In this 40 hour course, students are provided with a functional understanding of how to deploy, tune, and operate F5 Advanced Web Application Firewall to protect their web applications from HTTP-based attacks. The course includes lecture, hands-on labs, and discussion about different F5 Advanced Web Application Firewall tools for detecting and mitigating threats from multiple attack vectors such web scraping, Layer 7 Denial of Service, brute force, bots, code injection, and zero day exploits.
This course is intended for SecOps personnel responsible for the deployment, tuning, and day-to-day maintenance of F5 Adv. WAF. Participants will obtain a functional level of expertise with F5 Advanced WAF, including comprehensive security policy and profile configuration, client assessment, and appropriate mitigation types. • Experience with LTM is not required. • Prior WAF knowledge is not required. • This course is on the list of approved study resources for the F5 ASM 303 certification exam.
Chapter 1: Setting Up the BIG-IP System
• Introducing the BIG-IP System
• Initially Setting Up the BIG-IP System
• Archiving the BIG-IP System Configuration
• Leveraging F5 Support Resources and Tools
Chapter 2: Traffic Processing with BIG-IP
• Identifying BIG-IP Traffic Processing Objects
• Understanding Profiles
• Overview of Local Traffic Policies
• Visualizing the HTTP Request Flow
Chapter 3: Web Application Concepts
• Overview of Web Application Request Processing
• Web Application Firewall: Layer 7 Protection
• Layer 7 Security Checks
• Overview of Web Communication Elements
• Overview of the HTTP Request Structure
• Examining HTTP Responses
• How F5 Advanced WAF Parses File Types, URLs, and Parameters
• Using the Fiddler HTTP Proxy
Chapter 4: Web Application Vulnerabilities
• A Taxonomy of Attacks: The Threat Landscape
• Common Exploits Against Web Applications Chapter 5: Security Policy Deployment
• Defining Learning
• Comparing Positive and Negative Security Models
• The Deployment Workflow
• Assigning Policy to Virtual Server
• Deployment Workflow: Using Advanced Settings • Configure Server Technologies
• Defining Attack Signatures
• Viewing Requests
• Security Checks Offered by Rapid Deployment
• Defining Attack Signatures
Chapter 6: Policy Tuning and Violations
• Post-Deployment Traffic Processing
• How Violations are Categorized
• Violation Rating: A Threat Scale
• Defining Staging and Enforcement
• Defining Enforcement Mode
• Defining the Enforcement Readiness Period
• Reviewing the Definition of Learning
• Defining Learning Suggestions
• Choosing Automatic or Manual Learning
• Defining the Learn, Alarm and Block Settings
• Interpreting the Enforcement Readiness Summary
• Configuring the Blocking Response Page
Chapter 7: Attack Signatures and Threat Campaigns
• Defining Attack Signatures
• Attack Signature Basics
• Creating User-Defined Attack Signatures
• Defining Simple and Advanced Edit Modes
• Defining Attack Signature Sets
• Defining Attack Signature Pools
• Understanding Attack Signatures and Staging
• Updating Attack Signatures
• Defining Threat Campaigns
• Deploying Threat Campaigns
Chapter 8: Positive Security Policy Building
• Defining and Learning Security Policy Components
• Defining the Wildcard
• Defining the Entity Lifecycle
• Choosing the Learning Scheme
• How to Learn: Never (Wildcard Only)
• How to Learn: Always
• How to Learn: Selective
• Reviewing the Enforcement Readiness Period: Entities
• Viewing Learning Suggestions and Staging Status
• Defining the Learning Score
• Defining Trusted and Untrusted IP Addresses
• How to Learn: Compact
Chapter 9: Securing Cookies and Other Headers
• The Purpose of F5 Advanced WAF Cookies
• Defining Allowed and Enforced Cookies
• Securing HTTP headers
Chapter 10: Visual Reporting and Logging
• Viewing Application Security Summary Data
• Reporting: Build Your Own View
• Reporting: Chart based on filters
• Brute Force and Web Scraping Statistics
• Viewing Resource Reports
• PCI Compliance: PCI-DSS 3.0
• Analyzing Requests
• Local Logging Facilities and Destinations
• Viewing Logs in the Configuration Utility
• Defining the Logging Profile
• Configuring Response Logging
Chapter 11: Automatic Policy Building
• Overview of Automatic Policy Building
• Defining Templates Which Automate Learning
• Defining Policy Loosening
• Defining Policy Tightening
• Defining Learning Speed: Traffic Sampling
• Defining Track Site Changes
Chapter 12: Deploying Layered Policies
• Defining a Parent Policy
• Defining Inheritance
• Parent Policy Deployment Use Cases
Chapter 13: Login Enforcement and Brute Force Mitigation
• Defining Login Pages for Flow Control
• Configuring Automatic Detection of Login Pages
• Defining Brute Force Attacks
• Brute Force Protection Configuration
• Source-Based Brute Force Mitigations
• Defining Credential Stuffing
• Mitigating Credential Stuffing
Chapter 14: Layer 7 DoS Mitigation
• Defining Denial of Service Attacks
• Defining the DoS Protection Profile
• Overview of TPS-based DoS Protection
• Creating a DoS Logging Profile
• Applying TPS Mitigations
• Defining Behavioral and Stress-Based Detection Chapter 15: Advanced Bot Defense
• Classifying Clients with the Bot Defense Profile
• Defining Bot Signatures
• Defining F5 Fingerprinting
• Defining Bot Defense Profile Templates
• Defining Microservices protection
Chapter 16: Form Encryption using DataSafe
• Targeting Elements of Application Delivery
• Exploiting the Document Object Model
• Protecting Applications Using DataSafe
• The Order of Operations for URL Classification
• Describe the role of the BIG-IP system as a full proxy device in an application delivery network
• Provision the F5 Advanced Web Application Firewall
• Define a web application firewall
• Describe how F5 Advanced Web Application Firewall protects a web application by securing file types, URLs, and parameters
• Deploy F5 Advanced Web Application Firewall using the Rapid Deployment template (and other templates) and define the security checks included in each
• Define learn, alarm, and block settings as they pertain to configuring F5 Advanced Web Application Firewall
• Define attack signatures and explain why attack signature staging is important
• Deploy Threat Campaigns to secure against CVE threats
• Contrast positive and negative security policy implementation and explain benefits of each
• Configure security processing at the parameter level of a web application
• Deploy F5 Advanced Web Application Firewall using the Automatic Policy Builder
• Tune a policy manually or allow automatic policy building
• Integrate third party application vulnerability scanner output into a security policy
• Configure login enforcement for flow control
• Mitigate credential stuffing
• Configure protection against brute force attacks
• Deploy Advanced Bot Defense against web scrapers, all known bots, and otherautomated agents
• Deploy DataSafe to secure client-side data
The following general network technology knowledge and experience are recommended before attending any F5 Global Training Services instructor-led course:
• OSI model encapsulation
• Routing and switching
• Ethernet and ARP
• TCP/IP concepts
• IP addressing and subnetting
• NAT and private IP addressing
• Default gateway
• Network firewalls
• LAN vs. WAN