Article purpose and audience
The Cequence Unified API Protection Platform (UAP) integrates natively with F5 BIG-IP deployments. This article provides step-by-step instructions for adding Cequence UAP to an existing F5 BIG-IP deployment, using the F5 BIG-IP UI 16.1.3.2 for illustration. Also, please read the F5 Integration Overview document for a general description.
Cequence Security Integration
There are two basic approaches for integrating Cequence Unified API Protection Platform (UAP) into an existing F5 BIG-IP Deployment: inline and passive. Your Cequence UAP deployment could include Bot Defense, API Sentinel, or both.
In inline integration, API traffic is routed through the Cequence UAP. This deployment scenario supports both bot mitigation and API protection. For inline integration, there are two options to choose from: Upstream and Hairpin.
In passive integration, request/response transaction information is captured and sent to Cequence UAP using the F5 BIG-IP Clone Pools feature. This approach supports API discovery and risk analysis of APIs by Cequence API Sentinel. Detection, discovery, and risk events may be logged to external SIEM and SOAR services.
This guide provides information to configure the F5 BIG-IP to support Upstream and Hairpin for inline deployments. Upon request, the Cequence Customer Success Team can assist with your Cequence UAP deployment to meet your security posture needs.
Prerequisites
This deployment will require the following:
- F5 BIG-IP
- Local Traffic (LTM)
- Cequence UAP deployment w/ Defender
- HTTP profile for X-Forwarded-For Header IP configured in the BIG-IP
- MTLS configuration (Optional)
The traffic between the relevant components can be configured to communicate via private networks or publicly routed networks. This integration ensures the traffic is encrypted during every step, so how you integrate is your preference. The attachments in this document are provided as a reference only and cannot be imported into the F5 BIG-IP. Save your configuration after every step to avoid configuration loss.
MTLS Authentication Support
Normal SSL/TLS encryption is one-way: the client performs the SSL handshake when initiating a new connection to an SSL-protected application and validates only the server's certificate. Cequence Security supports this method by default. Cequence also supports Mutual TLS (MTLS) authentication, which provides an additional layer of security. In MTLS, the remote client and the protected application server each validate the other's certificate against the CA certificates in their trusted CA stores.
The steps to configure MTLS are provided below as an overview, to demonstrate that Cequence fully supports Mutual TLS authentication. You can also go directly to the following F5 document for complete end-to-end configuration detail. MTLS configuration is optional.
F5 Mutual TLS Authentication Documentation
Import The Application SSL Certificate
1. In the BIG-IP, go to System > Certificate Management > Traffic Certificate Management > SSL Certificate List, then click "Import."
2. Next, select "Key" and enter the parameters accordingly.
Import The Signing Certificate
1. To import the signing certificate, select "Certificate" as the import type and enter your parameters.
Create the Client SSL Profile
1. Configure the Client SSL profile for two-way authentication. Navigate to Local Traffic > Profiles > SSL > Client. You can configure it as strict or less restrictive. See F5 document k12140946 for more detail.
2. In the top left, click "Create" and configure all the necessary parameters.
3. Be sure to add the necessary parameters to match your deployment:
Name: your profile name
Configuration: Custom [This tab is on the far right]
Certificate Key Chain: Add
Certificate: Associate website certificate [see image below]
Key: Associate website key [see image below]
4. Be sure to associate your web certificate and key.
5. Once you have configured your Client SSL profile, you must associate it with the Virtual Server.
6. The final step is to import the client certificate. You will find the complete steps to accomplish this in the F5 documentation below.
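The same MTLS steps expressed as tmsh commands, run from the BIG-IP advanced (bash) shell. This is an added example and is not part of the Cequence or F5 documentation. The file names app.crt, app.key and client_ca.crt, the profile name app_mtls_clientssl and the virtual server name vs1_api_clients are placeholders for your own objects.

```tmsh
# Added example: tmsh equivalent of the MTLS UI steps above. All names are placeholders.
# The certificate and key files are assumed to have been copied to /var/tmp on the BIG-IP first.

# Import the application certificate and its key (SSL Certificate List > Import).
tmsh install sys crypto cert app.crt from-local-file /var/tmp/app.crt
tmsh install sys crypto key app.key from-local-file /var/tmp/app.key

# Import the CA certificate that signs the client certificates.
tmsh install sys crypto cert client_ca.crt from-local-file /var/tmp/client_ca.crt

# Client SSL profile for two-way authentication: present the application certificate
# and require a client certificate issued by client_ca.crt (the strict variant).
# For the less restrictive variant use "peer-cert-mode request", which asks for a
# client certificate but lets the handshake complete without one.
tmsh create ltm profile client-ssl app_mtls_clientssl \
    defaults-from clientssl \
    cert-key-chain add { app_chain { cert app.crt key app.key } } \
    client-cert-ca client_ca.crt \
    peer-cert-mode require

# Associate the profile with the virtual server, removing the default clientssl
# profile first so the virtual server presents a single client SSL profile.
tmsh modify ltm virtual vs1_api_clients profiles delete { clientssl }
tmsh modify ltm virtual vs1_api_clients profiles add { app_mtls_clientssl { context clientside } }

# Verify, then save so the change survives a restart.
tmsh list ltm profile client-ssl app_mtls_clientssl
tmsh save sys config
```

With peer-cert-mode require, a client that presents no certificate, or one not chained to client_ca.crt, fails the handshake at the BIG-IP and never reaches the Cequence platform or the application.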
Create HTTP Profile
An HTTP profile must be created to decrypt the traffic and log the source IP address. This ensures the Cequence Platform can record the correct end user/API client IP address. First, create the HTTP profile.
1. Create an HTTP Profile to extract the client source IP address. In the main menu, navigate to "Local Traffic," then select "Profiles." Select the Create button at the top right to create the HTTP Profile.
2. Configure the settings with the information below:
Partition / Path: Common
Proxy Mode: Reverse
Parent Profile: http
Insert X-Forwarded-For: Enabled
3. Leave all the rest as defaults.
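The same HTTP profile created from tmsh, as an added example (not from the original guide). The profile name http_xff is the one the virtual server steps later in this guide refer to; the settings match the UI fields above, and everything else inherits from the parent profile.

```tmsh
# Added example: tmsh equivalent of the HTTP profile settings above.
# Partition Common, reverse proxy mode, parent profile "http", Insert X-Forwarded-For enabled.
tmsh create ltm profile http /Common/http_xff \
    defaults-from http \
    proxy-type reverse \
    insert-xforwarded-for enabled

# "list" shows only the values that differ from the parent, which is a quick way to
# confirm that insert-xforwarded-for is the one non-default setting.
tmsh list ltm profile http http_xff
tmsh save sys config
```

The BIG-IP adds an X-Forwarded-For header carrying the TCP source address of the client connection. Any X-Forwarded-For header the client itself sent arrives alongside it, so the Cequence platform and the application should treat only the BIG-IP-inserted value as the client address and never a client-supplied one.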
Integration Deployments
API traffic is received by the F5 BIG-IP, then forwarded to Cequence for deeper API security analysis. Cequence then sends the request back to the BIG-IP en route to the application server.
Inline Data flow - Hairpin Deployment:
- The end user/API client sends a request to the application server, which is first received by the F5 BIG-IP Virtual Server1 IP address.
- The BIG-IP has an HTTP profile that decrypts the traffic to gather the true source IP address of the client. The traffic is then re-encrypted, with an X-Forwarded-For header added, to be processed by the next step.
- Virtual Server1 then forwards the request to the Cequence Unified API Protection Platform (UAP).
- The traffic is recorded and processed for discovery, analysis, and threat mitigation. The request can then be blocked, redirected, or otherwise mitigated by a Cequence threat mitigation policy action, if one is configured.
- Validated requests are then returned to the BIG-IP by the Cequence platform and received on the Virtual Server2 IP address.
- The F5 BIG-IP Virtual Server2 forwards the request to the application server, where it is processed.
- To avoid stateful TCP errors, the application server response takes the same return path to the end user or API client by default.
Hairpin Deployment Steps
Create Virtual Server1
Configuration examples are attached to this document for reference; each step is also detailed below. This section requires the configuration of the following:
- Virtual Server to receive traffic from the end user/API Client and forward to the Cequence Platform
- HTTP Profile to decrypt SSL and provide the true X-Forwarded-For Header
- Virtual Server to receive traffic from the Cequence Platform and forward to the application server
- Health monitor
1. Create a Virtual Server for the Cequence platform, with the Defender IP address in its pool. In the main menu, navigate to "Local Traffic," then select "Virtual Servers."
2. Select the Create button at the top right to create Virtual Server1. This will be the external VIP for application server traffic. Set the settings listed below and leave the rest as defaults.
3. Configuration settings for Virtual Server1:
Source Address: 0.0.0.0/0 (the default, which allows traffic from any external source)
Destination Address: Internal VIP address for API Clients
Service Port: http/https
Protocol: TCP
Protocol Profile (Client): tcp
Protocol Profile (Server): (Use Client Profile)
HTTP Profile (Client): http_xff
SSL Profile (Client): clientssl
SSL Profile (Server): serverssl-insecure-compatible
Source Address Translation: Auto Map
4. Create your backend pool directly in the virtual server configuration UI. Down below in the "Resources" section on the default pool tab, click the "Plus" button. You will create your "Pool" for the Cequence Platform.
5. This pool will point directly to the IP address of the Cequence data plane.
6. You can name your pool as you see fit. Populate the following settings:
Name: pool_security_appliance
Configuration: Basic
Load Balancing Method: Round Robin (or your preference)
Health Monitor: http or https
Create Virtual Server2
1. Create a Virtual Server to receive traffic returned by the Cequence platform. In the main menu, navigate to "Local Traffic," then select "Virtual Servers."
2. Select the Create button at the top right to create Virtual Server2. This will be the VIP that receives traffic from the Cequence Platform. Set the settings listed below and leave the rest as defaults.
3. Configuration settings for Virtual Server2:
Source Address: 0.0.0.0/0 (the default, which allows traffic from any source)
Destination Address: Internal VIP address for Web Pool
Service Port: http/https
Protocol: TCP
Protocol Profile (Client): tcp
Protocol Profile (Server): (Use Client Profile)
HTTP Profile (Client): None
SSL Profile (Client): None
SSL Profile (Server): None
Source Address Translation: Auto Map
4. Create your backend pool directly in the virtual server configuration UI. Down below in the "Resources" section on the default pool tab, click the "Plus" button. You will create your "Pool" for the application server(s).
5. This pool will point directly to the IP address of the application server(s).
6. You can name your pool as you see fit. Populate the following settings:
Name: pool_web_server
Configuration: Basic
Load Balancing Method: Round Robin (or your preference)
Health Monitor: http or https
After following the steps above, your F5 BIG-IP configuration will support integration with Cequence UAP in an inline hairpin deployment.
Inline Data flow - Upstream Deployment
API traffic is received by the F5 BIG-IP, then forwarded to Cequence en route to the application server for deeper API security analysis.
- The end user/API client sends a request to the application server, which is first received by the F5 BIG-IP Virtual Server1 IP address.
- The BIG-IP has an HTTP profile that decrypts the traffic to gather the true source IP address of the client. The traffic is then re-encrypted, with an X-Forwarded-For header added, to be processed by the next step.
- Virtual Server1 then forwards the request to the Cequence Unified API Protection Platform (UAP).
- The traffic is recorded and processed for discovery, analysis, and threat mitigation. The request can then be blocked, redirected, or otherwise mitigated by a Cequence threat mitigation policy action, if one is configured.
- Validated requests are then forwarded by the Cequence platform to the application server, where they are processed.
- To avoid stateful TCP errors, the application server response takes the same return path to the end user or API client by default.
Upstream Deployment Steps
For basic inline upstream deployment, only one virtual server is needed. The Cequence Platform will receive the traffic from the BIG-IP and forward upstream to the application server after deeper analysis.
Create a Virtual Server
Configuration examples are attached to this document for reference; each step is also detailed below. This section requires the configuration of the following:
- Virtual Server to receive traffic from the end user/API Client and forward to the Cequence Platform
- HTTP Profile to decrypt SSL and provide the true X-Forwarded-For Header
- Health monitor
1. Create a Virtual Server for the Cequence platform, with the Defender IP address in its pool. In the main menu, navigate to "Local Traffic," then select "Virtual Servers."
2. Select the Create button at the top right to create Virtual Server1. This will be the external VIP that forwards traffic to the Cequence Security Platform. Set the settings listed below and leave the rest as defaults.
3. Configuration settings for Virtual Server1:
Source Address: 0.0.0.0/0 (the default, which allows traffic from any external source)
Destination Address: Internal VIP address for API Clients
Service Port: http/https
Protocol: TCP
Protocol Profile (Client): tcp
Protocol Profile (Server): (Use Client Profile)
HTTP Profile (Client): http_xff
SSL Profile (Client): clientssl
SSL Profile (Server): serverssl-insecure-compatible
Source Address Translation: Auto Map
4. Create your backend pool directly in the virtual server configuration UI. Down below in the "Resources" section on the default pool tab, click the "Plus" button. You will create your "Pool" for the Cequence Platform.
5. This pool will point directly to the IP address of the Cequence data plane.
6. You can name your pool as you see fit. Populate the following settings:
Name: pool_security_appliance
Configuration: Basic
Load Balancing Method: Round Robin (or your preference)
Health Monitor: http or https
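The virtual server and pool steps of both the Hairpin Deployment Steps and the Upstream Deployment Steps, expressed as tmsh commands run from the BIG-IP bash shell. This is an added example, not configuration from the Cequence guide or its attachments. The first two commands (the Cequence pool and Virtual Server1) are all an upstream deployment needs; the Virtual Server2 commands apply to the hairpin deployment only. The IP addresses and the object names vs1_api_clients and vs2_from_cequence are placeholders, and the http_xff profile from the Create HTTP Profile section is assumed to exist.

```tmsh
# Added example: tmsh equivalent of the virtual server steps above. Addresses are placeholders.
# Assumes the http_xff profile (Create HTTP Profile section) has already been created.

# --- Used by both Upstream and Hairpin: pool of Cequence Defender(s) and Virtual Server1 ---
# Pool pointing at the Cequence data plane, HTTPS health monitor, round robin.
tmsh create ltm pool pool_security_appliance \
    load-balancing-mode round-robin \
    monitor https \
    members add { 198.51.100.20:443 }

# Virtual Server1: external VIP for API clients. Terminates TLS with clientssl, inserts
# X-Forwarded-For via http_xff, re-encrypts toward Cequence, SNATs with automap.
# "tcp" with no context applies to both sides (UI: Protocol Profile (Server) = Use Client Profile).
tmsh create ltm virtual vs1_api_clients \
    source 0.0.0.0/0 \
    destination 203.0.113.10:443 \
    ip-protocol tcp \
    profiles add { tcp { } http_xff { } clientssl { context clientside } serverssl-insecure-compatible { context serverside } } \
    source-address-translation { type automap } \
    pool pool_security_appliance

# --- Hairpin only: Virtual Server2 receives validated requests back from Cequence ---
tmsh create ltm pool pool_web_server \
    load-balancing-mode round-robin \
    monitor https \
    members add { 10.0.0.11:443 10.0.0.12:443 }

# Virtual Server2 has no HTTP or SSL profiles, so the TLS session from Cequence is passed
# through to the application servers unchanged (plain TCP virtual server, automap SNAT).
tmsh create ltm virtual vs2_from_cequence \
    source 0.0.0.0/0 \
    destination 10.0.0.100:443 \
    ip-protocol tcp \
    profiles add { tcp { } } \
    source-address-translation { type automap } \
    pool pool_web_server

tmsh save sys config
```

Two points worth checking in a production build. serverssl-insecure-compatible does not verify the certificate the Cequence data plane presents; a custom server SSL profile that verifies the peer (peer-cert-mode require with the appropriate ca-file) closes that gap. And because Virtual Server2 accepts any source, a client that can reach its address could bypass inspection by connecting to it directly; limiting its source to the Cequence data plane addresses (for example source 198.51.100.20/32 in the command above) ensures only traffic that has passed through Cequence reaches the application pool.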
Once the configuration is complete on your F5 BIG-IP, your Cequence Security Platform will begin processing traffic in collaboration with the BIG-IP. For any questions, please reach out to your Cequence Security contact.
Passive Data Flow - Sensor Deployment
The Cequence Platform receives a copy of the traffic from the BIG-IP and, after analysis, forwards the log transactions to a SIEM or SOAR platform for further action. For more information on F5 BIG-IP passive deployments, see the F5 documentation on F5 Passive Deployments.
- The end user/API client sends a request to the application server, which is first received by the F5 BIG-IP Virtual Server1 IP address.
- The BIG-IP has an HTTP profile that decrypts the traffic to gather the true source IP address of the client. The traffic is then re-encrypted, with an X-Forwarded-For header added, to be processed by the next step.
- Two different things happen next:
  - Virtual Server1 forwards the request to the upstream application server.
  - A copy of the traffic is forwarded via the Clone Pool to the Cequence Platform through the CQ Sensor, which applies its Next-Generation API security capabilities, including discovery and analysis.
- Log transactions can then be sent to upstream SIEM or SOAR platforms with added information to help security analysts further inspect potential threats.
Create a Clone Pool
For passive deployment, the main difference is that you create a clone pool and apply it to the Virtual Server. To accomplish this, follow these steps.
1. Create a Clone Pool for the Cequence platform with the CQ Sensor IP address in the pool. In the main menu, navigate to "Local Traffic," then select "Pools."
2. Select Create and enter all of the necessary configuration parameters. For the address, use the CQ Sensor IP address.
3. Next, from the Virtual Server UI, change the Configuration to Advanced. Toward the bottom of the Advanced section, select Clone Pool (Server) and enter the cq_sensor pool.
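The clone pool steps as tmsh commands, added here as an example rather than taken from the guide. The sensor address is a placeholder for your CQ Sensor IP, and vs1_api_clients is a placeholder name for the virtual server that forwards traffic to the application servers.

```tmsh
# Added example: tmsh equivalent of the clone pool steps above. Placeholder address and names.
# Service port 0 means any port: a clone pool delivers copies of the packets to the member,
# it does not open a new connection to a service.
tmsh create ltm pool cq_sensor members add { 198.51.100.30:0 }

# Clone Pool (Server): copy the server-side traffic of the virtual server to the sensor.
# The copy is what the BIG-IP sends toward the application pool, so the sensor sees the
# same encryption state as the application servers do.
tmsh modify ltm virtual vs1_api_clients clone-pools add { cq_sensor { context serverside } }

# Verify the clone pool is attached, then save.
tmsh list ltm virtual vs1_api_clients clone-pools
tmsh save sys config
```

Because the sensor only receives copies, a sensor outage never interrupts client traffic; the trade-off is that this path can discover and analyze APIs but cannot block a request, which is why the guide pairs passive deployment with SIEM/SOAR hand-off rather than inline mitigation.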
Once the configuration is complete on your F5 BIG-IP, your Cequence Security Platform will begin processing passive traffic in collaboration with the BIG-IP. For any questions, please reach out to your Cequence Security Success Team.
Attachments
- F5 Virtual Server
- F5 VS1 Pool
- F5 VS1 HTTP Profile
- F5 VS2 Pool
- F5 Virtual Server