Manual Chapter :
Configuring an ATI Profile
Applies To:
Show VersionsBIG-IP Distributed Cloud Services
- 17.1.2, 17.1.1, 17.1.0
Configuring an ATI Profile
Configuring an ATI Profile - Basic Configuration
Before configuring an
ATI profile in the BIG-IP, you need to first add your web application to the ATI
Dashboard in the F5 Distributed Cloud Console and choose BIG-IP for the JavaScript
injection method.
The instructions in the section explain how to
configure an ATI profile using the Basic Configuration. However, some of the ATI Profile
settings are assigned default values and can be changed by choosing Advanced
Configuration. For example:
- By default all web pages in the web application receive the ATI JS injection, but you can modify this to include only certain pages or exclude certain pages by choosing Advanced Configuration.
- By default the ATI JS is injected after the <head> tag, but you can change this to after the <body> tag by choosing Advanced Configuration.
- iRules for automating interception, processing, and routing of ATI-related traffic to the ATI backend server can be attached to the API Domain Pool or Proxy Pool by choosing Advanced Configuration.
If you are configuring a standard
deployment for the U.S. cluster, F5 recommends using the Basic
Configuration.
- On the Main tab, click.The ATI Profiles screen displays the list of ATI profiles on the BIG-IP.
- ClickCreate.The New ATI Profile screen opens.
- In the Basic/Advanced Toggle, ensure thatBasicis selected.
- In theProfile Namefield, enter a unique name for the ATI profile.
- In theParent Profilefield, select an existing ATI profile from which the current profile will inherit undefined properties.The system-suppliedatiparent profile is assigned by default.
- Optional:In theDescriptionfield, enter a description of the profile.
- AtUse Proxy Server, selectYesif you want to route data via a proxy server so that it won't be sent directly from the BIG-IP to the ATI backend server.Some deployments may require proxy support with basic authentication to control outbound traffic towards internet.
- IfUse Proxy ServerisNo:
- AtDomain Pool: If you are creating an ATI profile for the first time, click the+button to create a new pool using the domain you received in JS URL in F5 Distributed Cloud Console (or from F5 Support).For example, if you received the following JS URL:https://us.gimp.zeronaught.com/__imp_apg__/js/volt-volterra_abcdefg-12345678.jsuse the domainus.gimp.zeronaught.comwhen creating the pool.Also, when configuring the Domain Pool, use port 443 for the HTTPS protocol.
- IfUse Proxy ServerisYes:
- AtProxy Pool: Select a Proxy Pool from the drop-down list, or click the+button to configure a new proxy pool.If you click the+button, the pool configuration screen appears. In the pool configuration screen, create a new pool with explicit proxy nodes. When you clickFinishin the pool configuration screen, you return to the ATI Profile properties screen.
- AtProxy Username: Enter a user name for proxy authorization. This setting is needed only if your proxy server requires this.
- AtProxy Password: Enter a password for proxy authorization. This setting is needed only if your proxy server requires this.
- AtProxy Destination: Enter here the protocol and domain from the JS URL you received in the F5 Distributed Cloud Console (or from F5 Support).For example, if you received the following JS URL:https://us.gimp.zeronaught.com/__imp_apg__/js/volt-volterra_abcdefg-12345678.js,enter here:https://us.gimp.zeronaught.com.Optionally, you can add a port number if you are using a port that is not standard for http or https. Using the example above, if you want to use port 550, enter here:https://us.gimp.zeronaught.com:550.
- AtSSL Profile, select an SSL profile that will be attached to a new virtual server for routing traffic to the Service Pool.
- AtJavaScript Path, enter the path starting with/__imp_apg__/in the JS URL that you received in the F5 Distributed Cloud Console (or from F5 Support).For example, if you received the following JS URL:https://us.gimp.zeronaught.com/__imp_apg__/js/volt-volterra_abcdefg-12345678.js, use the path/__imp_apg__/js/volt-volterra_abcdefg-12345678.js.
- AtCustomer ID, enter your Customer ID that you received from the F5 Distributed Cloud Console. Usually, this can be taken from the JavaScript Path. For example, if the JavaScript Path is/__imp_apg__/js/volt-volterra_abcdefg-12345678.js, the Customer ID isvolt-volterra_abcdefg-12345678.
