F5 Solutions for Containers > Class 3: Application Deployments with BIG-IP and Application Services (AS3) Source |

Lab 3 - Adding a WAF policy to an application¶

This lab will be broken down to 3 parts.

We will apply an already existing WAF policy to an HTTPS virtual server.
We will apply an policy that is stored in a source repository to an HTTPS virtual server.
We will update the policy to be in blocking mode.
We will delete our application configurations.

Already Existing WAF policy deployment¶

If you already have a WAF policy on the BIG-IP that you would like to apply to your application then it is easy enough to just reference it in the AS3 declaration in the policyWAF area.

In Postman select the Lab3, HTTPS with local WAF policy request. Notice in the body the policyWAF option.

{
"class": "AS3",
"action": "deploy",
"persist": true,
"syncToGroup": "/Common/failoverGroup",
"declaration": {
   "class": "ADC",
   "schemaVersion": "3.0.0",
   "id": "123abc",
   "label": "Sample 4",
   "remark": "HTTPS with sslbridging and WAF",
   "Sample_04": {
   "class": "Tenant",
   "A1": {
         "class": "Application",
         "template": "https",
         "serviceMain": {
         "class": "Service_HTTPS",
         "virtualAddresses": [
            "10.1.10.103"
         ],
         "pool": "web_pool",
         "policyWAF": {
            "bigip": "/Common/test-policy"
         },
         "clientTLS": {
            "bigip": "/Common/serverssl"
         },
         "serverTLS": "webtls"
         },
         "web_pool": {
         "class": "Pool",
         "loadBalancingMode": "predictive-node",
         "monitors": [
         "https"
         ],
         "members": [{
            "servicePort": 443,
            "shareNodes": true,
            "serverAddresses": [
            "10.1.10.31"
            ]
         }]
         },
         "webtls": {
         "class": "TLS_Server",
         "certificates": [{
            "certificate": "webcert"
         }]
         },
         "webcert": {
         "class": "Certificate",
         "remark": "in practice we recommend using a passphrase",
         "certificate": "-----BEGIN CERTIFICATE-----\nMIICnDCCAgWgAwIBAgIJAJ5n2b0OCEjwMA0GCSqGSIb3DQEBCwUAMGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRQwEgYDVQQKDAtmNV9OZXR3b3JrczEbMBkGA1UEAwwSc2FtcGxlLmV4YW1wbGUubmV0MB4XDTE3MTEyNjE5NTAyNFoXDTE4MDIyNTE5NTAyNFowZzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFDASBgNVBAoMC2Y1X05ldHdvcmtzMRswGQYDVQQDDBJzYW1wbGUuZXhhbXBsZS5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALEsuXmSXVQpYjrZPW+WiTBjn491mwZYT7Q92V1HlSBtM6WdWlK1aZN5sovfKtOX7Yrm8xa+e4o/zJ2QYLyyv5O+t2EGN/4qUEjEAPY9mwJdfzRQy6Hyzm84J0QkTuUJ/EjNuPji3D0QJRALUTzu1UqqDCEtiN9OGyXEkh7uvb7BAgMBAAGjUDBOMB0GA1UdDgQWBBSVHPNrGWrjWyZvckQxFYWO59FRFjAfBgNVHSMEGDAWgBSVHPNrGWrjWyZvckQxFYWO59FRFjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4GBAJeJ9SEckEwPhkXOm+IuqfbUS/RcziifBCTmVyE+Fa/j9pKSYTgiEBNdbJeBEa+gPMlQtbV7Y2dy8TKx/8axVBHiXC5geDML7caxOrAyHYBpnx690xJTh5OIORBBM/a/NvaR+P3CoVebr/NPRh9oRNxnntnqvqD7SW0U3ZPe3tJc\n-----END CERTIFICATE-----",
         "privateKey": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,D8FFCE6B255601587CB54EC29B737D31\n\nkv4Fc3Jn0Ujkj0yRjt+gQQfBLSNF2aRLUENXnlr7Xpzqu0Ahr3jS1bAAnd8IWnsR\nyILqVmKsYF2DoHh0tWiEAQ7/y/fe5DTFhK7N4Wml6kp2yVMkP6KC4ssyYPw27kjK\nDBwBZ5O8Ioej08A5sgsLCmglbmtSPHJUn14pQnMTmLOpEtOsu6S+2ibPgSNpdg0b\nCAJNG/KHe+Vkx59qNDyDeKb7FZOlsX30+y67zUq9GQqJEDuysPJ2BUNP0IJXAjst\nFIt1qNoZew+5KDYs7u/lPxcMGTirUhgI84Jy4WcDvSOsP/tKlxj04TbIE3epmSKy\n+TihHkwY7ngIGtcm3Sfqk5jz2RXoj1/Ac3SW8kVTYaOUogBhn7zAq4Wju6Et4hQG\nRGapsJp1aCeZ/a4RCDTxspcKoMaRa97/URQb0hBRGx3DGUhzpmX9zl7JI2Xa5D3R\nmdBXtjLKYJTdIMdd27prBEKhMUpae2rz5Mw4J907wZeBq/wu+zp8LAnecfTe2nGY\nE32x1U7gSEdYOGqnwxsOexb1jKgCa67Nw9TmcMPV8zmH7R9qdvgxAbAtwBl1F9OS\nfcGaC7epf1AjJLtaX7krWmzgASHl28Ynh9lmGMdv+5QYMZvKG0LOg/n3m8uJ6sKy\nIzzvaJswwn0j5P5+czyoV5CvvdCfKnNb+3jUEN8I0PPwjBGKr4B1ojwhogTM248V\nHR69D6TxFVMfGpyJhCPkbGEGbpEpcffpgKuC/mEtMqyDQXJNaV5HO6HgAJ9F1P6v\n5ehHHTMRvzCCFiwndHdlMXUjqSNjww6me6dr6LiAPbejdzhL2vWx1YqebOcwQx3G\n-----END RSA PRIVATE KEY-----",
         "passphrase": {
            "ciphertext": "ZjVmNQ==",
            "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0"
         }
         }
   }
   }
}
}

