diff --git a/docs/class9/_static/XCVerifyWAFAttached.png b/docs/class9/_static/XCVerifyWAFAttached.png new file mode 100644 index 00000000..e281c9c4 Binary files /dev/null and b/docs/class9/_static/XCVerifyWAFAttached.png differ diff --git a/docs/class9/_static/XCVerifyWAFAttached2.png b/docs/class9/_static/XCVerifyWAFAttached2.png new file mode 100644 index 00000000..1e8159e6 Binary files /dev/null and b/docs/class9/_static/XCVerifyWAFAttached2.png differ diff --git a/docs/class9/_static/XCVerifyWAFAttached3.png b/docs/class9/_static/XCVerifyWAFAttached3.png new file mode 100644 index 00000000..c8fb7703 Binary files /dev/null and b/docs/class9/_static/XCVerifyWAFAttached3.png differ diff --git a/docs/class9/_static/XCVerifyWAFAttached4.png b/docs/class9/_static/XCVerifyWAFAttached4.png new file mode 100644 index 00000000..1925c6db Binary files /dev/null and b/docs/class9/_static/XCVerifyWAFAttached4.png differ diff --git a/docs/class9/_static/XCVerifyWAFAttached5.png b/docs/class9/_static/XCVerifyWAFAttached5.png new file mode 100644 index 00000000..5f0bc30d Binary files /dev/null and b/docs/class9/_static/XCVerifyWAFAttached5.png differ diff --git a/docs/class9/intro.rst b/docs/class9/intro.rst index c8af77d7..603e0bfe 100644 --- a/docs/class9/intro.rst +++ b/docs/class9/intro.rst @@ -136,8 +136,9 @@ F5 Distributed Cloud Console. .. warning:: *If you have not received the email to change your credentials or ran into problems changing - your credentials specifically for Account name: **f5-xc-lab-mcn**, - *please stop and get help from one of the Lab Assistants. + your credentials specifically for Account name:* + **f5-xc-lab-mcn**, + *please stop and get help from one of the Lab Assistants.* 1. Locate the **Update Your Account** email sent to you from *F5 Distributed Cloud *. @@ -152,8 +153,7 @@ F5 Distributed Cloud Console. | |PSUpdatePassword| | +----------------------------------------------------------------------------------------------+ -3. -Type your *new password*. +3. Type your *new password*. Adhere to the password strength restrictions and make a mental note of these credentials as you will need them several times throughout this lab today. diff --git a/docs/class9/lab1.rst b/docs/class9/lab1.rst index f1bf77fe..e36dca82 100644 --- a/docs/class9/lab1.rst +++ b/docs/class9/lab1.rst @@ -29,7 +29,7 @@ When you add a BIG-IP instance as a *provider*, you must first set up an *agent* .. note:: **Prerequisites:** - **Policy Supervisor Agent** *requires the following applications to be installed on your Linux machine/VM:* + Installation of the **Policy Supervisor Agent** *requires the following applications to be installed on your Linux machine/VM:* - Docker - wget @@ -55,8 +55,8 @@ Access the F5 **Policy Supervisor** console at https://policysupervisor.io as in | |lab002| | +----------------------------------------------+ -3. Copy & paste (save) the value of the **Token** to a text file or notepad. - *(This token will be required in *Task 2* below.)* +3. *Copy & paste* (save) the value of the **Token** to a text file or notepad. + (This token will be required in *Task 2* below.) +----------------------------------------------+ | |lab003| | @@ -70,7 +70,7 @@ Access the F5 **Policy Supervisor** console at https://policysupervisor.io as in +----------------------------------------------+ 5. At the bottom of the *Package Registry* page, **right-click** on the **agent-installer** file name and - select **Copy Link**. *(This URL will be required in *Task 2* below.)* + select **Copy Link**. (This URL will be required in *Task 2* below.) .. note:: *The URL for the agent-installer file changes from time to time when it is updated.* diff --git a/docs/class9/lab2.rst b/docs/class9/lab2.rst index 5c447eea..783aac35 100644 --- a/docs/class9/lab2.rst +++ b/docs/class9/lab2.rst @@ -9,12 +9,18 @@ Please refer to the Tutorial in the GitHub repo (https://github.com/f5devcentral **Policy Supervisor** provides a graphical interface for visual policy creation, editing and management for traditional SecOps personas. +.. note:: + The ephemeral accounts that are created in Distributed Clound for students of this lab + do not have sufficient priviliges/rights to configure **Policy Supervisor** as described in this lab. + The steps below are therefore provided here for demonstration purposes only. + Task 1: Obtain an authentication token for your F5 Distributed Cloud tenant ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ A valid F5 Distributed Cloud authentication token before it can be added as a provider. -1- Browse to your Distributed Cloud console at **https://f5-xc-lab-mcn.console.ves.volterra.io/** and sign in to the **f5-xc-lab-mcn** domain using the ephemeral account credentials, as described in the introduction section of this lab guide. +1- Browse to your Distributed Cloud console (for example: **https://f5-xc-lab-mcn.console.ves.volterra.io**) +and sign as described in the introduction section of this