Merge branch 'f5devcentral:dev' into dev

f5devcentral · Jan 25, 2024 · 8a3d439 · 8a3d439
2 parents 1bcbb72 + 4706a88
commit 8a3d439
Show file tree

Hide file tree

Showing 8 changed files with 122 additions and 32 deletions.
diff --git a/docs/class9/_static/XCVerifyWAFAttached.png b/docs/class9/_static/XCVerifyWAFAttached.png
diff --git a/docs/class9/_static/XCVerifyWAFAttached2.png b/docs/class9/_static/XCVerifyWAFAttached2.png
diff --git a/docs/class9/_static/XCVerifyWAFAttached3.png b/docs/class9/_static/XCVerifyWAFAttached3.png
diff --git a/docs/class9/_static/XCVerifyWAFAttached4.png b/docs/class9/_static/XCVerifyWAFAttached4.png
diff --git a/docs/class9/_static/XCVerifyWAFAttached5.png b/docs/class9/_static/XCVerifyWAFAttached5.png
diff --git a/docs/class9/intro.rst b/docs/class9/intro.rst
@@ -136,8 +136,9 @@ F5 Distributed Cloud Console.
 
 .. warning::
    *If you have not received the email to change your credentials or ran into problems changing
-   your credentials specifically for Account name: **f5-xc-lab-mcn**,
-   *please stop and get help from one of the Lab Assistants.
+   your credentials specifically for Account name:* 
+   **f5-xc-lab-mcn**,
+   *please stop and get help from one of the Lab Assistants.*
 
 1. Locate the **Update Your Account** email sent to you from *F5 Distributed Cloud <[email protected]>*.
 
@@ -152,8 +153,7 @@ F5 Distributed Cloud Console.
 | |PSUpdatePassword|                                                                           |
 +----------------------------------------------------------------------------------------------+
 
-3.
-Type your *new password*.
+3. Type your *new password*.
 Adhere to the password strength restrictions and make a mental note of these
 credentials as you will need them several times throughout this lab today.
 

diff --git a/docs/class9/lab1.rst b/docs/class9/lab1.rst
@@ -29,7 +29,7 @@ When you add a BIG-IP instance as a *provider*, you must first set up an *agent*
 .. note::
    **Prerequisites:**
 
-   **Policy Supervisor Agent** *requires the following applications to be installed on your Linux machine/VM:*
+   Installation of the **Policy Supervisor Agent** *requires the following applications to be installed on your Linux machine/VM:*
 
    - Docker
    - wget
@@ -55,8 +55,8 @@ Access the F5 **Policy Supervisor** console at https://policysupervisor.io as in
 | |lab002|                                     |
 +----------------------------------------------+
 
-3. Copy & paste (save) the value of the **Token** to a text file or notepad.
-   *(This token will be required in *Task 2* below.)*
+3. *Copy & paste* (save) the value of the **Token** to a text file or notepad.
+   (This token will be required in *Task 2* below.)
 
 +----------------------------------------------+
 | |lab003|                                     |
@@ -70,7 +70,7 @@ Access the F5 **Policy Supervisor** console at https://policysupervisor.io as in
 +----------------------------------------------+
 
 5. At the bottom of the *Package Registry* page, **right-click** on the **agent-installer** file name and
-   select **Copy Link**. *(This URL will be required in *Task 2* below.)*
+   select **Copy Link**. (This URL will be required in *Task 2* below.)
 
 .. note:: *The URL for the agent-installer file changes from time to time when it is updated.*
 

diff --git a/docs/class9/lab2.rst b/docs/class9/lab2.rst
@@ -9,12 +9,18 @@ Please refer to the Tutorial in the GitHub repo (https://github.com/f5devcentral
 
 **Policy Supervisor** provides a graphical interface for visual policy creation, editing and management for traditional SecOps personas.
 
+.. note:: 
+   The ephemeral accounts that are created in Distributed Clound for students of this lab
+   do not have sufficient priviliges/rights to configure **Policy Supervisor** as described in this lab.
+   The steps below are therefore provided here for demonstration purposes only.
+
 Task 1: Obtain an authentication token for your F5 Distributed Cloud tenant
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 A valid F5 Distributed Cloud authentication token before it can be added as a provider.
 
-1- Browse to your Distributed Cloud console at **https://f5-xc-lab-mcn.console.ves.volterra.io/** and sign in to the **f5-xc-lab-mcn** domain using the ephemeral account credentials, as described in the introduction section of this lab guide.
+1- Browse to your Distributed Cloud console (for example: **https://f5-xc-lab-mcn.console.ves.volterra.io**)
+and sign as described in the introduction section of this lab guide.
 