Click on Send.
Confirm the results of the POST, and make sure you receive a result of 200.
Look at the BIG-IP configuration and select Local Traffic and Virtual Servers. Select the Sample_04 partition.
Select the serviceMain virtual server, and then go to the Security tab and see the test-policy applied to the virtual server.
You can also open a tab and browse to https://10.1.20.103. We have now deployed the hackazon application with a WAF policy in learning mode.

WAF policy in source repository¶

If you store your WAF policy in a Source Control Repository, you can assign it via AS3 as follows.

Select the Lab 3, HTTPS with external WAF policy request, and look at the Body. Notice the Policy at the bottom and the policyWAF referencing it, with the URL for the WAF Policy file:

The body of the post will be as follows:

{
"class": "AS3",
"action": "deploy",
"persist": true,
"syncToGroup": "/Common/failoverGroup",
"declaration": {
   "class": "ADC",
   "schemaVersion": "3.0.0",
   "id": "123abc",
   "label": "Sample 4",
   "remark": "HTTPS with sslbridging and external WAF",
   "Sample_04": {
   "class": "Tenant",
   "A1": {
         "class": "Application",
         "template": "https",
         "serviceMain": {
         "class": "Service_HTTPS",
         "virtualAddresses": [
            "10.1.10.103"
         ],
         "pool": "web_pool",
         "policyWAF": {
            "use": "My_AWAF_Policy"
         },
         "clientTLS": {
            "bigip": "/Common/serverssl"
         },
         "serverTLS": "webtls"
         },
         "web_pool": {
         "class": "Pool",
         "loadBalancingMode": "predictive-node",
         "monitors": [
         "https"
         ],
         "members": [{
            "servicePort": 443,
            "shareNodes": true,
            "serverAddresses": [
            "10.1.10.31"
            ]
         }]
         },
         "webtls": {
         "class": "TLS_Server",
         "certificates": [{
            "certificate": "webcert"
         }]
         },
         "webcert": {
         "class": "Certificate",
         "remark": "in practice we recommend using a passphrase",
