Manual Chapter : Configuring an ATI Profile

Applies To:

Show Versions Show Versions

BIG-IP Distributed Cloud Services

  • 17.1.0
Manual Chapter

Configuring an ATI Profile

Configuring an ATI Profile - Basic Configuration

Before configuring an ATI profile in the BIG-IP, you need to first add your web application to the ATI Dashboard in the F5 Distributed Cloud Console and choose BIG-IP for the JavaScript injection method.
The instructions in the section explain how to configure an ATI profile using the Basic Configuration. However, some of the ATI Profile settings are assigned default values and can be changed by choosing Advanced Configuration. For example:
  • By default all web pages in the web application receive the ATI JS injection, but you can modify this to include only certain pages or exclude certain pages by choosing Advanced Configuration.
  • By default the ATI JS is injected after the <head> tag, but you can change this to after the <body> tag by choosing Advanced Configuration.
  • iRules for automating interception, processing, and routing of ATI-related traffic to the ATI backend server can be attached to the API Domain Pool or Proxy Pool by choosing Advanced Configuration.
If you are configuring a standard deployment for the U.S. cluster, F5 recommends using the Basic Configuration.
  1. On the Main tab, click
    Distributed Cloud Services
    Application Traffic Insight
    ATI Profiles
    .
    The ATI Profiles screen displays the list of ATI profiles on the BIG-IP.
  2. Click
    Create
    .
    The New ATI Profile screen opens.
  3. In the Basic/Advanced Toggle, ensure that
    Basic
    is selected.
  4. In the
    Profile Name
    field, enter a unique name for the ATI profile.
  5. In the
    Parent Profile
    field, select an existing ATI profile from which the current profile will inherit undefined properties.
    The system-supplied
    ati
    parent profile is assigned by default.
  6. Optional:
    In the
    Description
    field, enter a description of the profile.
  7. At
    Use Proxy Server
    , select
    Yes
    if you want to route data via a proxy server so that it won't be sent directly from the BIG-IP to the ATI backend server.
    Some deployments may require proxy support with basic authentication to control outbound traffic towards internet.
  8. If
    Use Proxy Server
    is
    No
    :
    • At
      Domain Pool
      : If you are creating an ATI profile for the first time, click the
      +
      button to create a new pool using the domain you received in JS URL in F5 Distributed Cloud Console (or from F5 Support).
      For example, if you received the following JS URL:
      https://us.gimp.zeronaught.com/__imp_apg__/js/volt-volterra_abcdefg-12345678.js
      use the domain
      us.gimp.zeronaught.com
      when creating the pool.
      Also, when configuring the Domain Pool, use port 443 for the HTTPS protocol.
  9. If
    Use Proxy Server
    is
    Yes
    :
    • At
      Proxy Pool
      : Select a Proxy Pool from the drop-down list, or click the
      +
      button to configure a new proxy pool.
      If you click the
      +
      button, the pool configuration screen appears. In the pool configuration screen, create a new pool with explicit proxy nodes. When you click
      Finish
      in the pool configuration screen, you return to the ATI Profile properties screen.
    • At
      Proxy Username
      : Enter a user name for proxy authorization. This setting is needed only if your proxy server requires this.
    • At
      Proxy Password
      : Enter a password for proxy authorization. This setting is needed only if your proxy server requires this.
    • At
      Proxy Destination
      : Enter here the protocol and domain from the JS URL you received in the F5 Distributed Cloud Console (or from F5 Support).
      For example, if you received the following JS URL:
      https://us.gimp.zeronaught.com/__imp_apg__/js/volt-volterra_abcdefg-12345678.js
      ,
      enter here:
      https://us.gimp.zeronaught.com
      .
      Optionally, you can add a port number if you are using a port that is not standard for http or https. Using the example above, if you want to use port 550, enter here:
      https://us.gimp.zeronaught.com:550
      .
  10. At
    SSL Profile
    , select an SSL profile that will be attached to a new virtual server for routing traffic to the Service Pool.
  11. At
    JavaScript Path
    , enter the path starting with
    /__imp_apg__/
    in the JS URL that you received in the F5 Distributed Cloud Console (or from F5 Support).
    For example, if you received the following JS URL:
    https://us.gimp.zeronaught.com/__imp_apg__/js/volt-volterra_abcdefg-12345678.js
    , use the path
    /__imp_apg__/js/volt-volterra_abcdefg-12345678.js
    .
  12. At
    Customer ID
    , enter your Customer ID that you received from the F5 Distributed Cloud Console. Usually, this can be taken from the JavaScript Path. For example, if the JavaScript Path is
    /__imp_apg__/js/volt-volterra_abcdefg-12345678.js
    , the Customer ID is
    volt-volterra_abcdefg-12345678
    .
  13. If you do not want the ATI server in the cloud to receive data traffic collected by the BIG-IP, set
    Use Bot Assessment Service = No.
    When this setting is set to
    Yes
    , the BIG-IP collects data traffic and sends it to the ATI server in the cloud. The ATI server analyzes that traffic to detect bots. Some of the bots detected in the BIG-IP traffic cannot be detected by the ATI client-side JavaScript and therefore F5 recommends leaving this setting enabled unless there is a strong customer need to disable it.
  14. If
    Use Bot Assessment Service = Yes
    :
    • At
      Domain Pool
      , if you are creating an ATI profile for the first time, click the
      +
      button to create a new pool using the Bot Assessment domain that you received in the F5 Distributed Cloud Console (or from F5 Support).
      If you have already created a Bot Assessment Domain Pool in a previous ATI profile, you can select that pool from the drop-down list.
      This setting is displayed only if
      Use Proxy Server = No
      .
    • At
      Proxy Destination
      , enter the Bot Assessment URL you received in the F5 Distributed Cloud Console (or from F5 Support).
      This setting is displayed only if
      Use Proxy Server = Yes
      .
    • At
      SSL Profile
      , select an SSL profile that will be attached to a new virtual server for routing traffic to the Service Pool.
  15. Click
    Save
    .
After you have configured your ATI profile, you need to assign that profile to a virtual server.

