From 136dc95c1d7224caefde102baa0e66dc6056f9aa Mon Sep 17 00:00:00 2001 From: Matt Mabis Date: Wed, 11 Dec 2024 11:46:07 -0700 Subject: [PATCH] changing documents for 401 lab for appworld --- ...01-Deploy-SSL-Enabled-App_Services_as3.rst | 4 +- ...2-Replace-Application-Certificates_as3.rst | 4 +- ...rst => 03-Application-Maintenance_as3.rst} | 6 +- .../AS3/03-WAF-Policy-Management_as3.rst | 75 ------------- ...3.rst => 04-WAF-Policy-Management_as3.rst} | 6 +- ...-Policy-Management-JuiceShop-Roles_as3.rst | 105 ------------------ .../Modules/00-Backup-Restore-Role.rst | 2 +- .../01-Deploy-SSL-Enabled-App_Services.rst | 4 +- .../02-Replace-Application-Certificates.rst | 4 +- ...nce.rst => 03-Application-Maintenance.rst} | 6 +- .../Modules/03-WAF-Policy-Management.rst | 81 -------------- ...-Role.rst => 04-WAF-Policy-Management.rst} | 6 +- ...-WAF-Policy-Management-JuiceShop-Roles.rst | 99 ----------------- 13 files changed, 21 insertions(+), 381 deletions(-) rename docs/class10/AS3/{04-Application-Maintenance_as3.rst => 03-Application-Maintenance_as3.rst} (92%) delete mode 100644 docs/class10/AS3/03-WAF-Policy-Management_as3.rst rename docs/class10/AS3/{05-WAF-Policy-Management-Role_as3.rst => 04-WAF-Policy-Management_as3.rst} (93%) delete mode 100644 docs/class10/AS3/06-WAF-Policy-Management-JuiceShop-Roles_as3.rst rename docs/class10/Modules/{04-Application-Maintenance.rst => 03-Application-Maintenance.rst} (93%) delete mode 100644 docs/class10/Modules/03-WAF-Policy-Management.rst rename docs/class10/Modules/{05-WAF-Policy-Management-Role.rst => 04-WAF-Policy-Management.rst} (94%) delete mode 100644 docs/class10/Modules/06-WAF-Policy-Management-JuiceShop-Roles.rst diff --git a/docs/class10/AS3/01-Deploy-SSL-Enabled-App_Services_as3.rst b/docs/class10/AS3/01-Deploy-SSL-Enabled-App_Services_as3.rst index 2b8daad..8f46e52 100644 --- a/docs/class10/AS3/01-Deploy-SSL-Enabled-App_Services_as3.rst +++ b/docs/class10/AS3/01-Deploy-SSL-Enabled-App_Services_as3.rst 
@@ -20,7 +20,7 @@ Running this template assumes that a F5 BIG-IP instance, necessary webservers an .. code:: - cd ~/f5-bd-ansible-labs/201-F5-Advanced/AS3/01-Deploy-SSL-Enabled-App_Services-AS3/ + cd ~/f5-bd-ansible-labs/401-F5-AppWorld-Lab/AS3/01-Deploy-SSL-Enabled-App_Services-AS3/ 3. Run the Ansible Playbook ‘Deploy-SSL-Enabled-App_Services.yaml’: @@ -37,7 +37,7 @@ TESTING AND VALIDATION Using the External Client (UDF --> Components --> External Client --> Access --> Firefox) - - In the Bookmarks bar you can select the ``Ansible Labs`` Folder and goto ``201 - Labs`` and Select ``Use Case 1 - HTTP or Use Case 1 - HTTPS`` + - In the Bookmarks bar you can select the ``Ansible Labs`` Folder and goto ``401 - Labs`` and Select ``Use Case 1 - HTTP or Use Case 1 - HTTPS`` - OR within the browser you can browse to https://10.1.20.30/ - You will need to bypass the certificate warning (within Firefox Warning --> Advanced --> Accept the Risk and Continue) diff --git a/docs/class10/AS3/02-Replace-Application-Certificates_as3.rst b/docs/class10/AS3/02-Replace-Application-Certificates_as3.rst index 6c10a3a..6d2f402 100644 --- a/docs/class10/AS3/02-Replace-Application-Certificates_as3.rst +++ b/docs/class10/AS3/02-Replace-Application-Certificates_as3.rst @@ -19,7 +19,7 @@ Running this template assumes that a F5 BIG-IP instance, necessary webservers an .. code:: - cd ~/f5-bd-ansible-labs/201-F5-Advanced/AS3/02-Replace-Application-Certificates-AS3/ + cd ~/f5-bd-ansible-labs/401-F5-AppWorld-Lab/AS3/02-Replace-Application-Certificates-AS3/ 3. Run the Ansible Playbook ‘Replace-Application-Certificates.yaml’: 
@@ -153,7 +153,7 @@ TESTING AND VALIDATION Using the External Client (UDF --> Components --> External Client --> Access --> Firefox) - - In the Bookmarks bar you can select the ``Ansible Labs`` Folder and goto ``201 - Labs`` and Select ``Use Case 2`` + - In the Bookmarks bar you can select the ``Ansible Labs`` Folder and goto ``401 - Labs`` and Select ``Use Case 2`` - OR within the browser you can browse to https://10.1.20.30:8081/ - From a client browser, access the VIP on port 8081 to view the new self-signed certificate (https://10.1.20.30:8081) diff --git a/docs/class10/AS3/04-Application-Maintenance_as3.rst b/docs/class10/AS3/03-Application-Maintenance_as3.rst similarity index 92% rename from docs/class10/AS3/04-Application-Maintenance_as3.rst rename to docs/class10/AS3/03-Application-Maintenance_as3.rst index fd364ba..cd50711 100644 --- a/docs/class10/AS3/04-Application-Maintenance_as3.rst +++ b/docs/class10/AS3/03-Application-Maintenance_as3.rst @@ -1,4 +1,4 @@ -Use Case 04: Application Maintenance with AS3 +Use Case 03: Application Maintenance with AS3 ============================================= OVERVIEW @@ -21,7 +21,7 @@ Running this template assumes that a F5 BIG-IP instance, necessary webservers an .. code:: bash - cd ~/f5-bd-ansible-labs/201-F5-Advanced/AS3/04-Application-Maintenance-AS3 + cd ~/f5-bd-ansible-labs/401-F5-AppWorld-Lab/AS3/03-Application-Maintenance-AS3 3. Run the Ansible Playbook ‘Application-Maintenance.yaml’ 
@@ -46,7 +46,7 @@ This section assumes knowledge of how to operate BIG-IP commands and networking. Using the External Client (UDF --> Components --> External Client --> Access --> Firefox) - - In the Bookmarks bar you can select the ``Ansible Labs`` Folder and goto ``201 - Labs`` and Select ``Use Case 4`` + - In the Bookmarks bar you can select the ``Ansible Labs`` Folder and goto ``401 - Labs`` and Select ``Use Case 3`` - OR within the browser you can browse to https://10.1.20.30:8083/ - Browse the page and notice that only NODE2 is the only responsive Node as Node 1 was disabled. diff --git a/docs/class10/AS3/03-WAF-Policy-Management_as3.rst b/docs/class10/AS3/03-WAF-Policy-Management_as3.rst deleted file mode 100644 index b4fc152..0000000 --- a/docs/class10/AS3/03-WAF-Policy-Management_as3.rst +++ /dev/null 
@@ -1,75 +0,0 @@ -Use Case 03: WAF (XML) Policy Management with AS3 -================================================= - -OVERVIEW --------- -WAF-Policy-Management.yaml is a templated Ansible Playbook to manage blocked IP addresses and URL's on F5 ASM through Ansible automation. - -Web Application Firewalls work to protect web applications by inspecting incoming traffic, blocking bots, SQL injection, Cross Site Scripting and a host of other attacks. - -This playbook is designed to demonstrate a basic WAF scenario to create and modify an F5 WAF (ASM) policy to block URL(s) or IP address(s) or both. - -Using this playbook, other security vendors or even ticketing based solutions like Service NOW, users will be able to create a start to finish automated solution based on when attacks can occur. - -RUNNING THE TEMPLATE --------------------- -Running this template assumes that a F5 BIG-IP instance, necessary webservers and Ansible node are available. - - 1. Login to the Ansible host - - 2. Change Directory in the Ansible Host to the use-cases repo previously downloaded - - .. code:: - - cd ~/f5-bd-ansible-labs/201-F5-Advanced/AS3/03-WAF-Policy-Management-AS3/ - - 3. Launch the Ansible playbook 'WAF-Policy-Management.yaml': - - .. code:: - - ansible-navigator run WAF-Policy-Management.yaml --mode stdout - - .. note:: - - This Playbook modifies the provisioning of modules on the BIG-IP and will take some time to complete as the new module comes online. - - .. attention:: - - This Playbook detects if blocked URL or IP already exists and only add what is new (idempotency). because of that it will create Errors and ignore them on first run, this is expected behavior. The Errors will indicate when the exported ASM Policy doesn't contain the data we are attempting to add, and then will add that data. 
- - -TESTING AND VALIDATION ----------------------- - -**VERIFYING WAF POLICY ENFORCEMENT:** - - **Access Using F5 UDF Console:** - - Using the External Client (UDF --> Components --> External Client --> Access --> Firefox) - - - In the Bookmarks bar you can select the ``Ansible Labs`` Folder and goto ``201 - Labs`` and Select ``Use Case 3`` - - OR within the browser you can browse to https://10.1.20.30:8082/ - - Access the URL's present in the f5_vars.yml file to see the WAF policy in action - - - https://10.1.20.30:8082/blocked.html - - https://10.1.20.30:8082/hacked.html - - https://10.1.20.30:8082/robot.txt - - -**BIG-IP CONFIGURATION VERIFICATION:** - -This section is optional and for testing and verification purposes only. It assumes knowledge of how to operate BIG-IP commands and networking. - - **Access Using F5 UDF Console:** - - - BIG-IP - (In UDF --> Components --> BIG-IP --> Access --> TMUI) - This will popup a webpage to access the F5 Login Page - - - Login to the BIG-IP instance - - Navigate to Security --> Application Security to view the WAF policy deployed - - Navigate to Local Traffic --> Virtual Servers - - View the deployed use case access F5-BIG-IP-Public-IP:port (8082) - - - Login information for the BIG-IP: - - * username: admin - * password: **found in the inventory hosts file** \ No newline at end of file diff --git a/docs/class10/AS3/05-WAF-Policy-Management-Role_as3.rst b/docs/class10/AS3/04-WAF-Policy-Management_as3.rst similarity index 93% rename from docs/class10/AS3/05-WAF-Policy-Management-Role_as3.rst rename to docs/class10/AS3/04-WAF-Policy-Management_as3.rst index 88f6c23..b7131ec 100644 --- a/docs/class10/AS3/05-WAF-Policy-Management-Role_as3.rst +++ b/docs/class10/AS3/04-WAF-Policy-Management_as3.rst @@ -1,4 +1,4 @@ -Use Case 05: WAF (XML) Policy Management in a Role with AS3 +Use Case 04: WAF (XML) Policy Management in a Role with AS3 =========================================================== OVERVIEW 
@@ -21,7 +21,7 @@ Running this template assumes that a F5 BIG-IP instance, necessary webservers an .. code:: bash - cd ~/f5-bd-ansible-labs/201-F5-Advanced/AS3/05-WAF-Policy-Management-Role-AS3/ + cd ~/f5-bd-ansible-labs/401-F5-AppWorld-Lab/AS3/04-WAF-Policy-Management-AS3/ 3. Launch the Ansible playbook 'WAF-Policy-Management-Role.yaml': @@ -47,7 +47,7 @@ TESTING AND VALIDATION Using the External Client (UDF --> Components --> External Client --> Access --> Firefox) - - In the Bookmarks bar you can select the ``Ansible Labs`` Folder and goto ``201 - Labs`` and Select ``Use Case 5`` + - In the Bookmarks bar you can select the ``Ansible Labs`` Folder and goto ``401 - Labs`` and Select ``Use Case 4`` - OR within the browser you can browse to https://10.1.20.30:8084/ - Access the URL's present in the f5_vars.yml file to see the WAF policy in action diff --git a/docs/class10/AS3/06-WAF-Policy-Management-JuiceShop-Roles_as3.rst b/docs/class10/AS3/06-WAF-Policy-Management-JuiceShop-Roles_as3.rst deleted file mode 100644 index c7eb0df..0000000 --- a/docs/class10/AS3/06-WAF-Policy-Management-JuiceShop-Roles_as3.rst +++ /dev/null 
@@ -1,105 +0,0 @@ -Use Case 06: WAF (XML) Policy Management in a Role with Juice Shop With AS3 -=========================================================================== - -OVERVIEW --------- - -WAF-Policy-Mangement-Role.yaml and JuiceShop-Docker-Deploy.yaml are Ansible -Roles to manage blocked IP addresses and URL's on F5 ASM through Ansible -automation using the Juice Shop website. - -Web Application Firewalls work to protect web applications by inspecting -incoming traffic, blocking bots, SQL injection, Cross Site Scripting and a host -of other attacks. This playbook is designed to demonstrate a basic WAF scenario -to create and modify an F5 WAF (ASM) policy to block URL(s) or IP address(s) or -both. - -Using this role, other security vendors or even ticketing based solutions like -Service NOW, users will be able to create a start to finish automated solution -based on when attacks can occur. - -RUNNING THE TEMPLATE --------------------- - -Running this template assumes that a F5 BIG-IP instance, necessary webservers -and Ansible node are available. - - 1. Login to the Ansible host - - 2. Change Directory in the Ansible Host to the use-cases repo previously - downloaded - - .. code:: bash - - cd ~/f5-bd-ansible-labs/201-F5-Advanced/AS3/06-WAF-Policy-Management-JuiceShop-Roles-AS3/ - - 3. Launch the Ansible playbook 'JuiceShop-WAF.yaml' to build out the - Juice Shop Podman container on each webserver node and deploy the VIP/WAF Policy: - - .. code:: bash - - ansible-navigator run JuiceShop-WAF.yaml --mode stdout - - .. attention:: - - This can take up to 5 minutes due to installing of podman and all of its sub-components, and the JuiceShop application on each webserver. - - 4. **(Optional)** Block your Client IP Address with WAF - - You can use the IP address of the External Client Node to block which is "10.1.1.9" - - .. 
code:: bash - - ansible-navigator run Block-My-IP.yaml --mode stdout --extra-vars "my_ip_address=10.1.1.9" - - - This template will gather your IP Address from your SSH connection and then add it to the existing WAF Policy and start blocking your IP so that when you browse port 8085 you will get a "Request Rejected" message. - - .. note:: - - This Playbook modifies the provisioning of modules on the BIG-IP and will take some time to complete as the new module comes online. - - .. attention:: - - This Playbook detects if blocked URL or IP already exists and only add what is new (idempotency). - -TESTING AND VALIDATION ----------------------- - -**VERIFYING WAF POLICY ENFORCEMENT:** - - **Access Using F5 UDF Console:** - - Using the External Client (UDF --> Components --> External Client --> Access --> Firefox) - - - In the Bookmarks bar you can select the ``Ansible Labs`` Folder and goto ``201 - Labs`` and Select ``Use Case 6`` - - OR within the browser you can browse to https://10.1.20.30:8085/ - - Access the URL's present in the f5_vars.yml file to see the WAF policy in action - - - https://10.1.20.30:8085/blocked.html - - https://10.1.20.30:8085/hacked.html - - https://10.1.20.30:8085/robot.txt - - -**BIG-IP CONFIGURATION VERIFICATION:** - -This section is optional and for testing and verification purposes only. It assumes knowledge of how to operate BIG-IP commands and networking. 
- - **Access Using F5 UDF Console:** - - - BIG-IP - (In UDF --> Components --> BIG-IP --> Access --> TMUI) - This will popup a webpage to access the F5 Login Page - - - Login to the BIG-IP instance - - Navigate to Security --> Application Security to view the WAF policy deployed - - Navigate to Local Traffic --> Virtual Servers - - View the deployed use case access F5-BIG-IP-Public-IP:port (8085) - - - Login information for the BIG-IP: - - * username: admin - * password: **found in the inventory hosts file** - -**UDF Lab Revert** -------------------------------- - - Once you have completed this section it is recommended to go back to Use-Case 00 and run the **restore** of the BIG-IP before continuing to test the Modules Section. \ No newline at end of file diff --git a/docs/class10/Modules/00-Backup-Restore-Role.rst b/docs/class10/Modules/00-Backup-Restore-Role.rst index f941480..e7e91ee 100644 --- a/docs/class10/Modules/00-Backup-Restore-Role.rst +++ b/docs/class10/Modules/00-Backup-Restore-Role.rst @@ -25,7 +25,7 @@ Running this template assumes that a F5 BIG-IP instance, necessary webservers an .. code:: bash - cd ~/f5-bd-ansible-labs/201-F5-Advanced/Modules/00-Backup-Restore-Role/ + cd ~/f5-bd-ansible-labs/401-F5-AppWorld-Lab/Modules/00-Backup-Restore-Role/ 3. **(Optional)** Edit 'f5_vars.yml' file in the vars folder to customize the existing variables. For example: File-Name: ‘mybackup.ucs' diff --git a/docs/class10/Modules/01-Deploy-SSL-Enabled-App_Services.rst b/docs/class10/Modules/01-Deploy-SSL-Enabled-App_Services.rst index 11c5e05..9589040 100644 --- a/docs/class10/Modules/01-Deploy-SSL-Enabled-App_Services.rst +++ b/docs/class10/Modules/01-Deploy-SSL-Enabled-App_Services.rst 
@@ -21,7 +21,7 @@ Running this template assumes that a F5 BIG-IP instance, necessary webservers an .. code:: bash - cd ~/f5-bd-ansible-labs/201-F5-Advanced/Modules/01-Deploy-SSL-Enabled-App_Services/ + cd ~/f5-bd-ansible-labs/401-F5-AppWorld-Lab/Modules/01-Deploy-SSL-Enabled-App_Services/ 3. **(Optional)** Edit 'f5_vars.yml' file to customize the existing variables. @@ -48,7 +48,7 @@ TESTING AND VALIDATION Using the External Client (UDF --> Components --> External Client --> Access --> Firefox) - - In the Bookmarks bar you can select the ``Ansible Labs`` Folder and goto ``201 - Labs`` and Select ``Use Case 1 - HTTP or Use Case 1 - HTTPS`` + - In the Bookmarks bar you can select the ``Ansible Labs`` Folder and goto ``401 - Labs`` and Select ``Use Case 1 - HTTP or Use Case 1 - HTTPS`` - OR within the browser you can browse to https://10.1.20.30/ - You will need to bypass the certificate warning (within Firefox Warning --> Advanced --> Accept the Risk and Continue) diff --git a/docs/class10/Modules/02-Replace-Application-Certificates.rst b/docs/class10/Modules/02-Replace-Application-Certificates.rst index de39cf9..0b235b9 100644 --- a/docs/class10/Modules/02-Replace-Application-Certificates.rst +++ b/docs/class10/Modules/02-Replace-Application-Certificates.rst @@ -20,7 +20,7 @@ Running this template assumes that a F5 BIG-IP instance, necessary webservers an .. code:: bash - cd ~/f5-bd-ansible-labs/201-F5-Advanced/Modules/02-Replace-Application-Certificates + cd ~/f5-bd-ansible-labs/401-F5-AppWorld-Lab/Modules/02-Replace-Application-Certificates 3. **(Optional)** Edit 'f5_vars.yml' file to customize your variables. 
@@ -50,7 +50,7 @@ TESTING AND VALIDATION Using the External Client (UDF --> Components --> External Client --> Access --> Firefox) - - In the Bookmarks bar you can select the ``Ansible Labs`` Folder and goto ``201 - Labs`` and Select ``Use Case 2`` + - In the Bookmarks bar you can select the ``Ansible Labs`` Folder and goto ``401 - Labs`` and Select ``Use Case 2`` - OR within the browser you can browse to https://10.1.20.30:8081/ - From a client browser, access the VIP on port 8081 to view the new self-signed certificate (https://10.1.20.30:8081) diff --git a/docs/class10/Modules/04-Application-Maintenance.rst b/docs/class10/Modules/03-Application-Maintenance.rst similarity index 93% rename from docs/class10/Modules/04-Application-Maintenance.rst rename to docs/class10/Modules/03-Application-Maintenance.rst index 42b5ad5..fedbdb4 100644 --- a/docs/class10/Modules/04-Application-Maintenance.rst +++ b/docs/class10/Modules/03-Application-Maintenance.rst @@ -1,4 +1,4 @@ -Use Case 04: Application Maintenance +Use Case 03: Application Maintenance ==================================== OVERVIEW @@ -21,7 +21,7 @@ Running this template assumes that a F5 BIG-IP instance, necessary webservers an .. code:: bash - cd ~/f5-bd-ansible-labs/201-F5-Advanced/Modules/04-Application-Maintenance + cd ~/f5-bd-ansible-labs/401-F5-AppWorld-Lab/Modules/03-Application-Maintenance 3. **(Optional)** Edit 'f5_vars.yml' file to customize your variables for your environment. 
@@ -50,7 +50,7 @@ This section assumes knowledge of how to operate BIG-IP commands and networking. Using the External Client (UDF --> Components --> External Client --> Access --> Firefox) - - In the Bookmarks bar you can select the ``Ansible Labs`` Folder and goto ``201 - Labs`` and Select ``Use Case 4`` + - In the Bookmarks bar you can select the ``Ansible Labs`` Folder and goto ``401 - Labs`` and Select ``Use Case 3`` - OR within the browser you can browse to https://10.1.20.30:8083/ - Browse the page and notice that only NODE2 is the only responsive Node as Node 1 was disabled. diff --git a/docs/class10/Modules/03-WAF-Policy-Management.rst b/docs/class10/Modules/03-WAF-Policy-Management.rst deleted file mode 100644 index ec57f4b..0000000 --- a/docs/class10/Modules/03-WAF-Policy-Management.rst +++ /dev/null 
@@ -1,81 +0,0 @@ -Use Case 03: WAF (XML) Policy Management -======================================== - -OVERVIEW --------- - -WAF-Policy-Management.yaml is a templated Ansible Playbook to manage blocked IP addresses and URL's on F5 ASM through Ansible automation. - -Web Application Firewalls work to protect web applications by inspecting incoming traffic, blocking bots, SQL injection, Cross Site Scripting and a host of other attacks. This playbook is designed to demonstrate a basic WAF scenario to create and modify an F5 WAF (ASM) policy to block URL(s) or IP address(s) or both. - -Using this playbook, other security vendors or even ticketing based solutions like Service NOW, users will be able to create a start to finish automated solution based on when attacks can occur. - -RUNNING THE TEMPLATE --------------------- - -Running this template assumes that a F5 BIG-IP instance, necessary webservers and Ansible node are available. - - 1. Login to the Ansible host - - 2. Change Directory in the Ansible Host to the use-cases repo previously downloaded - - .. code:: bash - - cd ~/f5-bd-ansible-labs/201-F5-Advanced/Modules/03-WAF-Policy-Management/ - - - 3. **(Optional)** Edit 'f5_vars.yml' file to customize your variables. Here you can add/remove IP addresses and URLs from the 'Blocked_IPs' and 'Blocked_URLs' list - - 4. Launch the Ansible playbook 'WAF-Policy-Management.yaml' with the variable file ‘f5_vars.yml’: - - .. code:: bash - - ansible-navigator run WAF-Policy-Management.yaml --mode stdout -e @f5_vars.yml - - This template will configure the F5 BIG-IP to provision the `WAF module `__, create a Virtual IP (VIP) including a Pool and nodes, a WAF policy for the use case, then modify the policy to block IP’s and URL’s. - - .. note:: - - This Playbook modifies the provisioning of modules on the BIG-IP and will take some time to complete as the new module comes online. - - .. 
attention:: - - This Playbook detects if blocked URL or IP already exists and only add what is new (idempotency). because of that it will create Errors and ignore them on first run, this is expected behavior. The Errors will indicate when the exported ASM Policy doesn't contain the data we are attempting to add, and then will add that data. - - - -TESTING AND VALIDATION ----------------------- - -**VERIFYING WAF POLICY ENFORCEMENT:** - - **Access Using F5 UDF Console:** - - Using the External Client (UDF --> Components --> External Client --> Access --> Firefox) - - - In the Bookmarks bar you can select the ``Ansible Labs`` Folder and goto ``201 - Labs`` and Select ``Use Case 3`` - - OR within the browser you can browse to https://10.1.20.30:8082/ - - Access the URL's present in the f5_vars.yml file to see the WAF policy in action - - - https://10.1.20.30:8082/blocked.html - - https://10.1.20.30:8082/hacked.html - - https://10.1.20.30:8082/robot.txt - - -**BIG-IP CONFIGURATION VERIFICATION:** - -This section is optional and for testing and verification purposes only. It assumes knowledge of how to operate BIG-IP commands and networking. - - **Access Using F5 UDF Console:** - - - BIG-IP - (In UDF --> Components --> BIG-IP --> Access --> TMUI) - This will popup a webpage to access the F5 Login Page - - - Login to the BIG-IP instance - - Navigate to Security --> Application Security to view the WAF policy deployed - - Navigate to Local Traffic --> Virtual Servers - - View the deployed use case access F5-BIG-IP-Public-IP:port (8082) - - - Login information for the BIG-IP: - - * username: admin - * password: **found in the inventory hosts file** \ No newline at end of file diff --git a/docs/class10/Modules/05-WAF-Policy-Management-Role.rst b/docs/class10/Modules/04-WAF-Policy-Management.rst similarity index 94% rename from docs/class10/Modules/05-WAF-Policy-Management-Role.rst rename to docs/class10/Modules/04-WAF-Policy-Management.rst index 6a2c275..81c346d 100644 
--- a/docs/class10/Modules/05-WAF-Policy-Management-Role.rst +++ b/docs/class10/Modules/04-WAF-Policy-Management.rst @@ -1,4 +1,4 @@ -Use Case 05: WAF (XML) Policy Management in a Role +Use Case 04: WAF (XML) Policy Management in a Role ===================================================== OVERVIEW @@ -22,7 +22,7 @@ Running this template assumes that a F5 BIG-IP instance, necessary webservers an .. code:: bash - cd ~/f5-bd-ansible-labs/201-F5-Advanced/Modules/05-WAF-Policy-Management-Role/ + cd ~/f5-bd-ansible-labs/201-F5-Advanced/Modules/04-WAF-Policy-Management-Role/ 3. **(Optional)** Edit 'vars/f5_vars.yml' file to customize your variables. @@ -55,7 +55,7 @@ TESTING AND VALIDATION Using the External Client (UDF --> Components --> External Client --> Access --> Firefox) - - In the Bookmarks bar you can select the ``Ansible Labs`` Folder and goto ``201 - Labs`` and Select ``Use Case 5`` + - In the Bookmarks bar you can select the ``Ansible Labs`` Folder and goto ``401 - Labs`` and Select ``Use Case 4`` - OR within the browser you can browse to https://10.1.20.30:8084/ - Access the URL's present in the f5_vars.yml file to see the WAF policy in action diff --git a/docs/class10/Modules/06-WAF-Policy-Management-JuiceShop-Roles.rst b/docs/class10/Modules/06-WAF-Policy-Management-JuiceShop-Roles.rst deleted file mode 100644 index 5c66959..0000000 --- a/docs/class10/Modules/06-WAF-Policy-Management-JuiceShop-Roles.rst +++ /dev/null 
@@ -1,99 +0,0 @@ -Use Case 06: WAF (XML) Policy Management in a Role with Juice Shop -===================================================================== - -OVERVIEW --------- - -F5-WAF-Policy-Mangement-Role.yaml and JuiceShop-Docker-Deploy.yaml are Ansible Roles to manage blocked IP addresses and URL's on F5 ASM through Ansible automation using the Juice Shop website. - -Web Application Firewalls work to protect web applications by inspecting incoming traffic, blocking bots, SQL injection, Cross Site Scripting and a host of other attacks. This playbook is designed to demonstrate a basic WAF scenario to create and modify an F5 WAF (ASM) policy to block URL(s) or IP address(s) or both. - -Using this role, other security vendors or even ticketing based solutions like Service NOW, users will be able to create a start to finish automated solution based on when attacks can occur. - -RUNNING THE TEMPLATE --------------------- - -Running this template assumes that a F5 BIG-IP instance, necessary webservers and Ansible node are available. - - 1. Login to the Ansible host - - 2. Change Directory in the Ansible Host to the use-cases repo previously downloaded - - .. code:: bash - - cd ~/f5-bd-ansible-labs/201-F5-Advanced/Modules/06-WAF-Policy-Management-JuiceShop-Roles/ - - - 3. **(Optional)** Edit 'vars/f5_vars.yml' file to customize your variables. Here you can add/remove IP addresses and URLs from the 'Blocked_IPs' and 'Blocked_URLs' list - - - 4. Launch the Ansible playbook 'JuiceShop-WAF.yaml' to build out the - Juice Shop Podman container on each webserver node and deploy the VIP/WAF Policy: - - .. code:: bash - - ansible-navigator run JuiceShop-WAF.yaml --mode stdout - - .. attention:: - - This can take up to 5 minutes due to installing of podman and all of its sub-components, and the JuiceShop application on each webserver. - - 5. 
**(Optional)** Block your Client IP Address with WAF - - You can use the IP address of the External Client Node to block which is "10.1.1.9" - - .. code:: bash - - ansible-navigator run Block-My-IP.yaml --mode stdout --extra-vars "my_ip_address=10.1.1.9" - - This template will gather your IP Address from your SSH connection and then add it to the existing WAF Policy and start blocking your IP so that when you browse port 8085 you will get a "Request Rejected" message. - - .. note:: - - This Playbook modifies the provisioning of modules on the BIG-IP and will take some time to complete as the new module comes online. - - .. attention:: - - This Playbook detects if blocked URL or IP already exists and only add what is new (idempotency). - - -TESTING AND VALIDATION ----------------------- - -**VERIFYING WAF POLICY ENFORCEMENT:** - - **Access Using F5 UDF Console:** - - Using the External Client (UDF --> Components --> External Client --> Access --> Firefox) - - - In the Bookmarks bar you can select the ``Ansible Labs`` Folder and goto ``201 - Labs`` and Select ``Use Case 6`` - - OR within the browser you can browse to https://10.1.20.30:8085/ - - Access the URL's present in the f5_vars.yml file to see the WAF policy in action - - - https://10.1.20.30:8085/blocked.html - - https://10.1.20.30:8085/hacked.html - - https://10.1.20.30:8085/robot.txt - - -**BIG-IP CONFIGURATION VERIFICATION:** - -This section is optional and for testing and verification purposes only. It assumes knowledge of how to operate BIG-IP commands and networking. 
- - **Access Using F5 UDF Console:** - - - BIG-IP - (In UDF --> Components --> BIG-IP --> Access --> TMUI) - This will popup a webpage to access the F5 Login Page - - - Login to the BIG-IP instance - - Navigate to Security --> Application Security to view the WAF policy deployed - - Navigate to Local Traffic --> Virtual Servers - - View the deployed use case access F5-BIG-IP-Public-IP:port (8085) - - - Login information for the BIG-IP: - - * username: admin - * password: **found in the inventory hosts file** - -**UDF Lab Revert** -------------------------------- - - Once you have completed this section it is recommended to go back to Use-Case 00 and run the **restore** of the BIG-IP before continuing to test the AS3 Section. \ No newline at end of file
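Review bot: In docs/class10/Modules/04-WAF-Policy-Management.rst, the ``cd`` line in the second hunk still points at ``201-F5-Advanced``: ``cd ~/f5-bd-ansible-labs/201-F5-Advanced/Modules/04-WAF-Policy-Management-Role/``. Every other ``cd`` line in this patch moves to ``401-F5-AppWorld-Lab``, and the AS3 counterpart also drops the ``-Role`` suffix (``04-WAF-Policy-Management-AS3/``). Only the number changed here (05 to 04). Please confirm the directory name in the 401 lab repo and update this path to match, so that step 2 lands in the directory the rest of the page describes.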
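Review bot: In docs/class10/AS3/04-WAF-Policy-Management_as3.rst, the new ``cd`` target is ``04-WAF-Policy-Management-AS3/``, but the unchanged step 3 right below it still launches 'WAF-Policy-Management-Role.yaml' and the title still reads "in a Role". The file name and the directory lost ``-Role``; the playbook name and the heading did not. Please check which playbook name exists in the renamed directory and make the heading, directory and playbook name agree.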
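Review bot: In the Application-Maintenance and WAF-Policy-Management hunks (both AS3 and Modules), the bookmark text is renumbered to ``Use Case 3`` and ``Use Case 4`` while the URLs in the unchanged context stay on ports 8083 and 8084. The deleted pages show that ``Use Case 3`` previously opened port 8082 and the old ``Use Case 4`` opened 8083. Please confirm the Firefox bookmarks under ``401 - Labs`` on the External Client were renumbered as well; if they were not, the bookmark named in the doc opens a different VIP than the URL listed on the next line.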
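Review bot: The diffstat lists 13 files, all of them use-case pages; no index or toctree file is touched although four pages are deleted and four are renamed. If the class10 index lists these pages by name rather than by glob, the build will reference files that no longer exist (``03-WAF-Policy-Management``, ``05-WAF-Policy-Management-Role``, ``06-WAF-Policy-Management-JuiceShop-Roles`` and the old ``04-Application-Maintenance`` names). Please update the index in the same commit, or note in the commit message that it uses a glob.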
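Review bot: Deleting both 06-WAF-Policy-Management-JuiceShop-Roles pages also removes the "UDF Lab Revert" section, which told students to go back to Use-Case 00 and run the **restore** of the BIG-IP before moving between the AS3 and Modules sections. Nothing in the visible hunks adds that guidance to the new last page (Use Case 04). Since the WAF use case changes module provisioning and leaves a policy in place, please carry the revert step over to the end of 04-WAF-Policy-Management in both sections, or confirm it is already there.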