         "certificate": "-----BEGIN CERTIFICATE-----\nMIICnDCCAgWgAwIBAgIJAJ5n2b0OCEjwMA0GCSqGSIb3DQEBCwUAMGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRQwEgYDVQQKDAtmNV9OZXR3b3JrczEbMBkGA1UEAwwSc2FtcGxlLmV4YW1wbGUubmV0MB4XDTE3MTEyNjE5NTAyNFoXDTE4MDIyNTE5NTAyNFowZzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFDASBgNVBAoMC2Y1X05ldHdvcmtzMRswGQYDVQQDDBJzYW1wbGUuZXhhbXBsZS5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALEsuXmSXVQpYjrZPW+WiTBjn491mwZYT7Q92V1HlSBtM6WdWlK1aZN5sovfKtOX7Yrm8xa+e4o/zJ2QYLyyv5O+t2EGN/4qUEjEAPY9mwJdfzRQy6Hyzm84J0QkTuUJ/EjNuPji3D0QJRALUTzu1UqqDCEtiN9OGyXEkh7uvb7BAgMBAAGjUDBOMB0GA1UdDgQWBBSVHPNrGWrjWyZvckQxFYWO59FRFjAfBgNVHSMEGDAWgBSVHPNrGWrjWyZvckQxFYWO59FRFjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4GBAJeJ9SEckEwPhkXOm+IuqfbUS/RcziifBCTmVyE+Fa/j9pKSYTgiEBNdbJeBEa+gPMlQtbV7Y2dy8TKx/8axVBHiXC5geDML7caxOrAyHYBpnx690xJTh5OIORBBM/a/NvaR+P3CoVebr/NPRh9oRNxnntnqvqD7SW0U3ZPe3tJc\n-----END CERTIFICATE-----",
         "privateKey": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,D8FFCE6B255601587CB54EC29B737D31\n\nkv4Fc3Jn0Ujkj0yRjt+gQQfBLSNF2aRLUENXnlr7Xpzqu0Ahr3jS1bAAnd8IWnsR\nyILqVmKsYF2DoHh0tWiEAQ7/y/fe5DTFhK7N4Wml6kp2yVMkP6KC4ssyYPw27kjK\nDBwBZ5O8Ioej08A5sgsLCmglbmtSPHJUn14pQnMTmLOpEtOsu6S+2ibPgSNpdg0b\nCAJNG/KHe+Vkx59qNDyDeKb7FZOlsX30+y67zUq9GQqJEDuysPJ2BUNP0IJXAjst\nFIt1qNoZew+5KDYs7u/lPxcMGTirUhgI84Jy4WcDvSOsP/tKlxj04TbIE3epmSKy\n+TihHkwY7ngIGtcm3Sfqk5jz2RXoj1/Ac3SW8kVTYaOUogBhn7zAq4Wju6Et4hQG\nRGapsJp1aCeZ/a4RCDTxspcKoMaRa97/URQb0hBRGx3DGUhzpmX9zl7JI2Xa5D3R\nmdBXtjLKYJTdIMdd27prBEKhMUpae2rz5Mw4J907wZeBq/wu+zp8LAnecfTe2nGY\nE32x1U7gSEdYOGqnwxsOexb1jKgCa67Nw9TmcMPV8zmH7R9qdvgxAbAtwBl1F9OS\nfcGaC7epf1AjJLtaX7krWmzgASHl28Ynh9lmGMdv+5QYMZvKG0LOg/n3m8uJ6sKy\nIzzvaJswwn0j5P5+czyoV5CvvdCfKnNb+3jUEN8I0PPwjBGKr4B1ojwhogTM248V\nHR69D6TxFVMfGpyJhCPkbGEGbpEpcffpgKuC/mEtMqyDQXJNaV5HO6HgAJ9F1P6v\n5ehHHTMRvzCCFiwndHdlMXUjqSNjww6me6dr6LiAPbejdzhL2vWx1YqebOcwQx3G\n-----END RSA PRIVATE KEY-----",
         "passphrase": {
            "ciphertext": "ZjVmNQ==",
            "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0"
         }
         },
         "My_AWAF_Policy": {
            "class": "WAF_Policy",
            "ignoreChanges": false,
            "url": "https://raw.githubusercontent.com/Larsende/Agility2020-AS3/masterimages/Common_test_policy__2020-1-13_9-38-13__bigip02.as3lab.com.xml"
         }
   }
   }
}
}