Configuring an ATI Profile - Advanced Configuration

Before configuring an ATI profile in the BIG-IP, you need to first add your web application to the ATI Dashboard in the F5 Distributed Cloud Console and choose BIG-IP for the JavaScript injection method.
Some of the ATI Profile settings are assigned default values and can be changed by choosing Advanced Configuration. For example:
  • By default all web pages in the web application receive the ATI JS injection, but you can modify this to include only certain pages or exclude certain pages by choosing Advanced Configuration.
  • By default the ATI JS is injected after the <head> tag, but you can change this to after the <body> tag by choosing Advanced Configuration.
  • iRules for automating interception, processing, and routing of ATI-related traffic to the ATI backend server can be attached to the API Domain Pool or Proxy Pool by choosing Advanced Configuration.
If you are configuring a standard deployment for the U.S. cluster, F5 recommends using the Basic Configuration.
  1. On the Main tab, click
    Distributed Cloud Services
    Application Traffic Insight
    ATI Profiles
    .
    The ATI Profiles screen displays the list of ATI profiles on the BIG-IP.
  2. Click
    Create
    .
    The New ATI Profile screen opens.
  3. In the Basic/Advanced Toggle, select
    Advanced
    .
  4. In the
    Profile Name
    field, enter a unique name for the ATI profile.
  5. In the
    Parent Profile
    field, select an existing ATI profile from which the current profile will inherit undefined properties.
    The system-supplied
    ati
    parent profile is assigned by default.
  6. Optional:
    In the
    Description
    field, enter a description of the profile.
  7. At
    Use Proxy Server
    , select
    Yes
    if you want to route data via a proxy server so that it won't be sent directly from the BIG-IP to the ATI backend server.
    Some deployments may require proxy support with basic authentication to control outbound traffic towards internet.
  8. If
    Use Proxy Server
    is
    No
    :
    • At
      Domain Pool
      : If you are creating an ATI profile for the first time, click the
      +
      button to create a new pool using the domain you received in JS URL in F5 Distributed Cloud Console (or from F5 Support).
      For example, if you received the following JS URL:
      https://us.gimp.zeronaught.com/__imp_apg__/js/volt-volterra_abcdefg-12345678.js
      use the domain
      us.gimp.zeronaught.com
      when creating the pool.
      Also, when configuring the Domain Pool, use port 443 for the HTTPS protocol.
    • At
      Hostname
      : Do not change this name without consulting F5 Support. This name is generated automatically based on the Domain Pool you select.
  9. If
    Use Proxy Server
    is
    Yes
    :
    • At
      Proxy Pool
      : Select a Proxy Pool from the drop-down list, or click the
      +
      button to configure a new proxy pool.
      If you click the
      +
      button, the pool configuration screen appears. In the pool configuration screen, create a new pool with explicit proxy nodes. When you click
      Finish
      in the pool configuration screen, you return to the ATI Profile properties screen.
    • At
      Proxy Username
      : Enter a user name for proxy authorization. This setting is needed only if your proxy server requires this.
    • At
      Proxy Password
      : Enter a password for proxy authorization. This setting is needed only if your proxy server requires this.
    • At
      Proxy Destination
      : Enter here the protocol and domain from the JS URL you received in the F5 Distributed Cloud Console (or from F5 Support).
      For example, if you received the following JS URL:
      https://us.gimp.zeronaught.com/__imp_apg__/js/volt-volterra_abcdefg-12345678.js
      ,
      enter here:
      https://us.gimp.zeronaught.com
      .
      Optionally, you can add a port number if you are using a port that is not standard for http or https. Using the example above, if you want to use port 550, enter here:
      https://us.gimp.zeronaught.com:550
      .
  10. At
    SSL Profile
    , select an SSL profile that will be attached to a new virtual server for routing traffic to the Service Pool.
  11. At
    JavaScript Path
    , enter the path starting with
    /__imp_apg__/
    in the JS URL that you received in the F5 Distributed Cloud Console (or from F5 Support).
    For example, if you received the following JS URL:
    https://us.gimp.zeronaught.com/__imp_apg__/js/volt-volterra_abcdefg-12345678.js
    , use the path
    /__imp_apg__/js/volt-volterra_abcdefg-12345678.js
    .
  12. At
    Customer ID
    , enter your Customer ID that you received from the F5 Distributed Cloud Console. Usually, this can be taken from the JavaScript Path. For example, if the JavaScript Path is