 +----------------------------------------------+
 | .. image:: _static/tenantlogin2.png          |
@@ -42,7 +48,8 @@ A valid F5 Distributed Cloud authentication token before it can be added as a pr
 |    :width: 800px                             |
 +----------------------------------------------+
 
-5- Find and click on **Add Credentials**, fill in the fields as shown in the picture above and click **Generate**
+5- Find and click on **Add Credentials** on the *Credentials* page, then fill in the fields as shown
+in the picture above and click **Generate**.
 
 +----------------------------------------------+
 | .. image:: _static/XCToken3.png              |
@@ -53,97 +60,180 @@ A valid F5 Distributed Cloud authentication token before it can be added as a pr
 
 7- Click **Done**
 
-Task 2: Create a new *Load Balancer* in your Distributed Cloud tenant/domain
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-[insert steps to create a new simple load balancer... Should we use curl/API scripts to make it as easy and quick as possible?]
-
-Task 3: Create a new **Policy Supervisor** *Provider*
+Task 2: Create a new **Policy Supervisor** *Provider*
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-1- Browse to the **Policy Supervisor** *Providers* page and login (login instructions can be found in the introduction section of this lab guide).
+.. note:: 
+   The ephemeral accounts that are created in Distributed Clound for students of this lab
+   do not have sufficient priviliges/rights to configure **Policy Supervisor** as described in this lab.
+   The steps below are therefore provided here for demonstration purposes only.
+
+1- Browse to the **Policy Supervisor** *Providers* page (**http://policysupervisor.io**) and
+login if required *(login instructions can be found in the introduction section of this lab guide).
 
 +----------------------------------------------+
 | .. image:: _static/PSProviderList.png        |
 |    :width: 800px                             |
 +----------------------------------------------+
 
-2- Click **Add provider** 
+2- Click **Add provider**.
 
 +----------------------------------------------+
 | .. image:: _static/PSXCProvider1.png         |
 |    :width: 800px                             |
 +----------------------------------------------+
 
-3- Select **Distributed Cloud** for the *Provider Type* and click **+ Add secret**
+3- Select **Distributed Cloud** for the *Provider Type* and click **+ Add secret**.
 
 +----------------------------------------------+
 | .. image:: _static/PSXCProvider2.png         |
 |    :width: 800px                             |
 +----------------------------------------------+
 
-4- Enter a name, paste the value of the Distributed Cloud token obtained in Task 1 above, and click **Create**
+4- Enter a name, paste the value of the Distributed Cloud token obtained in Task 1 above, and click **Create**.
 
 +----------------------------------------------+
 | .. image:: _static/PSXCProvider3.png         |
 |    :width: 800px                             |
 +----------------------------------------------+
 
-5- Select this newly created secret and click **Continue**
+5- Select this newly created secret from the drop-down list and click **Continue**.
 
 +----------------------------------------------+
 | .. image:: _static/PSXCProvider4.png         |
 |    :width: 800px                             |
 +----------------------------------------------+
 
-6- Enter a name for this provider (*for example:* **Distributed Cloud**), type or paste the URL for your Distributed Cloud domain/tenant (for the ephemeral credentails automatically created for this lab: **https://f5-xc-lab-mcn.console.ves.volterra.io**), and click **Test Connection**
+6- Enter a name for this provider (*for example:* **Distributed Cloud**), type or 
+paste the URL for your Distributed Cloud domain/tenant *(for example:* **https://f5-xc-lab-mcn.console.ves.volterra.io**) and click **Test Connection**.
 
 +----------------------------------------------+
 | .. image:: _static/PSXCProvider5.png         |
 |    :width: 800px                             |
 +----------------------------------------------+
 
-7- Wait for the test to complete. Click **Go to overview** to return to the Providers Overview page.
+7- Wait for the test to complete, then click **Go to overview** to return to the Providers Overview page.
 
-Task 4: Deploy an existing WAF policy to an existing *F5 Distributed Cloud Load Balancer*
+Task 3: Deploy an existing WAF policy to an existing *F5 Distributed Cloud Load Balancer*
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Now that Distribured Cloud is configured as a Provider, **Policy Supervisor** can deploy WAF policies to any **Load Balancer** defined in your tenant/domain.
+With a Distribured Cloud Provider successfully configured, **Policy Supervisor** can deploy WAF policies to any 
+**pre-existing HTTP Load Balancer** in the corresponding Distributed Cloud tenant.
+
+The steps to deploy a WAF policy to Distribured Cloud are basically the same as those provided in *Lab 1*
+for deploying a WAF policy to a BIG-IP.
+
+.. note:: 
+   Creating Distributed Cloud *HTTP Load Balancer* is out of scope for this lab.
+   The steps below are therefore provided here for demonstration purposes only.
 
-1- In **Policy Supervisor**, browse to the **Policies** page.
+1- In **Policy Supervisor**, browse to the **Policies** page (**http://policysupervisor.io**).
 
