F5 Logo MyF5
Search
  1. MyF5 Home
  2. BIG-IP Distributed Cloud Services: Client-Side Defense Implementation
  3. Configuring a CSD Profile
Manual Chapter : Configuring a CSD Profile

Applies To:

Show Versions Show Versions

BIG-IP Distributed Cloud Services

  • 17.1.2, 17.1.1, 17.1.0
Manual Chapter

Configuring a CSD Profile

Configuring a CSD Profile

Before configuring a CSD profile in the BIG-IP, you need to first add your web application's root domain to the CSD configuration page in the F5 Distributed Cloud Console.
Configure a CSD profile to protect your web application from malicious JavaScript attacks.
  1. On the Main tab, click
    Distributed Cloud Services
    Client-Side Defense
    CSD Profiles
    .
    The CSD Profiles screen displays the list of CSD profiles on the BIG-IP.
  2. Click
    Create
    .
    The New CSD Profile screen opens.
  3. In the Basic/Advanced Toggle, select
    Advanced
    .
  4. In the
    Profile Name
     field, enter a unique name for the CSD profile.
  5. In the
    Parent Profile
     field, select an existing CSD profile from which the current profile will inherit undefined properties.
    The system-supplied
    csd
     parent profile is assigned by default.
  6. Optional:
     In the
    Description
     field, enter a description of the profile.
  7. At
    Use Proxy Server
    , select
    Yes
     if you want to route data via a proxy server so that it won't be sent directly from the BIG-IP to the CSD backend server.
    Some deployments may require proxy support with basic authentication to control outbound traffic towards internet.
  8. If
    Use Proxy Server
     is
    No
    :
    • At
      API Domain Pool
      , if you are creating an CSD profile for the first time, click the
      +
       button to create a new pool using the domain that is part of the
      src
       URL in the CSD JavaScript tag in the F5 Distributed Cloud Console (or the URL from F5 Support).
      For example, if:
      src = “https://us.gimp.zeronaught.com/__imp_apg__/js/volt-volterra_abcdefg-12345678.js”
      use the domain
      us.gimp.zeronaught.com
       when creating the pool.
      The CSD JavaScript tag is located in the F5 Distributed Cloud Console at
      Client-Side Defense
      Configuration
      How to Inject JS
      .
      If you have already created an API Domain Pool in a previous CSD profile, you can select the pool that you created from the drop-down list.
    • At
      API Hostname
      , do not change this name without consulting F5 Support. This name is generated automatically based on the API Domain Pool you select.
    • At
      Telemetry Domain Pool
      , if you are creating a CSD profile for the first time, click the + button to create a new pool using the domain
      csd.zeronaught.com
       (this is usually the correct domain, but verify this with F5 Support). When creating the Telemetry Domain Pool, you must use the https protocol and service port 443.
      If you have already created a Telemetry Domain Pool in a previous CSD profile, you can select the pool that you created from the drop-down list.
    • At
      Telemetry Hostname
      , do not change this name without consulting F5 Support. This name is generated automatically based on the API Domain Pool you select.
  9. If
    Use Proxy Server
     is
    Yes
    :
    • At
      Proxy Pool
      : Select a Proxy Pool from the drop-down list, or click the
      +
       button to configure a new proxy pool.
      If you click the
      +
       button, the pool configuration screen appears. In the pool configuration screen, create a new pool with explicit proxy nodes. When you click
      Finish
      in the pool configuration screen, you return to the CSD Profile properties screen.
    • At
      Proxy Username
      : Enter a user name for proxy authorization. This setting is needed only if your proxy server requires this.
    • At
      Proxy Password
      : Enter a password for proxy authorization. This setting is needed only if your proxy server requires this.
    • At
      API Proxy Destination
      : Enter here the protocol and domain from the JS URL you received in the F5 Distributed Cloud Console (or from F5 Support).
      For example, if you received the following JS URL:
      https://us.gimp.zeronaught.com/__imp_apg__/js/volt-volterra_abcdefg-12345678.js
      ,
      enter here:
      https://us.gimp.zeronaught.com
      .
      Optionally, you can add a port number if you are using a port that is not standard for http or https. Using the example above, if you want to use port 550, enter here:
