Manual Chapter: Configuring AP and AI profile

Applies To:

BIG-IP Distributed Cloud Services

  • 17.1.0

Configuring AP and AI profile

Before configuring an Account Protection (AP) and Authentication Intelligence (AI) profile, you need to configure a Proxy Pool or Domain Pool, or select an existing pool during configuration. For more information, refer to BIG-IP Local Traffic Management: Basics - Introduction to pools.
Use this task to configure an AP and AI profile.
The screen elements described here are for basic configuration. Refer to the help text available in the configuration utility for details about all the fields.
  1. On the Main tab, click Distributed Cloud Services > Account Protection & Authentication Intelligence > AP and AI Profiles.
    The AP and AI Profiles screen displays the list of AP and AI profiles on the BIG-IP.
  2. Click the Create button.
    The New Profile screen opens.
  3. In the General Properties section, enter the following details:
    • In the Basic or Advanced dropdown, select Advanced.
    • In the Profile Name field, enter a unique name for the AP and AI profile.
    • In the Parent Profile field, select the AP and AI parent profile from which this profile will inherit settings.
  4. In the Service Configuration section, update the following fields:
    • In the Account Protection field, select Yes to enable Account Protection (AP) to collect the telemetry and securely process transactions.
      If Bot Defense (BD) is enabled on the same virtual server as AP, then BD processes the traffic first and can therefore block the page before the traffic is processed by AP.
    • In the Authentication Intelligence field, select Yes to enable Authentication Intelligence (AI) to extend the login session for authentic users.
      If BD and/or AP are enabled on the same virtual server as AI, then BD and/or AP process the traffic first and can therefore block the page before the traffic is processed by AI.
  5. In the Proxy Configuration section, enter the following details:
    • In the Use Proxy Server field, select Yes if you want the data to be routed through a proxy server, or select No to send data directly from the BIG-IP to the Distributed Cloud backend server.
    • In the Proxy Pool field, select an existing pool or click the + button to add a new pool.
      The Proxy Pool field is displayed when the Use Proxy Server field is set to Yes.
  6. In the API Configuration section, enter the following details:
    • In the Proxy Destination field, enter the protocol and domain from the JS URL you received in the F5 Distributed Cloud Console or from F5 Support. For example, if the JS URL https://us.gimp.zeronaught.com/__imp_apg__/js/ab123_abcdefg-12345678.js is received, then you would enter https://us.gimp.zeronaught.com. Optionally, you can add a port number if you are instructed to by F5 Support. For example, https://us.gimp.zeronaught.com:550.
      The Proxy Destination field is displayed when the Use Proxy Server field is set to Yes.
    • In the Domain Pool field, select an existing pool or click the + button to add a new pool.
      The Domain Pool field is displayed when the Use Proxy Server field is set to No.
    • In the Hostname field, enter the hostname or IP address.
      The Hostname field is displayed when the Use Proxy Server field is set to No.
    • In the SSL Profile field, select the profile that attaches to a new virtual server for routing traffic to the service pool.
    • In the JavaScript Path field, enter the path starting with /__imp_apg__/ in the JS URL that you received in the Distributed Cloud Console or from F5 Support. For example, if the JS URL https://us.gimp.zeronaught.com/__imp_apg__/js/ab123_abcdefg-12345678.js is received, then use the path /__imp_apg__/js/ab123_abcdefg-12345678.js.
    • In the Customer ID field, enter the ID that you received from the Distributed Cloud Console. The ID can be taken from the JavaScript Path. For example, if the JavaScript Path is /__imp_apg__/js/ab123_abcdefg-12345678.js, then the Customer ID is ab123_abcdefg-12345678.
    • In the Telemetry Path Prefix field, enter the value provided by F5 Support.
  7. In the Cookie Decryption and Processing section, enter the following details:
    • In the Decrypt Cookie field, select Yes if you want the BIG-IP to decrypt the encrypted cookie on protected endpoints, or select No to forward the cookie to the origin server without processing.
    • In the Encryption Key (Base64) field, enter the value provided by F5 Support.
    • In the Protected Endpoints field, click the Add button and use the following settings to configure which endpoints will be protected:
      When you enter a value in a path field while configuring an AP and AI profile in TMSH or the WebUI, the special character ? is displayed with a \ as a prefix. This has no impact on functionality. For example, a path configured with the query parameter /hello?age=20 is displayed as /hello\?age=20, where an additional backslash is added before the special character ?.
      • In the Host field, enter the hostname or IP address of the application to be protected by AP. You can add a port number if you are using a port that is not standard for HTTP or HTTPS.
      • In the Path field, enter the path to the application to be protected by AP. For example, /login.
      • In the Account Protection field, select Yes to enable AP protection for the endpoint.
      • In the Enforcement Mode field, select Monitor to collect the telemetry or select Mitigate to block or redirect the HTTP request.
      • In the Mitigation Action field, select the mitigation action that the BIG-IP should take if a malicious HTTP request is detected on the endpoint.
      • In the Mitigate Missing Cookie field, select Yes to mitigate the request if the cookie is missing.
        When an ASM policy is in use, the client browser might not add the AP cookie to its first request to the virtual server, so the initial client request to the AP endpoint might be blocked because of the missing AP cookie. In that case, set the Mitigate Missing Cookie field to No for that particular endpoint.
      • In the Mitigate Malformed Cookie field, select Yes to mitigate the request if the cookie is malformed.
      • In the Mitigate Cookie Age field, select Yes to mitigate the request if the cookie age is more than the configured maximum cookie age value.
      • In the Max Cookie Age field, enter the maximum cookie age in days.
      • In the Authentication Intelligence field, select Yes to enable AI protection for the endpoint.
      • Click the Add Endpoint button.
    • In the Recommendation Cookie Name field, enter the name of the cookie.
    • In the Account Protection Header Name field, enter the name of the AP header. The default is x-safe-fr. Do not change the header name unless instructed by F5 Support.
    • In the Authentication Intelligence Header Name field, enter the name of the AI header. The default is x-apg-sr. Do not change the header name unless instructed by F5 Support.
  8. In the Advanced Features section, enter the following details:
    • In the Add Connecting IP to Headers field, select Yes to add a new header with the connecting IP to the HTTP request.
    • In the Connecting IP Header Name field, enter the name of the connecting IP header. The default is x-iapp-real-ip. Do not change the header name unless instructed by F5 Support.
  9. Click the Save button.
    The AP and AI profile is created.
Next, assign the AP and AI profile to a virtual server. For details, refer to Assigning AP and AI Profile to Virtual Server.
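
The Proxy Destination, JavaScript Path and Customer ID values in step 6 are all derived from the same JS URL, so they can be computed and cross-checked instead of retyped by hand. The following Python is an added example, not part of the F5 documentation or tooling; the function names are hypothetical, and accepting only https URLs is an assumption of the example.

```python
from urllib.parse import urlsplit

JS_PATH_PREFIX = "/__imp_apg__/"  # prefix the JavaScript Path must start with
# Example JS URL quoted in the procedure above (not a live tenant value).
SAMPLE_JS_URL = "https://us.gimp.zeronaught.com/__imp_apg__/js/ab123_abcdefg-12345678.js"


def derive_api_fields(js_url, port=None):
    """Derive Proxy Destination, JavaScript Path and Customer ID from a JS URL."""
    parts = urlsplit(js_url.strip())
    # Assumption of this example: only https URLs are accepted.
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("JS URL must be https://<domain>/...")
    if parts.query or parts.fragment:
        raise ValueError("JS URL must not carry a query string or fragment")
    if not parts.path.startswith(JS_PATH_PREFIX):
        raise ValueError(f"path must start with {JS_PATH_PREFIX}")
    filename = parts.path.rsplit("/", 1)[-1]
    if not filename.endswith(".js") or filename == ".js":
        raise ValueError("path must end in a .js file name")
    # A port is appended only when one is supplied (per F5 Support) or present in the URL.
    effective_port = port if port is not None else parts.port
    if effective_port is not None and not 1 <= int(effective_port) <= 65535:
        raise ValueError("port out of range")
    destination = f"{parts.scheme}://{parts.hostname}"
    if effective_port is not None:
        destination += f":{effective_port}"
    return {
        "proxy_destination": destination,
        "javascript_path": parts.path,
        "customer_id": filename[: -len(".js")],  # file name without the .js suffix
    }


def mismatches(js_url, configured, port=None):
    """Names of configured fields that differ from the values derived from js_url."""
    expected = derive_api_fields(js_url, port)
    return sorted(k for k, v in expected.items() if configured.get(k, "").strip() != v)


if __name__ == "__main__":
    for name, value in derive_api_fields(SAMPLE_JS_URL).items():
        print(f"{name}: {value}")
```

mismatches() can be run against values copied out of an existing profile to catch a mistyped Customer ID or JavaScript Path before the profile is assigned to a virtual server.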