Manual Chapter: Adding BIG-IP DataSafe to the BIG-IP System

Applies To:

BIG-IP ASM

  • 15.1.0

Overview: Adding BIG-IP DataSafe to the BIG-IP system

F5 Networks security provides BIG-IP DataSafe, which protects users from Trojan attacks by encrypting data at the application layer on the client side. Encryption is performed on the client side using a public key that the BIG-IP system generates and provides uniquely per session. When the BIG-IP system receives the encrypted information, it decrypts it using a private key that is kept on the server side. Users can view alerts on potential encryption attacks in the Data Protection log on the BIG-IP system, or on a remote syslog server if you configure one to receive alerts.
In order to use BIG-IP DataSafe on the BIG-IP system, you need to provision Fraud Protection Service (FPS) for BIG-IP DataSafe, create a BIG-IP DataSafe profile, create a virtual server, and associate the profile with that virtual server.
  • The DataSafe Main JavaScript protects web applications with the content type text/html. If your web application is based on a different content type, you cannot apply the DataSafe Main JavaScript protection to it.
  • In most cases, the virtual server that you create for your profile will be an SSL virtual server.

Provisioning Fraud Protection Service for BIG-IP DataSafe using the Configuration utility

You must provision Fraud Protection Service (FPS) for BIG-IP DataSafe before performing any of the other tasks for adding BIG-IP DataSafe to the BIG-IP system. You can provision FPS either from the Configuration utility on the BIG-IP system or from the TMOS Shell (tmsh) command line interface. The following steps explain how to provision FPS from the Configuration utility.
  1. On the Main tab, click System > Resource Provisioning.
  2. Go to the Fraud Protection Service (FPS) row in the list of modules, and in the Provisioning column select the check box and select one of the options from the list:
    • Dedicated: Specifies that the system allocates all CPU, memory, and disk resources to one module. When you select this option, the system sets all other modules to None (Disabled).
    • Nominal: Specifies that, when first enabled, a module gets the least amount of resources required. Then, after all modules are enabled, the module gets additional resources from the portion of remaining resources.
    • Minimum: Specifies that when the module is enabled, it gets the least amount of resources required. No additional resources are ever allocated to the module.
  3. Click Submit.

Provisioning Fraud Protection Service for BIG-IP DataSafe using TMSH

You must provision Fraud Protection Service (FPS) for BIG-IP DataSafe before performing any of the other tasks for adding BIG-IP DataSafe to the BIG-IP system. You can provision FPS either from the Configuration utility on the BIG-IP system or from the TMOS Shell (tmsh) command line interface. The following steps explain how to provision FPS from tmsh.
  1. Open the TMOS Shell (tmsh).
  2. View the current provisioning of the system by typing list sys provision at the command line.
    The system displays the provisioning configuration. In this example, the system has nominal provisioning for LTM and the other modules are not provisioned.
    sys provision afm { } sys provision am { } sys provision apm { } sys provision asm { } sys provision avr { } sys provision dos { } sys provision fps { } sys provision gtm { } sys provision ilx { } sys provision lc { } sys provision ltm { level nominal } sys provision pem { } sys provision sslo { } sys provision swg { } sys provision urldb { }
  3. Modify provisioning for the FPS module by typing modify sys provision fps level <level_type> at the command line, where <level_type> is one of the following:
    • dedicated: Specifies that the system allocates all CPU, memory, and disk resources to one module. When you select this option, the system sets all other modules to None (Disabled).
    • nominal: Specifies that, when first enabled, a module gets the least amount of resources required. Then, after all modules are enabled, the module gets additional resources from the portion of remaining resources.
    • minimum: Specifies that when the module is enabled, it gets the least amount of resources required. No additional resources are ever allocated to the module.
    For example, to set FPS provisioning to nominal, type modify sys provision fps level nominal
    The system displays the provisioning configuration. In this example, the system now has nominal provisioning for FPS.
    sys provision afm { } sys provision am { } sys provision apm { } sys provision asm { } sys provision avr { } sys provision dos { } sys provision fps { level nominal } sys provision gtm { } sys provision ilx { } sys provision lc { } sys provision ltm { level nominal } sys provision pem { } sys provision sslo { } sys provision swg { } sys provision urldb { }
  4. Save the changes to the stored configuration by typing save sys config at the command line.
  5. Verify the current provisioning of the system by typing list sys provision at the command line.
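
The verification in step 5 is easy to automate when provisioning is scripted. The following example, added here and not part of F5's documentation or software, parses the single-line `list sys provision` output shown above into a module-to-level map and reports whether FPS is at the expected level; it also flags the conflict the page describes, where a dedicated module requires every other module to be None (Disabled). The sample output is a constructed copy of the page's post-modification example.

```python
"""Parse `tmsh list sys provision` output and check the FPS module level.

Added example (not F5 code) for the provisioning procedure above.
"""
import re

# Constructed sample, matching the output shown after
# `modify sys provision fps level nominal` in the procedure.
SAMPLE_OUTPUT = (
    "sys provision afm { } sys provision am { } sys provision apm { } "
    "sys provision asm { } sys provision avr { } sys provision dos { } "
    "sys provision fps { level nominal } sys provision gtm { } "
    "sys provision ilx { } sys provision lc { } "
    "sys provision ltm { level nominal } sys provision pem { } "
    "sys provision sslo { } sys provision swg { } sys provision urldb { }"
)

VALID_LEVELS = {"dedicated", "nominal", "minimum"}
# One `sys provision <module> { ... }` block. The body holds "level X"
# when the module is provisioned and is blank when it is not.
_BLOCK_RE = re.compile(r"sys provision (\S+)\s*\{([^}]*)\}")


def parse_provision(output: str) -> dict:
    """Return {module: level}, using 'none' for unprovisioned modules."""
    levels = {}
    for module, body in _BLOCK_RE.findall(output):
        level = "none"
        for key, value in re.findall(r"(\S+)\s+(\S+)", body):
            if key == "level":
                level = value
        levels[module] = level
    return levels


def check_fps(output: str, expected: str = "nominal") -> list:
    """Return a list of problems; an empty list means FPS is as expected.

    Also enforces the page's rule that a dedicated module sets every
    other module to None (Disabled).
    """
    if expected not in VALID_LEVELS:
        raise ValueError(f"unknown level {expected!r}")
    levels = parse_provision(output)
    problems = []
    if "fps" not in levels:
        problems.append("fps module missing from output")
    elif levels["fps"] != expected:
        problems.append(f"fps level is {levels['fps']}, expected {expected}")
    dedicated = [m for m, lvl in levels.items() if lvl == "dedicated"]
    if dedicated:
        others = [m for m, lvl in levels.items()
                  if lvl != "none" and m not in dedicated]
        if len(dedicated) > 1 or others:
            problems.append(f"dedicated module {dedicated} conflicts with {others}")
    return problems


if __name__ == "__main__":
    print(parse_provision(SAMPLE_OUTPUT))
    print(check_fps(SAMPLE_OUTPUT) or "fps provisioning OK")
```

On a real system, feed the function the captured output of `tmsh list sys provision` instead of the constructed sample.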

Creating a node for a remote syslog server

Before creating a node for a remote syslog server, you must first provision FPS for BIG-IP DataSafe.
Creating a node for a remote syslog server is only necessary if you want alerts sent to a remote syslog server. If you don't want alerts sent to a remote syslog server, skip this section.
An alternate way to create a node is to create a pool member. When you create a pool member, the BIG-IP system automatically creates the corresponding node. For example, if you create pool member 10.10.20.30:80, the system automatically creates a node with the address 10.10.20.30.
  1. On the Main tab, expand Local Traffic, and click Nodes.
    The Node List screen opens.
  2. Click the Create button.
    The New Node screen opens.
  3. In the Name field, type a descriptive label for the node.
    Names are case-sensitive.
  4. In the Address field, type the IP address of the remote syslog server.
  5. Click Finished.
    The screen refreshes, and the new node appears in the node list.

Creating a pool for a remote syslog server

Before creating a pool for a remote syslog server, you should create a node for the remote syslog server.
Creating a pool for a remote syslog server is only necessary if you want alerts sent to a remote syslog server. If you don't want alerts sent to a remote syslog server, skip this section.
  1. On the Main tab, click Local Traffic > Pools.
    The Pool List screen opens.
  2. Click Create.
    The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. At the New Members setting, select Node List.
  5. In the Address field, select the IP address of the remote syslog server.
  6. In the Service Port field, select HTTP or HTTPS from the list.
  7. Click Add.
  8. Click Finished.
The new pool appears in the Pools list.

Creating a web application server node

Before creating a web application server node, you must first provision FPS for BIG-IP DataSafe.
Local traffic pools use nodes as resources for load balancing. A node is an IP address that represents a server resource, which hosts applications.
  • If you plan to add your BIG-IP DataSafe profile to an existing virtual server (i.e., you are not going to create a new virtual server for your profile), you do not need to create a new web application node.
  • An alternate way to create a node is to create a pool member. When you create a pool member, the BIG-IP system automatically creates the corresponding node. For example, if you create pool member 10.10.20.30:80, the system automatically creates a node with the address 10.10.20.30.
  1. On the Main tab, expand Local Traffic, and click Nodes.
    The Node List screen opens.
  2. Click the Create button.
    The New Node screen opens.
  3. In the Name field, type a descriptive label for the node.
    Names are case-sensitive.
  4. In the Address field, type the IP address of the web application server.
  5. Click Finished.
    The screen refreshes, and the new node appears in the node list.

Creating a web application pool

Before creating a web application server pool, you must first create a web application server node.
You can create a pool of servers that you can group together to receive and process traffic.
  • If you plan to add your BIG-IP DataSafe profile to an existing virtual server (i.e., you are not going to create a new virtual server for your profile), you do not need to create a new web application pool.
  • Repeat the following steps for each desired pool.
  1. On the Main tab, click Local Traffic > Pools.
    The Pool List screen opens.
  2. Click Create.
    The New Pool screen opens.
  3. In the Name field, type a unique name for the web application pool.
  4. Using the New Members setting, add each resource that you want to include in the pool:
    1. Select Node List.
    2. For the Address option, select the IP address of the web application server.
    3. For the Service Port option, select HTTP or HTTPS from the list.
    4. Click Add.
  5. Click Finished.
The new pool appears in the Pools list.

Creating a remote high-speed log destination

Before creating a remote high-speed log destination, ensure that at least one pool of remote log servers exists on the BIG-IP system.
Create a log destination of the Remote High-Speed Log type if you want to have alerts sent to a remote syslog server. If you don't want alerts sent to a remote syslog server, skip this section.
  1. On the Main tab, click System > Logs > Configuration > Log Destinations.
    The Log Destinations screen opens.
  2. Click Create.
  3. In the Name field, type a unique, identifiable name for this destination.
  4. From the Type list, select Remote High-Speed Log.
  5. From the Pool Name list, select the remote syslog server pool that you defined previously.
  6. From the Protocol list, select the TCP protocol.
  7. Click Finished.

Creating a log publisher

Create a log publisher to specify where the BIG-IP system sends alert messages.
If you want alerts sent to a remote syslog server, you need to create two log publishers: one for the local syslog server and one for the remote syslog server.
  1. On the Main tab, click System > Logs > Configuration > Log Publishers.
    The Log Publishers screen opens.
  2. Click Create.
  3. In the Name field, type a unique, identifiable name for this publisher.
  4. For the Destinations setting, select local-syslog from the Available list, and click << to move the destination to the Selected list.
  5. Click Finished.
    The list of Log Publishers appears, showing the Log Publisher you just created.
  6. If you want to have alerts sent to a remote syslog server, repeat steps 2-5, and at step 4 select the log destination that you created previously from the Available list.

Creating an initial BIG-IP DataSafe profile

Overview: Creating an initial profile

Typically, when you create your initial profile, you will want to:
  • Set general properties for the profile in the Profile Properties screen
  • Define URLs to be included in the profile
  • Set one of the URLs to be a login page
  • Configure a post-login URL (in certain situations)
Therefore, the instructions for creating an initial profile are presented according to these four stages.
The DataSafe Main JavaScript protects web applications with the content types text/html and application/xhtml+xml. If your web application is based on a different content type, you cannot apply the DataSafe Main JavaScript protection to it.

Configuring general properties for a BIG-IP DataSafe profile

Configure general properties for a BIG-IP DataSafe profile to ensure proper encryption of data on your web site.
  1. On the Main tab, click Security > Data Protection > BIG-IP DataSafe.
    The BIG-IP DataSafe screen opens.
  2. Click Create.
    The Create New DataSafe Profile screen opens.
  3. Select the Customize All check box.
  4. In the Profile Name field, type a unique name for the profile.
  5. From the Parent Profile list, choose the parent profile on which you want to base your profile.
    • All undefined properties in the profile you are creating are inherited from the parent profile, and any future changes to those properties in the parent profile are automatically inherited by the profile you are creating.
    • URL properties are not inherited.
  6. If you previously created a Log Publisher for a remote syslog server, select it from the Log Publisher list.
  7. From the Local Syslog Publisher list, select the Log Publisher that you previously created for the local syslog server.
  8. If your web application is case-sensitive to URLs and SPA views, do the following:
    1. Click Advanced in the General Settings section.
      The Advanced settings appear.
    2. For the URLs are case sensitive setting, select the Enabled check box.
      • You should enable this setting only if your web application is case-sensitive to URLs and SPA views.
      • This setting cannot be changed after initial creation of your profile and does not affect URL parameters in the profile.
  9. Click Create.
    The BIG-IP DataSafe profile has been created.
After creating the profile, you should define the URLs that you want to include in your profile.

Defining URLs in the profile

Define URLs in your BIG-IP DataSafe profile to ensure proper protection of your web site.
  1. On the Main tab, click Security > Data Protection > BIG-IP DataSafe.
    The BIG-IP DataSafe screen opens.
  2. From the list of profiles, select the profile on which you want to define a URL.
    The DataSafe Profile Properties screen opens.
  3. In the DataSafe Configuration area, click URL List.
    The URL List opens.
  4. Click the Add URL button.
    The Create New URL screen opens.
  5. In the URL Path field, choose one of the following types for the URL path:
    • Explicit: Assign a specific URL path.
    • Wildcard: Assign a wildcard expression URL. Any URL that matches the wildcard expression is considered legal and receives protection. For example, typing the wildcard expression /* specifies that any URL is allowed.
    All URLs must start with a slash (/), for both Explicit and Wildcard types.
    1. If you chose Explicit, type the URL path.
    2. If you chose Wildcard, type the wildcard expression URL and, if you want it to include a query string, select the Include Query String check box.
      The syntax for wildcard entities is based on shell-style wildcard characters. The following table lists the wildcard characters that you can use so that the entity name matches multiple objects.
      Wildcard character   Matches
      *                    All characters
      ?                    Any single character
      [abcde]              Exactly one of the characters listed
      [!abcde]             Any character not listed
      [a-e]                Exactly one character in the range
      [!a-e]               Any character not in the range
      If a wildcard character is actually used as part of a real URL and you don't want it to be treated as a wildcard character, type \ and then the character to indicate that it should not be treated as a wildcard character.
      Regular expressions should not be used in Wildcard URLs.
  6. Click Advanced.
  7. If you want the BIG-IP DataSafe Main JavaScript to run on the web page of the URL, select the Enabled check box for Inject Main JavaScript (selected by default).
    When this setting is enabled, the BIG-IP DataSafe Main JavaScript also runs on all SPA views on this URL that are configured in the profile.
    • The DataSafe Main JavaScript protects web applications with the content types text/html and application/xhtml+xml. If your web application is based on a different content type, you cannot apply the DataSafe Main JavaScript protection to it.
    • Inject Main JavaScript can be disabled for web pages that do not require fraud protection and only receive data from a protected page.
  8. If you want to change the default location where the BIG-IP DataSafe Main JavaScript is injected in the URL's web page, at Location of Main JavaScript Injection, do the following:
    • Select a position for the Main JavaScript (either before or after the tag you define).
    • In the Tag field, type the tag that determines where the Main JavaScript is placed.
    The BIG-IP DataSafe Main JavaScript must be injected into the web page HTML before the CSS element.
  9. If you want to change the default location of the Disabled JavaScript Detection Tag, at Location of Disabled JavaScript Detection Tag, do the following:
    • Select a position for the Disabled JavaScript Detection Tag (either before or after the tag you define).
    • In the Tag field, type the tag that determines where the Disabled JavaScript Detection Tag is placed.
    The Disabled JavaScript Detection Tag detects whether JavaScript has been disabled in the user's web browser.
    • For Internet Explorer 9.0 and later versions, Disabled JavaScript Detection is not supported if the content type of your web application response is xhtml.
    • For web browsers other than Internet Explorer, if the content type of your web application response is xhtml, you must use the default settings After and body.
  10. Leave the Additional function to be run before JavaScript load field blank unless instructed otherwise by F5.
  11. Click Create to save your initial URL settings.
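
The wildcard table above is the one to check a URL List entry against before relying on it, because an entry that is broader than intended extends protection (and the Main JavaScript injection) to pages you did not plan for, while one that is too narrow leaves a login page uncovered. The following matcher is an added example, not F5's implementation: it translates the shell-style characters in the table into an anchored regular expression, treats a backslash as the escape the text describes, compares Explicit entries exactly, and, as an assumption about the Include Query String check box, ignores the query string unless that flag is set. The same syntax is used for parameter names in the login-page procedure that follows, so the same function serves both.

```python
"""Match request URLs against DataSafe-style Explicit and Wildcard entries.

Added example, not F5 code. Wildcard syntax follows the table on this page:
* ? [abcde] [!abcde] [a-e] [!a-e], with a backslash escaping a wildcard
character. The same rules apply to Wildcard parameter names.
"""
import re


def wildcard_to_regex(pattern: str) -> str:
    """Translate a DataSafe wildcard expression into an anchored regex."""
    out, i, n = [], 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\" and i + 1 < n:            # backslash: next char is literal
            out.append(re.escape(pattern[i + 1]))
            i += 2
        elif c == "*":                          # all characters
            out.append(".*")
            i += 1
        elif c == "?":                          # any single character
            out.append(".")
            i += 1
        elif c == "[":                          # [abcde], [!abcde], [a-e], [!a-e]
            j = pattern.find("]", i + 1)
            body = pattern[i + 1:j] if j != -1 else ""
            negate = body.startswith("!")
            body = body[1:] if negate else body
            if not body:                        # no class to build: literal '['
                out.append(re.escape(c))
                i += 1
                continue
            body = body.replace("\\", "\\\\").replace("^", "\\^")
            out.append("[" + ("^" if negate else "") + body + "]")
            i = j + 1
        else:
            out.append(re.escape(c))            # ordinary URL character
            i += 1
    return "^" + "".join(out) + "$"


def url_entry_matches(entry_type: str, entry: str, url: str,
                      include_query_string: bool = False) -> bool:
    """Return True if `url` is covered by the URL List entry.

    entry_type is "Explicit" or "Wildcard"; both must start with a slash.
    Assumption: the query string is compared only when Include Query String
    is selected, otherwise only the path is compared.
    """
    if not entry.startswith("/"):
        raise ValueError("all URLs must start with a slash")
    subject = url if include_query_string else url.split("?", 1)[0]
    if entry_type == "Explicit":
        return subject == entry
    if entry_type == "Wildcard":
        return re.fullmatch(wildcard_to_regex(entry), subject) is not None
    raise ValueError(f"unknown entry type {entry_type!r}")


if __name__ == "__main__":
    # Constructed checks: an entry that covers every page versus narrow ones.
    print(url_entry_matches("Wildcard", "/*", "/account/summary.jsp"))
    print(url_entry_matches("Wildcard", "/account/?.jsp", "/account/12.jsp"))
    print(url_entry_matches("Wildcard", "/search\\?q=*", "/search?q=x", True))
```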

Setting a URL or SPA view to be a login page

Set a URL or Single Page Application (SPA) view in your profile to be a login page if you want to encrypt data on a login page in your web site.
  1. On the Main tab, click Security > Data Protection > BIG-IP DataSafe.
    The BIG-IP DataSafe screen opens.
  2. From the list of profiles, select the relevant profile.
    The DataSafe Profile Properties screen opens.
  3. In the DataSafe Configuration area, click URL List.
    The URL List opens.
  4. Click the URL or view that you want to set as the login page, or click Add URL (or Add View) if you want to create a new URL or view to be a login page.
  5. In the URL Configuration (or View Configuration) area, select Parameters.
    The Parameters list is displayed.
  6. Click the Add button.
    The Parameter Settings screen opens.
  7. In the Parameter Name field, choose one of the following types for the parameter name:
    • Explicit: Assign a specific parameter name.
    • Wildcard: Assign a wildcard expression for the parameter name. Any parameter name that matches the wildcard expression is considered legal and receives protection. For example, typing the wildcard expression * specifies that any parameter name is allowed.
    1. If you chose Explicit, type the parameter name.
    2. If you chose Wildcard, type the wildcard expression.
      The syntax for wildcard entities is based on shell-style wildcard characters. The following table lists the wildcard characters that you can use so that the entity name matches multiple objects.
      Wildcard character   Matches
      *                    All characters
      ?                    Any single character
      [abcde]              Exactly one of the characters listed
      [!abcde]             Any character not listed
      [a-e]                Exactly one character in the range
      [!a-e]               Any character not in the range
      If a wildcard character is actually used as part of a parameter name and you don't want it to be treated as a wildcard character, type \ and then the character to indicate that it should not be treated as a wildcard character.
      A regular expression should not be used as part of the wildcard expression for a parameter name.
  8. Select Identify as Username.
    Only one parameter per URL can have the attribute Identify as Username.
  9. Click Create and then Back to URL (or Back to View).
  10. Under URL Configuration (or View Configuration), select Login Page Properties.
    Configuring the Login Page Properties is not required but is recommended, because a login cannot be verified as successful unless at least one of the criteria in the Login Page Properties is configured.
  11. For the URL is Login Page setting, select the Yes check box.
    The Login Page Properties appear.
    If URL is Login Page is enabled, you must configure at least one of the Login Page Properties. If you configure more than one Login Page Property, then the criteria for all configured properties must be fulfilled for the BIG-IP system to consider the login successful.
  12. In the A string that should appear in the response body field, type a string that should appear in the successful response to the login URL.
  13. In the A string that should NOT appear in the response body field, type a string that should not appear in the successful response to the login URL.
  14. For the Expected HTTP response status code setting, select Specify and type the HTTP response status code that the server must return to the user upon successful login, or select None.
    If you select None, the HTTP response code is not used to determine a successful login.
  15. In the Expected response header field, type a header name that the successful response to the login URL must include.
  16. In the Expected cookie name field, type a cookie name that the successful response to the login URL must include.
  17. Click Save.
    The Login Page and Parameter settings are saved.
If the form action in the HTTP request from the login page does not refer to the login page URL, you also need to configure a post-login URL.
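
Because every configured Login Page Property must hold for a login to count as successful, it is worth checking a real success response and a real failure response from the application against the properties you intend to set before saving them; a criterion the success response does not satisfy (for example a cookie set only on a later page) means no login is ever recorded as successful. The following evaluator is an added example, not F5's code: it models the five properties of steps 12 through 16, enforces the at-least-one rule from step 11, and applies all configured criteria to a constructed success and failure response. Case-insensitive comparison of header names is an assumption based on HTTP header semantics.

```python
"""Evaluate Login Page Properties criteria against a login response.

Added example, not F5 code. Rule from the procedure above: at least one
property must be configured, and every configured property must hold.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class LoginPageProperties:
    """Mirrors the fields on the Login Page Properties screen."""
    body_should_contain: Optional[str] = None
    body_should_not_contain: Optional[str] = None
    expected_status: Optional[int] = None      # None corresponds to the "None" choice
    expected_header: Optional[str] = None      # header name that must be present
    expected_cookie: Optional[str] = None      # cookie name that must be set

    def configured(self) -> bool:
        return any(v is not None for v in vars(self).values())


def login_succeeded(props: LoginPageProperties, status: int,
                    headers: List[Tuple[str, str]], body: str) -> bool:
    """Return True only if every configured criterion holds for the response."""
    if not props.configured():
        raise ValueError("URL is Login Page requires at least one Login Page Property")
    # Assumption: header names compare case-insensitively (HTTP semantics).
    header_names = {name.lower() for name, _ in headers}
    cookie_names = {value.split("=", 1)[0].strip()
                    for name, value in headers if name.lower() == "set-cookie"}
    checks = []
    if props.body_should_contain is not None:
        checks.append(props.body_should_contain in body)
    if props.body_should_not_contain is not None:
        checks.append(props.body_should_not_contain not in body)
    if props.expected_status is not None:
        checks.append(status == props.expected_status)
    if props.expected_header is not None:
        checks.append(props.expected_header.lower() in header_names)
    if props.expected_cookie is not None:
        checks.append(props.expected_cookie in cookie_names)
    return all(checks)


# Constructed sample: properties for a hypothetical /login.jsp that redirects
# on success and sets a session cookie, plus one success and one failure response.
PROPS = LoginPageProperties(body_should_not_contain="Invalid credentials",
                            expected_status=302, expected_cookie="JSESSIONID")
GOOD_RESPONSE = (302, [("Location", "/home"),
                       ("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly")], "")
BAD_RESPONSE = (200, [("Content-Type", "text/html")],
                "<html>Invalid credentials</html>")

if __name__ == "__main__":
    print(login_succeeded(PROPS, *GOOD_RESPONSE))   # every criterion holds
    print(login_succeeded(PROPS, *BAD_RESPONSE))    # status and body fail
```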

Configuring a post-login URL

You need to configure a post-login URL only if the login page sends the login request to a URL that is different from the login URL (for example, the login page URL is /login.jsp, but it sends the user name and password to /validate.jsp).
Configure a post-login URL to ensure that the BIG-IP system can retrieve the user name and decrypt the password.
  1. On the Main tab, click Security > Data Protection > BIG-IP DataSafe.
    The BIG-IP DataSafe screen opens.
  2. From the list of profiles, select the relevant profile.
    The DataSafe Profile Properties screen opens.
  3. In the DataSafe Configuration area, click URL List.
    The URL List opens.
  4. Select the check box next to the login URL.
  5. Click the Clone button.
    The Clone URL pop-up screen opens.
  6. In the URL Path field, type the URL that is referred to in the form action of the HTTP request.
  7. Optional: In the Description field, type a description for the URL.
  8. Ensure that the Inject JavaScript setting is disabled.
  9. If the login URL contains SPA views and you want the post-login URL to inherit those views, select the Enabled check box by Views.
  10. Select the Enabled check box by Parameters.
  11. Click the Clone button in the Clone URL pop-up screen.
    Once the new URL is created, there is no further dependency on the source URL, and any future changes made to the source URL are not inherited by the new URL.
The BIG-IP system creates the post-login URL.

Creating a custom HTTP profile

Perform this procedure only if SNAT or Auto Map is used for Source Address Translation in the virtual server.
An HTTP profile defines the way that you want the BIG-IP system to manage HTTP traffic.
  1. On the Main tab, click Local Traffic > Profiles > Services > HTTP.
    The HTTP profile list screen opens.
  2. Click Create.
    The New HTTP Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. Select the Custom check box.
  5. For the Insert X-Forwarded-For setting, select Enabled.
  6. Click Finished.
The custom HTTP profile now appears in the HTTP profile list screen.

Creating a virtual server

You can create a virtual server on the BIG-IP system, where clients send application requests. The virtual server manages the network resources for the web application that you are securing with a security policy.
  1. On the Main tab, click Local Traffic > Virtual Servers.
    The Virtual Server List screen opens.
  2. Click Create.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address/Mask field, type an address, as appropriate for your network.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
  5. In the Service Port field, type 80, or select HTTP from the list.
  6. From the HTTP Profile list:
    1. If you previously created an HTTP profile, select the profile you created.
    2. Otherwise, select http.
  7. From the Source Address Translation list, select the appropriate translation.
  8. From the Default Pool list, select the pool that is configured for the application server.
  9. Click Finished.

Associating a profile with a virtual server

To complete the process of adding BIG-IP DataSafe to a virtual server, you need to associate the profile with the virtual server.
If the virtual server that you associate with your BIG-IP DataSafe profile also has an HTTP compression profile associated with it, you must also perform the instructions in the following section, Configuring BIG-IP DataSafe with an HTTP compression profile.
  1. On the Main tab, click Local Traffic > Virtual Servers.
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. On the menu bar, from the Security menu, choose Policies.
  4. From the Anti-Fraud Profile list, select Enabled, and then from the Profile list, select the profile you created previously.
  5. Click Update to save the changes.
If the virtual server that you associated with your BIG-IP DataSafe profile also has an HTTP compression profile associated with it, you must perform the instructions in the following section, Configuring BIG-IP DataSafe with an HTTP compression profile.

Configuring BIG-IP DataSafe with an HTTP compression profile

The instructions in this section are relevant only if your BIG-IP DataSafe profile is associated with a virtual server that also has an HTTP compression profile associated with it.
If your BIG-IP DataSafe profile is associated with a virtual server that also has an HTTP compression profile associated with it, you must perform the following steps to ensure that your web site is not disabled.
  1. On the Main tab, click Security > Data Protection > BIG-IP DataSafe.
    The BIG-IP DataSafe screen opens.
  2. From the list of profiles, select the relevant profile.
    The DataSafe Profile Properties screen opens.
  3. In the General Settings area of the DataSafe Profile Properties screen, click Advanced.
    The Advanced settings appear.
  4. At JavaScript Configuration Directory, copy the path.
  5. On the Main tab, go to Local Traffic > Profiles > Services > HTTP Compression.
  6. In the list of profiles, click the HTTP compression profile that is associated with the same virtual server as your BIG-IP DataSafe profile.
  7. In the URI List section, at URI, paste the path of the JavaScript Configuration Directory.
  8. In the URI List section, click Exclude.
  9. At the bottom of the screen, click Update.
  10. In the BIG-IP command line, set the BigDB variable for Datasync with the following command:
    tmsh modify sys db variable datasync.gzip_fpm value enable