F5 BIG-IP WAF v1.0.0

About the connector

The F5 BIG-IP WAF can identify and block attacks, filter, monitor, and block HTTP/S traffic, to and from a web application to protect against malicious attempts that can compromise the system or ex-filtrate data. By inspecting HTTP/S traffic, the F5 BIG-IP WAF can prevent web application attacks such as cross-site scripting, SQL injection, cookie poisoning, invalid input etc.

This document provides information about the F5 BIG-IP WAF connector, which facilitates automated interactions with an F5 BIG-IP WAF server using FortiSOAR™ playbooks. Add the F5 BIG-IP WAF connector as a step in FortiSOAR™ playbooks and perform automated operations, such as creating or deleting network firewall policy and associated rules, listing network policies and associated rules, and updating network firewall policy rules.

Version information

Connector Version: 1.0.0

FortiSOAR™ Version Tested on: 4.12.1-253 and later

F5 BIG-IP WAF Version Tested on: 14.0.0.3-0.0.4

Authored By: Fortinet

Certified: Yes

Installing the connector

All connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and use the yum command to install connectors:

yum install cyops-connector-f5-big-ip-waf

For the detailed procedure to install a connector, click here.

Prerequisites to configuring the connector

• You must have the IP address or the Server URL of F5 BIG-IP WAF server to which you will connect and perform automated operations and credentials such as the username and password to access that server.
• To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.
• Ensure that you have required permission to the necessary modules on F5 BIG-IP WAF.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the connectors page, select the F5 BIG-IP WAF connector row, and in the Configure tab enter the required configuration details.

Parameter	Description
Server Address	IP address or FQDN of the F5 BIG-IP WAF server to which you will connect and perform the automated operations.
Username	Username used to access the F5 BIG-IP WAF server to which you will connect and perform the automated operations.
Password	Password used to access the F5 BIG-IP WAF server to which you will connect and perform the automated operations.
Verify SSL	Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 and onwards:

Function	Description	Annotation and Category
Create Network Firewall Policy	Creates a new network firewall policy for the specified partition on F5 BIG-IP WAF based on the policy name provided.	create_policy Miscellaneous
Create Network Firewall Policy Rule	Creates a new rule for the specified network firewall policy in F5 BIG-IP WAF.	create_policy_rule Miscellaneous
Get List of Virtual Servers	Retrieves a list of virtual servers from F5 BIG-IP WAF.	List_virtual_servers Investigation
Get List of Policy Rules	Retrieves a list of rules associated with the specified network firewall policy from F5 BIG-IP WAF.	list_policy_rules Investigation
Get List of Network Firewall Policies	Retrieves a list of network firewall policies for the specified partition from F5 BIG-IP WAF.	get_policy Investigation
Apply Network Firewall Policy to Virtual Server	Applies or removes network firewall policy for the specified virtual server.	apply_policy Investigation
Update Network Firewall Policy Rule	Updates an existing rule for the specified network firewall policy on F5 BIG-IP WAF.	update_policy_rule Investigation
Delete Network Firewall Policy	Deletes the specified network firewall policy from F5 BIG-IP WAF.	delete_policy Miscellaneous
Delete Network Firewall Policy Rule	Deletes a rule for the specified network firewall policy from F5 BIG-IP WAF.	delete_policy_rule Miscellaneous

operation: Create Network Firewall Policy

Input parameters

Parameter	Description
Policy Name	Name of the network firewall policy that you want to create on F5 BIG-IP WAF.
Partition	Name of the network partition to which to apply the new policy that you want to create on F5 BIG-IP WAF. By default, the new policy will be applied to the Common partition. Partitions are containers with administrative boundaries that you control with access permissions.
Description	Description of the new network firewall policy that you want to create on F5 BIG-IP WAF.