lab guide. +----------------------------------------------+ | .. image:: _static/tenantlogin2.png | @@ -42,7 +48,8 @@ A valid F5 Distributed Cloud authentication token before it can be added as a pr | :width: 800px | +----------------------------------------------+ -5- Find and click on **Add Credentials**, fill in the fields as shown in the picture above and click **Generate** +5- Find and click on **Add Credentials** on the *Credentials* page, then fill in the fields as shown +in the picture above and click **Generate**. +----------------------------------------------+ | .. image:: _static/XCToken3.png | @@ -53,97 +60,180 @@ A valid F5 Distributed Cloud authentication token before it can be added as a pr 7- Click **Done** -Task 2: Create a new *Load Balancer* in your Distributed Cloud tenant/domain -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -[insert steps to create a new simple load balancer... Should we use curl/API scripts to make it as easy and quick as possible?] - -Task 3: Create a new **Policy Supervisor** *Provider* +Task 2: Create a new **Policy Supervisor** *Provider* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -1- Browse to the **Policy Supervisor** *Providers* page and login (login instructions can be found in the introduction section of this lab guide). +.. note:: + The ephemeral accounts that are created in Distributed Clound for students of this lab + do not have sufficient priviliges/rights to configure **Policy Supervisor** as described in this lab. + The steps below are therefore provided here for demonstration purposes only. + +1- Browse to the **Policy Supervisor** *Providers* page (**http://policysupervisor.io**) and +login if required *(login instructions can be found in the introduction section of this lab guide). +----------------------------------------------+ | .. image:: _static/PSProviderList.png | | :width: 800px | +----------------------------------------------+ -2- Click **Add provider** +2- Click **Add provider**. +----------------------------------------------+ | .. image:: _static/PSXCProvider1.png | | :width: 800px | +----------------------------------------------+ -3- Select **Distributed Cloud** for the *Provider Type* and click **+ Add secret** +3- Select **Distributed Cloud** for the *Provider Type* and click **+ Add secret**. +----------------------------------------------+ | .. image:: _static/PSXCProvider2.png | | :width: 800px | +----------------------------------------------+ -4- Enter a name, paste the value of the Distributed Cloud token obtained in Task 1 above, and click **Create** +4- Enter a name, paste the value of the Distributed Cloud token obtained in Task 1 above, and click **Create**. +----------------------------------------------+ | .. image:: _static/PSXCProvider3.png | | :width: 800px | +----------------------------------------------+ -5- Select this newly created secret and click **Continue** +5- Select this newly created secret from the drop-down list and click **Continue**. +----------------------------------------------+ | .. image:: _static/PSXCProvider4.png | | :width: 800px | +----------------------------------------------+ -6- Enter a name for this provider (*for example:* **Distributed Cloud**), type or paste the URL for your Distributed Cloud domain/tenant (for the ephemeral credentails automatically created for this lab: **https://f5-xc-lab-mcn.console.ves.volterra.io**), and click **Test Connection** +6- Enter a name for this provider (*for example:* **Distributed Cloud**), type or +paste the URL for your Distributed Cloud domain/tenant *(for example:* **https://f5-xc-lab-mcn.console.ves.volterra.io**) and click **Test Connection**. +----------------------------------------------+ | .. image:: _static/PSXCProvider5.png | | :width: 800px | +----------------------------------------------+ -7- Wait for the test to complete. Click **Go to overview** to return to the Providers Overview page. +7- Wait for the test to complete, then click **Go to overview** to return to the Providers Overview page. -Task 4: Deploy an existing WAF policy to an existing *F5 Distributed Cloud Load Balancer* +Task 3: Deploy an existing WAF policy to an existing *F5 Distributed Cloud Load Balancer* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Now that Distribured Cloud is configured as a Provider, **Policy Supervisor** can deploy WAF policies to any **Load Balancer** defined in your tenant/domain. +With a Distribured Cloud Provider successfully configured, **Policy Supervisor** can deploy WAF policies to any +**pre-existing HTTP Load Balancer** in the corresponding Distributed Cloud tenant. + +The steps to deploy a WAF policy to Distribured Cloud are basically the same as those provided in *Lab 1* +for deploying a WAF policy to a BIG-IP. + +.. note:: + Creating Distributed Cloud *HTTP Load Balancer* is out of scope for this lab. + The steps below are therefore provided here for demonstration purposes only. -1- In **Policy