Click on Send.
Confirm the results of the POST, and make sure you receive a result of 200.
If you go to /Security/Application Security/Security Policies and then select the Sample_04 partition, you will notice there are two security policies. One in the Common partition and one in the Sample_04 partition. The Sample_04 instance is named My_AWAF_Policy.

Also notice in the Virtual Server Security settings that the new My_AWAF_Policy is applied to the serviceMain virtual server instead of the test-policy.

Setting WAF policy to Blocking mode:¶

Select the Lab 3, BIG-IP: HTTPS with external WAF policy in blocking mode, and look at the Body.

In order to set blocking mode we can override what is defined in the Policy with an additional enforcementMode option in our WAF Policy declaration:

{
"class": "AS3",
"action": "deploy",
"persist": true,
"syncToGroup": "/Common/failoverGroup",
"declaration": {
   "class": "ADC",
   "schemaVersion": "3.0.0",
   "id": "123abc",
   "label": "Sample 4",
   "remark": "HTTPS with sslbridging and external WAF",
   "Sample_04": {
   "class": "Tenant",
   "A1": {
         "class": "Application",
         "template": "https",
         "serviceMain": {
         "class": "Service_HTTPS",
         "virtualAddresses": [
            "10.1.10.103"
         ],
         "pool": "web_pool",
         "policyWAF": {
            "use": "My_AWAF_Policy"
         },
         "clientTLS": {
            "bigip": "/Common/serverssl"
         },
         "serverTLS": "webtls"
         },
         "web_pool": {
         "class": "Pool",
         "loadBalancingMode": "predictive-node",
         "monitors": [
         "https"
         ],
         "members": [{
            "servicePort": 443,
            "shareNodes": true,
            "serverAddresses": [
            "10.1.10.31"
            ]
         }]
         },
         "webtls": {
         "class": "TLS_Server",
         "certificates": [{
            "certificate": "webcert"
         }]
         },
         "webcert": {
         "class": "Certificate",
         "remark": "in practice we recommend using a passphrase",
         "certificate": "-----BEGIN CERTIFICATE-----\nMIICnDCCAgWgAwIBAgIJAJ5n2b0OCEjwMA0GCSqGSIb3DQEBCwUAMGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRQwEgYDVQQKDAtmNV9OZXR3b3JrczEbMBkGA1UEAwwSc2FtcGxlLmV4YW1wbGUubmV0MB4XDTE3MTEyNjE5NTAyNFoXDTE4MDIyNTE5NTAyNFowZzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFDASBgNVBAoMC2Y1X05ldHdvcmtzMRswGQYDVQQDDBJzYW1wbGUuZXhhbXBsZS5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALEsuXmSXVQpYjrZPW+WiTBjn491mwZYT7Q92V1HlSBtM6WdWlK1aZN5sovfKtOX7Yrm8xa+e4o/zJ2QYLyyv5O+t2EGN/4