Output

The output contains the following populated JSON schema:
{
"name": "",
"kind": "",
"fullPath": "",
"description": "",
"rulesReference": {
"link": "",
"isSubcollection": ""
},
"selfLink": "",
"generation": "",
"partition": ""
}

operation: Create Network Firewall Policy Rule

Input parameters

Parameter	Description
Policy Name	Name of the existing firewall policy for which you want to create the new rule in F5 BIG-IP WAF.
Partition	Name of the network partition to which to apply the new rule on F5 BIG-IP WAF. By default, the new rule will be applied to the Common partition. Partitions are containers with administrative boundaries that you control with access permissions.
Rule Name	Name of the new rule that you want to create on F5 BIG-IP WAF for the specified firewall policy.
State	State (Enabled or Disabled) in which you want to create the new rule on F5 BIG-IP WAF. Enabled - applies the new rule to the addresses and ports specified, by default. Disabled - does not apply the new rule to the addresses and ports specified, by default.
Protocol	The protocol to which the new firewall policy rule will be applicable on F5 BIG-IP WAF.
Specify Rule Position	Specify whether you want to add the new rule at the beginning or at end of the rules list for the specified policy on F5 BIG-IP WAF.
Action	Select from the actions - Accept, Drop or Reject, to specify whether to accept, drop or reject the connection with the IP addresses provided in Source and/or Destination.
Source	Comma-separated list of source IP addresses or the range of IP addresses which the new firewall rule will be applicable on F5 BIG-IP WAF.
Destination	Comma-separated list of destination IP addresses or the range of IP addresses which the new firewall rule will be applicable on F5 BIG-IP WAF.
iRule	Specify an iRule to be applied to the new firewall policy rule on F5 BIG-IP WAF. An iRule can be started when the firewall rule matches traffic.
iRule Sampling Rate	Specify the frequency with which an iRule is to be triggered in the new rule, for sampling purposes on F5 BIG-IP WAF. The value you configure is one out of n times the iRule is triggered. For example, set this field to 5 to trigger the iRule one out of every five times the rule matches a flow.
Send to Virtual Server	Specify a virtual server to which to send the traffic that matches the iRule on F5 BIG-IP WAF.
Service Policy	Specify a service policy to apply to the new firewall policy rule on F5 BIG-IP WAF. A service policy collects flow timer and flow timeout features in a policy that can be applied to different contexts, and allows you to configure policies to drop traffic on a specified port when the service does not match.
Protocol Inspection Profile	Specify a protocol inspection profile to associate with the new firewall policy rule on F5 BIG-IP WAF. Protocol inspection profiles can be configured to run multiple inspections across different protocols.
Classification Policy	Specify a classification policy to associate with the new firewall policy rule on F5 BIG-IP WAF.
Enable Logging for Rule	Specify whether logging should be enabled or disabled for the new firewall policy rule on F5 BIG-IP WAF.

Output

The output contains the following populated JSON schema:
{
"name": "",
"ipProtocol": "",
"action": "",
"selfLink": "",
"generation": "",
"kind": "",
"source": {
"addresses": [
{
"name": ""
}
],
"identity": {}
},
"fullPath": "",
"log": "",
"status": "",
"destination": {},
"iruleSampleRate": ""
}

operation: Get List of Policy Rules

Input parameters

Parameter	Description
Policy Name	Name of the network firewall policy for which you want to retrieve the list of associated rules from F5 BIG-IP WAF.
Partition	Name of the network partition for which to retrieve the list of associated firewall policy rules from F5 BIG-IP WAF. By default, the firewall policy rules list will be fetched for the Common partition. Partitions are containers with administrative boundaries that you control with access permissions.

Output

The output contains the following populated JSON schema:
{
"kind": "",
"items": [
{
"kind": "",
"ipProtocol": "",
"status": "",
"selfLink": "",
"generation": "",
"name": "",
"source": {
"identity": {}
},
"fullPath": "",
"log": "",
"action": "",
"destination": {},
"iruleSampleRate": ""
}
],
"selfLink": ""
}

operation: Get List of Virtual Servers

Input parameters

None.

Output

The output contains the following populated JSON schema:

{
"kind": "",
"selfLink": "",
"items": [
{
"generation": "",
"lastModifiedTime": "",
"cmpEnabled": "",
"throughputCapacity": "",
"fwStagedPolicyReference": {
"link": ""
},
"rateLimit": "",
"mask": "",
"source": "",
"ipProtocol": "",
"poolReference": {
"link": ""
},
"partition": "",
"fwEnforcedPolicyReference": {
"link": ""
},
"translateAddress": "",
"enabled": "",
"synCookieStatus": "",
"sourcePort": "",
"fwEnforcedPolicy": "",
"rateLimitSrcMask": "",
"mirror": "",
"rateLimitDstMask": "",
"name": "",
"addressStatus": "",
"rateLimitMode": "",
"nat64": "",
"securityNatPolicy": {
"useDevicePolicy": "",
"useRouteDomainPolicy": ""
},
"kind": "",
"selfLink": "",
"connectionLimit": "",
"profilesReference": {
"link": "",
"isSubcollection": ""
},
"gtmScore": "",
"vsIndex": "",
"creationTime": "",
"fullPath": "",
"sourceAddressTranslation": {
"type": ""
},
"vlansDisabled": "",
"pool": "",
"destination": "",
"fwStagedPolicy": "",
"policiesReference": {
"link": "",
"isSubcollection": ""
},
"mobileAppTunnel": "",
"autoLasthop": "",
"serviceDownImmediateAction": "",
"translatePort": ""
}
]
}

