rules and set the IP Action to Allow, which means all traffic from this IP address will bypass all protection capabilities within Essential App Protect. This is the equivalent of “whitelisting” this IP address. For more information on managing this list, see the IP Enforcement topic under the High-risk Attack Mitigation section.
    • Always block this IP - This will add the IP address associated with this row to the IP Enforcement Rules and set the IP Action to Block, which means no requests from this IP address will reach your application. This is the equivalent of “blacklisting” this IP address. For more information on managing this list, see the IP Enforcement topic under the High-risk Attack Mitigation section.
    • Mark as exception - Use this option to tell Essential App Protect that this type of event should not be blocked.
    • View full request - This brings up a separate browser tab showing all the details of the request associated with this row. See below.
  • Click on any row to see a more detailed view of the request in a slide bar on the right side of the table.

    _images/CS-EAP-View.Events-Details.png

    In the slide bar, you can:

    • Use the Source IP Address dropdown to either always allow or always block this IP address in accordance with the IP Enforcement Rules. For more information on IP Enforcement Rules, see the IP Enforcement topic under the High-risk Attack Mitigation section.
    • View full request - This brings up a separate browser tab showing all the details of the request.
    _images/CS-EAP-View.Events-View.Full.Request.png

Worldwide Threat Map

To see the worldwide threat campaigns, use the View: dropdown (below the user information in the top right of the Cloud Services window) and select WorldWide Threat Map.

_images/CS-EAP-Worldwide.Threats.png

The left side of the map shows an overview of the activity seen over the past 24 hours. It also shows a list of the recent threat campaigns detected. To see the full list, click + Show all. Below this list is some getting started information and the Start protecting your application button to set up Essential App Protect for an application. For details on how to do this, refer to the Set up the Essential App Protect Service section.

Try these map features:

  • Attack details - Hover over any of the threat icons on the map to get more details regarding that location.
  • Expand attack clusters - If more than one attack of the same type in the same region appears, the icon shows them as a cluster with the number of attackers included. The icon will appear larger based on the number of attackers. You can click on the number icon to zoom into that area and examine the individual actors. To zoom out again, click the blue circle with the minus sign in it in the upper right corner of the map.
  • Pan and zoom - You can pan the map by clicking the mouse anywhere on the map and dragging. This is especially useful when the map is zoomed in. You can zoom the map by clicking on an attack cluster (mentioned above) if any are displayed.