From YouTube: F5 AWS Web Application Firewall Walkthrough

Description
A walkthrough of the F5 WAF functionality and a demo of its capabilities to detect and block forceful browsing, cross-site scripting, and DoS attacks.

Transcript

Hello, my name is Sam White. I'm a Senior Product Manager at Etiquette Lab, and today I'm going to be doing a walkthrough and demo of the F5 Web Application Firewall functionality, which they license as their ASM, or Application Security Manager. So with that, let's just dive right in. What you're looking at here is the F5 firewall dashboard. All of their application security, or web application firewall, functionality is here under their Security menu, and if we take a look in there, at the Application Security menu, we see their security policies. That's how it's done as far as their web application firewall package goes: the policy is really the root object, and all of the rules fall under a policy. The policies can be grouped up in different policy groups and you can create multiple, but I found that they're very broad.
As we would expect for an enterprise tool, they have thoroughly robust audit log functionality, so you can see here all of the different changes that I've made to the policy over time. You can also run different reports. One thing that I really liked when I initially set up the policy was that it prompted me for which server-side technologies I was running, and in my case I'm running a LAMP stack, so I had Apache, PHP and MySQL enabled, and that just provided a baseline of rules that I'll show you a little bit later on.
That informs the way that the policy works. If I come down to the Policy Building menu, you'll see that their traffic learning feature is highlighted front and center. So the way this works is, once you create a base policy, you can go through and manually define all of your rules, but you can also put it in learning mode, which has the firewall observing the traffic; it doesn't immediately start blocking it. It just observes the traffic as it passes through, and over time it builds up a profile of what's normal for your application, and then it starts to recommend different actions based off of that: either to lock your application down, if it notices that there's a certain rule that could be applied without actually preventing any of the legitimate traffic from going through, or, if it notices that there's a small amount of anomalous traffic coming from a certain set of IPs that's not common for the broader base, it will also make a suggestion there. And you'll notice that there's this learning score here. Currently this one's at about 20%. Once that gets up to a hundred percent, if you want, you can choose to have it automatically apply that policy, or you can leave it in manual mode, which is where I have it right now, where it doesn't ever enforce policies for you but instead just makes recommendations for you to go in and manually review.

So, just coming down here, one example is the login URL bypass, where it noticed that twice someone tried to bypass the login page and go straight to index.php without logging in. It classifies this as a forceful browsing type, and in that scenario it's still learning, because it's only at 2%, but the action it suggested is, you know, maybe we need to remove index.php from the list of authenticated URLs, because maybe this is legitimate traffic instead of malicious. Now, in the case of this actual website, it was blocking it, and it should be an authenticated URL. But you can see how it's very cautious in its approach. It doesn't jump to conclusions, because you certainly would not want it to just start blocking legitimate traffic; or, in this case, it's actually suggesting to you to dial the policy back to allow more data through, to prevent blocking legitimate traffic. So it learns on both ends of the spectrum.
Specifically, you can decide how fast it learns and how quickly it reacts to different activities. So right now I have it in manual mode; I can put it on automatic. I have mine dialed up to the fast learning speed because I wanted to quickly generate some data for the demo, but typically this enforcement readiness period would be targeted more at a week, and you would have a little bit slower of a learning speed, just to help it be more confident in its decisions before it started making recommendations.

Also, if I come down here, you can see a large bucketed list of different types of rules that can be included in the policy. So, for example, if I expand this out, the attack signature section: again, you'll notice those technologies that I selected earlier on when I initially created the policy, PHP, MySQL and Apache, show up as having some pre-built signatures out of the box, and I can set all of these to either just learning mode, alarm or block. And if I want to see a list of all of the different rules that are available here, I can click on Blocking Settings, and it lets me see and manage all of the different options here in one long list. I also like the way that they have options down here to customize the policy building process.

So, even though it is, you know, when you put something into automatic mode, you want to be very careful, because websites can change over time, especially if developers push new code, and so a rule set that you had in place that was blocking a certain page or certain types of activity, and that was not generating false positives before, doesn't necessarily mean it won't start generating false positives tomorrow. So here you can configure your settings on how and where and when you want to start loosening policy, as well as how you want to tighten policy.

Now that we've gone through just a high-level overview of how the policy is structured, really all of the other items in this menu feed into these rules, and these rule sets that are in here; for example, the attack signatures one takes its signatures from the Attack Signatures menu down here. So why don't we just take a look at that and get a little bit of a deeper dive.
Others are specific to MySQL. I can go through and filter those. Again, you'll notice that the intelligence and the learning capabilities of the F5 WAF are built in throughout, where right now all of these policies are ready to be enforced, meaning that they've had enough data points that the F5 WAF is confident in making a recommendation to start enforcing the signature. The signature blocking, when I initially turned it on and started configuring, was listed in waiting mode, so it was waiting for additional traffic samples.

If I come over here and just take a look at a few more items in this menu, one that I found of note was the vulnerability assessments capability. So the way this works is you're able to configure a separate vulnerability assessment tool, whether that's a generic scanner or one that they have a native integration with, and once you have that set up, as that scanner goes to scan your application and identifies vulnerabilities, you can come back to this Vulnerabilities page and determine the actions to take related to it.

Other areas to note are the File Types submenu, and again it has that learning capability. So it's noticed that the file type of PHP is common; it's seen that in, you know, pretty much all of the requests that have come across, so it's confident in making the recommendation to add this to the allowed file types list. It also comes with a list of disallowed file types out of the box, which are thoroughly standard ones that you would expect to be blocked, or not included, as far as passing the firewall traffic.
I'm not going to go through all of these submenus, because some of these require additional licensing, and there's a lot of functionality here and I want to try to keep the video to a reasonable length. But I do want to highlight just a few other areas in here. One is the Sessions and Logins section. So in here you're able to configure a login URL, and as part of that you can configure the response type, or what it looks like when a user is successfully authenticated. When the firewall sees that traffic passing, it knows that the user successfully logged in, and then you can also configure a set of logout pages, and so between the information of those two pages, if you have those configured correctly, then you can start writing rules to enforce things related to logging in, like the login: if you want that to expire after a certain amount of time, you can set that up, and you can also set a list of authenticated URLs, again index dot

To highlight this one as well: this is tied to the login URL, and it's able to detect if there's an excessive amount of requests or failed login attempts, and if there are, you can configure the action to take. In this case I have it set up to alarm and prompt with a CAPTCHA response, but that is all customizable and you can choose what kind of mitigation you want to take.

And in this menu, just to call out, they do have integrated services, which include the ability to configure a separate antivirus or database security server. In that case it offloads the binaries or any files that it serves off to that server for further inspection, and then you can take an action based off of that. It also supports a basic geolocation enforcement, where you can specify which regions of the world you want to allow or disallow traffic from.
So coming down and taking a look at some of the other features here: you have Protocol Security, which is relatively limited; they just have FTP and SMTP. They have their IP Intelligence firewall, which really just acts like your basic layer 4 type firewall, if there are specific IPs that you want to allow or disallow. It also does support the ability to take in a feed, so if you have a threat intelligence feed or an IP feed that you want to have come in to automatically block, you can bring that into the product as well. Then it has DoS Protection and Bot Defense, and these two are highly interrelated. So DoS Protection has two aspects to it: one, it can look at known signatures that are indicative of a DoS attack, and you can also configure a protection profile, and if I come in here, if it just takes a minute to load, there are several different ways it can detect the DoS attack.

One is strictly volumetric, so based off of the amount of traffic coming in, either by source IP or device, geolocation, URL, or site-wide. It can take an action of your choosing. You can either have it automatically choose what type of response to take, or set that to manual. Right now I have it in manual mode, and I'm choosing in this case to block everything, but I could also do rate limiting or a CAPTCHA challenge, or configure these thresholds. I've lowered the thresholds down because I want to demo this a little bit later on. Normally these thresholds would be a little bit higher, to support a higher threshold than just for transactions affecting the DoS.

DoS Protection also is able to analyze things on a site-wide basis, so it's able to look at the stress of the actual system, looking at the CPU levels and the latency levels, and notice, as latency starts to get long, it's able to identify those areas that are contributing to the latency, and again it can block, or rate limit, or do a CAPTCHA response for those as well. Bot Defense is similar. It can take in a list of known signatures, and there's a lot of signatures out of the gate. It has over 900 entries of different types of bots and crawlers that you'd expect to typically see, along with an associated risk, and then based off of that you can build a defense profile on how you want to protect against those bots. Right now I have this in transparent mode, but I can easily switch that over to blocking in order to actually proactively stop the bots, and you can configure what type of action to take there, as well as what type of signatures to protect against; same thing for browser verification.

So that's just a quick overview and walkthrough. I'm going to go ahead and click on the Event Log and show you some of the reporting functionality that they have in here. This event log just shows a list of anything that was blocked or configured to be logged as part of your policy. You can see if there's a threat or risk associated with it, where here the request needs further examination; in this case, the request is most likely a threat. So it ranks the threats on a scale of 1 to 5.
Here's a login page. I'm running DVWA, which is a web server with known vulnerabilities in it. Just reload it to make sure it's working all right. And by default, as you noticed earlier, it was triggering an alert because I was going ahead and just trying to directly visit index.php, and it's actually being blocked by the F5 WAF. So this was sitting in front of the application itself.

And you'll notice that the attack is successful: it displays this alert pop-up saying "hi", and that means that I was able to exploit that attack, and in this case the F5 firewall did not protect against that cross-site scripting attempt. Coming back here to the logs, we're going to see how that shows up in the system. You can see my browsing activity; you'll notice that I came to this vulnerabilities page and it flags it with a score of 3. It says "needs further examination". You can see that request that I made with the script tag in the URL parameter, and if I click on "attack signature detected", it gives a little bit more detail, saying that this is an attack pattern that matches multiple requests from IP addresses, and you might want to consider disabling this as a false positive. So I can either accept the request and say that it was fine, delete the request, or export it, in this case.
And here I'm going to filter down to just those signatures that are related to cross-site scripting, and if you remember, none of these are actually blocking. None of these are in blocking mode right now; they're ready to be enforced, they've been in staging, and the system has enough knowledge that it's recommending them. In this case, the one that was triggered was the cross-site script tag in the parameter field, but I'm gonna go ahead and just enable all of these and I'm going to click Enforce, and it's going to move all of those to enforcing mode. And now you'll notice up here it says "changes not applied". This is another element of the WAF that I really appreciate, which is that every change to policy requires a two-step process. So there's no way to just accidentally make a change to policy by clicking a single button. It all requires the change to be made, and then you actually have to go and apply the policy into the environment. It's also useful if you have several changes to the policy that you're trying to make, and then you want to roll those out all at once. So I'm going to go ahead and click Apply Policy; we're going to give it just a minute to take effect.

And you'll notice that it's now blocking, learning and alarming against all of those policies. So now that that's in blocking mode, if I come back here and I attempt to repeat that same attack that I just performed, you'll notice that it says "The requested URL was rejected", and again it prevents me from executing that attack.
One last area that I want to call out is their brute force and their DoS protection, and to simulate that type of attack I'm going to leverage a tool called Artillery.io, which is a load testing tool. It can also be used just to simulate a lot of traffic, so in this case I've got a script set up where I'm going to be generating a whole lot of traffic just against the root of the server.

One dashboard is this overview dashboard, or system overview dashboard, that just lets you see the overall CPU usage, the memory usage and the connections over the last five minutes. In this case you can see the CPU is being stressed, especially where this is a smaller VM that I'm just running on my local machine.

I'm gonna go ahead and stop that attack, and we can look back and see here in the log from Artillery.io what happened as well. So as it started out, at first we were getting 200 responses, because it was successfully getting through; then the F5 WAF detected this violation and it started blocking those.
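The policy behaviours the walkthrough demonstrates (attack signatures that only alarm while in staging and block once enforced, the two-step "change, then Apply Policy" workflow, authenticated URLs that trigger a forceful-browsing violation without a login, and a failed-login threshold that answers with a CAPTCHA) can be modelled in a few dozen lines. The following is an added example written for this page, not F5 code and not the presenter's; the paths, IP addresses, thresholds and the test payload are constructed for illustration, and the regex stands in for the vendor's signature format.

```python
"""Toy model of the WAF policy behaviour in the walkthrough (added example, not F5 code).
Signatures in staging only alarm; enforced ones block; edits stay inactive until
apply_policy(); authenticated URLs need a logged-in session; repeated failed
logins get a CAPTCHA. Paths, IPs, thresholds and payloads are constructed."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Request:
    src_ip: str
    path: str
    params: Dict[str, str]
    session: Optional[str] = None  # session cookie value; None when absent


@dataclass
class Signature:
    name: str
    pattern: str            # regex source, compiled case-insensitively
    enforced: bool = False  # False = staging: log and alarm, never block

    def __post_init__(self) -> None:
        self.regex = re.compile(self.pattern, re.IGNORECASE)


class Policy:
    def __init__(self, login_url: str, authenticated_urls: List[str],
                 failed_login_threshold: int = 5) -> None:
        self.login_url = login_url
        self.authenticated_urls = set(authenticated_urls)
        self.failed_login_threshold = failed_login_threshold
        self.signatures: List[Signature] = []
        self.pending_enforce: List[str] = []  # edited, but "changes not applied"
        self.logged_in_sessions = set()
        self.failed_logins = Counter()

    # -- policy editing: every change is staged until apply_policy() --
    def add_signature(self, sig: Signature) -> None:
        self.signatures.append(sig)

    def enforce(self, names: List[str]) -> None:
        """Request a move from staging to enforcing; inactive until applied."""
        self.pending_enforce.extend(names)

    def changes_pending(self) -> bool:
        return bool(self.pending_enforce)

    def apply_policy(self) -> int:
        """Activate pending changes; returns how many signatures were switched."""
        switched = 0
        for sig in self.signatures:
            if sig.name in self.pending_enforce and not sig.enforced:
                sig.enforced = True
                switched += 1
        self.pending_enforce.clear()
        return switched

    # -- login state, fed from the responses the WAF observes --
    def record_login_success(self, session: str, src_ip: str) -> None:
        self.logged_in_sessions.add(session)
        self.failed_logins[src_ip] = 0

    def record_login_failure(self, src_ip: str) -> None:
        self.failed_logins[src_ip] += 1

    # -- request evaluation --
    def evaluate(self, req: Request) -> dict:
        violations = []
        action = "allow"
        # Forceful browsing: an authenticated URL reached without a logged-in session.
        if req.path in self.authenticated_urls and req.session not in self.logged_in_sessions:
            violations.append(("Login URL bypass (forceful browsing)", "block"))
            action = "block"
        # Attack signatures are matched against every parameter value.
        for sig in self.signatures:
            if any(sig.regex.search(v) for v in req.params.values()):
                mode = "block" if sig.enforced else "alarm"
                violations.append((sig.name, mode))
                if mode == "block":
                    action = "block"
        # Brute force: too many failed logins from this source hitting the login URL.
        if (req.path == self.login_url
                and self.failed_logins[req.src_ip] >= self.failed_login_threshold):
            violations.append(("Excessive failed logins", "captcha"))
            if action == "allow":
                action = "captcha"
        return {"action": action, "violations": violations}


if __name__ == "__main__":
    p = Policy("/login.php", ["/index.php"], failed_login_threshold=3)
    p.add_signature(Signature("XSS script tag in parameter", r"<\s*script\b"))
    xss = Request("203.0.113.7", "/vulnerabilities/xss_r/", {"name": "<script>alert('hi')</script>"})
    print(p.evaluate(xss)["action"], end=" -> ")   # allow: signature still in staging
    p.enforce(["XSS script tag in parameter"]); p.apply_policy()
    print(p.evaluate(xss)["action"])               # block: enforced after Apply Policy
```

The staging path is the part worth keeping in mind when reading the event log from the demo: a signature match in staging produces an alarm with a threat score but the request still reaches the application, which is exactly why the reflected script ran the first time and was rejected only after Enforce followed by Apply Policy.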