operation: Get List of Network Firewall Policies

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
"kind": "",
"items": [
{
"name": "",
"kind": "",
"fullPath": "",
"rulesReference": {
"link": "",
"isSubcollection": ""
},
"selfLink": "",
"generation": "",
"partition": ""
}
],
"selfLink": ""
}

operation: Apply Network Firewall Policy to Virtual Server

Input parameters

Parameter	Description
Virtual Server Name	Name of the virtual server to which you want to apply a network firewall policy on F5 BIG-IP WAF.
Partition	Name of the network partition where the virtual server belongs on F5 BIG-IP WAF. You can find the partition name for a virtual server using ‘Get List of Virtual Servers’ action.
Enforcement	Enables or disables the firewall policy for the specified virtual server in the Network Firewall area on F5 BIG-IP WAF. If you select Enabled, then select the firewall policy to be applied on the virtual server. If you select Disabled, then any previously applied firewall policy on the virtual server will be removed.
Policy Name	Name of the firewall policy that you want to apply on the specified virtual server in Enforcement, on F5 BIG-IP WAF. Note: The firewall policies defined for Common partition can also be applied to the virtual servers in other partitions. However, the policies defined for any other partitions can not be applied to the virtual servers in Common partition.
Staging	Enables or disables the staging of firewall policy for the specified virtual server in the Network Firewall area on F5 BIG-IP WAF. If you select Enabled, then select the firewall policy to be staged for applying on the virtual server. If you select Disabled, then any previously staged firewall policy will be removed for the virtual server.
Policy Name	Name of the firewall policy that you want to apply on the specified virtual server in Staging, on F5 BIG-IP WAF. Note: The firewall policies defined for Common partition can also be applied to the virtual servers in other partitions. However, the policies defined for any other partitions can not be applied to the virtual servers in Common partition.

Output

The output contains the following populated JSON schema:

{
"generation": "",
"connectionLimit": "",
"description": "",
"cmpEnabled": "",
"rateLimitMode": "",
"fwStagedPolicyReference": {
"link": ""
},
"vsIndex": "",
"mask": "",
"ipProtocol": "",
"source": "",
"partition": "",
"fwEnforcedPolicyReference": {
"link": ""
},
"translateAddress": "",
"policiesReference": {
"link": "",
"isSubcollection": ""
},
"enabled": "",
"lastModifiedTime": "",
"sourcePort": "",
"rateLimitSrcMask": "",
"mirror": "",
"name": "",
"addressStatus": "",
"nat64": "",
"synCookieStatus": "",
"securityNatPolicy": {
"useDevicePolicy": "",
"useRouteDomainPolicy": ""
},
"kind": "",
"selfLink": "",
"vlansDisabled": "",
"profilesReference": {
"link": "",
"isSubcollection": ""
},
"gtmScore": "",
"destination": "",
"creationTime": "",
"fullPath": "",
"fwStagedPolicy": "",
"sourceAddressTranslation": {
"type": ""
},
"rateLimit": "",
"rateLimitDstMask": "",
"fwEnforcedPolicy": "",
"throughputCapacity": "",
"mobileAppTunnel": "",
"autoLasthop": "",
"serviceDownImmediateAction": "",
"translatePort": ""
}