      https://us.gimp.zeronaught.com:550
      .
    • At
      Telemetry Proxy Destination
      , do not change the default path unless instructed to do so by F5 Support.
  10. At
    API SSL Profile
    , select an SSL profile that will be attached to a new virtual server for routing traffic to the Service Pool.
  11. At
    JavaScript Path
    , enter the path starting with
    /__imp_apg__/
     in the JS URL that you received in the F5 Distributed Cloud Console (or from F5 Support).
    For example, if you received the following JS URL:
    https://us.gimp.zeronaught.com/__imp_apg__/js/volt-volterra_abcdefg-12345678.js
    , use the path
    /__imp_apg__/js/volt-volterra_abcdefg-12345678.js
    .
  12. At
    Customer ID
    , enter your Customer ID that you received from the F5 Distributed Cloud Console. Usually, this can be taken from the JavaScript Path. For example, if the JavaScript Path is
    /__imp_apg__/js/volt-volterra_abcdefg-12345678.js
    , the Customer ID is
    volt-volterra_abcdefg-12345678
    .
  13. At
    Telemetry SSL Profile
    , select an SSL profile that will be attached to a new virtual server for routing traffic to the Telemetry Pool.
  14. At
    Telemetry Path Prefix
    , do not change the default path unless instructed to do so by F5 Support.
  15. At
    Injection Location
    , select either
    After <head>
     or
    After <body>
     for the location of the JS injection.
  16. At
    Script Attribute
    , choose an attribute that is added at the end of the injected JS, either
    Async Defer, Async, Sync,
     or
    Defer
    . This attribute determines how the JavaScript is loaded and executed.
    F5 recommends applying the
    Sync
     attribute (selected by default) to ensure optimal detection of suspicious activity. If a Script Attribute other than
    Sync
     is selected, it is possible that the CSD JS may not detect actions of other scripts running on the web page.
  17. At
    Inject in Specific Paths
    , select
    Yes
     to inject the JS in specific web pages of your web application. Select
    No
     to inject the JS in all web pages of your web application.
    • Injection Paths:
       If
      Inject in Specific Paths = Yes
      , enter here the relative paths of the webpages in your application to receive the JS injections. You can use
      /*
       for wildcard pattern matching.
  18. At
    Exclude Injection from Specific Paths
    , select
    Yes
     to exclude the JS injection from specific web pages in your web application.
    • Excluded Paths
      : If
      Exclude Injection from Specific Paths = Yes
      , enter here the relative paths of the web pages in your application that the JS injections should be excluded from. You can use
      /*
       for wildcard pattern matching.
    • If a webpage is selected to both receive the JS injection and to be excluded from the JS injection, the exclude will override the include and the webpage will not receive the JS injection.
    • If you are also applying Application Traffic Insight (ATI) on your web application, and you exclude a path from the JS injection in the CSD profile but that same path is included for JS injection in ATI, the exclusion in CSD is nullified and the path receives the JS injection in both CSD and ATI.
  19. At
    Add Connecting IP to Headers
    , select
    Yes
    to add a new header with a connecting IP to the HTTP request.
    If you want the connecting IP to be added to the XFF header, do that in an HTTP profile attached to one of the web application’s virtual servers.
  20. At
    Connecting IP Header Name
    , do not change the header name here unless instructed to do so by F5 Support.
    This setting is displayed only if Add Connecting IP to Headers = Yes.
  21. At
    iRules
    , select iRules to attach to the
    API Domain Pool
    or
    Proxy Pool
    . iRules help automate the intercepting, processing, and routing of CSD-related traffic to the CSD backend server.
    • Enabled:
       Lists the iRules on the system that are already applied to the
      API Domain Pool
      or
      Proxy Pool
      . The BIG-IP applies iRules in the order that they appear in the list. You can change the order using the up and down buttons.
    • Available:
       Lists the iRules on the system that are available to apply on the
      API Domain Pool
      or
      Proxy Pool
      .
  22. Click
    Save
    .
After you have configured your CSD profile, you need to assign that profile to a virtual server.
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information