- If you do not want the ATI server in the cloud to receive data traffic collected by the BIG-IP, setUse Bot Assessment Service = No.When this setting is set toYes, the BIG-IP collects data traffic and sends it to the ATI server in the cloud. The ATI server analyzes that traffic to detect bots. Some of the bots detected in the BIG-IP traffic cannot be detected by the ATI client-side JavaScript and therefore F5 recommends leaving this setting enabled unless there is a strong customer need to disable it.
- IfUse Bot Assessment Service = Yes:
- AtDomain Pool, if you are creating an ATI profile for the first time, click the+button to create a new pool using the Bot Assessment domain that you received in the F5 Distributed Cloud Console (or from F5 Support).If you have already created a Bot Assessment Domain Pool in a previous ATI profile, you can select that pool from the drop-down list.This setting is displayed only ifUse Proxy Server = No.
- AtProxy Destination, enter the Bot Assessment URL you received in the F5 Distributed Cloud Console (or from F5 Support).This setting is displayed only ifUse Proxy Server = Yes.
- AtSSL Profile, select an SSL profile that will be attached to a new virtual server for routing traffic to the Service Pool.
- ClickSave.
After you have
configured your ATI profile, you need to assign that profile to a virtual
server.
Configuring an ATI Profile - Advanced Configuration
Before configuring an ATI profile in the BIG-IP, you
need to first add your web application to the ATI Dashboard in the F5 Distributed Cloud
Console and choose BIG-IP for the JavaScript injection method.
Some of the ATI
Profile settings are assigned default values and can be changed by choosing Advanced
Configuration. For example:
- By default all web pages in the web application receive the ATI JS injection, but you can modify this to include only certain pages or exclude certain pages by choosing Advanced Configuration.
- By default the ATI JS is injected after the <head> tag, but you can change this to after the <body> tag by choosing Advanced Configuration.
- iRules for automating interception, processing, and routing of ATI-related traffic to the ATI backend server can be attached to the API Domain Pool or Proxy Pool by choosing Advanced Configuration.
If you are configuring a standard deployment for the
U.S. cluster, F5 recommends using the Basic Configuration.
- On the Main tab, click.The ATI Profiles screen displays the list of ATI profiles on the BIG-IP.
- ClickCreate.The New ATI Profile screen opens.
- In the Basic/Advanced Toggle, selectAdvanced.
- In theProfile Namefield, enter a unique name for the ATI profile.
- In theParent Profilefield, select an existing ATI profile from which the current profile will inherit undefined properties.The system-suppliedatiparent profile is assigned by default.
- Optional:In theDescriptionfield, enter a description of the profile.
- AtUse Proxy Server, selectYesif you want to route data via a proxy server so that it won't be sent directly from the BIG-IP to the ATI backend server.Some deployments may require proxy support with basic authentication to control outbound traffic towards internet.
- IfUse Proxy ServerisNo:
- AtDomain Pool: If you are creating an ATI profile for the first time, click the+button to create a new pool using the domain you received in JS URL in F5 Distributed Cloud Console (or from F5 Support).For example, if you received the following JS URL:https://us.gimp.zeronaught.com/__imp_apg__/js/volt-volterra_abcdefg-12345678.jsuse the domainus.gimp.zeronaught.comwhen creating the pool.Also, when configuring the Domain Pool, use port 443 for the HTTPS protocol.
- AtHostname: Do not change this name without consulting F5 Support. This name is generated automatically based on the Domain Pool you select.
- IfUse Proxy ServerisYes:
- AtProxy Pool: Select a Proxy Pool from the drop-down list, or click the+button to configure a new proxy pool.If you click the+button, the pool configuration screen appears. In the pool configuration screen, create a new pool with explicit proxy nodes. When you clickFinishin the pool configuration screen, you return to the ATI Profile properties screen.
- AtProxy Username: Enter a user name for proxy authorization. This setting is needed only if your proxy server requires this.
- AtProxy Password: Enter a password for proxy authorization. This setting is needed only if your proxy server requires this.
- AtProxy Destination: Enter here the protocol and domain from the JS URL you received in the F5 Distributed Cloud Console (or from F5 Support).For example, if you received the following JS URL:https://us.gimp.zeronaught.com/__imp_apg__/js/volt-volterra_abcdefg-12345678.js,enter here:https://us.gimp.zeronaught.com.Optionally, you can add a port number if you are using a port that is not standard for http or https. Using the example above, if you want to use port 550, enter here:https://us.gimp.zeronaught.com:550.
