Applies To:
BIG-IP ASM
- 14.0.1, 14.0.0
Adding BIG-IP DataSafe to the BIG-IP System
Overview: Adding BIG-IP DataSafe to the BIG-IP system
F5® Networks security provides BIG-IP® DataSafe™, which protects users from Trojan attacks by encrypting data at the application layer on the client side. Encryption is performed on the client side using a public key that the BIG-IP system generates and provides uniquely per session. When the BIG-IP system receives the encrypted information, it decrypts it using a private key that is kept on the server side. Users can view alerts on potential encryption attacks in the Data Protection log in the BIG-IP system, or in a remote syslog server if you choose to configure one for receiving alerts.
To use BIG-IP DataSafe in the BIG-IP system, you need to provision Fraud Protection Service (FPS) for BIG-IP DataSafe, create a BIG-IP DataSafe profile, create a virtual server, and associate the profile with that virtual server.
- The DataSafe Main JavaScript protects web applications with the content type text/html. If your web application is based on a different content type, you cannot apply the DataSafe Main JavaScript protection on it.
- In most cases, the virtual server that you will create for your profile will be an SSL virtual server.
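The per-session key flow described in the overview, sketched as an added example that is not F5 code and does not reflect how DataSafe is actually implemented: RSA-OAEP, the Node.js `crypto` calls, and every name here (`startSession`, `encryptField`, `decryptField`, the sample value) are assumptions chosen for illustration. It shows that the protected field crosses the network as ciphertext and that the key of a different session cannot decrypt it.

```javascript
// Added illustration, not F5 code. RSA-OAEP and all names are assumptions.
const crypto = require('node:crypto');

// Server side: one key pair per session; only the public key leaves the server.
const sessions = new Map();
function startSession(sessionId) {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  sessions.set(sessionId, privateKey);
  return publicKey.export({ type: 'spki', format: 'pem' });
}

// Client side: encrypt the sensitive field before it goes into the request body.
function encryptField(publicKeyPem, value) {
  const padding = crypto.constants.RSA_PKCS1_OAEP_PADDING;
  return crypto
    .publicEncrypt({ key: publicKeyPem, padding, oaepHash: 'sha256' },
                   Buffer.from(value, 'utf8'))
    .toString('base64');
}

// Server side: decrypt with the private key of this session only.
// Failures are returned as an alert string so the caller can log them.
function decryptField(sessionId, ciphertextB64) {
  const privateKey = sessions.get(sessionId);
  if (!privateKey) return { ok: false, alert: 'unknown session' };
  try {
    const padding = crypto.constants.RSA_PKCS1_OAEP_PADDING;
    const plain = crypto.privateDecrypt(
      { key: privateKey, padding, oaepHash: 'sha256' },
      Buffer.from(ciphertextB64, 'base64'));
    return { ok: true, value: plain.toString('utf8') };
  } catch (err) {
    return { ok: false, alert: 'decryption failed' };
  }
}

// Constructed sample run: two sessions, one protected field.
function demo() {
  const pemA = startSession('session-A');
  startSession('session-B');
  const sealed = encryptField(pemA, 'hunter2-constructed');
  return {
    wireHidesValue: !sealed.includes('hunter2'),
    sameSession: decryptField('session-A', sealed),
    otherSession: decryptField('session-B', sealed),
  };
}
console.log(demo());
```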
Provisioning Fraud Protection Service for BIG-IP DataSafe using the Configuration utility
- On the Main tab, click .
- Go to the Fraud Protection Service (FPS) row in the list of modules, and in the Provisioning column select the check box and select one of the options from the list:
  - Dedicated: Specifies that the system allocates all CPU, memory, and disk resources to one module. When you select this option, the system sets all other modules to None (Disabled).
  - Nominal: Specifies that, when first enabled, a module gets the least amount of resources required. Then, after all modules are enabled, the module gets additional resources from the portion of remaining resources.
  - Minimum: Specifies that when the module is enabled, it gets the least amount of resources required. No additional resources are ever allocated to the module.
- Click Submit.
Provisioning Fraud Protection Service for BIG-IP DataSafe using TMSH
Creating a node for a remote syslog server
Before creating a node for a remote syslog server, you must first provision FPS for BIG-IP DataSafe.
Creating a node for a remote syslog server is only necessary if you want alerts sent to a remote syslog server. If you don't want alerts sent to a remote syslog server, skip this section.
Creating a pool for a remote syslog server
Before creating a pool for a remote syslog server, you should create a node for the remote syslog server.
Creating a pool for a remote syslog server is only necessary if you want alerts sent to a remote syslog server. If you don't want alerts sent to a remote syslog server, skip this section.
Creating a web application server node
Local traffic pools use nodes as resources for load balancing. A node is an IP address that represents a server resource, which hosts applications.
- If you plan to add your BIG-IP DataSafe profile to an existing virtual server (i.e., you are not going to create a new virtual server for your profile), you do not need to create a new web application node.
- An alternate way to create a node is to create a pool member. When you create a pool member, the BIG-IP system automatically creates the corresponding node. For example, if you create pool member 10.10.20.30:80, the system automatically creates a node with the address 10.10.20.30.
Creating a web application pool
- If you plan to add your BIG-IP DataSafe profile to an existing virtual server (i.e., you are not going to create a new virtual server for your profile), you do not need to create a new web application pool.
- Repeat the following steps for each desired pool.
Creating a remote high-speed log destination
Creating a log publisher
Creating an initial BIG-IP DataSafe profile
Overview: Creating an initial profile
Typically, when you create your initial profile, you will want to:
- Set general properties for the profile in the Profile Properties screen
- Define URLs to be included in the profile
- Set one of the URLs to be a login page
- Configure a post-login URL (in certain situations)
Therefore, the instructions for creating an initial profile are presented according to these four stages.
Configuring general properties for a BIG-IP DataSafe profile
Defining URLs in the profile
Setting a URL or SPA view to be a login page
Set a URL or Single Page Application (SPA) view in your profile to be a login page if you want to encrypt data on a login page in your web site.