F5 Logo MyF5
Search
  1. MyF5 Home
  2. BIG-IP Distributed Cloud Services: AP and AI Implementation
  3. Configuring AP and AI profile
Manual Chapter : Configuring AP and AI profile

Applies To:

Show Versions Show Versions

BIG-IP Distributed Cloud Services

  • 17.5.0, 17.1.2, 17.1.1, 17.1.0
Manual Chapter

Configuring AP and AI profile

Configuring AP and AI profile

Before configuring Account Protection (AP) and Authentication Intelligence (AI) profile you need to configure a Proxy Pool or Domain Pool, or select an existing pool during configuration. For more information, refer to BIG-IP Local Traffic Management: Basics - Introduction to pools.
Use this task to configure AP and AI profile.
The screen elements described here are for basic configuration. Refer to the help text available in the configuration utility for details about all the fields.
  1. On the Main tab, click
    Distributed Cloud Services
    Account Protection & Authentication Intelligence
    AP and AI Profiles
    .
    The AP and AI Profiles screen displays the list of AP and AI profiles on the BIG-IP.
  2. Click the
    Create
     button.
    The New Profile screen opens.
  3. In the General Properties section, enter the following details:
    • In the Basic or Advanced dropdown, select
      Advanced
      .
    • In
      Profile Name
       field, enter a unique name for the AP and AI profile.
    • In
      Parent Profile
       field, select the AP and AI parent profile from which this profile will inherit settings.
  4. In Service Configuration section, update the following fields:
    • In
      Account Protection
       field, select
      Yes
       to enable Account Protection (AP) to collect the telemetry and securely process transactions.
      If Bot Defense (BD) is enabled on the same virtual server as AP, then BD processes the traffic first and therefore can block the page before traffic is processed by AP.
    • In
      Authentication Intelligence
       field, select
      Yes
       to enable Authentication Intelligence (AI) to extend the login session for authentic users.
      If BD and/or AP are enabled on the same virtual server as AI, then BD and/or AP processes the traffic first and therefore can block the page before traffic is processed by AI.
  5. In the Proxy Configuration section, enter the following details:
    • In
      Use Proxy Server
       field, select
      Yes
       if you want the data to be routed through a proxy server or select
      No
       to send data directly from the BIG-IP to the Distributed Cloud backend server.
    • In
      Proxy Pool
       field, select an existing pool or click the
      +
       button to add a new pool.
      The
      Proxy Pool
       field is displayed when the
      Use Proxy Server
       field is set to
      Yes
      .
  6. In the API Configuration section, enter the following details:
    • In
      Proxy Destination
       field, enter the protocol and domain from the JS URL you received in the F5 Distributed Cloud Console or from F5 Support. For example, if the JS URL
      https://us.gimp.zeronaught.com/__imp_apg__/js/ab123_abcdefg-12345678.js
       is received, then you would enter
      https://us.gimp.zeronaught.com
      . Optionally, you can add a port number if you are instructed by F5 support. For example,
      https://us.gimp.zeronaught.com:550
      .
      The
      Proxy Destination
       field is displayed when the
      Use Proxy Server
       field is set to
      Yes
      .
    • In
      Domain Pool
       field, select an existing pool or click the
      +
       button to add a new pool.
      The
      Domain Pool
       field is displayed when the
      Use Proxy Server
       field is set to
      No
      .
    • In
      Hostname
       field, enter the hostname or IP address.
      The
      Hostname
       field is displayed when the
      Use Proxy Server
       field is set to
      No
      .
    • In
      SSL Profile
       field, select the profile that attaches to a new virtual server for routing traffic to the service pool.
    • In
      JavaScript Path
       field, enter the path starting with
      /__imp_apg__/
       in the JS URL that you received in the Distributed Cloud Console or from F5 Support. For example, if the JS URL
      https://us.gimp.zeronaught.com/__imp_apg__/js/ab123_abcdefg-12345678.js
       is received, then use the path
      /__imp_apg__/js/ab123_abcdefg-12345678.js
      .
    • In
      Customer ID
       field, enter the ID that you received from the Distributed Cloud Console. The ID can be taken from the JavaScript Path. For example, if the JavaScript Path is
      /__imp_apg__/js/ab123_abcdefg-12345678.js
      , then the Customer ID is
      ab123_abcdefg-12345678
      .
    • In
      Telemetry Path Prefix
       field, enter the value provided by F5 Support.
  7. In the Cookie Decryption and Processing section, enter the following details:
    • In
      Decrypt Cookie
       field, select
      Yes
       if you want the BIG-IP to decrypt the encrypted cookie on protected endpoints or select
      No
       to forward the cookie to the origin server without processing.
    • In
      Encryption Key (Base64)
       field, enter the value provided by F5 Support.
    • In
      Protected Endpoints
       field, click
      Add
       button and use the following settings to configure which endpoints will be protected:
      In TMSH and WebUI while configuring AP and AI profile, when entering value in path fields the special character
      ?
       will display a
      \
       as a prefix. This has no impact on functionality. For example, during path configuration in query parameter
      /hello?age=20
       is displayed as
      /hello\?age=20
      , where an additional backslash is added before special character
      ?
      .
      • In
        Host
         field, enter the hostname or IP address of the application to be protected by AP. You can add a port number if you are using a port that is not standard for HTTP or HTTPS.
      • In
        Path
         field, enter the path to the application to be protected by AP. For example,
        /login
        .
      • In
        Account Protection
         field, select
        Yes
         to enable AP protection to the endpoint.
      • In
        Enforcement Mode
         field, select
        Monitor
         to collect the telemetry or select
        Mitigate
         to block or redirect the HTTP request.
      • In
        Mitigation Action
         field, select the mitigation action that the BIG-IP should take if a malicious HTTP request is detected on the endpoint.
      • In
        Mitigate Missing Cookie
         field, select
        Yes
         to mitigate the request if the cookie is missing.
        The AP cookie might not be added from the client browser for the first request towards virtual server when ASM policy is being used. The initial client request towards AP endpoint might get blocked due to missing AP cookie. Set the
        Mitigate Missing Cookie
         field to
        No
         for the particular endpoint.
      • In
        Mitigate Malformed Cookie
         field, select
        Yes
         to mitigate the request if the cookie is malformed.
      • In
        Mitigate Cookie Age
         field, select
        Yes
         to mitigate the request if the cookie age is more than the configured maximum cookie age value.
      • In
        Max Cookie Age
         field, enter the maximum cookie age in days.
      • In
        Authentication Intelligence
         field, select
        Yes
         to enable AI protection to the endpoint.
      • Click
        Add Endpoint
         button.
    • In
      Recommendation Cookie Name
       field, enter the name of the cookie
    • In
      Account Protection Header Name
       field, enter the name of the AP header. The default is
      x-safe-fr
      , do not change the header name unless instructed by F5 Support.
    • In
      Authentication Intelligence Header Name
       field, enter the name of the AI header. The default is
      x-apg-sr
      , do not change the header name unless instructed by F5 Support.
  8. In the Advanced Features section, enter the following details:
    • In
      Add Connecting IP to Headers
       field, select
      Yes
       to add a new header with a connecting IP to the HTTP request.
    • In
      Connecting IP Header Name
       field, enter the name of the connecting IP header. The default is
      x-iapp-real-ip
      , do not change the header name unless instructed by F5 Support.
  9. Click
    Save
     button.
    The AP and AI profile is created.
Assign the AP and AI profile to Virtual Server, refer to Assigning AP and AI Profile to Virtual Server.
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information