- AtSSL Profile, select an SSL profile that will be attached to a new virtual server for routing traffic to the Service Pool.
- AtJavaScript Path, enter the path starting with/__imp_apg__/in the JS URL that you received in the F5 Distributed Cloud Console (or from F5 Support).For example, if you received the following JS URL:https://us.gimp.zeronaught.com/__imp_apg__/js/volt-volterra_abcdefg-12345678.js, use the path/__imp_apg__/js/volt-volterra_abcdefg-12345678.js.
- AtCustomer ID, enter your Customer ID that you received from the F5 Distributed Cloud Console. Usually, this can be taken from the JavaScript Path. For example, if the JavaScript Path is/__imp_apg__/js/volt-volterra_abcdefg-12345678.js, the Customer ID isvolt-volterra_abcdefg-12345678.
- AtTelemetry Path, do not change the path here unless instructed to do so by F5 Support.
- AtInjection Location, select eitherAfter <head>orAfter <body>for the location of the JS injection.
- AtScript Attribute, choose an attribute that is added at the end of the injected JS, eitherAsync Defer, Async, Sync,orDefer. This attribute determines how the JavaScript is loaded and executed.
- AtInject in Specific Paths, selectYesto inject the JS in specific web pages of your web application. SelectNoto inject the JS in all web pages of your web application.
- IfInject in Specific PathsisYes, at Injection Paths enter the relative paths of the webpages in your application to receive the JS injections. You can use/*for wildcard pattern matching.
- AtExclude Injection from Specific Paths, selectYesto exclude the JS injection from specific web pages in your web application.
- IfExclude Injection from Specific PathsisYes, enter the relative paths of the web pages in your application that the JS injections should be excluded from. You can use/*for wildcard pattern matching.
- If a webpage is selected to both receive the JS injection and to be excluded from the JS injection, the exclude will override the include and the webpage will not receive the JS injection.
- If you are also applying Client-Side Defense (CSD) on your web application, and you exclude a path from the JS injection in the ATI profile but that same path is included for JS injection in CSD, the exclusion in ATI is nullified and the path receives the JS injection in both CSD and ATI.
- AtAdd Connecting IP to Headers, selectYesto add a new header with a connecting IP to the HTTP request.If you want the connecting IP to be added to the XFF header, do that in an HTTP profile attached to one of the web application’s virtual servers.
- AtConnecting IP Header Name, do not change the header name unless instructed to do so by F5 Support.This setting is displayed only ifAdd Connecting IP to HeadersisYes.
- AtiRules, select iRules to attach to theDomain PoolorProxy Pool. iRules help automate the intercepting, processing, and routing of ATI-related traffic to the ATI backend server.
- Enabled:Lists the iRules on the system that are already applied to theDomain PoolorProxy Pool. The BIG-IP applies iRules in the order that they appear in the list. You can change the order using the up and down buttons.
- Available:Lists the iRules on the system that are available to apply on theDomain PoolorProxy Pool.
- If you do not want the ATI server in the cloud to receive data traffic collected by the BIG-IP, setUse Bot Assessment Service = No.When this setting is set toYes, the BIG-IP collects data traffic and sends it to the ATI server in the cloud. The ATI server analyzes that traffic to detect bots. Some of the bots detected in the BIG-IP traffic cannot be detected by the ATI client-side JavaScript and therefore F5 recommends leaving this setting enabled unless there is a strong customer need to disable it.
- IfUse Bot Assessment Service = Yes:
- AtDomain Pool, if you are creating an ATI profile for the first time, click the+button to create a new pool using the Bot Assessment domain that you received in the F5 Distributed Cloud Console (or from F5 Support).If you have already created a Bot Assessment Domain Pool in a previous ATI profile, you can select that pool from the drop-down list.This setting is displayed only ifUse Proxy Server = No.
- AtHostname: Do not change this name without consulting F5 Support. This name is generated automatically based on the Domain Pool you select.This setting is displayed only ifUse Proxy Server = No.
- AtProxy Destination, enter the Bot Assessment URL you received in the F5 Distributed Cloud Console (or from F5 Support).This setting is displayed only ifUse Proxy Server = Yes.
- AtSSL Profile, select an SSL profile that will be attached to a new virtual server for routing traffic to the Service Pool.
- AtTelemetry Path, do not change the path here unless instructed to do so by F5 Support.
- ClickSave.
After you have configured your ATI profile, you need
to assign that profile to a virtual server.