Applies To:
BIG-IP ASM
- 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
Overview: Adding BIG-IP DataSafe to the BIG-IP system
BIG-IP® DataSafe™ from F5® Networks protects users from Trojan attacks by encrypting data at the application layer on the client side. Encryption is performed on the client side using a public key that is generated by the web server and provided uniquely per session. When the web server receives the encrypted information, it decrypts it using a private key that is kept on the server side. You can view alerts on potential encryption attacks in the Data Protection log in the BIG-IP system, or on a remote syslog server if you choose to configure one for receiving alerts.
To use BIG-IP DataSafe in the BIG-IP system, you need to provision Fraud Protection Service (FPS) for BIG-IP DataSafe, create a BIG-IP DataSafe profile, create a virtual server, and associate the profile with that virtual server.
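The per-session public-key flow described in the overview, sketched in Node.js as an added example. It is not F5 code and does not reproduce DataSafe's actual implementation; the use of RSA-OAEP, the function names, and the sample field value are assumptions made for illustration.

```javascript
// Added illustration only: not F5 code. RSA-OAEP and all names here are
// assumptions; the overview states only "public key per session, private key on server".
const crypto = require('node:crypto');

// Server-side store: session id -> private key. Private keys never leave the server.
const sessions = new Map();
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Server: generate a key pair for one session; only the public key goes to the client.
function startSession() {
  const sessionId = crypto.randomUUID();
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  sessions.set(sessionId, privateKey);
  return { sessionId, publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }) };
}

// Client: encrypt a form field with the session's public key before it is submitted.
function encryptField(publicKeyPem, value) {
  const ct = crypto.publicEncrypt({ key: publicKeyPem, ...OAEP }, Buffer.from(value, 'utf8'));
  return ct.toString('base64');
}

// Server: decrypt with the private key bound to this session.
// Returns null for an unknown session or a ciphertext made for a different key,
// which the server should treat as a rejected submission.
function decryptField(sessionId, ciphertextB64) {
  const privateKey = sessions.get(sessionId);
  if (!privateKey) return null;
  try {
    const pt = crypto.privateDecrypt({ key: privateKey, ...OAEP }, Buffer.from(ciphertextB64, 'base64'));
    return pt.toString('utf8');
  } catch {
    return null;
  }
}

// Walk through the exchange with a constructed field value.
function demo() {
  const a = startSession();
  const b = startSession();
  const secret = 'constructed-password-123'; // constructed sample input
  const wire = encryptField(a.publicKeyPem, secret);
  return {
    wireHidesValue: !Buffer.from(wire, 'base64').includes(Buffer.from(secret)),
    sameSession: decryptField(a.sessionId, wire),   // decrypts in the session it was made for
    otherSession: decryptField(b.sessionId, wire),  // fails against another session's key
    randomized: encryptField(a.publicKeyPem, secret) !== wire, // OAEP output differs each time
  };
}
```

Because the key pair is bound to one session, a value captured from the submitted form data is ciphertext that does not decrypt in any other session.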
Task Summary
Provisioning Fraud Protection Service for BIG-IP DataSafe using the Configuration utility
- On the Main tab, click .
- Go to the Fraud Protection Service (FPS) row in the list of modules, and in the Provisioning column select the check box and choose one of the following from the drop-down:
- Dedicated: Specifies that the system allocates all CPU, memory, and disk resources to one module. When you select this option, the system sets all other modules to None (Disabled).
- Nominal: Specifies that, when first enabled, a module gets the least amount of resources required. Then, after all modules are enabled, the module gets additional resources from the portion of remaining resources.
- Minimum: Specifies that when the module is enabled, it gets the least amount of resources required. No additional resources are ever allocated to the module.
- Click Submit.
Provisioning Fraud Protection Service for BIG-IP DataSafe using tmsh
Creating a node for a remote syslog server
Creating a node for a remote syslog server is only necessary if you want alerts sent to a remote syslog server. If you don't want alerts sent to a remote syslog server, skip this section.
Creating a pool for a remote syslog server
Creating a pool for a remote syslog server is only necessary if you want alerts sent to a remote syslog server. If you don't want alerts sent to a remote syslog server, skip this section.
Creating a web application server node
Local traffic pools use nodes as resources for load balancing. A node is an IP address that represents a server resource, which hosts applications.
- If you plan to add your BIG-IP® DataSafe™ profile to an existing virtual server (i.e., you are not going to create a new virtual server for your profile), you do not need to create a new web application node.
- An alternate way to create a node is to create a pool member. When you create a pool member, the BIG-IP® system automatically creates the corresponding node. For example, if you create pool member 10.10.20.30:80, the system automatically creates a node with the address 10.10.20.30.
Creating a web application pool
- If you plan to add your BIG-IP® DataSafe™ profile to an existing virtual server (i.e., you are not going to create a new virtual server for your profile), you do not need to create a new web application pool.
- Repeat the following steps for each desired pool.
Creating a remote high-speed log destination
Create a log destination of the Remote Syslog type if you want to have alerts sent to a remote syslog server. If you don't want alerts sent to a remote syslog server, skip this section.
Creating a log publisher
Creating an initial BIG-IP DataSafe profile
Overview: Creating an initial profile
Typically, when you create your initial profile, you will want to:
- Set general properties for the profile in the Profile Properties screen
- Define URLs to be included in the profile
- Set one of the URLs to be a login page
- Configure a post-login URL (in certain situations)
Therefore, the instructions for creating an initial profile are presented according to these four stages.
Configuring general properties for a BIG-IP DataSafe profile
Defining URLs in the profile
Set a URL to be a login page
Set a URL in your profile to be a login page if you want to encrypt data on a login page in your web site.