Supervisor**, browse to the **Policies** page. +1- In **Policy Supervisor**, browse to the **Policies** page (**http://policysupervisor.io**). +----------------------------------------------+ +| | +| *Option 1:* | +| | | .. image:: _static/PSDeploy1.png | | :width: 800px | +| | +----------------------------------------------+ -+----------------------------------------------+ +| | +| *Option 2:* | +| | | .. image:: _static/PSDeploy2.png | | :width: 800px | +| | +----------------------------------------------+ -2- Locate and click on the **Deploy** button for the policy you wish to deploy. +2- Locate and click on the **Deploy** button for the policy you wish to deploy. +----------------------------------------------+ | .. image:: _static/PSXCDeploy3.png | | :width: 800px | +----------------------------------------------+ -3- Select the **Distribured Cloud** *Provider* configured in the previous task, enter the required note in the text box, and click **Conversion Summary**. +3- Select the **Distribured Cloud** *Provider* that was configured in the previous task, +enter the required note in the text box and click **Conversion Summary**. + +You can select multiple different *Providers* if you wish to *simultaneously* deploy +this WAF policy to multiple different F5 platforms *(platform don't have to be of the same type). +----------------------------------------------+ | .. image:: _static/PSXCDeploy4.png | | :width: 800px | +----------------------------------------------+ -4- Wait for the conversion process to complete and click **Save & Continue** and click **Continue Deployment**. +4- Wait for the conversion process to complete, then click **Save & Continue**, and click **Continue Deployment**. +----------------------------------------------+ | .. image:: _static/PSXCDeploy5.png | | :width: 800px | +----------------------------------------------+ -5- Select the Distributed Cloud **Load Balancer** where the policy is to be deployed/attached. +5- Select the target Distributed Cloud **Load Balancer** where you want this policy to be deployed/attached. + +This *HTTP Load Balancer* must be pre-configured and available in the corresponding tenant. -Task 5: Confirm that the WAF policy was deployed as expected +.. note:: + Creating Distributed Cloud *HTTP Load Balancer* is out of scope for this lab. + The steps below are therefore provided here for demonstration purposes only. + +Task 4: Confirm that the WAF policy was deployed as expected ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +1- Browse back to your Distributed Cloud tenant *(for example:* **https://f5-xc-lab-mcn.console.ves.volterra.io**) +and find the *HTTP Load Balancer* that was targeted in the previous task. + +2- Go to the **Web App & API Protection** tile/service. + ++----------------------------------------------+ +| .. image:: _static/XCVerifyWAFAttached.png | +| :width: 800px | ++----------------------------------------------+ + +3- Select the corresponding *HTTP Load Balancer* and click the **Manage Configuration** link that can be +found on the right side of the screen after clicking the three dots **(...)** in the *Actions* colum. + ++----------------------------------------------+ +| .. image:: _static/XCVerifyWAFAttached2.png | +| :width: 800px | ++----------------------------------------------+ + +4- Scroll down to the **Web Applicaiton Firewall** section and observe that WAF is enabled with the +correct policy. + ++----------------------------------------------+ +| .. image:: _static/XCVerifyWAFAttached3.png | +| :width: 800px | ++----------------------------------------------+ + +5- Optional testing step: Scroll further down to find the *host name* or *IP address* of your HTTP Load Balancer +and browse to the corresponding URL. + ++----------------------------------------------+ +| .. image:: _static/XCVerifyWAFAttached4.png | +| :width: 800px | ++----------------------------------------------+ + +If the WAF policy is correctly applied and configured to be in blocking mode, forefully browsing +to URI paths that are illegal will result in a blocking page. To validate, add the following path +to the URL in your browser's address bar for your HTTP Load Balancer's host name +(this represents a known SQL injection attack with a corresponding matching WAF signature): + +.. code:: + + /rest/products/search?q=qwert%27%29%29%20UNION%20SELECT%20id%2C%20email%2C%20password%2C%20%274%27%2C%20%275%27%2C%20%276%27%2C%20%277%27%2C%20%278%27%2C%20%279%27%20FROM%20Users-- + ++----------------------------------------------+ +| .. image:: _static/XCVerifyWAFAttached5.png | +| :width: 800px | ++----------------------------------------------+ + +The above *rejected* message represents the default F5 WAF blocking page. + +**Hint:** If the SQL injection attack is not blocked, go back to verify the configuration +of the WAF policy in Distributed Cloud and change it to blocking mode! + +**WELL DONE!!!** + +This concludes the lab. \ No newline at end of file