    /__imp_apg__/js/volt-volterra_abcdefg-12345678.js
    , the Customer ID is
    volt-volterra_abcdefg-12345678
    .
  13. At
    Telemetry Path
    , do not change the path here unless instructed to do so by F5 Support.
  14. At
    Injection Location
    , select either
    After <head>
    or
    After <body>
    for the location of the JS injection.
  15. At
    Script Attribute
    , choose an attribute that is added at the end of the injected JS, either
    Async Defer, Async, Sync,
    or
    Defer
    . This attribute determines how the JavaScript is loaded and executed.
  16. At
    Inject in Specific Paths
    , select
    Yes
    to inject the JS in specific web pages of your web application. Select
    No
    to inject the JS in all web pages of your web application.
    • If
      Inject in Specific Paths
      is
      Yes
      , at Injection Paths enter the relative paths of the webpages in your application to receive the JS injections. You can use
      /*
      for wildcard pattern matching.
  17. At
    Exclude Injection from Specific Paths
    , select
    Yes
    to exclude the JS injection from specific web pages in your web application.
    • If
      Exclude Injection from Specific Paths
      is
      Yes
      , enter the relative paths of the web pages in your application that the JS injections should be excluded from. You can use
      /*
      for wildcard pattern matching.
    • If a webpage is selected to both receive the JS injection and to be excluded from the JS injection, the exclude will override the include and the webpage will not receive the JS injection.
    • If you are also applying Client-Side Defense (CSD) on your web application, and you exclude a path from the JS injection in the ATI profile but that same path is included for JS injection in CSD, the exclusion in ATI is nullified and the path receives the JS injection in both CSD and ATI.
  18. At
    Add Connecting IP to Headers
    , select
    Yes
    to add a new header with a connecting IP to the HTTP request.
    If you want the connecting IP to be added to the XFF header, do that in an HTTP profile attached to one of the web application’s virtual servers.
  19. At
    Connecting IP Header Name
    , do not change the header name unless instructed to do so by F5 Support.
    This setting is displayed only if
    Add Connecting IP to Headers
    is
    Yes
    .
  20. At
    iRules
    , select iRules to attach to the
    Domain Pool
    or
    Proxy Pool
    . iRules help automate the intercepting, processing, and routing of ATI-related traffic to the ATI backend server.
    • Enabled:
      Lists the iRules on the system that are already applied to the
      Domain Pool
      or
      Proxy Pool
      . The BIG-IP applies iRules in the order that they appear in the list. You can change the order using the up and down buttons.
    • Available:
      Lists the iRules on the system that are available to apply on the
      Domain Pool
      or
      Proxy Pool
      .
  21. If you do not want the ATI server in the cloud to receive data traffic collected by the BIG-IP, set
    Use Bot Assessment Service = No.
    When this setting is set to
    Yes
    , the BIG-IP collects data traffic and sends it to the ATI server in the cloud. The ATI server analyzes that traffic to detect bots. Some of the bots detected in the BIG-IP traffic cannot be detected by the ATI client-side JavaScript and therefore F5 recommends leaving this setting enabled unless there is a strong customer need to disable it.
  22. If
    Use Bot Assessment Service = Yes
    :
    • At
      Domain Pool
      , if you are creating an ATI profile for the first time, click the
      +
      button to create a new pool using the Bot Assessment domain that you received in the F5 Distributed Cloud Console (or from F5 Support).
      If you have already created a Bot Assessment Domain Pool in a previous ATI profile, you can select that pool from the drop-down list.
      This setting is displayed only if
      Use Proxy Server = No
      .
    • At
      Hostname
      : Do not change this name without consulting F5 Support. This name is generated automatically based on the Domain Pool you select.
      This setting is displayed only if
      Use Proxy Server = No
      .
    • At
      Proxy Destination
      , enter the Bot Assessment URL you received in the F5 Distributed Cloud Console (or from F5 Support).
      This setting is displayed only if
      Use Proxy Server = Yes
      .
    • At
      SSL Profile
      , select an SSL profile that will be attached to a new virtual server for routing traffic to the Service Pool.
    • At
      Telemetry Path
      , do not change the path here unless instructed to do so by F5 Support.
  23. Click
    Save
    .
After you have configured your ATI profile, you need to assign that profile to a virtual server.