4. Service Policies

This guided lab is used to configure Service Policies, which are used in conjunction with WAF policies to add additional security controls to an application. The steps in this guide are based on the Service Policy How To guide, as well as the IP Reputation How To guide.

Namespace Service Policies

This section of the guided lab adds geo-filter and allowed-ip based Service Policies.

  1. In the left-hand navigation menu, expand the Security section and click Service Policies. In the flyout menu, click the Service Policies link.

    lab001

  2. Click Add Service Policy in the top left area as shown.

    lab002

  3. In the Metadata section enter geo-filter for the Name and then click Rules in the left-hand navigation.

    lab003

  4. Select Denied Sources from the dropdown for Select Policy Rules.

    lab004

  5. Locate the Country List input field, and begin typing Fiji, and then select it from the list that appears.

    lab005

  6. Click the dropdown for Default Action. Observe the available options, select Next Policy, then click Save and Exit.

    lab006

  7. Observe the resulting geo-filter Service Policy added in your namespace.

    lab007

  8. Open another tab in your browser (Chrome shown), navigate to https://ipinfo.io and note your IP address as shown (example provided).

    lab008

  9. Return to the Service Policies window and click Add Service Policy.

    lab009

  10. In the Metadata section enter allowed-ip for the Name and then click Rules in the left-hand navigation.

    lab010

  11. Select Allowed Sources from the dropdown for Select Policy Rules.

    lab011

  12. Locate the IPv4 Prefix List configuration section and click Configure.

    lab012

  13. Enter your IP address in prefix notation (a /32 mask for a single address), then click Apply.

    lab013

  14. Click the dropdown for Default Action, select Deny, and click Save and Exit.

    lab014

  15. Observe the resulting allowed-ip Service Policy added in your namespace.

    lab015

    lab016

IP Reputation

Attach Service Policies to your configured Load Balancer.

  1. Return to the Load Balancer in the F5 Distributed Cloud Console: Manage > Load Balancer > HTTP Load Balancers.

    lab017

  2. Click Manage Configuration.

    lab018

  3. Click Edit Configuration in the top right-hand corner.

    lab019

  4. Click Security Configuration in the left-hand navigation.

    lab020

  5. From the Service Policies dropdown, select Apply Specified Service Policies.

    lab021

  6. In the added menu for Apply Specified Service Policies, click Configure.

    lab022

  7. In the resulting Policies window, use the List of Policies dropdown to select your <namespace>/geo-filter Service Policy. Then click Apply.

    lab023

  8. Returning to the Load Balancer dialog, note the changes shown in the Service Policies section.

  9. As we are already in this section, we will go ahead and add IP reputation filtering. This can be added as a Service Policy (shared or local namespace) or as a direct configuration.

  10. To start the IP Reputation configuration, locate the IP Reputation section, click the dropdown menu, then select Enable.

    lab025

  11. Use the List of IP Threat Categories to add any of the listed threat categories.

    lab026

  12. Select Spam Sources and Tor Proxy, then scroll to the bottom of the window and click the Save and Exit button.

    lab027

  13. In your browser (Chrome shown), navigate to the URL of your application/Load Balancer: http://<namespace>.lab-sec.f5demos.com

    lab029

  14. You should receive a 403 Forbidden error. This is due to a Service Policy configuration error: because we only attached the geo-filter Service Policy and its Default Action was Next Policy, there is no other or next policy to “Allow” traffic, therefore all other traffic is disallowed, producing the 403. This will also show in the Security Events window.

    lab028

  15. Return to the Load Balancer in the F5 Distributed Cloud Console (Manage > Load Balancer > HTTP Load Balancers), use the Action Dots and click Manage Configuration.

    lab030

  16. Click Edit Configuration in the top right-hand corner.

    lab031

  17. Click Security Configuration in the left-hand navigation.

  18. From the Service Policies section, click Edit Configuration.

    lab032

  19. In the resulting window click Add Item and from the dropdown select your allowed-ip Service Policy, <namespace>/allowed-ip.

    lab033

  20. Observe the order. Service Policies must be ordered correctly in order to process traffic as intended. Click Apply when completed.

    Note

    The allowed-ip policy begins with an allowed IP (yours) and ends in a “Deny”, so a positive security model is applied (denying all other traffic). Similar positive or negative Service Policies can be created and applied (headers, methods, file types, etc.).

    lab034

  21. Scroll to the bottom of the HTTP Load Balancer configuration and click Save and Exit.

    lab035

  22. In your browser, navigate to the application/Load Balancer URL: http://<namespace>.lab-sec.f5demos.com and successfully log in.

    lab036
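    The 403 in step 14 and the ordering note in step 20 both come down to how the attached Service Policies are walked: the first policy that returns Allow or Deny decides, and a chain in which every policy says Next Policy has nothing left to allow the request. The following is an added example, not F5 Distributed Cloud code or part of the original lab: a small Python model of that evaluation order. The class and function names, the country string "Fiji", and the client addresses (TEST-NET documentation ranges) are constructed for the example; the real platform resolves the client's country from its own geo-IP data.

```python
"""Model of how ordered Service Policies resolve a request.

Added example, not F5 Distributed Cloud code: a simulator of the evaluation
order the lab configures (geo-filter, then allowed-ip). Class names, the
'Fiji' country string and the client addresses are constructed here.
"""
import ipaddress
from dataclasses import dataclass

# The three outcomes a single policy can produce for a request.
ALLOW = "allow"
DENY = "deny"
NEXT_POLICY = "next_policy"


@dataclass
class ServicePolicy:
    name: str
    # Denied Sources rule: requests from these countries are denied.
    denied_countries: frozenset = frozenset()
    # Allowed Sources rule: requests from these IPv4 prefixes are allowed.
    allowed_prefixes: tuple = ()
    # Default Action applied when no rule matches (Next Policy or Deny).
    default_action: str = NEXT_POLICY

    def evaluate(self, client_ip: str, client_country: str) -> str:
        addr = ipaddress.ip_address(client_ip)
        if client_country in self.denied_countries:
            return DENY
        if any(addr in ipaddress.ip_network(p) for p in self.allowed_prefixes):
            return ALLOW
        return self.default_action


def evaluate_chain(policies, client_ip, client_country):
    """Walk the attached policies in order; the first Allow or Deny wins.

    If every policy returns Next Policy there is nothing left to allow the
    request, so it is denied. That is the 403 seen in step 14, when only
    geo-filter (Default Action: Next Policy) was attached.
    """
    for policy in policies:
        verdict = policy.evaluate(client_ip, client_country)
        if verdict != NEXT_POLICY:
            return verdict, policy.name
    return DENY, "end-of-chain"


# Constructed sample values; the lab uses your real address from ipinfo.io.
YOUR_IP = "203.0.113.10"
OTHER_IP = "198.51.100.7"

geo_filter = ServicePolicy(
    name="geo-filter",
    denied_countries=frozenset({"Fiji"}),
    default_action=NEXT_POLICY,
)
allowed_ip = ServicePolicy(
    name="allowed-ip",
    allowed_prefixes=(f"{YOUR_IP}/32",),   # the /32 entered in step 13
    default_action=DENY,
)


def only_geo_filter(client_ip=YOUR_IP, country="United States"):
    """Step 13/14 state: geo-filter attached alone, so every request is denied."""
    return evaluate_chain([geo_filter], client_ip, country)


def lab_order(client_ip, country):
    """Step 20 state: geo-filter first, then allowed-ip (positive security model)."""
    return evaluate_chain([geo_filter, allowed_ip], client_ip, country)


def reversed_order(client_ip, country):
    """Wrong order: allowed-ip first, so your IP is allowed before geo-filter runs."""
    return evaluate_chain([allowed_ip, geo_filter], client_ip, country)


if __name__ == "__main__":
    print("geo-filter alone, your IP:   ", only_geo_filter())
    print("lab order, your IP:          ", lab_order(YOUR_IP, "United States"))
    print("lab order, other IP:         ", lab_order(OTHER_IP, "United States"))
    print("lab order, your IP from Fiji:", lab_order(YOUR_IP, "Fiji"))
    print("reversed, your IP from Fiji: ", reversed_order(YOUR_IP, "Fiji"))
```

    Running the script shows the two points the lab makes: with geo-filter alone the chain ends without an Allow and the request is denied, and with the reversed order the allowed-ip policy's Allow is reached before the geo-filter's Deny, so the geographic restriction is bypassed for the allowed address. Keep deny-style filters ahead of the policy that carries the final Allow/Deny default.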

Routes

Attach Service Policies to the configured Load Balancer.

  1. Navigate to Manage > Load Balancer > HTTP Load Balancers, click the Action Dots, and click Manage Configuration.

    lab037

  2. Click Routes Configuration in the left-hand navigation, and select Edit Configuration.

    lab038

  3. Toggle the Show Advanced Fields button to the On position, and under the Routes section, click Configure.

    lab039

  4. In Routes, click the Add Item link.

    lab040

  5. In the resulting menu, toggle the Show Advanced Fields button to the On position.

    lab041

  6. Observe the various route types and matching criteria controls that can be leveraged to securely control access, perform pool targeting, return path-based responses, or develop custom controls to secure protected applications.