qUEjEAPY9mwJdfzRQy6Hyzm84J0QkTuUJ/EjNuPji3D0QJRALUTzu1UqqDCEtiN9OGyXEkh7uvb7BAgMBAAGjUDBOMB0GA1UdDgQWBBSVHPNrGWrjWyZvckQxFYWO59FRFjAfBgNVHSMEGDAWgBSVHPNrGWrjWyZvckQxFYWO59FRFjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4GBAJeJ9SEckEwPhkXOm+IuqfbUS/RcziifBCTmVyE+Fa/j9pKSYTgiEBNdbJeBEa+gPMlQtbV7Y2dy8TKx/8axVBHiXC5geDML7caxOrAyHYBpnx690xJTh5OIORBBM/a/NvaR+P3CoVebr/NPRh9oRNxnntnqvqD7SW0U3ZPe3tJc\n-----END CERTIFICATE-----",
         "privateKey": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,D8FFCE6B255601587CB54EC29B737D31\n\nkv4Fc3Jn0Ujkj0yRjt+gQQfBLSNF2aRLUENXnlr7Xpzqu0Ahr3jS1bAAnd8IWnsR\nyILqVmKsYF2DoHh0tWiEAQ7/y/fe5DTFhK7N4Wml6kp2yVMkP6KC4ssyYPw27kjK\nDBwBZ5O8Ioej08A5sgsLCmglbmtSPHJUn14pQnMTmLOpEtOsu6S+2ibPgSNpdg0b\nCAJNG/KHe+Vkx59qNDyDeKb7FZOlsX30+y67zUq9GQqJEDuysPJ2BUNP0IJXAjst\nFIt1qNoZew+5KDYs7u/lPxcMGTirUhgI84Jy4WcDvSOsP/tKlxj04TbIE3epmSKy\n+TihHkwY7ngIGtcm3Sfqk5jz2RXoj1/Ac3SW8kVTYaOUogBhn7zAq4Wju6Et4hQG\nRGapsJp1aCeZ/a4RCDTxspcKoMaRa97/URQb0hBRGx3DGUhzpmX9zl7JI2Xa5D3R\nmdBXtjLKYJTdIMdd27prBEKhMUpae2rz5Mw4J907wZeBq/wu+zp8LAnecfTe2nGY\nE32x1U7gSEdYOGqnwxsOexb1jKgCa67Nw9TmcMPV8zmH7R9qdvgxAbAtwBl1F9OS\nfcGaC7epf1AjJLtaX7krWmzgASHl28Ynh9lmGMdv+5QYMZvKG0LOg/n3m8uJ6sKy\nIzzvaJswwn0j5P5+czyoV5CvvdCfKnNb+3jUEN8I0PPwjBGKr4B1ojwhogTM248V\nHR69D6TxFVMfGpyJhCPkbGEGbpEpcffpgKuC/mEtMqyDQXJNaV5HO6HgAJ9F1P6v\n5ehHHTMRvzCCFiwndHdlMXUjqSNjww6me6dr6LiAPbejdzhL2vWx1YqebOcwQx3G\n-----END RSA PRIVATE KEY-----",
         "passphrase": {
            "ciphertext": "ZjVmNQ==",
            "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0"
         }
         },
         "My_AWAF_Policy": {
            "class": "WAF_Policy",
            "url": "https://raw.githubusercontent.com/Larsende/Agility2020-AS3/masterimages/Common_test_policy__2020-1-13_9-38-13__bigip02.as3lab.com.xml",
            "ignoreChanges": false,
            "enforcementMode": "blocking",
            "serverTechnologies": [
               "PHP",
               "MySQL"
            ]
         }
   }
   }
}
}

Click on Send.
Confirm the results of the POST, and make sure you receive a result of 200.
Now go to the BIG-IP configuration and look at the Security Policies. Select the My_AWAF_Policy and look at the Enforcement Mode.

Delete the Applications deployed¶

This time we will delete all the AS3 declarations that are currently deployed.
In Postman open the Getting Started section.
Select the BIG-IP: Delete ALL declarations declaration, and look at the Body of the declaration.
In this instance we are setting the Action to remove. Also notice that we set a syncToGroup option in order to cause the HA pair to sync configurations.

Previous Next