Lab 2.2: Create custom security policies & Application Service Template

****TASKS****

Create a custom ASM policy

  1. Logout of BIG-IQ (top right corner)
  2. Login as larry with password of larry
  3. Navigate to Configuration >> SECURITY >> Web Application Security >> Policies
../../../_images/img_module2_lab2_1.png

  1. Click on the ASM policy f5-asm-policy1 from the list and look through its settings. Notice the policy is in Transparent mode.
  2. Validate Learning Mode is set to Manual
  3. Check the box Make available in Application Templates
../../../_images/img_module2_lab2_4.png

  1. Click Save Button (bottom right)
  2. While still editing the policy f5-asm-policy1, navigate to POLICY BUILDING >> Settings
  3. Change Learning Mode to Manual
  4. Change Policy Building Mode to Central
  5. Click Save & Close button (bottom right corner)

Warning

Ignore the unauthorized / denied error when saving the policy.

This is a known bug and will be resolved in the next BIG-IQ release.

../../../_images/img_module2_lab2_4b.png

****TASKS****

Create an AFM Policy

  1. Navigate to Configuration >> SECURITY >> Network Security >> Firewall Policies
  2. Click Create button
  3. Enter the name of your policy: f5-afm-policy1
  4. Make sure the box Make available in Application Templates is checked.
../../../_images/img_module2_lab2_5.png

****TASKS****

Create 2 Firewall Rules

  1. Click on RULES
  2. Click Create Rule button
  3. Click the little pencil icon on Rule id 1
  4. On the next step, do not mistakenly use Port SOURCE instead of Port DESTINATION
  5. Add 80 and 443 to Port Destination
  6. Set Protocol to tcp (use scroll bar in rule window to scroll right)
  7. Scroll back to the left side and click Update button on rule
  8. Click Create Rule (creating 2nd rule)
  9. Click the little pencil icon on Rule id 2
  10. Set Action to reject (use scroll bar in rule window to scroll right)
  11. Check Log checkbox (all the way to the right in the rule)
  12. Scroll back to the left side and click Update button on rule
  13. Click Save & Close button (bottom right corner)
../../../_images/img_module2_lab2_6.png
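The two rules above form a first-match policy: rule 1 accepts TCP to destination ports 80 and 443, and rule 2 catches everything else, rejects it and logs it. The following is an added illustration, not BIG-IQ or BIG-IP code: a small Python evaluator that models the policy as plain data so you can see how ordering and the Port SOURCE / Port DESTINATION pitfall from step 4 change the outcome. It assumes rule 1 keeps the default action of accept (the lab only changes the action on rule 2); the flows and the "mistaken" policy variant are constructed for the example.

```python
"""Toy first-match evaluator for the two-rule AFM policy built in this lab.

Added example, not BIG-IQ/BIG-IP code. It assumes rule 1 keeps the default
'accept' action; the sample flows and the mistaken-policy variant are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                                   # "accept" or "reject"
    protocol: Optional[str] = None                # None matches any protocol
    dst_ports: frozenset = frozenset()            # empty set matches any destination port
    src_ports: frozenset = frozenset()            # empty set matches any source port
    log: bool = False                             # the Log checkbox on the rule


@dataclass(frozen=True)
class Flow:
    protocol: str
    src_port: int
    dst_port: int


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """A rule matches when every criterion it specifies matches the flow."""
    if rule.protocol is not None and rule.protocol != flow.protocol:
        return False
    if rule.dst_ports and flow.dst_port not in rule.dst_ports:
        return False
    if rule.src_ports and flow.src_port not in rule.src_ports:
        return False
    return True


def evaluate(policy, flow: Flow, log_lines: list):
    """Return (action, rule_id) of the first matching rule, appending a log line if that rule logs."""
    for rule in policy:
        if rule_matches(rule, flow):
            if rule.log:
                log_lines.append(
                    f"rule {rule.rule_id} {rule.action} {flow.protocol} "
                    f"sport={flow.src_port} dport={flow.dst_port}"
                )
            return rule.action, rule.rule_id
    return "no-match", None   # unreachable here because rule 2 matches everything


# The policy as the lab describes it: ports 80 and 443 under Port DESTINATION.
F5_AFM_POLICY1 = [
    Rule(1, "accept", protocol="tcp", dst_ports=frozenset({80, 443})),
    Rule(2, "reject", log=True),
]

# Constructed variant reproducing the step-4 pitfall: same ports entered under Port SOURCE.
MISTAKEN_POLICY = [
    Rule(1, "accept", protocol="tcp", src_ports=frozenset({80, 443})),
    Rule(2, "reject", log=True),
]

# Constructed client flows: clients use ephemeral source ports, not 80/443.
SAMPLE_FLOWS = [
    Flow("tcp", 51512, 443),   # browser to HTTPS
    Flow("tcp", 40222, 80),    # browser to HTTP
    Flow("tcp", 40223, 22),    # SSH attempt, should fall through to rule 2
    Flow("udp", 5353, 53),     # UDP, should fall through to rule 2
]


def run(policy, flows=SAMPLE_FLOWS):
    """Evaluate each flow; return a {(protocol, dst_port): (action, rule_id)} map and the log lines."""
    log_lines = []
    results = {(f.protocol, f.dst_port): evaluate(policy, f, log_lines) for f in flows}
    return results, log_lines


if __name__ == "__main__":
    for name, policy in (("f5-afm-policy1", F5_AFM_POLICY1), ("source-port mistake", MISTAKEN_POLICY)):
        results, log_lines = run(policy)
        print(name, results)
        for line in log_lines:
            print("  log:", line)
```

With the correct policy, only the SSH and UDP flows reach rule 2 and produce log lines. With the source-port variant, the browser flows never match rule 1 (their source ports are ephemeral), so legitimate web traffic is rejected and logged as well, which is exactly the symptom you would see on the device after making the step-4 mistake.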

****TASKS****

Create an App Service Catalog from a template

  1. Logout of BIG-IQ (top right corner)
  2. Login as marco with password of marco
  3. Navigate to Applications >> SERVICE CATALOG
  4. Select Default-f5-HTTPS-WAF-lb-template
  5. Click the Clone button (top right)
  6. Enter the name of your cloned template as f5-HTTPS-WAF-lb-template-custom1
  7. Click Clone button
../../../_images/img_module2_lab2_7.png

  1. While editing the template, navigate to SECURITY POLICIES
  2. Under Attached ASM Policy, select f5-asm-policy1 for both Virtual Servers in this template
  3. Under Enforce Firewall Policy, select f5-afm-policy1 for both Virtual Servers in this template
  4. Click Save button (bottom right)
  5. Navigate around in this template (left navigation) and review the Virtual Servers and Pools this template is configured to create for new apps.
../../../_images/img_module2_lab2_8.png

../../../_images/img_module2_lab2_9.png

****TASKS****

We need to give the group that Paula belongs to permission to access this new application template.

  1. Navigate to System (top tab) >> Role Management >> Roles
  2. Then navigate within that to CUSTOM ROLES >> Application Roles
  3. Click on Application Creator VMware role (already assigned to Paula)
  4. Select checkbox on Available Template f5-HTTPS-WAF-lb-template-custom1
  5. Push right arrow to move to Selected
  6. Click Save & Close button (bottom right corner)
../../../_images/img_module2_lab2_10.png

Note

A DoS Profile could also be assigned to the template, but we are not using it for this lab.