operation: Update Network Firewall Policy Rule

Input parameters

Parameter	Description
Policy Name	Name of the existing firewall policy for which you want to update the associated rule in F5 BIG-IP WAF.
Partition	Name of the network partition for which you want to update the associated firewall policy rule on F5 BIG-IP WAF. By default, the rule will be updated for the Common partition. Partitions are containers with administrative boundaries that you control with access permissions.
Rule Name	Name of the existing rule that you want to update on F5 BIG-IP WAF for the specified policy.
State	Update the State (Enabled or Disabled) of the specified firewall policy rule on F5 BIG-IP WAF. Enabled - applies the updated rule to the addresses and ports specified, by default. Disabled - does not apply the updated rule to the addresses and ports specified, by default.
Protocol	The protocol to which the updated firewall policy rule will be applicable on F5 BIG-IP WAF.
Action	Select from the actions - Accept, Drop or Reject, to specify whether to accept, drop or reject the connection with the IP addresses provided in Source and/or Destination.
Source/Destination IP Addresses	Specify whether to add or remove the IP addresses specified in the Source and Destination. Add - adds the specified IPs to the rule being updated. Remove - removes the specified IPs from the rule being updated.
Source	Comma-separated list of source IP addresses or the range of IP addresses that you want to add or remove from the firewall policy rule.
Destination	Comma-separated list of destination IP addresses or the range of IP addresses that you want to add or remove from the firewall policy rule.
iRule	Specify an iRule to be applied to the firewall policy rule on F5 BIG-IP WAF. An iRule can be started when the firewall rule matches traffic.
iRule Sampling Rate	Specify the frequency with which an iRule is to be triggered in the firewall policy rule, for sampling purposes on F5 BIG-IP WAF. The value you configure is one out of n times the iRule is triggered. For example, set this field to 5 to trigger the iRule one out of every five times the rule matches a flow.
Send to Virtual Server	Specify a virtual server to which to send the traffic that matches the iRule on F5 BIG-IP WAF.
Service Policy	Specify a service policy to apply to the firewall policy rule on F5 BIG-IP WAF. A service policy collects flow timer and flow timeout features in a policy that can be applied to different contexts, and allows you to configure policies to drop traffic on a specified port when the service does not match.
Protocol Inspection Profile	Specify a protocol inspection profile to associate with the firewall policy rule on F5 BIG-IP WAF. Protocol inspection profiles can be configured to run multiple inspections across different protocols.
Classification Policy	Specify a classification policy to associate with the new firewall policy rule on F5 BIG-IP WAF.
Enable Logging for Rule	Specify whether logging should be enabled or disabled for the rule you want to update on F5 BIG-IP WAF.

Output

The output contains the following populated JSON schema:
{
"name": "",
"ipProtocol": "",
"action": "",
"selfLink": "",
"generation": "",
"kind": "",
"source": {
"addresses": [
{
"name": ""
}
],
"identity": {}
},
"fullPath": "",
"log": "",
"status": "",
"destination": {
"addresses": [
{
"name": ""
}
]
},
"iruleSampleRate": ""
}

operation: Delete Network Firewall Policy

Input parameters

Parameter	Description
Policy Name	Name of the existing network firewall policy that you want to delete from F5 BIG-IP WAF.
Partition	Name of the network partition for which to delete the firewall policy in F5 BIG-IP WAF. By default, the specified firewall policy is deleted for the Common partition. Partitions are containers with administrative boundaries that you control with access permissions.

Output

The output contains the following populated JSON schema:
{
"result": "",
"status": ""
}

operation: Delete Network Firewall Policy Rule

Input parameters

Parameter	Description
Policy Name	Name of the existing network firewall policy for which you want to delete an associated rule in F5 BIG-IP WAF.
Partition	Name of the network partition for which to delete the associated firewall policy rule in F5 BIG-IP WAF. By default, the rule is deleted for the Common partition. Partitions are containers with administrative boundaries that you control with access permissions.
Rule Name	Name of the rule that you want to delete from F5 BIG-IP WAF for the specified firewall policy.

Output

The output contains the following populated JSON schema:
{
"result": "",
"status": ""
}

Included playbooks

The Sample - F5 BIG-IP WAF - 1.0.0 playbook collection comes bundled with the F5 BIG-IP WAF connector. These playbooks contain steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the F5 BIG-IP WAF connector.

• Apply Network Firewall Policy to Virtual Server

• Create Network Firewall Policy

• Create Network Firewall Policy Rule

• Delete Network Firewall Policy

• Delete Network Firewall Policy Rule

• Get List of Network Firewall Policies

• Get List of Policy Rules

• Get List of Virtual Server

• Update Network Firewall Policy Rule

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.