F5 BIG-IP Creating Custom Whitelists for DoS Profile

How to apply an IP whitelist to a DoS Profile. 

This is F5 BIG-IP version 13.1.1.

If you are looking at this screen trying to figure out how to add your custom address list in place of the Default list for a DoS Profile, you are not alone!

F5 does give you the ability to add addresses on the right hand side, pictured below. You can also create an address list under Security > Network Firewall > Address List.

This is an excellent feature. Now we just need to actually add this newly created list in place of the default list. As far as I can tell there is no way to do this on the GUI, but you can do this from the CLI.

SSH into the F5

Command:

tmsh modify security dos profile dos whitelist test-list

After dos profile you will enter the name of your dos profile as well as the name of your whitelist in place of test-list. After running this command, to verify that this is working you can run the command: tmsh list security dos profile dos. Hit space until you are at the bottom of the profile.

You should be able to see your whitelist inside your DoS profile.

Please comment below if this helped you or if you have any further questions!

Hope this helped!

How to upgrade F5 BIG-IP

Initial Steps

  1. Determine the version you are upgrading from and too. Here is an excellent guide for determining if you will experience a smooth upgrade: Upgrade Path
  2. Download the iso File of the version you are upgrading from Support.F5.com.
  3. Learn of any new bugs that could cause issues with current configuration before updating.

Image updates are located here on the BIG-IP: System > Software Management > Image > Import

Hotfix updates are located here on the BIG-IP: System > Software Management > Hotfix List > Import > Browse > Locate > Image File

Upgrading

  1. Create archives on both active and standby devices.
  2. Download both archives to your local machine as a precaution.
  3. Re-activate license before upgrading. Note: do not re-activate license while the unit is active — it will restart processes and disrupt traffic processing. Wait to re-activate the license on the second unit until it has been failed over.
  4. Upload software images to both devices. If your change process allows for it, feel free to upload and install the image. It won’t affect traffic processing on the F5 and will reduce your time to completion during the actual change window.
  5. Force standby device offline to ensure no failover occurs.
  6. Install upgrade on standby device.
  7. If you have access to the management console (such as on a virtual edition F5) or if you have a serial console server in the data center plugged into the F5, you can run the command, watch the shutdown and reboot processes. Once the login prompt appears, enter your local root credentials and use the following commands to monitor logs: tail -f /var/log/ltm. You’ll gain extra visibility and it’s comforting to see at what step in the upgrade process you are, rather than, staring at a circle spinning on the GUI.
  8. Once you are able to access the GUI; give the F5 a few more minutes to finish up the boot processes.
  9. Look at the system statistics. Check for CPU usage and Memory. It is normal for these to spike at initial boot. Watch for 3-5 minutes, compare the graphs with that over the past 24 hours, remember that your standby unit will show low utilization over the past 24 hours and you will see this increase as you fail over once you’re ready to proceed with the second unit. See if you notice any drastic changes that are not going away after about 5 minutes before moving on.
  10. Take the unit we just upgraded out of Force Offline status. Verify that your Local Traffic configuration items (nodes, pool members, pools, VIPs) pass their health checks and maybe connect to a couple of high-priority VIPs via the F5’s CLI before failing over the active unit. Take note of the currently active unit’s connection counts in the F5 statistics, fail over and check the newly active unit’s connection statistics to make sure traffic is being processed no the newly active device. You can also check your floating traffic group in the device management section.
  11. Cover your bases by having the load balanced applications checked out and validated independently by the app owner or business stakeholders. Ask them to sign off that the applications are still functioning correctly before moving on to the next device.
  12. Repeat this same process with secondary device.

Importing Vulnerability Scan Results into ASM

Application Security Manager gives you the ability to import a vulnerability assessment from a wide variety of scanners such as: Qualys, IBM Appscan, ImmuniWeb, Quotium Seeker, and White Hat Sentinel. Each scanning tool is configured slightly different.

First, run the scan. Once it has completed, view the report for that scan and download the XML file on your local machine. F5’s Application Security Manager only allows you to import XML files for vulnerability assessment.

Login to the GUI of the active F5 that you would like to import the policy on. To do this go to: Security > Application Security > Vulnerability Assessment > Settings.

"Security

Next, we must enter which scanning tool we are using before importing the XML file. After selecting the tool used, go to: Security > Application Security > Vulnerability Assessment > Vulnerabilities

"Security

Click import on the top right and select the XML file that we just downloaded from our scanning tool. If it imported successfully, we should see the number of vulnerabilities that were discovered. After seeing the vulnerabilities, we can make changes to secure our policy.

Tweaking the Imported Results

The ASM will give you the following options to secure the newly found vulnerabilities:

Resolve and Staging: Adds the change to the policy, but does not enforce. This is helpful if the policy is in blocking mode since the change will not have the chance of blocking traffic.


Resolve: Adds the change to the policy and enforces. This will enable the change to take immediate effect. This can be dangerous if it creates a rule that restricts legitimate traffic to your application.


Ignore: Specifies that you do not want to make a changed based on the output of your scanning tool.

If you chose “Resolve,” under the column “ASM Status,” you will see “Mitigated.” This means the ASM is doing its job at mitigating the vulnerability by exercising the appropriate defenses.

Be sure to click “apply policy” in the upper right corner for your changes to take effect.

The vulnerability assessment tool is an excellent addition to the toolset that Application Security Manager offers. However, this is not an absolute security method— these scanning tools do not always pick up on every threat.  You still need to actively monitor the policies that are set in place. The scan can be automated to run anytime that fulfills your security needs and requirements.

To read more about the Qualys Community Edition scanning tool take a look at this guide: Qualys Setup.

F5 BIG-IP ASM Policy Creation

You heard us talk about WAFs and ASM. So now it’s time to discuss how to create a basic F5 BIG-IP ASM Policy which is a security policy using F5’s Application Security Manager (ASM). With ASM you get the flexibility to both create a negative or positive security model. Negative security model means: I will block bad stuff. Positive security model means: I will only allow known good application traffic, everything else will be blocked.

Continue reading “F5 BIG-IP ASM Policy Creation”