 +----------------------------------------------+
+|                                              |
+| *Option 1:*                                  |
+|                                              |
 | .. image:: _static/PSDeploy1.png             |
 |    :width: 800px                             |
+|                                              |
 +----------------------------------------------+
-+----------------------------------------------+
+|                                              |
+| *Option 2:*                                  |
+|                                              |
 | .. image:: _static/PSDeploy2.png             |
 |    :width: 800px                             |
+|                                              |
 +----------------------------------------------+
 
-2- Locate and click on the **Deploy** button for the policy you wish to deploy.
+2- Locate and click on the **Deploy** button for the policy you wish to deploy. 
 
 +----------------------------------------------+
 | .. image:: _static/PSXCDeploy3.png           |
 |    :width: 800px                             |
 +----------------------------------------------+
 
-3- Select the **Distribured Cloud** *Provider* configured in the previous task, enter the required note in the text box, and click **Conversion Summary**.
+3- Select the **Distribured Cloud** *Provider* that was configured in the previous task,
+enter the required note in the text box and click **Conversion Summary**.
+
+You can select multiple different *Providers* if you wish to *simultaneously* deploy
+this WAF policy to multiple different F5 platforms *(platform don't have to be of the same type).
 
 +----------------------------------------------+
 | .. image:: _static/PSXCDeploy4.png           |
 |    :width: 800px                             |
 +----------------------------------------------+
 
-4- Wait for the conversion process to complete and click **Save & Continue** and click **Continue Deployment**.
+4- Wait for the conversion process to complete, then click **Save & Continue**, and click **Continue Deployment**.
 
 +----------------------------------------------+
 | .. image:: _static/PSXCDeploy5.png           |
 |    :width: 800px                             |
 +----------------------------------------------+
 
-5- Select the Distributed Cloud **Load Balancer** where the policy is to be deployed/attached.
+5- Select the target Distributed Cloud **Load Balancer** where you want this policy to be deployed/attached.
+
+This *HTTP Load Balancer* must be pre-configured and available in the corresponding tenant.
 
-Task 5: Confirm that the WAF policy was deployed as expected
+.. note:: 
+   Creating Distributed Cloud *HTTP Load Balancer* is out of scope for this lab.
+   The steps below are therefore provided here for demonstration purposes only.
+
+Task 4: Confirm that the WAF policy was deployed as expected
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
+1- Browse back to your Distributed Cloud tenant *(for example:* **https://f5-xc-lab-mcn.console.ves.volterra.io**)
+and find the *HTTP Load Balancer* that was targeted in the previous task.
+
+2- Go to the **Web App & API Protection** tile/service.
+
++----------------------------------------------+
+| .. image:: _static/XCVerifyWAFAttached.png   |
+|    :width: 800px                             |
++----------------------------------------------+
+
+3- Select the corresponding *HTTP Load Balancer* and click the **Manage Configuration** link that can be
+found on the right side of the screen after clicking the three dots **(...)** in the *Actions* colum.
+
++----------------------------------------------+
+| .. image:: _static/XCVerifyWAFAttached2.png  |
+|    :width: 800px                             |
++----------------------------------------------+
+
+4- Scroll down to the **Web Applicaiton Firewall** section and observe that WAF is enabled with the
+correct policy.  
+
++----------------------------------------------+
+| .. image:: _static/XCVerifyWAFAttached3.png  |
+|    :width: 800px                             |
++----------------------------------------------+
+
+5- Optional testing step: Scroll further down to find the *host name* or *IP address* of your HTTP Load Balancer
+and browse to the corresponding URL. 
+
++----------------------------------------------+
+| .. image:: _static/XCVerifyWAFAttached4.png  |
+|    :width: 800px                             |
++----------------------------------------------+
+
+If the WAF policy is correctly applied and configured to be in blocking mode, forefully browsing
+to URI paths that are illegal will result in a blocking page. To validate, add the following path
+to the URL in your browser's address bar for your HTTP Load Balancer's host name
+(this represents a known SQL injection attack with a corresponding matching WAF signature):
+
+.. code:: 
+
+   /rest/products/search?q=qwert%27%29%29%20UNION%20SELECT%20id%2C%20email%2C%20password%2C%20%274%27%2C%20%275%27%2C%20%276%27%2C%20%277%27%2C%20%278%27%2C%20%279%27%20FROM%20Users--
+
++----------------------------------------------+
+| .. image:: _static/XCVerifyWAFAttached5.png  |
+|    :width: 800px                             |
++----------------------------------------------+
+
+The above *rejected* message represents the default F5 WAF blocking page.
+
+**Hint:** If the SQL injection attack is not blocked, go back to verify the configuration
+of the WAF policy in Distributed Cloud and change it to blocking mode!
+
+**WELL DONE!!!**
+
+This concludes the lab.